diff --git a/clusters/android.json b/clusters/android.json
index 4392f4b..8b87b4f 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -7,7 +7,8 @@
"refs": [
"https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/"
]
- }
+ },
+ "uuid": "40aa797a-ee87-43a1-8755-04d040dbea28"
},
{
"value": "Andr/Dropr-FH",
@@ -20,7 +21,8 @@
"synonyms": [
"GhostCtrl"
]
- }
+ },
+ "uuid": "a01e1d0b-5303-4d11-94dc-7db74f3d599d"
},
{
"value": "Judy",
@@ -30,7 +32,8 @@
"http://fortune.com/2017/05/28/android-malware-judy/",
"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"
]
- }
+ },
+ "uuid": "1a73ceaf-7054-4882-be82-8994805676fc"
},
{
"value": "RedAlert2",
@@ -39,7 +42,8 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/"
]
- }
+ },
+ "uuid": "d10f8cd5-0077-4d8f-9145-03815a68dd33"
},
{
"value": "Tizi",
@@ -48,7 +52,8 @@
"refs": [
"https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html"
]
- }
+ },
+ "uuid": "8f374460-aa58-4a31-98cb-58db42d0902a"
},
{
"value": "DoubleLocker",
@@ -57,7 +62,8 @@
"refs": [
"https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/"
]
- }
+ },
+ "uuid": "6671bb0b-4fab-44a7-92f9-f641a887a0aa"
},
{
"value": "Svpeng",
@@ -70,7 +76,8 @@
"synonyms": [
"Invisble Man"
]
- }
+ },
+ "uuid": "426ead34-b3e6-45c7-ba22-5b8f3b8214bd"
},
{
"value": "LokiBot",
@@ -79,7 +86,8 @@
"refs": [
"https://clientsidedetection.com/lokibot___the_first_hybrid_android_malware.html"
]
- }
+ },
+ "uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c"
},
{
"value": "BankBot",
@@ -90,7 +98,8 @@
"https://forensics.spreitzenbarth.de/android-malware/",
"https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers"
]
- }
+ },
+ "uuid": "4ed03b03-a34f-4583-9db1-6c58a4bd952b"
},
{
"value": "Viking Horde",
@@ -99,7 +108,8 @@
"refs": [
"http://www.alwayson-network.com/worst-types-android-malware-2016/"
]
- }
+ },
+ "uuid": "c62a6121-2ebc-4bee-a25a-5285bf33328a"
},
{
"value": "HummingBad",
@@ -109,7 +119,8 @@
"http://www.alwayson-network.com/worst-types-android-malware-2016/",
"http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
]
- }
+ },
+ "uuid": "f5cacc72-f02a-42d1-a020-7a59650086bb"
},
{
"value": "Ackposts",
@@ -118,7 +129,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99"
]
- }
+ },
+ "uuid": "8261493f-c9a3-4946-874f-fe8445aa7691"
},
{
"value": "Wirex",
@@ -128,7 +140,8 @@
"https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/",
"http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/"
]
- }
+ },
+ "uuid": "0b4f1af0-e0fb-4148-b08c-f6782757752a"
},
{
"value": "WannaLocker",
@@ -137,7 +150,8 @@
"refs": [
"https://fossbytes.com/wannalocker-ransomware-wannacry-android/"
]
- }
+ },
+ "uuid": "db4ddfc4-4f39-4e0b-905f-4703ed6b39b6"
},
{
"value": "Switcher",
@@ -148,7 +162,8 @@
"https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/",
"https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99"
]
- }
+ },
+ "uuid": "60857664-0671-4b12-ade9-86ee6ecb026a"
},
{
"value": "Vibleaker",
@@ -157,7 +172,8 @@
"refs": [
"http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-videos-505758.shtml"
]
- }
+ },
+ "uuid": "27354d65-ca90-4f73-b942-13046e61700c"
},
{
"value": "ExpensiveWall",
@@ -167,7 +183,8 @@
"https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/",
"http://fortune.com/2017/09/14/google-play-android-malware/"
]
- }
+ },
+ "uuid": "1484d72b-54d0-41b7-a9fa-18db9e9e5c69"
},
{
"value": "Cepsohord",
@@ -176,7 +193,8 @@
"refs": [
"https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord"
]
- }
+ },
+ "uuid": "05b0c492-e1ef-4352-a714-b813e54b9032"
},
{
"value": "Fakem Rat",
@@ -186,7 +204,8 @@
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf",
"https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99"
]
- }
+ },
+ "uuid": "c657075e-3ffb-4748-bfe2-f40c3527739f"
},
{
"value": "GM Bot",
@@ -200,7 +219,8 @@
"SlemBunk",
"Bankosy"
]
- }
+ },
+ "uuid": "3d3aa832-8847-47c5-9e31-ef13ab7ab6fb"
},
{
"value": "Moplus",
@@ -209,7 +229,8 @@
"refs": [
"http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html"
]
- }
+ },
+ "uuid": "d3f2ec07-4af3-4b3b-9cf0-2dba08bf5e68"
},
{
"value": "Adwind",
@@ -227,7 +248,8 @@
"jRat",
"Backdoor:Java/Adwind"
]
- }
+ },
+ "uuid": "ce1a9641-5bb8-4a61-990a-870e9ef36ac1"
},
{
"value": "AdSms",
@@ -237,7 +259,8 @@
"https://www.fortiguard.com/encyclopedia/virus/7389670",
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99"
]
- }
+ },
+ "uuid": "55b6621f-f928-4530-8271-5150e5f39211"
},
{
"value": "Airpush",
@@ -249,7 +272,8 @@
"synonyms": [
"StopSMS"
]
- }
+ },
+ "uuid": "1393cccf-19c0-4cc8-8488-8156672d87ba"
},
{
"value": "BeanBot",
@@ -258,7 +282,8 @@
"refs": [
"https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml"
]
- }
+ },
+ "uuid": "8dbacb31-2ae9-4c0a-bf62-d017b802d345"
},
{
"value": "Kemoge",
@@ -268,7 +293,8 @@
"https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html",
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99"
]
- }
+ },
+ "uuid": "0c769e82-df28-4f65-97f5-7f3d88488f2e"
},
{
"value": "Ghost Push",
@@ -278,7 +304,8 @@
"https://en.wikipedia.org/wiki/Ghost_Push",
"https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push"
]
- }
+ },
+ "uuid": "c878cdfc-ab8b-40f1-9173-e62a51e6f804"
},
{
"value": "BeNews",
@@ -287,7 +314,8 @@
"refs": [
"http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/"
]
- }
+ },
+ "uuid": "281cf173-d547-4b37-a372-447caab577be"
},
{
"value": "Accstealer",
@@ -296,7 +324,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99"
]
- }
+ },
+ "uuid": "cbc1c053-5ee8-40c9-96c2-431ac6852fe1"
},
{
"value": "Acnetdoor",
@@ -305,7 +334,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99"
]
- }
+ },
+ "uuid": "b36f7ce2-e208-4879-9a3f-58623727f887"
},
{
"value": "Acnetsteal",
@@ -314,7 +344,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99"
]
- }
+ },
+ "uuid": "dbbc6b6f-fa87-4fdc-880d-7c22c2723c58"
},
{
"value": "Actech",
@@ -323,7 +354,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99"
]
- }
+ },
+ "uuid": "0bf67f5b-0bcc-41e0-8db9-2b8df8cf1d03"
},
{
"value": "AdChina",
@@ -332,7 +364,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99"
]
- }
+ },
+ "uuid": "33a06139-1c18-4a9a-b86b-440c43266b15"
},
{
"value": "Adfonic",
@@ -341,7 +374,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99"
]
- }
+ },
+ "uuid": "a02b2327-525a-4343-9c76-64f2c984c536"
},
{
"value": "AdInfo",
@@ -350,7 +384,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99"
]
- }
+ },
+ "uuid": "a1737465-7af6-4362-b938-3a3fa737ebb7"
},
{
"value": "Adknowledge",
@@ -359,7 +394,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99"
]
- }
+ },
+ "uuid": "dd626b23-173c-4737-b9d7-c44571c1abb3"
},
{
"value": "AdMarvel",
@@ -368,7 +404,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99"
]
- }
+ },
+ "uuid": "6eb47eef-898e-4d74-9f85-ac9c99250e9b"
},
{
"value": "AdMob",
@@ -377,7 +414,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99"
]
- }
+ },
+ "uuid": "932d18c5-6332-4334-83fc-4af3c46a4992"
},
{
"value": "Adrd",
@@ -386,7 +424,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99"
]
- }
+ },
+ "uuid": "121b8084-fdfd-4746-9675-cf8a191bf6d9"
},
{
"value": "Aduru",
@@ -395,7 +434,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99"
]
- }
+ },
+ "uuid": "3476c6dd-3cb0-443d-8668-0f731616b068"
},
{
"value": "Adwhirl",
@@ -404,7 +444,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99"
]
- }
+ },
+ "uuid": "6fe8fd1b-a7d9-4ece-95f5-fdaaa0acd797"
},
{
"value": "Adwlauncher",
@@ -413,7 +454,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99"
]
- }
+ },
+ "uuid": "8ee649b6-8379-4b01-8997-dc7c82e22bb5"
},
{
"value": "Adwo",
@@ -422,7 +464,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99"
]
- }
+ },
+ "uuid": "5c979585-51c3-427c-a23d-cbe43083ce2d"
},
{
"value": "Airad",
@@ -431,7 +474,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99"
]
- }
+ },
+ "uuid": "5824688f-e91c-44ab-ae2e-392299e9d071"
},
{
"value": "Alienspy",
@@ -440,7 +484,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99"
]
- }
+ },
+ "uuid": "680a1677-9bff-4285-9394-62b1ce096c84"
},
{
"value": "AmazonAds",
@@ -449,7 +494,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99"
]
- }
+ },
+ "uuid": "3a94a731-4566-4cc5-8c01-d651dc11b8a5"
},
{
"value": "Answerbot",
@@ -458,7 +504,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99"
]
- }
+ },
+ "uuid": "b8f8d1c1-5f33-4b13-8ecf-2383e3213713"
},
{
"value": "Antammi",
@@ -467,7 +514,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99"
]
- }
+ },
+ "uuid": "bbc13ff1-0cee-4c30-a864-2c6a341ac365"
},
{
"value": "Apkmore",
@@ -476,7 +524,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99"
]
- }
+ },
+ "uuid": "f45b87cf-6811-427c-84ff-027898b0592a"
},
{
"value": "Aplog",
@@ -485,7 +534,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99"
]
- }
+ },
+ "uuid": "600da14d-a959-4a06-9a13-85ff50cb05b4"
},
{
"value": "Appenda",
@@ -494,7 +544,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99"
]
- }
+ },
+ "uuid": "1840c69b-f340-444e-a4e5-ac324c8214eb"
},
{
"value": "Apperhand",
@@ -503,7 +554,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99"
]
- }
+ },
+ "uuid": "2c199154-888b-4444-8d21-622ed62e6e63"
},
{
"value": "Appleservice",
@@ -512,7 +564,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99"
]
- }
+ },
+ "uuid": "920b0561-abc9-409e-92b1-3b13b7d21a06"
},
{
"value": "AppLovin",
@@ -521,7 +574,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99"
]
- }
+ },
+ "uuid": "e212433e-6dac-40ab-8793-8dcfe4a1538f"
},
{
"value": "Arspam",
@@ -530,7 +584,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99"
]
- }
+ },
+ "uuid": "e565a78c-8fa8-419b-b235-1fafa500686c"
},
{
"value": "Aurecord",
@@ -539,7 +594,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99"
]
- }
+ },
+ "uuid": "80a800a7-01ec-4712-9d2b-2382f7bf9201"
},
{
"value": "Backapp",
@@ -548,7 +604,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99"
]
- }
+ },
+ "uuid": "a4100d65-78d0-47ec-b939-709447641bab"
},
{
"value": "Backdexer",
@@ -557,7 +614,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99"
]
- }
+ },
+ "uuid": "27c289c7-a661-4322-9c21-8053f347e457"
},
{
"value": "Backflash",
@@ -566,7 +624,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99"
]
- }
+ },
+ "uuid": "da8cc77b-a26d-43da-a47a-a50892c08edd"
},
{
"value": "Backscript",
@@ -575,7 +634,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99"
]
- }
+ },
+ "uuid": "d9f11a96-5f9a-48b6-9dac-735ca4fca4d2"
},
{
"value": "Badaccents",
@@ -584,7 +644,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99"
]
- }
+ },
+ "uuid": "1442e5a8-d2cf-48cd-86e5-276a9dfc0bae"
},
{
"value": "Badpush",
@@ -593,7 +654,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99"
]
- }
+ },
+ "uuid": "ceacaa80-471e-4e38-b648-78b000771076"
},
{
"value": "Ballonpop",
@@ -602,7 +664,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99"
]
- }
+ },
+ "uuid": "6f957cc5-467b-4465-b14d-ccc6f2206543"
},
{
"value": "Bankosy",
@@ -611,7 +674,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99"
]
- }
+ },
+ "uuid": "620981e8-49c8-486a-b30c-359702c8ffbc"
},
{
"value": "Bankun",
@@ -620,7 +684,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99"
]
- }
+ },
+ "uuid": "bc45ca3c-a6fa-408d-bfab-cc845ffde1e2"
},
{
"value": "Basebridge",
@@ -629,7 +694,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99"
]
- }
+ },
+ "uuid": "9ae60aaa-bcdb-46a1-a1da-d779cb13cb2b"
},
{
"value": "Basedao",
@@ -638,7 +704,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99"
]
- }
+ },
+ "uuid": "9d625454-80a7-4c56-bb90-c0a678c6dec1"
},
{
"value": "Batterydoctor",
@@ -647,7 +714,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99"
]
- }
+ },
+ "uuid": "5bd321b1-afef-482f-b160-2e209dffb390"
},
{
"value": "Beaglespy",
@@ -656,7 +724,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99"
]
- }
+ },
+ "uuid": "2e3ad1af-e24c-4b1c-87cb-360dab4d90a9"
},
{
"value": "Becuro",
@@ -665,7 +734,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99"
]
- }
+ },
+ "uuid": "dd83dbc7-9ffa-4ca7-a8c3-6b27bde4c3bd"
},
{
"value": "Beita",
@@ -674,7 +744,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99"
]
- }
+ },
+ "uuid": "4baa74be-682f-4a38-b4b1-aceba8f48009"
},
{
"value": "Bgserv",
@@ -683,7 +754,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99"
]
- }
+ },
+ "uuid": "e4a18a09-09ed-4ca8-93b8-be946e9f560c"
},
{
"value": "Biigespy",
@@ -692,7 +764,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99"
]
- }
+ },
+ "uuid": "7a46c9c6-9af5-41e6-a625-aa14009c528e"
},
{
"value": "Bmaster",
@@ -701,7 +774,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99"
]
- }
+ },
+ "uuid": "9ac3232d-b533-44d6-9b73-4341e2cba4b4"
},
{
"value": "Bossefiv",
@@ -710,7 +784,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99"
]
- }
+ },
+ "uuid": "45d85c09-8bed-4c4e-b1d1-4784737734a5"
},
{
"value": "Boxpush",
@@ -719,7 +794,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99"
]
- }
+ },
+ "uuid": "412bb5c6-a5fd-4f36-939e-47f87cc3edae"
},
{
"value": "Burstly",
@@ -728,7 +804,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99"
]
- }
+ },
+ "uuid": "74053925-b076-47b0-8c23-bb90ff89653c"
},
{
"value": "Buzzcity",
@@ -737,7 +814,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99"
]
- }
+ },
+ "uuid": "604430f2-8109-40a6-8224-39d2790914e5"
},
{
"value": "ByPush",
@@ -746,7 +824,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99"
]
- }
+ },
+ "uuid": "7c373640-5830-4f23-b122-3fb4f7af0b64"
},
{
"value": "Cajino",
@@ -755,7 +834,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99"
]
- }
+ },
+ "uuid": "388ed802-54bc-4cf0-899e-92fed27df5e1"
},
{
"value": "Casee",
@@ -764,7 +844,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99"
]
- }
+ },
+ "uuid": "f48a667a-a74d-4c04-80a2-a257cd8e29cc"
},
{
"value": "Catchtoken",
@@ -773,7 +854,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99"
]
- }
+ },
+ "uuid": "ec37c5db-0497-440b-a7bc-4e28dc5c95f4"
},
{
"value": "Cauly",
@@ -782,7 +864,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99"
]
- }
+ },
+ "uuid": "b5db1360-91fc-4dc3-8520-d00f9f3601ce"
},
{
"value": "Cellshark",
@@ -791,7 +874,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99"
]
- }
+ },
+ "uuid": "471e6971-ab43-4b59-917c-5cdd5b8fd531"
},
{
"value": "Centero",
@@ -800,7 +884,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99"
]
- }
+ },
+ "uuid": "a9595906-adcf-4a08-9f71-f2eb2199cb87"
},
{
"value": "Chuli",
@@ -809,7 +894,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99"
]
- }
+ },
+ "uuid": "f2f3e65a-5e46-45e9-aa23-addd841ba3c6"
},
{
"value": "Citmo",
@@ -818,7 +904,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99"
]
- }
+ },
+ "uuid": "e271a188-fc07-4f03-a047-d96ea64ee1e5"
},
{
"value": "Claco",
@@ -827,7 +914,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99"
]
- }
+ },
+ "uuid": "2a7c2aff-9e7f-4358-9196-477042fc2f5b"
},
{
"value": "Clevernet",
@@ -836,7 +924,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99"
]
- }
+ },
+ "uuid": "76090f4b-eb03-42c0-90bb-9337d1a20d74"
},
{
"value": "Cnappbox",
@@ -845,7 +934,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99"
]
- }
+ },
+ "uuid": "d343483b-909c-490a-827e-3a2c9d6ad033"
},
{
"value": "Cobblerone",
@@ -854,7 +944,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99"
]
- }
+ },
+ "uuid": "4863856a-9899-42a2-b02c-449aaa5a8258"
},
{
"value": "Coolpaperleak",
@@ -863,7 +954,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99"
]
- }
+ },
+ "uuid": "272b75a0-a77f-44eb-ba7f-b68804d3506d"
},
{
"value": "Coolreaper",
@@ -872,7 +964,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99"
]
- }
+ },
+ "uuid": "f2646118-fa1d-4e6a-9115-033ba1e05b21"
},
{
"value": "Cosha",
@@ -881,7 +974,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99"
]
- }
+ },
+ "uuid": "045d0e45-ce4d-4b51-92c8-111013b3b972"
},
{
"value": "Counterclank",
@@ -890,7 +984,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99"
]
- }
+ },
+ "uuid": "95b527d5-d90c-4c37-973f-1dc83da6511e"
},
{
"value": "Crazymedia",
@@ -899,7 +994,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99"
]
- }
+ },
+ "uuid": "a08d4206-92b7-4b0e-9267-24eb4acf737f"
},
{
"value": "Crisis",
@@ -908,7 +1004,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99"
]
- }
+ },
+ "uuid": "c17f6e4b-70c5-42f8-a91b-19d73485bd04"
},
{
"value": "Crusewind",
@@ -917,7 +1014,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99"
]
- }
+ },
+ "uuid": "67c624e1-89a0-4581-9fa3-de4864a03aab"
},
{
"value": "Dandro",
@@ -926,7 +1024,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99"
]
- }
+ },
+ "uuid": "a5bff39e-804e-4c62-b5fb-7a7e32069a7d"
},
{
"value": "Daoyoudao",
@@ -935,7 +1034,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99"
]
- }
+ },
+ "uuid": "939f5057-635a-46e7-b15a-fb301258d0f9"
},
{
"value": "Deathring",
@@ -944,7 +1044,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99"
]
- }
+ },
+ "uuid": "07ca0660-3391-4cb1-900c-a1ad38980b06"
},
{
"value": "Deeveemap",
@@ -953,7 +1054,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99"
]
- }
+ },
+ "uuid": "a23a5f71-affe-4f0e-aa8f-39a3967210ae"
},
{
"value": "Dendoroid",
@@ -962,7 +1064,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99"
]
- }
+ },
+ "uuid": "f1a4a027-bb70-4279-9c59-c271ac264cbf"
},
{
"value": "Dengaru",
@@ -971,7 +1074,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99"
]
- }
+ },
+ "uuid": "2788d128-4c7a-4ed2-93c1-03125579251c"
},
{
"value": "Diandong",
@@ -980,7 +1084,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99"
]
- }
+ },
+ "uuid": "4fc012cf-dbbf-4200-af95-879eb668eb66"
},
{
"value": "Dianjin",
@@ -989,7 +1094,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99"
]
- }
+ },
+ "uuid": "bb9ff44c-eb04-4df3-8e17-967f59fee4f5"
},
{
"value": "Dogowar",
@@ -998,7 +1104,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99"
]
- }
+ },
+ "uuid": "397ed797-e2a9-423a-a485-e06b4633b37a"
},
{
"value": "Domob",
@@ -1007,7 +1114,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99"
]
- }
+ },
+ "uuid": "e99fe1de-4f88-4c69-95bc-87df65dc73ca"
},
{
"value": "Dougalek",
@@ -1016,7 +1124,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99"
]
- }
+ },
+ "uuid": "d06b78de-b9f1-474a-b243-c975bd55baed"
},
{
"value": "Dowgin",
@@ -1025,7 +1134,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99"
]
- }
+ },
+ "uuid": "8635a12e-4fa4-495e-b3c9-de4a01c1bc59"
},
{
"value": "Droidsheep",
@@ -1034,7 +1144,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99"
]
- }
+ },
+ "uuid": "0ac34775-2323-4866-a540-913043aec431"
},
{
"value": "Dropdialer",
@@ -1043,7 +1154,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99"
]
- }
+ },
+ "uuid": "d3aeb67a-6247-4a90-b7c2-971ced9dc7ef"
},
{
"value": "Dupvert",
@@ -1052,7 +1164,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99"
]
- }
+ },
+ "uuid": "f8c910ed-6047-4628-a21a-2d5bf6895fd4"
},
{
"value": "Dynamicit",
@@ -1061,7 +1174,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99"
]
- }
+ },
+ "uuid": "e9df4254-31d9-45c3-80df-f6da15549ebb"
},
{
"value": "Ecardgrabber",
@@ -1070,7 +1184,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99"
]
- }
+ },
+ "uuid": "70570b6a-7236-48cb-9b0d-e8495779f51d"
},
{
"value": "Ecobatry",
@@ -1079,7 +1194,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99"
]
- }
+ },
+ "uuid": "d8f4b1c3-7234-40ec-b944-8b22d2ba1fe7"
},
{
"value": "Enesoluty",
@@ -1088,7 +1204,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99"
]
- }
+ },
+ "uuid": "6d5be115-6245-456b-929c-3077987e65d4"
},
{
"value": "Everbadge",
@@ -1097,7 +1214,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99"
]
- }
+ },
+ "uuid": "36a6af63-035c-43ef-b534-0fe2f16462eb"
},
{
"value": "Ewalls",
@@ -1106,7 +1224,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99"
]
- }
+ },
+ "uuid": "ef424b45-fb8a-4e81-9b9e-5ebb8d9219ed"
},
{
"value": "Exprespam",
@@ -1115,7 +1234,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99"
]
- }
+ },
+ "uuid": "043ee6fa-37de-4a2d-a888-95febf8a243c"
},
{
"value": "Fakealbums",
@@ -1124,7 +1244,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99"
]
- }
+ },
+ "uuid": "0399e18a-e047-4507-a66c-2503b00cd727"
},
{
"value": "Fakeangry",
@@ -1133,7 +1254,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99"
]
- }
+ },
+ "uuid": "6032b79e-68e7-4a9f-b913-8cb62e7c28e8"
},
{
"value": "Fakeapp",
@@ -1142,7 +1264,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99"
]
- }
+ },
+ "uuid": "493c97f8-db6c-40ae-a06e-fa2a9d84d660"
},
{
"value": "Fakebanco",
@@ -1151,7 +1274,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99"
]
- }
+ },
+ "uuid": "7714a6ee-3a75-42b2-ad4b-ec21da4259fd"
},
{
"value": "Fakebank",
@@ -1160,7 +1284,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99"
]
- }
+ },
+ "uuid": "4fba0b79-0be2-4471-9c1a-5a0295130ac2"
},
{
"value": "Fakebank.B",
@@ -1169,7 +1294,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99"
]
- }
+ },
+ "uuid": "fb3083ad-5342-4913-9d48-f3abaf613878"
},
{
"value": "Fakebok",
@@ -1178,7 +1304,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99"
]
- }
+ },
+ "uuid": "84318a88-5ed5-43e9-ae8d-143e7373a46d"
},
{
"value": "Fakedaum",
@@ -1187,7 +1314,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99"
]
- }
+ },
+ "uuid": "b91c1aaf-4a06-40ec-b4b9-59e9da882697"
},
{
"value": "Fakedefender",
@@ -1196,7 +1324,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99"
]
- }
+ },
+ "uuid": "79a6bf32-d063-4b7c-a891-3dda49e31582"
},
{
"value": "Fakedefender.B",
@@ -1205,7 +1334,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99"
]
- }
+ },
+ "uuid": "26f660c5-c04b-4bb2-8169-5dc2dfe1c835"
},
{
"value": "Fakedown",
@@ -1214,7 +1344,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99"
]
- }
+ },
+ "uuid": "f43ef200-e9d8-4cca-bb63-ac3d70465fed"
},
{
"value": "Fakeflash",
@@ -1223,7 +1354,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99"
]
- }
+ },
+ "uuid": "d2fe043a-8b6c-4aa2-8527-c51b7b44f9df"
},
{
"value": "Fakegame",
@@ -1232,7 +1364,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99"
]
- }
+ },
+ "uuid": "250a3e30-2025-486d-98fe-2fe1cf817451"
},
{
"value": "Fakeguard",
@@ -1241,7 +1374,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99"
]
- }
+ },
+ "uuid": "2c5798aa-e68c-4158-ba04-1db39512451f"
},
{
"value": "Fakejob",
@@ -1250,7 +1384,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99"
]
- }
+ },
+ "uuid": "ba8bf35c-187f-4acb-8b44-5ee288535679"
},
{
"value": "Fakekakao",
@@ -1259,7 +1394,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99"
]
- }
+ },
+ "uuid": "f0915277-0156-4832-b282-4447f4d06449"
},
{
"value": "Fakelemon",
@@ -1268,7 +1404,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99"
]
- }
+ },
+ "uuid": "398bd8d6-a7ee-4f51-a8ff-96d8b4ae93a5"
},
{
"value": "Fakelicense",
@@ -1277,7 +1414,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99"
]
- }
+ },
+ "uuid": "21e5a963-ad8a-479b-b33e-35deb75f846d"
},
{
"value": "Fakelogin",
@@ -1286,7 +1424,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99"
]
- }
+ },
+ "uuid": "6bd49caa-59a2-4abf-86ea-7a2ebc7ed324"
},
{
"value": "FakeLookout",
@@ -1295,7 +1434,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99"
]
- }
+ },
+ "uuid": "caffc461-7415-4017-82bf-195df5d7791f"
},
{
"value": "FakeMart",
@@ -1304,7 +1444,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99"
]
- }
+ },
+ "uuid": "6816561e-203f-4f6c-b85b-e4f51148e9e7"
},
{
"value": "Fakemini",
@@ -1313,7 +1454,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99"
]
- }
+ },
+ "uuid": "b40b23aa-5b2a-46bf-94ab-0bd0f9a896c9"
},
{
"value": "Fakemrat",
@@ -1322,7 +1464,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99"
]
- }
+ },
+ "uuid": "b61b0ca5-fd3c-4e65-af3f-7d4e9bc75e62"
},
{
"value": "Fakeneflic",
@@ -1331,7 +1474,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99"
]
- }
+ },
+ "uuid": "58113e57-f6df-45f0-a058-b08a892c3903"
},
{
"value": "Fakenotify",
@@ -1340,7 +1484,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99"
]
- }
+ },
+ "uuid": "9dbfc63d-2b0d-406d-95cf-f87494bd588a"
},
{
"value": "Fakepatch",
@@ -1349,7 +1494,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99"
]
- }
+ },
+ "uuid": "981938f8-7820-4b15-ab96-f4923280253c"
},
{
"value": "Fakeplay",
@@ -1358,7 +1504,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99"
]
- }
+ },
+ "uuid": "4ac0574f-8faa-463f-a493-b245f2c76d2c"
},
{
"value": "Fakescarav",
@@ -1367,7 +1514,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99"
]
- }
+ },
+ "uuid": "d52ff282-7b5c-427d-bc79-fbd686fb9ba3"
},
{
"value": "Fakesecsuit",
@@ -1376,7 +1524,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99"
]
- }
+ },
+ "uuid": "c23a04d3-5c38-4edc-b082-84c8997405ab"
},
{
"value": "Fakesucon",
@@ -1385,7 +1534,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99"
]
- }
+ },
+ "uuid": "942a4a67-875a-4273-845f-3d6845738283"
},
{
"value": "Faketaobao",
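Review bot: In hunk `@@ -1322,7 +1464,8 @@` the `Fakemrat` entry receives its own uuid `b61b0ca5-fd3c-4e65-af3f-7d4e9bc75e62`, yet its sole reference is Symantec docid `2016-012608-1538-99`, the same writeup already cited by the `Fakem Rat` entry that gets `c657075e-3ffb-4748-bfe2-f40c3527739f` in hunk `@@ -186,7 +204,8 @@`. If these are two spellings of one family, issuing two uuids will split galaxy correlations between them permanently, because cluster uuids are meant to be stable once published. I would merge the two entries before this lands, keeping the second name under `synonyms`, or leave a note in the commit explaining why they are distinct. It is also worth running a duplicate check over every new `uuid` value in this file and, if not already done elsewhere in the commit, bumping the cluster `version` so consumers pick up the new identifiers.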
@@ -1394,7 +1544,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99"
]
- }
+ },
+ "uuid": "ee83a04a-5ce2-41f9-b232-c274c25acd7e"
},
{
"value": "Faketaobao.B",
@@ -1403,7 +1554,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99"
]
- }
+ },
+ "uuid": "2d4899d5-d566-4058-b216-a5c37f601417"
},
{
"value": "Faketoken",
@@ -1413,7 +1565,8 @@
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99",
"http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/"
]
- }
+ },
+ "uuid": "25feca2d-6867-4390-9d60-100b47d9d81a"
},
{
"value": "Fakeupdate",
@@ -1422,7 +1575,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99"
]
- }
+ },
+ "uuid": "e3eab046-a427-4132-99e7-f69598abcfd4"
},
{
"value": "Fakevoice",
@@ -1431,7 +1585,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99"
]
- }
+ },
+ "uuid": "aab42c7b-fe4e-483c-9db5-146f449c0937"
},
{
"value": "Farmbaby",
@@ -1440,7 +1595,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99"
]
- }
+ },
+ "uuid": "97973daa-ece5-46ef-ac5b-a6ead8bddb97"
},
{
"value": "Fauxtocopy",
@@ -1449,7 +1605,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99"
]
- }
+ },
+ "uuid": "1b316569-88c5-4f5a-874c-b3eb7f5a229d"
},
{
"value": "Feiwo",
@@ -1458,7 +1615,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99"
]
- }
+ },
+ "uuid": "0e5a7148-d5ab-4428-bbec-55780a4fcdad"
},
{
"value": "FindAndCall",
@@ -1467,7 +1625,8 @@
"refs": [
"https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99"
]
- }
+ },
+ "uuid": "d49baeba-0982-4815-a30a-c6520424a44d"
},
{
"value": "Finfish",
@@ -1476,7 +1635,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99"
 ]
- }
+ },
+ "uuid": "b17a7d6f-8a48-408d-9362-3be6fab1d464"
 },
 {
 "value": "Fireleaker",
@@ -1485,7 +1645,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99"
 ]
- }
+ },
+ "uuid": "c8202616-804d-48c6-b104-466b3584f511"
 },
 {
 "value": "Fitikser",
@@ -1494,7 +1655,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99"
 ]
- }
+ },
+ "uuid": "10ac6220-2f49-4b25-9024-15f83f18033e"
 },
 {
 "value": "Flexispy",
@@ -1503,7 +1665,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99"
 ]
- }
+ },
+ "uuid": "a24e855e-cd0c-4abd-b2d8-0eaec87bcae5"
 },
 {
 "value": "Fokonge",
@@ -1512,7 +1675,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99"
 ]
- }
+ },
+ "uuid": "819bf929-01f0-447e-994c-e0e2f5a145c9"
 },
 {
 "value": "FoncySMS",
@@ -1521,7 +1685,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99"
 ]
- }
+ },
+ "uuid": "917270d8-d7f3-432a-8c5c-28e7ea842f3e"
 },
 {
 "value": "Frogonal",
@@ -1530,7 +1695,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99"
 ]
- }
+ },
+ "uuid": "c0c69286-1448-4a37-b047-7518d45a0b80"
 },
 {
 "value": "Ftad",
@@ -1539,7 +1705,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99"
 ]
- }
+ },
+ "uuid": "4295a452-f24d-4a95-be3c-dc5f17606669"
 },
 {
 "value": "Funtasy",
@@ -1548,7 +1715,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99"
 ]
- }
+ },
+ "uuid": "8e11e4fa-e8d5-485d-8ee8-61bf52bcde27"
 },
 {
 "value": "GallMe",
@@ -1557,7 +1725,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99"
 ]
- }
+ },
+ "uuid": "2086ef12-5578-496c-b140-433836b643ef"
 },
 {
 "value": "Gamex",
@@ -1566,7 +1735,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99"
 ]
- }
+ },
+ "uuid": "fb63ab80-c198-48a8-a2f3-5fee516d8277"
 },
 {
 "value": "Gappusin",
@@ -1575,7 +1745,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99"
 ]
- }
+ },
+ "uuid": "65a95075-b79d-42ea-8a62-8390994fbed4"
 },
 {
 "value": "Gazon",
@@ -1584,7 +1755,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99"
 ]
- }
+ },
+ "uuid": "77ea250b-d8aa-4477-8c74-93af056d8eee"
 },
 {
 "value": "Geinimi",
@@ -1593,7 +1765,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99"
 ]
- }
+ },
+ "uuid": "da751d6f-779e-4d87-99ad-9393cb72607d"
 },
 {
 "value": "Generisk",
@@ -1602,7 +1775,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99"
 ]
- }
+ },
+ "uuid": "1f8573ad-c3ff-4268-83a5-c0a71f7b7944"
 },
 {
 "value": "Genheur",
@@ -1611,7 +1785,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99"
 ]
- }
+ },
+ "uuid": "5bcc7083-006b-428a-8952-aa34354e011e"
 },
 {
 "value": "Genpush",
@@ -1620,7 +1795,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99"
 ]
- }
+ },
+ "uuid": "1854c808-f818-416c-961a-ba582bf5f27c"
 },
 {
 "value": "GeoFake",
@@ -1629,7 +1805,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99"
 ]
- }
+ },
+ "uuid": "4fa4e576-369a-4211-a1ea-4896aacfe4a7"
 },
 {
 "value": "Geplook",
@@ -1638,7 +1815,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99"
 ]
- }
+ },
+ "uuid": "ead163e7-c5b5-486f-b27d-629b26f6abdc"
 },
 {
 "value": "Getadpush",
@@ -1647,7 +1825,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99"
 ]
- }
+ },
+ "uuid": "f41a08e2-5fc4-48ca-9cbc-9c7f0bce9b1f"
 },
 {
 "value": "Ggtracker",
@@ -1656,7 +1835,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99"
 ]
- }
+ },
+ "uuid": "d4aed5c2-4011-4b62-80c1-8cdc6e5b2fc5"
 },
 {
 "value": "Ghostpush",
@@ -1665,7 +1845,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99"
 ]
- }
+ },
+ "uuid": "9423457b-4660-4d27-916f-b6fd39628e17"
 },
 {
 "value": "Gmaster",
@@ -1674,7 +1855,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99"
 ]
- }
+ },
+ "uuid": "92955169-4734-47d5-adfe-e01003dc0768"
 },
 {
 "value": "Godwon",
@@ -1683,7 +1865,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99"
 ]
- }
+ },
+ "uuid": "3787e5cf-49af-4105-a775-241c40aec377"
 },
 {
 "value": "Golddream",
@@ -1692,7 +1875,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99"
 ]
- }
+ },
+ "uuid": "fa2fe25b-247a-4675-ab85-a040200ff9a7"
 },
 {
 "value": "Goldeneagle",
@@ -1701,7 +1885,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99"
 ]
- }
+ },
+ "uuid": "c0836a8b-b104-42e5-ba0c-261ae2f65c50"
 },
 {
 "value": "Golocker",
@@ -1710,7 +1895,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99"
 ]
- }
+ },
+ "uuid": "28171041-ed65-4545-9e21-e6f925fd1688"
 },
 {
 "value": "Gomal",
@@ -1719,7 +1905,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99"
 ]
- }
+ },
+ "uuid": "666b5326-8552-481a-85ee-37cea031de9d"
 },
 {
 "value": "Gonesixty",
@@ -1728,7 +1915,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99"
 ]
- }
+ },
+ "uuid": "b153de8e-1096-4ff3-8c00-0dffe77574eb"
 },
 {
 "value": "Gonfu",
@@ -1737,7 +1925,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99"
 ]
- }
+ },
+ "uuid": "b10ae730-e9d8-42f7-8970-77fde44733c2"
 },
 {
 "value": "Gonfu.B",
@@ -1746,7 +1935,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99"
 ]
- }
+ },
+ "uuid": "0caf0b55-e4ee-4971-86f0-8968ecbec5cf"
 },
 {
 "value": "Gonfu.C",
@@ -1755,7 +1945,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99"
 ]
- }
+ },
+ "uuid": "faf9c1dc-4efd-4e16-abf9-135839126b58"
 },
 {
 "value": "Gonfu.D",
@@ -1764,7 +1955,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99"
 ]
- }
+ },
+ "uuid": "7ee57b0f-fc7c-424a-b3c7-e1a5a028ed8e"
 },
 {
 "value": "Gooboot",
@@ -1773,7 +1965,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99"
 ]
- }
+ },
+ "uuid": "dedde091-a167-42bd-b47c-710381a5fc4f"
 },
 {
 "value": "Goodadpush",
@@ -1782,7 +1975,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99"
 ]
- }
+ },
+ "uuid": "24d9abb7-67e6-4cd5-8f34-6fae58293134"
 },
 {
 "value": "Greystripe",
@@ -1791,7 +1985,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99"
 ]
- }
+ },
+ "uuid": "4e9b59a3-1b0b-4c94-bac2-22a9730cc1a0"
 },
 {
 "value": "Gugespy",
@@ -1800,7 +1995,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99"
 ]
- }
+ },
+ "uuid": "1d9c433a-9b8c-4ad7-b4b3-5a29137aca3b"
 },
 {
 "value": "Gugespy.B",
@@ -1809,7 +2005,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99"
 ]
- }
+ },
+ "uuid": "3869692a-e24c-44ad-8f46-a0bd38c5bc5e"
 },
 {
 "value": "Gupno",
@@ -1818,7 +2015,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99"
 ]
- }
+ },
+ "uuid": "2434d65f-7a96-4cf3-b3c7-d93d70be8907"
 },
 {
 "value": "Habey",
@@ -1827,7 +2025,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99"
 ]
- }
+ },
+ "uuid": "15109175-300b-42b1-bc59-2ad305cb2338"
 },
 {
 "value": "Handyclient",
@@ -1836,7 +2035,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99"
 ]
- }
+ },
+ "uuid": "dc37a1f9-dec0-4ea0-94c6-450b26272e3d"
 },
 {
 "value": "Hehe",
@@ -1845,7 +2045,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99"
 ]
- }
+ },
+ "uuid": "c9538896-1dd4-4d87-b89c-a0a019996b27"
 },
 {
 "value": "Hesperbot",
@@ -1854,7 +2055,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99"
 ]
- }
+ },
+ "uuid": "a642266c-b729-4009-8bd5-9cb06857cda7"
 },
 {
 "value": "Hippo",
@@ -1863,7 +2065,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99"
 ]
- }
+ },
+ "uuid": "bdf5533f-f05d-44cf-ad0c-c1db9689961f"
 },
 {
 "value": "Hippo.B",
@@ -1872,7 +2075,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99"
 ]
- }
+ },
+ "uuid": "04d2d441-1a18-4921-96f1-56fc938e01ea"
 },
 {
 "value": "IadPush",
@@ -1881,7 +2085,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99"
 ]
- }
+ },
+ "uuid": "d8dd9f88-4acf-4bbf-886b-6c48f2463109"
 },
 {
 "value": "iBanking",
@@ -1890,7 +2095,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99"
 ]
- }
+ },
+ "uuid": "531f750f-fe86-4548-a2e5-540fda864860"
 },
 {
 "value": "Iconosis",
@@ -1899,7 +2105,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99"
 ]
- }
+ },
+ "uuid": "71e19f13-ef09-44f2-a71b-ef39b2f02dbf"
 },
 {
 "value": "Iconosys",
@@ -1908,7 +2115,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99"
 ]
- }
+ },
+ "uuid": "84480513-a52a-4de2-9869-1c886a6e8365"
 },
 {
 "value": "Igexin",
@@ -1917,7 +2125,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99"
 ]
- }
+ },
+ "uuid": "52c5f9b3-e9ed-4c86-b4a8-d4ebc68a4d7b"
 },
 {
 "value": "ImAdPush",
@@ -1926,7 +2135,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99"
 ]
- }
+ },
+ "uuid": "847d6c0e-d92e-4466-91b8-6fe2718c6031"
 },
 {
 "value": "InMobi",
@@ -1935,7 +2145,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99"
 ]
- }
+ },
+ "uuid": "65e35c22-4a55-44ad-bd09-43f8a18d7e93"
 },
 {
 "value": "Jifake",
@@ -1944,7 +2155,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99"
 ]
- }
+ },
+ "uuid": "d32149d8-a20c-40eb-b486-7c3b3369bb9a"
 },
 {
 "value": "Jollyserv",
@@ -1953,7 +2165,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99"
 ]
- }
+ },
+ "uuid": "ee7faba5-6d35-49ff-af50-1ded1e42cc0b"
 },
 {
 "value": "Jsmshider",
@@ -1962,7 +2175,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99"
 ]
- }
+ },
+ "uuid": "5390586b-a224-4006-ab43-73ecdebe7892"
 },
 {
 "value": "Ju6",
@@ -1971,7 +2185,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99"
 ]
- }
+ },
+ "uuid": "7886d5bb-8318-427a-a5df-9dc2122d8f05"
 },
 {
 "value": "Jumptap",
@@ -1980,7 +2195,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99"
 ]
- }
+ },
+ "uuid": "ab353e23-22ef-44a8-80de-fe0ae609e571"
 },
 {
 "value": "Jzmob",
@@ -1989,7 +2205,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99"
 ]
- }
+ },
+ "uuid": "941608bc-1fd5-473a-b4f7-a7f9763a4276"
 },
 {
 "value": "Kabstamper",
@@ -1998,7 +2215,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99"
 ]
- }
+ },
+ "uuid": "ff8e4fe3-12b3-4c3b-959e-82971821d8e9"
 },
 {
 "value": "Kidlogger",
@@ -2007,7 +2225,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99"
 ]
- }
+ },
+ "uuid": "89c13c33-8ec2-4bbe-9867-02ac9f0a7dad"
 },
 {
 "value": "Kielog",
@@ -2016,7 +2235,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99"
 ]
- }
+ },
+ "uuid": "324a5388-63f9-4ba8-aa5f-6a803be5e903"
 },
 {
 "value": "Kituri",
@@ -2025,7 +2245,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99"
 ]
- }
+ },
+ "uuid": "d1c6c267-4c59-4cf9-a540-13d38b20d360"
 },
 {
 "value": "Kranxpay",
@@ -2034,7 +2255,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99"
 ]
- }
+ },
+ "uuid": "67f27518-6ec3-4723-8b4d-34d91a4d3a3e"
 },
 {
 "value": "Krysanec",
@@ -2043,7 +2265,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99"
 ]
- }
+ },
+ "uuid": "736ebf9f-1868-45ea-94a5-d389f2d11588"
 },
 {
 "value": "Kuaidian360",
@@ -2052,7 +2275,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99"
 ]
- }
+ },
+ "uuid": "0ec6ad4a-77ce-4c68-a349-1973bdc328f6"
 },
 {
 "value": "Kuguo",
@@ -2061,7 +2285,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99"
 ]
- }
+ },
+ "uuid": "9fa68491-57fc-4d85-a063-0b822286c25f"
 },
 {
 "value": "Lastacloud",
@@ -2070,7 +2295,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99"
 ]
- }
+ },
+ "uuid": "3bbf47e9-57b1-4bd1-9dc3-34d59e203771"
 },
 {
 "value": "Laucassspy",
@@ -2079,7 +2305,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99"
 ]
- }
+ },
+ "uuid": "3b3956a8-a1cb-4839-8731-08295c2b88d6"
 },
 {
 "value": "Lifemonspy",
@@ -2088,7 +2315,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99"
 ]
- }
+ },
+ "uuid": "063abe8e-3688-48af-848e-132d636b4ecc"
 },
 {
 "value": "Lightdd",
@@ -2097,7 +2325,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99"
 ]
- }
+ },
+ "uuid": "47aec378-9c9c-432c-9cd5-ddaa7942c6f4"
 },
 {
 "value": "Loaderpush",
@@ -2106,7 +2335,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99"
 ]
- }
+ },
+ "uuid": "5b137010-c01c-4811-b93f-e1de1c986563"
 },
 {
 "value": "Locaspy",
@@ -2115,7 +2345,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99"
 ]
- }
+ },
+ "uuid": "75e2f27a-cdeb-4768-808e-469d99a581d1"
 },
 {
 "value": "Lockdroid.E",
@@ -2124,7 +2355,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99"
 ]
- }
+ },
+ "uuid": "04fc65b7-47a1-4eac-b485-ea8a6933613c"
 },
 {
 "value": "Lockdroid.F",
@@ -2133,7 +2365,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99"
 ]
- }
+ },
+ "uuid": "a98bb328-2a25-4733-b1d2-688abf25784d"
 },
 {
 "value": "Lockdroid.G",
@@ -2142,7 +2375,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99"
 ]
- }
+ },
+ "uuid": "0e4f2334-889f-4438-bdfb-b4287397fc43"
 },
 {
 "value": "Lockdroid.H",
@@ -2151,7 +2385,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99"
 ]
- }
+ },
+ "uuid": "f453d127-48ae-4422-9e79-fb138f26de83"
 },
 {
 "value": "Lockscreen",
@@ -2160,7 +2395,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99"
 ]
- }
+ },
+ "uuid": "370237dc-95f4-47a0-9985-2ec8151f7e3a"
 },
 {
 "value": "LogiaAd",
@@ -2169,7 +2405,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99"
 ]
- }
+ },
+ "uuid": "8a065cda-da87-46b6-960a-2bcc74e92fd1"
 },
 {
 "value": "Loicdos",
@@ -2178,7 +2415,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99"
 ]
- }
+ },
+ "uuid": "32ec05c2-a360-49b1-8863-166fd0011460"
 },
 {
 "value": "Loozfon",
@@ -2187,7 +2425,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99"
 ]
- }
+ },
+ "uuid": "983458be-99a4-460a-be5d-c8b284468a61"
 },
 {
 "value": "Lotoor",
@@ -2196,7 +2435,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99"
 ]
- }
+ },
+ "uuid": "f459ff4a-3015-458f-8402-9981b6164f17"
 },
 {
 "value": "Lovespy",
@@ -2205,7 +2445,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99"
 ]
- }
+ },
+ "uuid": "508ab8e3-c950-4adf-b87a-90f86423fa4d"
 },
 {
 "value": "Lovetrap",
@@ -2214,7 +2455,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99"
 ]
- }
+ },
+ "uuid": "ab2b8596-4304-4682-a324-6a9ddd9a9c31"
 },
 {
 "value": "Luckycat",
@@ -2223,7 +2465,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99"
 ]
- }
+ },
+ "uuid": "5429dd64-74f5-4370-85f0-2654c067dfc5"
 },
 {
 "value": "Machinleak",
@@ -2232,7 +2475,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99"
 ]
- }
+ },
+ "uuid": "68c21410-a32c-4151-9e3e-bd3070937bfd"
 },
 {
 "value": "Maistealer",
@@ -2241,7 +2485,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99"
 ]
- }
+ },
+ "uuid": "88521447-177a-4024-b336-0a065e6d7f16"
 },
 {
 "value": "Malapp",
@@ -2250,7 +2495,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99"
 ]
- }
+ },
+ "uuid": "4b2483e7-acc2-4eec-bd7f-a8ac45e403b4"
 },
 {
 "value": "Malebook",
@@ -2259,7 +2505,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99"
 ]
- }
+ },
+ "uuid": "93177c2f-79fa-4b3e-8312-994306bac870"
 },
 {
 "value": "Malhome",
@@ -2268,7 +2515,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99"
 ]
- }
+ },
+ "uuid": "6178421f-b4d9-4307-b9ac-f75139651adf"
 },
 {
 "value": "Malminer",
@@ -2277,7 +2525,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99"
 ]
- }
+ },
+ "uuid": "1e7e1c16-f241-41ea-ab12-f3c3f72f0931"
 },
 {
 "value": "Mania",
@@ -2286,7 +2535,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99"
 ]
- }
+ },
+ "uuid": "dd97858e-001b-4ac4-9947-fcfdf24e12f7"
 },
 {
 "value": "Maxit",
@@ -2295,7 +2545,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99"
 ]
- }
+ },
+ "uuid": "0687203f-8f57-4de3-86f5-ceb3f151151c"
 },
 {
 "value": "MdotM",
@@ -2304,7 +2555,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99"
 ]
- }
+ },
+ "uuid": "aa94146b-6901-4c6c-8669-d64b4eb70594"
 },
 {
 "value": "Medialets",
@@ -2313,7 +2565,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99"
 ]
- }
+ },
+ "uuid": "3bd73087-fdf8-426a-84b9-50f308a05c53"
 },
 {
 "value": "Meshidden",
@@ -2322,7 +2575,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99"
 ]
- }
+ },
+ "uuid": "35ec0f9f-4516-45ed-b101-6829bd99ce86"
 },
 {
 "value": "Mesploit",
@@ -2331,7 +2585,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99"
 ]
- }
+ },
+ "uuid": "bed7e358-3b69-4944-898f-aabf32e1af3d"
 },
 {
 "value": "Mesprank",
@@ -2340,7 +2595,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99"
 ]
- }
+ },
+ "uuid": "989b1801-a3a9-4671-b161-d7b07cbbae32"
 },
 {
 "value": "Meswatcherbox",
@@ -2349,7 +2605,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99"
 ]
- }
+ },
+ "uuid": "d4a7f045-7e1c-4467-8eb7-7dc3ce3c04dd"
 },
 {
 "value": "Miji",
@@ -2358,7 +2615,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99"
 ]
- }
+ },
+ "uuid": "c5fa5347-0338-43f1-813b-b11ce13a44e5"
 },
 {
 "value": "Milipnot",
@@ -2367,7 +2625,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99"
 ]
- }
+ },
+ "uuid": "44ab46dd-7027-4f66-a716-d59db5cf5e73"
 },
 {
 "value": "MillennialMedia",
@@ -2376,7 +2635,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99"
 ]
- }
+ },
+ "uuid": "549a3d4e-d8f8-48b5-9b4b-659646640f85"
 },
 {
 "value": "Mitcad",
@@ -2385,7 +2645,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99"
 ]
- }
+ },
+ "uuid": "03d069bd-53f5-4d62-82af-2461b8b501f7"
 },
 {
 "value": "MobClix",
@@ -2394,7 +2655,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99"
 ]
- }
+ },
+ "uuid": "9688b924-811f-4315-ba42-2ee1e9e52b55"
 },
 {
 "value": "MobFox",
@@ -2403,7 +2665,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99"
 ]
- }
+ },
+ "uuid": "ee248082-86b3-48ce-9500-47ccd471edec"
 },
 {
 "value": "Mobidisplay",
@@ -2412,7 +2675,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99"
 ]
- }
+ },
+ "uuid": "d2a7cd95-3a32-4da4-97fb-a0982c2eaf60"
 },
 {
 "value": "Mobigapp",
@@ -2421,7 +2685,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99"
 ]
- }
+ },
+ "uuid": "f35969cc-13d8-46cf-a4cc-ff2f15844205"
 },
 {
 "value": "MobileBackup",
@@ -2430,7 +2695,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99"
 ]
- }
+ },
+ "uuid": "caea6805-dad0-44b7-a0f2-3f41c227698c"
 },
 {
 "value": "Mobilespy",
@@ -2439,7 +2705,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99"
 ]
- }
+ },
+ "uuid": "a6acb97a-359a-4fdc-9f27-2190dbe66c02"
 },
 {
 "value": "Mobiletx",
@@ -2448,7 +2715,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99"
 ]
- }
+ },
+ "uuid": "3752d35b-0cbf-41ee-a057-6252342d94a7"
 },
 {
 "value": "Mobinaspy",
@@ -2457,7 +2725,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99"
 ]
- }
+ },
+ "uuid": "dda43d3d-5852-4957-834a-a711bbfa3e4a"
 },
 {
 "value": "Mobus",
@@ -2466,7 +2735,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99"
 ]
- }
+ },
+ "uuid": "95272c25-5df1-47ef-af3d-88e7b7492d45"
 },
 {
 "value": "MobWin",
@@ -2475,7 +2745,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99"
 ]
- }
+ },
+ "uuid": "960804ae-0c6a-42de-9f0c-2b20a56c2c32"
 },
 {
 "value": "Mocore",
@@ -2484,7 +2755,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99"
 ]
- }
+ },
+ "uuid": "be1c2349-1864-4164-905b-cd971454448d"
 },
 {
 "value": "Moghava",
@@ -2493,7 +2765,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99"
 ]
- }
+ },
+ "uuid": "671a2ca3-fa4f-4bfb-95d0-ac9c2479edff"
 },
 {
 "value": "Momark",
@@ -2502,7 +2775,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99"
 ]
- }
+ },
+ "uuid": "f68ccede-1c5a-4d27-8d5f-2e68ebbbfcd7"
 },
 {
 "value": "Monitorello",
@@ -2511,7 +2785,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99"
 ]
- }
+ },
+ "uuid": "5b89b17f-d569-4c7d-9990-c8054d506e02"
 },
 {
 "value": "Moolah",
@@ -2520,7 +2795,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99"
 ]
- }
+ },
+ "uuid": "c630be3f-709c-42e7-8523-905ca6896066"
 },
 {
 "value": "MoPub",
@@ -2529,7 +2805,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99"
 ]
- }
+ },
+ "uuid": "1243bbc1-32a5-4034-a68b-fe67472469af"
 },
 {
 "value": "Morepaks",
@@ -2538,7 +2815,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99"
 ]
- }
+ },
+ "uuid": "20ca85ec-bb04-47b1-9179-aa3871724cc4"
 },
 {
 "value": "Nandrobox",
@@ -2547,7 +2825,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99"
 ]
- }
+ },
+ "uuid": "32ebe3f6-4a19-4e95-b06b-18663f4f0b43"
 },
 {
 "value": "Netisend",
@@ -2556,7 +2835,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99"
 ]
- }
+ },
+ "uuid": "deef380d-8e63-4669-9f5b-0cbf50c57070"
 },
 {
 "value": "Nickispy",
@@ -2565,7 +2845,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99"
 ]
- }
+ },
+ "uuid": "7bdcf5c4-4c1d-4f37-8811-58f60c07dc51"
 },
 {
 "value": "Notcompatible",
@@ -2574,7 +2855,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99"
 ]
- }
+ },
+ "uuid": "c18d1cdc-855a-47b0-93f6-9d8795c9121d"
 },
 {
 "value": "Nuhaz",
@@ -2583,7 +2865,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99"
 ]
- }
+ },
+ "uuid": "ea8ff12e-fdd1-425d-bb4e-39374040b290"
 },
 {
 "value": "Nyearleaker",
@@ -2592,7 +2875,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99"
 ]
- }
+ },
+ "uuid": "08381c6b-5c92-4e14-8ad5-52954b101907"
 },
 {
 "value": "Obad",
@@ -2601,7 +2885,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99"
 ]
- }
+ },
+ "uuid": "f59181e2-6214-4ff7-842e-916d124b3535"
 },
 {
 "value": "Oneclickfraud",
@@ -2610,7 +2895,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99"
 ]
- }
+ },
+ "uuid": "99ebc7b4-dbba-4c1c-a991-3c75d69007f6"
 },
 {
 "value": "Opfake",
@@ -2619,7 +2905,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99"
 ]
- }
+ },
+ "uuid": "9017bea0-d29e-4a2d-bda5-03ca6d0c7bc0"
 },
 {
 "value": "Opfake.B",
@@ -2628,7 +2915,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99"
 ]
- }
+ },
+ "uuid": "40115080-242e-4278-97b6-77171aa6ec47"
 },
 {
 "value": "Ozotshielder",
@@ -2637,7 +2925,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99"
 ]
- }
+ },
+ "uuid": "b6e17717-a860-412b-a223-8fb0a7f5fe26"
 },
 {
 "value": "Pafloat",
@@ -2646,7 +2935,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99"
 ]
- }
+ },
+ "uuid": "4fa40665-8a2a-4b01-bda7-5860497a46cc"
 },
 {
 "value": "PandaAds",
@@ -2655,7 +2945,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99"
 ]
- }
+ },
+ "uuid": "fd4d373a-dc7a-4ed0-8880-3f4d46ab4541"
 },
 {
 "value": "Pandbot",
@@ -2664,7 +2955,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99"
 ]
- }
+ },
+ "uuid": "aaa14125-c4eb-49b1-a397-6eb23e9ca8bf"
 },
 {
 "value": "Pdaspy",
@@ -2673,7 +2965,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99"
 ]
- }
+ },
+ "uuid": "d206b674-2c8b-4165-955f-c7b3747f881e"
 },
 {
 "value": "Penetho",
@@ -2682,7 +2975,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99"
 ]
- }
+ },
+ "uuid": "a032b966-7274-4963-82e3-4d6ea805db91"
 },
 {
 "value": "Perkel",
@@ -2691,7 +2985,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99"
 ]
- }
+ },
+ "uuid": "c076d45a-d4f8-4e6b-9f69-71687b5670f7"
 },
 {
 "value": "Phimdropper",
@@ -2700,7 +2995,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99"
 ]
- }
+ },
+ "uuid": "12801a82-add4-48f4-957a-5e7b09f2d0e3"
 },
 {
 "value": "Phospy",
@@ -2709,7 +3005,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99"
 ]
- }
+ },
+ "uuid": "058809da-b25d-429b-8773-e2b2f820d5ef"
 },
 {
 "value": "Piddialer",
@@ -2718,7 +3015,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99"
 ]
- }
+ },
+ "uuid": "c561faeb-2b49-413c-90fa-879fed864e76"
 },
 {
 "value": "Pikspam",
@@ -2727,7 +3025,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99"
 ]
- }
+ },
+ "uuid": "da914e7e-8cd2-49d2-9e6c-ce7f5174f3e1"
 },
 {
 "value": "Pincer",
@@ -2736,7 +3035,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99"
 ]
- }
+ },
+ "uuid": "4ef79875-3b57-4025-8a2a-07cdb078064f"
 },
 {
 "value": "Pirator",
@@ -2745,7 +3045,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99"
 ]
- }
+ },
+ "uuid": "42b22f4f-c4ca-49a7-8ef2-4f470a611d87"
 },
 {
 "value": "Pjapps",
@@ -2754,7 +3055,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99"
 ]
- }
+ },
+ "uuid": "5ad131de-ee9b-4815-9779-dd41bbc691ac"
 },
 {
 "value": "Pjapps.B",
@@ -2763,7 +3065,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99"
 ]
- }
+ },
+ "uuid": "337a4e0f-3ba7-4b3e-8ee8-6dec28efa367"
 },
 {
 "value": "Pletora",
@@ -2772,7 +3075,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99"
 ]
- }
+ },
+ "uuid": "e7fcea42-c041-4650-8a74-980e2580f707"
 },
 {
 "value": "Poisoncake",
@@ -2781,7 +3085,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99"
 ]
- }
+ },
+ "uuid": "f3fa28df-2f61-4391-921d-0df12015406a"
 },
 {
 "value": "Pontiflex",
@@ -2790,7 +3095,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99"
 ]
- }
+ },
+ "uuid": "a69028fd-345c-46c1-a8e4-5344edf4a83b"
 },
 {
 "value": "Positmob",
@@ -2799,7 +3105,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99"
 ]
- }
+ },
+ "uuid": "55014563-84cd-42bd-a4d0-9cb59fed0954"
 },
 {
 "value": "Premiumtext",
@@ -2808,7 +3115,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99"
 ]
- }
+ },
+ "uuid": "aafa218b-681d-4fa9-bbe0-3e5e1655e379"
 },
 {
 "value": "Pris",
@@ -2817,7 +3125,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99"
 ]
- }
+ },
+ "uuid": "84c24979-1f6b-4fb6-9783-b0262002f27c"
 },
 {
 "value": "Qdplugin",
@@ -2826,7 +3135,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99"
 ]
- }
+ },
+ "uuid": "104be155-2e71-46bf-90a4-c2b27c6b6825"
 },
 {
 "value": "Qicsomos",
@@ -2835,7 +3145,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99"
 ]
- }
+ },
+ "uuid": "ef0a5556-2328-47f2-9703-bd8001639afe"
 },
 {
 "value": "Qitmo",
@@ -2844,7 +3155,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99"
 ]
- }
+ },
+ "uuid": "0d2c5dd9-8300-4570-a49e-971ac90efdec"
 },
 {
 "value": "Rabbhome",
@@ -2853,7 +3165,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99"
 ]
- }
+ },
+ "uuid": "4c15d120-70c8-4d9f-b001-bf6c218a991a"
 },
 {
 "value": "Repane",
@@ -2862,7 +3175,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99"
 ]
- }
+ },
+ "uuid": "4f07cf74-9b9b-479d-859e-67a2a13ca5de"
 },
 {
 "value": "Reputation.1",
@@ -2871,7 +3185,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99"
 ]
- }
+ },
+ "uuid": "d1ef2846-24cc-48a7-9bf2-c739eed7d25a"
 },
 {
 "value": "Reputation.2",
@@ -2880,7 +3195,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99"
 ]
- }
+ },
+ "uuid": "522a2325-290b-45ac-9eab-ffdf3898dbee"
 },
 {
 "value": "Reputation.3",
@@ -2889,7 +3205,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99"
 ]
- }
+ },
+ "uuid": "095a898a-301a-49f1-9bc6-c43425d17c8e"
 },
 {
 "value": "RevMob",
@@ -2898,7 +3215,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99"
 ]
- }
+ },
+ "uuid": "6469a63e-5c6b-4517-9540-eb16488ad67a"
 },
 {
 "value": "Roidsec",
@@ -2907,7 +3225,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99"
 ]
- }
+ },
+ "uuid": "06ae93ed-13ba-4200-9c91-8901f08a4fae"
 },
 {
 "value": "Rootcager",
@@ -2916,7 +3235,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99"
 ]
- }
+ },
+ "uuid": "25f0c7d4-f961-4cd1-ac70-90242506200d"
 },
 {
 "value": "Rootnik",
@@ -2925,7 +3245,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99"
 ]
- }
+ },
+ "uuid": "05f5a051-d7a2-4757-a2f0-d685334d9374"
 },
 {
 "value": "Rufraud",
@@ -2934,7 +3255,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99"
 ]
- }
+ },
+ "uuid": "99064315-2097-4c2e-8f92-a34ab9422441"
 },
 {
 "value": "Rusms",
@@ -2943,7 +3265,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99"
 ]
- }
+ },
+ "uuid": "77ba4823-2d71-4ead-aba8-71a15a2a7c99"
 },
 {
 "value": "Samsapo",
@@ -2952,7 +3275,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99"
 ]
- }
+ },
+ "uuid": "d266a784-3ce7-40f2-b710-0d758700276b"
 },
 {
 "value": "Sandorat",
@@ -2961,7 +3285,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99"
 ]
- }
+ },
+ "uuid": "f0baccdc-d38f-4bb1-ab42-319b69be6322"
 },
 {
 "value": "Sberick",
@@ -2970,7 +3295,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99"
 ]
- }
+ },
+ "uuid": "bd781792-dd1f-4fa9-a523-53f578b8f52c"
 },
 {
 "value": "Scartibro",
@@ -2979,7 +3305,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99"
 ]
- }
+ },
+ "uuid": "0c7bac44-c062-4dd6-824d-79f3c225d3e5"
 },
 {
 "value": "Scipiex",
@@ -2988,7 +3315,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99"
 ]
- }
+ },
+ "uuid": "e658c4ff-a749-44d1-9c7c-d8782cecbb05"
 },
 {
 "value": "Selfmite",
@@ -2997,7 +3325,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99"
 ]
- }
+ },
+ "uuid": "666eb607-971e-4a90-92df-2b1903eb5c29"
 },
 {
 "value": "Selfmite.B",
@@ -3006,7 +3335,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99"
 ]
- }
+ },
+ "uuid": "1031ff29-419d-450e-a1d3-d203db10b7df"
 },
 {
 "value": "SellARing",
@@ -3015,7 +3345,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99"
 ]
- }
+ },
+ "uuid": "875a58aa-f155-48d5-86a7-b18bf711a211"
 },
 {
 "value": "SendDroid",
@@ -3024,7 +3355,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99"
 ]
- }
+ },
+ "uuid": "69ca9eb1-f19a-4442-8bfd-ac5f9a5387c2"
 },
 {
 "value": "Simhosy",
@@ -3033,7 +3365,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99"
 ]
- }
+ },
+ "uuid": "96624486-651c-499d-a731-83e149e16ea4"
 },
 {
 "value": "Simplocker",
@@ -3042,7 +3375,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99"
 ]
- }
+ },
+ "uuid": "194d0629-9e26-4de4-8239-85b862aadc7f"
 },
 {
 "value": "Simplocker.B",
@@ -3051,7 +3385,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99"
 ]
- }
+ },
+ "uuid": "6cf6fdd1-acce-4498-afe9-bc9202235cfa"
 },
 {
 "value": "Skullkey",
@@ -3060,7 +3395,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99"
 ]
- }
+ },
+ "uuid": "8f5e8349-14cb-4dc2-86dc-bcfe7360d4c7"
 },
 {
 "value": "Smaato",
@@ -3069,7 +3405,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99"
 ]
- }
+ },
+ "uuid": "5e02d505-59bf-493e-b9d8-29dffcc5045a"
 },
 {
 "value": "Smbcheck",
@@ -3078,7 +3415,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99"
 ]
- }
+ },
+ "uuid": "60be1539-2205-4865-87ab-318dcdb1873e"
 },
 {
 "value": "Smsblocker",
@@ -3087,7 +3425,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99"
 ]
- }
+ },
+ "uuid": "13b6f47b-12bd-4c0a-88d1-b6a627169266"
 },
 {
 "value": "Smsbomber",
@@ -3096,7 +3435,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99"
 ]
- }
+ },
+ "uuid": "054789dc-6ffa-4a06-ace9-6fd7095c7504"
 },
 {
 "value": "Smslink",
@@ -3105,7 +3445,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99"
 ]
- }
+ },
+ "uuid": "5d41547a-fc71-4e49-8dbf-59f15a58a74c"
 },
 {
 "value": "Smspacem",
@@ -3114,7 +3455,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99"
 ]
- }
+ },
+ "uuid": "3191e73e-72a4-4a05-9d5b-2da158822820"
 },
 {
 "value": "SMSReplicator",
@@ -3123,7 +3465,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99"
 ]
- }
+ },
+ "uuid": "8e638226-b772-492c-b0a3-3a77e5b08496"
 },
 {
 "value": "Smssniffer",
@@ -3132,7 +3475,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99"
 ]
- }
+ },
+ "uuid": "4d79cd58-217a-454a-991c-19219612580c"
 },
 {
 "value": "Smsstealer",
@@ -3141,7 +3485,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99"
 ]
- }
+ },
+ "uuid": "c502316f-f3bb-47a4-9198-d73426609429"
 },
 {
 "value": "Smstibook",
@@ -3150,7 +3495,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99"
 ]
- }
+ },
+ "uuid": "312806f6-dc58-4b2b-b86e-1338626460ea"
 },
 {
 "value": "Smszombie",
@@ -3159,7 +3505,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99"
 ]
- }
+ },
+ "uuid": "99884c3e-cc56-4099-a52b-136ae0078d61"
 },
 {
 "value": "Snadapps",
@@ -3168,7 +3515,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99"
 ]
- }
+ },
+ "uuid": "ac43bc86-59da-42ad-82d6-d0a17cc04a40"
 },
 {
 "value": "Sockbot",
@@ -3177,7 +3525,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99"
 ]
- }
+ },
+ "uuid": "e8096285-d437-4664-9125-d30cb19b84cb"
 },
 {
 "value": "Sockrat",
@@ -3186,7 +3535,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99"
 ]
- }
+ },
+ "uuid": "dadccdda-a4c2-4021-90b9-61a394e602be"
 },
 {
 "value": "Sofacy",
@@ -3195,7 +3545,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99"
 ]
- }
+ },
+ "uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729"
 },
 {
 "value": "Sosceo",
@@ -3204,7 +3555,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99"
 ]
- }
+ },
+ "uuid": "f1118dcb-13a3-4021-8dee-22201ae9324a"
 },
 {
 "value": "Spitmo",
@@ -3213,7 +3565,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99"
 ]
- }
+ },
+ "uuid": "98a51dbd-5fe4-44f1-8171-2f7bb5691ca8"
 },
 {
 "value": "Spitmo.B",
@@ -3222,7 +3575,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99"
 ]
- }
+ },
+ "uuid": "75ee2fc5-f412-42a3-b17b-be5b7c1b5172"
 },
 {
 "value": "Spyagent",
@@ -3231,7 +3585,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99"
 ]
- }
+ },
+ "uuid": "b399f848-032d-4e7b-8c53-1d61ef53ef73"
 },
 {
 "value": "Spybubble",
@@ -3240,7 +3595,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99"
 ]
- }
+ },
+ "uuid": "ee87a204-a0d6-4e4b-ba05-85853df60857"
 },
 {
 "value": "Spydafon",
@@ -3249,7 +3605,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99"
 ]
- }
+ },
+ "uuid": "8e313409-bee2-4ea5-9dc5-062dde2d37a7"
 },
 {
 "value": "Spymple",
@@ -3258,7 +3615,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99"
 ]
- }
+ },
+ "uuid": "d2f7d24a-5ad2-4cae-a600-9f9e0415e32f"
 },
 {
 "value": "Spyoo",
@@ -3267,7 +3625,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99"
 ]
- }
+ },
+ "uuid": "d3f5be8f-e1bd-45a7-b78e-1594884ed740"
 },
 {
 "value": "Spytekcell",
@@ -3276,7 +3635,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99"
 ]
- }
+ },
+ "uuid": "7e83bb34-5b0a-4a04-9c33-45ccd62adb49"
 },
 {
 "value": "Spytrack",
@@ -3285,7 +3645,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99"
 ]
- }
+ },
+ "uuid": "70ff60ea-2955-4ab0-ad7f-aa33e6bb0b9c"
 },
 {
 "value": "Spywaller",
@@ -3294,7 +3655,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99"
 ]
- }
+ },
+ "uuid": "eff7bcd4-a797-4a85-8db2-583b182c98e5"
 },
 {
 "value": "Stealthgenie",
@@ -3303,7 +3665,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99"
 ]
- }
+ },
+ "uuid": "3e90ee61-4377-473f-8469-7a91875b54f1"
 },
 {
 "value": "Steek",
@@ -3312,7 +3675,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99"
 ]
- }
+ },
+ "uuid": "31f0f24e-6807-4a1a-b14d-cb421b1aea12"
 },
 {
 "value": "Stels",
@@ -3321,7 +3685,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99"
 ]
- }
+ },
+ "uuid": "435cbdcd-4cab-4a2e-8e58-9094b6226f94"
 },
 {
 "value": "Stiniter",
@@ -3330,7 +3695,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99"
 ]
- }
+ },
+ "uuid": "418dc95a-a638-4e85-b72d-0bf6b7cbda0c"
 },
 {
 "value": "Sumzand",
@@ -3339,7 +3705,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99"
 ]
- }
+ },
+ "uuid": "2799ad1e-b438-4da5-a489-6035643c71a8"
 },
 {
 "value": "Sysecsms",
@@ -3348,7 +3715,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99"
 ]
- }
+ },
+ "uuid": "7f7611d7-0419-4d6c-8026-6d132912f297"
 },
 {
 "value": "Tanci",
@@ -3357,7 +3725,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99"
 ]
- }
+ },
+ "uuid": "031cabf7-f43c-4de3-9cd7-2ee96a4a3696"
 },
 {
 "value": "Tapjoy",
@@ -3366,7 +3735,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99"
 ]
- }
+ },
+ "uuid": "e57f936d-0cf2-4f83-9daf-3d167de8fdfb"
 },
 {
 "value": "Tapsnake",
@@ -3375,7 +3745,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99"
 ]
- }
+ },
+ "uuid": "a5ff203d-3613-4b66-bdec-ef342e9c85c2"
 },
 {
 "value": "Tascudap",
@@ -3384,7 +3755,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99"
 ]
- }
+ },
+ "uuid": "171cfcc4-171c-4f62-82c0-b1583937cd0d"
 },
 {
 "value": "Teelog",
@@ -3393,7 +3765,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99"
 ]
- }
+ },
+ "uuid": "9de29650-4fca-40d1-8def-1fe39bde13a3"
 },
 {
 "value": "Temai",
@@ -3402,7 +3775,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99"
 ]
- }
+ },
+ "uuid": "3b8479b5-1ea2-4a0d-a80d-4ab9f91b477a"
 },
 {
 "value": "Tetus",
@@ -3411,7 +3785,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99"
 ]
- }
+ },
+ "uuid": "d706632e-0940-4ae0-9fc5-ed59b941828c"
 },
 {
 "value": "Tgpush",
@@ -3420,7 +3795,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99"
 ]
- }
+ },
+ "uuid": "c9e1c4d7-7082-45c3-8aae-4449d94639ef"
 },
 {
 "value": "Tigerbot",
@@ -3429,7 +3805,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99"
 ]
- }
+ },
+ "uuid": "7ae84b6b-79c0-4835-8ebe-f9da724cde3f"
 },
 {
 "value": "Tonclank",
@@ -3438,7 +3815,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99"
 ]
- }
+ },
+ "uuid": "68c29f38-36a6-46c0-bef9-cd70de3d6497"
 },
 {
 "value": "Trogle",
@@ -3447,7 +3825,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99"
 ]
- }
+ },
+ "uuid": "fae64496-415e-49fa-94ed-519ef7a0fac9"
 },
 {
 "value": "Twikabot",
@@ -3456,7 +3835,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99"
 ]
- }
+ },
+ "uuid": "301a279e-ea93-4857-b994-b846712b6fac"
 },
 {
 "value": "Uapush",
@@ -3465,7 +3845,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99"
 ]
- }
+ },
+ "uuid": "c7c3547b-513c-4f65-b896-77bcf2bbf3a9"
 },
 {
 "value": "Umeng",
@@ -3474,7 +3855,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99"
 ]
- }
+ },
+ "uuid": "bc21922b-50a2-49a2-8828-c032b75dd4d1"
 },
 {
 "value": "Updtbot",
@@ -3483,7 +3865,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99"
 ]
- }
+ },
+ "uuid": "572c7fc4-081b-4e13-a1c2-5c1b7c7288bf"
 },
 {
 "value": "Upush",
@@ -3492,7 +3875,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99"
 ]
- }
+ },
+ "uuid": "6d386a6c-0cd2-47f9-891d-435e135bf005"
 },
 {
 "value": "Uracto",
@@ -3501,7 +3885,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99"
 ]
- }
+ },
+ "uuid": "d94c59b1-165b-4f8c-ba96-16209a99bbd0"
 },
 {
 "value": "Uranico",
@@ -3510,7 +3895,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99"
 ]
- }
+ },
+ "uuid": "6d50487d-ac9a-4369-9520-471b2c9d2413"
 },
 {
 "value": "Usbcleaver",
@@ -3519,7 +3905,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99"
 ]
- }
+ },
+ "uuid": "5110098d-d07d-4e85-bde5-2b2dcd844317"
 },
 {
 "value": "Utchi",
@@ -3528,7 +3915,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99"
 ]
- }
+ },
+ "uuid": "45633e6c-482b-40d8-aab6-5702ebfd1a25"
 },
 {
 "value": "Uten",
@@ -3537,7 +3925,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99"
 ]
- }
+ },
+ "uuid": "a677735e-fc30-47ea-a679-3eae567a0c50"
 },
 {
 "value": "Uupay",
@@ -3546,7 +3935,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99"
 ]
- }
+ },
+ "uuid": "0766d789-3c9b-4bad-bc2e-8bdeccdef2fa"
 },
 {
 "value": "Uxipp",
@@ -3555,7 +3945,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99"
 ]
- }
+ },
+ "uuid": "da60c9f2-5429-46f6-9482-6f406e56ba07"
 },
 {
 "value": "Vdloader",
@@ -3564,7 +3955,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99"
 ]
- }
+ },
+ "uuid": "d0dbf62f-77fe-4051-a34a-67c843248357"
 },
 {
 "value": "VDopia",
@@ -3573,7 +3965,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99"
 ]
- }
+ },
+ "uuid": "17241b57-1b2f-4013-bc8b-f68e4e57e1a7"
 },
 {
 "value": "Virusshield",
@@ -3582,7 +3975,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99"
 ]
- }
+ },
+ "uuid": "dd1185c0-6456-4231-b39b-b127c2be88c5"
 },
 {
 "value": "VServ",
@@ -3591,7 +3985,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99"
 ]
- }
+ },
+ "uuid": "e8d75cbf-aaed-4b9e-8599-36ee963f8439"
 },
 {
 "value": "Walkinwat",
@@ -3600,7 +3995,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99"
 ]
- }
+ },
+ "uuid": "e2696142-5981-4055-874b-727eefda8c46"
 },
 {
 "value": "Waps",
@@ -3609,7 +4005,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99"
 ]
- }
+ },
+ "uuid": "aa3cebc6-9083-42c4-8eae-e7662aa934a2"
 },
 {
 "value": "Waren",
@@ -3618,7 +4015,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99"
 ]
- }
+ },
+ "uuid": "164fb7dd-3fab-45fd-9d0a-4c2d61841059"
 },
 {
 "value": "Windseeker",
@@ -3627,7 +4025,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99"
 ]
- }
+ },
+ "uuid": "30b09d1a-2503-4481-a939-f6227fb2ead5"
 },
 {
 "value": "Wiyun",
@@ -3636,7 +4035,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99"
 ]
- }
+ },
+ "uuid": "ced6bfb0-a4eb-460a-9594-185ddaaec5c6"
 },
 {
 "value": "Wooboo",
@@ -3645,7 +4045,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99"
 ]
- }
+ },
+ "uuid": "0bd6959f-b764-431f-b75c-0cb4fe88f025"
 },
 {
 "value": "Wqmobile",
@@ -3654,7 +4055,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99"
 ]
- }
+ },
+ "uuid": "ce553391-48ef-4749-af44-ef899e710558"
 },
 {
 "value": "YahooAds",
@@ -3663,7 +4065,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99"
 ]
- }
+ },
+ "uuid": "8ff80176-7fb2-41ed-8b4c-5995d4f4bc9f"
 },
 {
 "value": "Yatoot",
@@ -3672,7 +4075,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99"
 ]
- }
+ },
+ "uuid": "ac66cb33-91a0-4777-a78d-8077089a7231"
 },
 {
 "value": "Yinhan",
@@ -3681,7 +4085,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99"
 ]
- }
+ },
+ "uuid": "956d67a6-5e5f-48bf-b1c5-bc34536b8845"
 },
 {
 "value": "Youmi",
@@ -3690,7 +4095,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99"
 ]
- }
+ },
+ "uuid": "805ea1fb-c6e3-47d9-9eb5-2d4b73e63f42"
 },
 {
 "value": "YuMe",
@@ -3699,7 +4105,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99"
 ]
- }
+ },
+ "uuid": "e5a6a49e-92df-4e94-ac87-78d0f08c482e"
 },
 {
 "value": "Zeahache",
@@ -3708,7 +4115,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99"
 ]
- }
+ },
+ "uuid": "78f04148-de99-4249-8057-ca610d6cab4e"
 },
 {
 "value": "ZertSecurity",
@@ -3717,7 +4125,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99"
 ]
- }
+ },
+ "uuid": "3f77d88c-b3a6-4cc8-bc09-40dca0f942c5"
 },
 {
 "value": "ZestAdz",
@@ -3726,7 +4135,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99"
 ]
- }
+ },
+ "uuid": "94572b76-b677-40da-8e92-db29ea1f0307"
 },
 {
 "value": "Zeusmitmo",
@@ -3735,7 +4145,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99"
 ]
- }
+ },
+ "uuid": "1bce8b50-16e8-4548-94c9-f82bdbc91053"
 },
 {
 "value": "SLocker",
@@ -3748,7 +4159,8 @@
 "synonyms": [
 "SMSLocker"
 ]
- }
+ },
+ "uuid": "e8bb68f2-d8ca-4576-b47b-8123aef6324b"
 },
 {
 "value": "Loapi",
@@ -3757,7 +4169,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/"
 ]
- }
+ },
+ "uuid": "2620f8ce-a4a6-4ea2-a281-7f476ff114ed"
 },
 {
 "value": "Podec",
@@ -3766,7 +4179,8 @@
 "refs": [
 "https://securelist.com/sms-trojan-bypasses-captcha/69169//"
 ]
- }
+ },
+ "uuid": "e3cd1cf3-2f49-4adc-977f-d15a2b0b4c85"
 }
 ],
 "version": 4,
diff --git a/clusters/banker.json b/clusters/banker.json
index f6c6300..c98c0a6 100644
--- a/clusters/banker.json
+++ b/clusters/banker.json
@@ -11,7 +11,8 @@
 "date": "Initally discovered between 2006 and 2007. New bankers with Zeus roots still active today."
 },
 "description": "Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.",
- "value": "Zeus"
+ "value": "Zeus",
+ "uuid": "f0ec2df5-2e38-4df3-970d-525352006f2e"
 },
 {
 "meta": {
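Review bot: The `version` field of `clusters/android.json` is left as the unchanged context line ` "version": 4,` at the end of the last hunk, even though every cluster entry in the file gains a new `uuid`; if this repository follows the usual convention of bumping `version` whenever cluster content changes, consumers that only re-import on a version increase will not pick up the new identifiers. The same applies to `clusters/banker.json`, whose ` "version": 7,` is likewise an unchanged context line in its last hunk, and presumably to `clusters/botnet.json`, whose tail is outside this view. Proposed change: `+ "version": 5,` for android.json and `+ "version": 8,` for banker.json, with the same bump applied to botnet.json if its version is also untouched.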
@@ -27,7 +28,8 @@
 "date": "Discovered early 2013"
 },
 "description": "Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.",
- "value": "Vawtrak"
+ "value": "Vawtrak",
+ "uuid": "f3813bbd-682c-400d-8165-778be6d3f91f"
 },
 {
 "meta": {
@@ -41,7 +43,8 @@
 "date": "Discovery in 2014, still active"
 },
 "description": " Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.",
- "value": "Dridex"
+ "value": "Dridex",
+ "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e"
 },
 {
 "meta": {
@@ -59,7 +62,8 @@
 "date": "First seen ~ 2007"
 },
 "description": "Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010",
- "value": "Gozi"
+ "value": "Gozi",
+ "uuid": "b9448d2a-a23c-4bf2-92a1-d860716ba2f3"
 },
 {
 "meta": {
@@ -74,7 +78,8 @@
 "date": "Fall Oct. 2012 - Spring 2013"
 },
 "description": "Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.",
- "value": "Goziv2"
+ "value": "Goziv2",
+ "uuid": "71ad2c86-b9da-4351-acf9-7005f64062c7"
 },
 {
 "meta": {
@@ -87,7 +92,8 @@
 "date": "Beginning 2010"
 },
 "description": "Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.",
- "value": "Gozi ISFB"
+ "value": "Gozi ISFB",
+ "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369"
 },
 {
 "meta": {
@@ -99,7 +105,8 @@
 "date": "Since 2014"
 },
 "description": "Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.",
- "value": "Dreambot"
+ "value": "Dreambot",
+ "uuid": "549d1f8c-f76d-4d66-a1a2-2cd048d739ea"
 },
 {
 "meta": {
@@ -110,7 +117,8 @@
 "date": "Seen Autumn 2014"
 },
 "description": "Gozi ISFB variant ",
- "value": "IAP"
+ "value": "IAP",
+ "uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924"
 },
 {
 "meta": {
@@ -121,7 +129,8 @@
 "date": "Spring 2016"
 },
 "description": "GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.",
- "value": "GozNym"
+ "value": "GozNym",
+ "uuid": "bcefac9a-a928-490f-9cb6-a8863f40c949"
 },
 {
 "meta": {
@@ -135,7 +144,8 @@
 "date": "First seen in Fall 2016 and still active today."
 },
 "description": "Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails. ",
- "value": "Zloader Zeus"
+ "value": "Zloader Zeus",
+ "uuid": "2eb658ed-aff4-4253-a21f-9059b133ce17"
 },
 {
 "meta": {
@@ -149,7 +159,8 @@
 "date": "First seen ~Feb 2014"
 },
 "description": "Zeus variant that utilizes steganography in image files to retrieve configuration file. ",
- "value": "Zeus VM"
+ "value": "Zeus VM",
+ "uuid": "09d1cad8-6b06-48d7-a968-5b17bbe9ca65"
 },
 {
 "meta": {
@@ -159,7 +170,8 @@
 "date": "First seen ~Aug 2015"
 },
 "description": "Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.",
- "value": "Zeus Sphinx"
+ "value": "Zeus Sphinx",
+ "uuid": "8914802c-3aca-4a0d-874a-85ac7a1bc505"
 },
 {
 "meta": {
@@ -174,7 +186,8 @@
 "date": "First seen ~ Spring 2016"
 },
 "description": "Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.",
- "value": "Panda Banker"
+ "value": "Panda Banker",
+ "uuid": "f1971442-6477-4aa2-aafa-7529b8252455"
 },
 {
 "meta": {
@@ -189,7 +202,8 @@
 "date": "First seen 2014"
 },
 "description": "Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it's config in the registry. ",
- "value": "Zeus KINS"
+ "value": "Zeus KINS",
+ "uuid": "bc0be3a4-89d8-4c4c-b2aa-2dddbed1f71d"
 },
 {
 "meta": {
@@ -200,7 +214,8 @@
 "date": "First seen fall of 2014"
 },
 "description": "Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.",
- "value": "Chthonic"
+ "value": "Chthonic",
+ "uuid": "6deb9f26-969b-45aa-9222-c23663fd6ef8"
 },
 {
 "meta": {
@@ -217,7 +232,8 @@
 "date": "Discovered Fall 2016"
 },
 "description": "Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan",
- "value": "Trickbot"
+ "value": "Trickbot",
+ "uuid": "07e3260b-d80c-4c86-bd28-8adc111bbec6"
 },
 {
 "meta": {
@@ -231,7 +247,8 @@
 "date": "Discovered ~June 2014"
 },
 "description": "Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim's computer.",
- "value": "Dyre"
+ "value": "Dyre",
+ "uuid": "15e969e6-f031-4441-a49b-f401332e4b00"
 },
 {
 "meta": {
@@ -249,7 +266,8 @@
 "date": "Discovered ~Spring 2012"
 },
 "description": "Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.",
- "value": "Tinba"
+ "value": "Tinba",
+ "uuid": "5594b171-32ec-4145-b712-e7701effffdd"
 },
 {
 "meta": {
@@ -264,7 +282,8 @@
 "date": "Discovered ~Summer 2014"
 },
 "description": "Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.",
- "value": "Geodo"
+ "value": "Geodo",
+ "uuid": "8e002f78-7fb8-4e70-afd7-0b4ac655be26"
 },
 {
 "meta": {
@@ -280,7 +299,8 @@
 "date": "Discovered ~September 2011"
 },
 "description": "Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.",
- "value": "Feodo"
+ "value": "Feodo",
+ "uuid": "7ca93488-c357-44c3-b246-3f88391aca5a"
 },
 {
 "meta": {
@@ -293,7 +313,8 @@
 "date": "Discovered ~2010."
 },
 "description": "Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.",
- "value": "Ramnit"
+ "value": "Ramnit",
+ "uuid": "7e2288ec-e7d4-4833-9245-a2bc5ae40ee2"
 },
 {
 "meta": {
@@ -309,7 +330,8 @@
 "date": "Discovered ~2007"
 },
 "description": "Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.",
- "value": "Qakbot"
+ "value": "Qakbot",
+ "uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a"
 },
 {
 "meta": {
@@ -321,7 +343,8 @@
 "date": "Discovered ~Fall 2015"
 },
 "description": "Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.",
- "value": "Corebot"
+ "value": "Corebot",
+ "uuid": "8a3d46db-d3b4-4f89-99e2-d1f0de3f484c"
 },
 {
 "meta": {
@@ -341,7 +364,8 @@
 "date": "Discovered ~December 2016"
 },
 "description": "TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It's main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.",
- "value": "TinyNuke"
+ "value": "TinyNuke",
+ "uuid": "e683cd91-40b4-4e1c-be25-34a27610a22e"
 },
 {
 "meta": {
@@ -359,7 +383,8 @@
 "date": "Discovered in 2014"
 },
 "description": "Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails. ",
- "value": "Retefe"
+ "value": "Retefe",
+ "uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c"
 },
 {
 "meta": {
@@ -372,7 +397,8 @@
 "date": "Discovered ~early 2015"
 },
 "description": "ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.",
- "value": "ReactorBot"
+ "value": "ReactorBot",
+ "uuid": "d939e802-acb2-4881-bdaf-ece1eccf5699"
 },
 {
 "meta": {
@@ -382,7 +408,8 @@
 "date": "Discovered ~Spring 2017"
 },
 "description": "Matrix Banker is named accordingly because of the Matrix reference in it's C2 panel. Distributed primarily via malspam emails.",
- "value": "Matrix Banker"
+ "value": "Matrix Banker",
+ "uuid": "aa3fc68c-413c-4bfb-b4cd-bca7094da985"
 },
 {
 "meta": {
@@ -393,7 +420,8 @@
 "date": "Discovered ~Sept. 2011"
 },
 "description": "Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.",
- "value": "Zeus Gameover"
+ "value": "Zeus Gameover",
+ "uuid": "8653a94e-3eb3-4d88-8683-a1ae4a524774"
 },
 {
 "meta": {
@@ -405,7 +433,8 @@
 "date": "Discovered early 2011"
 },
 "description": "SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.",
- "value": "SpyEye"
+ "value": "SpyEye",
+ "uuid": "ebce18e9-b387-4b7d-bab9-4acd4fca7a7c"
 },
 {
 "meta": {
@@ -417,7 +446,8 @@
 "date": "Discovered ~January 2012"
 },
 "description": "Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.",
- "value": "Citadel"
+ "value": "Citadel",
+ "uuid": "9eb89081-3245-423a-995f-c1d78ce39619"
 },
 {
 "meta": {
@@ -428,7 +458,8 @@
 "date": "Discovered ~spring 2016"
 },
 "description": "Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.",
- "value": "Atmos"
+ "value": "Atmos",
+ "uuid": "ee021933-929d-4d6c-abca-5827cfb77289"
 },
 {
 "meta": {
@@ -438,7 +469,8 @@
 "date": "Discovered ~Fall 2011"
 },
 "description": "Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.",
- "value": "Ice IX"
+ "value": "Ice IX",
+ "uuid": "1d4a5704-c6fb-4bbb-92b2-88dc67f86339"
 },
 {
 "meta": {
@@ -448,7 +480,8 @@
 "date": "Discovered ~end of 2010"
 },
 "description": "Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.",
- "value": "Zitmo"
+ "value": "Zitmo",
+ "uuid": "3b1aff8f-647d-4709-aab0-6db1859c5f11"
 },
 {
 "meta": {
@@ -463,7 +496,8 @@
 "date": "Discovered in 2010"
 },
 "description": "Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011",
- "value": "Licat"
+ "value": "Licat",
+ "uuid": "0b097926-2e1a-4134-8ab9-4c16d0cca0fc"
 },
 {
 "meta": {
@@ -473,7 +507,8 @@
 "date": "Discovered end of 2012"
 },
 "description": "Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.",
- "value": "Skynet"
+ "value": "Skynet",
+ "uuid": "f20791e4-26a7-45e0-90e6-709553b223b2"
 },
 {
 "meta": {
@@ -484,7 +519,8 @@
 "date": "Discovered in September 2017"
 },
 "description": "According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.",
- "value": "IcedID"
+ "value": "IcedID",
+ "uuid": "9d67069c-b778-486f-8158-53f5dcd05d08"
 },
 {
 "value": "GratefulPOS",
@@ -493,7 +529,8 @@
 "refs": [
 "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season"
 ]
- }
+ },
+ "uuid": "7d9362e5-e3cf-4640-88a2-3faf31952963"
 },
 {
 "value": "Dok",
@@ -502,7 +539,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#Dok"
 ]
- }
+ },
+ "uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0"
 },
 {
 "value": "downAndExec",
@@ -511,7 +549,8 @@
 "refs": [
 "https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/"
 ]
- }
+ },
+ "uuid": "bfff538a-89dd-4bed-9ac1-b4faee373724"
 },
 {
 "value": "Smominru",
@@ -524,7 +563,8 @@
 "Ismo",
 "lsmo"
 ]
- }
+ },
+ "uuid": "f93acc85-8d2c-41e0-b0c5-47795b8c6194"
 }
 ],
 "version": 7,
diff --git a/clusters/botnet.json b/clusters/botnet.json
index f0c66d0..a298c3f 100644
--- a/clusters/botnet.json
+++ b/clusters/botnet.json
@@ -7,7 +7,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/"
 ]
- }
+ },
+ "uuid": "6d7fc046-61c8-4f4e-add9-eebe5b5f4f69"
 },
 {
 "value": "Bagle",
@@ -22,7 +23,8 @@
 "Lodeight"
 ],
 "date": "2004"
- }
+ },
+ "uuid": "d530ea76-9bbc-4276-a2e3-df04e0e5a14c"
 },
 {
 "value": "Marina Botnet",
@@ -38,7 +40,8 @@
 "Hacktool.Spammer",
 "Kraken"
 ]
- }
+ },
+ "uuid": "7296f769-9bb7-474d-bbc7-5839f71d052a"
 },
 {
 "value": "Torpig",
@@ -52,7 +55,8 @@
 "Anserin"
 ],
 "date": "2005"
- }
+ },
+ "uuid": "415a3667-4ac4-4718-a6ea-617540a4abb1"
 },
 {
 "value": "Storm",
@@ -69,7 +73,8 @@
 "Ecard"
 ],
 "date": "2007"
- }
+ },
+ "uuid": "74ebec0c-6db3-47b9-9879-0d125e413e76"
 },
 {
 "value": "Rustock",
@@ -82,7 +87,8 @@
 "Costrat"
 ],
 "date": "2006"
- }
+ },
+ "uuid": "9bca63cc-f0c7-4704-9c5f-b5bf473a9b43"
 },
 {
 "value": "Donbot",
@@ -94,7 +100,8 @@
 "Buzus",
 "Bachsoy"
 ]
- }
+ },
+ "uuid": "27a7fd9b-ec9a-4f4a-b3f5-a3b81c71970a"
 },
 {
 "value": "Cutwail",
@@ -108,7 +115,8 @@
 "Mutant"
 ],
 "date": "2007"
- }
+ },
+ "uuid": "35e25aad-7c39-4a1d-aa17-73fa638362e8"
 },
 {
 "value": "Akbot",
@@ -118,7 +126,8 @@
 "https://en.wikipedia.org/wiki/Akbot"
 ],
 "date": "2007"
- }
+ },
+ "uuid": "6e1168e6-7768-4fa2-951f-6d6934531633"
 },
 {
 "value": "Srizbi",
@@ -132,7 +141,8 @@
 "Exchanger"
 ],
 "date": "March 2007"
- }
+ },
+ "uuid": "6df98396-b52a-4f84-bec2-0060bc46bdbf"
 },
 {
 "value": "Lethic",
@@ -142,7 +152,8 @@ "https://en.wikipedia.org/wiki/Lethic_botnet" ], "date": "2008" - } + }, + "uuid": "a73e150f-1431-4f72-994a-4000405eff07" }, { "value": "Xarvester", @@ -154,7 +165,8 @@ "Rlsloup", "Pixoliz" ] - } + }, + "uuid": "e965dd3a-bfd9-4c88-b7a5-a8fc328ac859" }, { "value": "Sality", @@ -173,7 +185,8 @@ "Kukacka" ], "date": "2008" - } + }, + "uuid": "6fe5f49d-48b5-4dc2-92f7-8c94397b9c96" }, { "value": "Mariposa", @@ -183,7 +196,8 @@ "https://en.wikipedia.org/wiki/Mariposa_botnet" ], "date": "2008" - } + }, + "uuid": "f4878385-c6c7-4f6b-8637-08146841d2a2" }, { "value": "Conficker", @@ -199,7 +213,8 @@ "Kido" ], "date": "November 2008" - } + }, + "uuid": "ab49815e-8ba6-41ec-9f51-8a9587334069" }, { "value": "Waledac", @@ -213,7 +228,8 @@ "Waledpak" ], "date": "November 2008" - } + }, + "uuid": "4e324956-3177-4c8f-b0b6-e3bc4c3ede2f" }, { "value": "Maazben", @@ -222,7 +238,8 @@ "refs": [ "https://www.symantec.com/connect/blogs/evaluating-botnet-capacity" ] - } + }, + "uuid": "a461f744-ab52-4a78-85e4-aedca1303a4c" }, { "value": "Onewordsub", @@ -230,7 +247,8 @@ "refs": [ "https://www.botnets.fr/wiki/OneWordSub" ] - } + }, + "uuid": "4cc97d31-c9ab-4682-aae4-21dcbc02118f" }, { "value": "Gheg", @@ -243,7 +261,8 @@ "Tofsee", "Mondera" ] - } + }, + "uuid": "ca11e3f2-cda1-45dc-bed1-8708fa9e27a6" }, { "value": "Nucrypt", @@ -251,7 +270,8 @@ "refs": [ "https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en" ] - } + }, + "uuid": "ec9917f4-006b-4a32-9a58-c03b5c85abe4" }, { "value": "Wopla", @@ -259,7 +279,8 @@ "refs": [ "https://www.botnets.fr/wiki.old/index.php/Wopla" ] - } + }, + "uuid": "b2ec8e6b-414d-4d76-b51c-8ba3eee2918d" }, { "value": "Asprox", @@ -275,7 +296,8 @@ "Hydraflux" ], "date": "2008" - } + }, + "uuid": "0d58f329-1356-468c-88ab-e21fbb64c02b" }, { "value": "Spamthru", @@ -289,7 +311,8 @@ "Covesmer", "Xmiler" ] - } + }, + "uuid": "3da8c2f9-dbbf-4825-9010-2261b2007d22" }, { "value": "Gumblar", 
@@ -299,7 +322,8 @@ "https://en.wikipedia.org/wiki/Gumblar" ], "date": "2008" - } + }, + "uuid": "5b83d0ac-3661-465e-b3ab-ca182d1eacad" }, { "value": "BredoLab", @@ -312,7 +336,8 @@ "synonyms": [ "Oficla" ] - } + }, + "uuid": "65a30580-d542-4113-b00f-7fab98bd046c" }, { "value": "Grum", @@ -326,7 +351,8 @@ "Tedroo", "Reddyb" ] - } + }, + "uuid": "a2a601db-2ae7-4695-ac0c-0a3ea8822356" }, { "value": "Mega-D", @@ -338,7 +364,8 @@ "synonyms": [ "Ozdok" ] - } + }, + "uuid": "c12537fc-1de5-4d12-ae36-649f32919059" }, { "value": "Kraken", @@ -350,7 +377,8 @@ "synonyms": [ "Kracken" ] - } + }, + "uuid": "e721809b-2785-4ce3-b95a-7fde2762f736" }, { "value": "Festi", @@ -363,7 +391,8 @@ "synonyms": [ "Spamnost" ] - } + }, + "uuid": "b76128e3-cea5-4df8-8d23-d9f3305e5a14" }, { "value": "Vulcanbot", @@ -373,7 +402,8 @@ "https://en.wikipedia.org/wiki/Vulcanbot" ], "date": "March 2010" - } + }, + "uuid": "dfd17a50-65df-4ddc-899e-1052e5001a1f" }, { "value": "LowSec", @@ -384,7 +414,8 @@ "FreeMoney", "Ring0.Tools" ] - } + }, + "uuid": "533e3474-d08d-4d02-8adc-3765750dd3a3" }, { "value": "TDL4", @@ -398,7 +429,8 @@ "TDSS", "Alureon" ] - } + }, + "uuid": "61a17703-7837-4cc9-b022-b5ed6b30efc1" }, { "value": "Zeus", @@ -415,7 +447,8 @@ "Gorhax", "Kneber" ] - } + }, + "uuid": "e878d24d-f122-48c4-930c-f6b6d5f0ee28" }, { "value": "Kelihos", @@ -428,7 +461,8 @@ "synonyms": [ "Hlux" ] - } + }, + "uuid": "07b10419-e8b5-4b5f-a179-77fc9b127dc6" }, { "value": "Ramnit", @@ -438,7 +472,8 @@ "https://en.wikipedia.org/wiki/Botnet" ], "date": "2011" - } + }, + "uuid": "8ed81090-f098-4878-b87e-2d801b170759" }, { "value": "Zer0n3t", @@ -449,7 +484,8 @@ "Zer0n3t", "Zer0Log1x" ] - } + }, + "uuid": "417c36fb-fff7-40df-8387-07169113b9b4" }, { "value": "Chameleon", @@ -459,7 +495,8 @@ "https://en.wikipedia.org/wiki/Chameleon_botnet" ], "date": "2012" - } + }, + "uuid": "3084cd06-e415-4ff0-abd0-cf8fbf67c53c" }, { "value": "Mirai", 
@@ -469,7 +506,8 @@ "https://en.wikipedia.org/wiki/Mirai_(malware)" ], "date": "August 2016" - } + }, + "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185" }, { "value": "Satori", @@ -482,13 +520,15 @@ "synonyms": [ "Okiru" ] - } + }, + "uuid": "e77cf495-632a-4459-aad1-cdf29d73683f" }, { "value": "BetaBot", "meta": { "date": "April 2017" - } + }, + "uuid": "3d7c771b-b175-41c9-8ba1-904ef29715fa" } ], "name": "Botnet", diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json index 34599aa..2119fd1 100644 --- a/clusters/branded_vulnerability.json +++ b/clusters/branded_vulnerability.json @@ -10,7 +10,8 @@ "logo": [ "https://upload.wikimedia.org/wikipedia/commons/thumb/5/56/Meltdown_with_text.svg/300px-Meltdown_with_text.svg.png" ] - } + }, + "uuid": "70bee5b7-0fa3-4a4d-98ee-d8ab787c6db1" }, { "value": "Spectre", @@ -23,7 +24,8 @@ "logo": [ "https://en.wikipedia.org/wiki/File:Spectre_with_text.svg" ] - } + }, + "uuid": "36168188-6d14-463a-9713-f88764a83329" }, { "value": "Heartbleed", @@ -35,7 +37,8 @@ "logo": [ "https://upload.wikimedia.org/wikipedia/commons/thumb/d/dc/Heartbleed.svg/440px-Heartbleed.svg.png" ] - } + }, + "uuid": "d6d85947-e6ee-4d2e-bb48-437f31c7a270" }, { "value": "Shellshock", @@ -49,7 +52,8 @@ "https://upload.wikimedia.org/wikipedia/commons/8/86/Shellshock.png", "https://cdn-images-1.medium.com/max/1600/1*bopQcJtKouPOJ_isSzanLw.png" ] - } + }, + "uuid": "2102db77-5a51-40c1-bfc1-38fb7dcb7f05" }, { "value": "Ghost", @@ -61,7 +65,8 @@ "logo": [ "https://cdn-images-1.medium.com/max/1600/1*HnCEOo0RUT1fliJjRT02lA.png" ] - } + }, + "uuid": "a1640081-aa8d-4070-84b2-d23e2ae82799" }, { "value": "Stagefright", @@ -81,7 +86,8 @@ "https://upload.wikimedia.org/wikipedia/en/f/f2/Stagefright_bug_logo.png", "https://cdn-images-1.medium.com/max/1600/1*-Ivm3lZHNaOUwmklT4Rb1g.png" ] - } + }, + "uuid": "352916e7-62bf-4b0c-bce7-da759d1a4f5f" }, { "value": "Badlock", 
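Review bot: Nothing in this change checks the identifiers being added — the new `uuid` values in the `@@ -482,13 +520,15 @@` hunk and in every other hunk are hand-pasted strings, and the only guard against a typo, a duplicate, or a non-version-4 value is eyeballing several hundred of them. Since downstream tooling will key on these identifiers, I would add a repository test that loads every `clusters/*.json`, asserts each object in `values` has a `uuid`, and checks it with `assert uuid.UUID(entry["uuid"]).version == 4` plus a uniqueness assertion over the collected set, `assert len(seen) == len(set(seen))`, across all cluster files. The values visible here all look well-formed, so this is a missing check rather than a spotted defect.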
@@ -91,7 +97,8 @@ "https://upload.wikimedia.org/wikipedia/commons/thumb/4/4b/Badlock_logo.svg/440px-Badlock_logo.svg.png", "https://cdn-images-1.medium.com/max/1600/1*EVbwwxEBOU83NKxgQrPG9w.png" ] - } + }, + "uuid": "74f2bd2c-69f1-4d28-8d42-94b7ef89f31e" }, { "value": "Dirty COW", @@ -103,7 +110,8 @@ "logo": [ "https://upload.wikimedia.org/wikipedia/commons/thumb/1/1b/DirtyCow.svg/440px-DirtyCow.svg.png" ] - } + }, + "uuid": "54196537-cb0c-425c-83d6-437d41b4cc65" }, { "value": "POODLE", @@ -112,11 +120,13 @@ "aliases": [ "CVE-2014-3566" ] - } + }, + "uuid": "22b9af72-48c9-4da1-b13d-15667dbdd998" }, { "value": "BadUSB", - "description": "The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent." + "description": "The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.", + "uuid": "bc3a3299-1443-4390-8b25-4bb280c1abd7" }, { "value": "ImageTragick", @@ -127,7 +137,8 @@ "logo": [ "https://imagetragick.com/img/logo-medium.png" ] - } + }, + "uuid": "e85e1270-eec5-4331-8004-a063125a54b4" } ], "version": 1, diff --git a/clusters/cert-eu-govsector.json b/clusters/cert-eu-govsector.json index 7c60f29..64c7131 100644 --- a/clusters/cert-eu-govsector.json +++ b/clusters/cert-eu-govsector.json 
@@ -1,22 +1,28 @@
 {
 "values": [
 {
- "value": "Constituency"
+ "value": "Constituency",
+ "uuid": "8ebd301f-067f-499d-8718-f63c8ced73ac"
 },
 {
- "value": "EU-Centric"
+ "value": "EU-Centric",
+ "uuid": "bf3fd6a1-692e-4d77-b17d-496f71eebac9"
 },
 {
- "value": "EU-nearby"
+ "value": "EU-nearby",
+ "uuid": "536dada1-30e5-453a-9611-33597ab5c373"
 },
 {
- "value": "World-class"
+ "value": "World-class",
+ "uuid": "8024aa5d-d0b0-4114-87c9-92e358c96850"
 },
 {
- "value": "Unknown"
+ "value": "Unknown",
+ "uuid": "32f8b3dd-defc-47c8-a070-378f5e0e1be8"
 },
 {
- "value": "Outside World"
+ "value": "Outside World",
+ "uuid": "adc80f46-86ef-4de8-95d1-15c45c15d002"
 }
 ],
 "version": 1,
diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json
index 520a706..db13ad7 100644
--- a/clusters/exploit-kit.json
+++ b/clusters/exploit-kit.json
@@ -12,14 +12,16 @@
 "Stegano EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "e9ca60cd-94fc-4a54-ac98-30e675a46b3e"
 },
 {
 "value": "Bingo",
 "description": "Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia",
 "meta": {
 "status": "Active"
- }
+ },
+ "uuid": "9e864c01-3d9e-4b8d-811e-46471ff866e9"
 },
 {
 "value": "Terror EK",
@@ -33,7 +35,8 @@
 "Neptune EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "f15f9264-854e-4e25-8641-cde2faeb86e9"
 },
 {
 "value": "DealersChoice",
@@ -48,7 +51,8 @@
 "Sednit RTF EK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "0f116533-a755-4cfc-815a-fa6bcb85efb7"
 },
 {
 "value": "DNSChanger",
@@ -62,7 +66,8 @@
 "RouterEK"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "74fb6a14-1279-4a5b-939a-76478d36d3e1"
 },
 {
 "value": "Disdain",
@@ -72,7 +77,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/"
 ],
 "status": "Active"
- }
+ },
+ "uuid": "1ded776d-6772-4cc8-a27f-f61e24a58d96"
 },
 {
 "value": "Kaixin",
@@ -86,7 +92,8 @@ "CK vip" ], "status": "Active" - } + }, + "uuid": "e6c1cfcf-3e37-4f5a-9494-989dd8c43d88" }, { "value": "Magnitude", @@ -103,7 +110,8 @@ "TopExp" ], "status": "Active" - } + }, + "uuid": "6a313e11-5bb2-40ed-8cde-9de768b783b1" }, { "value": "MWI", @@ -114,7 +122,8 @@ "https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf" ], "status": "Active" - } + }, + "uuid": "489acbf2-d80b-4bb5-ac7d-c8573dcb6324" }, { "value": "RIG", @@ -133,7 +142,8 @@ "Meadgive" ], "status": "Active" - } + }, + "uuid": "0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a" }, { "value": "Sednit EK", @@ -147,7 +157,8 @@ "SedKit" ], "status": "Active" - } + }, + "uuid": "c8b9578a-78be-420c-a29b-9214d09685c8" }, { "value": "Sundown-P", @@ -161,7 +172,8 @@ "CaptainBlack" ], "status": "Active" - } + }, + "uuid": "3235ae90-598b-45dc-b336-852817b271a8" }, { "value": "Bizarro Sundown", @@ -175,7 +187,8 @@ "Sundown-b" ], "status": "Retired" - } + }, + "uuid": "ef3b170e-3fbe-420b-b202-4689da137c50" }, { "value": "Hunter", @@ -188,7 +201,8 @@ "3ROS Exploit Kit" ], "status": "Retired - Last seen 2017-02-06" - } + }, + "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c" }, { "value": "GreenFlash Sundown", @@ -201,7 +215,8 @@ "Sundown-GF" ], "status": "Active" - } + }, + "uuid": "6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2" }, { "value": "Angler", @@ -218,7 +233,8 @@ "Axpergle" ], "status": "Retired - Last seen: 2016-06-07" - } + }, + "uuid": "5daf41c7-b297-4228-85d1-eb040d5b7c90" }, { "value": "Archie", @@ -228,7 +244,8 @@ "https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit" ], "status": "Retired" - } + }, + "uuid": "2756caae-d2c5-4170-9e76-2b7f1b1fccb1" }, { "value": "BlackHole", @@ -242,7 +259,8 @@ "BHEK" ], "status": "Retired - Last seen: 2013-10-07" - } + }, + "uuid": "e6201dc3-01a7-40c5-ba72-02fa470ada53" }, { "value": "Bleeding Life", 
@@ -257,7 +275,8 @@ "BL2" ], "status": "Retired" - } + }, + "uuid": "5abe6240-dce2-4455-8125-ddae2e651243" }, { "value": "Cool", @@ -273,7 +292,8 @@ "Styxy Cool" ], "status": "Retired - Last seen: 2013-10-07" - } + }, + "uuid": "9bb229b0-80f9-48e5-b8fb-00ee7af070cb" }, { "value": "Fiesta", @@ -288,7 +308,8 @@ "Fiexp" ], "status": "Retired - Last Seen: beginning of 2015-07" - } + }, + "uuid": "f50f860a-d795-4f4e-a170-8190f65499ad" }, { "value": "Empire", @@ -301,7 +322,8 @@ "RIG-E" ], "status": "Retired - Last seen: 2016-12-29" - } + }, + "uuid": "6eb15569-4ddd-4820-9a44-7bca5b303b86" }, { "value": "FlashPack", @@ -318,7 +340,8 @@ "Vintage Pack" ], "status": "Retired - Last seen: middle of 2015-04" - } + }, + "uuid": "55a30ccc-8905-4af2-a498-5c0010815cc1" }, { "value": "GrandSoft", @@ -334,7 +357,8 @@ "SofosFO" ], "status": "Active" - } + }, + "uuid": "180b6969-2aca-4642-b684-b57db8f0eff8" }, { "value": "HanJuan", @@ -347,7 +371,8 @@ "https://twitter.com/kafeine/status/562575744501428226" ], "status": "Retired - Last seen: 2015-07" - } + }, + "uuid": "886abdc6-db1a-4fc5-afe0-e17d65a83614" }, { "value": "Himan", @@ -360,7 +385,8 @@ "High Load" ], "status": "Retired - Last seen: 2014-04" - } + }, + "uuid": "3d0cb558-7f04-4be8-963e-5f137566b07b" }, { "value": "Impact", @@ -370,7 +396,8 @@ "http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html" ], "status": "Retired" - } + }, + "uuid": "319357b4-3041-4a71-89c5-51be08041d1b" }, { "value": "Infinity", @@ -385,7 +412,8 @@ "Goon" ], "status": "Retired - Last seen: 2014-07" - } + }, + "uuid": "4b858835-7b31-4b94-8144-b5175da1551f" }, { "value": "Lightsout", @@ -397,7 +425,8 @@ "http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html" ], "status": "Unknown - Last seen: 2014-03" - } + }, + "uuid": "244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1" }, { "value": "Nebula", 
@@ -407,7 +436,8 @@ "http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html" ], "status": "Retired - Last seen 2017-03-09" - } + }, + "uuid": "4ca96067-8fdd-4b48-bd34-d2e175e27bad" }, { "value": "Neutrino", @@ -423,7 +453,8 @@ "Neutrino-v" ], "status": "Retired - Last seen 2017-04-10" - } + }, + "uuid": "218ae39b-2f92-4355-91c6-50cce319d26d" }, { "value": "Niteris", @@ -437,7 +468,8 @@ "CottonCastle" ], "status": "Unknown - Last seen: 2015-11" - } + }, + "uuid": "b344133f-e223-4fda-8fb2-88ad7999e549" }, { "value": "Nuclear", @@ -453,7 +485,8 @@ "Neclu" ], "status": "Retired - Last seen: 2015-04-30" - } + }, + "uuid": "e7c516f9-5222-4f0d-b80b-ae9f4c24583d" }, { "value": "Phoenix", @@ -467,7 +500,8 @@ "PEK" ], "status": "Retired" - } + }, + "uuid": "0df2c7a6-046f-4489-8c77-0999c92c839d" }, { "value": "Private Exploit Pack", @@ -481,7 +515,8 @@ "PEP" ], "status": "Retired" - } + }, + "uuid": "cfd0a4af-f559-496f-b56b-97145ea4e4c3" }, { "value": "Redkit", @@ -493,7 +528,8 @@ "https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/" ], "status": "Retired" - } + }, + "uuid": "6958ff90-75e8-47ee-ab07-daa8d487130c" }, { "value": "Sakura", @@ -503,7 +539,8 @@ "http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html" ], "status": "Retired - Last seen: 2013-09" - } + }, + "uuid": "12af9112-3ac5-4422-858e-a22c293c6117" }, { "value": "SPL", @@ -518,7 +555,8 @@ "SPLNet", "SPL2" ] - } + }, + "uuid": "15936d30-c151-4051-835e-df327143ce76" }, { "value": "Sundown", @@ -535,7 +573,8 @@ ], "status": "Retired - Last seen 2017-03-08", "colour": "#C03701" - } + }, + "uuid": "670e28c4-001a-4ba4-b276-441620225123" }, { "value": "Sweet-Orange", @@ -549,7 +588,8 @@ "Anogre" ], "status": "Retired - Last seen: 2015-04-05" - } + }, + "uuid": "222bc508-4d8d-4972-9cac-65192cfefd43" }, { "value": "Styx", 
@@ -561,7 +601,8 @@ "http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html" ], "status": "Retired - Last seen: 2014-06" - } + }, + "uuid": "006eaa87-e8a6-4808-93ff-302b52c628b0" }, { "value": "WhiteHole", @@ -571,7 +612,8 @@ "http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html" ], "status": "Retired - Last seen: 2013-12" - } + }, + "uuid": "570bc715-7fe8-430b-bd2e-5512c95f2370" }, { "value": "Unknown", @@ -582,7 +624,8 @@ "https://twitter.com/node5", "https://twitter.com/kahusecurity" ] - } + }, + "uuid": "00815961-3249-4e2e-9421-bb57feb73bb2" } ], "version": 6, diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 5c771ea..5862c4b 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -16,7 +16,8 @@ ] }, "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", - "value": "PROMETHIUM" + "value": "PROMETHIUM", + "uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f" }, { "meta": { 
@@ -25,7 +26,8 @@ ] }, "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", - "value": "NEODYMIUM" + "value": "NEODYMIUM", + "uuid": "47b5007a-3fb1-466a-9578-629e6e735493" }, { "meta": { @@ -34,7 +36,8 @@ ] }, "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", - "value": "TERBIUM" + "value": "TERBIUM", + "uuid": "99784b80-6298-45ba-885c-0ed37bfd8324" }, { "meta": { 
@@ -58,7 +61,8 @@ ] }, "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. ", - "value": "STRONTIUM" + "value": "STRONTIUM", + "uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec" }, { "description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.", 
@@ -73,7 +77,8 @@ "synonyms": [ "darkhotel" ] - } + }, + "uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a" }, { "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", @@ -83,7 +88,8 @@ "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ] - } + }, + "uuid": "154e97b5-47ef-415a-99a6-2157f1b50339" }, { "meta": { 
@@ -92,7 +98,8 @@ ] }, "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", - "value": "BARIUM" + "value": "BARIUM", + "uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af" }, { "meta": { 
@@ -101,7 +108,8 @@ ] }, "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", - "value": "LEAD" + "value": "LEAD", + "uuid": "f542442e-ba0f-425d-b386-6c10351a468e" }, { "meta": { @@ -110,7 +118,8 @@ ] }, "description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ", - "value": "ZIRCONIUM" + "value": "ZIRCONIUM", + "uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d" } ] } diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json index 1f7c71c..fc7c62f 100644 --- a/clusters/preventive-measure.json 
+++ b/clusters/preventive-measure.json @@ -13,7 +13,8 @@ ] }, "value": "Backup and Restore Process", - "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore" + "description": "Make sure to have adequate backup processes on place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore", + "uuid": "5f942376-ea5b-4b23-9c26-81d3aeba7fb4" }, { "meta": { @@ -29,7 +30,8 @@ ] }, "value": "Block Macros", - "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros" + "description": "Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes:\nA.) Open downloaded documents in 'Protected View'\nB.) Open downloaded documents and block all macros", + "uuid": "79563662-8d92-4fd1-929a-9b8926a62685" }, { "meta": { @@ -45,7 +47,8 @@ "possible_issues": "Administrative VBS scripts on Workstations" }, "value": "Disable WSH", - "description": "Disable Windows Script Host" + "description": "Disable Windows Script Host", + "uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f" }, { "meta": { 
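Review bot: The rewritten `+ "description"` line of the "Backup and Restore Process" entry in the `@@ -13,7 +13,8 @@` hunk carries forward an unbalanced parenthesis and the phrase "on place"; since the commit already touches this exact line, it is the cheapest moment to correct it. I would make the new line read `"description": "Make sure to have adequate backup processes in place and frequently test a restore of these backups.\n(Schrödinger's backup - it is both existent and non-existent until you've tried a restore)",` with the `uuid` line following it unchanged.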
@@ -57,7 +60,8 @@ ] }, "value": "Filter Attachments Level 1", - "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub" + "description": "Filter the following attachments on your mail gateway:\n.ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub", + "uuid": "7055b72b-b113-4f93-8387-e6f58ce5fc92" }, { "meta": { @@ -70,7 +74,8 @@ "possible_issues": "Office Communication with old versions of Microsoft Office files (.doc, .xls) " }, "value": "Filter Attachments Level 2", - "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm" + "description": "Filter the following attachments on your mail gateway:\n(Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm", + "uuid": "8c9bbbf5-a321-4eb1-8c03-a399a9687687" }, { "meta": { @@ -87,7 +92,8 @@ "possible_issues": "Web embedded software installers" }, "value": "Restrict program execution", - "description": "Block all program executions from the %LocalAppData% and %AppData% folder" + "description": "Block all program executions from the %LocalAppData% and %AppData% folder", + "uuid": "6a234b1d-8e86-49c4-91d6-cc3be3d04f74" }, { "meta": { 
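Review bot: The `+ "description"` line of "Filter Attachments Level 1" in the `@@ -57,7 +60,8 @@` hunk lists `.exe` twice (once in the middle of the list and again near the end, before `.pif`), which the rewrite preserves verbatim. A consumer that turns this string into a gateway filter list will not break on the duplicate, but it is a sign the list was never deduplicated, so I would drop the second `.exe` on the new line while the line is being edited anyway.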
@@ -102,7 +108,8 @@ ] }, "value": "Show File Extensions", - "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")" + "description": "Set the registry key \"HideFileExt\" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. \"not_a_virus.pdf.exe\")", + "uuid": "5b911d46-66c8-4180-ab97-663a0868264e" }, { "meta": { @@ -118,7 +125,8 @@ "possible_issues": "administrator resentment" }, "value": "Enforce UAC Prompt", - "description": "Enforce administrative users to confirm an action that requires elevated rights" + "description": "Enforce administrative users to confirm an action that requires elevated rights", + "uuid": "3f8c55db-611e-4831-b624-f9cbdc3b0e11" }, { "meta": { @@ -131,7 +139,8 @@ "possible_issues": "Higher administrative costs" }, "value": "Remove Admin Privileges", - "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to." + "description": "Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.", + "uuid": "168f94d3-4ffc-4ea6-8f2e-8ba699f0fef6" }, { "meta": { @@ -143,7 +152,8 @@ ] }, "value": "Restrict Workstation Communication", - "description": "Activate the Windows Firewall to restrict workstation to workstation communication" + "description": "Activate the Windows Firewall to restrict workstation to workstation communication", + "uuid": "fb25c345-0cee-4ae7-ab31-c1c801cde1c2" }, { "meta": { 
@@ -154,7 +164,8 @@ ] }, "value": "Sandboxing Email Input", - "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis" + "description": "Using sandbox that opens email attachments and removes attachments based on behavior analysis", + "uuid": "7960740f-71a5-42db-8a1a-1c7ccbf83349" }, { "meta": { @@ -165,7 +176,8 @@ ] }, "value": "Execution Prevention", - "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor" + "description": "Software that allows to control the execution of processes - sometimes integrated in Antivirus software\nFree: AntiHook, ProcessGuard, System Safety Monitor", + "uuid": "bfda0c9e-1303-4861-b028-e0506dd8861c" }, { "meta": { @@ -181,7 +193,8 @@ "possible_issues": "Some extensions will have legitimate uses, e.g., .vbs for logon scripts." }, "value": "Change Default \"Open With\" to Notepad", - "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer" + "description": "Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer", + "uuid": "3b7bc1b2-e04f-4492-b3b1-87bb6701635b" }, { "meta": { @@ -196,7 +209,8 @@ ] }, "value": "File Screening", - "description": "Server-side file screening with the help of File Server Resource Manager" + "description": "Server-side file screening with the help of File Server Resource Manager", + "uuid": "79769940-7cd2-4aaa-80da-b90c0372b898" }, { "meta": { @@ -213,7 +227,8 @@ "possible_issues": "Configure & test extensively" }, "value": "Restrict program execution #2", - "description": "Block program executions (AppLocker)" + "description": "Block program executions (AppLocker)", + "uuid": "feb6cddb-4182-4515-94dc-0eadffcdc098" }, { "meta": { 
@@ -229,7 +244,8 @@ ] }, "value": "EMET", - "description": "Detect and block exploitation techniques" + "description": "Detect and block exploitation techniques", + "uuid": "5f0a749f-88f2-4e6e-8fd8-46307f8439f6" }, { "meta": { @@ -244,7 +260,8 @@ ] }, "value": "Sysmon", - "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring" + "description": "Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring", + "uuid": "1b1e5664-4250-459b-adbb-f0b33f64bf7e" }, { "value": "Blacklist-phone-numbers", @@ -256,7 +273,8 @@ "effectiveness": "Medium", "impact": "Medium", "complexity": "Low" - } + }, + "uuid": "123e20c5-8f44-4de5-a183-6890788e5a81" } ], "name": "Preventive Measure", diff --git a/clusters/ransomware.json b/clusters/ransomware.json index f088473..ec3e30e 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -19,7 +19,8 @@ "date": "March 2017" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Nhtnwcuf Ransomware (Fake)" + "value": "Nhtnwcuf Ransomware (Fake)", + "uuid": "81b4e3ac-aa83-4616-9899-8e19ee3bb78b" }, { "meta": { 
@@ -37,7 +38,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CryptoJacky Ransomware"
+ "value": "CryptoJacky Ransomware",
+ "uuid": "a8187609-329a-4de0-bda7-7823314e7db9"
 },
 {
 "meta": {
@@ -51,7 +53,8 @@
 "date": "March 2017"
 },
 "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Kaenlupuf Ransomware"
+ "value": "Kaenlupuf Ransomware",
+ "uuid": "b97f07c4-136a-488a-9fa0-35ab45fbfe36"
 },
 {
 "meta": {
@@ -70,7 +73,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "EnjeyCrypter Ransomware"
+ "value": "EnjeyCrypter Ransomware",
+ "uuid": "e98e6b50-00fd-484e-a5c1-4b2363579447"
 },
 {
 "meta": {
@@ -84,7 +88,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Dangerous Ransomware"
+ "value": "Dangerous Ransomware",
+ "uuid": "7dbdb949-a53b-4ebe-bc9a-7f49a7c5fd78"
 },
 {
 "meta": {
@@ -104,7 +109,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Vortex Ransomware"
+ "value": "Vortex Ransomware",
+ "uuid": "04a5889d-b97d-4653-8a0f-d2df85f93430"
 },
 {
 "meta": {
@@ -121,7 +127,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "GC47 Ransomware"
+ "value": "GC47 Ransomware",
+ "uuid": "2069c483-4701-4a3b-bd51-3850c7aa59d2"
 },
 {
 "meta": {
@@ -140,7 +147,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ",
- "value": "RozaLocker Ransomware"
+ "value": "RozaLocker Ransomware",
+ "uuid": "f158ea74-c8ba-4e5a-b07f-52bd8fe30888"
 },
 {
 "meta": {
@@ -157,7 +165,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CryptoMeister Ransomware"
+ "value": "CryptoMeister Ransomware",
+ "uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b"
 },
 {
 "meta": {
@@ -171,7 +180,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Hewlett-Packard 2016",
- "value": "GG Ransomware"
+ "value": "GG Ransomware",
+ "uuid": "f62eb881-c6b5-470c-907d-072485cd5860"
 },
 {
 "meta": {
@@ -189,7 +199,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Project34 Ransomware"
+ "value": "Project34 Ransomware",
+ "uuid": "4af0d2bd-46da-44da-b17e-987f86957c1d"
 },
 {
 "meta": {
@@ -206,7 +217,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PetrWrap Ransomware"
+ "value": "PetrWrap Ransomware",
+ "uuid": "e11da570-e38d-4290-8a2c-8a31ae832ffb"
 },
 {
 "meta": {
@@ -225,7 +237,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. RaaS, baed on HiddenTear",
- "value": "Karmen Ransomware"
+ "value": "Karmen Ransomware",
+ "uuid": "da7de60e-0725-498d-9a35-303ddb5bf60a"
 },
 {
 "meta": {
@@ -245,7 +258,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
- "value": "Revenge Ransomware"
+ "value": "Revenge Ransomware",
+ "uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
 },
 {
 "meta": {
@@ -268,7 +282,8 @@
 "date": "March 2017"
 },
 "description": "his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Turkish FileEncryptor Ransomware"
+ "value": "Turkish FileEncryptor Ransomware",
+ "uuid": "a291ac4c-7851-480f-b317-e977a616ac9d"
 },
 {
 "meta": {
@@ -294,7 +309,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Payments in Monero",
- "value": "Kirk Ransomware & Spock Decryptor"
+ "value": "Kirk Ransomware & Spock Decryptor",
+ "uuid": "6e442a2e-97db-4a7b-b4a1-9abb4a7472d8"
 },
 {
 "meta": {
@@ -314,7 +330,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "ZinoCrypt Ransomware"
+ "value": "ZinoCrypt Ransomware",
+ "uuid": "719c8ba7-598e-4511-a851-34e651e301fa"
 },
 {
 "meta": {
@@ -335,7 +352,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Uses @enigma0x3's UAC bypass",
- "value": "Crptxxx Ransomware"
+ "value": "Crptxxx Ransomware",
+ "uuid": "786ca8b3-6915-4846-8f0f-9865fbc295f5"
 },
 {
 "meta": {
@@ -354,7 +372,8 @@
 "date": "March 2017"
 },
 "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "MOTD Ransomware"
+ "value": "MOTD Ransomware",
+ "uuid": "5d1a3631-165c-4091-ba55-ac8da62efadf"
 },
 {
 "meta": {
@@ -373,7 +392,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CryptoDevil Ransomware"
+ "value": "CryptoDevil Ransomware",
+ "uuid": "f3ead274-6c98-4532-b922-03d5ce4e7cfc"
 },
 {
 "meta": {
@@ -391,7 +411,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "FabSysCrypto Ransomware"
+ "value": "FabSysCrypto Ransomware",
+ "uuid": "e4d36930-2e00-4583-b5f5-d8f83736d3ce"
 },
 {
 "meta": {
@@ -408,7 +429,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Lock2017 Ransomware"
+ "value": "Lock2017 Ransomware",
+ "uuid": "cf47a853-bc1d-42ae-8542-8a7433f6c9c2"
 },
 {
 "meta": {
@@ -422,7 +444,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "RedAnts Ransomware"
+ "value": "RedAnts Ransomware",
+ "uuid": "dd3601f1-df0a-4e67-8a20-82e7ba0ed13c"
 },
 {
 "meta": {
@@ -436,7 +459,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "ConsoleApplication1 Ransomware"
+ "value": "ConsoleApplication1 Ransomware",
+ "uuid": "4c3788d6-30a9-4cad-af33-81f9ce3a0d4f"
 },
 {
 "meta": {
@@ -451,7 +475,8 @@
 "date": "March 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "KRider Ransomware"
+ "value": "KRider Ransomware",
+ "uuid": "f5ac03f1-4f6e-43aa-836a-cc7ece40aaa7"
 },
 {
 "meta": {
@@ -461,7 +486,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg",
- "value": "CYR-Locker Ransomware (FAKE)"
+ "value": "CYR-Locker Ransomware (FAKE)",
+ "uuid": "44f6d489-f376-4416-9ba4-e153472f75fc"
 },
 {
 "meta": {
@@ -479,7 +505,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "DotRansomware"
+ "value": "DotRansomware",
+ "uuid": "0570e09d-10b9-448c-87fd-c1c4063e6592"
 },
 {
 "meta": {
@@ -499,7 +526,8 @@
 "date": "February 2017"
 },
 "description": "About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Unlock26 Ransomware"
+ "value": "Unlock26 Ransomware",
+ "uuid": "37b9a28d-8554-4233-b130-efad4be97bc0"
 },
 {
 "meta": {
@@ -517,7 +545,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware",
- "value": "PicklesRansomware"
+ "value": "PicklesRansomware",
+ "uuid": "87171865-9fc9-42a9-9bd4-a453f556f20c"
 },
 {
 "meta": {
@@ -532,7 +561,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses at MSOffice to fool users into opening the infected file. GO Ransomware",
- "value": "Vanguard Ransomware"
+ "value": "Vanguard Ransomware",
+ "uuid": "6a6eed70-3f90-420b-9e4a-5cce9428dc06"
 },
 {
 "meta": {
@@ -550,7 +580,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PyL33T Ransomware"
+ "value": "PyL33T Ransomware",
+ "uuid": "305cb1fb-d43e-4477-8edc-90b34aaf227f"
 },
 {
 "meta": {
@@ -572,7 +603,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg",
- "value": "TrumpLocker Ransomware"
+ "value": "TrumpLocker Ransomware",
+ "uuid": "63bd845c-94f6-49dc-8f0c-22e6f67820f7"
 },
 {
 "meta": {
@@ -591,7 +623,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Written in Delphi",
- "value": "Damage Ransomware"
+ "value": "Damage Ransomware",
+ "uuid": "fbcb6a4f-1d31-4e31-bef5-e162e35649de"
 },
 {
 "meta": {
@@ -609,7 +642,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "XYZWare Ransomware"
+ "value": "XYZWare Ransomware",
+ "uuid": "f0652feb-a104-44e8-91c7-b0435253352b"
 },
 {
 "meta": {
@@ -626,7 +660,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "YouAreFucked Ransomware"
+ "value": "YouAreFucked Ransomware",
+ "uuid": "912af0ef-2d78-4a90-a884-41f3c37c723b"
 },
 {
 "meta": {
@@ -641,7 +676,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. ",
- "value": "CryptConsole 2.0 Ransomware"
+ "value": "CryptConsole 2.0 Ransomware",
+ "uuid": "7343da8f-fe18-46c9-8cda-5b04fb48e97d"
 },
 {
 "meta": {
@@ -660,7 +696,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "BarRax Ransomware"
+ "value": "BarRax Ransomware",
+ "uuid": "c0ee166e-273f-4940-859c-ba6f8666247c"
 },
 {
 "meta": {
@@ -674,7 +711,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CryptoLocker by NTK Ransomware"
+ "value": "CryptoLocker by NTK Ransomware",
+ "uuid": "51bcbbc6-d8e0-4d2b-b5ce-79f26d669567"
 },
 {
 "meta": {
@@ -695,7 +733,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "UserFilesLocker Ransomware"
+ "value": "UserFilesLocker Ransomware",
+ "uuid": "c9e29151-7eda-4192-9c34-f9a81b2ef743"
 },
 {
 "meta": {
@@ -710,7 +749,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. PAYING RANSOM IS USELESS, YOUR FILES WILL NOT BE FIXED. THE DAMAGE IS PERMENENT!!!!",
- "value": "AvastVirusinfo Ransomware"
+ "value": "AvastVirusinfo Ransomware",
+ "uuid": "78649172-cf5b-4e8a-950b-a967ff700acf"
 },
 {
 "meta": {
@@ -724,7 +764,8 @@
 "date": "February 2017"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "SuchSecurity Ransomware"
+ "value": "SuchSecurity Ransomware",
+ "uuid": "22481dfd-8284-4071-a76f-c9a4a5f43f00"
 },
 {
 "meta": {
@@ -741,7 +782,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PleaseRead Ransomware"
+ "value": "PleaseRead Ransomware",
+ "uuid": "9de7a1f2-cc21-40cf-b44e-c67f0262fbce"
 },
 {
 "meta": {
@@ -760,7 +802,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Kasiski Ransomware"
+ "value": "Kasiski Ransomware",
+ "uuid": "59b537dc-3764-42fc-a416-92d2950aaff1"
 },
 {
 "meta": {
@@ -782,7 +825,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Fake Locky Ransomware"
+ "value": "Fake Locky Ransomware",
+ "uuid": "26a34763-a70c-4877-b99f-ae39decd2107"
 },
 {
 "meta": {
@@ -802,7 +846,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoShield 1.0 is a ransomware from the CryptoMix family.",
- "value": "CryptoShield 1.0 Ransomware"
+ "value": "CryptoShield 1.0 Ransomware",
+ "uuid": "1f915f16-2e2f-4681-a1e8-e146a0a4fcdf"
 },
 {
 "meta": {
@@ -825,7 +870,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Filemarker: \"HERMES\"",
- "value": "Hermes Ransomware"
+ "value": "Hermes Ransomware",
+ "uuid": "b7102922-8aad-4b29-8518-6d87c3ba45bb"
 },
 {
 "meta": {
@@ -842,7 +888,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "LoveLock Ransomware or Love2Lock Ransomware"
+ "value": "LoveLock Ransomware or Love2Lock Ransomware",
+ "uuid": "0785bdda-7cd8-4529-b28e-787367c50298"
 },
 {
 "meta": {
@@ -859,7 +906,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Wcry Ransomware"
+ "value": "Wcry Ransomware",
+ "uuid": "0983bdda-c637-4ad9-a56f-615b2b052740"
 },
 {
 "meta": {
@@ -875,7 +923,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "DUMB Ransomware"
+ "value": "DUMB Ransomware",
+ "uuid": "27feba66-e9c7-4414-a560-1e5b7da74d08"
 },
 {
 "meta": {
@@ -891,7 +940,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "X-Files"
+ "value": "X-Files",
+ "uuid": "c24f48ca-060b-4164-aafe-df7b3f43f40e"
 },
 {
 "meta": {
@@ -908,7 +958,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The Ransom is 249$ and the hacker demands that the victim gets in contact through e-mail and a Polish messenger called Gadu-Gadu.",
- "value": "Polski Ransomware"
+ "value": "Polski Ransomware",
+ "uuid": "b50265ac-ee45-4f5a-aca1-fabe3157fc14"
 },
 {
 "meta": {
@@ -928,7 +979,8 @@
 "date": "February 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This hacker demands that the victim contacts him through email and decrypts the files for FREE.(moreinfo in the link below)",
- "value": "YourRansom Ransomware"
+ "value": "YourRansom Ransomware",
+ "uuid": "908b914b-6744-4e16-b014-121cf2106b5f"
 },
 {
 "meta": {
@@ -943,7 +995,8 @@
 "date": "February 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ranion Raas gives the opportunity to regular people to buy and distribute ransomware for a very cheap price. (More info in the link below). RaaS service",
- "value": "Ranion RaasRansomware"
+ "value": "Ranion RaasRansomware",
+ "uuid": "b4de724f-add4-4095-aa5a-e4d039322b59"
 },
 {
 "meta": {
@@ -963,7 +1016,8 @@
 "date": "January 2017"
 },
 "description": "Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.",
- "value": "Potato Ransomware"
+ "value": "Potato Ransomware",
+ "uuid": "378cb77c-bb89-4d32-bef9-1b132343f3fe"
 },
 {
 "meta": {
@@ -984,7 +1038,8 @@
 "date": "December 2016/January 2017"
 },
 "description": "This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)"
+ "value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)",
+ "uuid": "e290fa29-6fc1-4fb5-ac98-44350e508bc1"
 },
 {
 "meta": {
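Review bot: The new-side line `"value": "of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)",` in the last hunk here carries what looks like a leftover fragment of the source text ("of Ransomware: ") rather than an entry name, and this commit now attaches a permanent uuid to it. Because the value is the human-facing name consumers match on, correcting it in the same change — presumably to `"value": "OpenToYou (Formerly known as OpenToDecrypt)",`, to be confirmed against the source material — avoids a breaking rename after the identifier is published. The `"value": "ZXZ Ramsomware",` line in the first hunk of the next diff line appears to have the same kind of problem ("Ramsomware" looks like a typo) and would benefit from the same pre-publication fix.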
@@ -1005,7 +1060,8 @@
 "date": "January 2017"
 },
 "description": "Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "RansomPlus"
+ "value": "RansomPlus",
+ "uuid": "c039a50b-f5f9-4ad0-8b66-e1d8cc86717b"
 },
 {
 "meta": {
@@ -1026,7 +1082,8 @@
 "date": "January 2017"
 },
 "description": "This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files",
- "value": "CryptConsole"
+ "value": "CryptConsole",
+ "uuid": "42508fd8-3c2d-44b2-9b74-33c5d82b297d"
 },
 {
 "meta": {
@@ -1040,7 +1097,8 @@
 "date": "January 2017"
 },
 "description": "Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A",
- "value": "ZXZ Ramsomware"
+ "value": "ZXZ Ramsomware",
+ "uuid": "e4932d1c-2f97-474d-957e-c7df87f9591e"
 },
 {
 "meta": {
@@ -1054,7 +1112,8 @@
 "date": "January 2017"
 },
 "description": "Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc",
- "value": "VxLock Ransomware"
+ "value": "VxLock Ransomware",
+ "uuid": "14deb95c-7af3-4fb1-b2c1-71087e1bb156"
 },
 {
 "meta": {
@@ -1070,7 +1129,8 @@
 "date": "January 2017"
 },
 "description": "Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.",
- "value": "FunFact Ransomware"
+ "value": "FunFact Ransomware",
+ "uuid": "2bfac605-a2c5-4742-92a2-279a08a4c575"
 },
 {
 "meta": {
@@ -1091,7 +1151,8 @@
 "date": "January 2017"
 },
 "description": "First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.",
- "value": "ZekwaCrypt Ransomware"
+ "value": "ZekwaCrypt Ransomware",
+ "uuid": "89d5a541-ef9a-4b18-ac04-2e1384031a2d"
 },
 {
 "meta": {
@@ -1114,7 +1175,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker",
- "value": "Sage 2.0 Ransomware"
+ "value": "Sage 2.0 Ransomware",
+ "uuid": "9174eef3-65f7-4ab5-9b55-b323b36fb962"
 },
 {
 "meta": {
@@ -1131,7 +1193,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
- "value": "CloudSword Ransomware"
+ "value": "CloudSword Ransomware",
+ "uuid": "a89e0ae0-e0e2-40c5-83ff-5fd672aaa2a4"
 },
 {
 "meta": {
@@ -1152,7 +1215,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!",
- "value": "DN"
+ "value": "DN",
+ "uuid": "327eb8b4-5793-42f0-96c0-7f651a0debdc"
 },
 {
 "meta": {
@@ -1170,7 +1234,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc..",
- "value": "GarryWeber Ransomware"
+ "value": "GarryWeber Ransomware",
+ "uuid": "b6e6da33-bf23-4586-81cf-dcfe10e13a81"
 },
 {
 "meta": {
@@ -1192,7 +1257,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS",
- "value": "Satan Ransomware"
+ "value": "Satan Ransomware",
+ "uuid": "61d8bba8-7b22-493f-b023-97ffe7f17caf"
 },
 {
 "meta": {
@@ -1212,7 +1278,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..",
- "value": "Havoc"
+ "value": "Havoc",
+ "uuid": "c6bef9c8-becb-4bee-bd97-c1c655133396"
 },
 {
 "meta": {
@@ -1232,7 +1299,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Its fake name is Bitcoin and maker’s name is Santiago. Work of the encrypted requires the user to have .NET Framework 4.5.2. on his computer.",
- "value": "CryptoSweetTooth Ransomware"
+ "value": "CryptoSweetTooth Ransomware",
+ "uuid": "ca831782-fcbf-4984-b04e-d79b14e48a71"
 },
 {
 "meta": {
@@ -1255,7 +1323,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The word Kaandsona is Estonian, therefore the creator is probably from Estonia. Crashes before it encrypts",
- "value": "Kaandsona Ransomware"
+ "value": "Kaandsona Ransomware",
+ "uuid": "aed61a0a-dc48-43ac-9c33-27e5a286899e"
 },
 {
 "meta": {
@@ -1274,7 +1343,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware",
- "value": "LambdaLocker Ransomware"
+ "value": "LambdaLocker Ransomware",
+ "uuid": "0d1b35e9-c87a-4972-8c27-a11c13e351d7"
 },
 {
 "meta": {
@@ -1296,7 +1366,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "NMoreia 2.0 Ransomware"
+ "value": "NMoreia 2.0 Ransomware",
+ "uuid": "0645cae2-bda9-4d68-8bc3-c3c1eb9d1801"
 },
 {
 "meta": {
@@ -1317,7 +1388,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)",
- "value": "Marlboro Ransomware"
+ "value": "Marlboro Ransomware",
+ "uuid": "4ae98da3-c667-4c6e-b0fb-5b52c667637c"
 },
 {
 "meta": {
@@ -1334,7 +1406,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png",
- "value": "Spora Ransomware"
+ "value": "Spora Ransomware",
+ "uuid": "46601172-d938-47af-8cf5-c5a796ab68ab"
 },
 {
 "meta": {
@@ -1348,7 +1421,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files get encrypted, but the decrypt key is not available. NO POINT OF PAYING THE RANSOM, THE FILES WILL NOT BE RETURNED.",
- "value": "CryptoKill Ransomware"
+ "value": "CryptoKill Ransomware",
+ "uuid": "7ae2f594-8a72-4ba8-a37a-32457d1d3fe8"
 },
 {
 "meta": {
@@ -1364,7 +1438,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "All_Your_Documents Ransomware"
+ "value": "All_Your_Documents Ransomware",
+ "uuid": "62120e20-21f6-474b-9dc1-fc871d25c798"
 },
 {
 "meta": {
@@ -1385,7 +1460,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 500$ in bitcoins. The name of the hacker is R4z0rx0r Serbian Hacker.",
- "value": "SerbRansom 2017 Ransomware"
+ "value": "SerbRansom 2017 Ransomware",
+ "uuid": "fb1e99cb-73fa-4961-a052-c90b3f383542"
 },
 {
 "meta": {
@@ -1401,7 +1477,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 0.33 bitcoins.",
- "value": "Fadesoft Ransomware"
+ "value": "Fadesoft Ransomware",
+ "uuid": "ccfe7f6a-9c9b-450a-a4c7-5bbaf4a82e37"
 },
 {
 "meta": {
@@ -1420,7 +1497,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "HugeMe Ransomware"
+ "value": "HugeMe Ransomware",
+ "uuid": "681ad7cc-fda0-40dc-83b3-91fdfdec81e1"
 },
 {
 "meta": {
@@ -1441,7 +1519,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "DynA-Crypt Ransomware"
+ "value": "DynA-Crypt Ransomware",
+ "uuid": "9979ae53-98f7-49a2-aa1e-276973c2b44f"
 },
 {
 "meta": {
@@ -1461,7 +1540,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Serpent 2017 Ransomware"
+ "value": "Serpent 2017 Ransomware",
+ "uuid": "3b472aac-085b-409e-89f1-e8c766f7c401"
 },
 {
 "meta": {
@@ -1477,7 +1557,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Erebus 2017 Ransomware"
+ "value": "Erebus 2017 Ransomware",
+ "uuid": "c21e637c-6611-47e1-a191-571409b6669a"
 },
 {
 "meta": {
@@ -1496,7 +1577,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Cyber Drill Exercise "
+ "value": "Cyber Drill Exercise ",
+ "uuid": "dcb183d1-11b5-464c-893a-21e132cb7b51"
 },
 {
 "meta": {
@@ -1513,7 +1595,8 @@
 "date": "February 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.",
- "value": "Cancer Ransomware FAKE"
+ "value": "Cancer Ransomware FAKE",
+ "uuid": "ef747d7f-894e-4c0c-ac0f-3fa1ef3ef17f"
 },
 {
 "meta": {
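Review bot: The rewritten line `+ "value": "Cyber Drill Exercise ",` in the second hunk here keeps a trailing space inside the cluster name, and since the commit already touches that line it is the natural place to drop it: `"value": "Cyber Drill Exercise",`. The `value` is the human-facing key that analysts and tooling match on, so a stray space makes exact lookups and deduplication against other galaxies fail silently. The same trailing space survives on the new side for `"Manifestus Ransomware "` (third hunk on the line ending at -2186), and for `"CryptoBlock Ransomware "` and `"AES-NI Ransomware "` (first two hunks of the line starting at -2259); I would trim all four in this change rather than leave them for a later cleanup.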
@@ -1531,7 +1614,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Poses as Microsoft Copyright 2017 and requests ransom in bitcoins.",
- "value": "UpdateHost Ransomware"
+ "value": "UpdateHost Ransomware",
+ "uuid": "ed5b30b0-2949-410a-bc4c-3d90de93d033"
 },
 {
 "meta": {
@@ -1548,7 +1632,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 10 bitcoins.",
- "value": "Nemesis Ransomware"
+ "value": "Nemesis Ransomware",
+ "uuid": "b5942085-c9f2-4d1a-aadf-1061ad38fb1d"
 },
 {
 "meta": {
@@ -1576,7 +1661,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Domain KZ is used, therefore it is assumed that the decrypter is from Kazakhstan. Coded in Javascript",
- "value": "Evil Ransomware"
+ "value": "Evil Ransomware",
+ "uuid": "57933295-4a0e-4f6a-b06b-36807ff150cd"
 },
 {
 "meta": {
@@ -1594,7 +1680,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.",
- "value": "Ocelot Ransomware (FAKE RANSOMWARE)"
+ "value": "Ocelot Ransomware (FAKE RANSOMWARE)",
+ "uuid": "054b9fbd-72fa-464f-a683-a69ab3936d69"
 },
 {
 "meta": {
@@ -1614,7 +1701,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "SkyName Ransomware"
+ "value": "SkyName Ransomware",
+ "uuid": "00b8ff33-1504-49a4-a025-b761738eed68"
 },
 {
 "meta": {
@@ -1637,7 +1725,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 155$ inbitcoins. Creator of ransomware is called Mafia. Based on HiddenTear",
- "value": "MafiaWare Ransomware"
+ "value": "MafiaWare Ransomware",
+ "uuid": "e5a60429-ae5d-46f4-a731-da9e2fcf8b92"
 },
 {
 "meta": {
@@ -1674,7 +1763,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 3 bitcoins. Extesion depends on the config file. It seems Globe is a ransomware kit.",
- "value": "Globe3 Ransomware"
+ "value": "Globe3 Ransomware",
+ "uuid": "fe16edbe-3050-4276-bac3-c7ff5fd4174a"
 },
 {
 "meta": {
@@ -1695,7 +1785,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg",
- "value": "BleedGreen Ransomware"
+ "value": "BleedGreen Ransomware",
+ "uuid": "fbb3fbf9-50d7-4fe1-955a-fd4defa0cb08"
 },
 {
 "meta": {
@@ -1714,7 +1805,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Original name is Mission 1996 or Mission: “Impossible” (1996) (like the movie)",
- "value": "BTCamant Ransomware"
+ "value": "BTCamant Ransomware",
+ "uuid": "a5826bd3-b457-4aa9-a2e7-f0044ad9992f"
 },
 {
 "meta": {
@@ -1733,7 +1825,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.",
- "value": "X3M Ransomware"
+ "value": "X3M Ransomware",
+ "uuid": "192bc3e8-ace8-4229-aa88-37034a11ef5b"
 },
 {
 "meta": {
@@ -1753,7 +1846,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "GOG Ransomware"
+ "value": "GOG Ransomware",
+ "uuid": "c3ef2acd-cc5d-4240-80e7-47e85b46db96"
 },
 {
 "meta": {
@@ -1771,7 +1865,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.1 Bitcoins. Original name is TrojanRansom.",
- "value": "EdgeLocker"
+ "value": "EdgeLocker",
+ "uuid": "ecfa106d-0aff-4f7e-a259-f00eb14fc245"
 },
 {
 "meta": {
@@ -1790,7 +1885,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Fake name: Microsoft Corporation. Based on HiddenTear",
- "value": "Red Alert"
+ "value": "Red Alert",
+ "uuid": "f762860a-5e7a-43bf-bef4-06bd27e0b023"
 },
 {
 "meta": {
@@ -1807,7 +1903,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "First"
+ "value": "First",
+ "uuid": "ed26fcf3-47fb-45cc-b5f9-de18f6491934"
 },
 {
 "meta": {
@@ -1823,7 +1920,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Written on Delphi. The user requests the victim to get in touch with him through ICQ to get the ransom and return the files.",
- "value": "XCrypt Ransomware"
+ "value": "XCrypt Ransomware",
+ "uuid": "fd5bb71f-80dc-4a6d-ba8e-ed74999700d3"
 },
 {
 "meta": {
@@ -1841,7 +1939,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "7Zipper Ransomware"
+ "value": "7Zipper Ransomware",
+ "uuid": "d8ec9e54-a4a4-451e-9f29-e7503174c16e"
 },
 {
 "meta": {
@@ -1862,7 +1961,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 170$ or EUR in Bitcoins.",
- "value": "Zyka Ransomware"
+ "value": "Zyka Ransomware",
+ "uuid": "7b7c8124-c679-4201-b5a5-5e66e6d52b70"
 },
 {
 "meta": {
@@ -1877,7 +1977,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.",
- "value": "SureRansom Ransomeware (Fake)"
+ "value": "SureRansom Ransomeware (Fake)",
+ "uuid": "a9365b55-acd8-4b70-adac-c86d121b80b3"
 },
 {
 "meta": {
@@ -1900,7 +2001,8 @@
 "date": "January 2017"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.",
- "value": "Netflix Ransomware"
+ "value": "Netflix Ransomware",
+ "uuid": "1317351f-ec8f-4c76-afab-334e1384d3d3"
 },
 {
 "meta": {
@@ -1932,7 +2034,8 @@
 "date": " December 2016"
 },
 "description": "It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.",
- "value": "Merry Christmas"
+ "value": "Merry Christmas",
+ "uuid": "72cbed4e-b26a-46a1-82be-3d0154fdd2e5"
 },
 {
 "meta": {
@@ -1946,7 +2049,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Seoirse is how in Ireland people say the name George. Ransom is 0.5 Bitcoins.",
- "value": "Seoirse Ransomware"
+ "value": "Seoirse Ransomware",
+ "uuid": "bdf807c2-74ec-4802-9907-a89b1d910296"
 },
 {
 "meta": {
@@ -1966,7 +2070,8 @@
 "date": "November/December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.",
- "value": "KillDisk Ransomware"
+ "value": "KillDisk Ransomware",
+ "uuid": "8e067af6-d1f7-478a-8a8e-5154d2685bd1"
 },
 {
 "meta": {
@@ -1985,7 +2090,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.",
- "value": "DeriaLock Ransomware"
+ "value": "DeriaLock Ransomware",
+ "uuid": "c0d7acd4-5d64-4571-9b07-bd4bd0d27ee3"
 },
 {
 "meta": {
@@ -2004,7 +2110,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "BadEncript Ransomware"
+ "value": "BadEncript Ransomware",
+ "uuid": "43bfbb2a-9416-44da-81ef-03d6d3a3923f"
 },
 {
 "meta": {
@@ -2021,7 +2128,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the creator is puff69.",
- "value": "AdamLocker Ransomware"
+ "value": "AdamLocker Ransomware",
+ "uuid": "5e7d10b7-18ec-47f7-8f13-6fd03d10a8bc"
 },
 {
 "meta": {
@@ -2039,7 +2147,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.",
- "value": "Alphabet Ransomware"
+ "value": "Alphabet Ransomware",
+ "uuid": "dd356ed3-42b8-4587-ae53-95f933517612"
 },
 {
 "meta": {
@@ -2060,7 +2169,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru",
- "value": "KoKoKrypt Ransomware"
+ "value": "KoKoKrypt Ransomware",
+ "uuid": "d672fe4f-4561-488e-bca6-20385b53d77f"
 },
 {
 "meta": {
@@ -2078,7 +2188,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.5 bitcoins. The name of the creator is staffttt, he also created Fake CryptoLocker",
- "value": "L33TAF Locker Ransomware"
+ "value": "L33TAF Locker Ransomware",
+ "uuid": "791a6720-d589-4cf7-b164-08b35b453ac7"
 },
 {
 "meta": {
@@ -2095,7 +2206,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PClock4 Ransomware"
+ "value": "PClock4 Ransomware",
+ "uuid": "b78be3f4-e39b-41cc-adc0-5824f246959b"
 },
 {
 "meta": {
@@ -2113,7 +2225,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses VBS-script to send a voice message as the first few lines of the note.",
- "value": "Guster Ransomware"
+ "value": "Guster Ransomware",
+ "uuid": "ffa7ac2f-b216-4fac-80be-e859a0e0251f"
 },
 {
 "meta": {
@@ -2130,7 +2243,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png",
- "value": "Roga"
+ "value": "Roga",
+ "uuid": "cd1eb48e-070b-418e-8d83-4644a388f8ae"
 },
 {
 "meta": {
@@ -2150,7 +2264,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Creator is staffttt and the ransom is 0.5 botcoins.",
- "value": "CryptoLocker3 Ransomware"
+ "value": "CryptoLocker3 Ransomware",
+ "uuid": "4094b021-6654-49d5-9b80-a3666a1c1e44"
 },
 {
 "meta": {
@@ -2170,7 +2285,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is 1.0 bitcoins.",
- "value": "ProposalCrypt Ransomware"
+ "value": "ProposalCrypt Ransomware",
+ "uuid": "4cf270e7-e4df-49d5-979b-c13d8ce117cc"
 },
 {
 "meta": {
@@ -2186,7 +2302,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker demands 0.2 bitcoins. The ransomware poses as a Window update.",
- "value": "Manifestus Ransomware "
+ "value": "Manifestus Ransomware ",
+ "uuid": "e62ba8f5-e7ce-44ab-ac33-713ace192de3"
 },
 {
 "meta": {
@@ -2210,7 +2327,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The name of the hacker is humanpuff69 and he requests 0.5 bitcoins. The encryption password is based on the computer name",
- "value": "EnkripsiPC Ransomware"
+ "value": "EnkripsiPC Ransomware",
+ "uuid": "52caade6-ba7b-474e-b173-63f4332aa808"
 },
 {
 "meta": {
@@ -2228,7 +2346,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. So far the victims are from Belarus and Germany.",
- "value": "BrainCrypt Ransomware"
+ "value": "BrainCrypt Ransomware",
+ "uuid": "ade6ec5e-e082-43cb-9b82-ff8c0f4d7e56"
 },
 {
 "meta": {
@@ -2244,7 +2363,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 0.2 bitcoins.",
- "value": "MSN CryptoLocker Ransomware"
+ "value": "MSN CryptoLocker Ransomware",
+ "uuid": "7de27419-9874-4c3f-b75f-429a507ed7c5"
 },
 {
 "meta": {
@@ -2259,7 +2379,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom is in the amount is 0.3 bitcoins. The ransomware is disguises themselves as Adobe Systems, Incorporated. RaaS",
- "value": "CryptoBlock Ransomware "
+ "value": "CryptoBlock Ransomware ",
+ "uuid": "7b0df78e-8f00-468f-a6ef-3e1bda2a344c"
 },
 {
 "meta": {
@@ -2277,7 +2398,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "AES-NI Ransomware "
+ "value": "AES-NI Ransomware ",
+ "uuid": "69c9b45f-f226-485f-9033-fcb796c315cf"
 },
 {
 "meta": {
@@ -2295,7 +2417,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker of this ransomware tends to make lots of spelling errors in his requests. With Italian text that only targets the Test folder on the user's desktop",
- "value": "Koolova Ransomware"
+ "value": "Koolova Ransomware",
+ "uuid": "ff6b8fc4-cfe0-45c1-9814-3261e39b4c9a"
 },
 {
 "meta": {
@@ -2321,7 +2444,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 1bitcoin.",
- "value": "Fake Globe Ransomware"
+ "value": "Fake Globe Ransomware",
+ "uuid": "e03873ef-9e3d-4d07-85d8-e22a55f60c19"
 },
 {
 "meta": {
@@ -2338,7 +2462,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
- "value": "V8Locker Ransomware"
+ "value": "V8Locker Ransomware",
+ "uuid": "45862a62-4cb3-4101-84db-8e338d17e283"
 },
 {
 "meta": {
@@ -2355,7 +2480,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.",
- "value": "Cryptorium (Fake Ransomware)"
+ "value": "Cryptorium (Fake Ransomware)",
+ "uuid": "96bd63e5-99bd-490c-a23a-e0092337f6e6"
 },
 {
 "meta": {
@@ -2372,7 +2498,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).",
- "value": "Antihacker2017 Ransomware"
+ "value": "Antihacker2017 Ransomware",
+ "uuid": "efd64e86-611a-4e10-91c7-e741cf0c58d9"
 },
 {
 "meta": {
@@ -2388,7 +2515,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg",
- "value": "CIA Special Agent 767 Ransomware (FAKE!!!)"
+ "value": "CIA Special Agent 767 Ransomware (FAKE!!!)",
+ "uuid": "e479e32e-c884-4ea0-97d3-3c3356135719"
 },
 {
 "meta": {
@@ -2401,7 +2529,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker request your IP address in return for the decryption.",
- "value": "LoveServer Ransomware "
+ "value": "LoveServer Ransomware ",
+ "uuid": "d1698a73-8be8-4c10-8114-8cfa1c399eb1"
 },
 {
 "meta": {
@@ -2421,7 +2550,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The hacker requests 2 bitcoins in return for the files.",
- "value": "Kraken Ransomware"
+ "value": "Kraken Ransomware",
+ "uuid": "51737c36-11a0-4c25-bd87-a990bd479aaf"
 },
 {
 "meta": {
@@ -2435,7 +2565,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is 0.25 bitcoins and the nickname of the hacker is FRC 2016.",
- "value": "Antix Ransomware"
+ "value": "Antix Ransomware",
+ "uuid": "8a7e0615-b9bd-41ab-89f1-62d041350e99"
 },
 {
 "meta": {
@@ -2454,7 +2585,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… The ransom is R$950 which is due in 5 days. (R$ is a Brazilian currency) Based off of Hidden-Tear",
- "value": "PayDay Ransomware "
+ "value": "PayDay Ransomware ",
+ "uuid": "70324b69-6076-4d00-884e-7f9d5537a65a"
 },
 {
 "meta": {
@@ -2468,7 +2600,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.",
- "value": "Slimhem Ransomware"
+ "value": "Slimhem Ransomware",
+ "uuid": "76b14980-e53c-4209-925e-3ab024210734"
 },
 {
 "meta": {
@@ -2483,7 +2616,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!",
- "value": "M4N1F3STO Ransomware (FAKE!!!!!)"
+ "value": "M4N1F3STO Ransomware (FAKE!!!!!)",
+ "uuid": "94a3be6b-3a83-40fb-85b2-555239260235"
 },
 {
 "meta": {
@@ -2497,7 +2631,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… CHIP > DALE",
- "value": "Dale Ransomware"
+ "value": "Dale Ransomware",
+ "uuid": "abe6cbe4-9031-46da-9e1c-89d9babe6449"
 },
 {
 "meta": {
@@ -2515,7 +2650,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Based on the idiotic open-source ransomware called CryptoWire",
- "value": "UltraLocker Ransomware"
+ "value": "UltraLocker Ransomware",
+ "uuid": "3a66610b-5197-4af9-b662-d873afc81b2e"
 },
 {
 "meta": {
@@ -2534,7 +2670,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
- "value": "AES_KEY_GEN_ASSIST Ransomware"
+ "value": "AES_KEY_GEN_ASSIST Ransomware",
+ "uuid": "d755510f-d775-420c-83a0-b0fe9e483256"
 },
 {
 "meta": {
@@ -2552,7 +2689,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Code Virus Ransomware "
+ "value": "Code Virus Ransomware ",
+ "uuid": "a23d7c45-7200-4074-9acf-8789600fa145"
 },
 {
 "meta": {
@@ -2569,7 +2707,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "FLKR Ransomware"
+ "value": "FLKR Ransomware",
+ "uuid": "1cdc34ce-43b7-4df1-ae8f-ae0acbe5e4ad"
 },
 {
 "meta": {
@@ -2591,7 +2730,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png",
- "value": "PopCorn Time Ransomware"
+ "value": "PopCorn Time Ransomware",
+ "uuid": "c1b3477b-cd7f-4726-8744-a2c44275dffd"
 },
 {
 "meta": {
@@ -2608,7 +2748,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.",
- "value": "HackedLocker Ransomware"
+ "value": "HackedLocker Ransomware",
+ "uuid": "c2624d8e-da7b-4d94-b06f-363131ddb6ac"
 },
 {
 "meta": {
@@ -2628,7 +2769,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
- "value": "GoldenEye Ransomware"
+ "value": "GoldenEye Ransomware",
+ "uuid": "ac7affb8-971d-4c05-84f0-172b61d007d7"
 },
 {
 "meta": {
@@ -2647,7 +2789,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
- "value": "Sage Ransomware"
+ "value": "Sage Ransomware",
+ "uuid": "3e5a475f-7467-49ab-917a-4d1f590ad9b4"
 },
 {
 "meta": {
@@ -2667,7 +2810,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… This hacker requests 4 bitcoins for ransom.",
- "value": "SQ_ Ransomware"
+ "value": "SQ_ Ransomware",
+ "uuid": "5024f328-2595-4dbd-9007-218147e55d5f"
 },
 {
 "meta": {
@@ -2690,7 +2834,8 @@
 "date": "December 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc…",
- "value": "Matrix"
+ "value": "Matrix",
+ "uuid": "42ee85b9-45f8-47a3-9bab-b695ac271544"
 },
 {
 "meta": {
@@ -2707,7 +2852,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Satan666 Ransomware"
+ "value": "Satan666 Ransomware",
+ "uuid": "03d92e7b-95ae-4c5b-8b58-daa2fd98f7a1"
 },
 {
 "meta": {
@@ -2726,7 +2872,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear",
- "value": "RIP (Phoenix) Ransomware"
+ "value": "RIP (Phoenix) Ransomware",
+ "uuid": "5705df4a-42b0-4579-ad9f-8bfa42bae471"
 },
 {
 "meta": {
@@ -2746,7 +2893,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on RemindMe",
- "value": "Locked-In Ransomware or NoValid Ransomware"
+ "value": "Locked-In Ransomware or NoValid Ransomware",
+ "uuid": "777f0b78-e778-435f-b4d5-e40f0b7f54c3"
 },
 {
 "meta": {
@@ -2757,7 +2905,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Chartwig Ransomware"
+ "value": "Chartwig Ransomware",
+ "uuid": "37fff5f8-8e66-43d3-a075-3619b6f2163d"
 },
 {
 "meta": {
@@ -2774,7 +2923,8 @@
 "date": "November 2016"
 },
 "description": "It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [www-hash-part-]+[number]+[.crypter]",
- "value": "RenLocker Ransomware (FAKE)"
+ "value": "RenLocker Ransomware (FAKE)",
+ "uuid": "957850f7-081a-4191-9e5e-cf9ff27584ac"
 },
 {
 "meta": {
@@ -2790,7 +2940,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Thanksgiving Ransomware"
+ "value": "Thanksgiving Ransomware",
+ "uuid": "459ea908-e39e-4274-8866-362281e24911"
 },
 {
 "meta": {
@@ -2808,7 +2959,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CockBlocker Ransomware"
+ "value": "CockBlocker Ransomware",
+ "uuid": "3a40c5ae-b117-45cd-b674-a7750e3f3082"
 },
 {
 "meta": {
@@ -2826,7 +2978,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on the idiotic open-source ransomware called CryptoWire",
- "value": "Lomix Ransomware"
+ "value": "Lomix Ransomware",
+ "uuid": "e721b7c5-df07-4e26-b375-fc09a4911451"
 },
 {
 "meta": {
@@ -2847,7 +3000,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. https://3.bp.blogspot.com/--jubfYRaRmw/WDaOyZXkAaI/AAAAAAAACQE/E63a4FnaOfACZ07s1xUiv_haxy8cp5YCACLcB/s1600/ozoza2.png",
- "value": "OzozaLocker Ransomware"
+ "value": "OzozaLocker Ransomware",
+ "uuid": "d20b0d12-1a56-4339-b02b-eb3803dc3e6e"
 },
 {
 "meta": {
@@ -2868,7 +3022,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Crypute Ransomware"
+ "value": "Crypute Ransomware",
+ "uuid": "5539c8e7-2058-4757-b9e3-71ff7d41db31"
 },
 {
 "meta": {
@@ -2890,7 +3045,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "NMoreira Ransomware"
+ "value": "NMoreira Ransomware",
+ "uuid": "9490641f-6a51-419c-b3dc-c6fa2bab4ab3"
 },
 {
 "meta": {
@@ -2911,7 +3067,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransom amount is 349.99$ and the hacker seems to be from India. He disguises himself as Microsoft Support.",
- "value": "VindowsLocker Ransomware"
+ "value": "VindowsLocker Ransomware",
+ "uuid": "b58e1265-2855-4c8a-ac34-bb1504086084"
 },
 {
 "meta": {
@@ -2930,7 +3087,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Here is the original ransomware under this name: http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html",
- "value": "Donald Trump 2 Ransomware"
+ "value": "Donald Trump 2 Ransomware",
+ "uuid": "96c10791-258f-4b2b-a2cc-b5abddbdb285"
 },
 {
 "meta": {
@@ -2948,7 +3106,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Looks for C:\\Temp\\voldemort.horcrux",
- "value": "Nagini Ransomware"
+ "value": "Nagini Ransomware",
+ "uuid": "46a35af7-9d05-4de4-a955-41ccf3d3b83b"
 },
 {
 "meta": {
@@ -2967,7 +3126,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "ShellLocker Ransomware"
+ "value": "ShellLocker Ransomware",
+ "uuid": "a8ea7a67-c019-4c6c-8061-8614c47f153e"
 },
 {
 "meta": {
@@ -2991,7 +3151,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Chip Ransomware"
+ "value": "Chip Ransomware",
+ "uuid": "7487fd37-d4ba-4c85-b6f8-8d4d7d5b74d7"
 },
 {
 "meta": {
@@ -3013,7 +3174,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant",
- "value": "Dharma Ransomware"
+ "value": "Dharma Ransomware",
+ "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b"
 },
 {
 "meta": {
@@ -3031,7 +3193,8 @@
 "date": "November 2016"
 },
 "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Angela Merkel Ransomware"
+ "value": "Angela Merkel Ransomware",
+ "uuid": "a9bb4ae1-b4da-49bb-aeeb-3596cb883860"
 },
 {
 "meta": {
@@ -3055,7 +3218,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CryptoLuck Ransomware"
+ "value": "CryptoLuck Ransomware",
+ "uuid": "615b682d-4746-464d-8091-8869d0e6ea2c"
 },
 {
 "meta": {
@@ -3090,7 +3254,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Crypton Ransomware"
+ "value": "Crypton Ransomware",
+ "uuid": "117693d2-1551-486e-93e5-981945eecabd"
 },
 {
 "meta": {
@@ -3111,7 +3276,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. pretends to be a Windows optimization program called Windows-TuneUp",
- "value": "Karma Ransomware"
+ "value": "Karma Ransomware",
+ "uuid": "51596eaa-6df7-4aa3-8df4-cec3aeffb1b5"
 },
 {
 "meta": {
@@ -3128,7 +3294,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "WickedLocker HT Ransomware"
+ "value": "WickedLocker HT Ransomware",
+ "uuid": "878c06be-95d7-4a0d-9dba-178ffc1d3e5e"
 },
 {
 "meta": {
@@ -3157,7 +3324,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoLocker Copycat",
- "value": "PClock3 Ransomware"
+ "value": "PClock3 Ransomware",
+ "uuid": "6c38f175-b32a-40ef-8cad-33c2c8840d51"
 },
 {
 "meta": {
@@ -3179,7 +3347,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Kolobo Ransomware"
+ "value": "Kolobo Ransomware",
+ "uuid": "f32f0bec-961b-4c01-9cc1-9cf409efd598"
 },
 {
 "meta": {
@@ -3200,7 +3369,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "PaySafeGen (German) Ransomware"
+ "value": "PaySafeGen (German) Ransomware",
+ "uuid": "379d5258-6f11-4c41-a685-c2ff555c0cb9"
 },
 {
 "meta": {
@@ -3221,7 +3391,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.",
- "value": "Telecrypt Ransomware"
+ "value": "Telecrypt Ransomware",
+ "uuid": "2f362760-925b-4948-aae5-dd0d2fc21002"
 },
 {
 "meta": {
@@ -3240,7 +3411,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "CerberTear Ransomware"
+ "value": "CerberTear Ransomware",
+ "uuid": "28808e63-e71f-4aaa-b203-9310745f87b6"
 },
 {
 "meta": {
@@ -3254,7 +3426,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Hidden Tear >> APT Ransomware + HYPERLINK \"https://id-ransomware.blogspot.ru/2016/05/remindme-ransomware-2.html\" \t \"_blank\" RemindMe > FuckSociety",
- "value": "FuckSociety Ransomware"
+ "value": "FuckSociety Ransomware",
+ "uuid": "81c476c3-3190-440d-be4a-ea875e9415aa"
 },
 {
 "meta": {
@@ -3279,7 +3452,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Batch file; Passcode: AES1014DW256 or RSA1014DJW2048",
- "value": "PayDOS Ransomware"
+ "value": "PayDOS Ransomware",
+ "uuid": "4818a48a-dfc2-4f35-a76d-e4fb462d6c94"
 },
 {
 "meta": {
@@ -3295,7 +3469,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "zScreenLocker Ransomware"
+ "value": "zScreenLocker Ransomware",
+ "uuid": "47834caa-2226-4a3a-a228-210a64c281b9"
 },
 {
 "meta": {
@@ -3314,7 +3489,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Gremit Ransomware"
+ "value": "Gremit Ransomware",
+ "uuid": "47512afc-ecf2-4766-8487-8f3bc8dddbf3"
 },
 {
 "meta": {
@@ -3331,7 +3507,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Hollycrypt Ransomware"
+ "value": "Hollycrypt Ransomware",
+ "uuid": "b77298c1-3f84-4ffb-a81b-36eab5c10881"
 },
 {
 "meta": {
@@ -3351,7 +3528,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "BTCLocker Ransomware"
+ "value": "BTCLocker Ransomware",
+ "uuid": "3f461284-85a1-441c-b07d-8b547be43ca2"
 },
 {
 "meta": {
@@ -3370,7 +3548,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. From the developer behind the Apocalypse Ransomware, Fabiansomware, and Esmeralda",
- "value": "Kangaroo Ransomware"
+ "value": "Kangaroo Ransomware",
+ "uuid": "5ab1449f-7e7d-47e7-924a-8662bc2df805"
 },
 {
 "meta": {
@@ -3387,7 +3566,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "DummyEncrypter Ransomware"
+ "value": "DummyEncrypter Ransomware",
+ "uuid": "6bf055c6-acb2-4459-92b0-70d61616ab62"
 },
 {
 "meta": {
@@ -3408,7 +3588,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Encryptss77 Ransomware"
+ "value": "Encryptss77 Ransomware",
+ "uuid": "317cab8a-31a1-4a82-876a-94edc7afffba"
 },
 {
 "meta": {
@@ -3425,7 +3606,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "WinRarer Ransomware"
+ "value": "WinRarer Ransomware",
+ "uuid": "7ee22340-ed89-4e22-b085-257bde4c0fc5"
 },
 {
 "meta": {
@@ -3442,7 +3624,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "Russian Globe Ransomware"
+ "value": "Russian Globe Ransomware",
+ "uuid": "30771cde-2543-4c13-b722-ff940f235b0f"
 },
 {
 "meta": {
@@ -3459,7 +3642,8 @@
 "date": "November 2016"
 },
 "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
- "value": "ZeroCrypt Ransomware"
+ "value": "ZeroCrypt Ransomware",
+ "uuid": "e999ca18-61cb-4419-a2fa-ab8af6ebe8dc"
 },
 {
 "meta": {
@@ -3477,7 +3661,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "RotorCrypt(RotoCrypt, Tar) Ransomware" + "value": "RotorCrypt(RotoCrypt, Tar) Ransomware", + "uuid": "63991ed9-98dc-4f24-a0a6-ff58e489c263" }, { "meta": { @@ -3494,7 +3679,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.", - "value": "Ishtar Ransomware" + "value": "Ishtar Ransomware", + "uuid": "30cad868-b2f1-4551-8f76-d17695c67d52" }, { "meta": { @@ -3513,7 +3699,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "MasterBuster Ransomware" + "value": "MasterBuster Ransomware", + "uuid": "07f859cd-9c36-4dae-a6fc-fa4e4aa36176" }, { "meta": { 
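Review bot: The rewritten line `"value": "RotorCrypt(RotoCrypt, Tar) Ransomware",` keeps two aliases inside the display name, which defeats tag matching on either alias on its own; now that the uuid provides the stable key, the name can become `"value": "RotorCrypt Ransomware",` with the aliases moved to `"synonyms": ["RotoCrypt", "Tar", "RotorCrypt(RotoCrypt, Tar) Ransomware"]` in `meta`, keeping the old string as a synonym so existing tags still resolve. The entry's `meta` block opens above this hunk, so the insertion point for `synonyms` is not visible here.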
@@ -3534,7 +3721,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "JackPot Ransomware" + "value": "JackPot Ransomware", + "uuid": "04f1772a-053e-4f6e-a9af-3f83ab312633" }, { "meta": { @@ -3553,7 +3741,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Georgian ransomware", - "value": "ONYX Ransomeware" + "value": "ONYX Ransomeware", + "uuid": "927a4150-9380-4310-9f68-cb06d8debcf2" }, { "meta": { @@ -3572,7 +3761,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "IFN643 Ransomware" + "value": "IFN643 Ransomware", + "uuid": "ddeab8b3-5df2-414e-9c6b-06b309e1fcf4" }, { "meta": { 
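Review bot: The rewritten line `"value": "ONYX Ransomeware",` carries a misspelling that the commit now freezes behind a permanent id; since the uuid decouples identity from the string, this is the cheapest moment to correct it to `"value": "ONYX Ransomware",` and keep the old spelling under `synonyms` so tags already using it still resolve. The same pattern recurs in later hunks of this diff (`CryptoWire Ransomeware`, `Windows_Security Ransonware`) and is worth fixing in one pass rather than after the ids have been synced.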
@@ -3593,7 +3783,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Alcatraz Locker Ransomware" + "value": "Alcatraz Locker Ransomware", + "uuid": "2ad63264-8f52-4ab4-ad26-ca8c3bcc066e" }, { "meta": { @@ -3612,7 +3803,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Esmeralda Ransomware" + "value": "Esmeralda Ransomware", + "uuid": "ff5a04bb-d412-4cb3-9780-8d3488b7c268" }, { "meta": { @@ -3629,7 +3821,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "EncrypTile Ransomware" + "value": "EncrypTile Ransomware", + "uuid": "56e49b84-a250-4aaf-9f65-412616709652" }, { "meta": { 
@@ -3647,7 +3840,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG", - "value": "Fileice Ransomware Survey Ransomware" + "value": "Fileice Ransomware Survey Ransomware", + "uuid": "ca5d0e52-d0e4-4aa9-872a-0669433c0dcc" }, { "meta": { @@ -3667,7 +3861,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "CryptoWire Ransomeware" + "value": "CryptoWire Ransomeware", + "uuid": "4e6e45c2-8e13-49ad-8b27-e5aeb767294a" }, { "meta": { 
@@ -3693,7 +3888,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on Locky", - "value": "Hucky Ransomware" + "value": "Hucky Ransomware", + "uuid": "74f91a93-4f1e-4603-a6f5-aaa40d2dd311" }, { "meta": { @@ -3712,7 +3908,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Winnix Cryptor Ransomware" + "value": "Winnix Cryptor Ransomware", + "uuid": "e30e663d-d8c8-44f2-8da7-03b1a9c52376" }, { "meta": { @@ -3731,7 +3928,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Demands 10 BTC", - "value": "AngryDuck Ransomware" + "value": "AngryDuck Ransomware", + "uuid": "2813a5c7-530b-492f-8d77-fe7b1ed96a65" }, { "meta": { 
@@ -3750,7 +3948,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Lock93 Ransomware" + "value": "Lock93 Ransomware", + "uuid": "2912426d-2a26-4091-a87f-032a6d3d28c1" }, { "meta": { @@ -3766,7 +3965,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "ASN1 Encoder Ransomware" + "value": "ASN1 Encoder Ransomware", + "uuid": "dd99cc50-91f7-4375-906a-7d09c76ee9f7" }, { "meta": { @@ -3784,7 +3984,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif", - "value": "Click Me Ransomware" + "value": "Click Me Ransomware", + "uuid": "97bdadda-e874-46e6-8672-11dbfe3958c4" }, { "meta": { 
@@ -3801,7 +4002,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "AiraCrop Ransomware" + "value": "AiraCrop Ransomware", + "uuid": "e7a5c384-a93c-4ed4-8411-ca1e52396256" }, { "meta": { @@ -3826,7 +4028,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Base64 encoding, ROT13, and top-bottom swapping", - "value": "JapanLocker Ransomware" + "value": "JapanLocker Ransomware", + "uuid": "d579e5b6-c6fd-43d9-9213-7591cd324f94" }, { "meta": { @@ -3845,7 +4048,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. EDA2", - "value": "Anubis Ransomware" + "value": "Anubis Ransomware", + "uuid": "a6215279-37d8-47f7-9b1b-efae4178c738" }, { "meta": { 
@@ -3859,7 +4063,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "XTPLocker 5.0 Ransomware" + "value": "XTPLocker 5.0 Ransomware", + "uuid": "eef4bf49-5b1d-463a-aef9-538c5dc2f71f" }, { "meta": { @@ -3882,7 +4087,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Also encrypts executables", - "value": "Exotic Ransomware" + "value": "Exotic Ransomware", + "uuid": "eb22cb8d-763d-4cac-af35-46dc4f85317b" }, { "meta": { @@ -3899,7 +4105,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. NO POINT TO PAY THE RANSOM, THE FILES ARE COMPLETELY DESTROYED", - "value": "APT Ransomware v.2" + "value": "APT Ransomware v.2", + "uuid": "6ec0f43c-6b73-4f5e-bee7-a231572eb994" }, { "meta": { 
@@ -3921,7 +4128,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Windows_Security Ransonware" + "value": "Windows_Security Ransonware", + "uuid": "a57a8bc3-8c33-43e8-b237-25edcd5f532a" }, { "meta": { @@ -3939,7 +4147,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "NCrypt Ransomware" + "value": "NCrypt Ransomware", + "uuid": "d590865e-f3ae-4381-9d82-3f540f9818cb" }, { "meta": { @@ -3958,7 +4167,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. In devVenisRansom@protonmail.com", - "value": "Venis Ransomware" + "value": "Venis Ransomware", + "uuid": "b9cfe6f3-5970-4283-baf4-252e0491b91c" }, { "meta": { 
@@ -3975,7 +4185,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Enigma 2 Ransomware" + "value": "Enigma 2 Ransomware", + "uuid": "507506a3-3745-47fd-8d31-ef122317c0c2" }, { "meta": { @@ -3993,7 +4204,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. sample is set to encrypt only in 2017...", - "value": "Deadly Ransomware" + "value": "Deadly Ransomware", + "uuid": "a25e39b0-b601-403c-bba8-2f595e221269" }, { "meta": { @@ -4012,7 +4224,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Comrade Circle Ransomware" + "value": "Comrade Circle Ransomware", + "uuid": "db23145a-e15b-4cf7-9d2c-ffa9928750d5" }, { "meta": { 
@@ -4045,7 +4258,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Globe2 Ransomware" + "value": "Globe2 Ransomware", + "uuid": "5541471c-8d15-4aec-9996-e24b59c3e3d6" }, { "meta": { @@ -4064,7 +4278,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Kostya Ransomware" + "value": "Kostya Ransomware", + "uuid": "7d6f02d2-a626-40f6-81c3-14e3a9a2aea5" }, { "meta": { @@ -4081,7 +4296,8 @@ "date": "October 2016" }, "description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..", - "value": "Fs0ciety Locker Ransomware" + "value": "Fs0ciety Locker Ransomware", + "uuid": "ed3a4f8a-49de-40c3-9acb-da1b78f89c4f" }, { "meta": { 
@@ -4098,7 +4314,8 @@ "date": "September 2016" }, "description": "It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. After the files are decrypted, the shadow files are deleted using the following command: vssadmin.exe Delete Shadows /All /Quiet", - "value": "Erebus Ransomware" + "value": "Erebus Ransomware", + "uuid": "6a77c96b-1814-427f-83ca-fe7e0e40b1c0" }, { "meta": { @@ -4115,7 +4332,8 @@ "date": "May 2017" }, "description": "According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.", - "value": "WannaCry" + "value": "WannaCry", + "uuid": "d62ab8d5-4ba1-4c45-8a63-13fdb099b33c" }, { "value": ".CryptoHasYou.", @@ -4131,7 +4349,8 @@ "refs": [ "http://www.nyxbone.com/malware/CryptoHasYou.html" ] - } + }, + "uuid": "a0ce5d94-a22a-40db-a09f-a796d0bb4006" }, { "value": "777", @@ -4152,7 +4371,8 @@ "refs": [ "https://decrypter.emsisoft.com/777" ] - } + }, + "uuid": "cd9e9eaa-0895-4d55-964a-b53eacdfd36a" }, { "value": "7ev3n", 
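Review bot: The description directly above the rewritten `"value": "Erebus Ransomware",` says shadow copies are removed "After the files are decrypted", which contradicts the command it quotes (`vssadmin.exe Delete Shadows /All /Quiet` is run after encryption to block recovery); it is a context line, but since the entry is being touched anyway, changing it to "After the files are encrypted" avoids a misleading incident-response note. In the WannaCry hunk on this same line the description names WCry and Wanna Decryptor, yet no `synonyms` appear in the visible part of `meta`; if they are not already set above the hunk, adding `"synonyms": ["WCry", "Wanna Decryptor"]` would let tags on either name resolve to this uuid.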
@@ -4173,7 +4393,8 @@ "https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be", "http://www.nyxbone.com/malware/7ev3n-HONE$T.html" ] - } + }, + "uuid": "664701d6-7948-4e80-a333-1d1938103ba1" }, { "value": "8lock8", @@ -4189,7 +4410,8 @@ "refs": [ "http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/" ] - } + }, + "uuid": "b70b6537-cf00-4bd1-a4e9-ae5ff2eb7504" }, { "value": "AiraCrop", @@ -4204,7 +4426,8 @@ "refs": [ "https://twitter.com/PolarToffee/status/796079699478900736" ] - } + }, + "uuid": "77919c1f-4ef8-41cd-a635-2d3118ade1f3" }, { "value": "Al-Namrood", @@ -4220,7 +4443,8 @@ "refs": [ "https://decrypter.emsisoft.com/al-namrood" ] - } + }, + "uuid": "0040dca4-bf2e-43cb-89ae-ab1b50f1183d" }, { "value": "ALFA Ransomware", @@ -4235,7 +4459,8 @@ "refs": [ "http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/" ] - } + }, + "uuid": "888abc95-9e01-4cbc-a6e5-058eb9314f51" }, { "value": "Alma Ransomware", @@ -4254,7 +4479,8 @@ "https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter", "http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/" ] - } + }, + "uuid": "76a08868-345f-4566-a403-5f5e575dfee5" }, { "value": "Alpha Ransomware", @@ -4275,7 +4501,8 @@ "http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/", "https://twitter.com/malwarebread/status/804714048499621888" ] - } + }, + "uuid": "a27fff00-995a-4598-ba00-05921bf20e80" }, { "value": "AMBA", @@ -4291,7 +4518,8 @@ "refs": [ "https://twitter.com/benkow_/status/747813034006020096" ] - } + }, + "uuid": "8dd289d8-71bc-42b0-aafd-540dafa93343" }, { "value": "AngleWare", @@ -4306,7 +4534,8 @@ "refs": [ "https://twitter.com/BleepinComputer/status/844531418474708993" ] - } + }, + "uuid": "e06526ac-0083-44ab-8787-dd7278746bb6" }, { "value": "Anony", 
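Review bot: The `AiraCrop` entry here receives uuid `77919c1f-4ef8-41cd-a635-2d3118ade1f3` while an `AiraCrop Ransomware` entry earlier in this diff (dated October 2016) was just given `e7a5c384-a93c-4ed4-8411-ca1e52396256`; minting two permanent ids for what reads as the same family locks the duplication in, because uuids cannot be changed once synced. Prefer merging the two before this lands, keeping one uuid, folding the other's refs (the PolarToffee tweet) into it and adding the alternate name under `synonyms`. If they are intentionally distinct, link them with a `related` entry of type `similar` so consumers can at least see the connection.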
@@ -4318,7 +4547,8 @@ "refs": [ "https://twitter.com/struppigel/status/842047409446387714" ] - } + }, + "uuid": "5b94100d-83bb-4e30-be7a-6015c00356e0" }, { "value": "Apocalypse", @@ -4348,7 +4578,8 @@ "https://decrypter.emsisoft.com/apocalypse", "http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/" ] - } + }, + "uuid": "e38b8876-5780-4574-9adf-304e9d659bdb" }, { "value": "ApocalypseVM", @@ -4364,7 +4595,8 @@ "refs": [ "http://decrypter.emsisoft.com/download/apocalypsevm" ] - } + }, + "uuid": "5bc9c3a5-a35f-43aa-a999-fc7cd0685994" }, { "value": "AutoLocky", @@ -4380,7 +4612,8 @@ "refs": [ "https://decrypter.emsisoft.com/autolocky" ] - } + }, + "uuid": "803fa9e2-8803-409a-b455-3a886c23fae4" }, { "value": "Aw3s0m3Sc0t7", @@ -4392,7 +4625,8 @@ "refs": [ "https://twitter.com/struppigel/status/828902907668000770" ] - } + }, + "uuid": "dced0fe8-224e-47ef-92ed-5ab6c0536daa" }, { "value": "BadBlock", @@ -4406,7 +4640,8 @@ "http://www.nyxbone.com/malware/BadBlock.html", "http://www.nyxbone.com/images/articulos/malware/badblock/5.png" ] - } + }, + "uuid": "f1a30552-21c1-46be-8b5f-64bd62b03d35" }, { "value": "BaksoCrypt", @@ -4419,7 +4654,8 @@ "https://twitter.com/JakubKroustek/status/760482299007922176", "https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/" ] - } + }, + "uuid": "b21997a1-212f-4bbe-a6b7-3c703cbf113e" }, { "value": "Bandarchor", @@ -4440,7 +4676,8 @@ "https://reaqta.com/2016/03/bandarchor-ransomware-still-active/", "https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/" ] - } + }, + "uuid": "af50d07e-3fc5-4014-9ac5-f5466cf042bc" }, { "value": "Bart", 
@@ -4463,7 +4700,8 @@ "http://phishme.com/rockloader-downloading-new-ransomware-bart/", "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky" ] - } + }, + "uuid": "3cf2c880-e0b5-4311-9c4e-6293f2a566e7" }, { "value": "BitCryptor", @@ -4475,7 +4713,8 @@ "refs": [ "https://noransom.kaspersky.com/" ] - } + }, + "uuid": "b5e9a802-cd17-4cd6-b83d-f36cce009808" }, { "value": "BitStak", @@ -4488,7 +4727,8 @@ "refs": [ "https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip" ] - } + }, + "uuid": "33e398fa-2586-415e-9b18-6ea2ea36ff74" }, { "value": "BlackShades Crypter", @@ -4508,7 +4748,8 @@ "refs": [ "http://nyxbone.com/malware/BlackShades.html" ] - } + }, + "uuid": "bf065217-e13a-4f6d-a5b2-ba0750b5c312" }, { "value": "Blocatto", @@ -4521,7 +4762,8 @@ "refs": [ "http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/" ] - } + }, + "uuid": "a3e1cfec-aacd-4d84-aa7d-99ed6c17f26d" }, { "value": "Booyah", @@ -4530,7 +4772,8 @@ "synonyms": [ "Salami" ] - } + }, + "uuid": "eee75995-321f-477f-8b57-eee4eedf4ba3" }, { "value": "Brazilian", @@ -4547,7 +4790,8 @@ "http://www.nyxbone.com/malware/brazilianRansom.html", "http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png" ] - } + }, + "uuid": "f9cf4f0d-3efc-4d6d-baf2-7dcb96db1279" }, { "value": "Brazilian Globe", @@ -4562,7 +4806,8 @@ "refs": [ "https://twitter.com/JakubKroustek/status/821831437884211201" ] - } + }, + "uuid": "d2bc5ec4-1dd1-408a-a6f6-621986657dff" }, { "value": "BrLock", 
@@ -4572,11 +4817,13 @@ "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" ] - } + }, + "uuid": "889d2296-40d2-49f6-be49-cbdfbcde2246" }, { "value": "Browlock", - "description": "Ransomware no local encryption, browser only" + "description": "Ransomware no local encryption, browser only", + "uuid": "9769be50-8e0b-4f52-b7f6-98aeac0aaac4" }, { "value": "BTCWare Related to / new version of CryptXXX", @@ -4591,7 +4838,8 @@ "refs": [ "https://twitter.com/malwrhunterteam/status/845199679340011520" ] - } + }, + "uuid": "8d60dec9-d43f-4d52-904f-40fb67e57ef7" }, { "value": "Bucbi", @@ -4601,7 +4849,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/" ] - } + }, + "uuid": "3510ce65-80e6-4f80-8cde-bb5ad8a271c6" }, { "value": "BuyUnlockCode", @@ -4613,7 +4862,8 @@ "ransomnotes": [ "BUYUNLOCKCODE.txt" ] - } + }, + "uuid": "289624c4-1d50-4178-9371-aebd95f423f9" }, { "value": "Central Security Treatment Organization", @@ -4629,7 +4879,8 @@ "refs": [ "http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/" ] - } + }, + "uuid": "8ff729d9-aee5-4b85-a59d-3f57e105be40" }, { "value": "Cerber", @@ -4663,7 +4914,8 @@ "https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410", "https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/" ] - } + }, + "uuid": "190edf95-9cd9-4e4a-a228-b716d52a751b" }, { "value": "Chimera", @@ -4682,7 +4934,8 @@ "http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/", "https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/" ] - } + }, + "uuid": "27b036f0-afa3-4984-95b3-47fa344b1aa7" }, { "value": "Clock", 
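Review bot: The trailing context of the Browlock hunk shows `"value": "BTCWare Related to / new version of CryptXXX",` with relationship prose embedded in the canonical name, so the uuid assigned in the next hunk now anchors a name nobody will tag by; the line is unchanged here, but the cleaner form is `"value": "BTCWare",` with the lineage moved to `description` or to a `related` entry pointing at the CryptXXX uuid `255aac37-e4d2-4eeb-b8de-143f9c2321bd` minted later in this diff. Browlock itself ends up with `uuid` as its only structured field (no `meta` at all), which is valid but means there is nothing for a `refs` or `synonyms` lookup to find; worth confirming that is intentional.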
@@ -4691,7 +4944,8 @@ "refs": [ "https://twitter.com/JakubKroustek/status/794956809866018816" ] - } + }, + "uuid": "af3b3bbb-b54d-49d0-8e58-e9c56762a96b" }, { "value": "CoinVault", @@ -4706,7 +4960,8 @@ "refs": [ "https://noransom.kaspersky.com/" ] - } + }, + "uuid": "15941fb1-08f0-4276-a61f-e2a306d6c6b5" }, { "value": "Coverton", @@ -4725,7 +4980,8 @@ "refs": [ "http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/" ] - } + }, + "uuid": "36450e8c-ff66-4ecf-9c0f-fbfb27a72d63" }, { "value": "Cryaki", @@ -4737,7 +4993,8 @@ "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] - } + }, + "uuid": "2c11d679-1fb1-4bd7-9516-9c6f402f3c25" }, { "value": "Crybola", @@ -4746,7 +5003,8 @@ "refs": [ "https://support.kaspersky.com/viruses/disinfection/8547" ] - } + }, + "uuid": "93dcd241-f2d6-40f3-aee3-351420046a77" }, { "value": "CryFile", @@ -4767,7 +5025,8 @@ "ransomnotes": [ "http://virusinfo.info/showthread.php?t=185396" ] - } + }, + "uuid": "0d46e21d-8f1c-4355-8205-185fb7e041a7" }, { "value": "CryLocker", @@ -4788,7 +5047,8 @@ "refs": [ "http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/" ] - } + }, + "uuid": "629f6986-2c1f-4d0a-b805-e4ef3e2ce634" }, { "value": "CrypMIC", @@ -4803,7 +5063,8 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/" ] - } + }, + "uuid": "82cb7a40-0a78-4414-9afd-028d6b3082ea" }, { "value": "Crypren", @@ -4820,7 +5081,8 @@ "http://www.nyxbone.com/malware/Crypren.html", "http://www.nyxbone.com/images/articulos/malware/crypren/0.png" ] - } + }, + "uuid": "a9f05b4e-6b03-4211-a2bd-6b4432eb3388" }, { "value": "Crypt38", 
@@ -4834,7 +5096,8 @@ "https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip", "https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption" ] - } + }, + "uuid": "12a96f43-8a8c-410e-aaa3-ba6735276555" }, { "value": "Crypter", @@ -4843,7 +5106,8 @@ "refs": [ "https://twitter.com/jiriatvirlab/status/802554159564062722" ] - } + }, + "uuid": "37edc8d7-c939-4a33-9ed5-dafbbc1e5b1e" }, { "value": "CryptFIle2", @@ -4857,7 +5121,8 @@ "refs": [ "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered" ] - } + }, + "uuid": "5b0dd136-6428-48c8-b2a6-8e926a82dfac" }, { "value": "CryptInfinite", @@ -4869,7 +5134,8 @@ "refs": [ "https://decrypter.emsisoft.com/" ] - } + }, + "uuid": "2b0d60c3-6560-49ac-baf0-5f642e8a77de" }, { "value": "CryptoBit", @@ -4883,7 +5149,8 @@ "http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/", "http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml" ] - } + }, + "uuid": "1903ed75-05f7-4019-b0b7-7a8f23f22194" }, { "value": "CryptoDefense", @@ -4897,7 +5164,8 @@ "refs": [ "https://decrypter.emsisoft.com/" ] - } + }, + "uuid": "ad9eeff2-91b4-440a-ae74-ab84d3e2075e" }, { "value": "CryptoFinancial", @@ -4910,7 +5178,8 @@ "http://blog.talosintel.com/2016/07/ranscam.html", "https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/" ] - } + }, + "uuid": "383d7ebb-9b08-4874-b5d7-dc02b499c38f" }, { "value": "CryptoFortress", @@ -4923,7 +5192,8 @@ "ransomnotes": [ "READ IF YOU WANT YOUR FILES BACK.html" ] - } + }, + "uuid": "26c8b446-305c-4057-83bc-85b09630281e" }, { "value": "CryptoGraphic Locker", @@ -4935,7 +5205,8 @@ "ransomnotes": [ "wallpaper.jpg" ] - } + }, + "uuid": "58534bc4-eb96-44f4-bdad-2cc5cfea8c6f" }, { "value": "CryptoHost", 
@@ -4950,7 +5221,8 @@ "refs": [ "http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/" ] - } + }, + "uuid": "dba2cf74-16a9-4ed8-8536-6542fda95999" }, { "value": "CryptoJoker", @@ -4965,7 +5237,8 @@ "GetYouFiles.txt", "crjoker.html" ] - } + }, + "uuid": "2fb307a2-8752-4521-8973-75b68703030d" }, { "value": "CryptoLocker", @@ -4979,7 +5252,8 @@ "https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html", "https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/" ] - } + }, + "uuid": "b35b1ca2-f99c-4495-97a5-b8f30225cb90" }, { "value": "CryptoLocker 1.0.0", @@ -4988,7 +5262,8 @@ "refs": [ "https://twitter.com/malwrhunterteam/status/839747940122001408" ] - } + }, + "uuid": "8d5e3b1f-e333-4eed-8dec-d74f19d6bcbb" }, { "value": "CryptoLocker 5.1", @@ -4997,7 +5272,8 @@ "refs": [ "https://twitter.com/malwrhunterteam/status/782890104947867649" ] - } + }, + "uuid": "e1412d2a-2a94-4c83-aed0-9e09523514a4" }, { "value": "CryptoMix", @@ -5051,7 +5327,8 @@ "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/", "https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/" ] - } + }, + "uuid": "c76110ea-15f1-4adf-a28d-c707374dbb3a" }, { "value": "CryptoRansomeware", @@ -5060,7 +5337,8 @@ "refs": [ "https://twitter.com/malwrhunterteam/status/817672617658347521" ] - } + }, + "uuid": "de53f392-8794-43d1-a38b-c0b90c20a3fb" }, { "value": "CryptoRoger", @@ -5076,7 +5354,8 @@ "refs": [ "http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/" ] - } + }, + "uuid": "b6fe71ba-b0f4-4cc4-b84c-d3d80a37eada" }, { "value": "CryptoShadow", @@ -5091,7 +5370,8 @@ "refs": [ "https://twitter.com/struppigel/status/821992610164277248" ] - } + }, + "uuid": "b11563ce-cced-4c8b-a3a1-0c4ff76aa0ef" }, { "value": "CryptoShocker", 
@@ -5107,7 +5387,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/"
 ]
- }
+ },
+ "uuid": "545b4b25-763a-4a5c-8dda-12142c00422c"
 },
 {
 "value": "CryptoTorLocker2015",
@@ -5123,7 +5404,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/"
 ]
- }
+ },
+ "uuid": "06ec3640-4b93-4e79-a8ec-e24b3d349dd5"
 },
 {
 "value": "CryptoTrooper",
@@ -5133,7 +5415,8 @@
 "refs": [
 "http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml"
 ]
- }
+ },
+ "uuid": "13fdf55f-46f7-4635-96b8-b4806c78a80c"
 },
 {
 "value": "CryptoWall 1",
@@ -5145,7 +5428,8 @@
 "DECRYPT_INSTRUCTION.URL",
 "INSTALL_TOR.URL"
 ]
- }
+ },
+ "uuid": "5559fbc1-52c6-469c-be97-8f8344765577"
 },
 {
 "value": "CryptoWall 2",
@@ -5157,7 +5441,8 @@
 "HELP_DECRYPT.URL",
 "HELP_DECRYPT.HTML"
 ]
- }
+ },
+ "uuid": "f2780d22-4410-4a2f-a1c3-f43807ed1f19"
 },
 {
 "value": "CryptoWall 3",
@@ -5173,7 +5458,8 @@
 "https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/",
 "https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/"
 ]
- }
+ },
+ "uuid": "9d35fe47-5f8c-494c-a74f-23a7ac7f44be"
 },
 {
 "value": "CryptoWall 4",
@@ -5186,7 +5472,8 @@
 "HELP_YOUR_FILES.HTML",
 "HELP_YOUR_FILES.PNG"
 ]
- }
+ },
+ "uuid": "f7c04ce6-dd30-4a94-acd4-9a3125bcb12e"
 },
 {
 "value": "CryptXXX",
@@ -5205,7 +5492,8 @@
 "https://support.kaspersky.com/viruses/disinfection/8547",
 "http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information"
 ]
- }
+ },
+ "uuid": "255aac37-e4d2-4eeb-b8de-143f9c2321bd"
 },
 {
 "value": "CryptXXX 2.0",
@@ -5225,7 +5513,8 @@
 "https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool",
 "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
 ]
- }
+ },
+ "uuid": "e272d0b5-cdfc-422a-bb78-9214475daec5"
 },
 {
 "value": "CryptXXX 3.0",
@@ -5247,7 +5536,8 @@
 "http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/",
 "http://blogs.cisco.com/security/cryptxxx-technical-deep-dive"
 ]
- }
+ },
+ "uuid": "60a50fe5-53ea-43f0-8a17-e7134f5fc371"
 },
 {
 "value": "CryptXXX 3.1",
@@ -5260,7 +5550,8 @@
 "https://support.kaspersky.com/viruses/disinfection/8547",
 "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100"
 ]
- }
+ },
+ "uuid": "3f5a76ea-6b83-443e-b26f-b2b2d02d90e0"
 },
 {
 "value": "CryPy",
@@ -5276,7 +5567,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/"
 ]
- }
+ },
+ "uuid": "0b0f5f33-1871-461d-8e7e-b5e0ebc82311"
 },
 {
 "value": "CTB-Faker",
@@ -5295,7 +5587,8 @@
 "DecryptAllFiles .txt",
 ".html"
 ]
- }
+ },
+ "uuid": "6212bf8f-07db-490a-8cef-ac42042076c1"
 },
 {
 "value": "CTB-Locker WEB",
@@ -5305,7 +5598,8 @@
 "https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/",
 "https://github.com/eyecatchup/Critroni-php"
 ]
- }
+ },
+ "uuid": "555b2c6f-0848-4ac1-9443-e4c20814459a"
 },
 {
 "value": "CuteRansomware",
@@ -5327,7 +5621,8 @@
 "https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool",
 "https://github.com/aaaddress1/my-Little-Ransomware"
 ]
- }
+ },
+ "uuid": "1a369bbf-6f03-454c-b507-15abe2a8bbb4"
 },
 {
 "value": "Cyber SpLiTTer Vbs",
@@ -5340,7 +5635,8 @@
 "https://twitter.com/struppigel/status/778871886616862720",
 "https://twitter.com/struppigel/status/806758133720698881"
 ]
- }
+ },
+ "uuid": "587589df-ee42-43f4-9480-c65d6e1d7e0f"
 },
 {
 "value": "Death Bitches",
@@ -5355,7 +5651,8 @@
 "refs": [
 "https://twitter.com/JaromirHorejsi/status/815555258478981121"
 ]
- }
+ },
+ "uuid": "0f074c07-613d-43cb-bd5f-37c747d39fe2"
 },
 {
 "value": "DeCrypt Protect",
@@ -5367,7 +5664,8 @@
 "refs": [
 "http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/"
 ]
- }
+ },
+ "uuid": "c80c78ae-fc05-44cf-8b47-4d50c103ca70"
 },
 {
 "value": "DEDCryptor",
@@ -5381,7 +5679,8 @@
 "http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/",
 "http://www.nyxbone.com/malware/DEDCryptor.html"
 ]
- }
+ },
+ "uuid": "496b6c3c-771a-46cd-8e41-ce7c4168ae20"
 },
 {
 "value": "Demo",
@@ -5396,7 +5695,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/798573300779745281"
 ]
- }
+ },
+ "uuid": "b314d86f-92bb-4be3-b32a-19d6f8eb55d4"
 },
 {
 "value": "DetoxCrypto",
@@ -5406,7 +5706,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/"
 ]
- }
+ },
+ "uuid": "be094d75-eba8-4ff3-91f1-f8cde687e5ed"
 },
 {
 "value": "Digisom",
@@ -5418,7 +5719,8 @@
 "refs": [
 "https://twitter.com/PolarToffee/status/829727052316160000"
 ]
- }
+ },
+ "uuid": "c5b2a0bc-352f-481f-8c35-d378754793c0"
 },
 {
 "value": "DirtyDecrypt",
@@ -5427,7 +5729,8 @@
 "refs": [
 "https://twitter.com/demonslay335/status/752586334527709184"
 ]
- }
+ },
+ "uuid": "5ad8a530-3ab9-48b1-9a75-e1e97b3f77ec"
 },
 {
 "value": "DMALocker",
@@ -5445,7 +5748,8 @@
 "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
 "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/"
 ]
- }
+ },
+ "uuid": "407ebc7c-5b05-488f-862f-b2bf6c562372"
 },
 {
 "value": "DMALocker 3.0",
@@ -5456,7 +5760,8 @@
 "https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg",
 "https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/"
 ]
- }
+ },
+ "uuid": "ba39be57-c138-48d5-b46b-d996ff899ffa"
 },
 {
 "value": "DNRansomware",
@@ -5468,7 +5773,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/822500056511213568"
 ]
- }
+ },
+ "uuid": "45cae006-5d14-4c95-bb5b-dcf5555d7c78"
 },
 {
 "value": "Domino",
@@ -5485,7 +5791,8 @@
 "http://www.nyxbone.com/malware/Domino.html",
 "http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/"
 ]
- }
+ },
+ "uuid": "7cb20800-2033-49a4-bdf8-a7da5a24f7f1"
 },
 {
 "value": "DoNotChange",
@@ -5503,7 +5810,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/"
 ]
- }
+ },
+ "uuid": "2e6f4fa6-5fdf-4d69-b764-063d88ba1dd0"
 },
 {
 "value": "DummyLocker",
@@ -5515,7 +5823,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/794108322932785158"
 ]
- }
+ },
+ "uuid": "55446b3a-fdc7-4c75-918a-2d9fb5cdf3ff"
 },
 {
 "value": "DXXD",
@@ -5531,7 +5840,8 @@
 "https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/",
 "https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/"
 ]
- }
+ },
+ "uuid": "57108b9e-5af8-4797-9924-e424cb5e9903"
 },
 {
 "value": "HiddenTear",
@@ -5548,7 +5858,8 @@
 "refs": [
 "http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html"
 ]
- }
+ },
+ "uuid": "254f4f67-d850-4dc5-8ddb-2e955ddea287"
 },
 {
 "value": "EduCrypt",
@@ -5568,7 +5879,8 @@
 "http://www.filedropper.com/decrypter_1",
 "https://twitter.com/JakubKroustek/status/747031171347910656"
 ]
- }
+ },
+ "uuid": "826a341a-c329-4e1e-bc9f-5d44c8317557"
 },
 {
 "value": "EiTest",
@@ -5581,7 +5893,8 @@
 "https://twitter.com/BroadAnalysis/status/845688819533930497",
 "https://twitter.com/malwrhunterteam/status/845652520202616832"
 ]
- }
+ },
+ "uuid": "0a24ea0d-3f8a-428a-8b77-ef5281c1ee05"
 },
 {
 "value": "El-Polocker",
@@ -5598,7 +5911,8 @@
 "qwer2.html",
 "locked.bmp"
 ]
- }
+ },
+ "uuid": "63d9cb32-a1b9-46c3-818a-df16d8b9e46a"
 },
 {
 "value": "Encoder.xxxx",
@@ -5614,7 +5928,8 @@
 "http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/",
 "http://vms.drweb.ru/virus/?_is=1&i=8747343"
 ]
- }
+ },
+ "uuid": "f855609e-b7ab-41e8-aafa-62016f8f4e1a"
 },
 {
 "value": "encryptoJJS",
@@ -5626,7 +5941,8 @@
 "ransomnotes": [
 "How to recover.enc"
 ]
- }
+ },
+ "uuid": "3e5deef2-bace-40bc-beb1-5d9009233667"
 },
 {
 "value": "Enigma",
@@ -5645,7 +5961,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/"
 ]
- }
+ },
+ "uuid": "1b24d240-df72-4388-946b-efa07a9447bb"
 },
 {
 "value": "Enjey",
@@ -5654,7 +5971,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/839022018230112256"
 ]
- }
+ },
+ "uuid": "198891fb-26a4-455a-9719-4130bedba103"
 },
 {
 "value": "Fairware",
@@ -5663,7 +5981,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/"
 ]
- }
+ },
+ "uuid": "6771b42f-1d95-4b2e-bbb5-9ab703bbaa9d"
 },
 {
 "value": "Fakben",
@@ -5678,7 +5997,8 @@
 "refs": [
 "https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code"
 ]
- }
+ },
+ "uuid": "c308346a-2746-4900-8149-464a09086b55"
 },
 {
 "value": "FakeCryptoLocker",
@@ -5690,7 +6010,8 @@
 "refs": [
 "https://twitter.com/PolarToffee/status/812312402779836416"
 ]
- }
+ },
+ "uuid": "abddc01f-7d76-47d4-985d-ea6d16acccb1"
 },
 {
 "value": "Fantom",
@@ -5711,7 +6032,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/"
 ]
- }
+ },
+ "uuid": "35be87a5-b498-4693-8b8d-8b17864ac088"
 },
 {
 "value": "FenixLocker",
@@ -5727,7 +6049,8 @@
 "https://decrypter.emsisoft.com/fenixlocker",
 "https://twitter.com/fwosar/status/777197255057084416"
 ]
- }
+ },
+ "uuid": "f9f54046-ed5d-4353-8b81-d92b51f596b4"
 },
 {
 "value": "FILE FROZR",
@@ -5736,7 +6059,8 @@
 "refs": [
 "https://twitter.com/rommeljoven17/status/846973265650335744"
 ]
- }
+ },
+ "uuid": "2a50f476-7355-4d58-b0ce-4235b2546c90"
 },
 {
 "value": "FileLocker",
@@ -5748,7 +6072,8 @@
 "refs": [
 "https://twitter.com/jiriatvirlab/status/836616468775251968"
 ]
- }
+ },
+ "uuid": "b92bc550-7edb-4f8f-96fc-cf47d437df32"
 },
 {
 "value": "FireCrypt",
@@ -5764,7 +6089,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/"
 ]
- }
+ },
+ "uuid": "721ba430-fd28-454c-8512-24339ef2235f"
 },
 {
 "value": "Flyper",
@@ -5776,7 +6102,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/773771485643149312"
 ]
- }
+ },
+ "uuid": "1a110f7e-8820-4a9a-86c0-db4056f0b911"
 },
 {
 "value": "Fonco",
@@ -5786,7 +6113,8 @@
 "help-file-decrypt.enc",
 "/pronk.txt"
 ]
- }
+ },
+ "uuid": "3d75cb84-2f14-408d-95bd-f1316bf854e6"
 },
 {
 "value": "FortuneCookie ",
@@ -5795,7 +6123,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/842302481774321664"
 ]
- }
+ },
+ "uuid": "2db3aafb-b219-4b52-8dfe-ce41416ebeab"
 },
 {
 "value": "Free-Freedom",
@@ -5810,7 +6139,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/812135608374226944"
 ]
- }
+ },
+ "uuid": "175ebcc0-d74f-49b2-9226-c660ca1fe2e8"
 },
 {
 "value": "FSociety",
@@ -5829,7 +6159,8 @@
 "http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/",
 "https://twitter.com/siri_urz/status/795969998707720193"
 ]
- }
+ },
+ "uuid": "d1e7c0d9-3c96-41b7-a4a2-7eaef64d7b0f"
 },
 {
 "value": "Fury",
@@ -5838,7 +6169,8 @@
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547"
 ]
- }
+ },
+ "uuid": "291997b1-72b6-43ea-9365-b4d55eddca71"
 },
 {
 "value": "GhostCrypt",
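Review bot: The entry name shown at the end of the Fonco hunk (`@@ -5786,7 +6113,8 @@`) is `"value": "FortuneCookie ",` with a trailing space inside the string, and since `value` is the name that tag generation and exact-match lookups key on, that whitespace will make the entry unmatchable by its visible name. It is a pre-existing context line rather than part of this change, but the entry is being edited in the next hunk anyway, so it is worth fixing in the same pass: `"value": "FortuneCookie",`. A whitespace-trimming check over all `value` strings would catch any other instance in the file.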
@@ -5852,7 +6184,8 @@
 "https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip",
 "http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/"
 ]
- }
+ },
+ "uuid": "3b681f76-b0e4-4ba7-a113-5dd87d6ee53b"
 },
 {
 "value": "Gingerbread",
@@ -5861,7 +6194,8 @@
 "refs": [
 "https://twitter.com/ni_fi_70/status/796353782699425792"
 ]
- }
+ },
+ "uuid": "c6419971-47f8-4c80-a685-77292ff30fa7"
 },
 {
 "value": "Globe v1",
@@ -5881,7 +6215,8 @@
 "https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221",
 "http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/"
 ]
- }
+ },
+ "uuid": "b247b6e5-f51b-4bb5-8f5a-1628843abe99"
 },
 {
 "value": "GNL Locker",
@@ -5898,7 +6233,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/"
 ]
- }
+ },
+ "uuid": "390abe30-8b9e-439e-a6d3-2ee978f05fba"
 },
 {
 "value": "Gomasom",
@@ -5911,7 +6247,8 @@
 "refs": [
 "https://decrypter.emsisoft.com/"
 ]
- }
+ },
+ "uuid": "70b85861-f419-4ad5-9aa6-254db292e043"
 },
 {
 "value": "Goopic",
@@ -5923,11 +6260,13 @@
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/"
 ]
- }
+ },
+ "uuid": "3229a370-7a09-4b93-ad89-9555a847b1dd"
 },
 {
 "value": "Gopher",
- "description": "Ransomware OS X ransomware (PoC)"
+ "description": "Ransomware OS X ransomware (PoC)",
+ "uuid": "ec461b8a-5390-4304-9d2a-a20c7ed6a9db"
 },
 {
 "value": "Hacked",
@@ -5943,7 +6282,8 @@
 "refs": [
 "https://twitter.com/demonslay335/status/806878803507101696"
 ]
- }
+ },
+ "uuid": "7f2df0cd-5962-4687-90a2-a49eab2b12bc"
 },
 {
 "value": "HappyDayzz",
@@ -5953,7 +6293,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/847114064224497666"
 ]
- }
+ },
+ "uuid": "e71c76f3-8274-4ec5-ac11-ac8b8286d069"
 },
 {
 "value": "Harasom",
@@ -5965,7 +6306,8 @@
 "refs": [
 "https://decrypter.emsisoft.com/"
 ]
- }
+ },
+ "uuid": "5cadd11c-002a-4062-bafd-aadb7d740f59"
 },
 {
 "value": "HDDCryptor",
@@ -5979,7 +6321,8 @@
 "https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho",
 "blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/"
 ]
- }
+ },
+ "uuid": "95be4cd8-1d98-484f-a328-a5917a05e3c8"
 },
 {
 "value": "Heimdall",
@@ -5989,7 +6332,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/"
 ]
- }
+ },
+ "uuid": "c6d6ddf0-2afa-4cca-8982-ba2a7c0441ae"
 },
 {
 "value": "Help_dcfile",
@@ -6001,7 +6345,8 @@
 "ransomnotes": [
 "help_dcfile.txt"
 ]
- }
+ },
+ "uuid": "2fdc6daa-6b6b-41b9-9a25-1030101478c3"
 },
 {
 "value": "Herbst",
@@ -6014,7 +6359,8 @@
 "refs": [
 "https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware"
 ]
- }
+ },
+ "uuid": "6489895b-0213-4564-9cfc-777df58d84c9"
 },
 {
 "value": "Hi Buddy!",
@@ -6027,7 +6373,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/hibuddy.html"
 ]
- }
+ },
+ "uuid": "a0d6563d-1e98-4e49-9151-39fbeb09ef76"
 },
 {
 "value": "Hitler",
@@ -6040,7 +6387,8 @@
 "http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/",
 "https://twitter.com/jiriatvirlab/status/825310545800740864"
 ]
- }
+ },
+ "uuid": "8807752b-bd26-45a7-ba34-c8ddd8e5781d"
 },
 {
 "value": "HolyCrypt",
@@ -6053,7 +6401,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/"
 ]
- }
+ },
+ "uuid": "c71819a4-f6ce-4265-b0cd-24a98d84321c"
 },
 {
 "value": "HTCryptor",
@@ -6062,7 +6411,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/803288396814839808"
 ]
- }
+ },
+ "uuid": "728aecfc-9b99-478f-a0a3-8c0fb6896353"
 },
 {
 "value": "HydraCrypt",
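Review bot: The second ref in the hunk closing the HDDCryptor entry (`@@ -5979,7 +6321,8 @@`) is `"blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-..."` with no URL scheme, so it will not render as a link and any consumer that validates `refs` entries as absolute URLs will reject the whole entry; the Philadelphia hunk at `@@ -7045,7 +7460,8 @@` has the same problem with its `www.bleepingcomputer.com/...` ref. Both are pre-existing context lines rather than part of this change, but the entries are being rewritten here and prefixing `https://` is a one-token fix. A scheme check over every `refs` string would surface any remaining cases in the file.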
@@ -6078,7 +6428,8 @@
 "https://decrypter.emsisoft.com/",
 "http://www.malware-traffic-analysis.net/2016/02/03/index2.html"
 ]
- }
+ },
+ "uuid": "335c3ab6-8f2c-458c-92a3-2f3a09a6064c"
 },
 {
 "value": "iLock",
@@ -6090,7 +6441,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/817085367144873985"
 ]
- }
+ },
+ "uuid": "68e90fa4-ea66-4159-b454-5f48fdae3d89"
 },
 {
 "value": "iLockLight",
@@ -6099,7 +6451,8 @@
 "extensions": [
 ".crime"
 ]
- }
+ },
+ "uuid": "cb374ee8-76c0-4db8-9026-a57a51d9a0a1"
 },
 {
 "value": "International Police Association",
@@ -6114,7 +6467,8 @@
 "refs": [
 "http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe"
 ]
- }
+ },
+ "uuid": "a66fbb1e-ba59-48c1-aac8-8678b4a98dc1"
 },
 {
 "value": "iRansom",
@@ -6126,7 +6480,8 @@
 "refs": [
 "https://twitter.com/demonslay335/status/796134264744083460"
 ]
- }
+ },
+ "uuid": "4514ecd4-850d-446f-82cb-0668d2c94ffa"
 },
 {
 "value": "JagerDecryptor",
@@ -6141,7 +6496,8 @@
 "refs": [
 "https://twitter.com/JakubKroustek/status/757873976047697920"
 ]
- }
+ },
+ "uuid": "25a086aa-e25c-4190-a848-69d9f46fd8ab"
 },
 {
 "value": "Jeiphoos",
@@ -6159,7 +6515,8 @@
 "http://www.nyxbone.com/malware/RaaS.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/"
 ]
- }
+ },
+ "uuid": "50014fe7-5efd-4639-82ef-30d36f4d2918"
 },
 {
 "value": "Jhon Woddy",
@@ -6172,7 +6529,8 @@
 "https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip",
 "https://twitter.com/BleepinComputer/status/822509105487245317"
 ]
- }
+ },
+ "uuid": "fedd7285-d4bd-4411-985e-087954cee96d"
 },
 {
 "value": "Jigsaw",
@@ -6207,7 +6565,8 @@
 "https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/",
 "https://twitter.com/demonslay335/status/795819556166139905"
 ]
- }
+ },
+ "uuid": "1e3384ae-4b48-4c96-b7c2-bc1cc1eda203"
 },
 {
 "value": "Job Crypter",
@@ -6227,11 +6586,13 @@
 "http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html",
 "https://twitter.com/malwrhunterteam/status/828914052973858816"
 ]
- }
+ },
+ "uuid": "7c9a273b-1534-4a13-b201-b7a782b6c32a"
 },
 {
 "value": "JohnyCryptor",
- "description": "Ransomware"
+ "description": "Ransomware",
+ "uuid": "5af5be3e-549f-4485-8c2e-1459d4e5c7d7"
 },
 {
 "value": "KawaiiLocker",
@@ -6243,7 +6604,8 @@
 "refs": [
 "https://safezone.cc/resources/kawaii-decryptor.195/"
 ]
- }
+ },
+ "uuid": "b6d0ea4d-4e55-4b42-9d60-485d605d6c49"
 },
 {
 "value": "KeRanger",
@@ -6257,7 +6619,8 @@
 "http://news.drweb.com/show/?i=9877&lng=en&c=5",
 "http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/"
 ]
- }
+ },
+ "uuid": "63292b32-9867-4fb2-9e59-d4983d4fd5d1"
 },
 {
 "value": "KeyBTC",
@@ -6274,7 +6637,8 @@
 "refs": [
 "https://decrypter.emsisoft.com/"
 ]
- }
+ },
+ "uuid": "3964e617-dde5-4c95-b4a0-e7c19c6e7d7f"
 },
 {
 "value": "KEYHolder",
@@ -6287,7 +6651,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml"
 ]
- }
+ },
+ "uuid": "66eda328-9408-4e98-ad27-572fd6b2acd8"
 },
 {
 "value": "KillerLocker",
@@ -6299,7 +6664,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/782232299840634881"
 ]
- }
+ },
+ "uuid": "ea8e7350-f243-4ef7-bc31-4648df8a4d96"
 },
 {
 "value": "KimcilWare",
@@ -6314,7 +6680,8 @@
 "https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it",
 "http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/"
 ]
- }
+ },
+ "uuid": "950e2514-8a7e-4fdb-a3ad-5679f6342e5d"
 },
 {
 "value": "Korean",
@@ -6330,7 +6697,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/koreanRansom.html"
 ]
- }
+ },
+ "uuid": "4febffe0-3837-41d7-b95f-e26d126275e4"
 },
 {
 "value": "Kozy.Jozy",
@@ -6351,7 +6719,8 @@
 "http://www.nyxbone.com/malware/KozyJozy.html",
 "http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/"
 ]
- }
+ },
+ "uuid": "47b5d261-11bd-4c7b-91f9-e5651578026a"
 },
 {
 "value": "KratosCrypt",
@@ -6366,7 +6735,8 @@
 "refs": [
 "https://twitter.com/demonslay335/status/746090483722686465"
 ]
- }
+ },
+ "uuid": "cc819741-830b-4859-bb7c-ccedf3356acd"
 },
 {
 "value": "KryptoLocker",
@@ -6376,7 +6746,8 @@
 "ransomnotes": [
 "KryptoLocker_README.txt"
 ]
- }
+ },
+ "uuid": "e68d4f37-704a-4f8e-9718-b12039fbe424"
 },
 {
 "value": "LanRan",
@@ -6388,7 +6759,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/847689644854595584"
 ]
- }
+ },
+ "uuid": "9e152871-fb16-475d-bf3b-f3b870d0237a"
 },
 {
 "value": "LeChiffre",
@@ -6404,7 +6776,8 @@
 "https://decrypter.emsisoft.com/lechiffre",
 "https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/"
 ]
- }
+ },
+ "uuid": "ea1ba874-07e6-4a6d-82f0-e4ce4210e34e"
 },
 {
 "value": "Lick",
@@ -6419,7 +6792,8 @@
 "refs": [
 "https://twitter.com/JakubKroustek/status/842404866614038529"
 ]
- }
+ },
+ "uuid": "f2e76070-0cea-4c9c-8d6b-1d847e777575"
 },
 {
 "value": "Linux.Encoder",
@@ -6431,7 +6805,8 @@
 "refs": [
 "https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/"
 ]
- }
+ },
+ "uuid": "b4992483-a693-4e73-b39e-0f45c9f645b5"
 },
 {
 "value": "LK Encryption",
@@ -6440,7 +6815,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/845183290873044994"
 ]
- }
+ },
+ "uuid": "af52badb-3211-42b0-a1ac-e4d35d5829d7"
 },
 {
 "value": "LLTP Locker",
@@ -6457,7 +6833,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/"
 ]
- }
+ },
+ "uuid": "0cec6928-80c7-4085-ba47-cdc52177dfd3"
 },
 {
 "value": "Locker",
@@ -6466,7 +6843,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545"
 ]
- }
+ },
+ "uuid": "abc7883c-244a-44ac-9c86-559dafa4eb63"
 },
 {
 "value": "LockLock",
@@ -6482,7 +6860,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/"
 ]
- }
+ },
+ "uuid": "7850bf92-394b-443b-8830-12f9ddbb50dc"
 },
 {
 "value": "Locky",
@@ -6527,7 +6906,8 @@
 "https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/",
 "https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/"
 ]
- }
+ },
+ "uuid": "8d51a22e-3485-4480-af96-8ed0305a7aa6"
 },
 {
 "value": "Lortok",
@@ -6536,7 +6916,8 @@
 "extensions": [
 ".crime"
 ]
- }
+ },
+ "uuid": "bc23872a-7cd3-4a66-9d25-6b4e6f90cc4e"
 },
 {
 "value": "LowLevel04",
@@ -6545,7 +6926,8 @@
 "extensions": [
 "oor."
 ]
- }
+ },
+ "uuid": "d4fb0463-6cd1-45ac-a7d2-6eea8be39590"
 },
 {
 "value": "M4N1F3STO",
@@ -6554,15 +6936,18 @@
 "refs": [
 "https://twitter.com/jiriatvirlab/status/808015275367002113"
 ]
- }
+ },
+ "uuid": "f5d19af8-1c85-408b-818e-db50208d62b1"
 },
 {
 "value": "Mabouia",
- "description": "Ransomware OS X ransomware (PoC)"
+ "description": "Ransomware OS X ransomware (PoC)",
+ "uuid": "f9214319-6ad4-4c4e-bc6d-fb710f61da48"
 },
 {
 "value": "MacAndChess",
- "description": "Ransomware Based on HiddenTear"
+ "description": "Ransomware Based on HiddenTear",
+ "uuid": "fae8bf6e-47d1-4449-a1c6-761a4970fc38"
 },
 {
 "value": "Magic",
@@ -6576,7 +6961,8 @@
 "DECRYPT_ReadMe1.TXT",
 "DECRYPT_ReadMe.TXT"
 ]
- }
+ },
+ "uuid": "31fa83fc-8247-4347-940a-e463acd66bac"
 },
 {
 "value": "MaktubLocker",
@@ -6592,7 +6978,8 @@
 "refs": [
 "https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/"
 ]
- }
+ },
+ "uuid": "ef6ceb04-243e-4783-b476-8e8e9f06e8a7"
 },
 {
 "value": "MarsJoke",
@@ -6610,7 +6997,8 @@
 "https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/",
 "https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker"
 ]
- }
+ },
+ "uuid": "933bd53f-5ccf-4262-a70c-c01a6f05af3e"
 },
 {
 "value": "Meister",
@@ -6619,7 +7007,8 @@
 "refs": [
 "https://twitter.com/siri_urz/status/840913419024945152"
 ]
- }
+ },
+ "uuid": "ce5a82ef-d2a3-405c-ac08-3dca71057eb5"
 },
 {
 "value": "Meteoritan",
@@ -6632,7 +7021,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/844614889620561924"
 ]
- }
+ },
+ "uuid": "34f292d9-cb68-4bcf-a3db-a717362aca77"
 },
 {
 "value": "MIRCOP",
@@ -6651,7 +7041,8 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/",
 "http://www.nyxbone.com/malware/Mircop.html"
 ]
- }
+ },
+ "uuid": "7dd326a5-1168-4309-98b1-f2146d9cf8c7"
 },
 {
 "value": "MireWare",
@@ -6665,7 +7056,8 @@
 "ransomnotes": [
 "READ_IT.txt"
 ]
- }
+ },
+ "uuid": "9f01ded7-99f6-4863-b3a3-9d32aabf96c3"
 },
 {
 "value": "Mischa",
@@ -6684,7 +7076,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/"
 ]
- }
+ },
+ "uuid": "a029df89-2bb1-409d-878b-a67572217a65"
 },
 {
 "value": "MM Locker",
@@ -6703,7 +7096,8 @@
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered"
 ]
- }
+ },
+ "uuid": "b95aa3fb-9f32-450e-8058-67d94f196913"
 },
 {
 "value": "Mobef",
@@ -6726,7 +7120,8 @@
 "http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/",
 "http://nyxbone.com/images/articulos/malware/mobef/0.png"
 ]
- }
+ },
+ "uuid": "681f212a-af1b-4e40-a718-81b0dc46dc52"
 },
 {
 "value": "Monument",
@@ -6735,7 +7130,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/844826339186135040"
 ]
- }
+ },
+ "uuid": "2702fb96-8118-4519-bd75-23eed40f25e9"
 },
 {
 "value": "N-Splitter",
@@ -6748,7 +7144,8 @@
 "https://twitter.com/JakubKroustek/status/815961663644008448",
 "https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q"
 ]
- }
+ },
+ "uuid": "8ec55495-fb31-49c7-a720-40250b5e085f"
 },
 {
 "value": "n1n1n1",
@@ -6761,7 +7158,8 @@
 "https://twitter.com/demonslay335/status/790608484303712256",
 "https://twitter.com/demonslay335/status/831891344897482754"
 ]
- }
+ },
+ "uuid": "a439b37b-e123-4b1d-9400-94aca70b223a"
 },
 {
 "value": "NanoLocker",
@@ -6774,7 +7172,8 @@
 "refs": [
 "http://github.com/Cyberclues/nanolocker-decryptor"
 ]
- }
+ },
+ "uuid": "03a91686-c607-49a8-a4e2-2054833c0013"
 },
 {
 "value": "Nemucod",
@@ -6793,7 +7192,8 @@
 "http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/",
 "https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/"
 ]
- }
+ },
+ "uuid": "f1ee9ae8-b798-4e6f-8f98-874395d0fa18"
 },
 {
 "value": "Netix",
@@ -6808,7 +7208,8 @@
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/"
 ]
- }
+ },
+ "uuid": "5d3ec71e-9e0f-498a-aa33-0433799e80b4"
 },
 {
 "value": "Nhtnwcuf",
@@ -6821,7 +7222,8 @@
 "refs": [
 "https://twitter.com/demonslay335/status/839221457360195589"
 ]
- }
+ },
+ "uuid": "1d8e8ca3-da2a-494c-9db3-5b1b6277c363"
 },
 {
 "value": "NMoreira",
@@ -6843,7 +7245,8 @@
 "https://decrypter.emsisoft.com/nmoreira",
 "https://twitter.com/fwosar/status/803682662481174528"
 ]
- }
+ },
+ "uuid": "51f00a39-f4b9-4ed2-ba0d-258c6bf3f71a"
 },
 {
 "value": "NoobCrypt",
@@ -6853,7 +7256,8 @@
 "https://twitter.com/JakubKroustek/status/757267550346641408",
 "https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/"
 ]
- }
+ },
+ "uuid": "aeb76911-ed45-4bf2-9a60-e023386e02a4"
 },
 {
 "value": "Nuke",
@@ -6867,7 +7271,8 @@
 "!!_RECOVERY_instructions_!!.html",
 "!!_RECOVERY_instructions_!!.txt"
 ]
- }
+ },
+ "uuid": "e0bcb7d2-6032-43a0-b490-c07430d8a598"
 },
 {
 "value": "Nullbyte",
@@ -6880,7 +7285,8 @@
 "https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip",
 "https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/"
 ]
- }
+ },
+ "uuid": "460b700b-5d03-43f9-99e7-916ff180a036"
 },
 {
 "value": "ODCODC",
@@ -6900,7 +7306,8 @@
 "https://twitter.com/PolarToffee/status/813762510302183424",
 "http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png"
 ]
- }
+ },
+ "uuid": "f90724e4-c148-4479-ae1a-109498b4688f"
 },
 {
 "value": "Offline ransomware",
@@ -6922,7 +7329,8 @@
 "https://support.kaspersky.com/viruses/disinfection/8547",
 "http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html"
 ]
- }
+ },
+ "uuid": "3c51fc0e-42d8-4ff0-b1bd-5c8c20271a39"
 },
 {
 "value": "OMG! Ransomware",
@@ -6938,7 +7346,8 @@
 "ransomnotes": [
 "how to get data.txt"
 ]
- }
+ },
+ "uuid": "7914f9c9-3257-464c-b918-3754c4d018af"
 },
 {
 "value": "Operation Global III",
@@ -6950,7 +7359,8 @@
 "refs": [
 "http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/"
 ]
- }
+ },
+ "uuid": "e5800883-c663-4eb0-b05e-6034df5bc6e0"
 },
 {
 "value": "Owl",
@@ -6969,7 +7379,8 @@
 "refs": [
 "https://twitter.com/JakubKroustek/status/842342996775448576"
 ]
- }
+ },
+ "uuid": "4bb11db7-17a0-4536-b817-419ae6299004"
 },
 {
 "value": "PadCrypt",
@@ -6986,7 +7397,8 @@
 "http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
 "https://twitter.com/malwrhunterteam/status/798141978810732544"
 ]
- }
+ },
+ "uuid": "57c5df76-e72f-41b9-be29-89395f83a77c"
 },
 {
 "value": "Padlock Screenlocker",
@@ -6995,7 +7407,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/811635075158839296"
 ]
- }
+ },
+ "uuid": "8f41c9ce-9bd4-4bbd-96d7-c965d1621be7"
 },
 {
 "value": "Patcher",
@@ -7011,7 +7424,8 @@
 "https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/",
 "https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/"
 ]
- }
+ },
+ "uuid": "e211ea8d-5042-48ae-86c6-15186d1f8dba"
 },
 {
 "value": "Petya",
@@ -7030,7 +7444,8 @@
 "https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/",
 "https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/"
 ]
- }
+ },
+ "uuid": "7c5a1e93-7ab2-4b08-ada9-e82c4feaed0a"
 },
 {
 "value": "Philadelphia",
@@ -7045,7 +7460,8 @@
 "https://decrypter.emsisoft.com/philadelphia",
 "www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/"
 ]
- }
+ },
+ "uuid": "6fd25982-9cf8-4379-a126-433c91aaadf2"
 },
 {
 "value": "PizzaCrypts",
@@ -7057,7 +7473,8 @@
 "refs": [
 "http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip"
 ]
- }
+ },
+ "uuid": "2482122b-1df6-488e-8867-215b165a4f66"
 },
 {
 "value": "PokemonGO",
@@ -7071,7 +7488,8 @@
 "http://www.nyxbone.com/malware/pokemonGO.html",
 "http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/"
 ]
- }
+ },
+ "uuid": "8b151275-d4c4-438a-9d06-92da2835586d"
 },
 {
 "value": "Polyglot",
@@ -7082,7 +7500,8 @@
 "https://support.kaspersky.com/8547",
 "https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/"
 ]
- }
+ },
+ "uuid": "b22cafb4-ccef-4935-82f4-631a6e539b8e"
 },
 {
 "value": "PowerWare",
@@ -7101,7 +7520,8 @@
 "https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/",
 "http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/"
 ]
- }
+ },
+ "uuid": "9fa93bb7-2997-4864-aa0e-0e667990dec8"
 },
 {
 "value": "PowerWorm",
@@ -7111,7 +7531,8 @@
 "ransomnotes": [
 "DECRYPT_INSTRUCTION.html"
 ]
- }
+ },
+ "uuid": "b54d59d7-b604-4b01-8002-5a2930732ca6"
 },
 {
 "value": "Princess Locker",
@@ -7132,7 +7553,8 @@
 "https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/",
 "https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/"
 ]
- }
+ },
+ "uuid": "7c8ff7e5-2cad-48e8-92e8-4c8226933cbc"
 },
 {
 "value": "PRISM",
@@ -7141,7 +7563,8 @@
 "refs": [
 "http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/"
 ]
- }
+ },
+ "uuid": "c0ebfb75-254d-4d85-9d02-a7af8e655068"
 },
 {
 "value": "Ps2exe",
@@ -7150,7 +7573,8 @@
 "refs": [
 "https://twitter.com/jiriatvirlab/status/803297700175286273"
 ]
- }
+ },
+ "uuid": "1da6653c-8657-4cdc-9eaf-0df9d2ebbf10"
 },
 {
 "value": "R",
@@ -7162,7 +7586,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/846705481741733892"
 ]
- }
+ },
+ "uuid": "f7cd8956-2825-4104-94b1-e9589ab1089a"
 },
 {
 "value": "R980",
@@ -7178,7 +7603,8 @@
 "refs": [
 "https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/"
 ]
- }
+ },
+ "uuid": "6a7ebb0a-78bc-4fdc-92ae-1b02976b5499"
 },
 {
 "value": "RAA encryptor",
@@ -7197,7 +7623,8 @@
 "https://reaqta.com/2016/06/raa-ransomware-delivering-pony/",
 "http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/"
 ]
- }
+ },
+ "uuid": "b6d4faa1-6d76-42ff-8a18-238eb70cff06"
 },
 {
 "value": "Rabion",
@@ -7206,7 +7633,8 @@
 "refs": [
 "https://twitter.com/CryptoInsane/status/846181140025282561"
 ]
- }
+ },
+ "uuid": "4a95257a-6646-492f-93eb-d15dff7ce1eb"
 },
 {
 "value": "Radamant",
@@ -7227,7 +7655,8 @@
 "http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/",
 "http://www.nyxbone.com/malware/radamant.html"
 ]
- }
+ },
+ "uuid": "674c3bf6-2e16-427d-ab0f-b91676a460cd"
 },
 {
 "value": "Rakhni",
@@ -7279,11 +7708,13 @@
 "refs": [
 "https://support.kaspersky.com/us/viruses/disinfection/10556"
 ]
- }
+ },
+ "uuid": "c85a41a8-a0a1-4963-894f-84bb980e6e86"
 },
 {
 "value": "Ramsomeer",
- "description": "Ransomware Based on the DUMB ransomware"
+ "description": "Ransomware Based on the DUMB ransomware",
+ "uuid": "5b81ea66-9a44-43d8-bceb-22e5b0582f8d"
 },
 {
 "value": "Rannoh",
@@ -7295,7 +7726,8 @@
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/8547"
 ]
- }
+ },
+ "uuid": "d45f089b-efc7-45f8-a681-845374349d83"
 },
 {
 "value": "RanRan",
@@ -7320,7 +7752,8 @@
 "http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/",
 "https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/"
 ]
- }
+ },
+ "uuid": "e01a0cfa-2c8c-4e08-963a-4fa1e8cc6a34"
 },
 {
 "value": "Ransoc",
@@ -7330,11 +7763,13 @@
 "https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
 "https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/"
 ]
- }
+ },
+ "uuid": "f0fcbac5-6216-4c3c-adcb-3aa06ab23340"
 },
 {
 "value": "Ransom32",
- "description": "Ransomware no extension change, Javascript Ransomware"
+ "description": "Ransomware no extension change, Javascript Ransomware",
+ "uuid": "d74e2fa6-6b8d-49ed-80f9-07b274eecef8"
 },
 {
 "value": "RansomLock",
@@ -7344,7 +7779,8 @@
 "refs": [
 "https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2"
 ]
- }
+ },
+ "uuid": "24f98123-192c-4e31-b2ee-4c77afbdc3be"
 },
 {
 "value": "RarVault",
@@ -7353,7 +7789,8 @@
 "ransomnotes": [
 "RarVault.htm"
 ]
- }
+ },
+ "uuid": "c8ee96a3-ac22-40c7-8ed2-df67aeaca08d"
 },
 {
 "value": "Razy",
@@ -7368,7 +7805,8 @@
 "http://www.nyxbone.com/malware/Razy(German).html",
 "http://nyxbone.com/malware/Razy.html"
 ]
- }
+ },
+ "uuid": "f2a38c7b-054e-49ab-aa0e-67a7aac71837"
 },
 {
 "value": "Rector",
@@ -7383,7 +7821,8 @@
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/4264"
 ]
- }
+ },
+ "uuid": "08f519f4-df8f-4baf-b7ac-c7a0c66f7e74"
 },
 {
 "value": "RektLocker",
@@ -7399,7 +7838,8 @@
 "refs": [
 "https://support.kaspersky.com/viruses/disinfection/4264"
 ]
- }
+ },
+ "uuid": "5448f038-0558-45c7-bda7-76950f82846a"
 },
 {
 "value": "RemindMe",
@@ -7416,7 +7856,8 @@
 "http://www.nyxbone.com/malware/RemindMe.html",
 "http://i.imgur.com/gV6i5SN.jpg"
 ]
- }
+ },
+ "uuid": "0120015c-7d37-469c-a966-7a0d42166e67"
 },
 {
 "value": "Rokku",
@@ -7433,7 +7874,8 @@
 "refs": [
 "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
 ]
- }
+ },
+ "uuid": "61184aea-e87b-467d-b36e-cfc75ccb242f"
 },
 {
 "value": "RoshaLock",
@@ -7442,7 +7884,8 @@
 "refs": [
 "https://twitter.com/siri_urz/status/842452104279134209"
 ]
- }
+ },
+ "uuid": "e88a7509-9c79-42c1-8b0c-5e63af8e25b5"
 },
 {
 "value": "Runsomewere",
@@ -7451,7 +7894,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/801812325657440256"
 ]
- }
+ },
+ "uuid": "266b366b-2b4f-41af-a30f-eab1c63c9976"
 },
 {
 "value": "RussianRoulette",
@@ -7460,7 +7904,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/823925410392080385"
 ]
- }
+ },
+ "uuid": "1149197c-89e7-4a8f-98aa-40ac0a9c0914"
 },
 {
 "value": "SADStory",
@@ -7469,7 +7914,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/845356853039190016"
 ]
- }
+ },
+ "uuid": "6d81cee2-6c99-41fb-8b54-6581422d85dc"
 },
 {
 "value": "Sage 2.2",
@@ -7482,7 +7928,8 @@
 "https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate",
 "https://malwarebreakdown.com/2017/03/10/finding-a-good-man/"
 ]
- }
+ },
+ "uuid": "eacf3aee-ffb1-425a-862f-874e444a218d"
 },
 {
 "value": "Samas-Samsam",
@@ -7542,7 +7989,8 @@
 "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
 "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf"
 ]
- }
+ },
+ "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d"
 },
 {
 "value": "Sanction",
@@ -7555,7 +8003,8 @@
 "ransomnotes": [
 "DECRYPT_YOUR_FILES.HTML"
 ]
- }
+ },
+ "uuid": "e7b69fbe-26ba-49df-aa62-a64525f89343"
 },
 {
 "value": "Sanctions",
@@ -7571,7 +8020,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/"
 ]
- }
+ },
+ "uuid": "7b517c02-9f93-44c7-b957-10346803c43c"
 },
 {
 "value": "Sardoninir",
@@ -7583,7 +8033,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/835955409953357825"
 ]
- }
+ },
+ "uuid": "6e49ecfa-1c25-4841-ae60-3b1c3c9c7710"
 },
 {
 "value": "Satana",
@@ -7599,7 +8050,8 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/",
 "https://blog.kaspersky.com/satana-ransomware/12558/"
 ]
- }
+ },
+ "uuid": "a127a59e-9e4c-4c2b-b833-cabd076c3016"
 },
 {
 "value": "Scraper",
@@ -7608,7 +8060,8 @@
 "refs": [
 "http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/"
 ]
- }
+ },
+ "uuid": "c0c685b8-a59d-4922-add9-e572d5fd48cd"
 },
 {
 "value": "Serpico",
@@ -7618,7 +8071,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/Serpico.html"
 ]
- }
+ },
+ "uuid": "bd4bfbab-c21d-4971-b70c-b180bcf40630"
 },
 {
 "value": "Shark",
@@ -7638,7 +8092,8 @@
 "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/",
 "http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/"
 ]
- }
+ },
+ "uuid": "503c9910-902f-4bae-8c33-ea29db8bdd7f"
 },
 {
 "value": "ShinoLocker",
@@ -7651,7 +8106,8 @@
 "https://twitter.com/JakubKroustek/status/760560147131408384",
 "http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/"
 ]
- }
+ },
+ "uuid": "bc029327-ee34-4eba-8933-bd85f2a1e9d1"
 },
 {
 "value": "Shujin",
@@ -7667,7 +8123,8 @@
 "http://www.nyxbone.com/malware/chineseRansom.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/"
 ]
- }
+ },
+ "uuid": "b9963d52-a391-4e9c-92e7-d2a147d5451f"
 },
 {
 "value": "Simple_Encoder",
@@ -7683,7 +8140,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/"
 ]
- }
+ },
+ "uuid": "2709b2ff-a2be-49a9-b268-2576170a5dff"
 },
 {
 "value": "SkidLocker",
@@ -7703,7 +8161,8 @@
 "http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/",
 "http://www.nyxbone.com/malware/SkidLocker.html"
 ]
- }
+ },
+ "uuid": "44b6b99e-b1d9-4605-95c2-55c14c7c25be"
 },
 {
 "value": "Smash!",
@@ -7712,7 +8171,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/"
 ]
- }
+ },
+ "uuid": "27283e74-abc6-4d8a-bcb6-a60804b8e264"
 },
 {
 "value": "Smrss32",
@@ -7724,7 +8184,8 @@
 "ransomnotes": [
 "_HOW_TO_Decrypt.bmp"
 ]
- }
+ },
+ "uuid": "cd21bb2a-0c6a-463b-8c0e-16da251f69ae"
 },
 {
 "value": "SNSLocker",
@@ -7742,7 +8203,8 @@
 "http://nyxbone.com/malware/SNSLocker.html",
 "http://nyxbone.com/images/articulos/malware/snslocker/16.png"
 ]
- }
+ },
+ "uuid": "82658f48-6a62-4dee-bd87-382e76b84c3d"
 },
 {
 "value": "Sport",
@@ -7751,7 +8213,8 @@
 "extensions": [
 ".sport"
 ]
- }
+ },
+ "uuid": "9526efea-8853-42f2-89be-a04ee1ca4c7d"
 },
 {
 "value": "Stampado",
@@ -7771,7 +8234,8 @@
 "https://cdn.streamable.com/video/mp4/kfh3.mp4",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/"
 ]
- }
+ },
+ "uuid": "6b8729b0-7ffc-4d07-98de-e5210928b274"
 },
 {
 "value": "Strictor",
@@ -7784,7 +8248,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/Strictor.html"
 ]
- }
+ },
+ "uuid": "d75bdd85-032a-46b7-a339-257fd5656c11"
 },
 {
 "value": "Surprise",
@@ -7798,7 +8263,8 @@
 "ransomnotes": [
 "DECRYPTION_HOWTO.Notepad"
 ]
- }
+ },
+ "uuid": "6848b77c-92c8-40ec-90ac-9c14b9f17272"
 },
 {
 "value": "Survey",
@@ -7810,11 +8276,13 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/"
 ]
- }
+ },
+ "uuid": "11725992-3634-4715-ae17-b6f5ed13b877"
 },
 {
 "value": "SynoLocker",
- "description": "Ransomware Exploited Synology NAS firmware directly over WAN"
+ "description": "Ransomware Exploited Synology NAS firmware directly over WAN",
+ "uuid": "27740d5f-30cf-4c5c-812c-15c0918ce9f0"
 },
 {
 "value": "SZFLocker",
@@ -7826,7 +8294,8 @@
 "refs": [
 "http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/"
 ]
- }
+ },
+ "uuid": "a7845bbe-d7e6-4c7b-a9b8-dccbd93bc4b2"
 },
 {
 "value": "TeamXrat",
@@ -7842,7 +8311,8 @@
 "refs": [
 "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
 ]
- }
+ },
+ "uuid": "65a31863-4f59-4c66-bc2d-31e8fb68bbe8"
 },
 {
 "value": "TeslaCrypt 0.x - 2.2.0",
@@ -7869,7 +8339,8 @@
 "http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/",
 "http://www.talosintel.com/teslacrypt_tool/"
 ]
- }
+ },
+ "uuid": "af92c71e-935e-4486-b4e7-319bf16d622e"
 },
 {
 "value": "TeslaCrypt 3.0+",
@@ -7887,7 +8358,8 @@
 "http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/",
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/"
 ]
- }
+ },
+ "uuid": "bd19dfff-7c8d-4c94-967e-f8ffc19e7dd9"
 },
 {
 "value": "TeslaCrypt 4.1A",
@@ -7919,7 +8391,8 @@
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
 "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain"
 ]
- }
+ },
+ "uuid": "ab6b8f56-cf2d-4733-8f9c-df3d52c05e66"
 },
 {
 "value": "TeslaCrypt 4.2",
@@ -7950,7 +8423,8 @@
 "https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/",
 "http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/"
 ]
- }
+ },
+ "uuid": "eed65c12-b179-4002-a11b-7a2e2df5f0c8"
 },
 {
 "value": "Threat Finder",
@@ -7959,7 +8433,8 @@
 "ransomnotes": [
 "HELP_DECRYPT.HTML"
 ]
- }
+ },
+ "uuid": "c0bce92a-63b8-4538-93dc-0911ae46596d"
 },
 {
 "value": "TorrentLocker",
@@ -7992,7 +8467,8 @@
 "https://twitter.com/PolarToffee/status/804008236600934403",
 "http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html"
 ]
- }
+ },
+ "uuid": "b817ce63-f1c3-49de-bd8b-fd56c3f956c9"
 },
 {
 "value": "TowerWeb",
@@ -8004,7 +8480,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/"
 ]
- }
+ },
+ "uuid": "4d470cf8-09b6-4d0e-8e5a-2f618e48c560"
 },
 {
 "value": "Toxcrypt",
@@ -8016,7 +8493,8 @@
 "ransomnotes": [
 "tox.html"
 ]
- }
+ },
+ "uuid": "08fc7534-fe85-488b-92b0-630c0d91ecbe"
 },
 {
 "value": "Trojan",
@@ -8035,7 +8513,8 @@
 "https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip",
 "https://twitter.com/PolarToffee/status/811249250285842432"
 ]
- }
+ },
+ "uuid": "97673387-75ae-4da4-9a5f-38773f2492e7"
 },
 {
 "value": "Troldesh orShade, XTBL",
@@ -8059,7 +8538,8 @@
 "http://www.nyxbone.com/malware/Troldesh.html",
 "https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/"
 ]
- }
+ },
+ "uuid": "6c3dd006-3501-4ebc-ab86-b06e4d555194"
 },
 {
 "value": "TrueCrypter",
@@ -8072,7 +8552,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/"
 ]
- }
+ },
+ "uuid": "c46bfed8-7010-432a-8108-138f6d067000"
 },
 {
 "value": "Turkish",
@@ -8084,7 +8565,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/821991600637313024"
 ]
- }
+ },
+ "uuid": "132c39fc-1364-4210-aef9-48f73afc1108"
 },
 {
 "value": "Turkish Ransom",
@@ -8100,7 +8582,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/turkishRansom.html"
 ]
- }
+ },
+ "uuid": "174dd201-0b0b-4a76-95c7-71f8141684d0"
 },
 {
 "value": "UmbreCrypt",
@@ -8119,7 +8602,8 @@
 "refs": [
 "http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware"
 ]
- }
+ },
+ "uuid": "028b3489-51da-45d7-8bd0-62044e9ea49f"
 },
 {
 "value": "UnblockUPC",
@@ -8131,7 +8615,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/"
 ]
- }
+ },
+ "uuid": "5a9f9ebe-f4c8-4985-8890-743f59d658fd"
 },
 {
 "value": "Ungluk",
@@ -8148,7 +8633,8 @@
 "Hellothere.txt",
 "YOUGOTHACKED.TXT"
 ]
- }
+ },
+ "uuid": "bb8c6b80-91cb-4c01-b001-7b9e73228420"
 },
 {
 "value": "Unlock92 ",
@@ -8164,7 +8650,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/839038399944224768"
 ]
- }
+ },
+ "uuid": "dfe760e5-f878-492d-91d0-05fa45a2849d"
 },
 {
 "value": "VapeLauncher",
@@ -8173,7 +8660,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/839771195830648833"
 ]
- }
+ },
+ "uuid": "7799247c-4e6a-4c20-b0b3-d8e6a8ab6783"
 },
 {
 "value": "VaultCrypt",
@@ -8198,7 +8686,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/russianRansom.html"
 ]
- }
+ },
+ "uuid": "63a82b7f-9a71-47a8-9a79-14acc6595da5"
 },
 {
 "value": "VBRANSOM 7",
@@ -8210,7 +8699,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/817851339078336513"
 ]
- }
+ },
+ "uuid": "44a56cd0-8cd8-486f-972d-4b1b416e9077"
 },
 {
 "value": "VenusLocker",
@@ -8228,7 +8718,8 @@
 "https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social",
 "http://www.nyxbone.com/malware/venusLocker.html"
 ]
- }
+ },
+ "uuid": "7340c6d6-a16e-4a01-8bb4-8ad3edc64d28"
 },
 {
 "value": "Virlock",
@@ -8241,7 +8732,8 @@
 "http://www.nyxbone.com/malware/Virlock.html",
 "http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/"
 ]
- }
+ },
+ "uuid": "5c736959-6c58-4bf2-b084-7197b42e500a"
 },
 {
 "value": "Virus-Encoder",
@@ -8268,7 +8760,8 @@
 "http://www.nyxbone.com/malware/virus-encoder.html",
 "http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/"
 ]
- }
+ },
+ "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215"
 },
 {
 "value": "WildFire Locker",
@@ -8286,7 +8779,8 @@
 "refs": [
 "https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/"
 ]
- }
+ },
+ "uuid": "31945e7b-a734-4333-9ea2-e52051ca015a"
 },
 {
 "value": "Xorist",
@@ -8310,7 +8804,8 @@
 "https://support.kaspersky.com/viruses/disinfection/2911",
 "https://decrypter.emsisoft.com/xorist"
 ]
- }
+ },
+ "uuid": "0a15a920-9876-4985-9d3d-bb0794722258"
 },
 {
 "value": "XRTN ",
@@ -8319,7 +8814,8 @@
 "extensions": [
 ".xrtn"
 ]
- }
+ },
+ "uuid": "22ff9f8c-f658-46cc-a404-1a54e1b74569"
 },
 {
 "value": "You Have Been Hacked!!!",
@@ -8331,7 +8827,8 @@
 "refs": [
 "https://twitter.com/malwrhunterteam/status/808280549802418181"
 ]
- }
+ },
+ "uuid": "0810ea3e-1cd6-4ea3-a416-5895fb685c5b"
 },
 {
 "value": "Zcrypt",
@@ -8346,7 +8843,8 @@
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/"
 ]
- }
+ },
+ "uuid": "7eed5e96-0219-4355-9a9c-44643272894c"
 },
 {
 "value": "Zimbra",
@@ -8361,7 +8859,8 @@
 "refs": [
 "http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/"
 ]
- }
+ },
+ "uuid": "07346620-a0b4-48d5-9158-5048741f5078"
 },
 {
 "value": "Zlader",
@@ -8379,7 +8878,8 @@
 "refs": [
 "http://www.nyxbone.com/malware/russianRansom.html"
 ]
- }
+ },
+ "uuid": "2195387d-ad9c-47e6-8f14-a49388b26eab"
 },
 {
 "value": "Zorro",
@@ -8394,7 +8894,8 @@
 "refs": [
 "https://twitter.com/BleepinComputer/status/844538370323812353"
 ]
- }
+ },
+ "uuid": "b2bd25e1-d41c-42f2-8971-ecceceb6ba08"
 },
 {
 "value": "Zyklon",
@@ -8406,7 +8907,8 @@
 "extensions": [
 ".zyklon"
 ]
- }
+ },
+ "uuid": "78ef77ac-a570-4fb9-af80-d04c09dff9ab"
 },
 {
 "value": "vxLock",
@@ -8415,7 +8917,8 @@
 "extensions": [
 ".vxLock"
 ]
- }
+ },
+ "uuid": "37950a1c-0035-49e0-9278-e878df0a10f3"
 },
 {
 "value": "Jaff",
@@ -8435,7 +8938,8 @@
 "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html",
 "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/"
 ]
- }
+ },
+ "uuid": "8e3d44d0-6768-4b54-88b0-2e004a7f2297"
 },
 {
 "value": "Uiwix Ransomware",
@@ -8451,7 +8955,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/"
 ]
- }
+ },
+ "uuid": "369d6fda-0284-44aa-9e74-f6651416fec4"
 },
 {
 "value": "SOREBRECT",
@@ -8466,7 +8971,8 @@
 "refs": [
 "http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/"
 ]
- }
+ },
+ "uuid": "34cedaf0-b1f0-4b5d-b7bd-2eadfc630ea7"
 },
 {
 "value": "Cyron",
@@ -8481,7 +8987,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/899524853426008064"
 ]
- }
+ },
+ "uuid": "f597d388-886e-46d6-a5cc-26deeb4674f2"
 },
 {
 "value": "Kappa",
@@ -8496,7 +9003,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/899528477824700416"
 ]
- }
+ },
+ "uuid": "3330e226-b71a-4ee4-8612-2b06b58368fc"
 },
 {
 "value": "Trojan Dz",
@@ -8511,7 +9019,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/899537940539478016"
 ]
- }
+ },
+ "uuid": "1fe6c23b-863e-49e4-9439-aa9e999aa2e1"
 },
 {
 "value": "Xolzsec",
@@ -8523,7 +9032,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/899916577252028416"
 ]
- }
+ },
+ "uuid": "f2930308-2e4d-4af5-b119-746be0fe7f2c"
 },
 {
 "value": "FlatChestWare",
@@ -8538,7 +9048,8 @@
 "refs": [
 "https://twitter.com/struppigel/status/900238572409823232"
 ]
- }
+ },
+ "uuid": "d29341fd-f48e-4caa-8a28-b17853b779d1"
 },
 {
 "value": "SynAck",
@@ -8553,7 +9064,8 @@
 "ransomnotes": [
 "RESTORE_INFO-[id].txt"
 ]
- }
+ },
+ "uuid": "04585cd8-54ae-420f-9191-8ddb9b88a80c"
 },
 {
 "value": "SyncCrypt",
@@ -8569,7 +9081,8 @@
 "readme.html",
 "readme.png"
 ]
- }
+ },
+ "uuid": "83d10b83-9038-4dd6-b305-f14c21478588"
 },
 {
 "value": "Bad Rabbit",
@@ -8582,7 +9095,8 @@
 "BadRabbit",
 "Bad-Rabbit"
 ]
- }
+ },
+ "uuid": "e8af6388-6575-4812-94a8-9df1567294c5"
 },
 {
 "value": "Halloware",
@@ -8594,7 +9108,8 @@
 "extensions": [
 "(Lucifer) [prepend]"
 ]
- }
+ },
+ "uuid": "b366627d-dbc0-45ba-90bc-5f5694f45e35"
 },
 {
 "value": "StorageCrypt",
@@ -8610,7 +9125,8 @@
 "_READ_ME_FOR_DECRYPT.txt",
 "Warning\n\nYour documents, photos,databases,important files have been encrypted by RSA-4096 and AES-256!\nIf you modify any file, it may cause make you cannot decrypt!!!\n\nDon't waste your precious time to try decrypt the files.\nIf there is no key that we provide to you , NO ONE can decrypt your precious files, even Jesus.\n\nHow to decrypt your files ?\n\nYou have to pay for decryption in bitcoin\nTo decrypt your files,please following the steps below\n\n1,Pay 2.0 bitcoin to this address: [bitcoin_address]\n\nPay To : [bitcoin_address]\nAmount : 2.0\n\n2,After you have finished paying,Contact us and Send us your Decrypt-ID via email\n\n3,Once we have confimed your deal,You can use the tool we sent to you to decrypt all your files.\n\nHow to obtain bitcoin ?\n\nThe easiest way to buy bitcoin is LocalBitcoins site.\nYou have to register, click Buy bitcoins and select the seller\nby payment method and price\n\nhttps://localbitcoins.com/buy_bitcoins\n\nhttps://paxful.com/buy-bitcoin\n\nhttp://bitcointalk.org/\n\n If you have any questions please do not hesitate to contact us\n\nContact Email:JeanRenoAParis@protonmail.com\n\nDecrypt-ID:"
 ]
- }
+ },
+ "uuid": "0b920d03-971f-413c-8057-60d187192140"
 },
 {
 "value": "HC7",
@@ -8626,7 +9142,8 @@
 "RECOVERY.txt",
 "ALL YOUR FILES WERE ENCRYPTED.\nTO RESTORE THIS FILE, YOU MUST SEND $700 BTC for MASCHINE\nOR $5,000 BTC FOR ALL NETWORK\nADDRESS: 15aM71TGtRZRrY97vdGcDEZeJYBWZhf4FP\nAFTER PAYMENT SENT EMAIL m4zn0v@keemail.me\nALONG WITH YOUR IDENTITY: VVNFUi1QQzA5\nNOT TO TURN OFF YOUR COMPUTER, UNLESS IT WILL BREAK"
 ]
- }
+ },
+ "uuid": "9325e097-9fea-490c-9b89-c2d40c166101"
 },
 {
 "value": "HC6",
@@ -8639,7 +9156,8 @@
 "extensions": [
 ".fucku"
 ]
- }
+ },
+ "uuid": "909fde65-e015-40a9-9012-8d3ef62bba53"
 },
 {
 "value": "qkG",
@@ -8648,7 +9166,8 @@
 "refs": [
 "https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/"
 ]
- }
+ },
+ "uuid": "1f3eab7f-da0a-4e0b-8a9f-cda2f146c819"
 },
 {
 "value": "Scarab",
@@ -8669,7 +9188,8 @@
 "ransomnotes": [
 "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
 ]
- }
+ },
+ "uuid": "cf8fbd03-4510-41cc-bec3-712fa7609aa4"
 },
 {
 "value": "File Spider",
@@ -8685,7 +9205,8 @@
 "HOW TO DECRYPT FILES.url",
 "As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool.\n\nThe good news is that there is still a chance to recover your files, you just need to have the right key.\n\nTo obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!\n\nRemember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.\n\nTo avoid any misunderstanding, please read Help section."
 ]
- }
+ },
+ "uuid": "3e75ce6b-b6de-4e5a-9501-8f9f847c819c"
 },
 {
 "value": "FileCoder",
@@ -8699,7 +9220,8 @@
 "FindZip",
 "Patcher"
 ]
- }
+ },
+ "uuid": "091c9923-5939-4bde-9db5-56abfb51f1a2"
 },
 {
 "value": "MacRansom",
@@ -8709,7 +9231,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
- }
+ },
+ "uuid": "7574c7f1-5075-4230-aca9-d6c0956f1fac"
 },
 {
 "value": "GandCrab",
@@ -8724,7 +9247,8 @@
 "GDCB-DECRYPT.txt",
 "---= GANDCRAB =---\n\nAttention!\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB \nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\nThe server with your key is in a closed network TOR. You can get there by the following ways:\n1. Download Tor browser - https://www.torproject.org/\n2. Install Tor browser\n3. Open Tor Browser\n4. Open link in tor browser:http://gdcbghvjyqy7jclk.onion/[id]\n5. Follow the instructions on this page\n\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser:\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\n3. http://gdcbghvjyqy7jclk.onion.guide/[id]\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\n\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\n\nDANGEROUS!\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!"
 ]
- }
+ },
+ "uuid": "5920464b-e093-4fa0-a275-438dffef228f"
 },
 {
 "value": "ShurL0ckr",
@@ -8734,7 +9258,8 @@
 "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications"
 ],
 "date": "Febuary 2018"
- }
+ },
+ "uuid": "cc7f6da3-fafd-444f-b7e9-f0e650fb4d4f"
 },
 {
 "value": "Cryakl",
@@ -8749,7 +9274,8 @@
 "extensions": [
 ".fairytail"
 ]
- }
+ },
+ "uuid": "4f3e494e-0e37-4894-94b2-741a8100f07a"
 },
 {
 "value": "Thanatos",
@@ -8762,7 +9288,8 @@
 "extensions": [
 ".THANATOS"
 ]
- }
+ },
+ "uuid": "361d7a90-2fde-4fc7-91ed-fdce26eb790f"
 }
 ],
 "source": "Various",
diff --git a/clusters/rat.json b/clusters/rat.json
index c5948f4..e401f62 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -16,7 +16,8 @@
 ]
 },
 "description": "TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.",
- "value": "TeamViewer"
+ "value": "TeamViewer",
+ "uuid": "8ee3c015-3088-4a5f-8c94-602c27d767c0"
 },
 {
 "value": "JadeRAT",
@@ -25,7 +26,8 @@
 "refs": [
 "https://blog.lookout.com/mobile-threat-jaderat"
 ]
- }
+ },
+ "uuid": "1cc8963b-5ad4-4e19-8e9a-57b0ff1ef926"
 },
 {
 "meta": {
@@ -38,7 +40,8 @@
 ]
 },
 "description": "Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.",
- "value": "Back Orifice"
+ "value": "Back Orifice",
+ "uuid": "20204b13-8ad1-4147-9328-0a9a7ac010b6"
 },
 {
 "meta": {
@@ -52,7 +55,8 @@
 "date": "1998"
 },
 "description": "NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.",
- "value": "Netbus"
+ "value": "Netbus",
+ "uuid": "81ff6e46-0ba4-458b-b3b0-750e86404cae"
 },
 {
 "meta": {
@@ -67,7 +71,8 @@
 ]
 },
 "description": "Poison Ivy is a RAT which was freely available and first released in 2005.",
- "value": "PoisonIvy"
+ "value": "PoisonIvy",
+ "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0"
 },
 {
 "meta": {
@@ -81,7 +86,8 @@
 "date": "1999"
 },
 "description": "Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards (\"suBteN\") and swapping \"ten\" with \"seven\". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.",
- "value": "Sub7"
+ "value": "Sub7",
+ "uuid": "d7369f05-65ce-4e10-916f-41f2f6d4ab59"
 },
 {
 "meta": {
@@ -91,7 +97,8 @@
 "date": "2002"
 },
 "description": "Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a \"RAT\". It is capable of infecting versions of Windows from 95 to 10.",
- "value": "Beast Trojan"
+ "value": "Beast Trojan",
+ "uuid": "268a4f81-dbfd-4b20-9a54-24eba7a4c781"
 },
 {
 "meta": {
@@ -102,7 +109,8 @@
 "date": "2004"
 },
 "description": "Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).",
- "value": "Bifrost"
+ "value": "Bifrost",
+ "uuid": "eb62bac0-68fd-4b17-af4f-89c6900ee414"
 },
 {
 "meta": {
@@ -112,7 +120,8 @@
 "date": "2010"
 },
 "description": "Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows -based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.",
- "value": "Blackshades"
+ "value": "Blackshades",
+ "uuid": "3a1fc564-3705-4cc0-8f80-13c58d470d34"
 },
 {
 "meta": {
@@ -126,7 +135,8 @@
 "date": "2008"
 },
 "description": "DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.",
- "value": "DarkComet"
+ "value": "DarkComet",
+ "uuid": "8a21ae06-d257-48a0-989b-1c9aebedabc2"
 },
 {
 "meta": {
@@ -136,7 +146,8 @@
 "date": "2002"
 },
 "description": "Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.",
- "value": "Lanfiltrator"
+ "value": "Lanfiltrator",
+ "uuid": "826e73f8-2241-4c99-848d-8597d685cfd3"
 },
 {
 "meta": {
@@ -146,7 +157,8 @@
 ]
 },
 "description": "Win32.HsIdir is an advanced remote administrator tool systems was done by the original author HS32-Idir, it is the development of the release made since 2006 Copyright © 2006-2010 HS32-Idir.",
- "value": "Win32.HsIdir"
+ "value": "Win32.HsIdir",
+ "uuid": "569d539f-f949-4156-8896-108ea8352fbc"
 },
 {
 "meta": {
@@ -158,7 +170,8 @@
 "date": "2002"
 },
 "description": "Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K",
- "value": "Optix Pro"
+ "value": "Optix Pro",
+ "uuid": "4ce3247b-203a-42a8-aaa0-05558c50894e"
 },
 {
 "meta": {
@@ -174,7 +187,8 @@
 "date": "1998"
 },
 "description": "Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker's remote access tool). It was created by the Cult of Dead Cow hackers group in July 1999. Originally the BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus. ",
- "value": "Back Orifice 2000"
+ "value": "Back Orifice 2000",
+ "uuid": "91f8a1d8-c816-45e1-8c26-17a7305ca375"
 },
 {
 "meta": {
@@ -187,7 +201,8 @@
 ]
 },
 "description": "The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another ",
- "value": "RealVNC"
+ "value": "RealVNC",
+ "uuid": "e1290288-84d4-4b32-858d-db4ed612de44"
 },
 {
 "meta": {
@@ -208,7 +223,8 @@
 "date": "2011"
 },
 "description": "Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware. ",
- "value": "Adwind RAT"
+ "value": "Adwind RAT",
+ "uuid": "b76d9845-815c-4e77-9538-6b737269da2f"
 },
 {
 "meta": {
@@ -216,7 +232,8 @@
 "https://www.virustotal.com/en/file/b31812e5b4c63c5b52c9b23e76a5ea9439465ab366a9291c6074bfae5c328e73/analysis/1359376345/"
 ]
 },
- "value": "Albertino Advanced RAT"
+ "value": "Albertino Advanced RAT",
+ "uuid": "eff22ed3-81fc-4055-bd1d-76e1f191f487"
 },
 {
 "meta": {
@@ -226,7 +243,8 @@
 ]
 },
 "description": "The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.",
- "value": "Arcom"
+ "value": "Arcom",
+ "uuid": "cd167b01-dc63-4576-b4a1-5ee707aa392b"
 },
 {
 "meta": {
@@ -235,7 +253,8 @@
 ]
 },
 "description": "BlackNix rat is a rat coded in delphi. ",
- "value": "BlackNix"
+ "value": "BlackNix",
+ "uuid": "f3e79212-0e35-40d2-a1d6-37b629a8138e"
 },
 {
 "meta": {
@@ -246,7 +265,8 @@
 "date": "2012"
 },
 "description": "Blue Banana is a RAT (Remote Administration Tool) created purely in Java",
- "value": "Blue Banana"
+ "value": "Blue Banana",
+ "uuid": "9b515229-36f6-4b93-9889-36116a12fd74"
 },
 {
 "meta": {
@@ -256,7 +276,8 @@
 "date": "2013"
 },
 "description": "Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.",
- "value": "Bozok"
+ "value": "Bozok",
+ "uuid": "41f45758-0376-42a8-bc07-8f2ffbee3ad2"
 },
 {
 "meta": {
@@ -266,7 +287,8 @@
 ]
 },
 "description": "ClientMesh is a Remote Administration Application yhich allows a user to control a number of client PCs from around the world.",
- "value": "ClientMesh"
+ "value": "ClientMesh",
+ "uuid": "03eb6742-9a17-4aed-95e4-d8a0b0abefc3"
 },
 {
 "meta": {
@@ -277,7 +299,8 @@
 "date": "2011"
 },
 "description": "CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously getting developed. Using cybergate you can log the victim's passwords and can also get the screen shots of his computer's screen.",
- "value": "CyberGate"
+ "value": "CyberGate",
+ "uuid": "c3cf4e88-704b-4d7c-8185-ee780804f3d3"
 },
 {
 "meta": {
@@ -285,7 +308,8 @@
 "http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html"
 ]
 },
- "value": "Dark DDoSeR"
+ "value": "Dark DDoSeR",
+ "uuid": "3c026104-6129-4749-9b41-07c28d9e84c4"
 },
 {
 "meta": {
@@ -299,7 +323,8 @@
 "date": "2005"
 },
 "description": "In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.",
- "value": "DarkRat"
+ "value": "DarkRat",
+ "uuid": "7135cc9c-a7bf-44fc-b74b-80de9edd9438"
 },
 {
 "meta": {
@@ -307,7 +332,8 @@
 "https://sites.google.com/site/greymecompany/greame-rat-project"
 ]
 },
- "value": "Greame"
+ "value": "Greame",
+ "uuid": "e880a029-bb01-4a64-baa3-b13fc2af4e9d"
 },
 {
 "meta": {
@@ -317,7 +343,8 @@
 "date": "2003"
 },
 "description": "HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.",
- "value": "HawkEye"
+ "value": "HawkEye",
+ "uuid": "8414f79c-a879-44b6-b154-4992aa12dff1"
 },
 {
 "meta": {
@@ -330,7 +357,8 @@
 "date": "2012"
 },
 "description": "jRAT is the cross-platform remote administrator tool that is coded in Java, Because its coded in Java it gives jRAT possibilities to run on all operation systems, Which includes Windows, Mac OSX and Linux distributions.",
- "value": "jRAT"
+ "value": "jRAT",
+ "uuid": "1df62d96-88f8-473c-94a2-252eb360ba62"
 },
 {
 "meta": {
@@ -340,7 +368,8 @@
 "date": "2013"
 },
 "description": "jSpy is a Java RAT. ",
- "value": "jSpy"
+ "value": "jSpy",
+ "uuid": "669a0e4d-9760-49fc-bdf5-0471f84e0c76"
 },
 {
 "meta": {
@@ -349,7 +378,8 @@ ] }, "description": "Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.", - "value": "LuxNET" + "value": "LuxNET", + "uuid": "aad1038d-4d50-4a3e-88f3-cd9d154dc45c" }, { "meta": { @@ -362,7 +392,8 @@ "date": "2012" }, "description": "NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.", - "value": "NJRat" + "value": "NJRat", + "uuid": "7fb493bb-756b-42a2-8f6d-59e254f4f2cc" }, { "meta": { @@ -372,7 +403,8 @@ "date": "2002" }, "description": "Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora’s structure is based on advanced client / server architecture. was configured using modern technology.", - "value": "Pandora" + "value": "Pandora", + "uuid": "59485642-d233-4167-9f51-bd1d74285c23" }, { "meta": { 
@@ -385,7 +417,8 @@ ] }, "description": "Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.", - "value": "Predator Pain" + "value": "Predator Pain", + "uuid": "42a97a5d-ee33-492a-b20f-758ecdbf1aed" }, { "meta": { @@ -395,7 +428,8 @@ "date": "2007" }, "description": "Remote administration tool", - "value": "Punisher RAT" + "value": "Punisher RAT", + "uuid": "e49af83c-fd2f-4540-92dc-97c7b84a9458" }, { "meta": { @@ -406,7 +440,8 @@ ] }, "description": "This is tool that allow you to control your computer form anywhere in world with full support to unicode language. ", - "value": "SpyGate" + "value": "SpyGate", + "uuid": "1c3df89a-1f30-4ccb-acb4-5dee4b470b55" }, { "meta": { @@ -418,7 +453,8 @@ ] }, "description": "RAT", - "value": "Small-Net" + "value": "Small-Net", + "uuid": "1dd0c7f8-a6fb-4912-9de9-deb43f384fdb" }, { "meta": { @@ -427,7 +463,8 @@ ] }, "description": "Vantom is a free RAT with good option and very stable.", - "value": "Vantom" + "value": "Vantom", + "uuid": "6e5a1fcb-f730-4d8d-890a-ef133782a7d2" }, { "meta": { @@ -436,7 +473,8 @@ ] }, "description": "Xena RAT is a fully-functional, stable, state-of-the-art RAT, coded in a native language called Delphi, it has almost no dependencies.", - "value": "Xena" + "value": "Xena", + "uuid": "b9d5ab11-dd6f-49ba-8117-ce16f71ff11c" }, { "meta": { 
@@ -446,7 +484,8 @@ "date": "2010" }, "description": "This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware. ", - "value": "XtremeRAT" + "value": "XtremeRAT", + "uuid": "3b6b55fb-595c-40c5-bbc5-dbe244b15026" }, { "meta": { @@ -456,7 +495,8 @@ "date": "2012" }, "description": "NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.", - "value": "Netwire" + "value": "Netwire", + "uuid": "e3113a0e-a65b-4119-8bc2-1c8d9d18c2db" }, { "meta": { @@ -466,7 +506,8 @@ "date": "2001" }, "description": "Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program. .", - "value": "Gh0st RAT" + "value": "Gh0st RAT", + "uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3" }, { "meta": { @@ -475,7 +516,8 @@ ] }, "description": "Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.", - "value": "Plasma RAT" + "value": "Plasma RAT", + "uuid": "af534ddb-d0c6-47c0-82be-058c8bd5c6e1" }, { "meta": { @@ -484,7 +526,8 @@ ] }, "description": "Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++ which is an ideal language for high performance and the client is developed in C#(.Net Framework 4.5)", - "value": "Babylon" + "value": "Babylon", + "uuid": "ad1c9a50-3cd2-446a-ab31-9ecb62980d61" }, { "meta": { 
@@ -493,7 +536,8 @@ ] }, "description": "RAT", - "value": "Imminent Monitor" + "value": "Imminent Monitor", + "uuid": "f52a5252-ef53-4935-81c8-96fffcd1b952" }, { "meta": { @@ -502,7 +546,8 @@ ] }, "description": "DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation – even allows attackers to fully take over the mobile phone and steal, record the victim’s private data wilfully.", - "value": "DroidJack" + "value": "DroidJack", + "uuid": "7f032293-bfa2-4595-803d-c84519190861" }, { "meta": { @@ -512,7 +557,8 @@ "date": "2014" }, "description": "Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface", - "value": "Quasar RAT" + "value": "Quasar RAT", + "uuid": "6efa425c-3731-44fd-9224-2a62df061a2d" }, { "meta": { 
@@ -523,7 +569,8 @@ "date": "2014" }, "description": "Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early of 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google's Bouncer and caused researchers to warn about it being easier to create Android malware due to it. It also seems to have follow in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.", - "value": "Dendroid" + "value": "Dendroid", + "uuid": "ea3a8c25-4adb-4538-bf11-55259bdba15f" }, { "meta": { @@ -533,7 +580,8 @@ "date": "2016" }, "description": "A Java R.A.T. program", - "value": "Ratty" + "value": "Ratty", + "uuid": "a51f07ae-ab2c-45ee-aa9c-1db7873e7bb4" }, { "meta": { @@ -543,7 +591,8 @@ ] }, "description": "Java RAT", - "value": "RaTRon" + "value": "RaTRon", + "uuid": "48b6886b-67a9-4815-92a2-1b7aca24d4ac" }, { "meta": { @@ -552,7 +601,8 @@ ], "date": "2006" }, - "value": "Arabian-Attacker RAT" + "value": "Arabian-Attacker RAT", + "uuid": "f966a936-19f9-4b6b-95b3-0ff102e26303" }, { "meta": { @@ -562,7 +612,8 @@ ] }, "description": "Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.", - "value": "Androrat" + "value": "Androrat", + "uuid": "ce70bf96-0629-4c7d-8ed8-2315fab0ed42" }, { "meta": { @@ -571,7 +622,8 @@ ] }, "description": "Remote Administrator", - "value": "Adzok" + "value": "Adzok", + "uuid": "3560c833-3d28-4888-b0b8-1951ecac57a2" }, { "meta": { 
@@ -584,7 +636,8 @@ ], "date": "2010" }, - "value": "Schwarze-Sonne-RAT" + "value": "Schwarze-Sonne-RAT", + "uuid": "99860df7-565d-47e4-a086-c4af1623b626" }, { "meta": { @@ -592,10 +645,12 @@ "https://www.indetectables.net/viewtopic.php?t=24245" ] }, - "value": "Cyber Eye RAT" + "value": "Cyber Eye RAT", + "uuid": "729f1b02-ce0c-41a4-8d4e-c7c1f5475c4b" }, { - "value": "Batch NET" + "value": "Batch NET", + "uuid": "9501172b-a81a-49bb-90ce-31f2fb78a130" }, { "meta": { @@ -603,7 +658,8 @@ "https://leakforums.net/thread-530663" ] }, - "value": "RWX RAT" + "value": "RWX RAT", + "uuid": "62c5b489-8750-4fab-aca3-b233af789831" }, { "meta": { @@ -613,7 +669,8 @@ "date": "2010" }, "description": "Spy-Net is a software that allow you to control any computer in world using Windows Operating System.He is back using new functions and good options to give you full control of your remote computer.Stable and fast, this software offer to you a good interface, creating a easy way to use all his functions", - "value": "Spynet" + "value": "Spynet", + "uuid": "66bfd62e-6626-4104-af37-a44244204ac8" }, { "meta": { @@ -621,7 +678,8 @@ "https://leakforums.net/thread-559871" ] }, - "value": "CTOS" + "value": "CTOS", + "uuid": "b9d7d5b8-7cf4-4650-a88a-5f4e991c45d6" }, { "meta": { @@ -629,7 +687,8 @@ "https://github.com/mwsrc/Virus-RAT-v8.0-Beta" ] }, - "value": "Virus RAT" + "value": "Virus RAT", + "uuid": "9107fc0d-6705-4fc2-b621-e5ac42afef90" }, { "meta": { @@ -637,7 +696,8 @@ "http://www.atelierweb.com/products/" ] }, - "value": "Atelier Web Remote Commander" + "value": "Atelier Web Remote Commander", + "uuid": "c51188d6-d489-4a18-a9a8-e38365f0bc10" }, { "meta": { @@ -646,7 +706,8 @@ ] }, "description": "A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev", - "value": "drat" + "value": "drat", + "uuid": "5ee39172-7ba3-477c-9772-88841b4be691" }, { "meta": { 
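Review bot: The `drat` entry that receives `"uuid": "5ee39172-7ba3-477c-9772-88841b4be691"` describes itself as a Map-Reduce wrapper around Apache RAT, which is Apache's Release Audit Tool (a license-header checker), not a remote access trojan, so this looks like a name collision that was scraped into the cluster rather than a real RAT. Giving it a stable uuid makes it citable from MISP events and harder to retire later; I would drop the entry, or confirm from its ref that it is actually malware, before the identifier is published. On the same line, `Batch NET` gets an identifier with no `meta`, refs or description, so consumers have nothing to verify the name against.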
@@ -655,7 +716,8 @@ ] }, "description": "MoSucker is a powerful backdoor - hacker's remote access tool.", - "value": "MoSucker" + "value": "MoSucker", + "uuid": "611ed43b-b869-4419-a487-6f7393125eb3" }, { "meta": { @@ -666,7 +728,8 @@ ], "date": "2002" }, - "value": "Theef" + "value": "Theef", + "uuid": "f5154f40-46c1-4a0d-9814-cb5e5adf201b" }, { "meta": { @@ -677,7 +740,8 @@ "date": "2002" }, "description": "ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled). ", - "value": "ProRat" + "value": "ProRat", + "uuid": "cae67963-63d2-4c8b-8358-a03556f20b7b" }, { "meta": { @@ -685,7 +749,8 @@ "https://sites.google.com/site/greymecompany/setro-rat-project" ] }, - "value": "Setro" + "value": "Setro", + "uuid": "6b1b2415-b42f-41c4-8c35-077844a9c4dc" }, { "meta": { @@ -693,7 +758,8 @@ "http://www.connect-trojan.net/2015/03/indetectables-rat-v.0.5-beta.html" ] }, - "value": "Indetectables RAT" + "value": "Indetectables RAT", + "uuid": "36912ecf-9411-44fa-b14d-ec3b6896b0e2" }, { "meta": { @@ -701,7 +767,8 @@ "https://luminosity.link/" ] }, - "value": "Luminosity Link" + "value": "Luminosity Link", + "uuid": "0f2c6cd4-675a-4c41-acf5-1b0bc3625375" }, { "meta": { @@ -710,7 +777,8 @@ ], "date": "2015" }, - "value": "Orcus" + "value": "Orcus", + "uuid": "30a1a10e-4155-43a6-854a-3b43bc2a3f9c" }, { "meta": { @@ -718,7 +786,8 @@ "http://www.connect-trojan.net/2014/10/blizzard-rat-lite-v1.3.1.html" ] }, - "value": "Blizzard" + "value": "Blizzard", + "uuid": "a7e4c2ff-6747-48e4-99c4-5c638c167fc0" }, { "meta": { @@ -727,7 +796,8 @@ "http://telussecuritylabs.com/threats/show/TSL20150122-06" ] }, - "value": "Kazybot" + "value": "Kazybot", + "uuid": "6c553273-f3f8-4e66-b764-9a9ae83a2f35" }, { "meta": { 
@@ -736,10 +806,12 @@ ], "date": "2014" }, - "value": "BX" + "value": "BX", + "uuid": "f6cc85de-81da-4276-a87c-45e3a00b67b5" }, { - "value": "death" + "value": "death", + "uuid": "b7095617-3320-4118-9f28-7d4356e2571a" }, { "meta": { @@ -747,7 +819,8 @@ "https://rubear.me/threads/sky-wyder-2016-cracked.127/" ] }, - "value": "Sky Wyder" + "value": "Sky Wyder", + "uuid": "866f97d7-faa9-49e2-b704-7406c1ee2565" }, { "meta": { @@ -757,7 +830,8 @@ ], "date": "2017" }, - "value": "DarkTrack" + "value": "DarkTrack", + "uuid": "f60dc9e3-2053-446c-89a0-ad69906de6e4" }, { "meta": { @@ -767,7 +841,8 @@ "date": "2017" }, "description": "Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).", - "value": "xRAT" + "value": "xRAT", + "uuid": "509aff15-ba17-4582-b1a0-b0ed89df01d8" }, { "meta": { @@ -775,7 +850,8 @@ "http://sakhackingarticles.blogspot.lu/2014/08/biodox-rat.html" ] }, - "value": "Biodox" + "value": "Biodox", + "uuid": "43e91752-23f5-41c6-baa3-74d6fc0f2cad" }, { "meta": { @@ -784,7 +860,8 @@ ] }, "description": "Offense RAT is a free renote administration tool made in Delphi 9.", - "value": "Offence" + "value": "Offence", + "uuid": "a9caa398-ba8b-4a64-8970-67761c7efc76" }, { "meta": { @@ -793,7 +870,8 @@ ], "date": "2009" }, - "value": "Apocalypse" + "value": "Apocalypse", + "uuid": "d5d3f9de-21b5-482e-b716-5f2f13182990" }, { "meta": { @@ -802,7 +880,8 @@ ], "date": "2013" }, - "value": "JCage" + "value": "JCage", + "uuid": "0d756293-6cbc-4973-8df8-7d6ab0cd51e0" }, { "meta": { @@ -812,7 +891,8 @@ ] }, "description": "Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).", - "value": "Nuclear RAT" + "value": "Nuclear RAT", + "uuid": "1b0f4481-f205-493a-a167-59669a64b6fc" }, { "meta": { 
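Review bot: `death` (uuid `b7095617-3320-4118-9f28-7d4356e2571a`) is a bare `value` with no `meta`, `refs` or `description`, and the same applies to `Brat`, `MINI-MO`, `ZOMBIE SLAYER`, `HTTP WEB BACKDOOR` and `Casa RAT` in later hunks; minting a permanent identifier for an entry that carries nothing to verify it against turns a placeholder into a fact that events will reference. I would either add at least one ref per such entry or hold back the uuid until there is one. `BX` in the same hunk has only a date, which is the same problem to a lesser degree.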
@@ -821,7 +901,8 @@ ] }, "description": "C++ REMOTE CONTROL PROGRAM", - "value": "Ozone" + "value": "Ozone", + "uuid": "1a4d6958-45fe-41ca-b545-bdf28fba14fa" }, { "meta": { @@ -829,7 +910,8 @@ "https://github.com/alienwithin/xanity-php-rat" ] }, - "value": "Xanity" + "value": "Xanity", + "uuid": "66c3e21d-1cb9-43b4-bd1b-2d9ac839a628" }, { "meta": { @@ -837,7 +919,8 @@ "Dark Moon" ] }, - "value": "DarkMoon" + "value": "DarkMoon", + "uuid": "18a4e501-c6e3-45e9-beee-25421b0c7bcb" }, { "meta": { @@ -847,7 +930,8 @@ "https://trickytamilan.blogspot.lu/2016/03/xpert-rat.html" ] }, - "value": "Xpert" + "value": "Xpert", + "uuid": "bdb25a20-4c6c-4fdb-ac05-5f81fb6c15a7" }, { "meta": { @@ -859,13 +943,16 @@ ] }, "description": "This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.", - "value": "Kiler RAT" + "value": "Kiler RAT", + "uuid": "c01ef312-dfd6-403f-a8b5-67fc11a550a7" }, { - "value": "Brat" + "value": "Brat", + "uuid": "7109e2b0-8c05-4d2b-a37f-c00d799f0c02" }, { - "value": "MINI-MO" + "value": "MINI-MO", + "uuid": "32ea7a67-9649-4bd3-b194-f37f04c208ba" }, { "meta": { 
@@ -880,7 +967,8 @@ "date": "2010" }, "description": "Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.", - "value": "Lost Door" + "value": "Lost Door", + "uuid": "8007f2be-ba4f-445e-8a15-6c2bfe769c49" }, { "meta": { @@ -889,7 +977,8 @@ ] }, "description": "Loki RAT is a php RAT that means no port forwarding is needed for this RAT, If you dont know how to setup this RAT click on tutorial.", - "value": "Loki RAT" + "value": "Loki RAT", + "uuid": "70e6875b-34b5-4f97-8403-210defbc040d" }, { "meta": { @@ -897,7 +986,8 @@ "https://github.com/BahNahNah/MLRat" ] }, - "value": "MLRat" + "value": "MLRat", + "uuid": "83929545-ef07-469c-ab55-c59155a66cc6" }, { "meta": { @@ -907,7 +997,8 @@ "https://ranger-exploit.com/spycronic-v1-02-1/" ] }, - "value": "SpyCronic" + "value": "SpyCronic", + "uuid": "71289654-0217-44d7-8762-b609b3eace80" }, { "meta": { @@ -917,7 +1008,8 @@ "date": "2015" }, "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python ", - "value": "Pupy" + "value": "Pupy", + "uuid": "bdb420be-5882-41c8-b439-02bbef69d83f" }, { "meta": { @@ -927,7 +1019,8 @@ "date": "2002" }, "description": "Nova is a proof of concept demonstrating screen sharing over UDP hole punching.", - "value": "Nova" + "value": "Nova", + "uuid": "eea78fd1-11ae-432a-9422-d5e774eb8ff2" }, { "meta": { @@ -943,7 +1036,8 @@ ], "date": "1998" }, - "value": "BD Y3K RAT" + "value": "BD Y3K RAT", + "uuid": "62f8b6aa-f3df-4789-9348-b16db59f345e" }, { "meta": { 
@@ -953,7 +1047,8 @@ "date": "2003" }, "description": "Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.", - "value": "Turkojan" + "value": "Turkojan", + "uuid": "29f7cf0f-b422-4966-9298-c8b4cb54deac" }, { "meta": { @@ -962,7 +1057,8 @@ ] }, "description": "TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.", - "value": "TINY" + "value": "TINY", + "uuid": "c9fd50a0-35c8-4dfd-baeb-8043182e864c" }, { "meta": { @@ -977,7 +1073,8 @@ "date": "2008" }, "description": "sharK is an advanced reverse connecting, firewall bypassing remote administration tool written in VB6. With sharK you will be able to administrate every PC (using Windows OS) remotely.", - "value": "SharK" + "value": "SharK", + "uuid": "ff471870-7c9a-4122-ba89-489fc819660b" }, { "meta": { @@ -992,7 +1089,8 @@ ] }, "description": "Backdoor.Snowdoor is a Backdoor Trojan Horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5,328.", - "value": "Snowdoor" + "value": "Snowdoor", + "uuid": "ed4590cd-d636-46bc-a92d-d90b9548db51" }, { "meta": { @@ -1000,7 +1098,8 @@ "https://www.nulled.to/topic/155464-paradox-rat/" ] }, - "value": "Paradox" + "value": "Paradox", + "uuid": "5d4123f6-c344-45ee-83e9-c5656d38e604" }, { "meta": { @@ -1009,13 +1108,16 @@ ] }, "description": "Android RAT", - "value": "SpyNote" + "value": "SpyNote", + "uuid": "ea727e26-b3de-44f8-86c5-11a912c7a8aa" }, { - "value": "ZOMBIE SLAYER" + "value": "ZOMBIE SLAYER", + "uuid": "b7b6db54-db6a-463c-a2a2-3a0da1f7fe32" }, { - "value": "HTTP WEB BACKDOOR" + "value": "HTTP WEB BACKDOOR", + "uuid": "69b002ee-1be8-44e2-9295-8299b97a5773" }, { "meta": { 
@@ -1024,7 +1126,8 @@ ] }, "description": "Net Monitor for Employees lets you see what everyone's doing - without leaving your desk. Monitor the activity of all employees. Plus you can share your screen with your employees PCs, making demos and presentations much easier.", - "value": "NET-MONITOR PRO" + "value": "NET-MONITOR PRO", + "uuid": "376671ff-2131-4150-b1f4-7870f6adf8ae" }, { "meta": { @@ -1036,7 +1139,8 @@ ] }, "description": "Affordable remote control software for all your customer support and help desk needs.", - "value": "DameWare Mini Remote Control" + "value": "DameWare Mini Remote Control", + "uuid": "ba157c90-8f94-45f2-8395-001e76eee506" }, { "meta": { @@ -1045,7 +1149,8 @@ ] }, "description": "Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an \"Internet ID.\" You can control a total of 10 PCs with Remote Utilities.", - "value": "Remote Utilities" + "value": "Remote Utilities", + "uuid": "903846e2-5fa7-42c9-98bf-00d05473c9e3" }, { "meta": { @@ -1058,7 +1163,8 @@ "date": "2011" }, "description": "Ammyy Admin is a completely portable remote access program that's extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.", - "value": "Ammyy Admin" + "value": "Ammyy Admin", + "uuid": "9025f09b-a3fe-4711-89b8-bee6037681f8" }, { "meta": { @@ -1067,7 +1173,8 @@ ] }, "description": "UltraVNC works a bit like Remote Utilities, where a server and viewer is installed on two PCs, and the viewer is used to control the server.", - "value": "Ultra VNC" + "value": "Ultra VNC", + "uuid": "12f03025-467b-49b3-ba7b-2a152e38eae5" }, { "meta": { 
@@ -1076,11 +1183,13 @@ ] }, "description": "AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.", - "value": "AeroAdmin" + "value": "AeroAdmin", + "uuid": "6dd8f7ac-a90b-4155-843d-b95f1f4e0e81" }, { "description": "Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.", - "value": "Windows Remote Desktop" + "value": "Windows Remote Desktop", + "uuid": "07c792c4-2f78-4eba-a6a3-3ba28e098886" }, { "meta": { @@ -1089,7 +1198,8 @@ ] }, "description": "RemotePC, for good or bad, is a more simple free remote desktop program. You're only allowed one connection (unless you upgrade) but for many of you, that'll be just fine.", - "value": "RemotePC" + "value": "RemotePC", + "uuid": "e4ae4f4e-a751-4633-a54e-c747508ff3b8" }, { "meta": { @@ -1101,7 +1211,8 @@ ] }, "description": "Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that's absolutely perfect for on-demand, instant support.", - "value": "Seecreen" + "value": "Seecreen", + "uuid": "b9df1fb3-17b7-430b-8c23-f1d321c1265c" }, { "meta": { @@ -1110,7 +1221,8 @@ ] }, "description": "Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you setup a computer for remote access from any other Chrome browser.", - "value": "Chrome Remote Desktop" + "value": "Chrome Remote Desktop", + "uuid": "6583d982-a5cb-47e0-a3b0-bc18cadaeb53" }, { "meta": { @@ -1119,7 +1231,8 @@ ] }, "description": "AnyDesk is a remote desktop program that you can run portably or install like a regular program.", - "value": "AnyDesk" + "value": "AnyDesk", + "uuid": "7d71d21e-68f0-4595-beee-7c353471463d" }, { "meta": { 
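Review bot: `Windows Remote Desktop` (uuid `07c792c4-2f78-4eba-a6a3-3ba28e098886`) and neighbouring entries such as `Chrome Remote Desktop`, `AnyDesk`, `AeroAdmin`, `RemotePC` and `Seecreen` are legitimate remote-administration products, yet nothing in the cluster distinguishes them from the trojans beside them. Once each has a stable uuid, anyone deriving detections or blocklists from this galaxy will tag RDP or AnyDesk as a RAT family unless they special-case by name. Something like a `meta` marker on these entries, e.g. `"type": ["legitimate-remote-admin"]`, or a separate galaxy for legitimate tools, would keep the uuids useful without that side effect.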
@@ -1128,7 +1241,8 @@ ] }, "description": "LiteManager is another remote access program, and it's strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.", - "value": "LiteManager" + "value": "LiteManager", + "uuid": "0c8a877b-6c9c-43a7-9688-d90a098d8710" }, { "meta": { @@ -1137,7 +1251,8 @@ ] }, "description": "Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.", - "value": "Comodo Unite" + "value": "Comodo Unite", + "uuid": "9b990bc7-ff88-4658-90de-806711462c55" }, { "meta": { @@ -1146,7 +1261,8 @@ ] }, "description": "ShowMyPC is a portable and free remote access program that's nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.", - "value": "ShowMyPC" + "value": "ShowMyPC", + "uuid": "185adc84-ad02-4559-aacc-50b2d690640c" }, { "meta": { @@ -1155,7 +1271,8 @@ ] }, "description": "join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.", - "value": "join.me" + "value": "join.me", + "uuid": "204b457d-9729-460b-991b-943171c55fa7" }, { "meta": { @@ -1164,7 +1281,8 @@ ] }, "description": "DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.", - "value": "DesktopNow" + "value": "DesktopNow", + "uuid": "82a2bcba-0f31-4a45-bddb-559db9819fad" }, { "meta": { 
@@ -1173,10 +1291,12 @@ ] }, "description": "Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter's screen.", - "value": "BeamYourScreen" + "value": "BeamYourScreen", + "uuid": "a31bf7d6-70a9-4f5f-a38e-88e173ad444c" }, { - "value": "Casa RAT" + "value": "Casa RAT", + "uuid": "ef164438-e4bd-4c56-a8e6-e5e64bc8dd5a" }, { "meta": { @@ -1186,7 +1306,8 @@ "date": "2005" }, "description": "Bandook is a FWB#++ reverse connection rat (Remote Administration Tool), with a small size server when packed 30 KB, and a long list of amazing features", - "value": "Bandook RAT" + "value": "Bandook RAT", + "uuid": "3482922d-b58c-482f-8363-f63f52fcdb43" }, { "meta": { @@ -1195,13 +1316,15 @@ ], "date": "2009" }, - "value": "Cerberus RAT" + "value": "Cerberus RAT", + "uuid": "180145d0-f4e3-4ab3-b5bb-ce17f7fec0db" }, { "value": "Syndrome RAT", "meta": { "date": "2010" - } + }, + "uuid": "db9bcc9a-27ec-4a58-a481-d978b4954ad7" }, { "meta": { @@ -1211,13 +1334,15 @@ "date": "2002" }, "description": "Snoopy is a Remote Administration Tool. Software for controlling user computer remotely from other computer on local network or Internet.", - "value": "Snoopy" + "value": "Snoopy", + "uuid": "fffbcd87-f028-4c4a-9e94-312e4e954450" }, { "value": "5p00f3r.N$ RAT", "meta": { "date": "2010" - } + }, + "uuid": "f592c850-4867-4fa1-a303-151b953710d7" }, { "meta": { @@ -1226,13 +1351,15 @@ ], "date": "2011" }, - "value": "P. Storrie RAT" + "value": "P. Storrie RAT", + "uuid": "9287c2db-99e6-4d3b-bb32-3054e2e96e39" }, { "value": "xHacker Pro RAT", "meta": { "date": "2007" - } + }, + "uuid": "832dad3c-6483-4d3c-ad02-8336dea90682" }, { "meta": { 
@@ -1241,7 +1368,8 @@ ] }, "description": "Backdoor.NetDevil allows a hacker to remotely control an infected computer.", - "value": "NetDevil" + "value": "NetDevil", + "uuid": "281563d8-14f8-43a8-a0cb-2f0198f7146c" }, { "meta": { @@ -1250,7 +1378,8 @@ ] }, "description": "In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.\nDigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.", - "value": "NanoCore" + "value": "NanoCore", + "uuid": "6c3c111a-93af-428a-bee0-feacbee0237d" }, { "description": "The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family", 
@@ -1260,7 +1389,8 @@ "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" ], "date": "2017" - } + }, + "uuid": "8c49da10-2b59-42c4-81e6-75556decdecb" }, { "description": "NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.", @@ -1270,19 +1400,22 @@ "http://www.netsupportmanager.com/index.asp" ], "date": "1989" - } + }, + "uuid": "d6fe0674-f55b-46ea-bf87-78fa0fa6ac97" }, { "value": "Vortex", "meta": { "date": "1998" - } + }, + "uuid": "2a47361d-584b-493f-80a4-37c74c30cf1b" }, { "value": "Assassin", "meta": { "date": "2002" - } + }, + "uuid": "eac2e921-d71e-45fd-abff-4902968f910d" }, { "value": "Net Devil", @@ -1294,7 +1427,8 @@ "synonyms": [ "NetDevil" ] - } + }, + "uuid": "2be434d3-03df-4236-9e7e-130c2efa8b33" }, { "value": "A4Zeta", @@ -1303,7 +1437,8 @@ "http://www.megasecurity.org/trojans/a/a4zeta/A4zeta_b2.html" ], "date": "2002" - } + }, + "uuid": "9a0b6acf-e913-446a-a4cd-35eb9046febe" }, { "value": "Greek Hackers RAT", @@ -1312,7 +1447,8 @@ "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0" ], "date": "2002" - } + }, + "uuid": "77e7ad24-3412-4536-ae4c-1971317f4231" }, { "value": "MRA RAT", @@ -1321,7 +1457,8 @@ "http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0" ], "date": "2002" - } + }, + "uuid": "de4974d1-1a1b-4a67-835b-172ebbdcfafd" }, { "value": "Sparta RAT", 
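Review bot: `Net Devil` receives `"uuid": "2be434d3-03df-4236-9e7e-130c2efa8b33"` while its declared synonym `NetDevil` is already a separate entry (`Backdoor.NetDevil allows a hacker to remotely control an infected computer.`) with uuid `281563d8-14f8-43a8-a0cb-2f0198f7146c` in an earlier hunk, so one tool now has two permanent identifiers and events will split across them. Merge the two before the ids are published — keep one `value`, fold the other name into `synonyms` and carry over its ref and description — since renaming or removing a uuid later breaks existing references. Also on this line, `MRA RAT` cites the same connect-trojan URL as `Greek Hackers RAT`, which reads like a copy-paste slip worth checking while the entries are being touched.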
@@ -1330,19 +1467,22 @@ "http://www.connect-trojan.net/2015/09/sparta-rat-1.2-by-azooz-ejram.html" ], "date": "2002" - } + }, + "uuid": "c1086221-a498-4ec9-ac33-85e4790136ae" }, { "value": "LokiTech", "meta": { "date": "2003" - } + }, + "uuid": "ff97af70-011c-4d7c-9ae6-1e41ea5dfc12" }, { "value": "MadRAT", "meta": { "date": "2002" - } + }, + "uuid": "5c65f5ec-c629-4d12-9078-08a4bb7522eb" }, { "value": "Tequila Bandita", @@ -1351,7 +1491,8 @@ "http://www.connect-trojan.net/2013/07/tequila-bandita-1.3b2.html" ], "date": "2004" - } + }, + "uuid": "831879d3-5492-46b1-b174-491e6b413232" }, { "value": "Toquito Bandito", @@ -1360,7 +1501,8 @@ "http://www.megasecurity.org/trojans/t/toquitobandito/Toquitobandito_all.html" ], "date": "2004" - } + }, + "uuid": "79861bda-8c72-4b90-876e-854b9daf32eb" }, { "description": "MofoTro is a new rat coded by Cool_mofo_2.", @@ -1372,7 +1514,8 @@ "http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta1.5.html" ], "date": "2006" - } + }, + "uuid": "fa0a7929-3876-4866-9c01-a5d168379816" }, { "description": "Written in Delphi", @@ -1382,7 +1525,8 @@ "http://www.megasecurity.org/trojans/h/hav/Havrat1.2.html" ], "date": "2007" - } + }, + "uuid": "3a2176f2-138d-4939-958c-70992abddca3" }, { "description": "ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.", @@ -1392,7 +1536,8 @@ "https://attack.mitre.org/wiki/Software/S0126" ], "date": "2007" - } + }, + "uuid": "9223bf17-7e32-4833-9574-9ffd8c929765" }, { "description": "4H RAT is malware that has been used by Putter Panda since at least 2007.", @@ -1402,7 +1547,8 @@ "https://attack.mitre.org/wiki/Software/S0065" ], "date": "2007" - } + }, + "uuid": "d8aad68d-a68f-42e1-b755-d5f383b73401" }, { "description": "", 
@@ -1415,31 +1561,36 @@
 "synonyms": [
 "Dark NET RAT"
 ]
- }
+ },
+ "uuid": "ba285e93-d330-4efc-ad00-a84433575e2c"
 },
 {
 "value": "CIA RAT",
 "meta": {
 "date": "2008"
- }
+ },
+ "uuid": "b82d0ec7-3918-4252-9c8f-b4d17b14c596"
 },
 {
 "value": "Minimo",
 "meta": {
 "date": "2008"
- }
+ },
+ "uuid": "71a72669-4d7b-49a5-95a3-bbefbb2152bf"
 },
 {
 "value": "miniRAT",
 "meta": {
 "date": "2008"
- }
+ },
+ "uuid": "2b640955-05d4-46f7-9b34-c697f4e927e4"
 },
 {
 "value": "Pain RAT",
 "meta": {
 "date": "2008"
- }
+ },
+ "uuid": "17958627-0c27-4536-8839-5c91d51866bc"
 },
 {
 "description": "PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.",
@@ -1453,7 +1604,8 @@
 "Korplug"
 ],
 "date": "2005 or 2008"
- }
+ },
+ "uuid": "663f8ef9-4c50-499a-b765-f377d23c1070"
 },
 {
 "description": "The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.",
@@ -1464,7 +1616,8 @@
 "https://www.itnews.com.au/news/shadowbrokers-release-unitedrake-nsa-malware-472771"
 ],
 "date": "2008"
- }
+ },
+ "uuid": "41d4b98f-8ec2-4e8d-938c-42a776b422ee"
 },
 {
 "description": "Written in Visual Basic",
@@ -1474,19 +1627,22 @@
 "http://www.megasecurity.org/trojans/m/mega/Megatrojan1.0.html"
 ],
 "date": "2008"
- }
+ },
+ "uuid": "4c053709-5349-4630-8462-dde28c8433eb"
 },
 {
 "value": "Venomous Ivy",
 "meta": {
 "date": "2009"
- }
+ },
+ "uuid": "9b5eb899-fc44-43f5-9a28-cdac4bc6a784"
 },
 {
 "value": "Xploit",
 "meta": {
 "date": "2010"
- }
+ },
+ "uuid": "286fc965-b019-49b1-937c-740b95a368bb"
 },
 {
 "value": "Arctic R.A.T.",
@@ -1498,7 +1654,8 @@
 "Artic"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "3ff21b18-8be5-45fd-9d42-d5ab9dddfa4c"
 },
 {
 "value": "GOlden Phoenix",
@@ -1507,7 +1664,8 @@
 "http://www.connect-trojan.net/2014/02/golden-phoenix-rat-0.2.html"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "422ff7d4-0106-4e87-8eae-8cbd6c789540"
 },
 {
 "value": "GraphicBooting",
@@ -1516,19 +1674,22 @@
 "http://www.connect-trojan.net/2014/10/graphicbooting-rat-v0.1-beta.html?m=0"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "06b18c56-0894-4bca-a373-21e1576ddd7c"
 },
 {
 "value": "Pocket RAT",
 "meta": {
 "date": "2010"
- }
+ },
+ "uuid": "76313bca-2551-4f0c-b427-e413cbb728b0"
 },
 {
 "value": "Erebus",
 "meta": {
 "date": "2010"
- }
+ },
+ "uuid": "ee73e375-3ac2-4ce0-b24b-74fd82d52864"
 },
 {
 "value": "SharpEye",
@@ -1538,13 +1699,15 @@
 "http://www.connect-trojan.net/2014/02/sharpeye-rat-1.0-beta-2.html"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "c42394f8-5f35-4797-9393-8289ab8ad3ad"
 },
 {
 "value": "VorteX",
 "meta": {
 "date": "2010"
- }
+ },
+ "uuid": "58e2e2ee-5c25-4a13-abfc-2a6c85d978fa"
 },
 {
 "value": "Archelaus Beta",
@@ -1553,7 +1716,8 @@
 "http://www.connect-trojan.net/2014/02/archelaus-rat-beta.html"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "ccd38085-f3bc-4fb0-ae24-99a45964dd8e"
 },
 {
 "description": "C# RAT (Remote Adminitration Tool) - Educational purposes only",
@@ -1563,7 +1727,8 @@
 "https://github.com/hussein-aitlahcen/BlackHole"
 ],
 "date": "2011"
- }
+ },
+ "uuid": "2ea1f494-cf18-49fb-a043-36555131dd7c"
 },
 {
 "value": "Vanguard",
@@ -1572,7 +1737,8 @@
 "http://ktwox7.blogspot.lu/2010/12/vanguard-remote-administration.html"
 ],
 "date": "2010"
- }
+ },
+ "uuid": "9de3e8d7-c501-4926-a82f-6e147d66c06d"
 },
 {
 "value": "Ahtapod",
@@ -1581,7 +1747,8 @@
 "http://www.ibtimes.co.uk/turkish-journalist-baris-pehlivan-jailed-terrorism-was-framed-by-hackers-says-report-1577481"
 ],
 "date": "2011"
- }
+ },
+ "uuid": "dd2c3283-095d-4895-85cd-6a01e0616968"
 },
 {
 "meta": {
@@ -1591,7 +1758,8 @@
 "date": "2012"
 },
 "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.",
- "value": "FINSPY"
+ "value": "FINSPY",
+ "uuid": "6ac125c8-6f00-490f-a43b-30b36d715431"
 },
 {
 "description": "Seed is a firewall bypass plus trojan, injects into default browser and has a simple purpose: to be compact (4kb server size) and useful while uploading bigger and full trojans, or even making Seed download them somewhere. Has computer info, process manager, file manager, with download, create folder, delete, execute and upload. And a remote download function. Everything with a easy to use interface, reminds an instant messenger.",
@@ -1601,13 +1769,15 @@
 "http://www.nuclearwintercrew.com/Products-View/25/Seed_1.1/"
 ],
 "date": "2004 or 2011"
- }
+ },
+ "uuid": "4c0ec00c-7fd4-4d8b-b1c9-6a12035fe992"
 },
 {
 "value": "SharpBot",
 "meta": {
 "date": "2011"
- }
+ },
+ "uuid": "126d167b-c47e-42a5-91fa-5af157f6df30"
 },
 {
 "value": "TorCT PHP RAT",
@@ -1616,25 +1786,29 @@
 "https://github.com/alienwithin/torCT-PHP-RAT"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "14210ee4-e0bf-49f9-8d7a-13180dadda6b"
 },
 {
 "value": "A32s RAT",
 "meta": {
 "date": "2012"
- }
+ },
+ "uuid": "564dc473-e3a7-466b-afa0-591db218c05e"
 },
 {
 "value": "Char0n",
 "meta": {
 "date": "2012"
- }
+ },
+ "uuid": "6faf9e5a-517f-4f7c-b720-7b7d537f65ef"
 },
 {
 "value": "Nytro",
 "meta": {
 "date": "2012"
- }
+ },
+ "uuid": "25d23e76-72b1-4d47-9c80-9610a91e4945"
 },
 {
 "value": "Syla",
@@ -1643,7 +1817,8 @@
 "http://www.connect-trojan.net/2013/07/syla-rat-0.3.html"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "bcbe2297-5ebf-48fe-936c-6f850f23383c"
 },
 {
 "description": "Cobalt Strike is software for Adversary Simulations and Red Team Operations.",
@@ -1653,7 +1828,8 @@
 "https://www.cobaltstrike.com/"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "ca44dd5e-fd9e-48b5-99cb-0b2629b9265f"
 },
 {
 "description": "The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.",
@@ -1667,7 +1843,8 @@
 "VIPER"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "3eca2d5f-41bf-4ad4-847f-df18befcdc44"
 },
 {
 "description": "hcdLoader is a remote access tool (RAT) that has been used by APT18.",
@@ -1677,7 +1854,8 @@
 "https://attack.mitre.org/wiki/Software/S0071"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "12bb8f4f-af29-49a0-8c2c-d28468f28fd8"
 },
 {
 "value": "Crimson",
@@ -1686,7 +1864,8 @@
 "http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html"
 ],
 "date": "2012"
- }
+ },
+ "uuid": "8d8efbc6-d1b7-4ec8-bab3-591edba337d0"
 },
 {
 "value": "KjW0rm",
@@ -1695,7 +1874,8 @@
 "http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html"
 ],
 "date": "2013"
- }
+ },
+ "uuid": "a7bffc6a-5b47-410b-b039-def16050adcb"
 },
 {
 "value": "Ghost",
@@ -1707,31 +1887,36 @@
 "Ucul"
 ],
 "date": "2013"
- }
+ },
+ "uuid": "22f43398-47b2-4851-866a-b9ed0d355bf2"
 },
 {
 "value": "9002",
 "meta": {
 "date": "2013"
- }
+ },
+ "uuid": "21029a2d-85d7-40d0-9b87-8e8c414bf470"
 },
 {
 "value": "Sandro RAT",
 "meta": {
 "date": "2014"
- }
+ },
+ "uuid": "ad630149-e7d4-4ca0-9877-ef37743d00a3"
 },
 {
 "value": "Mega",
 "meta": {
 "date": "2014"
- }
+ },
+ "uuid": "d0d7dc33-1c12-4a5a-b421-79f4761bd1b1"
 },
 {
 "value": "WiRAT",
 "meta": {
 "date": "2014"
- }
+ },
+ "uuid": "af66d0c1-15c9-4a0b-b0cc-4208914707e6"
 },
 {
 "value": "3PARA RAT",
@@ -1739,13 +1924,15 @@
 "refs": [
 "https://books.google.fr/books?isbn=2212290136"
 ]
- }
+ },
+ "uuid": "59fb0222-0e7d-4f5f-92ac-e68012fb927d"
 },
 {
 "value": "BBS RAT",
 "meta": {
 "date": "2014"
- }
+ },
+ "uuid": "6e754ac7-0ffb-4510-9f70-4b74ab7bc868"
 },
 {
 "description": "KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.",
@@ -1760,7 +1947,8 @@
 "synonyms": [
 "KONNI"
 ]
- }
+ },
+ "uuid": "5b930a23-7d88-481f-8791-abc7b3dd93d2"
 },
 {
 "value": "Felismus RAT",
@@ -1770,7 +1958,8 @@
 "refs": [
 "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
 ]
- }
+ },
+ "uuid": "1a35d040-1e0e-402b-8174-43e5c3c81922"
 },
 {
 "description": "Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user's device and executes remote commands as directed by its command-and-control (C2) server.",
@@ -1784,7 +1973,8 @@
 "mRAT"
 ],
 "date": "2014"
- }
+ },
+ "uuid": "b1abae3d-e1a1-4c50-a3b0-9509c594a600"
 },
 {
 "description": "GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.",
@@ -1795,7 +1985,8 @@
 "http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "b6ddc2c6-5890-4c60-9b10-4274d1a9cc22"
 },
 {
 "value": "Rottie3",
@@ -1804,13 +1995,15 @@
 "https://www.youtube.com/watch?v=jUg5--68Iqs"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "2e44066e-bb4f-41f9-86d3-495f83df5195"
 },
 {
 "value": "Killer RAT",
 "meta": {
 "date": "2015"
- }
+ },
+ "uuid": "983d5ac0-2e26-4793-8bab-fce33ae4e46d"
 },
 {
 "value": "Hi-Zor",
@@ -1819,7 +2012,8 @@
 "https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "d22a3e65-75e5-4970-b424-bdc06ec33dba"
 },
 {
 "description": "Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim's computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns. ",
@@ -1832,13 +2026,15 @@
 "QRAT"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "3d7cbe3f-ba90-46f7-89a2-21aa52871404"
 },
 {
 "value": "Heseber",
 "meta": {
 "date": "2015"
- }
+ },
+ "uuid": "69d1f7e0-d7df-4e86-bec5-b7df696c5bcf"
 },
 {
 "description": "Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute it. ",
@@ -1850,7 +2046,8 @@
 "https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "cb23f563-a8b9-4427-9884-594e8d3cc836"
 },
 {
 "description": "Works on all Android, Windows, Linux and Mac devices!",
@@ -1860,7 +2057,8 @@
 "https://omnirat.eu/en/"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "f091dfcb-07f4-4414-849e-c644e7327d94"
 },
 {
 "value": "Jfect",
@@ -1869,7 +2067,8 @@
 "https://www.youtube.com/watch?v=qKdoExQFb68"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "10193e70-8bb7-4e48-b8f0-7692f2052c89"
 },
 {
 "description": "Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed \"the Seven Pointed Dagger,\" managed by another group, \"Group 27,\" who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan's functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection. ",
@@ -1880,7 +2079,8 @@
 "http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "8204723f-aefc-4c90-9178-8fe53e8d6f33"
 },
 {
 "description": "Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.",
@@ -1890,7 +2090,8 @@
 "https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group"
 ],
 "date": "2015"
- }
+ },
+ "uuid": "33b86249-5455-4698-a5e5-0c9591e673b9"
 },
 {
 "description": "First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan's infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by \"Ric\", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazillian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victim's browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victim's browsers and push pop-ups to the victim asking for the verification code they just received.",
@@ -1902,7 +2103,8 @@
 "http://news.softpedia.com/news/new-malware-mangit-surfaces-as-banking-trojan-as-a-service-505458.shtml"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "05ecfb96-f9ec-4dab-b7d3-86b8cb3fe7b5"
 },
 {
 "value": "LeGeNd",
@@ -1912,7 +2114,8 @@
 "http://www.connect-trojan.net/2016/11/legend-rat-v1.9-by-ahmed-ibrahim.html"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "20336460-828e-4f18-bbe6-14f3579b5f5a"
 },
 {
 "description": "Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware’s author didn’t bother obfuscating the RAT’s source code. This raised a question mark with the researchers, who couldn’t explain why VirusTotal scanners couldn’t pick it up as a threat right away.Revenge, which was written in Visual Basic, also didn’t feature too many working features, compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.",
@@ -1922,7 +2125,8 @@
 "http://www.securitynewspaper.com/2016/08/31/unsophisticated-revenge-rat-released-online-free-exclusive/"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "80c94c22-b294-4622-8934-e89a235d586f"
 },
 {
 "value": "vjw0rm 0.1",
@@ -1931,7 +2135,8 @@
 "https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "bf86d7a6-80af-4d22-a092-f822bf7201d2"
 },
 {
 "description": "ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco's Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of \"kgf2016@yonsei.ac.kr,\" the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, \"Request Help\" and attached malicious HWP filename, \"I'm a munchon person in Gangwon-do, North Korea.\" The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. 
Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.",
@@ -1945,7 +2150,8 @@
 "ROKRAT"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "38e68703-1db4-4b97-80e9-a0afd099da58"
 },
 {
 "description": "Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).",
@@ -1958,7 +2164,8 @@
 "qrat"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "179288c9-4ff1-4a7e-b728-35dd2e6aac43"
 },
 {
 "description": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.",
@@ -1969,7 +2176,8 @@
 "https://attack.mitre.org/wiki/Software/S0149"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "f266754c-d0aa-4918-95a3-73b28eaa66e3"
 },
 {
 "description": "Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.",
@@ -1979,7 +2187,8 @@
 "https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "f647cca0-7416-47e9-8342-94b84dd436cc"
 },
 {
 "description": "The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking session at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.",
@@ -1989,7 +2198,8 @@
 "https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "d840e5af-3e6b-49af-ab82-fb4f8740bf55"
 },
 {
 "description": "Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most… ",
@@ -1999,7 +2209,8 @@
 "https://github.com/Screetsec/TheFatRat"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "90b4addc-e9ff-412d-899e-7204c89c0bdb"
 },
 {
 "description": "Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.",
@@ -2009,7 +2220,8 @@
 "http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html"
 ],
 "date": "2016"
- }
+ },
+ "uuid": "ad6a1b4a-6d79-40d4-adb7-1d7ca697347e"
 },
 {
 "description": "Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.",
@@ -2019,7 +2231,8 @@
 "http://www.securityweek.com/rurktar-malware-espionage-tool-development"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "40bce827-4049-46e4-8323-3ab58f0f00bc"
 },
 {
 "description": "RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim's machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot's Telegram token into the trojan's configuration file. When a system is infected with RATAttack, it connects to the bot's Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan's code was available on GitHub then was taken down by the author on April 19, 2017.",
@@ -2029,7 +2242,8 @@
 "https://www.cyber.nj.gov/threat-profiles/trojan-variants/ratattack"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "2384b62d-312f-43e2-ab47-68c9fcca1541"
 },
 {
 "description": "So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.",
@@ -2039,7 +2253,8 @@
 "https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "9da7b7b2-f514-4114-83c0-ce3a5f635d2e"
 },
 {
 "description": "",
@@ -2049,7 +2264,8 @@
 "https://revcode.eu/"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "5a3463d3-ff2a-41e2-9186-55da8c88b349"
 },
 {
 "description": "Android Remote Administration Tool",
@@ -2059,7 +2275,8 @@
 "https://github.com/AhMyth/AhMyth-Android-RAT"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "b1df2bb1-7fd4-4a25-93c3-fe1f2c7cf529"
 },
 {
 "value": "Socket23",
@@ -2069,13 +2286,15 @@
 "https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf"
 ],
 "date": "1998"
- }
+ },
+ "uuid": "da7c818f-5f3b-415c-b885-cf0a71d6e89e"
 },
 {
 "value": "PowerRAT",
 "meta": {
 "date": "2017"
- }
+ },
+ "uuid": "b3620451-8871-4078-bbf9-aa5bab641299"
 },
 {
 "description": "Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the \"most sophisticated Mac spyware ever\", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.",
@@ -2086,7 +2305,8 @@
 "https://objective-see.com/blog/blog_0x25.html"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "b7cea5fe-d3fe-47cf-ba82-104c90e130ff"
 },
 {
 "description": "Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection. ",
@@ -2096,7 +2316,8 @@
 "http://blog.talosintelligence.com/2017/03/dnsmessenger.html"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "ee8ccb36-2596-43a3-a044-b8721dbeb2ab"
 },
 {
 "value": "PentagonRAT",
@@ -2105,7 +2326,8 @@
 "http://pentagon-rat.blogspot.fr/"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "d208daa3-6ecd-4faf-8492-04f7b5b2dd28"
 },
 {
 "description": "NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.",
@@ -2116,25 +2338,29 @@
 "https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations"
 ],
 "date": "2017"
- }
+ },
+ "uuid": "6a505bfc-87fe-4bd2-97d7-394a3c29611d"
 },
 {
 "value": "Deeper RAT",
 "meta": {
 "date": "2010"
- }
+ },
+ "uuid": "d7739c15-07af-4cfd-9eea-a28ed90cbfa5"
 },
 {
 "value": "Xyligan",
 "meta": {
 "date": "2012"
- }
+ },
+ "uuid": "0a75f34a-eaca-4ed8-b2f2-3f713c7a0693"
 },
 {
 "value": "H-w0rm",
 "meta": {
 "date": "2013"
- }
+ },
+ "uuid": "ca6e2e9b-6b5a-447b-9561-295c807a6484"
 },
 {
 "description": "On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary’s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs —’file download’ or ‘file upload,’ for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands. ",
@@ -2143,7 +2369,8 @@
 "refs": [
 "https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928"
 ]
- }
+ },
+ "uuid": "7362581a-a7d1-4060-b225-e227f2df2b60"
 },
 {
 "description": "According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.",
@@ -2152,7 +2379,8 @@
 "refs": [
 "https://www.us-cert.gov/ncas/alerts/TA17-318A"
 ]
- }
+ },
+ "uuid": "e0bea149-2def-484f-b658-f782a4f94815"
 },
 {
 "description": "Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have following characteristics.\nTargets personnel or organizations related to South Korea or video games industry\nDistributes malware through Google Drive\nObtains C2 address from GitHub\nUses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.",
@@ -2161,7 +2389,8 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/"
 ]
- }
+ },
+ "uuid": "03694200-80c2-433d-9797-09eafcad1075"
 },
 {
 "description": "The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”",
@@ -2170,7 +2399,8 @@
 "refs": [
 "https://digitasecurity.com/blog/2018/01/23/crossrat/"
 ]
- }
+ },
+ "uuid": "696125b9-7a91-463a-9e6b-b4fc381b8833"
 }
 ]
 }
diff --git a/clusters/sector.json b/clusters/sector.json
index 66f78af..34edd92 100644
--- a/clusters/sector.json
+++ b/clusters/sector.json
@@ -1,361 +1,480 @@ { "values": [ { - "value": "Unknown" + "value": "Unknown", + "uuid": "3ff4e243-7e26-4535-b911-fdda2f724aa2" }, { - "value": "Other" + "value": "Other", + "uuid": "03655488-3d11-4fbf-8fe6-6148aaa01b83" }, { - "value": "Academia - University" + "value": "Academia - University", + "uuid": "98821a86-3c11-474b-afab-3c84af061407" }, { - "value": "Activists" + "value": "Activists", + "uuid": "0a62f502-0a51-44ac-82a3-0a965b98c7a9" }, { - "value": "Aerospace" + "value": "Aerospace", + "uuid": "12f90076-f03d-4a2d-9f33-7a274dc462bb" }, { - "value": "Agriculture" + "value": "Agriculture", + "uuid": "e2214f48-0cdd-4110-ba59-e703282adf2c" }, { - "value": "Arts" + "value": "Arts", + "uuid": "b5283132-9245-4a5f-b4bc-1937fd80d80a" }, { - "value": "Bank" + "value": "Bank", + "uuid": "19cc9f22-e682-4808-a96c-82e573703dff" }, { - "value": "Chemical" + "value": "Chemical", + "uuid": "306f828d-8eb8-4adb-bee9-3211bf2a4ff7" }, { - "value": "Citizens" + "value": "Citizens", + "uuid": "f50c1d4d-9d7c-4076-b5d4-e86dd5de4628" }, { - "value": "Civil Aviation" + "value": "Civil Aviation", + "uuid": "ed13b6c9-c32c-4a58-82a7-ce64dc7fa086" }, { - "value": "Country" + "value": "Country", + "uuid": "89e7e93a-394f-48e3-ba70-501df2f010c0" }, { - "value": "Culture" + "value": "Culture", + "uuid": "8c645d4e-8fcc-48a8-9656-5135cfbc10a6" }, { - "value": "Data Broker" + "value": "Data Broker", + "uuid": "0a2c80eb-ae5d-4d5e-b6fd-2703bc6a750d" }, { - "value": "Defense" + "value": "Defense", + "uuid": "9df5fb28-2298-4030-9db3-8cdef35bee14" }, { - "value": "Development" + "value": "Development", + "uuid": "96b329b2-2f04-4ce7-8ef2-bf3d898028c9" }, { - "value": "Diplomacy" + "value": "Diplomacy", + "uuid": "33cbaf17-7600-47f7-87c7-39640874a1b4" }, { - "value": "Education" + "value": "Education", + "uuid": "19eca562-123d-449b-af33-5a36e5279b12" }, { - "value": "Electric" + "value": "Electric", + "uuid": "ac2dad84-5194-41bb-9edd-aad8d42f828f" }, { - "value": "Electronic" + "value": "Electronic", 
+ "uuid": "04e0eef9-d7e8-4280-86bb-cc9897be8e08" }, { - "value": "Employment" + "value": "Employment", + "uuid": "474e6647-ff06-4a9b-8061-a1a43baf8b15" }, { - "value": "Energy" + "value": "Energy", + "uuid": "3a94474b-7e23-4e06-9129-faea7ef55af8" }, { - "value": "Entertainment" + "value": "Entertainment", + "uuid": "beb9d5d6-53df-4e99-8fa8-e52880fbe740" }, { - "value": "Environment" + "value": "Environment", + "uuid": "8291a998-e888-4351-87ec-c6da6b06bff6" }, { - "value": "Finance" + "value": "Finance", + "uuid": "75597b7f-54e8-4f14-88c9-e81485ece483" }, { - "value": "Food" + "value": "Food", + "uuid": "9ade7eff-e2ce-4f05-85de-bb6b70444db4" }, { - "value": "Game" + "value": "Game", + "uuid": "64493b1b-04eb-4f4d-94c7-65c3713131de" }, { - "value": "Gas" + "value": "Gas", + "uuid": "851c28c6-2e80-4d63-959b-44037931175b" }, { - "value": "Government, Administration" + "value": "Government, Administration", + "uuid": "6012ecea-dcc8-490c-b368-e2e06b2cb62f" }, { - "value": "Health" + "value": "Health", + "uuid": "4649fe79-cb8f-4aa3-b3e0-e67d4161fcb0" }, { - "value": "Higher education" + "value": "Higher education", + "uuid": "b822d660-fad3-40da-b4db-9bbf8fe23b27" }, { - "value": "Hotels" + "value": "Hotels", + "uuid": "909f4de6-91ea-44b6-9c8f-5983fd4877c2" }, { - "value": "Infrastructure" + "value": "Infrastructure", + "uuid": "641af156-12d0-4fb4-b89d-971cd454914f" }, { - "value": "Intelligence" + "value": "Intelligence", + "uuid": "7aeb79bf-cc1a-49b5-b2ec-5b1fe4a7e295" }, { - "value": "IT" + "value": "IT", + "uuid": "3f18e5e7-c77d-4890-9d09-412a39a822e5" }, { - "value": "IT - Hacker" + "value": "IT - Hacker", + "uuid": "342d0a71-584c-4e3f-9b2d-1dc5b5e53e97" }, { - "value": "IT - ISP" + "value": "IT - ISP", + "uuid": "872de996-e069-4cd9-b227-d5ca01dc020c" }, { - "value": "IT - Security" + "value": "IT - Security", + "uuid": "6d9dbde3-25de-48b9-ab98-361c4211e6be" }, { - "value": "Justice" + "value": "Justice", + "uuid": "784e59ae-89bb-4bc8-82c8-7fab6ca5fb8a" }, { - "value": 
"Manufacturing" + "value": "Manufacturing", + "uuid": "5cacd8fb-a3d4-4ed7-84b5-d69378038591" }, { - "value": "Maritime" + "value": "Maritime", + "uuid": "82ac6245-8691-4216-a6dd-8c99ebb8ce51" }, { - "value": "Military" + "value": "Military", + "uuid": "5aec0d78-53b2-4fcf-b165-537494b866e4" }, { - "value": "Multi-sector" + "value": "Multi-sector", + "uuid": "e10093ef-ccbf-4c24-9093-61e856c05ccd" }, { - "value": "News - Media" + "value": "News - Media", + "uuid": "a0499041-2b4e-43aa-8fe3-04c2de23abdd" }, { - "value": "NGO" + "value": "NGO", + "uuid": "d2f31b1f-a9b1-4f5b-b2b3-1aa2732a0608" }, { - "value": "Oil" + "value": "Oil", + "uuid": "5875cc3f-d0a5-445e-abb2-08411fc82522" }, { - "value": "Payment" + "value": "Payment", + "uuid": "0d688425-afb5-4f71-8b5a-f9be7d2d1551" }, { - "value": "Pharmacy" + "value": "Pharmacy", + "uuid": "8d7aa230-d07f-46e8-a099-6f1753793b84" }, { - "value": "Police - Law enforcement" + "value": "Police - Law enforcement", + "uuid": "36432a96-225a-4c90-b0f5-44eaee45e306" }, { - "value": "Research - Innovation" + "value": "Research - Innovation", + "uuid": "738939b4-c93f-4972-938a-7eb1f60188b9" }, { - "value": "Satellite navigation" + "value": "Satellite navigation", + "uuid": "40082760-ed9e-4fcb-8bfa-2341d81d5e22" }, { - "value": "Security systems" + "value": "Security systems", + "uuid": "23429f36-298a-4ac6-8db9-87223bef9cbf" }, { - "value": "Social networks" + "value": "Social networks", + "uuid": "61809257-9f13-4910-b824-f483c4334bb5" }, { - "value": "Space" + "value": "Space", + "uuid": "595be3ad-bfb3-4bea-b81a-2fef618a1075" }, { - "value": "Steel" + "value": "Steel", + "uuid": "cdc8b76f-a8df-4d30-81c1-bdb4935c718d" }, { - "value": "Telecoms" + "value": "Telecoms", + "uuid": "0de938bd-4efa-4c7a-9244-71a79317d142" }, { - "value": "Think Tanks" + "value": "Think Tanks", + "uuid": "3c70895b-573b-450c-ad0a-98b0e1a9741e" }, { - "value": "Trade" + "value": "Trade", + "uuid": "4fef12b1-0bee-4855-81fb-9b7d2c5a1dec" }, { - "value": "Transport" + 
"value": "Transport", + "uuid": "e93eb8db-72b1-4407-be3e-8cfea8f9efee" }, { - "value": "Travel" + "value": "Travel", + "uuid": "33a4f4fe-9bc3-4d43-b5ab-64fcc35882cf" }, { - "value": "Turbine" + "value": "Turbine", + "uuid": "69b8bfcd-600e-45d8-962a-ce09ed0914ab" }, { - "value": "Tourism" + "value": "Tourism", + "uuid": "bf0753fd-cb62-440d-a2c5-1adfb037676e" }, { - "value": "Life science" + "value": "Life science", + "uuid": "87eae00d-b973-46db-83a2-1f520aebcd44" }, { - "value": "Biomedical" + "value": "Biomedical", + "uuid": "58282b0e-10d4-4294-8845-6f41a1e79730" }, { - "value": "High tech" + "value": "High tech", + "uuid": "cd4dfa11-5f4a-4d02-a2cc-35603261e631" }, { - "value": "Opposition" + "value": "Opposition", + "uuid": "18daafae-a923-4cf5-bf87-d8b35dd297e2" }, { - "value": "Political party" + "value": "Political party", + "uuid": "a93f281c-1fb4-471d-88ba-dfe5f3af13ff" }, { - "value": "Hospitality" + "value": "Hospitality", + "uuid": "d1aa1165-981a-4d9f-aece-c130c5034e1b" }, { - "value": "Automotive" + "value": "Automotive", + "uuid": "79e7755d-d7fa-4bbc-b956-e296c614745e" }, { - "value": "Metal" + "value": "Metal", + "uuid": "3a7dae7d-2590-4e80-9c13-c22048a09f8a" }, { - "value": "Railway" + "value": "Railway", + "uuid": "02847338-fe03-4073-9f5b-c6fedc244b04" }, { - "value": "Water" + "value": "Water", + "uuid": "26282f7e-8db4-4369-8af1-3981f6a93350" }, { - "value": "Smart meter" + "value": "Smart meter", + "uuid": "62487559-c0e5-4250-af48-d43fa2e61b82" }, { - "value": "Retai" + "value": "Retai", + "uuid": "a26ae91b-df10-4c6f-b7bc-14c7ba13f21d" }, { - "value": "Retail" + "value": "Retail", + "uuid": "6ce2374c-2c81-4298-a941-666bf4258c00" }, { - "value": "Technology" + "value": "Technology", + "uuid": "ff403f0f-67d0-494c-aff9-1d748b7e7d8d" }, { - "value": "engineering" + "value": "engineering", + "uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc" }, { - "value": "Mining" + "value": "Mining", + "uuid": "7508db07-ffd1-4137-9941-718f18370c4c" }, { - "value": "Sport" + 
"value": "Sport", + "uuid": "e8355f07-48c7-497b-9a14-3c2a6325ef3d" }, { - "value": "Restaurant" + "value": "Restaurant", + "uuid": "5eee85f4-f8dc-4dea-9ba2-af1e9f957097" }, { - "value": "Semi-conductors" + "value": "Semi-conductors", + "uuid": "5b9bb2f4-3e03-46b9-ab65-a7f99b726a32" }, { - "value": "Insurance" + "value": "Insurance", + "uuid": "c4f35266-0f80-4948-9c0a-f4681ed0d507" }, { - "value": "Legal" + "value": "Legal", + "uuid": "94a7ffd4-d2e4-4324-be71-f274e84de089" }, { - "value": "Shipping" + "value": "Shipping", + "uuid": "64483d7b-71a4-4130-803e-2c614a098d8b" }, { - "value": "Logistic" + "value": "Logistic", + "uuid": "934bc859-ebc4-48d7-adb7-5accd4f0f965" }, { - "value": "Construction" + "value": "Construction", + "uuid": "4b5c230d-70b8-4748-a27c-bec121c436d8" }, { - "value": "Industrial" + "value": "Industrial", + "uuid": "3153215a-784d-478e-a147-3410a5b43b39" }, { - "value": "Communication equipment" + "value": "Communication equipment", + "uuid": "f4e11fd2-f2a2-4d09-8ed4-7ef978ccc03b" }, { - "value": "Security Service" + "value": "Security Service", + "uuid": "886e517c-0331-445e-9c4b-ebe08aeb01cd" }, { - "value": "Tax firm" + "value": "Tax firm", + "uuid": "138159c5-0b29-46a5-91e2-fe01f7e7111d" }, { - "value": "Television broadcast" + "value": "Television broadcast", + "uuid": "13fe4a5d-8d86-4875-b763-02bc5705810f" }, { - "value": "Separatists" + "value": "Separatists", + "uuid": "d6335a0a-dfa2-4150-804b-86d06139e38a" }, { - "value": "Dissidents" + "value": "Dissidents", + "uuid": "c2f32e7c-6162-4999-ac3b-356007446d18" }, { - "value": "Digital services" + "value": "Digital services", + "uuid": "5a9da7ef-57b8-4a22-88be-b8b6556fd447" }, { - "value": "Digital infrastructure" + "value": "Digital infrastructure", + "uuid": "a10c2362-3ee9-4741-b5a5-c2fd1c7c730f" }, { - "value": "Security actors" + "value": "Security actors", + "uuid": "0904672b-c18a-450e-88d6-6a94dd0eb25a" }, { - "value": "eCommerce" + "value": "eCommerce", + "uuid": 
"7e1ec8ba-24c4-4ad4-a596-7532ecbd0fbd" }, { - "value": "Islamic forums" + "value": "Islamic forums", + "uuid": "c529331a-e2a9-4ba9-bb92-d4f88ae3704b" }, { - "value": "Journalist" + "value": "Journalist", + "uuid": "ea95dce2-c2fc-48cb-95c7-d9200811f030" }, { - "value": "Streaming service" + "value": "Streaming service", + "uuid": "2287c024-9643-43ef-8776-858d3994b9ac" }, { - "value": "Puplishing industry" + "value": "Puplishing industry", + "uuid": "97e018e8-e03b-48ff-8add-1059f035069a" }, { - "value": "Publishing industry" + "value": "Publishing industry", + "uuid": "867cbcb3-8baa-476f-bec5-ceb36e9b1e09" }, { - "value": "Islamic organisation" + "value": "Islamic organisation", + "uuid": "3929f589-ac94-4a6a-8360-122e06484db8" }, { - "value": "Casino" + "value": "Casino", + "uuid": "2e7ad54f-7637-4268-a9b9-cb2975d6bab9" }, { - "value": "Consulting" + "value": "Consulting", + "uuid": "87ad7866-bdfa-4a22-a4f3-c411fecb1d0d" }, { - "value": "Online marketplace" + "value": "Online marketplace", + "uuid": "737a196b-7bab-460b-b199-d6626fca1af1" }, { - "value": "DNS service provider" + "value": "DNS service provider", + "uuid": "e48c0afc-afab-4ced-9a8b-a28d4a2efa08" }, { - "value": "Veterinary" + "value": "Veterinary", + "uuid": "4bc73e7c-d174-4faf-9176-d0ccc8ccfbbf" }, { - "value": "Marketing" + "value": "Marketing", + "uuid": "ee5720bb-c638-46f8-bdf2-55579bf37eb2" }, { - "value": "Video Sharing" + "value": "Video Sharing", + "uuid": "55d12d41-c558-4cdf-b2c5-f246403ca68f" }, { - "value": "Advertising" + "value": "Advertising", + "uuid": "b018010e-272e-4ca9-8551-073618d7f2ad" }, { - "value": "Investment" + "value": "Investment", + "uuid": "40d66f31-36c2-42ff-97c6-97b34b5ce04e" }, { - "value": "Accounting" + "value": "Accounting", + "uuid": "6edffd60-443c-4238-b368-362b47340d8b" }, { - "value": "Programming" + "value": "Programming", + "uuid": "855f40e1-074e-4818-8082-696a54adf13f" }, { - "value": "Managed Services Provider" + "value": "Managed Services Provider", + "uuid": 
"f9260307-f792-4e60-8aa5-e2b4f84adadb" }, { - "value": "Lawyers" + "value": "Lawyers", + "uuid": "56eee132-fc01-410c-ada0-44d713443bf2" }, { - "value": "Civil society" + "value": "Civil society", + "uuid": "9c1f6a5b-d9de-4cce-a024-7437cb20e24e" }, { - "value": "Petrochemical" + "value": "Petrochemical", + "uuid": "1f1c762b-1e39-4989-8679-cc1f9cb08349" }, { - "value": "Immigration" + "value": "Immigration", + "uuid": "bfd171a5-33f5-4c79-81c5-3dda99dae559" } ], "version": 1, diff --git a/clusters/tds.json b/clusters/tds.json index 6432908..aa61de8 100644 --- a/clusters/tds.json +++ b/clusters/tds.json @@ -10,7 +10,8 @@ "type": [ "Commercial" ] - } + }, + "uuid": "94c57fc0-4477-4643-b539-55ba8c455df6" }, { "value": "BlackTDS", @@ -22,7 +23,8 @@ "type": [ "Underground" ] - } + }, + "uuid": "d5c0cf8d-8ed0-4fa2-a2e6-7274516ea1c8" }, { "value": "ShadowTDS", @@ -31,7 +33,8 @@ "type": [ "Underground" ] - } + }, + "uuid": "2680a4b1-84d1-4af0-8126-4429a90f8ef8" }, { "value": "Sutra", @@ -43,7 +46,8 @@ "type": [ "Commercial" ] - } + }, + "uuid": "67f21003-bbc8-4993-b615-f990e539929f" }, { "value": "SimpleTDS", @@ -58,7 +62,8 @@ "type": [ "OpenSource" ] - } + }, + "uuid": "aa179c37-1a8a-4761-841a-cc940e19d7be" }, { "value": "BossTDS", @@ -70,7 +75,8 @@ "type": [ "Commercial" ] - } + }, + "uuid": "5a483b4b-671a-4113-9b99-a115d2d2d644" }, { "value": "BlackHat TDS", @@ -82,7 +88,8 @@ "type": [ "Underground" ] - } + }, + "uuid": "36aa3b2d-4927-45e5-be08-f30144fd1909" }, { "value": "Futuristic TDS", @@ -91,7 +98,8 @@ "type": [ "Underground" ] - } + }, + "uuid": "19d8eab9-72d5-4f22-affb-c0d6aed66346" }, { "value": "Orchid TDS", @@ -100,7 +108,8 @@ "type": [ "Underground" ] - } + }, + "uuid": "ec0048f2-a7b2-4a71-83de-6e8fe4fef252" } ], "version": 3, diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index f413928..c91c51c 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
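Review bot: The new `uuid` values cement the misspelled duplicate entries `"Retai"` and `"Puplishing industry"` (which sit next to `"Retail"` and `"Publishing industry"` in this clusters/sector.json hunk) as distinct, permanently referenceable taxonomy entries; unless they are kept deliberately for backwards compatibility, drop or mark them deprecated before minting identifiers, since a published uuid is hard to retire once consumers start referencing it. Every entry in the file changes, yet the trailing `"version": 1,` line is unchanged context, and the same holds for `"version": 3,` in the clusters/tds.json hunks that end on this line; if the version is not bumped in a hunk outside this view, consumers that refresh galaxies by version number will not pick up the new uuids. It would also be worth a one-off uniqueness check of the added uuids across all cluster files, because nothing visible here guards against a duplicated identifier.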
@@ -21,13 +21,15 @@ ] }, "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", - "value": "Comment Crew" + "value": "Comment Crew", + "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be" }, { "meta": { "country": "CN" }, - "value": "Stalker Panda" + "value": "Stalker Panda", + "uuid": "36843742-adf1-427c-a7c0-067d74b4aeaf" }, { "value": "Nitro", @@ -40,7 +42,8 @@ "synonyms": [ "Covert Grove" ] - } + }, + "uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80" }, { "value": "Codoso", @@ -59,7 +62,8 @@ "APT 19", "Sunshop Group" ] - } + }, + "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c" }, { "meta": { @@ -67,7 +71,8 @@ "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf" ] }, - "value": "Dust Storm" + "value": "Dust Storm", + "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929" }, { "value": "Karma Panda", @@ -77,7 +82,8 @@ "refs": [ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] - } + }, + "uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee" }, { "meta": { @@ -86,7 +92,8 @@ "temp.bottle" ] }, - "value": "Keyhole Panda" + "value": "Keyhole Panda", + "uuid": "ad022538-b457-4839-8ebd-3fdcc807a820" }, { "meta": { @@ -95,7 +102,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Wet Panda" + "value": "Wet Panda", + "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428" }, { "meta": { @@ -105,7 +113,8 @@ ] }, "value": "Foxy Panda", - "description": "Adversary group targeting telecommunication and technology organizations." + "description": "Adversary group targeting telecommunication and technology organizations.", + "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd" }, { "meta": { 
@@ -114,7 +123,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Predator Panda" + "value": "Predator Panda", + "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f" }, { "meta": { @@ -123,7 +133,8 @@ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, - "value": "Union Panda" + "value": "Union Panda", + "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8" }, { "meta": { @@ -132,7 +143,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Spicy Panda" + "value": "Spicy Panda", + "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb" }, { "meta": { @@ -141,7 +153,8 @@ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, - "value": "Eloquent Panda" + "value": "Eloquent Panda", + "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7" }, { "meta": { @@ -149,7 +162,8 @@ "LadyBoyle" ] }, - "value": "Dizzy Panda" + "value": "Dizzy Panda", + "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe" }, { "meta": { @@ -169,7 +183,8 @@ ] }, "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", - "value": "Putter Panda" + "value": "Putter Panda", + "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d" }, { "meta": { 
@@ -189,7 +204,8 @@ ] }, "value": "UPS", - "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'" + "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'", + "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae" }, { "meta": { 
@@ -210,7 +226,8 @@ ] }, "value": "DarkHotel", - "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'" + "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'", + "uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d" }, { "meta": { @@ -232,7 +249,8 @@ ] }, "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", - "value": "IXESHE" + "value": "IXESHE", + "uuid": "48146604-6693-4db1-bd94-159744726514" }, { "meta": { @@ -241,7 +259,8 @@ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" ] }, - "value": "APT 16" + "value": "APT 16", + "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf" }, { "meta": { 
@@ -260,7 +279,8 @@ ] }, "value": "Aurora Panda", - "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'" + "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'", + "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb" }, { "meta": { @@ -278,7 +298,8 @@ ] }, "value": "Wekby", - "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'" + "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'", + "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c" }, { "meta": { 
@@ -291,7 +312,8 @@ ] }, "value": "Tropic Trooper", - "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'" + "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'", + "uuid": "4fd409a9-db86-46a5-bdf2-b6c8ee397a89" }, { "meta": { 
@@ -320,7 +342,8 @@ ] }, "value": "Axiom", - "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'" + "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'", + "uuid": "24110866-cb22-4c85-a7d2-0413e126694b" }, { "meta": { @@ -341,7 +364,8 @@ ] }, "description": "Adversary group targeting financial, technology, non-profit organisations.", - "value": "Shell Crew" + "value": "Shell Crew", + "uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4" }, { "meta": { 
@@ -360,7 +384,8 @@ ] }, "value": "Naikon", - "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'" + "description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'", + "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff" }, { "meta": { @@ -374,7 +399,8 @@ "https://securelist.com/spring-dragon-updated-activity/79067/" ] }, - "value": "Lotus Blossom" + "value": "Lotus Blossom", + "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d" }, { "meta": { @@ -386,7 +412,8 @@ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" ] }, - "value": "Lotus Panda" + "value": "Lotus Panda", + "uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8" }, { "meta": { @@ -399,7 +426,8 @@ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" ] }, - "value": "Hurricane Panda" + "value": "Hurricane Panda", + "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb" }, { "meta": { @@ -424,7 +452,8 @@ ] }, "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.", - "value": "Emissary Panda" + "value": "Emissary Panda", + "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32" }, { "meta": { @@ -443,7 +472,8 @@ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" ] }, - "value": "Stone Panda" + "value": "Stone Panda", + "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c" }, { "meta": { 
@@ -458,7 +488,8 @@ "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/" ] }, - "value": "Nightshade Panda" + "value": "Nightshade Panda", + "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45" }, { "meta": { @@ -471,7 +502,8 @@ "https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/" ] }, - "value": "Hellsing" + "value": "Hellsing", + "uuid": "af482dde-9e47-48d5-9cb2-cf8f6d6303d3" }, { "meta": { @@ -480,7 +512,8 @@ "https://kc.mcafee.com/corporate/index?page=content&id=KB71150" ] }, - "value": "Night Dragon" + "value": "Night Dragon", + "uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d" }, { "meta": { @@ -500,7 +533,8 @@ "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/" ] }, - "value": "Mirage" + "value": "Mirage", + "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8" }, { "meta": { @@ -517,7 +551,8 @@ "motive": "Espionage" }, "value": "Anchor Panda", - "description": "PLA Navy" + "description": "PLA Navy", + "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104" }, { "meta": { @@ -529,7 +564,8 @@ "https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/" ] }, - "value": "NetTraveler" + "value": "NetTraveler", + "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e" }, { "meta": { @@ -544,7 +580,8 @@ ] }, "value": "Ice Fog", - "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well." + "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well.", + "uuid": "32c534b9-abec-4823-b223-a810f897b47b" }, { "meta": { 
@@ -558,7 +595,8 @@ ] }, "value": "Pitty Panda", - "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials" + "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials", + "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189" }, { "value": "Roaming Tiger", @@ -566,7 +604,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" ] - } + }, + "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d" }, { "meta": { @@ -575,7 +614,8 @@ "Sneaky Panda" ] }, - "value": "Beijing Group" + "value": "Beijing Group", + "uuid": "da754aeb-a86d-4874-b388-d1d2028a56be" }, { "meta": { @@ -584,7 +624,8 @@ "Shrouded Crossbow" ] }, - "value": "Radio Panda" + "value": "Radio Panda", + "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e" }, { "value": "APT.3102", @@ -593,7 +634,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/" ] - } + }, + "uuid": "f33fd440-93ee-41e5-974a-be9343e18cdf" }, { "meta": { @@ -611,13 +653,15 @@ "http://www.crowdstrike.com/blog/whois-samurai-panda/" ] }, - "value": "Samurai Panda" + "value": "Samurai Panda", + "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7" }, { "meta": { "country": "CN" }, - "value": "Impersonating Panda" + "value": "Impersonating Panda", + "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1" }, { "meta": { @@ -633,7 +677,8 @@ "TH3Bug" ] }, - "value": "Violin Panda" + "value": "Violin Panda", + "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40" }, { "meta": { @@ -643,7 +688,8 @@ ] }, "description": "A group targeting dissident groups in China and at the boundaries.", - "value": "Toxic Panda" + "value": "Toxic Panda", + "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761" }, { "meta": { 
@@ -660,7 +706,8 @@ ] }, "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.", - "value": "Temper Panda" + "value": "Temper Panda", + "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b" }, { "meta": { @@ -674,7 +721,8 @@ "KeyBoy" ] }, - "value": "Pirate Panda" + "value": "Pirate Panda", + "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee" }, { "meta": { @@ -692,7 +740,8 @@ ] }, "value": "Flying Kitten", - "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry." + "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.", + "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48" }, { "meta": { @@ -708,7 +757,8 @@ ] }, "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.", - "value": "Cutting Kitten" + "value": "Cutting Kitten", + "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e" }, { "meta": { 
@@ -733,7 +783,8 @@ ] }, "value": "Charming Kitten", - "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors." + "description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.", + "uuid": "f98bac6b-12fd-4cad-be84-c84666932232" }, { "meta": { @@ -744,7 +795,8 @@ ] }, "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.", - "value": "APT33" + "value": "APT33", + "uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10" }, { "meta": { @@ -757,7 +809,8 @@ ] }, "description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.", - "value": "Magic Kitten" + "value": "Magic Kitten", + "uuid": "2e77511d-f72f-409e-9b64-e2a15efe9bf4" }, { "meta": { @@ -780,7 +833,8 @@ ] }, "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", - "value": "Rocket Kitten" + "value": "Rocket Kitten", + "uuid": "f873db71-3d53-41d5-b141-530675ade27a" }, { "meta": { 
@@ -802,13 +856,15 @@
 ]
 },
 "value": "Cleaver",
- "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies."
+ "description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies.",
+ "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810"
 },
 {
 "meta": {
 "country": "IR"
 },
- "value": "Sands Casino"
+ "value": "Sands Casino",
+ "uuid": "1de1a64e-ea14-4e79-9e41-6958bdb6c0ff"
 },
 {
 "meta": {
@@ -819,7 +875,8 @@
 "motive": "Hacktivism-Nationalist"
 },
 "value": "Rebel Jackal",
- "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region."
+ "description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.",
+ "uuid": "29af2812-f7fb-4edb-8cc4-86d0d9e3644b"
 },
 {
 "meta": {
@@ -828,7 +885,8 @@
 "Vikingdom"
 ]
 },
- "value": "Viking Jackal"
+ "value": "Viking Jackal",
+ "uuid": "7f99ba32-421c-4905-9deb-006e8eda40c1"
 },
 {
 "meta": {
@@ -858,7 +916,8 @@
 ]
 },
 "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
- "value": "Sofacy"
+ "value": "Sofacy",
+ "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754"
 },
 {
 "meta": {
@@ -889,7 +948,8 @@ ] }, "value": "APT 29", - "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. 
These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '" + "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. 
These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering '", + "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a" }, { "meta": { 
@@ -921,7 +981,8 @@ "country": "RU" }, "value": "Turla Group", - "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. 
Cyrillic was also seen in use.'" + "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", + "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68" }, { "meta": { 
@@ -942,7 +1003,8 @@
 ]
 },
 "description": "A Russian group that collects intelligence on the energy industry.",
- "value": "Energetic Bear"
+ "value": "Energetic Bear",
+ "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee"
 },
 {
 "meta": {
@@ -963,7 +1025,8 @@
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid"
 ]
 },
- "value": "Sandworm"
+ "value": "Sandworm",
+ "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35"
 },
 {
 "meta": {
@@ -976,7 +1039,8 @@
 ]
 },
 "value": "TeleBots",
- "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
+ "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.",
+ "uuid": "b47250ec-2094-4d06-b658-11456e05fe89"
 },
 {
 "meta": {
@@ -998,7 +1062,8 @@
 "motive": "Cybercrime"
 },
 "description": "Groups targeting financial organizations or people with significant financial assets.",
- "value": "Anunak"
+ "value": "Anunak",
+ "uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb"
 },
 {
 "meta": {
@@ -1013,7 +1078,8 @@
 "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"
 ]
 },
- "value": "TeamSpy Crew"
+ "value": "TeamSpy Crew",
+ "uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445"
 },
 {
 "meta": {
@@ -1022,13 +1088,15 @@
 "http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"
 ]
 },
- "value": "BuhTrap"
+ "value": "BuhTrap",
+ "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb"
 },
 {
 "meta": {
 "country": "RU"
 },
- "value": "Berserk Bear"
+ "value": "Berserk Bear",
+ "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624"
 },
 {
 "meta": {
@@ -1037,21 +1105,24 @@
 "FIN4"
 ]
 },
- "value": "Wolf Spider"
+ "value": "Wolf Spider",
+ "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57"
 },
 {
 "meta": {
 "country": "RU"
 },
 "value": "Boulder Bear",
- "description": "First observed activity in December 2013."
+ "description": "First observed activity in December 2013.",
+ "uuid": "85b40169-3d1c-491b-9fbf-877ed57f32e0"
 },
 {
 "meta": {
 "country": "RU"
 },
 "value": "Shark Spider",
- "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets."
+ "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.",
+ "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4"
 },
 {
 "meta": {
@@ -1061,7 +1132,8 @@
 ]
 },
 "value": "Union Spider",
- "description": "Adversary targeting manufacturing and industrial organizations."
+ "description": "Adversary targeting manufacturing and industrial organizations.",
+ "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd"
 },
 {
 "meta": {
@@ -1076,7 +1148,8 @@
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
 ]
 },
- "value": "Silent Chollima"
+ "value": "Silent Chollima",
+ "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7"
 },
 {
 "meta": {
@@ -1103,7 +1176,8 @@
 ]
 },
 "value": "Lazarus Group",
- "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman."
+ "description": "Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.",
+ "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376"
 },
 {
 "meta": {
@@ -1116,7 +1190,8 @@
 "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
 ]
 },
- "value": "Viceroy Tiger"
+ "value": "Viceroy Tiger",
+ "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239"
 },
 {
 "meta": {
@@ -1126,7 +1201,8 @@
 ],
 "country": "US"
 },
- "value": "Pizzo Spider"
+ "value": "Pizzo Spider",
+ "uuid": "dd9806a9-a600-48f8-81fb-07f0f1b7690d"
 },
 {
 "meta": {
@@ -1138,7 +1214,8 @@
 "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
 ]
 },
- "value": "Corsair Jackal"
+ "value": "Corsair Jackal",
+ "uuid": "59d63dd6-f46f-4334-ad15-30d2e1ee0623"
 },
 {
 "value": "SNOWGLOBE",
@@ -1155,7 +1232,8 @@
 "Animal Farm"
 ]
 },
- "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
+ "description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.",
+ "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab"
 },
 {
 "meta": {
@@ -1169,7 +1247,8 @@
 ]
 },
 "description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear",
- "value": "Deadeye Jackal"
+ "value": "Deadeye Jackal",
+ "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d"
 },
 {
 "meta": {
@@ -1182,7 +1261,8 @@
 ]
 },
 "value": "Operation C-Major",
- "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
+ "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro.",
+ "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905"
 },
 {
 "meta": {
@@ -1195,7 +1275,8 @@
 "country": "AE"
 },
 "value": "Stealth Falcon",
- "description": "Group targeting Emirati journalists, activists, and dissidents."
+ "description": "Group targeting Emirati journalists, activists, and dissidents.",
+ "uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0"
 },
 {
 "meta": {
@@ -1208,7 +1289,8 @@
 ]
 },
 "value": "ScarCruft",
- "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
+ "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.",
+ "uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338"
 },
 {
 "meta": {
@@ -1222,7 +1304,8 @@
 "country": "RU"
 },
 "value": "Pacifier APT",
- "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
+ "description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail.",
+ "uuid": "32db3cc1-bb79-4b08-a7a4-747a37221afa"
 },
 {
 "meta": {
@@ -1232,7 +1315,8 @@
 ]
 },
 "description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder",
- "value": "HummingBad"
+ "value": "HummingBad",
+ "uuid": "12ab5c28-5f38-4a2f-bd40-40e9c500f4ac"
 },
 {
 "meta": {
@@ -1250,7 +1334,8 @@
 ]
 },
 "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
- "value": "Dropping Elephant"
+ "value": "Dropping Elephant",
+ "uuid": "18d473a5-831b-47a5-97a1-a32156299825"
 },
 {
 "meta": {
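Review bot: The HummingBad entry in the middle hunk gets its own identifier even though its description reads as a malware/ad-fraud operation rather than a named actor, and the same name is also used for a malware family in other cluster files; if both entries are meant to describe the same thing, they will now carry unrelated uuids unless one of them gains a `related` entry pointing at the other. Whether a cross-reference is intended cannot be determined from this hunk, so this is a question for the author rather than a defect. If the two objects are deliberately distinct, a short sentence in the description (e.g. `"description": "... The HummingBad malware itself is tracked separately."`) would stop readers from conflating them.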
@@ -1259,7 +1344,8 @@
 ]
 },
 "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.",
- "value": "Operation Transparent Tribe"
+ "value": "Operation Transparent Tribe",
+ "uuid": "0b36d80d-5966-4c91-945b-1ac85552aa7b"
 },
 {
 "meta": {
@@ -1270,7 +1356,8 @@
 ]
 },
 "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
- "value": "Scarlet Mimic"
+ "value": "Scarlet Mimic",
+ "uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e"
 },
 {
 "meta": {
@@ -1281,7 +1368,8 @@
 "country": "BR"
 },
 "description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
- "value": "Poseidon Group"
+ "value": "Poseidon Group",
+ "uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d"
 },
 {
 "meta": {
@@ -1299,7 +1387,8 @@
 "country": "CN"
 },
 "description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
- "value": "DragonOK"
+ "value": "DragonOK",
+ "uuid": "a9b44750-992c-4743-8922-129880d277ea"
 },
 {
 "meta": {
@@ -1314,7 +1403,8 @@
 "country": "CN"
 },
 "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
- "value": "Threat Group-3390"
+ "value": "Threat Group-3390",
+ "uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045"
 },
 {
 "meta": {
@@ -1327,7 +1417,8 @@
 ]
 },
 "description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
- "value": "ProjectSauron"
+ "value": "ProjectSauron",
+ "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7"
 },
 {
 "meta": {
@@ -1341,14 +1432,16 @@
 "country": "CN"
 },
 "value": "APT 30",
- "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
+ "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
+ "uuid": "f26144c5-8593-4e78-831a-11f6452d809b"
 },
 {
 "meta": {
 "country": "CN"
 },
 "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns",
- "value": "TA530"
+ "value": "TA530",
+ "uuid": "4b79d1f6-8333-44b6-ac32-d1ea7e47e77f"
 },
 {
 "meta": {
@@ -1358,7 +1451,8 @@
 "country": "RU"
 },
 "description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
- "value": "GCMAN"
+ "value": "GCMAN",
+ "uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0"
 },
 {
 "meta": {
@@ -1369,7 +1463,8 @@
 "country": "CN"
 },
 "description": "Suckfly is a China-based threat group that has been active since at least 2014",
- "value": "Suckfly"
+ "value": "Suckfly",
+ "uuid": "5abb12e7-5066-4f84-a109-49a037205c76"
 },
 {
 "meta": {
@@ -1378,14 +1473,16 @@
 ]
 },
 "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
- "value": "FIN6"
+ "value": "FIN6",
+ "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302"
 },
 {
 "meta": {
 "country": "LY"
 },
 "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
- "value": "Libyan Scorpions"
+ "value": "Libyan Scorpions",
+ "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731"
 },
 {
 "meta": {
@@ -1397,7 +1494,8 @@
 "https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
 ]
 },
- "value": "TeamXRat"
+ "value": "TeamXRat",
+ "uuid": "43ec65d1-a334-4c44-9a44-0fd21f27249d"
 },
 {
 "meta": {
@@ -1422,7 +1520,8 @@ ] }, "value": "OilRig", - "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. 
OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access." + "description": "OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. \r\n\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:\r\n\r\n-Organized evasion testing used the during development of their tools.\r\n-Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration.\r\n-Custom web-shells and backdoors used to persistently access servers.\r\n\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. 
After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.", + "uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba" }, { "meta": { @@ -1431,7 +1530,8 @@ ] }, "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .", - "value": "Volatile Cedar" + "value": "Volatile Cedar", + "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a" }, { "meta": { @@ -1441,7 +1541,8 @@ ] }, "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.", - "value": "Malware reusers" + "value": "Malware reusers", + "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632" }, { "value": "TERBIUM", @@ -1450,7 +1551,8 @@ "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" ] - } + }, + "uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404" }, { "value": "Molerats", @@ -1467,7 +1569,8 @@ "Extreme Jackal", "Moonlight" ] - } + }, + "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde" }, { "value": "PROMETHIUM", @@ -1481,7 +1584,8 @@ "StrongPity" ], "country": "TR" - } + }, + "uuid": "43894e2a-174e-4931-94a8-2296afe8f650" }, { "value": "NEODYMIUM", 
@@ -1490,7 +1594,8 @@
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
 ]
- }
+ },
+ "uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb"
 },
 {
 "value": "Packrat",
@@ -1499,7 +1604,8 @@
 "refs": [
 "https://citizenlab.org/2015/12/packrat-report/"
 ]
- }
+ },
+ "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7"
 },
 {
 "value": "Cadelle",
@@ -1509,7 +1615,8 @@
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
 ],
 "country": "IR"
- }
+ },
+ "uuid": "03f13462-003c-4296-8784-bccea16710a9"
 },
 {
 "value": "Chafer",
@@ -1519,7 +1626,8 @@
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
 ],
 "country": "IR"
- }
+ },
+ "uuid": "ddd95696-3d9a-4d0c-beec-a34d396182f3"
 },
 {
 "value": "PassCV",
@@ -1529,7 +1637,8 @@
 "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
 ],
 "country": "CN"
- }
+ },
+ "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965"
 },
 {
 "value": "Sath-ı Müdafaa",
@@ -1537,7 +1646,8 @@
 "meta": {
 "country": "TR",
 "motive": "Hacktivists-Nationalists"
- }
+ },
+ "uuid": "a03e2b4b-617f-4d28-ac4b-9943f792aa22"
 },
 {
 "value": "Aslan Neferler Tim",
@@ -1549,7 +1659,8 @@
 "Phantom Turk"
 ],
 "motive": "Hacktivists-Nationalists"
- }
+ },
+ "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a"
 },
 {
 "value": "Ayyıldız Tim",
@@ -1560,7 +1671,8 @@
 "Crescent and Star"
 ],
 "motive": "Hacktivists-Nationalists"
- }
+ },
+ "uuid": "ab1771de-25bb-4688-b132-eabb5d6452a1"
 },
 {
 "value": "TurkHackTeam",
@@ -1571,7 +1683,8 @@
 "Turk Hack Team"
 ],
 "motive": "Hacktivists-Nationalists"
- }
+ },
+ "uuid": "7ae74dc6-ded3-4873-a803-abb4160d10c0"
 },
 {
 "value": "Equation Group",
@@ -1586,7 +1699,8 @@
 "Lamberts",
 "EQGRP"
 ]
- }
+ },
+ "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840"
 },
 {
 "value": "Greenbug",
@@ -1597,7 +1711,8 @@ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" ], "country": "IR" - } + }, + "uuid": "47204403-34c9-4d25-a006-296a0939d1a2" }, { "value": "Gamaredon Group", @@ -1606,7 +1721,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution" ] - } + }, + "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb" }, { "meta": { @@ -1620,7 +1736,8 @@ ] }, "value": "Hammer Panda", - "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia." + "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.", + "uuid": "1f2762d9-a4b5-4457-ac51-00be05be9e23" }, { "meta": { @@ -1636,7 +1753,8 @@ ] }, "value": "Infy", - "description": "Infy is a group of suspected Iranian origin." + "description": "Infy is a group of suspected Iranian origin.", + "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e" }, { "meta": { @@ -1647,7 +1765,8 @@ ] }, "value": "Sima", - "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora." + "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.", + "uuid": "80f9184d-1df3-4ad0-a452-cdb90fe57216" }, { "meta": { @@ -1661,7 +1780,8 @@ ] }, "value": "Blue Termite", - "description": "Blue Termite is a group of suspected Chinese origin active in Japan." + "description": "Blue Termite is a group of suspected Chinese origin active in Japan.", + "uuid": "a250af72-f66c-4d02-9f36-ab764ce9fe85" }, { "meta": { 
@@ -1671,7 +1791,8 @@ ] }, "value": "Groundbait", - "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics." + "description": "Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.", + "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73" }, { "meta": { 
@@ -1682,7 +1803,8 @@ "country": "US" }, "value": "Longhorn", - "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally." + "description": "Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.", + "uuid": "2f3311cd-8476-4be7-9005-ead920afc781" }, { "meta": { 
@@ -1691,7 +1813,8 @@ ] }, "value": "Callisto", - "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions." + "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", + "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f" }, { "meta": { @@ -1712,7 +1835,8 @@ ] }, "value": "APT32", - "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests." + "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.", + "uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7" }, { "value": "SilverTerrier", 
@@ -1722,7 +1846,8 @@ "refs": [ "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" ] - } + }, + "uuid": "acbfd9e4-f78c-4ae0-9b52-c35ed679e546" }, { "value": "WildNeutron", @@ -1738,7 +1863,8 @@ "Morpho", "Sphinx Moth" ] - } + }, + "uuid": "e7df3572-0c96-4968-8e5a-803ef4219762" }, { "value": "PLATINUM", @@ -1751,7 +1877,8 @@ "synonyms": [ "TwoForOne" ] - } + }, + "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a" }, { "value": "ELECTRUM", @@ -1764,7 +1891,8 @@ "synonyms": [ "Sandworm" ] - } + }, + "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c" }, { "meta": { @@ -1776,7 +1904,8 @@ ] }, "description": "FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.", - "value": "FIN8" + "value": "FIN8", + "uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73" }, { "value": "El Machete", @@ -1786,7 +1915,8 @@ "https://securelist.com/blog/research/66108/el-machete/", "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html" ] - } + }, + "uuid": "827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3" }, { "value": "Cobalt", @@ -1799,7 +1929,8 @@ "Cobalt group", "Cobalt gang" ] - } + }, + "uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe" }, { "meta": { @@ -1808,7 +1939,8 @@ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" ] }, - "value": "TA459" + "value": "TA459", + "uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314" }, { "meta": { @@ -1817,7 +1949,8 @@ ], "country": "RU" }, - "value": "Cyber Berkut" + "value": "Cyber Berkut", + "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8" }, { "meta": { 
@@ -1827,7 +1960,8 @@ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/" ] }, - "value": "Tonto Team" + "value": "Tonto Team", + "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26" }, { "value": "Danti", @@ -1835,7 +1969,8 @@ "refs": [ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" ] - } + }, + "uuid": "fb745fe1-5478-4d47-ad3d-7389fa4a6f77" }, { "value": "APT5", @@ -1843,7 +1978,8 @@ "refs": [ "https://www.fireeye.com/current-threats/apt-groups.html" ] - } + }, + "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795" }, { "meta": { @@ -1855,7 +1991,8 @@ "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild" ] }, - "value": "APT 22" + "value": "APT 22", + "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842" }, { "meta": { @@ -1870,7 +2007,8 @@ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" ] }, - "value": "Tick" + "value": "Tick", + "uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8" }, { "meta": { @@ -1881,7 +2019,8 @@ ], "country": "CN" }, - "value": "APT 26" + "value": "APT 26", + "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11" }, { "meta": { @@ -1890,7 +2029,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Sabre Panda" + "value": "Sabre Panda", + "uuid": "67adfa07-869f-4052-9d56-b88a51489902" }, { "meta": { @@ -1899,7 +2039,8 @@ "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" ] }, - "value": "Big Panda" + "value": "Big Panda", + "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766" }, { "meta": { 
@@ -1908,7 +2049,8 @@ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" ] }, - "value": "Poisonous Panda" + "value": "Poisonous Panda", + "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c" }, { "value": "Ghost Jackal", @@ -1916,7 +2058,8 @@ "refs": [ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] - } + }, + "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15" }, { "meta": { @@ -1925,7 +2068,8 @@ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" ] }, - "value": "TEMP.Hermit" + "value": "TEMP.Hermit", + "uuid": "73c636ae-e55c-4167-bf40-315789698adb" }, { "meta": { @@ -1938,7 +2082,8 @@ "https://www.threatconnect.com/china-superman-apt/" ] }, - "value": "Mofang" + "value": "Mofang", + "uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344" }, { "meta": { @@ -1953,7 +2098,8 @@ "http://www.clearskysec.com/tulip/" ] }, - "value": "CopyKittens" + "value": "CopyKittens", + "uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae" }, { "value": "EvilPost", @@ -1961,7 +2107,8 @@ "refs": [ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ] - } + }, + "uuid": "9035bfbf-a73f-4948-9df2-bd893e9cafef" }, { "meta": { @@ -1971,7 +2118,8 @@ ] }, "value": "SVCMONDR", - "description": "The referenced link links this group to Temper Panda" + "description": "The referenced link links this group to Temper Panda", + "uuid": "70b80bcc-58e3-4a09-a3bf-98c0412bb7d3" }, { "value": "Test Panda", @@ -1980,7 +2128,8 @@ "refs": [ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] - } + }, + "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab" }, { "meta": { 
@@ -1990,7 +2139,8 @@ "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/" ] }, - "value": "Madi" + "value": "Madi", + "uuid": "d5dacda0-12c2-4e80-bdf2-1c5019ec40e2" }, { "meta": { @@ -1999,7 +2149,8 @@ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, - "value": "Electric Panda" + "value": "Electric Panda", + "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce" }, { "meta": { @@ -2014,7 +2165,8 @@ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919" ] }, - "value": "Maverick Panda" + "value": "Maverick Panda", + "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b" }, { "meta": { @@ -2023,7 +2175,8 @@ "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/" ] }, - "value": "Kimsuki" + "value": "Kimsuki", + "uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3" }, { "value": "Snake Wine", @@ -2031,7 +2184,8 @@ "refs": [ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html" ] - } + }, + "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5" }, { "value": "Careto", @@ -2042,7 +2196,8 @@ "synonyms": [ "The Mask" ] - } + }, + "uuid": "069ba781-b2d9-4403-9d9d-c599f5e0181d" }, { "meta": { @@ -2051,7 +2206,8 @@ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ] }, - "value": "Gibberish Panda" + "value": "Gibberish Panda", + "uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0" }, { "meta": { @@ -2060,7 +2216,8 @@ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml" ] }, - "value": "OnionDog" + "value": "OnionDog", + "uuid": "5898e11e-a023-464d-975c-b36fb1639e69" }, { "meta": { @@ -2072,7 +2229,8 @@ "http://www.crowdstrike.com/blog/whois-clever-kitten/" ] }, - "value": "Clever Kitten" + "value": "Clever Kitten", + "uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be" }, { "meta": { 
@@ -2080,7 +2238,8 @@ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, - "value": "Andromeda Spider" + "value": "Andromeda Spider", + "uuid": "e85ab78c-5e86-403c-b444-9cdcc167fb77" }, { "value": "Cyber Caliphate Army", @@ -2095,7 +2254,8 @@ "United Cyber Caliphate", "UUC" ] - } + }, + "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0" }, { "meta": { @@ -2104,7 +2264,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Magnetic Spider" + "value": "Magnetic Spider", + "uuid": "430ba885-cd24-492e-804c-815176ed9b1e" }, { "meta": { @@ -2113,7 +2274,8 @@ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf" ] }, - "value": "Group 27" + "value": "Group 27", + "uuid": "73e4728a-955e-426a-b144-8cb95131f2ca" }, { "meta": { @@ -2121,7 +2283,8 @@ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, - "value": "Singing Spider" + "value": "Singing Spider", + "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50" }, { "meta": { @@ -2134,7 +2297,8 @@ "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html" ] }, - "value": "Cyber fighters of Izz Ad-Din Al Qassam" + "value": "Cyber fighters of Izz Ad-Din Al Qassam", + "uuid": "22c2b363-5d8f-4b04-96db-1b6cf4d7e8db" }, { "meta": { @@ -2144,7 +2308,8 @@ ], "country": "CN" }, - "value": "APT 6" + "value": "APT 6", + "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7" }, { "value": "AridViper", @@ -2166,7 +2331,8 @@ "Arid Viper", "APT-C-23" ] - } + }, + "uuid": "0cfff0f4-868c-40a1-b9b4-0d153c0b33b6" }, { "meta": { 
@@ -2174,7 +2340,8 @@ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" ] }, - "value": "Dextorous Spider" + "value": "Dextorous Spider", + "uuid": "445c7b62-028b-455e-9d65-74899b7006a4" }, { "value": "Unit 8200", @@ -2187,7 +2354,8 @@ "synonyms": [ "Duqu Group" ] - } + }, + "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02" }, { "meta": { @@ -2199,7 +2367,8 @@ ], "country": "RU" }, - "value": "White Bear" + "value": "White Bear", + "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6" }, { "meta": { @@ -2208,7 +2377,8 @@ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" ] }, - "value": "Pale Panda" + "value": "Pale Panda", + "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7" }, { "meta": { @@ -2217,7 +2387,8 @@ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" ] }, - "value": "Mana Team" + "value": "Mana Team", + "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994" }, { "meta": { @@ -2226,7 +2397,8 @@ ] }, "description": "Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates. ", - "value": "Sowbug" + "value": "Sowbug", + "uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5" }, { "meta": { 
@@ -2235,7 +2407,8 @@ ] }, "description": "The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.", - "value": "MuddyWater" + "value": "MuddyWater", + "uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b" }, { "meta": { @@ -2246,7 +2419,8 @@ ] }, "description": "In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.", - "value": "MoneyTaker" + "value": "MoneyTaker", + "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f" }, { "value": "Microcin", @@ -2256,7 +2430,8 @@ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/", "https://cdn.securelist.com/files/2017/09/Microcin_Technical_4PDF_eng_final_s.pdf" ] - } + }, + "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632" }, { "meta": { 
@@ -2266,7 +2441,8 @@ ] }, "value": "Dark Caracal", - "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information." + "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.", + "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94" }, { "value": "Nexus Zeta", @@ -2275,7 +2451,8 @@ "refs": [ "https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7" ] - } + }, + "uuid": "8c21ce09-33c3-412c-bb55-323765e89a60" }, { "value": "APT37", diff --git a/clusters/tool.json b/clusters/tool.json index 2f1abb5..87981c0 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -28,7 +28,8 @@ ] }, "description": "Banking Malware", - "value": "Tinba" + "value": "Tinba", + "uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc" }, { "meta": { @@ -47,7 +48,8 @@ ] }, "description": "Malware", - "value": "PlugX" + "value": "PlugX", + "uuid": "f4b159ea-97e5-483b-854b-c48a78d562aa" }, { "meta": { 
@@ -59,7 +61,8 @@ ] }, "description": " Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "value": "MSUpdater" + "value": "MSUpdater", + "uuid": "f85d2d5a-6e3c-44e4-bd3b-6100c04b4ba9" }, { "meta": { @@ -71,7 +74,8 @@ ] }, "description": "A password sthealing tool regularly used by attackers", - "value": "Lazagne" + "value": "Lazagne", + "uuid": "d0394d50-5316-4405-aa77-1070bdf68b6a" }, { "meta": { @@ -88,7 +92,8 @@ ] }, "description": "Poison Ivy is a RAT which was freely available and first released in 2005.", - "value": "Poison Ivy" + "value": "Poison Ivy", + "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54" }, { "meta": { @@ -100,7 +105,8 @@ ] }, "description": "In March 2016, Unit 42 observed this new Poison Ivy variant we’ve named SPIVY being deployed via weaponized documents leveraging CVE-2015-2545.", - "value": "SPIVY" + "value": "SPIVY", + "uuid": "a3d2e7fe-a8e4-48c7-8d47-b9430898af08" }, { "meta": { @@ -114,7 +120,8 @@ "https://www.crowdstrike.com/blog/whois-anchor-panda/" ] }, - "value": "Torn RAT" + "value": "Torn RAT", + "uuid": "32a67552-3b31-47bb-8098-078099bbc813" }, { "meta": { @@ -129,7 +136,8 @@ "https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat" ] }, - "value": "OzoneRAT" + "value": "OzoneRAT", + "uuid": "e3010d81-94e2-43a9-98ed-61925b02be6e" }, { "meta": { @@ -146,7 +154,8 @@ ] }, "description": "ZeGhots is a RAT which was freely available and first released in 2014.", - "value": "ZeGhost" + "value": "ZeGhost", + "uuid": "c7706d12-fb62-4db6-bbe3-fef2da0181e7" }, { "meta": { @@ -162,7 +171,8 @@ ] }, "description": "Trojan (RAT) linked to current targeted attacks and others dating back to at least early 2009", - "value": "Elise Backdoor" + "value": "Elise Backdoor", + "uuid": "d70fd29d-590e-4ed5-b72f-6ce0142019c6" }, { "meta": { 
@@ -178,7 +188,8 @@ ] }, "description": "A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.", - "value": "Trojan.Laziok" + "value": "Trojan.Laziok", + "uuid": "7ccd3821-e825-4ff8-b4be-92c9732ce708" }, { "meta": { @@ -197,7 +208,8 @@ ] }, "description": "Android-based malware", - "value": "Slempo" + "value": "Slempo", + "uuid": "f8047de2-fefc-4ee0-825b-f1fae4b20c09" }, { "meta": { @@ -219,7 +231,8 @@ ] }, "description": "We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.", - "value": "PWOBot" + "value": "PWOBot", + "uuid": "17de0952-3841-44d3-b03a-cc90e123d2b8" }, { "meta": { @@ -235,7 +248,8 @@ ] }, "description": "We recently came across a cyber attack that used a remote access Trojan (RAT) called Lost Door, a tool currently offered on social media sites. What also struck us the most about this RAT (detected as BKDR_LODORAT.A) is how it abuses the Port Forward feature in routers.", - "value": "Lost Door RAT" + "value": "Lost Door RAT", + "uuid": "6d0b7543-a6e5-49fc-832e-bd594460187c" }, { "meta": { @@ -251,7 +265,8 @@ "Jorik" ] }, - "value": "njRAT" + "value": "njRAT", + "uuid": "a860d257-4a39-47ec-9230-94cac67ebf7e" }, { "meta": { @@ -269,7 +284,8 @@ "Atros2.CKPN" ] }, - "value": "NanoCoreRAT" + "value": "NanoCoreRAT", + "uuid": "a8111fb7-d4c4-4671-a6f9-f62fea8bad60" }, { "meta": { @@ -283,7 +299,8 @@ "Sakurel" ] }, - "value": "Sakula" + "value": "Sakula", + "uuid": "f6c137f0-979c-4ce2-a0e5-2a080a5a1746" }, { "meta": { 
@@ -294,7 +311,8 @@ "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html" ] }, - "value": "Hi-ZOR" + "value": "Hi-ZOR", + "uuid": "e8fbb7b4-2f27-4028-975a-485d4c2dd977" }, { "meta": { @@ -309,7 +327,8 @@ "TROJ_DLLSERV.BE" ] }, - "value": "Derusbi" + "value": "Derusbi", + "uuid": "eff68b97-f36e-4827-ab1a-90523c16774c" }, { "meta": { @@ -327,7 +346,8 @@ "Wmonder" ] }, - "value": "EvilGrab" + "value": "EvilGrab", + "uuid": "c9b4ec27-0a43-4671-a967-bcac5df0e056" }, { "meta": { @@ -348,7 +368,8 @@ "AGENT.ABQMR" ] }, - "value": "Trojan.Naid" + "value": "Trojan.Naid", + "uuid": "170db76b-93f7-4fd1-97fc-55937c079b66" }, { "meta": { @@ -365,7 +386,8 @@ ] }, "description": "Backdoor.Moudoor, a customized version of Gh0st RAT", - "value": "Moudoor" + "value": "Moudoor", + "uuid": "46fd9884-208c-43c7-8ec3-b9fabce30b30" }, { "meta": { @@ -381,7 +403,8 @@ ] }, "description": "APT that infected hundreds of high profile victims in more than 40 countries. Known targets of NetTraveler include Tibetan/Uyghur activists, oil industry companies, scientific research centers and institutes, universities, private companies, governments and governmental institutions, embassies and military contractors.", - "value": "NetTraveler" + "value": "NetTraveler", + "uuid": "59b70721-6fed-4805-afa5-4ff2554bef81" }, { "meta": { @@ -399,7 +422,8 @@ ] }, "description": "APT used As part of Operation SMN, Novetta analyzed recent versions of the Winnti malware. The samples, compiled from mid- to late 2014, exhibited minimal functional changes over the previous generations Kaspersky reported in 2013.", - "value": "Winnti" + "value": "Winnti", + "uuid": "9b3a4cff-1c5a-4fd6-b49c-27240b6d622c" }, { "meta": { @@ -415,7 +439,8 @@ ] }, "description": "Ease Credential stealh and replay, A little tool to play with Windows security.", - "value": "Mimikatz" + "value": "Mimikatz", + "uuid": "7f3a035d-d83a-45b8-8111-412aa8ade802" }, { "meta": { 
@@ -428,7 +453,8 @@ ] }, "description": "Backdoor attribued to APT1", - "value": "WEBC2" + "value": "WEBC2", + "uuid": "b5be84b7-bf2c-40d0-85a9-14c040881a98" }, { "meta": { @@ -444,7 +470,8 @@ ] }, "description": "Symantec has observed Buckeye activity dating back to 2009, involving attacks on various organizations in several regions. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization’s network in 2009. The group delivered Backdoor.Pirpi through malicious attachments or links in convincing spear-phishing emails.", - "value": "Pirpi" + "value": "Pirpi", + "uuid": "4859330d-c6a5-4b9c-b45b-536ec983cd4a" }, { "meta": { @@ -456,7 +483,8 @@ ] }, "description": "RARSTONE is a Remote Access Tool (RAT) discovered early 2013 by TrendMicro, it’s characterized by a great affinity with the other RAT know as Plug is and was used in April for phishing campaigns that followed the dramatic attack to the Boston Marathon.", - "value": "RARSTONE" + "value": "RARSTONE", + "uuid": "5d2dd6ad-6bb2-45d3-b295-e125d3399c8d" }, { "meta": { @@ -472,7 +500,8 @@ ] }, "description": "Backspace is a Backdoor that targets the Windows platform. This malware is reportedly associated with targeted attacks against Association of Southeast Asian Nations (ASEAN) members (APT30).", - "value": "Backspace" + "value": "Backspace", + "uuid": "cd6c5f27-cf7e-4529-ae9c-ab5b85102bde" }, { "meta": { @@ -485,7 +514,8 @@ ] }, "description": "Backdoor user by he Naikon APT group", - "value": "XSControl" + "value": "XSControl", + "uuid": "2e3712e3-fd7b-43d1-8b4f-2ba7fc551bbb" }, { "meta": { @@ -502,7 +532,8 @@ ] }, "description": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main variants known as Scout and Norton.", - "value": "Neteagle" + "value": "Neteagle", + "uuid": "0ee08ab5-140c-44c3-9b0a-4a352500b14e" }, { "meta": { 
@@ -517,14 +548,17 @@ ] }, "description": "In November 2014, the experts of the G DATA SecurityLabs published an article about ComRAT, the Agent.BTZ successor. We explained that this case is linked to the Uroburos rootkit.", - "value": "Agent.BTZ" + "value": "Agent.BTZ", + "uuid": "da079741-05e6-458c-b434-011263dc691c" }, { "description": "RAT bundle with standard VNC (to avoid/limit A/V detection).", - "value": "Heseber BOT" + "value": "Heseber BOT", + "uuid": "b1b7e7d8-3778-4783-9cc7-9ec04b146031" }, { - "value": "Agent.dne" + "value": "Agent.dne", + "uuid": "93fe1644-a7a6-4e5a-bc3b-88984b251fde" }, { "meta": { @@ -543,7 +577,8 @@ ] }, "description": "Waterbug is the name given to the actors who use the malware tools Trojan.Wipbot (also known as Tavdig and Epic Turla)", - "value": "Wipbot" + "value": "Wipbot", + "uuid": "36c0faf0-428e-4e7f-93c5-824bb0495ac9" }, { "meta": { @@ -562,14 +597,17 @@ ] }, "description": "Family of related sophisticated backdoor software - Name comes from Microsoft detection signature – anagram of Ultra (Ultra3) was a name of the fake driver). A macOS version exists but appears incomplete and lacking features...for now!", - "value": "Turla" + "value": "Turla", + "uuid": "22332d52-c0c2-443c-9ffb-f08c0d23722c" }, { - "value": "Winexe" + "value": "Winexe", + "uuid": "811bdec0-e236-48ae-b27c-1a8fe0bfc3a9" }, { "description": "RAT initialy identified in 2011 and still actively used.", - "value": "Dark Comet" + "value": "Dark Comet", + "uuid": "9ad11139-e928-45cf-a0b4-937290642e92" }, { "meta": { @@ -577,7 +615,8 @@ "WinSpy" ] }, - "value": "Cadelspy" + "value": "Cadelspy", + "uuid": "38d6a0a1-0388-40d4-b8f4-1d58eeb9a07d" }, { "meta": { @@ -585,7 +624,8 @@ "http://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/" ] }, - "value": "CMStar" + "value": "CMStar", + "uuid": "e81b96a2-22e9-445e-88c7-65b67c2299ec" }, { "meta": { 
@@ -596,7 +636,8 @@ "iRAT" ] }, - "value": "DHS2015" + "value": "DHS2015", + "uuid": "d6420953-0e85-4330-abc2-3a8b9dda046b" }, { "meta": { @@ -608,7 +649,8 @@ ] }, "description": "Gh0st Rat is a well-known Chinese remote access trojan which was originally made by C.Rufus Security Team several years ago.", - "value": "Gh0st Rat" + "value": "Gh0st Rat", + "uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f" }, { "meta": { @@ -620,7 +662,8 @@ ] }, "description": "Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages). ", - "value": "Fakem RAT" + "value": "Fakem RAT", + "uuid": "eead5605-0d79-4942-a6c2-efa6853cdf6b" }, { "meta": { @@ -632,7 +675,8 @@ "BKDR_HUPIGON" ] }, - "value": "MFC Huner" + "value": "MFC Huner", + "uuid": "a5a48311-afbf-44c4-8045-46ffd51cd4d0" }, { "meta": { @@ -642,7 +686,8 @@ ] }, "description": "Blackshades Remote Access Tool targets Microsoft Windows operating systems. Authors were arrested in 2012 and 2014.", - "value": "Blackshades" + "value": "Blackshades", + "uuid": "8c3202d5-1671-46ec-9d42-cb50dbe2f667" }, { "meta": { @@ -660,7 +705,8 @@ ] }, "description": "backdoor used by apt28 ", - "value": "CHOPSTICK" + "value": "CHOPSTICK", + "uuid": "0a32ceea-fa66-47ab-8bde-150dbd6d2e40" }, { "meta": { @@ -679,7 +725,8 @@ ] }, "description": "backdoor used by apt28\n\nSedreco serves as a spying backdoor; its functionalities can be extended with dynamically loaded plugins. It is made up of two distinct components: a dropper and the persistent payload installed by this dropper. We have not seen this component since April 2016.", - "value": "EVILTOSS" + "value": "EVILTOSS", + "uuid": "6374fc53-9a0d-41ba-b9cf-2a9765d69fbb" }, { "meta": { @@ -697,7 +744,8 @@ ] }, "description": "backdoor", - "value": "GAMEFISH" + "value": "GAMEFISH", + "uuid": "43cd8a09-9c80-48c8-9568-1992433af60a" }, { "meta": { 
@@ -709,7 +757,8 @@ ] }, "description": "downloader - Older version of CORESHELL", - "value": "SOURFACE" + "value": "SOURFACE", + "uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa" }, { "meta": { @@ -727,7 +776,8 @@ ] }, "description": "credential harvester", - "value": "OLDBAIT" + "value": "OLDBAIT", + "uuid": "6d1e2736-d363-49aa-9054-9c9e4ac0c520" }, { "meta": { @@ -739,7 +789,8 @@ ] }, "description": "downloader - Newer version of SOURFACE", - "value": "CORESHELL" + "value": "CORESHELL", + "uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd" }, { "meta": { @@ -747,7 +798,8 @@ "Havex" ] }, - "value": "Havex RAT" + "value": "Havex RAT", + "uuid": "d7183f66-59ec-4803-be20-237b442259fc" }, { "meta": { @@ -756,37 +808,48 @@ ] }, "description": "RAT initially written in VB.", - "value": "KjW0rm" + "value": "KjW0rm", + "uuid": "b3f7a454-3b23-4149-99aa-0132323814d0" }, { - "value": "TinyTyphon" + "value": "TinyTyphon", + "uuid": "1b591586-e1ef-4a32-8dae-791aca5ddf41" }, { - "value": "Badnews" + "value": "Badnews", + "uuid": "48ca79ff-ea36-4a47-8231-0f7f0db0e09e" }, { - "value": "LURK" + "value": "LURK", + "uuid": "fcece2f7-e0ef-44e0-aa9f-578c2a56f532" }, { - "value": "Oldrea" + "value": "Oldrea", + "uuid": "f2e17736-9575-4a91-92ab-bb82bb0bf900" }, { - "value": "AmmyAdmin" + "value": "AmmyAdmin", + "uuid": "d1006b04-3015-49ea-9414-a968a0f74106" }, { - "value": "Matryoshka" + "value": "Matryoshka", + "uuid": "cb6c49ab-b9ac-459f-b765-05cbe2e63b0d" }, { - "value": "TinyZBot" + "value": "TinyZBot", + "uuid": "e2cc27a2-4146-4f08-8e80-114a99204cea" }, { - "value": "GHOLE" + "value": "GHOLE", + "uuid": "43a0d8a7-558d-4104-8a24-55e6e7a503db" }, { - "value": "CWoolger" + "value": "CWoolger", + "uuid": "005b46a2-9498-473a-bee2-0db91e5fb327" }, { - "value": "FireMalv" + "value": "FireMalv", + "uuid": "6ef11b6e-d81a-465b-9dce-fab5c6fe807b" }, { "meta": { 
@@ -799,58 +862,76 @@ ] }, "description": "Regin (also known as Prax or WarriorPride) is a sophisticated malware toolkit revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. The malware targets specific users of Microsoft Windows-based computers and has been linked to the US intelligence gathering agency NSA and its British counterpart, the GCHQ. The Intercept provided samples of Regin for download including malware discovered at Belgian telecommunications provider, Belgacom. Kaspersky Lab says it first became aware of Regin in spring 2012, but that some of the earliest samples date from 2003. The name Regin is first found on the VirusTotal website on 9 March 2011.", - "value": "Regin" + "value": "Regin", + "uuid": "0cf21558-1217-4d36-9536-2919cfd44825" }, { - "value": "Duqu" + "value": "Duqu", + "uuid": "809b54c3-dd6a-4ec9-8c3a-a27b9baa6732" }, { - "value": "Flame" + "value": "Flame", + "uuid": "d7963066-62ed-4494-9b8c-4b8b691a7c82" }, { - "value": "Stuxnet" + "value": "Stuxnet", + "uuid": "1b63293f-13f0-4c25-9bf6-6ebc023fc8ff" }, { - "value": "EquationLaser" + "value": "EquationLaser", + "uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d" }, { - "value": "EquationDrug" + "value": "EquationDrug", + "uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e" }, { - "value": "DoubleFantasy" + "value": "DoubleFantasy", + "uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d" }, { - "value": "TripleFantasy" + "value": "TripleFantasy", + "uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe" }, { - "value": "Fanny" + "value": "Fanny", + "uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae" }, { - "value": "GrayFish" + "value": "GrayFish", + "uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67" }, { - "value": "Babar" + "value": "Babar", + "uuid": "57b221bc-7ed6-4080-bc66-813d17009485" }, { - "value": "Bunny" + "value": "Bunny", + "uuid": "5589c428-792b-4439-b0db-07862765d96b" }, { - "value": "Casper" + "value": "Casper", + "uuid": "63b3e6fb-9bb8-43dc-9cbf-7681b049b5d6" }, { - "value": "NBot" + 
"value": "NBot", + "uuid": "97fa32d6-5d1d-43df-b765-4a0e31d7f179" }, { - "value": "Tafacalou" + "value": "Tafacalou", + "uuid": "835943ed-75d7-4225-9075-a8e2b2136fad" }, { - "value": "Tdrop" + "value": "Tdrop", + "uuid": "4d81c146-56e1-45d2-b0e4-75d0acec8102" }, { - "value": "Troy" + "value": "Troy", + "uuid": "9825aa1f-6414-4f26-8487-605dd6c718d1" }, { - "value": "Tdrop2" + "value": "Tdrop2", + "uuid": "aff99aad-5231-4f14-8e68-67e87fb13b5c" }, { "meta": { @@ -861,7 +942,8 @@ "Sensode" ] }, - "value": "ZXShell" + "value": "ZXShell", + "uuid": "5b9dc67e-bae4-44f3-b58d-6d842a744104" }, { "meta": { @@ -869,7 +951,8 @@ "http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" ] }, - "value": "T9000" + "value": "T9000", + "uuid": "66575fb4-7f92-42d8-8c47-e68a26413081" }, { "meta": { @@ -880,7 +963,8 @@ "Plat1" ] }, - "value": "T5000" + "value": "T5000", + "uuid": "e957f773-f6d2-410f-8163-5f0c17a7bde2" }, { "meta": { @@ -888,7 +972,8 @@ "http://www.symantec.com/connect/blogs/trojantaidoor-takes-aim-policy-think-tanks" ] }, - "value": "Taidoor" + "value": "Taidoor", + "uuid": "cda7d605-23d0-4f93-a585-1276f094c04a" }, { "meta": { @@ -896,7 +981,8 @@ "http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/" ] }, - "value": "Swisyn" + "value": "Swisyn", + "uuid": "1688dc7a-0ef9-49a9-a467-5231a5552b41" }, { "meta": { @@ -904,10 +990,12 @@ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks" ] }, - "value": "Rekaf" + "value": "Rekaf", + "uuid": "cfe948c6-b8a6-437a-9d82-d81660e0287b" }, { - "value": "Scieron" + "value": "Scieron", + "uuid": "267bf78e-f430-47b6-8ba0-1ae31698c711" }, { "meta": { @@ -915,7 +1003,8 @@ "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" ] }, - "value": "SkeletonKey" + "value": "SkeletonKey", + "uuid": "7709fedd-5083-4b54-bcd8-af3f76f6d171" }, { "meta": { 
@@ -923,7 +1012,8 @@ "http://labs.alienvault.com/labs/index.php/2011/another-sykipot-sample-likely-targeting-us-federal-agencies/" ] }, - "value": "Skyipot" + "value": "Skyipot", + "uuid": "72e2b7b5-2718-4942-9ca2-17fa6730261f" }, { "meta": { @@ -931,13 +1021,16 @@ "http://www.threatconnect.com/news/threatconnect-enables-healthy-networking-biomed-life-sciences-industry/" ] }, - "value": "Spindest" + "value": "Spindest", + "uuid": "447735ac-82e4-4c97-b048-56b7e47203ef" }, { - "value": "Preshin" + "value": "Preshin", + "uuid": "d87326a3-fb94-448c-9615-8ec036c1df3a" }, { - "value": "Oficla" + "value": "Oficla", + "uuid": "b3ea33fd-eaa0-4bab-9bd0-12534c9aa987" }, { "meta": { @@ -945,10 +1038,12 @@ "http://researchcenter.paloaltonetworks.com/2014/10/new-indicators-compromise-apt-group-nitro-uncovered/" ] }, - "value": "PCClient RAT" + "value": "PCClient RAT", + "uuid": "f68d2200-cb9d-42de-9e5e-be2a8f674c5e" }, { - "value": "Plexor" + "value": "Plexor", + "uuid": "8fb00a59-0dec-4d7f-bd53-9826b3929f39" }, { "meta": { @@ -956,7 +1051,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "Mongall" + "value": "Mongall", + "uuid": "aa3aa21f-bc4e-4fb6-acd2-f4b6de482dfe" }, { "meta": { @@ -964,7 +1060,8 @@ "http://www.clearskysec.com/dustysky/" ] }, - "value": "NeD Worm" + "value": "NeD Worm", + "uuid": "eedcf785-d011-4e17-96c4-6ff39138ada0" }, { "meta": { @@ -972,7 +1069,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "NewCT" + "value": "NewCT", + "uuid": "c5e3766c-9527-47c3-94db-f10de2c56248" }, { "meta": { @@ -980,7 +1078,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "Nflog" + "value": "Nflog", + "uuid": "b2ec2dca-5d49-4efa-9a9e-75126346d1ed" }, { "meta": { 
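Review bot: The uuid `"72e2b7b5-2718-4942-9ca2-17fa6730261f"` at `@@ -923,7 +1012,8 @@` is being pinned to a `value` that looks misspelled: the entry is named `"Skyipot"` while its own ref URL reads `another-sykipot-sample-likely-targeting-us-federal-agencies`, which matches the widely used name Sykipot. Since this commit makes the uuid the stable identifier, now is the safe moment to correct the name without breaking consumers that matched on the string. Suggest `"value": "Sykipot"` with the old spelling retained as `"synonyms": ["Skyipot"]` so existing lookups keep resolving.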
@@ -988,7 +1087,8 @@ "http://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/" ] }, - "value": "Janicab" + "value": "Janicab", + "uuid": "c3c20c4b-e12a-42e5-960a-eea4644014f4" }, { "meta": { @@ -999,7 +1099,8 @@ "Jiripbot" ] }, - "value": "Jripbot" + "value": "Jripbot", + "uuid": "05e2ccec-7050-47cf-b925-50907f57c639" }, { "meta": { @@ -1007,7 +1108,8 @@ "http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html" ] }, - "value": "Jolob" + "value": "Jolob", + "uuid": "4d4528ff-6260-4b5d-b2ea-6e11ca02c396" }, { "meta": { @@ -1015,7 +1117,8 @@ "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ] }, - "value": "IsSpace" + "value": "IsSpace", + "uuid": "b9707a57-d15f-4937-b022-52cc17f6783f" }, { "value": "Emotet", @@ -1026,7 +1129,8 @@ "synonyms": [ "Geodo" ] - } + }, + "uuid": "3f7616bd-f1de-46ee-87c2-43c0c2edaa28" }, { "meta": { @@ -1036,7 +1140,8 @@ "BS2005" ] }, - "value": "Hoardy" + "value": "Hoardy", + "uuid": "25cd01bc-1346-4415-8f8d-d3656309ef6b" }, { "meta": { @@ -1044,7 +1149,8 @@ "http://www.secureworks.com/research/threats/htran/" ] }, - "value": "Htran" + "value": "Htran", + "uuid": "f3bfe513-2a65-49b5-9d64-a66541dce697" }, { "meta": { @@ -1055,13 +1161,16 @@ "TokenControl" ] }, - "value": "HTTPBrowser" + "value": "HTTPBrowser", + "uuid": "08e2c9ef-aa62-429f-a6e5-e901ff6883cd" }, { - "value": "Disgufa" + "value": "Disgufa", + "uuid": "3a57bb24-b493-4698-bf46-6465c6cf5446" }, { - "value": "Elirks" + "value": "Elirks", + "uuid": "c0ea7b89-d246-4eb7-8de4-b4e17e135051" }, { "meta": { @@ -1072,7 +1181,8 @@ "Ursnif" ] }, - "value": "Snifula" + "value": "Snifula", + "uuid": "75b01a1e-3269-4f4c-bdba-37af4e9c3f54" }, { "meta": { @@ -1085,7 +1195,8 @@ "Graftor" ] }, - "value": "Aumlib" + "value": "Aumlib", + "uuid": "f3ac3d86-0fa2-4049-bfbc-1970004b8d32" }, { "meta": { 
@@ -1093,7 +1204,8 @@ "http://www.fireeye.com/blog/technical/threat-intelligence/2014/07/spy-of-the-tiger.html" ] }, - "value": "CTRat" + "value": "CTRat", + "uuid": "f78cfa32-a629-421e-94f7-1e696bba2892" }, { "meta": { @@ -1104,7 +1216,8 @@ "Newsripper" ] }, - "value": "Emdivi" + "value": "Emdivi", + "uuid": "a8395aae-1496-417d-98ee-3ecbcd9a94a0" }, { "meta": { @@ -1117,7 +1230,8 @@ "RIPTIDE" ] }, - "value": "Etumbot" + "value": "Etumbot", + "uuid": "91583583-95c0-444e-8175-483cbebc640b" }, { "meta": { @@ -1125,7 +1239,8 @@ "Loneagent" ] }, - "value": "Fexel" + "value": "Fexel", + "uuid": "ba992105-373e-484a-ac81-2464deba93b7" }, { "meta": { @@ -1133,7 +1248,8 @@ "http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" ] }, - "value": "Fysbis" + "value": "Fysbis", + "uuid": "bb929d1d-de95-4c3d-be79-55db3152dba1" }, { "meta": { @@ -1141,7 +1257,8 @@ "https://blog.bit9.com/2013/02/25/bit9-security-incident-update/" ] }, - "value": "Hikit" + "value": "Hikit", + "uuid": "06953055-92ed-4936-8ffd-d9d72ab6bef6" }, { "meta": { @@ -1154,7 +1271,8 @@ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] }, - "value": "Hancitor" + "value": "Hancitor", + "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64" }, { "meta": { @@ -1162,7 +1280,8 @@ "https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear" ] }, - "value": "Ruckguv" + "value": "Ruckguv", + "uuid": "d70bd6a8-5fd4-42e8-8e39-fb18daeccdb2" }, { "meta": { @@ -1170,7 +1289,8 @@ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] }, - "value": "HerHer Trojan" + "value": "HerHer Trojan", + "uuid": "0798f8d2-1099-4122-8735-5a116264d3db" }, { "meta": { 
@@ -1178,7 +1298,8 @@ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" ] }, - "value": "Helminth backdoor" + "value": "Helminth backdoor", + "uuid": "7bc1110b-fdc5-4501-a19b-e86304da4eb9" }, { "meta": { @@ -1186,7 +1307,8 @@ "http://williamshowalter.com/a-universal-windows-bootkit/" ] }, - "value": "HDRoot" + "value": "HDRoot", + "uuid": "d2c1a439-585a-48bc-8176-c0c46dfac270" }, { "meta": { @@ -1194,7 +1316,8 @@ "https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html" ] }, - "value": "IRONGATE" + "value": "IRONGATE", + "uuid": "5514e486-6158-40d8-b258-047938b8ee20" }, { "meta": { @@ -1202,7 +1325,8 @@ "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ] }, - "value": "ShimRAT" + "value": "ShimRAT", + "uuid": "487f26a5-8531-4ec6-bfa4-691834b156b8" }, { "meta": { @@ -1220,7 +1344,8 @@ ] }, "description": "APT28's second-stage persistent macOS backdoor. This backdoor component is known to have a modular structure featuring various espionage functionalities, such as key-logging, screen grabbing and file exfiltration. This component is available for Osx, Windows, Linux and iOS operating systems.\n\nXagent is a modular backdoor with spying functionalities such as keystroke logging and file exfiltration. Xagent is the group’s flagship backdoor and heavily used in their operations. Early versions for Linux and Windows were seen years ago, then in 2015 an iOS version came out. One year later, an Android version was discovered and finally, in the beginning of 2017, an Xagent sample for OS X was described.", - "value": "X-Agent" + "value": "X-Agent", + "uuid": "3e2c99f9-66cd-48be-86e9-d7c1c164d87c" }, { "meta": { @@ -1228,7 +1353,8 @@ "XTunnel" ] }, - "value": "X-Tunnel" + "value": "X-Tunnel", + "uuid": "6d180bd7-3c77-4faf-b98b-dc2ab5f49101" }, { "meta": { 
@@ -1236,7 +1362,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "Foozer" + "value": "Foozer", + "uuid": "e4137f66-be82-4da7-96e6-e37ab33ea34f" }, { "meta": { @@ -1244,7 +1371,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "WinIDS" + "value": "WinIDS", + "uuid": "82875947-fafb-467a-82df-0d2e37111b97" }, { "meta": { @@ -1252,7 +1380,8 @@ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" ] }, - "value": "DownRange" + "value": "DownRange", + "uuid": "56349213-b73e-4a30-8188-08de1a77b960" }, { "meta": { @@ -1260,7 +1389,8 @@ "https://www.arbornetworks.com/blog/asert/mad-max-dga/" ] }, - "value": "Mad Max" + "value": "Mad Max", + "uuid": "d3d56dd0-3409-470a-958b-a865fdd158f9" }, { "meta": { @@ -1272,7 +1402,8 @@ ] }, "description": "Crimson is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims", - "value": "Crimson" + "value": "Crimson", + "uuid": "858edfb8-793a-430b-8acc-4310e7d2f0d3" }, { "meta": { @@ -1284,7 +1415,8 @@ ] }, "description": "Operation Groundbait based on our research into the Prikormka malware family. This includes detailed technical analysis of the Prikormka malware family and its spreading mechanisms, and a description of the most noteworthy attack campaigns.", - "value": "Prikormka" + "value": "Prikormka", + "uuid": "67ade442-63f2-4319-bdcd-d2564b963ed6" }, { "meta": { @@ -1293,7 +1425,8 @@ ] }, "description": "This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations.", - "value": "NanHaiShu" + "value": "NanHaiShu", + "uuid": "7abd6950-7a07-4d9e-ade1-62414fa50619" }, { "meta": { 
@@ -1302,7 +1435,8 @@ ] }, "description": "Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well.", - "value": "Umbreon" + "value": "Umbreon", + "uuid": "2a18f5dd-40fc-444b-a7c6-85f94b3eee13" }, { "meta": { @@ -1311,7 +1445,8 @@ ] }, "description": "Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.", - "value": "Odinaff" + "value": "Odinaff", + "uuid": "e2fa7aea-fb33-4efc-b61b-ccae71b32e7d" }, { "meta": { @@ -1323,7 +1458,8 @@ ] }, "description": "Unit 42 has observed a new version of Hworm (or Houdini) being used within multiple attacks. This blog outlines technical details of this new Hworm version and documents an attack campaign making use of the backdoor. Of the samples used in this attack, the first we observed were June 2016, while as-of publication we were still seeing attacks as recently as mid-October, suggesting that this is likely an active, ongoing campaign.", - "value": "Hworm" + "value": "Hworm", + "uuid": "e5f7bb36-c982-4f5a-9b29-ab73d2c5f70e" }, { "meta": { @@ -1335,7 +1471,8 @@ ] }, "description": "Backdoor.Dripion was custom developed, deployed in a highly targeted fashion, and used command and control servers disguised as antivirus company websites.", - "value": "Backdoor.Dripion" + "value": "Backdoor.Dripion", + "uuid": "9dec36a3-b7df-477d-8f38-90aed47ca7cf" }, { "meta": { 
@@ -1353,13 +1490,16 @@ ] }, "description": "Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. A significant amount of additional functionality can be provided through downloadable plugins, including such things as remote control options and shell command execution.", - "value": "Adwind" + "value": "Adwind", + "uuid": "ab4694d6-7043-41f2-b328-d93bec9c1b22" }, { - "value": "Bedep" + "value": "Bedep", + "uuid": "066f8ad3-0c99-43eb-990c-8fae2c232f62" }, { - "value": "Cromptui" + "value": "Cromptui", + "uuid": "c4d80484-9486-4d5f-95f3-f40cc2de45ea" }, { "meta": { @@ -1371,13 +1511,16 @@ ] }, "description": "Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer has been infected, Dridex attackers can steal banking credentials and other personal information on the system to gain access to the financial records of a user.", - "value": "Dridex" + "value": "Dridex", + "uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da" }, { - "value": "Fareit" + "value": "Fareit", + "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351" }, { - "value": "Gafgyt" + "value": "Gafgyt", + "uuid": "5fe338c6-723e-43ed-8165-43d95fa93689" }, { "meta": { @@ -1388,7 +1531,8 @@ "https://blog.gdatasoftware.com/2015/03/24274-the-andromeda-gamarue-botnet-is-on-the-rise-again" ] }, - "value": "Gamarue" + "value": "Gamarue", + "uuid": "b9f00c61-6cd1-4112-a632-c8d3837a7ddd" }, { "meta": { @@ -1397,10 +1541,12 @@ ] }, "description": "The Necurs botnet is a distributor of many pieces of malware, most notably Locky.", - "value": "Necurs" + "value": "Necurs", + "uuid": "97d34770-44cc-4ecb-bdce-ba11581c0e2a" }, { - "value": "Palevo" + "value": "Palevo", + "uuid": "af0ea2b8-97ae-4ec1-a2c5-8f5dd0c9537b" }, { "meta": { 
@@ -1413,11 +1559,13 @@ "https://en.wikipedia.org/wiki/Akbot" ] }, - "value": "Akbot" + "value": "Akbot", + "uuid": "ac2ff27d-a7cb-46fe-ae32-cfe571dc614d" }, { "description": "Upatre is a Trojan downloader that is used to set up other threats on the victim's PC. Upatre has been used recently in several high profile Trojan attacks involving the Gameover Trojan. ", - "value": "Upatre" + "value": "Upatre", + "uuid": "99d9110d-85a4-4819-9f85-05e4b73aa5f3" }, { "meta": { @@ -1426,7 +1574,8 @@ ] }, "description": "Vawtrak is an information stealing malware family that is primarily used to gain unauthorised access to bank accounts through online banking websites.", - "value": "Vawtrak" + "value": "Vawtrak", + "uuid": "e95dd1ba-7485-4c02-bf2e-14beedbcf053" }, { "meta": { @@ -1435,7 +1584,8 @@ ] }, "description": "Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework", - "value": "Empire" + "value": "Empire", + "uuid": "525ce93a-76a1-441a-9c45-0eac64d0ed12" }, { "meta": { @@ -1444,7 +1594,8 @@ ] }, "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive. ", - "value": "Explosive" + "value": "Explosive", + "uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992" }, { "meta": { 
@@ -1454,7 +1605,8 @@ ] }, "description": "The actors used a new version of “KeyBoy,” a custom backdoor first disclosed by researchers at Rapid7 in June 2013. Their work outlined the capabilities of the backdoor, and exposed the protocols and algorithms used to hide the network communication and configuration data", - "value": "KeyBoy" + "value": "KeyBoy", + "uuid": "74167065-90b3-4c29-807a-79b6f098e45b" }, { "meta": { @@ -1466,11 +1618,13 @@ ] }, "description": "The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware...", - "value": "Yahoyah" + "value": "Yahoyah", + "uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539" }, { "description": "Delphi RAT used by Sofacy.", - "value": "Tartine" + "value": "Tartine", + "uuid": "67f0b6cb-a484-4b8c-aacb-88a7238568b0" }, { "meta": { @@ -1482,7 +1636,8 @@ ] }, "description": "Mirai (Japanese for \"the future\") is malware that turns computer systems running Linux into remotely controlled \"bots\", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH and the October 2016 Dyn cyberattack.", - "value": "Mirai" + "value": "Mirai", + "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5" }, { "value": "Masuta", @@ -1494,10 +1649,12 @@ "synonyms": [ "PureMasuta" ] - } + }, + "uuid": "1d4dec2c-915a-4fef-ba7a-633421bd0848" }, { - "value": "BASHLITE" + "value": "BASHLITE", + "uuid": "55f8fb60-6339-4bc2-baa0-41e698e11f95" }, { "meta": { 
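Review bot: `"BASHLITE"` gets its own uuid `"55f8fb60-6339-4bc2-baa0-41e698e11f95"` at `@@ -1494,10 +1649,12 @@` even though `"Gafgyt"` was already assigned `"5fe338c6-723e-43ed-8165-43d95fa93689"` earlier in this diff; the two names are commonly reported as the same Linux DDoS bot family. If that is the case, giving each a separate uuid bakes the duplication into the stable identifier layer, where it is hardest to undo later. Suggest merging into one entry with the other name under `synonyms`, the same way `Masuta` in this hunk already carries `"PureMasuta"`. Both entries currently have no description or refs, so there is nothing to reconcile when merging.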
@@ -1506,7 +1663,8 @@ ] }, "description": "BlackEnergy is a trojan which has undergone significant functional changes since it was first publicly analysed by Arbor Networks in 2007. It has evolved from a relatively simple DDoS trojan into a relatively sophisticated piece of modern malware with a modular architecture, making it a suitable tool for sending spam and for online bank fraud, as well as for targeted attacks. BlackEnergy version 2, which featured rootkit techniques, was documented by SecureWorks in 2010. The targeted attacks recently discovered are proof that the trojan is still alive and kicking in 2014. We provide a technical analysis of the BlackEnergy family, focusing on novel functionality and the differences introduced by new lite variants. We describe the most notable aspects of the malware, including its techniques for bypassing UAC, defeating the signed driver requirement in Windows and a selection of BlackEnergy2 plug-ins used for parasitic file infections, network discovery and remote code execution and data collection.", - "value": "BlackEnergy" + "value": "BlackEnergy", + "uuid": "5a22cad7-65fa-4b7a-a7aa-7915a6101efa" }, { "meta": { @@ -1518,13 +1676,16 @@ ] }, "description": "Trojan.Seaduke is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.", - "value": "Trojan.Seaduke" + "value": "Trojan.Seaduke", + "uuid": "3449215f-2650-48bb-a4fb-6549654cbccc" }, { - "value": "Backdoor.Tinybaron" + "value": "Backdoor.Tinybaron", + "uuid": "2b6b35fb-2ed4-46ce-b603-62ca2b9b2812" }, { - "value": "Incognito RAT" + "value": "Incognito RAT", + "uuid": "307803df-6537-4e4d-a1c8-f219f278e564" }, { "meta": { @@ -1536,7 +1697,8 @@ "https://twitter.com/Timo_Steffens/status/814781584536719360" ] }, - "value": "DownRage" + "value": "DownRage", + "uuid": "ab5c4362-c369-4c78-985d-04ba1226ea32" }, { "meta": { 
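Review bot: `"DownRage"` is assigned `"ab5c4362-c369-4c78-985d-04ba1226ea32"` at `@@ -1536,7 +1697,8 @@`, while `"DownRange"` was assigned `"56349213-b73e-4a30-8188-08de1a77b960"` at `@@ -1252,7 +1380,8 @@` with the CrowdStrike DNC-intrusion reference; the two names differ by one letter and both sit in APT28-related context, so one of them is plausibly a typo of the other. If they are the same downloader, the file should keep a single uuid and list the alternate spelling under `synonyms`; if they are deliberately distinct, a short `description` on each would stop the next reader from merging them. Either way this is worth settling before the uuids become referenced elsewhere.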
@@ -1544,7 +1706,8 @@ "https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan" ] }, - "value": "Chthonic" + "value": "Chthonic", + "uuid": "783f61a1-8210-4145-b801-53f71b909ebf" }, { "value": "GeminiDuke", @@ -1553,7 +1716,8 @@ "refs": [ "https://attack.mitre.org/wiki/Software/S0049" ] - } + }, + "uuid": "6a28a648-30c0-4d1d-bd67-81a8dc6486ba" }, { "value": "Zeus", @@ -1567,7 +1731,8 @@ "Trojan.Zbot", "Zbot" ] - } + }, + "uuid": "0ce448de-c2bb-4c6e-9ad7-c4030f02b4d7" }, { "value": "Shifu", @@ -1579,7 +1744,8 @@ "derivated_from": [ "Shiz" ] - } + }, + "uuid": "67d712c8-d254-4820-83fa-9a892b87923b" }, { "value": "Shiz", @@ -1588,7 +1754,8 @@ "refs": [ "https://securityintelligence.com/tag/shiz-trojan-malware/" ] - } + }, + "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941" }, { "value": "MM Core", @@ -1604,7 +1771,8 @@ "BaneChant", "StrangeLove" ] - } + }, + "uuid": "74bd8c09-73d5-4ad8-ab1f-e94a4853c936" }, { "value": "Shamoon", @@ -1613,7 +1781,8 @@ "refs": [ "https://en.wikipedia.org/wiki/Shamoon" ] - } + }, + "uuid": "776b1849-8d5b-4762-8ba1-cbbaddb4ce3a" }, { "meta": { @@ -1622,7 +1791,8 @@ ] }, "description": "According to MalwareHunterTeam and other researchers that have looked at the malware's source code, GhostAdmin seems to be a reworked version of CrimeScene, another botnet malware family that was active around 3-4 years ago.", - "value": "GhostAdmin" + "value": "GhostAdmin", + "uuid": "a68f1b43-c742-4f90-974d-2e74ec703e44" }, { "meta": { 
@@ -1632,7 +1802,8 @@ ] }, "description": "Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)", - "value": "EyePyramid Malware" + "value": "EyePyramid Malware", + "uuid": "52c2499f-c74f-4bab-bad2-c278e798654c" }, { "meta": { @@ -1641,7 +1812,8 @@ ] }, "description": "LuminosityLink is a malware family costing $40 that purports to be a system administration utility", - "value": "LuminosityLink" + "value": "LuminosityLink", + "uuid": "f586d3e4-39fc-489a-808b-03f590bfe092" }, { "meta": { @@ -1655,7 +1827,8 @@ ] }, "description": "Floki Bot, described recently by Dr. Peter Stephenson from SC Magazine, is yet another bot based on the leaked Zeus code. However, the author came up with various custom modifications that makes it more interesting.", - "value": "Flokibot" + "value": "Flokibot", + "uuid": "8034978b-3a32-4662-b1bf-b525e59e469f" }, { "meta": { @@ -1664,7 +1837,8 @@ ] }, "description": "Most recently, we have observed the same group targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, this group began using a new downloader known as ZeroT to install the PlugX remote access Trojan (RAT) and added Microsoft Compiled HTML Help (.chm) as one of the initial droppers delivered in spear-phishing emails.", - "value": "ZeroT" + "value": "ZeroT", + "uuid": "ff00fa92-b32e-46b6-88ca-98357ebe3f54" }, { "meta": { 
@@ -1673,7 +1847,8 @@ ] }, "description": "Cylance dubbed this family of malware StreamEx, based upon a common exported function used across all samples ‘stream’, combined with the dropper functionality to append ‘ex’ to the DLL file name. The StreamEx family has the ability to access and modify the user’s file system, modify the registry, create system services, enumerate process and system information, enumerate network resources and drive types, scan for security tools such as firewall products and antivirus products, change browser security settings, and remotely execute commands. The malware documented in this post was predominantly 64-bit, however, there are 32-bit versions of the malware in the wild. ", - "value": "StreamEx" + "value": "StreamEx", + "uuid": "9991ace8-1a62-498c-a9ef-19d474deb505" }, { "meta": { @@ -1685,7 +1860,8 @@ ] }, "description": "Remote Access Trojan", - "value": "adzok" + "value": "adzok", + "uuid": "d08201b8-9774-41a1-abdb-c7f3828139b0" }, { "meta": { @@ -1697,7 +1873,8 @@ ] }, "description": "Remote Access Trojan", - "value": "albertino" + "value": "albertino", + "uuid": "18c31de5-41b3-4a92-a6ee-23b74cc2797d" }, { "meta": { @@ -1709,7 +1886,8 @@ ] }, "description": "Remote Access Trojan", - "value": "arcom" + "value": "arcom", + "uuid": "00dcba51-126f-4758-8273-9770ddf9031c" }, { "meta": { @@ -1721,7 +1899,8 @@ ] }, "description": "Remote Access Trojan", - "value": "blacknix" + "value": "blacknix", + "uuid": "0a5d5825-0ab9-48ff-a5d9-b6b131b65833" }, { "meta": { @@ -1733,7 +1912,8 @@ ] }, "description": "Remote Access Trojan", - "value": "bluebanana" + "value": "bluebanana", + "uuid": "df7deaa3-2a2c-4460-8674-20ec24e89fba" }, { "meta": { @@ -1745,7 +1925,8 @@ ] }, "description": "Remote Access Trojan", - "value": "bozok" + "value": "bozok", + "uuid": "cff2e174-52b8-4304-903a-012f97d70b7c" }, { "meta": { 
@@ -1757,7 +1938,8 @@ ] }, "description": "Remote Access Trojan", - "value": "clientmesh" + "value": "clientmesh", + "uuid": "26785174-0b89-4cec-9ed0-5a72a0ff4c49" }, { "meta": { @@ -1769,7 +1951,8 @@ ] }, "description": "Remote Access Trojan", - "value": "cybergate" + "value": "cybergate", + "uuid": "f6e6540e-c21f-4202-ac46-185e735215db" }, { "meta": { @@ -1781,7 +1964,8 @@ ] }, "description": "Remote Access Trojan", - "value": "darkcomet" + "value": "darkcomet", + "uuid": "15949ecb-1f2b-4f59-9cf7-5751694e8fba" }, { "meta": { @@ -1793,7 +1977,8 @@ ] }, "description": "Remote Access Trojan", - "value": "darkrat" + "value": "darkrat", + "uuid": "c9e6e42a-65c0-418e-ab77-09bcdb1214a3" }, { "meta": { @@ -1805,7 +1990,8 @@ ] }, "description": "Remote Access Trojan", - "value": "gh0st" + "value": "gh0st", + "uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f" }, { "meta": { @@ -1817,7 +2003,8 @@ ] }, "description": "Remote Access Trojan", - "value": "greame" + "value": "greame", + "uuid": "43e400b3-918b-4a2c-9a69-7166c81a835b" }, { "meta": { @@ -1829,7 +2016,8 @@ ] }, "description": "Remote Access Trojan", - "value": "hawkeye" + "value": "hawkeye", + "uuid": "3edd9d1b-e15d-4411-a67f-01e04701e95d" }, { "meta": { @@ -1841,7 +2029,8 @@ ] }, "description": "Remote Access Trojan", - "value": "javadropper" + "value": "javadropper", + "uuid": "3a80cc5e-ae91-4aa4-aa2b-8f538861acbe" }, { "meta": { @@ -1853,7 +2042,8 @@ ] }, "description": "Remote Access Trojan", - "value": "lostdoor" + "value": "lostdoor", + "uuid": "3fcebce8-fb31-4edb-ae88-7fb0d90d440c" }, { "meta": { @@ -1865,7 +2055,8 @@ ] }, "description": "Remote Access Trojan", - "value": "luxnet" + "value": "luxnet", + "uuid": "df6ccb07-a26c-427a-9d93-5fed2609a1d4" }, { "meta": { @@ -1877,7 +2068,8 @@ ] }, "description": "Remote Access Trojan", - "value": "pandora" + "value": "pandora", + "uuid": "2c215062-5739-4859-bd82-9639ae1d1756" }, { "meta": { 
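Review bot: `"gh0st"` receives `"1b1ae63f-bcee-4aba-8994-6c60cee5e16f"` at `@@ -1805,7 +1990,8 @@`, while `"Gh0st Rat"` earlier in this diff received `"cb8c8253-4024-4cc9-8989-b4a5f95f6c2f"` together with a real description; the `gh0st` entry carries only the generic `"Remote Access Trojan"` text shared by the whole run of lowercase RAT entries in this region. A second uuid for the same family means any consumer correlating on uuid will silently miss half the sightings. Suggest dropping the lowercase duplicate and adding `"gh0st"` to the `Gh0st Rat` entry's `synonyms`, or, if this lowercase list is imported from a separate source and must stay, cross-linking the two uuids explicitly. The same pattern may affect other lowercase entries here (`poisonivy`, `darkcomet`, `xtreme`); a quick case-insensitive comparison of `value` across the file would surface them.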
@@ -1889,7 +2081,8 @@ ] }, "description": "Remote Access Trojan", - "value": "poisonivy" + "value": "poisonivy", + "uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5" }, { "meta": { @@ -1901,7 +2094,8 @@ ] }, "description": "Remote Access Trojan", - "value": "predatorpain" + "value": "predatorpain", + "uuid": "6762975d-ddbc-4871-ab14-4796c9f38307" }, { "meta": { @@ -1913,7 +2107,8 @@ ] }, "description": "Remote Access Trojan", - "value": "punisher" + "value": "punisher", + "uuid": "0d8d212a-d327-406e-8954-5b20158a9966" }, { "meta": { @@ -1925,7 +2120,8 @@ ] }, "description": "Remote Access Trojan", - "value": "qrat" + "value": "qrat", + "uuid": "c3a784ee-cef7-4604-a5ba-ec7b193a5152" }, { "meta": { @@ -1937,7 +2133,8 @@ ] }, "description": "Remote Access Trojan", - "value": "shadowtech" + "value": "shadowtech", + "uuid": "d5e53ee4-1114-4801-83c9-58c633049aff" }, { "meta": { @@ -1949,7 +2146,8 @@ ] }, "description": "Remote Access Trojan", - "value": "smallnet" + "value": "smallnet", + "uuid": "73ee15e9-ffb3-496d-ae65-fad50e675bdd" }, { "meta": { @@ -1961,7 +2159,8 @@ ] }, "description": "Remote Access Trojan", - "value": "spygate" + "value": "spygate", + "uuid": "408ff7f3-f30c-481f-a3e7-2c69b375f7d9" }, { "meta": { @@ -1973,7 +2172,8 @@ ] }, "description": "Remote Access Trojan", - "value": "template" + "value": "template", + "uuid": "244be9e7-4f68-4fd8-9abd-ee6ca591aa00" }, { "meta": { @@ -1985,7 +2185,8 @@ ] }, "description": "Remote Access Trojan", - "value": "tapaoux" + "value": "tapaoux", + "uuid": "b7b4c682-090b-4da2-abc2-541fd3157579" }, { "meta": { @@ -1997,7 +2198,8 @@ ] }, "description": "Remote Access Trojan", - "value": "vantom" + "value": "vantom", + "uuid": "aba90e76-ce56-4660-a498-90eeb1f0195b" }, { "meta": { @@ -2009,7 +2211,8 @@ ] }, "description": "Remote Access Trojan", - "value": "virusrat" + "value": "virusrat", + "uuid": "aa054c62-3595-4c65-97ee-209029cc6004" }, { "meta": { 
@@ -2021,7 +2224,8 @@ ] }, "description": "Remote Access Trojan", - "value": "xena" + "value": "xena", + "uuid": "87596188-4c1f-494c-8713-21d5fa062580" }, { "meta": { @@ -2033,7 +2237,8 @@ ] }, "description": "Remote Access Trojan", - "value": "xtreme" + "value": "xtreme", + "uuid": "2d4e2910-4b25-4562-ad88-b35dd678a117" }, { "meta": { @@ -2045,7 +2250,8 @@ ] }, "description": "Remote Access Trojan", - "value": "darkddoser" + "value": "darkddoser", + "uuid": "505629dc-6b81-424e-a452-164629a7a66f" }, { "meta": { @@ -2057,7 +2263,8 @@ ] }, "description": "Remote Access Trojan", - "value": "jspy" + "value": "jspy", + "uuid": "8abd10df-2c31-4895-8ec1-270603078f47" }, { "meta": { @@ -2069,7 +2276,8 @@ ] }, "description": "Remote Access Trojan", - "value": "xrat" + "value": "xrat", + "uuid": "c76e2ee8-52d1-4a55-81df-5542d232ca32" }, { "meta": { @@ -2078,7 +2286,8 @@ ] }, "description": "Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.", - "value": "PupyRAT" + "value": "PupyRAT", + "uuid": "4d6dec19-b0bc-4698-87ed-272823c45d95" }, { "meta": { @@ -2087,7 +2296,8 @@ ] }, "description": "Linux Arm malware spread via RFIs in cgi-bin scripts. This backdoor executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.", - "value": "ELF_IMEIJ" + "value": "ELF_IMEIJ", + "uuid": "acb6ae45-d4e2-48a1-ab72-86e72004c27a" }, { "meta": { @@ -2096,7 +2306,8 @@ ] }, "description": "KHRAT is a small backdoor that has three exports (functions), namely, K1, K2, and K3. K1 checks if the current user is an administrator. If not, it uninstalls itself by calling the K2 function.", - "value": "KHRAT" + "value": "KHRAT", + "uuid": "72b702d9-43c3-40b9-b004-8d0671225fb8" }, { "meta": { 
@@ -2105,7 +2316,8 @@
 ]
 },
 "description": "The Trochilus RAT is a threatening RAT (Remote Access Trojan) that may evade many anti-virus programs. The Trochilus RAT is currently being used as part of an extended threat campaign in South East Asia. The first appearance of the Trochilus RAT in this campaign, which has been active since August of 2015, was first detected in the summer of 2015. The Trochilus RAT is currently being used against civil society organizations and government computers in the South East Asia region, particularly in attacks directed towards the government of Myanmar.",
- "value": "Trochilus"
+ "value": "Trochilus",
+ "uuid": "5e15e4ca-0e04-4af1-ab2a-779dbcad545d"
 },
 {
 "meta": {
@@ -2114,7 +2326,8 @@
 ]
 },
 "description": "The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the BlackMoon banking Trojan. While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan,",
- "value": "MoonWind"
+ "value": "MoonWind",
+ "uuid": "76ec1827-68a1-488f-9899-2b788ea8db64"
 },
 {
 "description": "Chrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout.",
@@ -2127,7 +2340,8 @@
 "Pegasus",
 "Pegasus spyware"
 ]
- }
+ },
+ "uuid": "9d7c772b-43f1-49cf-bc70-7a7cd2ed34c8"
 },
 {
 "meta": {
@@ -2137,7 +2351,8 @@
 ]
 },
 "description": "The trojan serves as a backdoor. It can be controlled remotely.",
- "value": "Sathurbot"
+ "value": "Sathurbot",
+ "uuid": "35849d8f-5bac-475b-82f8-7d555f37de12"
 },
 {
 "meta": {
@@ -2146,7 +2361,8 @@
 ]
 },
 "description": "The AURIGA malware family shares a large amount of functionality with the BANGAT backdoor. The malware family contains functionality for keystroke logging, creating and killing processes, performing file system and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. The AURIGA malware contains a driver component which is used to inject the malware DLL into other processes. This driver can also perform process and IP connection hiding. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.",
- "value": "AURIGA"
+ "value": "AURIGA",
+ "uuid": "316c87d4-4404-42ab-9887-f9e321aed93c"
 },
 {
 "meta": {
@@ -2155,7 +2371,8 @@
 ]
 },
 "description": "The BANGAT malware family shares a large amount of functionality with the AURIGA backdoor. The malware family contains functionality for keylogging, creating and killing processes, performing filesystem and registry modifications, spawning interactive command shells, performing process injection, logging off the current user or shutting down the local machine. In addition, the malware also implements a custom VNC like protocol which sends screenshots of the desktop to the C2 server and accepts keyboard and mouse input. The malware communicates to its C2 servers using SSL, with self signed SSL certificates. The malware family will create a copy of cmd.exe to perform its C2 activity, and replace the \"Microsoft corp\" strings in the cmd.exe binary with different values. The malware family typically maintains persistence through installing itself as a service.",
- "value": "BANGAT"
+ "value": "BANGAT",
+ "uuid": "fa9b2176-1248-4d59-8da2-c31c7501a81d"
 },
 {
 "meta": {
@@ -2164,7 +2381,8 @@
 ]
 },
 "description": "BISCUIT provides attackers with full access to an infected host. BISCUIT capabilities include launching an interactive command shell, enumerating servers on a Windows network, enumerating and manipulating process, and transferring files. BISCUIT communicates using a custom protocol, which is then encrypted using SSL. Once installed BISCUIT will attempt to beacon to its command/control servers approximately every 10 or 30 minutes. It will beacon its primary server first, followed by a secondary server. All communication is encrypted with SSL (OpenSSL 0.9.8i).",
- "value": "BISCUIT"
+ "value": "BISCUIT",
+ "uuid": "f1e05a12-ca50-41ab-a963-d7df5bcb141d"
 },
 {
 "meta": {
@@ -2173,7 +2391,8 @@
 ]
 },
 "description": "BOUNCER will load an extracted DLL into memory, and then will call the DLL's dump export. The dump export is called with the parameters passed via the command line to the BOUNCER executable. It requires at least two arguments, the IP and port to send the password dump information. It can accept at most five arguments, including a proxy IP, port and an x.509 key for SSL authentication. The DLL backdoor has the capability to execute arbitrary commands, collect database and server information, brute force SQL login credentials, launch arbitrary programs, create processes and threads, delete files, and redirect network traffic.",
- "value": "BOUNCER"
+ "value": "BOUNCER",
+ "uuid": "52d9a474-fc37-48b5-8e39-4394194b9573"
 },
 {
 "meta": {
@@ -2182,7 +2401,8 @@
 ]
 },
 "description": "This family of malware uses Google Calendar to retrieve commands and send results. It retrieves event feeds associated with Google Calendar, where each event contains commands from the attacker for the malware to perform. Results are posted back to the event feed. The malware authenticates with Google using the hard coded email address and passwords. The malware uses the deprecated ClientLogin authentication API from Google. The malware is registered as a service dll as a persistence mechanism. Artifacts of this may be found in the registry.",
- "value": "CALENDAR"
+ "value": "CALENDAR",
+ "uuid": "e2c18713-0a95-4092-a0e9-76358512daad"
 },
 {
 "meta": {
@@ -2191,7 +2411,8 @@
 ]
 },
 "description": "The COMBOS malware family is an HTTP based backdoor. The backdoor is capable of file upload, file download, spawning a interactive reverse shell, and terminating its own process. The backdoor may decrypt stored Internet Explorer credentials from the local system and transmit the credentials to the C2 server. The COMBOS malware family does not have any persistence mechanisms built into itself.",
- "value": "COMBOS"
+ "value": "COMBOS",
+ "uuid": "fa38b79c-9774-45a0-831c-24c6c8d39a22"
 },
 {
 "meta": {
@@ -2203,7 +2424,8 @@
 ]
 },
 "description": "his family of malware is a backdoor capable of file upload and download as well as providing remote interactive shell access to the compromised machine. Communication with the Command & Control (C2) servers uses a combination of single-byte XOR and Base64 encoded data in the Cookie and Set-Cookie HTTP header fields. Communication with the C2 servers is over port 80. Some variants install a registry key as means of a persistence mechanism. The hardcoded strings cited include a string of a command in common with several other APT1 families.",
- "value": "COOKIEBAG"
+ "value": "COOKIEBAG",
+ "uuid": "63be3d30-0c8d-4c0a-8eee-6c96880734cb"
 },
 {
 "meta": {
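Review bot: The COOKIEBAG description, the context line just before the `value` change in the `@@ -2203,7 +2424,8 @@` hunk, begins with `his family of malware`; the leading `T` is missing and the line should read `"description": "This family of malware is a backdoor capable of file upload and download ...",`. The commit only attaches a `uuid` to this entry, so the typo is pre-existing, but the entry is being touched and the fix is a one-character change to the string. The JSON object containing it starts and ends outside the hunk.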
@@ -2212,7 +2434,8 @@
 ]
 },
 "description": "Members of this malware family are backdoors that provide file downloading, process listing, process killing, and reverse shell capabilities. This malware may also add itself to the Authorized Applications list for the Windows Firewall.",
- "value": "DAIRY"
+ "value": "DAIRY",
+ "uuid": "2a56538f-7c21-44b3-b438-5baa025ed005"
 },
 {
 "meta": {
@@ -2221,7 +2444,8 @@
 ]
 },
 "description": "Members of this family of malware are utilities designed to extract email messages and attachments from Outlook PST files. One part of this utility set is an executable, one is a dll. The malware may create a registry artifact related to the executable.",
- "value": "GETMAIL"
+ "value": "GETMAIL",
+ "uuid": "5abd7dee-cca1-4bee-9b82-da3f9be2970b"
 },
 {
 "meta": {
@@ -2230,7 +2454,8 @@
 ]
 },
 "description": "This family of malware is a utility designed to upload files to Google Docs. Nearly all communications are with docs.google.com are SSL encrypted. The malware does not use Google's published API to interact with their services. The malware does not currently work with Google Docs. It does not detect HTTP 302 redirections and will get caught in an infinite loop attempting to parse results from Google that are not present.",
- "value": "GDOCUPLOAD"
+ "value": "GDOCUPLOAD",
+ "uuid": "4bb4320f-9379-43ba-ba8c-09dfece39000"
 },
 {
 "meta": {
@@ -2242,7 +2467,8 @@
 ]
 },
 "description": "GLOOXMAIL communicates with Google's Jabber/XMPP servers and authenticates with a hard-coded username and password. The malware can accept commands over XMPP that includes file upload and download, provide a remote shell, sending process listings, and terminating specified processes. The malware makes extensive use of the open source gloox library (http://camaya.net/gloox/, version 0.9.9.12) to communicate using the Jabber/XMPP protocol. All communications with the Google XMPP server are encrypted.",
- "value": "GLOOXMAIL"
+ "value": "GLOOXMAIL",
+ "uuid": "a379f09b-5cec-4bdb-9735-125cef2de073"
 },
 {
 "meta": {
@@ -2254,7 +2480,8 @@
 ]
 },
 "description": "A family of downloader malware, that retrieves an encoded payload from a fixed location, usually in the form of a file with the .jpg extension. Some variants have just an .exe that acts as a downloader, others have an .exe launcher that runs as a service and then loads an associated .dll of the same name that acts as the downloader. This IOC is targeted at the downloaders only. After downloading the file, the malware decodes the downloaded payload into an .exe file and launches it. The malware usually stages the files it uses in the %TEMP% directory or the %WINDIR%\\Temp directory.",
- "value": "GOGGLES"
+ "value": "GOGGLES",
+ "uuid": "4bc55eb3-7c92-4668-a75a-d5e291387613"
 },
 {
 "meta": {
@@ -2263,7 +2490,8 @@
 ]
 },
 "description": "Members of this family are full featured backdoors that communicates with a Web-based Command & Control (C2) server over SSL. Features include interactive shell, gathering system info, uploading and downloading files, and creating and killing processes, Malware in this family usually communicates with a hard-coded domain using SSL on port 443. Some members of this family rely on launchers to establish persistence mechanism for them. Others contains functionality that allows it to install itself, replacing an existing Windows service, and uninstall itself. Several variants use %SystemRoot%\\Tasks or %WinDir%\\Tasks as working directories, additional malware artifacts may be found there.",
- "value": "GREENCAT"
+ "value": "GREENCAT",
+ "uuid": "21a1d15c-acdd-49d1-aa8e-8d5b311024f0"
 },
 {
 "meta": {
@@ -2272,7 +2500,8 @@
 ]
 },
 "description": " This family of malware is a backdoor that provides reverse shell, process creation, system statistics collection, process enumeration, and process termination capabilities. This family is designed to be a service DLL and does not contain an installation mechanism. It usually communicates over port 443. Some variants use their own encryption, others use SSL.",
- "value": "HACKFASE"
+ "value": "HACKFASE",
+ "uuid": "aef3e40b-d295-4663-a2d0-585512b3ae44"
 },
 {
 "meta": {
@@ -2281,7 +2510,8 @@
 ]
 },
 "description": " This family of malware is designed to operate as a service and provides remote command execution and file transfer capabilities to a fixed IP address or domain name. All communication with the C2 server happens over port 443 using SSL. This family can be installed as a service DLL. Some variants allow for uninstallation.",
- "value": "HELAUTO"
+ "value": "HELAUTO",
+ "uuid": "7c05c816-481f-499e-9545-d48b635dc2eb"
 },
 {
 "meta": {
@@ -2290,7 +2520,8 @@
 ]
 },
 "description": "This family of malware is a backdoor that tunnels its connection through a preconfigured proxy. The malware communicates with a remote command and control server over HTTPS via the proxy. The malware installs itself as a Windows service with a service name supplied by the attacker but defaults to IPRIP if no service name is provided during install.",
- "value": "KURTON"
+ "value": "KURTON",
+ "uuid": "616c7c32-110e-4bb3-8e99-4c2aeb8f8272"
 },
 {
 "meta": {
@@ -2299,7 +2530,8 @@
 ]
 },
 "description": "LIGHTBOLT is a utility with the ability to perform HTTP GET requests for a list of user-specified URLs. The responses of the HTTP requests are then saved as MHTML files, which are added to encrypted RAR files. LIGHTBOLT has the ability to use software certificates for authentication.",
- "value": "LIGHTBOLT"
+ "value": "LIGHTBOLT",
+ "uuid": "57e43779-0665-427c-abcb-997c1c0ced8d"
 },
 {
 "meta": {
@@ -2308,7 +2540,8 @@
 ]
 },
 "description": "LIGHTDART is a tool used to access a pre-configured web page that hosts an interface to query a database or data set. The tool then downloads the results of a query against that web page to an encrypted RAR file. This RAR file (1.rar) is renamed and uploaded to an attacker controlled FTP server, or uploaded via an HTTP POST with a .jpg extension. The malware will execute this search once a day. The target webpage usually contains information useful to the attacker, which is updated on a regular basis. Examples of targeted information include weather information or ship coordinates.",
- "value": "LIGHTDART"
+ "value": "LIGHTDART",
+ "uuid": "986f6b0f-51f8-4f83-bb38-8354a83a7f32"
 },
 {
 "meta": {
@@ -2317,7 +2550,8 @@
 ]
 },
 "description": "LONGRUN is a backdoor designed to communicate with a hard-coded IP address and provide the attackers with a custom interactive shell. It supports file uploads and downloads, and executing arbitrary commands on the compromised machine. When LONGRUN executes, it first loads configuration data stored as an obfuscated string inside the PE resource section. The distinctive string thequickbrownfxjmpsvalzydg is used as part of the input to the decoding algorithm. When the configuration data string is decoded it is parsed and treated as an IP and port number. The malware then connects to the host and begins interacting with it over a custom protocol.",
- "value": "LONGRUN"
+ "value": "LONGRUN",
+ "uuid": "5a2fc164-f6cf-4528-b85f-f2319545c8ad"
 },
 {
 "meta": {
@@ -2326,7 +2560,8 @@
 ]
 },
 "description": "This family of malware will beacon out at random intervals to the remote attacker. The attacker can run programs, execute arbitrary commands, and easily upload and download files. This IOC looks for both the dropper file and the backdoor.",
- "value": "MANITSME"
+ "value": "MANITSME",
+ "uuid": "25db921d-d753-4fb1-b51b-961d7fdae6f4"
 },
 {
 "meta": {
@@ -2336,7 +2571,8 @@
 ]
 },
 "description": "This malware utility is a set of two files that operate in conjunction to extract email messages and attachments from an Exchange server. In order to operate successfully, these programs require authentication credentials for a user on the Exchange server, and must be run from a machine joined to the domain that has Microsoft Outlook installed (or equivalent software that provides the Microsoft 'Messaging API' (MAPI) service).",
- "value": "MAPIGET"
+ "value": "MAPIGET",
+ "uuid": "bf08965f-03a5-4cf6-83fb-8d3c9e9398ee"
 },
 {
 "meta": {
@@ -2345,7 +2581,8 @@
 ]
 },
 "description": "This family of malware consists of backdoors that attempt to fetch encoded commands over HTTP. The malware is capable of downloading a file, downloading and executing a file, executing arbitrary shell commands, or sleeping a specified interval.",
- "value": "MINIASP"
+ "value": "MINIASP",
+ "uuid": "ea9c7068-1c28-4826-a7d1-7ac04760e5c9"
 },
 {
 "meta": {
@@ -2354,7 +2591,8 @@
 ]
 },
 "description": "The NEWSREELS malware family is an HTTP based backdoor. When first started, NEWSREELS decodes two strings from its resources section. These strings are both used as C2 channels, one URL is used as a beacon URL (transmitting) and the second URL is used to get commands (receiving). The NEWSREELS malware family is capable of performing file uploads, downloads, creating processes or creating an interactive reverse shell.",
- "value": "NEWSREELS"
+ "value": "NEWSREELS",
+ "uuid": "5abc6792-be17-48ee-a765-29cffa4242ee"
 },
 {
 "meta": {
@@ -2363,7 +2601,8 @@
 ]
 },
 "description": "The SEASALT malware family communicates via a custom binary protocol. It is capable of gathering some basic system information, file system manipulation, file upload and download, process creation and termination, and spawning an interactive reverse shell. The malware maintains persistence by installing itself as a service.",
- "value": "SEASALT"
+ "value": "SEASALT",
+ "uuid": "7429aaf8-85a8-4ae9-b583-c7eec0f5b0cb"
 },
 {
 "meta": {
@@ -2372,7 +2611,8 @@
 ]
 },
 "description": "STARSYPOUND provides an interactive remote shell over an obfuscated communications channel. When it is first run, it loads a string (from the executable PE resource section) containing the beacon IP address and port. The malware sends the beacon string \"*(SY)# \" to the remote system, where is the hostname of the victim system. The remote host responds with a packet that also begins with the string \"*(SY)# cmd\". This causes the malware to launch a new cmd.exe child process. Further communications are forwarded to the cmd.exe child process to execute. The commands sent to the shell and their responses are obfuscated when sent over the network.",
- "value": "STARSYPOUND"
+ "value": "STARSYPOUND",
+ "uuid": "d0220108-48d7-4056-babc-189048f37a59"
 },
 {
 "meta": {
@@ -2381,7 +2621,8 @@
 ]
 },
 "description": "This family of malware provides a backdoor over the network to the attackers. It is configured to connect to a single host and offers file download over HTTP, program execution, and arbitrary execution of commands through a cmd.exe instance.",
- "value": "SWORD"
+ "value": "SWORD",
+ "uuid": "96fb29fa-7c3a-4124-baf5-cc5f99b2a05f"
 },
 {
 "meta": {
@@ -2393,7 +2634,8 @@
 ]
 },
 "description": " This malware family is a full-featured backdoor capable of file uploading and downloading, arbitrary execution of programs, and providing a remote interactive command shell. All communications with the C2 server are sent over HTTP to a static URL, appending various URL parameters to the request. Some variants use a slightly different URL.",
- "value": "TABMSGSQL"
+ "value": "TABMSGSQL",
+ "uuid": "d5a4cbe7-81c9-4a52-80ee-07ca3f625844"
 },
 {
 "meta": {
@@ -2402,7 +2644,8 @@
 ]
 },
 "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-ECLIPSE family is distinguished by the presence of 'eclipse' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.",
- "value": "TARSIP-ECLIPSE"
+ "value": "TARSIP-ECLIPSE",
+ "uuid": "049590f1-3f3a-4670-a341-d6d29fbb123f"
 },
 {
 "meta": {
@@ -2411,7 +2654,8 @@
 ]
 },
 "description": "The TARSIP malware family is a backdoor which communicates over encoded information in HTTPS headers. Typical TARSIP malware samples will only beacon out to their C2 servers if the C2 DNS address resolves to a specific address. The capability of TARSIP backdoors includes file uploading, file downloading, interactive command shells, process enumeration, process creation, process termination. The TARSIP-MOON family is distinguished by the presence of 'moon' in .pdb debug strings present in the malware samples. It does not provide a built in mechanism to maintain persistence.",
- "value": "TARSIP-MOON"
+ "value": "TARSIP-MOON",
+ "uuid": "dbce78ac-5729-4bd1-b7c0-6bc0344564bc"
 },
 {
 "meta": {
@@ -2420,7 +2664,8 @@
 ]
 },
 "description": "The WARP malware family is an HTTP based backdoor written in C++, and the majority of its code base is borrowed from source code available in the public domain. Network communications are implemented using the same WWW client library (w3c.cpp) available from www.dankrusi.com/file_69653F3336383837.html. The malware has system survey functionality (collects hostname, current user, system uptime, CPU speed, etc.) taken directly from the BO2K backdoor available from www.bo2k.com. It also contains the hard disk identification code found at www.winsim.com/diskid32/diskid32.cpp. When the WARP executing remote commands, the malware creates a copy of the ?%SYSTEMROOT%\\system32\\cmd.exe? file as '%USERPROFILE%\\Temp\\~ISUN32.EXE'. The version signature information of the duplicate executable is zeroed out. Some WARP variants maintain persistence through the use of DLL search order hijacking.",
- "value": "WARP"
+ "value": "WARP",
+ "uuid": "29917fb3-6c56-4659-a203-5885c4a8e70f"
 },
 {
 "meta": {
@@ -2429,7 +2674,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is capable of downloading and executing a file. All variants represented here are the same file with different MD5 signatures. This malware attempts to contact its C2 once a week (Thursday at 10:00 AM). It looks for commands inside a set of HTML tags, part of which are in the File Strings indicator term below.",
- "value": "WEBC2-ADSPACE"
+ "value": "WEBC2-ADSPACE",
+ "uuid": "2d8043b4-48ef-4992-a04a-c342cbbb4f87"
 },
 {
 "meta": {
@@ -2438,7 +2684,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware family is a only a downloader which operates over the HTTP protocol with a hard-coded URL. If directed, it has the capability to download, decompress, and execute compressed binaries.",
- "value": "WEBC2-AUSOV"
+ "value": "WEBC2-AUSOV",
+ "uuid": "e2a27431-28ea-42e3-a0cc-72f29828c292"
 },
 {
 "meta": {
@@ -2447,7 +2694,8 @@
 ]
 },
 "description": " A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware is a backdoor capable of downloading files and updating its configuration. Communication with the command and control (C2) server uses a combination of single-byte XOR and Base64 encoded data wrapped in standard HTML tags. The malware family installs a registry key as a persistence mechanism.",
- "value": "WEBC2-BOLID"
+ "value": "WEBC2-BOLID",
+ "uuid": "a601e1b0-c0bc-4665-9639-4dc5e588520c"
 },
 {
 "meta": {
@@ -2456,7 +2704,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The family of malware provides the attacker with an interactive command shell, the ability to upload and download files, execute commands on the system, list processes and DLLs, kill processes, and ping hosts on the local network. Responses to these commands are encrypted and compressed before being POSTed to the server. Some variants copy cmd.exe to Updatasched.exe in a temporary directory, and then may launch that in a process if an interactive shell is called. On initial invocation, the malware also attempts to delete previous copies of the Updatasched.exe file.",
- "value": "WEBC2-CLOVER"
+ "value": "WEBC2-CLOVER",
+ "uuid": "d7fa0245-2cff-475f-9d8c-3728c83ac194"
 },
 {
 "meta": {
@@ -2465,7 +2714,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware act only as downloaders and droppers for other malware. They communicate with a hard-coded C2 server, reading commands embedded in HTML comment fields. Some variants are executables which act upon execution, others are DLLs which can be attached to services or loaded through search order hijacking.",
- "value": "WEBC2-CSON"
+ "value": "WEBC2-CSON",
+ "uuid": "950a8038-eeec-44a0-b3db-a557e5796416"
 },
 {
 "meta": {
@@ -2474,7 +2724,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-DIV variant searches for the strings \"div safe:\" and \" balance\" to delimit encoded C2 information. If the decoded string begins with the letter \"J\" the malware will parse additional arguments in the decoded string to specify the sleep interval to use. WEBC2-DIV is capable of downloading a file, downloading and executing a file, or sleeping a specified interval.",
- "value": "WEBC2-DIV"
+ "value": "WEBC2-DIV",
+ "uuid": "54be66ea-fd26-4f25-b4af-d10d16fa919f"
 },
 {
 "meta": {
@@ -2483,7 +2734,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This malware is a variant on the GREENCAT family, using a fixed web C2. This family is a full featured backdoor which provides remote command execution, file transfer, process and service enumeration and manipulation. It installs itself persistently through the current user's registry Run key.",
- "value": "WEBC2-GREENCAT"
+ "value": "WEBC2-GREENCAT",
+ "uuid": "bfe69071-17bf-466f-97fd-669b72053137"
 },
 {
 "meta": {
@@ -2492,7 +2744,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-HEAD variant communicates over HTTPS, using the system's SSL implementation to encrypt all communications with the C2 server. WEBC2-HEAD first issues an HTTP GET to the host, sending the Base64-encoded string containing the name of the compromised machine running the malware.",
- "value": "WEBC2-HEAD"
+ "value": "WEBC2-HEAD",
+ "uuid": "4ef97a7e-5686-44cb-ad91-7a393f32f39b"
 },
 {
 "meta": {
@@ -2501,7 +2754,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-KT3 variant searches for commands in a specific comment tag. Network traffic starting with *!Kt3+v| may indicate WEBC2-KT3 activity.",
- "value": "WEBC2-KT3"
+ "value": "WEBC2-KT3",
+ "uuid": "e2afc267-9674-4ca3-807f-47678fb40da4"
 },
 {
 "meta": {
@@ -2510,7 +2764,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-QBP variant will search for two strings in a HTML comment. The first will be \"2010QBP \" followed by \" 2010QBP//--\". Inside these tags will be a DES-encrypted string. ",
- "value": "WEBC2-QBP"
+ "value": "WEBC2-QBP",
+ "uuid": "84f3bacf-abd5-445e-a98a-5b02f1eaac92"
 },
 {
 "meta": {
@@ -2519,7 +2774,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. This family of malware will set itself up as a service and connect out to a hardcoded web page and read a modified base64 string from this webpage. The later versions of this malware supports three commands (earlier ones are just downloaders or reverse shells). The first commands will sleep the malware for N number of hours. The second command will download a binary from the encoded HTML comment and execute it on the infected host. The third will spawn an encoded reverse shell to an attacker specified location and port.",
- "value": "WEBC2-RAVE"
+ "value": "WEBC2-RAVE",
+ "uuid": "9e36feee-e7d2-400a-960e-5f2bd6ac0c15"
 },
 {
 "meta": {
@@ -2528,7 +2784,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.",
- "value": "WEBC2-TABLE"
+ "value": "WEBC2-TABLE",
+ "uuid": "269fee27-f275-44e9-a0db-bebf14d2f83c"
 },
 {
 "meta": {
@@ -2537,7 +2794,8 @@
 ]
 },
 "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags to be present in the requested Web page. If the data in these tags are formatted correctly, the malware will decode a second URL and a filename. This URL is then retrieved, written to the decoded filename and executed.",
- "value": "WEBC2-TOCK"
+ "value": "WEBC2-TOCK",
+ "uuid": "3213c61f-100c-4174-b50b-c7e256ae5474"
 },
 {
 "meta": {
@@ -2546,7 +2804,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of malware provide remote command shell and remote file download and execution capabilities. The malware downloads a web page containing a crafted HTML comment that subsequently contains an encoded command. The contents of this command tell the malware whether to download and execute a program, launch a reverse shell to a specific host and port number, or to sleep for a period of time. ",
- "value": "WEBC2-UGX"
+ "value": "WEBC2-UGX",
+ "uuid": "d155c213-02bd-4992-a410-a541a1c1eb40"
 },
 {
 "meta": {
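Review bot: The WEBC2-TOCK description in the `@@ -2537,7 +2794,8 @@` hunk is identical to the WEBC2-TABLE description of the preceding hunk and literally says `The WEBC2-TABLE variant looks for web pages containing 'background', 'align', and 'bgcolor' tags`, so the TOCK entry currently documents a different family. This looks like a copy carried over from the TABLE entry rather than something this commit introduced, but a stable `uuid` is now being attached to the entry, and once that identifier starts circulating the mismatched text travels with it. The description should be corrected against the entry's cited reference (its `refs` list is outside the hunk) before merge, or at minimum the TABLE-specific sentences removed so the entry does not assert behaviour that belongs to another variant. The JSON object containing it starts and ends outside the hunk.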
@@ -2555,7 +2814,8 @@
 ]
 },
 "description": "A WEBC2 backdoor is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. Members of this family of backdoor malware talk to specific Web-based Command & Control (C2) servers. The backdoor has a limited command set, depending on version. It is primarily a downloader, but it classified as a backdoor because it can accept a limited command set, including changing local directories, downloading and executing additional files, sleeping, and connecting to a specific IP & port not initially included in the instruction set for the malware. Each version of the malware has at least one hardcoded URL to which it connects to receive its initial commands. This family of malware installs itself as a service, with the malware either being the executable run by the service, or the service DLL loaded by a legitimate service. The same core code is seen recompiled on different dates or with different names, but the same functionality. Key signatures include a specific set of functions (some of which can be used with the OS-provided rundll32.exe tool to install the malware as a service), and hardcoded strings used in communication with C2 servers to issue commands to the implant.",
- "value": "WEBC2-Y21K"
+ "value": "WEBC2-Y21K",
+ "uuid": "215f6352-324f-4735-9fda-ffec0daaa2d2"
 },
 {
 "meta": {
@@ -2564,7 +2824,8 @@ ] }, "description": "The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.", - "value": "WEBC2-YAHOO" + "value": "WEBC2-YAHOO", + "uuid": "d49f372e-c4ee-47bd-bc98-e3877fabaf9e" }, { "meta": { @@ -2573,7 +2834,8 @@ ] }, "description": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string.", - "value": "HAYMAKER" + "value": "HAYMAKER", + "uuid": "d71604d2-a17e-4b4e-82be-19cb54f93161" }, { "meta": { @@ -2582,7 +2844,8 @@ ] }, "description": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell.", - "value": "BUGJUICE" + "value": "BUGJUICE", + "uuid": "90124cc8-1205-4e63-83ad-5c45a110b1e6" }, { "meta": { 
@@ -2591,7 +2854,8 @@ ] }, "description": "SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell. Persistence is maintained through a Run registry key.", - "value": "SNUGRIDE" + "value": "SNUGRIDE", + "uuid": "6a42aa10-5b7e-43b0-8c58-414cdaeda453" }, { "meta": { @@ -2600,7 +2864,8 @@ ] }, "description": "QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past.", - "value": "QUASARRAT" + "value": "QUASARRAT", + "uuid": "4d58ad7d-b5ee-4efb-b6af-6c70aadb326a" }, { "meta": { @@ -2615,7 +2880,8 @@ ] }, "description": "Hacking Team’s \"DaVinci\" Remote Control System is able, the company says, to break encryption and allow law enforcement agencies to monitor encrypted files and emails (even ones encrypted with PGP), Skype and other Voice over IP or chat communication. It allows identification of the target’s location and relationships. It can also remotely activate microphones and cameras on a computer and works worldwide. Hacking Team claims that its software is able to monitor hundreds of thousands of computers at once, all over the country. Trojans are available for Windows, Mac, Linux, iOS, Android, Symbian and Blackberry.", - "value": "da Vinci RCS" + "value": "da Vinci RCS", + "uuid": "37709067-e55e-473b-bb1c-312a27714d0c" }, { "meta": { 
@@ -2625,7 +2891,8 @@ ] }, "description": "LATENTBOT, a new, highly obfuscated BOT that has been in the wild since mid-2013. It has managed to leave hardly any traces on the Internet, is capable of watching its victims without ever being noticed, and can even corrupt a hard disk, thus making a PC useless.", - "value": "LATENTBOT" + "value": "LATENTBOT", + "uuid": "635d260f-39d9-4d3f-99ec-d2560cb5d694" }, { "meta": { @@ -2637,7 +2904,8 @@ ] }, "description": "Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.", - "value": "FINSPY" + "value": "FINSPY", + "uuid": "dd4358a4-7a43-42f7-8322-0f941ee61e57" }, { "meta": { 
@@ -2646,127 +2914,158 @@ ] }, "description": "HackingTeam Remote Control System (RCS) Galileo hacking platform", - "value": "RCS Galileo" + "value": "RCS Galileo", + "uuid": "8a15832a-2cb1-47cc-8916-c16a507f7154" }, { "description": "RedHat 7.0 - 7.1 Sendmail 8.11.x exploit", - "value": "EARLYSHOVEL" + "value": "EARLYSHOVEL", + "uuid": "80c7b1bf-c35f-4831-90ce-0699f6173f1b" }, { "description": "root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86", - "value": "EBBISLAND (EBBSHAVE)" + "value": "EBBISLAND (EBBSHAVE)", + "uuid": "370331a1-2178-4369-afb7-ce2da134a2ba" }, { "description": "remote Samba 3.0.x Linux exploit", - "value": "ECHOWRECKER" + "value": "ECHOWRECKER", + "uuid": "0381c40e-81c6-4a18-b5b6-48b7eef211c7" }, { "description": "appears to be an MDaemon email server vulnerability", - "value": "EASYBEE" + "value": "EASYBEE", + "uuid": "7f96b58d-0f41-46cd-8141-c53d2a03fb81" }, { "description": "an IBM Lotus Notes exploit that gets detected as Stuxnet", - "value": "EASYPI" + "value": "EASYPI", + "uuid": "4f3df03f-336d-4a2b-a500-47e93a4259e6" }, { "description": "an exploit for IBM Lotus Domino 6.5.4 & 7.0.2", - "value": "EWOKFRENZY" + "value": "EWOKFRENZY", + "uuid": "c8fedb97-4f7e-48d1-8f2a-5e0562c1fba0" }, { "description": "an IIS 6.0 exploit that creates a remote backdoor", - "value": "EXPLODINGCAN" + "value": "EXPLODINGCAN", + "uuid": "f843ef63-9e42-42d0-84a0-40d863985088" }, { "description": "a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010)", - "value": "ETERNALROMANCE" + "value": "ETERNALROMANCE", + "uuid": "b5c5174e-36a2-4b53-aed7-91b006514c8b" }, { "description": "a SMB exploit (MS09-050)", - "value": "EDUCATEDSCHOLAR" + "value": "EDUCATEDSCHOLAR", + "uuid": "342a64db-f130-4ac2-96d2-a773fb2bf86d" }, { "description": "a SMB exploit for Windows XP and Server 2003 (MS10-061)", - "value": "EMERALDTHREAD" + "value": "EMERALDTHREAD", + 
"uuid": "32cd0bfb-9269-43ba-9c43-9fc484a30ad0" }, { "description": "a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2", - "value": "EMPHASISMINE" + "value": "EMPHASISMINE", + "uuid": "48393a71-3814-48ab-805b-a7914e006814" }, { "description": "Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users", - "value": "ENGLISHMANSDENTIST" + "value": "ENGLISHMANSDENTIST", + "uuid": "ce484c02-b538-4351-ba7e-48c7d05c013f" }, { "description": "0-day exploit (RCE) for Avaya Call Server", - "value": "EPICHERO" + "value": "EPICHERO", + "uuid": "7120af74-6589-44a4-aee6-0f8fd3808d54" }, { "description": "SMBv1 exploit targeting Windows XP and Server 2003", - "value": "ERRATICGOPHER" + "value": "ERRATICGOPHER", + "uuid": "a82fa4a0-1904-4c03-9fc4-7cbcd255ce58" }, { "description": "a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)", - "value": "ETERNALSYNERGY" + "value": "ETERNALSYNERGY", + "uuid": "b4547fe9-25c9-40b6-9256-07f1ed7548c4" }, { "description": "SMBv2 exploit for Windows 7 SP1 (MS17-010)", - "value": "ETERNALBLUE" + "value": "ETERNALBLUE", + "uuid": "e5b14d3e-ae59-495e-bdcb-f9d876db3f87" }, { "description": "a SMBv1 exploit", - "value": "ETERNALCHAMPION" + "value": "ETERNALCHAMPION", + "uuid": "4aee9bfe-f01d-44ea-9edd-91ecad88413a" }, { "description": "Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers", - "value": "ESKIMOROLL" + "value": "ESKIMOROLL", + "uuid": "4a8db2c4-04fb-49e0-b688-1bc5d8354072" }, { "description": "RDP exploit and backdoor for Windows Server 2003", - "value": "ESTEEMAUDIT" + "value": "ESTEEMAUDIT", + "uuid": "5d9131be-c3bb-44ac-9c4d-19fcc97d2efd" }, { "description": "RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)", - "value": "ECLIPSEDWING" + "value": "ECLIPSEDWING", + "uuid": "406ad0a9-b1fc-4edc-aa20-692a69f349a6" }, { "description": "exploit for IMail 8.10 to 8.22", - "value": "ETRE" + "value": 
"ETRE", + "uuid": "3aaef939-132c-4cfb-9243-20918373ccfe" }, { "description": "an exploit framework, similar to MetaSploit", - "value": "FUZZBUNCH" + "value": "FUZZBUNCH", + "uuid": "3de1aa96-24cd-4790-babc-df0b2d657bdb" }, { "description": "implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors", - "value": "ODDJOB" + "value": "ODDJOB", + "uuid": "d20f9a41-db27-4d53-995e-547f86ff3d1e" }, { "description": "utility which Bypasses authentication for Oracle servers", - "value": "PASSFREELY" + "value": "PASSFREELY", + "uuid": "b68ac0c5-124a-4f22-9c99-0c1cd42bdee3" }, { "description": "check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE", - "value": "SMBTOUCH" + "value": "SMBTOUCH", + "uuid": "48cf4f29-41a2-4244-bb25-377362eaa3ae" }, { "description": "Check if the target is running some RPC", - "value": "ERRATICGOPHERTOUCH" + "value": "ERRATICGOPHERTOUCH", + "uuid": "a122b8e0-1249-4c77-8ef7-6b9caf48ab4f" }, { "description": "check if the running IIS version is vulnerable", - "value": "IISTOUCH" + "value": "IISTOUCH", + "uuid": "7b4bf6dd-d191-429b-a5ee-9305093aa1ec" }, { "description": "get info about windows via RPC", - "value": "RPCOUTCH" + "value": "RPCOUTCH", + "uuid": "2c9e90ea-7421-4101-97a6-ebe095bd29ad" }, { "description": "used to connect to machines exploited by ETERNALCHAMPIONS", - "value": "DOPU" + "value": "DOPU", + "uuid": "f1657aac-a6be-4383-8cd6-06b833acf07c" }, { "description": "covert surveillance tools", - "value": "FlexSpy" + "value": "FlexSpy", + "uuid": "71d6e949-69df-4d64-9637-136780226f49" }, { "value": "feodo", @@ -2775,7 +3074,8 @@ "refs": [ "https://www.fireeye.com/blog/threat-research/2010/10/feodosoff-a-new-botnet-on-the-rise.html" ] - } + }, + "uuid": "372cdc12-d909-463c-877a-175f97f7abb5" }, { "value": "Cardinal RAT", 
@@ -2784,7 +3084,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" ] - } + }, + "uuid": "1d9fbf33-faea-40c1-b543-c7b39561f0ff" }, { "description": "The REDLEAVES implant consists of three parts: an executable, a loader, and the implant shellcode. The REDLEAVES implant is a remote administration Trojan (RAT) that is built in Visual C++ and makes heavy use of thread generation during its execution. The implant contains a number of functions typical of RATs, including system enumeration and creating a remote shell back to the C2.", 
@@ -2793,7 +3094,8 @@ "refs": [ "https://www.us-cert.gov/ncas/alerts/TA17-117A" ] - } + }, + "uuid": "179f7228-6fcf-4664-a084-57bd296d0cde" }, { "description": "Kazuar is a fully featured backdoor written using the .NET Framework and obfuscated using the open source packer called ConfuserEx. Unit 42 researchers have uncovered a backdoor Trojan used in an espionage campaign. The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. During our analysis of this malware we uncovered interesting code paths and other artifacts that may indicate a Mac or Unix variant of this same tool also exists. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver. We suspect the Kazuar tool may be linked to the Turla threat actor group (also known as Uroburos and Snake), who have been reported to have compromised embassies, defense contractors, educational institutions, and research organizations across the globe. A hallmark of Turla operations is iterations of their tools and code lineage in Kazuar can be traced back to at least 2005. If the hypothesis is correct and the Turla threat group is using Kazuar, we believe they may be using it as a replacement for Carbon and its derivatives. Of the myriad of tools observed in use by Turla Carbon and its variants were typically deployed as a second stage backdoor within targeted environments and we believe Kazuar may now hold a similar role for Turla operations.", 
@@ -2802,7 +3104,8 @@ "refs": [ "http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" ] - } + }, + "uuid": "a5399473-859b-4c64-999b-a3b4070cd513" }, { "description": "Many links indicate, that this bot is another product of the people previously involved in Dyreza. It seems to be rewritten from scratch – however, it contains many similar features and solutions to those we encountered analyzing Dyreza (read more).", @@ -2817,7 +3120,8 @@ "TrickBot", "TrickLoader" ] - } + }, + "uuid": "a7dbd72f-8d53-48c6-a9db-d16e7648b2d4" }, { "description": "Netskope Threat Research Labs recently discovered a Phishing-as-a-Service (PhaaS) platform named Hackshit, that records the credentials of the phished bait victims. The phished bait pages are packaged with base64 encoding and served from secure (HTTPS) websites with “.moe” top level domain (TLD) to evade traditional scanners. “.moe” TLD is intended for the purpose of ‘The marketing of products or services deemed’. The victim’s credentials are sent to the Hackshit PhaaS platform via websockets. The Netskope Active Platform can proactively protect customers by creating custom applications and a policy to block all the activities related to Hackshit PhaaS.", @@ -2826,7 +3130,8 @@ "refs": [ "https://resources.netskope.com/h/i/352356475-phishing-as-a-service-phishing-revamped" ] - } + }, + "uuid": "02d2ed4a-ce3f-430b-a8da-5b9750c148ca" }, { "value": "Moneygram Adwind", 
@@ -2834,7 +3139,8 @@ "refs": [ "https://myonlinesecurity.co.uk/new-guidelines-from-moneygram-malspam-delivers-a-brand-new-java-adwind-version/" ] - } + }, + "uuid": "6c6e717d-03c5-496d-83e9-13bdaa408348" }, { "description": " Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or a drive-by download. When executed, Banload downloads other malware, often banking Trojans, on the victim’s system to carry out further infections.", @@ -2846,7 +3152,8 @@ "http://blog.trendmicro.com/trendlabs-security-intelligence/banload-limits-targets-via-security-plugin/", "https://securingtomorrow.mcafee.com/mcafee-labs/banload-trojan-targets-brazilians-with-malware-downloads/" ] - } + }, + "uuid": "d279bc1c-baa6-49aa-ab1b-7d012ae8db4e" }, { "description": "This small application is used to download other malware. What makes the bot interesting are various tricks that it uses for deception and self protection.", @@ -2858,7 +3165,8 @@ "synonyms": [ "Dofoil" ] - } + }, + "uuid": "81f41bae-2ba9-4cec-9613-776be71645ca" }, { "description": "The analyzed sample has a recent compilation date (2017-06-24) and is available on VirusTotal. It starts out by resolving several Windows functions using API hashing (CRC32 is used as the hashing function).", @@ -2867,7 +3175,8 @@ "refs": [ "https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/" ] - } + }, + "uuid": "c740c46b-1d95-42b5-ac3d-2bbab071b859" }, { "description": "Win.Worm.Fadok drops several files. %AppData%\\RAC\\mls.exe or %AppData%\\RAC\\svcsc.exe are instances of the malware which are auto-started when Windows starts. Further, the worm drops and opens a Word document. It connects to the domain wxanalytics[.]ru.", 
@@ -2880,7 +3189,8 @@ "synonyms": [ "Win32/Fadok" ] - } + }, + "uuid": "6243b2d1-381b-4aa4-a59f-839afcdf03f2" }, { "description": "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets.", @@ -2889,7 +3199,8 @@ "refs": [ "https://phishme.com/loki-bot-malware/" ] - } + }, + "uuid": "9085faf1-e5ec-4e51-83eb-92620afda7be" }, { "description": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. \nThroughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time. In this article, we will analyse this evolution:", 
@@ -2898,7 +3209,8 @@ "refs": [ "http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" ] - } + }, + "uuid": "24ee55e3-697f-482f-8fa8-d05999df40cd" }, { "description": "Recently, Palo Alto Networks researchers discovered an advanced Android malware we’ve named “SpyDealer” which exfiltrates private data from more than 40 apps and steals sensitive messages from communication apps by abusing the Android accessibility service feature. SpyDealer uses exploits from a commercial rooting app to gain root privilege, which enables the subsequent data theft.", @@ -2907,7 +3219,8 @@ "refs": [ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" ] - } + }, + "uuid": "f86b4977-228d-4b31-854d-8bdc92db4653" }, { "value": "CowerSnail", @@ -2916,7 +3229,8 @@ "refs": [ "https://securelist.com/cowersnail-from-the-creators-of-sambacry/79087/" ] - } + }, + "uuid": "6da16d56-eaf9-475d-a7e0-4a11e0200c14" }, { "description": "In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae. In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.", 
@@ -2928,7 +3242,8 @@ "synonyms": [ "trojan-banker.androidos.svpeng.ae" ] - } + }, + "uuid": "a33df440-f112-4a5e-a290-3c65dae6091d" }, { "description": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.", @@ -2940,7 +3255,8 @@ "refs": [ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" ] - } + }, + "uuid": "9334c430-0d83-4893-8982-66a1dc1a2b11" }, { "description": "Like TwoFace, the IntrudingDivisor webshell requires the threat actor to authenticate before issuing commands. To authenticate, the actor must provide two pieces of information, first an integer that is divisible by 5473 and a string whose MD5 hash is “9A26A0E7B88940DAA84FC4D5E6C61AD0”. Upon successful authentication, the webshell has a command handler that uses integers within the request to determine the command to execute - To complete", 
@@ -2952,7 +3268,8 @@ "refs": [ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" ] - } + }, + "uuid": "bb2bd10b-b36d-4390-bf60-bd8d2d7cedec" }, { "description": "Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (Detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By utilizing a completely fileless infection chain, the malware will be more difficult to analyze using a sandbox, making it more difficult for anti-malware engineers to examine.", @@ -2961,7 +3278,8 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/" ] - } + }, + "uuid": "c602edae-b186-4c60-a4f6-8785d6aa0eb0" }, { "value": "EngineBox Malware", @@ -2970,7 +3288,8 @@ "refs": [ "https://isc.sans.edu/diary/22736" ] - } + }, + "uuid": "17839df6-aa15-4269-b4b1-9e7ae8cfec1e" }, { "value": "Joao", @@ -2979,7 +3298,8 @@ "refs": [ "https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/" ] - } + }, + "uuid": "673d05fa-4066-442c-bdb6-0c0a2da5ae62" }, { "value": "Fireball", @@ -2988,7 +3308,8 @@ "refs": [ "https://www.cylance.com/en_us/blog/threat-spotlight-is-fireball-adware-or-malware.html" ] - } + }, + "uuid": "968df869-7f60-4420-989f-23dfdbd58668" }, { "value": "ShadowPad", @@ -2997,7 +3318,8 @@ "refs": [ "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf" ] - } + }, + "uuid": "2448a4e1-46e3-4c42-9fd1-f51f8ede58c1" }, { "value": "IoT_reaper", @@ -3006,7 +3328,8 @@ "refs": [ "http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/" ] - } + }, + "uuid": "6052becf-3060-444c-8ed7-d4a3901ae7dd" }, { "value": "FormBook", 
@@ -3016,7 +3339,8 @@ "https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html", "https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/" ] - } + }, + "uuid": "c7e7063b-b2a2-4046-8a19-94dea018eaa0" }, { "value": "Dimnie", @@ -3025,7 +3349,8 @@ "refs": [ "https://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/" ] - } + }, + "uuid": "9fed4326-a7ad-4c58-ab87-90ac3957d82f" }, { "value": "ALMA Communicator", @@ -3034,7 +3359,8 @@ "refs": [ "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/" ] - } + }, + "uuid": "45de0d28-5a20-4190-ae21-68067e36e316" }, { "value": "Silence", @@ -3043,7 +3369,8 @@ "refs": [ "https://securelist.com/the-silence/83009/" ] - } + }, + "uuid": "304fd753-c917-4008-8f85-81390c37a070" }, { "value": "Volgmer", @@ -3052,7 +3379,8 @@ "refs": [ "https://www.us-cert.gov/ncas/alerts/TA17-318B" ] - } + }, + "uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931" }, { "value": "Nymaim", @@ -3061,7 +3389,8 @@ "refs": [ "https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0" ] - } + }, + "uuid": "d36f4834-b958-4f32-aff0-5263e0034408" }, { "value": "GootKit", @@ -3076,7 +3405,8 @@ "synonyms": [ "Gootkit" ] - } + }, + "uuid": "07ffcf9f-b9c0-4b22-af4b-78527427e6f5" }, { "value": "Agent Tesla", @@ -3085,7 +3415,8 @@ "refs": [ "https://www.agenttesla.com/" ] - } + }, + "uuid": "f8cd62cb-b9d3-4352-8f46-0961cfde104c" }, { "value": "Ordinypt", @@ -3097,7 +3428,8 @@ "synonyms": [ "HSDFSDCrypt" ] - } + }, + "uuid": "1d46f816-d159-4457-b98e-c34307d90655" }, { "value": "StrongPity2", @@ -3109,7 +3441,8 @@ "refs": [ "https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/" ] - } + }, + "uuid": "d422e7c9-a2ac-45b2-9804-61d16a6e30e7" }, { "value": "wp-vcd", 
@@ -3119,7 +3452,8 @@ "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-campaign-is-back/", "https://www.bleepingcomputer.com/news/security/wp-vcd-wordpress-malware-spreads-via-nulled-wordpress-themes/" ] - } + }, + "uuid": "99de56dc-92c5-4540-91bc-a6cd1e3a3c7f" }, { "value": "MoneyTaker 5.0", @@ -3128,7 +3462,8 @@ "refs": [ "https://www.group-ib.com/blog/moneytaker" ] - } + }, + "uuid": "0acb6f04-7e51-44bb-843c-4bb55a3647d5" }, { "value": "Quant Loader", @@ -3138,7 +3473,8 @@ "https://www.bleepingcomputer.com/news/security/quant-loader-is-now-bundled-with-other-crappy-malware/", "https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground" ] - } + }, + "uuid": "2d1aadfb-03c1-4580-b6ac-f12c6941067d" }, { "value": "SSHDoor", @@ -3147,7 +3483,8 @@ "refs": [ "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/" ] - } + }, + "uuid": "f258f96c-8281-4b24-8aa7-4e23d1a5540e" }, { "value": "TRISIS", @@ -3160,7 +3497,8 @@ "synonyms": [ "TRITON" ] - } + }, + "uuid": "8a45d1a5-8157-4303-a47a-352282065059" }, { "value": "OSX.Pirrit", @@ -3174,7 +3512,8 @@ "synonyms": [ "OSX/Pirrit" ] - } + }, + "uuid": "e2b7ddc2-2fce-4ef9-9054-609e74a8775e" }, { "value": "GratefulPOS", @@ -3183,7 +3522,8 @@ "refs": [ "https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season" ] - } + }, + "uuid": "4cfe3f22-96b8-4d3d-a6cc-85835d9471e2" }, { "value": "PRILEX", @@ -3192,7 +3532,8 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" ] - } + }, + "uuid": "523e8772-0610-424c-bcfb-9123bcb8328f" }, { "value": "CUTLET MAKER", 
@@ -3201,7 +3542,8 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/" ] - } + }, + "uuid": "c03e7054-6013-4f69-994d-7cdaa41588ed" }, { "value": "Satori", @@ -3214,7 +3556,8 @@ "synonyms": [ "Okiru" ] - } + }, + "uuid": "1ad4697b-3388-48ed-8621-85abebf5dbbf" }, { "value": "PowerSpritz", @@ -3223,7 +3566,8 @@ "refs": [ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ] - } + }, + "uuid": "5629bc84-58eb-42d9-adc6-cd0eeb08ccaf" }, { "value": "PowerRatankba", @@ -3232,7 +3576,8 @@ "refs": [ "https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf" ] - } + }, + "uuid": "1f1be19e-d1b5-408b-90a0-03ad27cc8924" }, { "value": "Ratankba", @@ -3241,7 +3586,8 @@ "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" ] - } + }, + "uuid": "64b3c66b-fc70-4b5a-83a9-866cde2ccb0b" }, { "value": "USBStealer", @@ -3250,7 +3596,8 @@ "refs": [ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" ] - } + }, + "uuid": "44909efb-7cd3-42e3-b225-9f3e96b5f362" }, { "value": "Downdelph", @@ -3259,7 +3606,8 @@ "refs": [ "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/" ] - } + }, + "uuid": "837a295c-15ff-41c0-9b7e-5f2fb502b00a" }, { "value": "CoinMiner", @@ -3268,7 +3616,8 @@ "refs": [ "https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/" ] - } + }, + "uuid": "89bd2020-2594-45c4-8957-522c0ac41370" }, { "value": "FruitFly", @@ -3277,7 +3626,8 @@ "refs": [ "https://objective-see.com/blog/blog_0x25.html#FruitFly" ] - } + }, + "uuid": "6a6525b9-4656-4973-ab45-588592395d0c" }, { "value": "MacDownloader", @@ -3289,7 +3639,8 @@ "synonyms": [ "iKitten" ] - } + }, + "uuid": "14f08f6f-7f58-48a8-8469-472244ffb571" }, { "value": "Empyre", 
@@ -3301,7 +3652,8 @@
 "synonyms": [
 "Empye"
 ]
- }
+ },
+ "uuid": "cf55bbb8-37eb-4cc6-ac14-7b42b950c687"
 },
 {
 "value": "Proton",
@@ -3310,7 +3662,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html#Proton"
 ]
- }
+ },
+ "uuid": "a495d254-7092-4a63-9872-3a82c13fe2dd"
 },
 {
 "value": "Mughthesec",
@@ -3319,7 +3672,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
- }
+ },
+ "uuid": "4e2f0af2-6d2d-4a49-adc9-fae3745fcb72"
 },
 {
 "value": "Pwnet",
@@ -3328,7 +3682,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
- }
+ },
+ "uuid": "29e52693-b325-4c14-93de-8f2ff9dca8bf"
 },
 {
 "value": "CpuMeaner",
@@ -3337,7 +3692,8 @@
 "refs": [
 "https://objective-see.com/blog/blog_0x25.html"
 ]
- }
+ },
+ "uuid": "5bc62523-dc80-46b4-b5cb-9caf44c11552"
 },
 {
 "value": "Travle",
@@ -3349,7 +3705,8 @@
 "synonyms": [
 "PYLOT"
 ]
- }
+ },
+ "uuid": "9d689318-2bc1-4bfb-92ee-a81fea35434f"
 },
 {
 "value": "Digmine",
@@ -3358,7 +3715,8 @@
 "refs": [
 "https://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/"
 ]
- }
+ },
+ "uuid": "d248a27c-d036-4032-bc70-803a1b0c8148"
 }
 ]
 }
diff --git a/tools/add_missing_uuid.py b/tools/add_missing_uuid.py
new file mode 100644
index 0000000..229a9b3
--- /dev/null
+++ b/tools/add_missing_uuid.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import json
+import argparse
+import uuid
+
+parser = argparse.ArgumentParser(description='Add missing uuids in clusters')
+parser.add_argument("-f", "--filename", required=True, help="name of the cluster")
+args = parser.parse_args()
+
+with open(args.filename) as json_file:
+    data = json.load(json_file)
+    json_file.close()
+
+    for value in data['values']:
+        if 'uuid' not in value:
+            value['uuid'] = str(uuid.uuid4())
+
+with open(args.filename, 'w') as json_file:
+    json.dump(data, json_file, indent=4)
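Review bot: `json.dump(data, json_file, indent=4)` on the last line of tools/add_missing_uuid.py keeps the default `ensure_ascii=True`, so every non-ASCII character in the cluster text (the `’` in the HAYMAKER and SNUGRIDE descriptions further up this diff, for instance) is rewritten as a `\uXXXX` escape on the next run, and neither `open()` call passes `encoding=`, so the result also depends on the locale of whoever runs the tool. I would change the three lines to `with open(args.filename, encoding='utf-8') as json_file:`, `with open(args.filename, 'w', encoding='utf-8') as json_file:` and `json.dump(data, json_file, indent=4, ensure_ascii=False)`. The `json_file.close()` inside the first `with` block is redundant, since the context manager already closes the file, and the `for` loop does not need to sit inside that block either. Because the cluster file is rewritten in place, any exception raised during the dump leaves it truncated; writing to a temporary file beside it and moving that over the original with `os.replace` would make the tool safe to interrupt.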