Add in Mordor, CryptoMix & Jaff extensions

[kevross33]

Just some additional extensions. On another note what is people's views on clearing out some of the older extensions from earlier versions of families (i.e. Locky has 8 IOCs alone yet only osiris is being used). There is an argument to be made for older variants being identified as part of research but I am wondering about performance.

[KillerInstinct]

If performance is your hold-back then just combine the regexes. RE2 will have no issues.

            (".*\.locky$", ["Locky"]),
            (".*\.zepto$", ["Locky"]),
            (".*\.odin$", ["Locky"]),
            (".*\.shit$", ["Locky"]),
            (".*\.thor$", ["Locky"]),
            (".*\.aesir$", ["Locky"]),
            (".*\.zzzzz$", ["Locky"]),
            (".*\.osiris$", ["Locky"]),

to

            (".*\.(?:locky|zepto|odin|shit|thor|aesir|zzzzz|osiris)$", ["Locky"]),

[kevross33]

Oh thanks for the tip. I will make these changes

…

On 5 May 2017 6:05 p.m., "KillerInstinct" ***@***.***> wrote: If performance is your hold-back then just combine the regexes. RE2 will have no issues. (".*\.locky$", ["Locky"]), (".*\.zepto$", ["Locky"]), (".*\.odin$", ["Locky"]), (".*\.shit$", ["Locky"]), (".*\.thor$", ["Locky"]), (".*\.aesir$", ["Locky"]), (".*\.zzzzz$", ["Locky"]), (".*\.osiris$", ["Locky"]), to (".*\.(?:locky|zepto|odin|shit|thor|aesir|zzzzz|osiris)$", ["Locky"]), — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#254 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACTXtSmpKobSoKyhIkIWJIo659MpA83Bks5r21YOgaJpZM4NN07h> .