Relations to add

[Delta-Sierra]

• Related --> Mirai --> Mirai Sora --> Mirai Owari

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> SmokeLoader (tool) - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> Kraken Cryptor Ransomware (ransomware -should be added-) - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> Smoke Loader (mitre-entreprise-malware) - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> GandCrab Ransomware (ransomware) - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> SAVEfiles (ransomware) - dropped-by

• uses/used-by --> APT28 (threat-actor) - uses --> LoJax (tool) - used-by

• variant-of --> BankBot (android) --> Razdel (android or banking - galaxy to choose)

[Delta-Sierra]

Self-reminder (can be moved): Might be interesting to find a easy way to manage reciprocal relationships, such as dropped(dropper)/dropped-by or uses/used-by for instance

[Delta-Sierra]

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> CoalaBot (tool -to add-) - dropped-by

[Delta-Sierra]

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> SAVEFiles (ransomware) - dropped-by

• variant-of --> Panda Banker (Banker) --> Zeus (Banker)

---

ref: https://www.bleepingcomputer.com/news/security/new-backdoor-ties-notpetya-and-industroyer-to-telebots-group/

• uses/used-by --> TeleBots Group --> NotPetya

• uses/used-by --> TeleBots Group --> Industroyer

• uses/used-by --> TA530 --> August (tool)

---

• variant-of --> File-Locker (ransomware) --> Hidden Tear (ransomware)

[Delta-Sierra]

• uses/used-by --> APT 10 --> Quasar RAT

• Related (probably) --> MVP Ransomware --> Scarab Ransomware ref: https://twitter.com/siri_urz/status/1039077365039673344

• Related --> Scarab-DiskDoctor (Ransomware) --> Scarab (Ransomware)

  ref: https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

• uses/used-by --> HookAds --> Fallout

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> DanaBot banking Trojan - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> Nocturnal information stealer - dropped-by

• dropped/dropped-by --> Fallout (exploit-kit) - dropped --> GlobeImposter ransomware - dropped-by

---

• Possibly related: --> EnyBeny Nuclear Ransomware --> EnyBeny Horsuke Ransomware

• probably related --> EQ ransomware --> Globeimposter

---

• uses/used-by --> TA505 (threat actor) - uses --> ServHelper backdoor - used-by

• uses/used-by --> TA505 (threat actor) - uses --> FlawedGrace remote access trojan (RAT) - used-by

---

• is part of (?) --> Lazarus Group - contains --> STARDUST CHOLLIMA - is part of

---

APT10 Associated malware: HAYMAKER, SNUGRIDE, BUGJUICE, QUASARRAT

---

Princess Ransomware Variant --> Princess Evolution

Razdel is BankBot variant

[SteveClement]

@Delta-Sierra could you label this accordingly, it seems to be WiP of some sorts?

[Delta-Sierra]

This can be considered as WIP indeed. Or a kind of memo.