
Threat Roundup for March 15 to March 22


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 15 and March 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
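The roundup publishes its network indicators in defanged "[.]" form. The following added example (not code from the Talos post) parses that bullet format, refangs the values, and hunts for them in constructed log lines; the log lines and the section-header strings it keys on are assumptions taken from this post's layout, and every hit is a lead for triage, not a verdict.

```python
"""Refang the roundup's defanged IOCs and hunt for them in constructed log lines."""
import re

# Constructed from the Win.Ransomware.Gandcrab-6900355-0 block of the post,
# reproduced in the post's own "[.]" defanged bullet format.
ROUNDUP_SNIPPET = r"""
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • carder[.]bit
  • ransomware[.]bit
  • ns2[.]wowservers[.]ru
Files and or directories created
  • %AppData%\Microsoft\jfwwxp.exe
"""

# Constructed sample proxy / firewall / DNS log lines; not real telemetry.
SAMPLE_LOGS = [
    "2019-03-20T10:02:11Z proxy client=10.0.0.5 host=carder.bit path=/",
    "2019-03-20T10:02:12Z fw conn 10.0.0.5 -> 66.171.248.178:443 allowed",
    "2019-03-20T10:03:00Z fw conn 10.0.0.7 -> 166.171.248.178:80 allowed",
    "2019-03-20T10:04:15Z dns query notcarder.bit from 10.0.0.8",
    "2019-03-20T10:05:30Z proxy client=10.0.0.9 host=www.ransomware.bit path=/gate",
    "2019-03-20T10:06:02Z dns query ns2.wowservers.ru type=A from 10.0.0.5",
]


def refang(indicator: str) -> str:
    """Turn the post's '[.]' notation back into a plain dotted value."""
    return indicator.replace("[.]", ".")


def defang(indicator: str) -> str:
    """Inverse of refang, for writing indicators back out safely."""
    return indicator.replace(".", "[.]")


def parse_roundup_iocs(text: str) -> dict:
    """Collect the IP and domain bullets from a roundup block, still defanged.
    Section headers are matched on the wording this post uses."""
    iocs = {"ip": [], "domain": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IP Addresses contacted"):
            section = "ip"
        elif line.startswith("Domain Names contacted"):
            section = "domain"
        elif line.startswith(("Registry Keys", "Mutexes", "Files and or", "File Hashes")):
            section = None
        elif line.startswith("•") and section:
            value = line.lstrip("• ").strip()
            if value != "N/A":
                iocs[section].append(value)
    return iocs


def build_matchers(iocs: dict) -> dict:
    """One regex per indicator type. IPs must be whole dotted quads (so
    166.171.248.178 is not a hit for 66.171.248.178); domains also match as
    the suffix of a subdomain (www.ransomware.bit) but not inside other names."""
    ips = [re.escape(refang(i)) for i in iocs.get("ip", [])]
    domains = [re.escape(refang(d)) for d in iocs.get("domain", [])]
    matchers = {}
    if ips:
        matchers["ip"] = re.compile(r"(?<![\d.])(" + "|".join(ips) + r")(?![\d.])")
    if domains:
        matchers["domain"] = re.compile(
            r"(?<![\w.-])(?:[\w-]+\.)*(" + "|".join(domains) + r")(?![\w.-])",
            re.IGNORECASE)
    return matchers


def scan_logs(lines, iocs: dict) -> list:
    """Return (line_number, ioc_type, matched_value) for every indicator hit."""
    matchers = build_matchers(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, regex in matchers.items():
            for match in regex.finditer(line):
                hits.append((number, kind, match.group(1).lower()))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, parse_roundup_iocs(ROUNDUP_SNIPPET)):
        print(hit)
```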

The most prevalent threats highlighted in this roundup are:

  • Win.Ransomware.Gandcrab-6900355-0
    Ransomware
    GandCrab is ransomware that encrypts documents, photos, databases and other important files using the file extension ".GDCB", ".CRAB" or ".KRAB". GandCrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and GrandSoft.
     
  • Win.Trojan.Remcos-6898089-0
    Trojan
    Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. Remcos is commonly delivered through Microsoft Office Documents with macros, sent as attachments on malicious emails.
     
  • Win.Malware.Autoit-6897734-0
    Malware
    Autoit is a malware family leveraging the well-known AutoIT automation tool, widely used by system administrators. AutoIT exposes a rich scripting language that allows one to write fully functional malicious software. This family will install itself on the system and contact a C2 server to receive additional instructions.
     
  • Win.Ransomware.Cerber-6896901-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
     
  • Win.Malware.Zbot-6896522-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Malware.Ursnif-6896385-0
    Malware
    Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
     
  • Win.Packed.Kovter-6895460-0
    Packed
    Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
     
  • Win.Malware.Upatre-6894504-0
    Malware
    Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware.
     
  • Doc.Downloader.Emotet-6894115-0
    Downloader
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     
  • Win.Trojan.NetWire-6893426-1
    Trojan
    NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
     

Threats

Win.Ransomware.Gandcrab-6900355-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value Name: xbnykvblxlz
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 66[.]171[.]248[.]178
Domain Names contacted by malware. Does not indicate maliciousness
  • carder[.]bit
  • ransomware[.]bit
  • ns2[.]wowservers[.]ru
Files and or directories created
  • %AppData%\Microsoft\jfwwxp.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)

Win.Trojan.Remcos-6898089-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: exepath
  • <HKCU>\SOFTWARE\IYFIZFIFK-HKLTVU
    • Value Name: licence
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: Wordpads
Mutexes
  • Remcos_Mutex_Inj
  • iyfizfifk-HKLTVU
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]98[.]147
  • 103[.]200[.]5[.]128
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\Temp\install.vbs
  • %TEMP%\pyrogenetic.exe
  • %TEMP%\pyrogenetic.vbs
  • %ProgramFiles%\Wordpads\Wordpads.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Win.Malware.Autoit-6897734-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • altspace
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • charlesprofile[.]website
Files and or directories created
  • %UserProfile%\archiveint\adalsql.exe
  • %System32%\Tasks\Gfxv4_0
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)

Win.Ransomware.Cerber-6896901-0


Indicators of Compromise


Registry Keys
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value Name: SCRNSAVE.EXE
Mutexes
  • shell.{381828AA-8B28-3374-1B67-35680555C5EF}
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • cerberhhyed5frqa[.]vmfu48[.]win
Files and or directories created
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.html
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.txt
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.url
  • %SystemDrive%\Documents and Settings\All Users\# DECRYPT MY FILES #.vbs
  • %AppData%\Microsoft\Internet Explorer\apXmmhm1Ka.cerber (copy)
  • %AllUsersProfile%\Microsoft\Dr Watson\tMYvM36CEP.cerber (copy)
File Hashes

Coverage

Screenshots of Detection (AMP, Umbrella)

Win.Malware.Zbot-6896522-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: AppInit_DLLs
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\PROGRA~3\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
  • %SystemDrive%\PROGRA~3\Mozilla\lygbwac.dll
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Win.Malware.Ursnif-6896385-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 91[.]134[.]203[.]113
Domain Names contacted by malware. Does not indicate maliciousness
  • kkariannekatrina[.]company
  • f61leeii[.]com
  • qmitchelkp[.]com
Files and or directories created
  • %LocalAppData%\Temp\~DFDEB0FC636A1346E9.TMP
  • %LocalAppData%\Temp\~DFCE77235CFE7E5202.TMP
  • %LocalAppData%\Temp\~DFD0DDA0AA1947567A.TMP
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFA0E5.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFBF00.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DFD9FC.tmp
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)

Win.Packed.Kovter-6895460-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: b97dea2a
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: 99297e9b
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: cafa44a6
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: b612d32f
Mutexes
  • C59C87A31F74FB56
  • 1315B41013857E19
IP Addresses contacted by malware. Does not indicate maliciousness
  • 97[.]12[.]118[.]34
  • 95[.]173[.]120[.]56
  • 90[.]243[.]251[.]205
  • 96[.]18[.]11[.]140
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %LocalAppData%\recol\PqIpWoU.asARM
  • %LocalAppData%\Temp\ay35fayo.2m3.ps1
  • %LocalAppData%\Temp\uipfcjr2.khy.psm1
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Win.Malware.Upatre-6894504-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\FC6A75BE78
    • Value Name: 0521341d
  • <HKLM>\SOFTWARE\WOW6432NODE\6C5692EEDA48CF842254
    • Value Name: 4DE9F1CC8F5AEB40A9
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 139[.]59[.]81[.]114
Domain Names contacted by malware. Does not indicate maliciousness
  • ncaappraisers[.]com
Files and or directories created
  • %LocalAppData%\Temp\opera_autoupdater.exe
  • %LocalAppData%\Temp\wadly.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)

Doc.Downloader.Emotet-6894115-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 181[.]197[.]2[.]252
  • 94[.]73[.]147[.]237
Domain Names contacted by malware. Does not indicate maliciousness
  • emseenerji[.]com
Files and or directories created
  • %UserProfile%\208.exe
  • %WinDir%\SysWOW64\SCwdrA.exe
  • %LocalAppData%\Temp\CVR478.tmp
  • %LocalAppData%\Temp\iidzocqo.viy.psm1
  • %LocalAppData%\Temp\oflithzz.nz2.ps1
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)

Win.Trojan.NetWire-6893426-1


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: internat.exe
Mutexes
  • AlIgmljN
IP Addresses contacted by malware. Does not indicate maliciousness
  • 194[.]5[.]99[.]194
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %AppData%\Install\Host.exe
  • %UserProfile%\nltest\print.exe
File Hashes

Coverage

Screenshots of Detection (AMP, ThreatGrid)

Cisco Talos adds new Content Category

Our goal at Cisco Talos is to provide detailed and actionable information in order to let customers decide how best to protect their networks and users based on their needs.

To this end, Cisco Talos is adding a new content category to Talos Intelligence. Starting on April 3, supported Cisco platforms using Talos Intelligence will receive a new "Not Actionable" category. This category applies to sites that Cisco Talos has analyzed, but due to the nature of the site, a more specific category cannot be applied.

Some customers require more restrictive policies to be enforced on their networks but have found that blocking uncategorized URLs is too prohibitive for their users. The Not Actionable category includes sites that previously would be blocked if the customer restricted access to uncategorized sites. Sites labeled "Not Actionable" may not load any content or may remain unresponsive when loaded directly in a browser, the domains may not currently be reachable, or they are primarily composed of dynamically generated media that does not fit into a more specific category. Cisco Talos does not recommend that customers write blocking policies based solely on the Not Actionable category designation; it should be used in conjunction with web reputation intelligence.

Additional details may be found on the Talos Intelligence Categories page.

Vulnerability Spotlight: Multiple vulnerabilities in GOG Galaxy Games



Richard Johnson and Tyler Bohan of Cisco Talos discovered these vulnerabilities.

Executive summary

The GOG Galaxy video game launcher contains multiple vulnerabilities that could allow a malicious actor to carry out a variety of attacks. GOG Galaxy Games is a video game storefront that allows users to purchase new games and launch them from their desktop. 

In accordance with our coordinated disclosure policy, Cisco Talos worked with GOG to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

GOG Galaxy Updater Temp directory insecure file permissions local privilege elevation vulnerability (TALOS-2018-0722/CVE-2018-4048)

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's `Temp` directory. An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges. By default, GOG Galaxy extracts the executables for the automatic update function in a directory that allows anyone on the system to have "full control." This allows all users to read, write or modify arbitrary files related to the GOG Galaxy Updater Service. The executables include sensitive data, such as a root CA, as well as executables that will be run with SYSTEM privileges once they are installed, allowing an attacker to overwrite them prior to installation to achieve arbitrary code execution with SYSTEM privileges.

For more information, read the full advisory here.

GOG Galaxy Games directory insecure file permissions local privilege elevation vulnerability (TALOS-2018-0723/CVE-2018-4049)

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy's "Games" directory. An attacker can overwrite executables of installed games to exploit this vulnerability and execute arbitrary code with elevated privileges. By default, GOG Galaxy installs games in a directory that allows anyone on the system to have "full control." This allows all users to read, write or modify arbitrary files in the "Games" directory. If the installed games include a privileged installer component, such as a DirectX installer or a Visual Studio redistributable, the attacker can obtain administrative access. Users can also elevate to other user accounts by overwriting arbitrary executables.

For more information, read the full advisory here.

GOG Galaxy Games changeFolderPermissionsAtPath privilege escalation vulnerability (TALOS-2018-0724/CVE-2018-4050)

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy Games. An attacker can globally adjust folder permissions, leading to the execution of arbitrary code with elevated privileges. The vulnerability arises in the `changeFolderPermissionsAtPath` function. This function takes a path as its first argument and changes the permissions of that folder and of all files located under it to be globally readable, writable and executable. This could allow an attacker to change the permissions of privileged folders on the file system, crossing a privilege boundary and creating an exploitable situation.

For more information, read the full advisory here.

GOG Galaxy Games createFolderAtPath privilege escalation vulnerability (TALOS-2018-0725/CVE-2018-4051)

An exploitable local privilege escalation vulnerability exists in the privileged helper tool of GOG Galaxy's Games, version 1.2.47 for macOS. An attacker can globally create directories and subdirectories on the root file system, as well as change the permissions of existing directories. The vulnerability arises in the `createFolderAtPath` function. This function takes a path as its first argument and creates a folder at that location, also building any nested directories that are needed. These directories are owned by root:wheel but have global read, write and execute permissions set. This creates a privilege escalation vulnerability, allowing an attacker to modify the root file system.

For more information, read the full advisory here.
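Both helper functions above share one root cause: a privileged component acts on a caller-supplied path without confining it, and hands out world-writable permissions. The following added example (not GOG's code; the function names, the `Games` base directory and the scratch layout are assumptions) models the described chmod behaviour next to a hardened variant that resolves the path, refuses anything outside an allowed base, skips symlinks and never grants world write, and applies the same validation to nested folder creation.

```python
"""Confining a privileged helper's path arguments: as-described vs hardened."""
import os
import stat
import tempfile


class HelperError(Exception):
    """Raised when a request would cross the helper's privilege boundary."""


def change_folder_permissions_as_described(path):
    """Model of the behaviour the advisory describes (not GOG's code): no
    path check, and everything under the caller-supplied path becomes 0777."""
    for root, _dirs, files in os.walk(path):
        os.chmod(root, 0o777)
        for name in files:
            os.chmod(os.path.join(root, name), 0o777)


def _validate_target(path, allowed_base, *modes):
    """Resolve symlinks and '..', insist the result lies strictly inside
    allowed_base, and refuse any mode that grants world write."""
    base = os.path.realpath(allowed_base)
    target = os.path.realpath(path)
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside or target == base:
        raise HelperError(f"path escapes the allowed base: {path!r}")
    if any(mode & stat.S_IWOTH for mode in modes):
        raise HelperError("world-writable modes are not permitted")
    return target


def change_folder_permissions_safe(path, allowed_base, dir_mode=0o755, file_mode=0o644):
    """Hardened counterpart: validated target, fixed non-world-writable modes,
    symlinks skipped rather than followed. A real XPC helper must also
    authenticate the calling client (e.g. by code signature); not shown here."""
    target = _validate_target(path, allowed_base, dir_mode, file_mode)
    for root, _dirs, files in os.walk(target):  # does not descend into dir symlinks
        os.chmod(root, dir_mode)
        for name in files:
            entry = os.path.join(root, name)
            if not os.path.islink(entry):
                os.chmod(entry, file_mode)
    return target


def create_folder_safe(path, allowed_base, dir_mode=0o755):
    """Hardened nested folder creation with the same confinement; each new
    component is chmod'ed explicitly so the umask cannot widen it."""
    target = _validate_target(path, allowed_base, dir_mode)
    current = os.path.realpath(allowed_base)
    for part in os.path.relpath(target, current).split(os.sep):
        current = os.path.join(current, part)
        if not os.path.isdir(current):
            os.mkdir(current, dir_mode)
            os.chmod(current, dir_mode)
    return target


def demo():
    """Exercise the hardened helper in scratch directories; returns outcomes."""
    out = {}

    def attempt(fn, *args, **kwargs):
        try:
            fn(*args, **kwargs)
            return "allowed"
        except HelperError:
            return "rejected"

    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as elsewhere:
        games = os.path.join(base, "Games")  # assumed allowed base for the helper
        game = os.path.join(games, "SomeGame")
        os.makedirs(game)
        exe = os.path.join(game, "game.bin")
        with open(exe, "w") as fh:
            fh.write("constructed placeholder, not a real binary\n")
        os.chmod(exe, 0o777)  # the "full control" starting state from the advisory
        change_folder_permissions_safe(game, games)
        out["file_mode"] = stat.S_IMODE(os.stat(exe).st_mode)
        out["dir_mode"] = stat.S_IMODE(os.stat(game).st_mode)
        out["outside"] = attempt(change_folder_permissions_safe, elsewhere, games)
        out["dotdot"] = attempt(change_folder_permissions_safe, os.path.join(game, "..", ".."), games)
        link = os.path.join(games, "link")
        os.symlink(elsewhere, link)
        out["symlink"] = attempt(change_folder_permissions_safe, link, games)
        out["world_writable"] = attempt(change_folder_permissions_safe, game, games, dir_mode=0o777)
        out["base_itself"] = attempt(change_folder_permissions_safe, games, games)
        nested = create_folder_safe(os.path.join(games, "New", "Nested"), games)
        out["nested_mode"] = stat.S_IMODE(os.stat(nested).st_mode)
        out["nested_parent_mode"] = stat.S_IMODE(os.stat(os.path.dirname(nested)).st_mode)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```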

GOG Galaxy Games fillProcessInformationForPids information leak vulnerability (TALOS-2018-0726/CVE-2018-4052)

An exploitable local information leak vulnerability exists in the privileged helper tool of GOG Galaxy's Games. An attacker can pass a PID and receive information about the process running under it that would usually only be accessible to the root user. The vulnerability arises in the `fillProcessInformationForPids` function. If an attacker passes the PIDs of root-owned processes to this function, sensitive information is returned, creating an information disclosure vulnerability.

For more information, read the full advisory here.

GOG Galaxy Games privileged helper denial-of-service vulnerability (TALOS-2018-0727/CVE-2018-4053)

An exploitable local denial-of-service vulnerability exists in the privileged helper tool of GOG Galaxy's Games. An attacker can send malicious data to the root-listening service, causing the application to terminate and become unavailable. Each function in the privileged helper expects a closure to be passed along for the reply, and neither the type nor the validity of the closure is checked before it is used. By passing in a null value, the program responds with a particular stack trace. It may be possible to send in an alternative type for the closure to gain code execution. As it stands, however, this is a denial-of-service vulnerability, leading to a lack of availability of resources.

For more information, read the full advisory here.

Versions tested

Talos tested and confirmed that GOG Galaxy, version 1.2.48.36, is affected by these vulnerabilities.

Conclusion

Users are encouraged to update to the latest version of GOG Galaxy Games here as soon as possible in order to avoid these vulnerabilities. As they all come from different functions, there is no one, clear workaround and they can only be fixed through this patch.

Coverage
The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48433, 48434

Cyber Security Week in Review (March 28)


Welcome to this week's Cyber Security Week in Review, where Cisco Talos runs down all of the news we think you need to know in the security world.

Top headlines this week

  • ASUS had to release an emergency fix for malware that may have been accidentally deployed to its machines. Attackers may have implanted the backdoor, known as “ShadowHammer,” and disguised it as a legitimate ASUS update. ASUS released a new firmware version that promises “multiple security verification mechanisms” to reduce the chance of future attacks, and started using an “enhanced end-to-end encryption mechanism.”
  • Facebook kept hundreds of thousands of users’ passwords stored in plaintext for years. The social media site says it has no information to indicate employees with access to that data abused the privileges. Reportedly, between 200 million and 600 million users may have had their passwords stored in plaintext and searchable by more than 20,000 Facebook employees.
  • Attackers are increasingly working together to spread banking trojans. A new report states that there’s been a recent uptick in the spread of certain trojans, including IcedID, with evidence that they are working with longstanding droppers. Snort rules 49544 - 49547, 49549 and 49550 can protect users from the IcedID trojan.

From Talos

  • GOG Galaxy Games contains multiple vulnerabilities that could allow a malicious actor to carry out a variety of attacks. Talos tested and confirmed that GOG Galaxy, version 1.2.48.36, is affected by these vulnerabilities. Snort rules 48433 and 48434 protect users from the exploitation of these vulnerabilities.
  • Cisco Talos is adding a new content category to Talos Intelligence. Starting on April 3, supported Cisco platforms using Talos Intelligence will receive a new "Not Actionable" category. This category applies to sites that Cisco Talos has analyzed, but due to the nature of the site, a more specific category cannot be applied.

The rest of the news

  • WordPress patched major vulnerabilities in two of its plugins that were being exploited by attackers in the wild. If exploited, the bugs could allow attackers to run extensions over top of the content management system. Users of the Social Warfare plugin can use Snort rules 49527 and 49528 to stay protected.
  • The U.S. Federal Emergency Management Agency mistakenly leaked the personally identifiable information (PII) of disaster survivors. The agency says it has no information that would indicate the information was being used maliciously. At one time, the agency said it shared more information with a third-party contractor than necessary, including the PII.
  • Norwegian aluminum producer Norsk Hydro lost an estimated $40 million in the one week after it was struck with a ransomware attack. The company says its Building Systems unit is still almost completely shut down, and its Extruded Solutions unit was, at one point, running at 50 percent of its normal capacity.
  • Cisco released patches for 27 vulnerabilities in IOS XE. The company also warned that two small office routers, the RV320 and RV325, are still open to attack. As of Thursday morning, no patches were available for those two routers. Snort users should use rules 49606 - 49612 and 49588 - 49591 to protect themselves from these bugs.
  • iOS 12.2 included fixes for more than 50 vulnerabilities in Apple products. The bugs fixed existed in some high-profile apps, including Contacts, FaceTime, Mail and Messages. There was also a vulnerability in WebKit when using Safari that could have allowed sites to access the user’s microphone without any notification.

Threat Roundup for March 22 to March 29


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 22 and March 29. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • PUA.Win.Adware.Dealply-6911925-0
    Adware
    DealPly is an adware program that installs an add-on for web browsers and displays malicious ads.
     
  • Win.Malware.Razy-6911785-0
    Malware
    Razy is oftentimes a generic detection name for a Windows trojan. The samples collect sensitive information from the infected host, encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting/creating a value in the registry for persistence.
     
  • Win.Malware.Emotet-6910311-0
    Malware
    Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails.
     
  • Win.Packed.Zbot-6911628-0
    Packed
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Malware.Sakurel-6911517-0
    Malware
    Sakurel is a variant of the Sakula trojan (first surfaced in November 2012) that downloads potentially malicious files onto the compromised computer. It also enables an adversary to run interactive commands and upload files to the C2 host.
     
  • Win.Malware.Triusor-6911670-0
    Malware
    Triusor is a highly polymorphic malware family. All the binaries are packed and obfuscated to hinder static analysis, and the malware contains code that complicates dynamic analysis. Once executed, the samples perform code injection.
     
  • Win.Malware.Lunam-6911603-0
    Malware
    Lunam is a trojan that contains Autorun-worm functionality. It injects into the Windows system to change permissions. It also disables anti-virus security suites or the Windows firewall and changes browser settings.
     

Threats

PUA.Win.Adware.Dealply-6911925-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 239[.]255[.]255[.]250
  • 172[.]217[.]12[.]206
  • 172[.]217[.]12[.]163
  • 172[.]217[.]10[.]67
  • 172[.]217[.]10[.]35
  • 224[.]0[.]0[.]251
  • 216[.]1[.]28[.]82
  • 172[.]217[.]15[.]99
  • 62[.]212[.]73[.]98
  • 100[.]43[.]94[.]16
  • 5[.]45[.]205[.]241
  • 5[.]45[.]205[.]244
  • 100[.]43[.]94[.]15
  • 172[.]217[.]10[.]109
Domain Names contacted by malware. Does not indicate maliciousness
  • accounts[.]google[.]com
  • www[.]gstatic[.]com
  • ssl[.]gstatic[.]com
  • update[.]googleapis[.]com
  • clients2[.]google[.]com
  • redirector[.]gvt1[.]com
  • _googlecast[.]_tcp[.]local
  • clientservices[.]googleapis[.]com
  • download[.]yandex[.]ru
  • dl[.]xetapp[.]us
  • xetapp[.]com
  • cdn[.]yandex[.]net
  • cache-ash03[.]cdn[.]yandex[.]net
  • r7---sn-mv-2iae[.]gvt1[.]com
  • YBFXNRZPPP
  • IJTEPYX
  • GVJDSZTMWUXYXZ
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsk2.tmp\INetC.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\y_installer.exe
  • %TEMP%orary Internet Files\Content.IE5\X1IF8CSM\downloader[1].exe
  • \TEMP\Google Chrome\chrome.setup.exe
  • %WinDir%\Temp\gui2E57.tmp
File Hashes
  • 00123316d0d50612ae581d310b722adcfe97939180f3d02034deb8a4935db073
  • 005d28b3585939c62cdf9de3c8622d7d11a4a8e48a2066bea1a37e6bd59f19e6
  • 01b53d747656c8975c8dc26f6d1cf869209cb1cdc91e1b1d1ab0d2421e82c6dc
  • 03d4f4533bca92fc7f4f8b789b5406cde3dfa8e0f51587d442ab65576b051379
  • 0584466198891f6726a8bebd13bb5566deb9eaa7f9c39086959e43558576e5eb
  • 08aa13cd31f3a41d553f852cc15ae35104bb8fdea8ddc4183b60d3570733990c
  • 08d3879f6a6413026a2a3c0a2af5949fabd241f26be53081b72a03f71618fe3a
  • 08e5212e369cadc9997c0fa6ab388299424f3854c872e267b74195d2f64ff501
  • 09fbdc8c40da22238392ffc7d45c1aaba3a1fa4073ab5177fc799b722e12f252
  • 0b3af8d26acf742223b6dac474c571bf743bb72f58063279b408515cb3ebfbb7
  • 0d7b69e58899e6a43eb7b2827d9d00b208c30c22ee46852d96b80dafae7a04e2
  • 0e6a6dcb6e595f45cf8fe16af2f9bae5eaa8ce3b9169ac340d289c76957e22b1
  • 11445175b675b5ee7b10d5b28480db8c827e2ebe768b0834733e76dbf22b8ad6
  • 115e00754759406773da16c1b0668f88f23e5ea124e1d588a483bb2c56764b74
  • 11732b1aac1328bae5eb1b96aa697216b8ee6f1253f151a7d757bc4542f0c791
  • 11b4e49162f47d330544617a8f0fe6593329ce4d1cc839602460085444df70b8
  • 1210b7eb9b7c3b8c4718c77d7cff8856982b66080ad3c2331d45e4e8deac22ab
  • 1259006aa8f53918b989be47ca6a6cbe0e3335acea98ab1944c851879c3f42c1
  • 126892e91774e5ad27d17b80b48b781cb47d8087e2555bb4afa4bfbcb26e2f60
  • 12a3a0f24d76144112dbe76f48a82e41ada02464e9bb412a100a67dfb4c73165
  • 14176d5bcf716484d40e3a53c7e9038115fe74cb0a4f13f8a2f814e6cd2b361c
  • 15d3b56e2b9727161bca8cf336cff5db3673ba4a0d764216ab77818a2994567c
  • 164fbcde41707cbda009ec59bc09b66c7e24a6a2725b45f235074b30952cc1d0
  • 169a9b9d6722fa3a4336063814a5ad1ffefcb7a8f7e124fcdc2e64793201cd44
  • 17a7101429c0d488610f9d47c489cc220db79ed501db1f362840c879cdd7f25c

Coverage

Screenshots of Detection: AMP, ThreatGrid, Malware

Win.Malware.Razy-6911785-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\TEMP\b35ab4f64eca00d5aea7ffefd5a39385a8412c6149e5b668ed283dca017891ef.exe
  • %SystemDrive%\375278630.exe
  • %SystemDrive%\old_375278630.exe (copy)
File Hashes
  • 3a05c43d6d78b963868d6a5c753adfbc15278a8e28f53d88cfbd872547ec3aec
  • 41b538fe12a5e63e8098e697f74bf54eecb3110ac76e40815691962a8d9d3f09
  • 533084e836d9450028b1bdf1513af2a608ee34fed7b8e3a72e68840b838ab5b1
  • 815131146c5665a49b103b24c32a55cde259e2019d3f1b086d822aedbb8ab3db
  • 838db2a9ceaf95fd2eaaec1c09707c763e6d7c349d62c9d9cb6037ed43dab1bc
  • 84c8d09cdbf087971625951be2cd3a3d284b079917e9511b6b3195e1b37caa6b
  • 9d5a0d566dcbeccb9d5f4a6f566491169d4c40730308907e37ff56a655646f2f
  • b35ab4f64eca00d5aea7ffefd5a39385a8412c6149e5b668ed283dca017891ef
  • bf78cb5fe8652c2d8fefbb2180266763b54d6714de861496373fd4d3383f1fb0
  • c1d8276493d369115b9c7cd2bf4aeb7cc19541daac649febe0fb9e5d921d67b1
  • d33d6e3c9eea1d11b5264243a78ee3224d2c25d80ba50dc654d5b8f78d3c8560
  • d67cae05ddf102085c273532565eb11060311ef323a493dc0892876e5ad6fb42
  • e643beed5c1dc1b4a28e8f0c6cc2452a8f5199b1225d6bc3231c3d805ca32085

Coverage

Screenshots of Detection: AMP, ThreatGrid, Malware

Win.Malware.Emotet-6910311-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\startedturned
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: ErrorControl
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: ImagePath
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: DisplayName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: WOW64
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: ObjectName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\STARTEDTURNED
    • Value Name: Description
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
IP Addresses contacted by malware. Does not indicate maliciousness
  • 190[.]48[.]129[.]88
  • 186[.]71[.]61[.]94
  • 189[.]250[.]182[.]236
  • 188[.]48[.]145[.]96
  • 189[.]155[.]152[.]129
  • 187[.]136[.]144[.]197
  • 189[.]236[.]193[.]173
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\XS0hFlArdwCf0zhrY35.exe
File Hashes
  • 02dc761ae5a8a5542891efd4c7c5e5f60c52b34fc2934aa0d4f2995a02ac2bc4
  • 0f5c870d9dd71cd8d69d94ae0bedbc1f6d9a987819b3267e5b418448ae2d5d06
  • 1f34fd280d7c58e27f43025d09b39a77227fe79b1256e11e546beee969661ae8
  • 3e0482cb8f6a4f2d5be6c231595b00e609d0ce1838e82557d831f9a040b736ff
  • 40e798c3b6a17cea35eec9d36e19769d08b5943d6a268fd604982700a5190cf5
  • 453660efedf6d54a62413366943f253ce66ae2b7e86279cc97422f10ad70c3de
  • 4c95516e8c914ae60f88d592755325a681dfb733b5d0bbd61bf9fc531df54488
  • 61739f55965706a048c60f1e71be620da070ff36a14c4d73979144725e580513
  • 7184a99a2bd5bf6db7ba4da71339f43bbfde3609ed2cc4be8b1d907306d14428
  • 762234da23e0457add13183b41711504bbd2feff7c7c72074491c6a072111bd7
  • 8f0e47da47bd92eb6b9378f45b5ac9a5f74272d9cca6579163167f05437a02d3
  • 9e7f5171472e332c77f8b7d0579269e57c8134b159c88a68855b7f72ca170ad3
  • ae9c8e66b79f89482e2f000f45d038c1d34f9fd273bdce7e39bb41f74ddd5feb
  • c8a066be1844023052522a57c358b1a8f2b33efebbc4e9d4571bb853782490cc
  • dc411454126d314aa4163c446bc127acb4f5d3089c04307cc3b2a80d788b32eb
  • e022960903709ba6bc0686a41ecba98dddbeb2afc45c8ec3ef6612d3ca7154af
  • e1c8d1494031d4e48044da56b6f9e42a4debfee273bb23c34bfcaf01f24d03ba
  • fa57b2fa7dff02e445be673d1c20e09c6e15515b05b729c5ae29c38cf4ca1918

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Packed.Zbot-6911628-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 207[.]148[.]248[.]143
Domain Names contacted by malware. Does not indicate maliciousness
  • aatextiles[.]com
Files and or directories created
  • %LocalAppData%\Temp\budha.exe
File Hashes
  • 006fcf37a0eb468cc72fd889b5a681d95408211c72ff26f9622bf6f34deac34a
  • 032c2e1170585576a48dac78598f2c6e0cff6660a2357aaf530bc48a09a88bf5
  • 03f24818854c539e345eadf79579b18a07bae62cb0694e57f2fa38dcfaab2b6e
  • 04d1f5ec23449c4f732acc9871df1bc0273ebd7decaecf4a23cf0d36c9492050
  • 053b92b9d7df8f0da498304efe8630b1a52206cc4ec97d72e4372ea4feeebeaf
  • 0577c05d5a14456d6ecaf2e89f44fe2765fddc26e4ad1a8be0561883546b5ce1
  • 064718741b944136613994295d0bfd2aaa4e8e0ccc4ce926cb8e5fea73d99b43
  • 07bd1541aba14c60addc1eb4850c14c227d826ecfd0ddd27705c15aad8b321f8
  • 07cb9376ea9258a4589f0c163035139c6ee8198df832dffa0de6cbc4995e1f10
  • 0862089c5b5460b063b4d31e5f1f86e196e5c9eb2d5bad1ddaeba547dfa468f1
  • 089c5bcad0f614fd269e5965bbb1511def4900f291ea8a4f4a1aca40216ac937
  • 08fed1af781ac399a40d43f2e24b63407523e0b14f95b9eb6e4684ef41dbf8da
  • 093b2949f7eeb6b39257a2c8f39e13bb9db57d67d061c27e27ef6e277a6ea8b5
  • 097259c049318a5db1857e229b1ee7c9d94ec345a18520d8575fdf35eac82176
  • 0b7f0baf87ed9c40db3b4e815d8f6c7f0bd7b8e7d7206995ca8a5ace51abbf28
  • 0c63edade791db8a62b82efe5a939cbf8d4871ae591bf15c76fa33b644a82b0b
  • 0dd82df5bb5e22a46bb144b4160979a35c5e797312c0fb0bbbc8c9d9ebb4338a
  • 0e26f8c0c7c9135596c7509af558f395b448c1e86bb5aee9390ee273bd7e94f8
  • 0edbb5f72d21295d80038f417a5820d9b14b5a9f925ee7fc4729bad033e7102c
  • 0efda7d9834bfa4a6376a3ee2015d46839617a459b1a1e6f6ad4bbe18f3c1460
  • 11f616a534a8ddd2c4a6f568170ba94fd6201f3e32df93a9c1a3ddde65280bb5
  • 1219a20531c12eb6eee26c29cd0eabfd5b5576891529b2d47b6d13607481d1de
  • 123730b855330b05fb55d5c2cd2aa8f7afb7949370c4271b3d826880c22f89ba
  • 1341bafd3d3de435258abc5bd5b45a7930cb4c8755cbabdee1b7df022cfb5119
  • 1378a83d0b13060d77f0312292b79f374633475dffeaebaea7b4bcef0639dd3f

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Sakurel-6911517-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • \BaseNamedObjects\I-Worm.PlutonX
IP Addresses contacted by malware. Does not indicate maliciousness
  • 204[.]11[.]56[.]48
  • 184[.]22[.]175[.]13
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • citrix[.]vipreclod[.]com
Files and or directories created
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MicroMedia\MediaCenter.exe
  • \My Downloads\Winzip 8.0 Full Downloader.exe
  • \My Downloads\The Neverending Story Part I ISO - Full Downloader.exe
  • \My Downloads\The Eye Of Kraken ISO - Full Downloader.exe
  • \My Downloads\The Thing Crack.exe
  • \My Downloads\Zidane-ScreenInstaler Crack.exe
  • %WinDir%\rundll32_.exe
  • \My Downloads\The Thing Full Downloader.exe
  • \My Downloads\The Eye Of Kraken Full Downloader.exe
  • \My Downloads\ZoneAlarm Firewall Full Downloader.exe
  • \My Downloads\Xbox.info Crack.exe
File Hashes
  • 21d0875cb4b3a6eaa8aaedc10df7ac41491933d83bf5737ac2b153b04bbaaa25
  • 31729931bcf1f4880d7ba572162c9de25e4c492da45dde394388a589db572973
  • 47d4dc07f53d47045c9429f7c58b9a3f7a2b1f4f9896372de24aaab6a195006b
  • 59dcec5311f321bc0271b412fbdf3a3afc7e081b7248cc34ee41b705a71de37a
  • 5fea4433f887675fff05d18a1e73b51c711075743f5effd0124d386161eb714e
  • 7b98c5758daae76d49f2cc088385920c8c0025e605170a76db82e076461cf4cf
  • 8486bbbd2b8dd837bfb5ffdefeb3bd6462696792ce768bf4d4bd07f60b0b6023
  • a55672ffa051c6331e51e36e050a37a1822c3e4ad3b23c32fbc712101c1841cc
  • c12dcb306f9f3d54aeb93672fb67bbb6e02e7bfd02606a24964902ea5c31988b
  • cc8b72eab90eddc9495b3168f7f5e56b61831c7f5828a8c2ac019d7821ae05ce
  • f3dc6f0e865e4aee50a83467eec156c3d38ca856edffb75714cfec73d692965e
  • f9a769450b23e9b2e7dd54092f84b902cab433ed83ad9cd3aa7dbb915fe7c3a9

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Triusor-6911670-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • ---
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %WinDir%\SysWOW64\URTTEMP\regtlib.exe
  • %SystemDrive%\System Volume Information\_restore{2DD8912A-F65A-4BB8-A47E-3B7997479CBD}\RP1\A0000192.exe
  • %SystemDrive%\System Volume Information\_restore{2DD8912A-F65A-4BB8-A47E-3B7997479CBD}\RP1\A0000193.exe
File Hashes
  • 03aff9a48d8198ce8c40f2b0ad2a922bc0e80f598f66d97b75c12c89aec0bfce
  • 048d526df6efc4adc3b9e6ad2ef8936ba423fa5a8401a67365093206690a74f8
  • 05f6b95ebcb80d1d4fc67a3fa37b5575dcaefb5f19af24a22e1593e43a6828da
  • 0eb229b7c25a75faf6408b0b34a8e6318fd0de237399b20abea960cce1e74a33
  • 118a87e2a3491c374cbdf2a322a7c526fa4313774198ca094a2b9b5167010045
  • 134006bdec93b2bb61a839d95e006ac336c7bc139860200874ad9ac720fa1716
  • 13565a1b840b26a75e10d2860210c2eec745e738e967dfc992ce68498f05e37b
  • 14dc5638711af0d523fa82bed60f12e2072f18f6aad26c3d7118140778ba8111
  • 1c221eb1e17a85f205833b23ed2b6ab314715fe9c4742d189ba91ad0d9e56a7f
  • 2079a72947018cb8aee28ac29aae59049eb55eeae62b274dc4432d4e10ae4b2b
  • 27a45ef2fca67f3ad606ef9a321d2c06718b19906c13d2836976200cadbb8cdd
  • 280dd92b330515c2643f9608d93a4035eab996694423b6fca2e3bd95bd2e97a5
  • 299bbeb900d33999fb20b9c38b772590161e9f815de24049e066ab90e33dac34
  • 2b3b5caa2b92330216ec6bdd6bae21221b29086e128a3fb176f20525432042f9
  • 335900e28645a0958e3c97c62f5d4ded50e4f87a980a19c35269bbf433e006cd
  • 34c13a759df60c7ba1360a54f01bcdf791dac658fcaf10c57455b45ee4d016f5
  • 37710f05180b0678f4d3bd7672d4ca37d030ff452c19ef76e64142b96c960f9d
  • 3d7c4d54cee4d196a7cd556ce8e3b4689721d734119327337c9bc2744927484a
  • 42de9566d55d8f6ce77ba26caafae8185bd5dc3f1309c5b2bc9d733eafa84a9c
  • 436a31762430ce02a1bb023d82302fa21e4a00be29e9f1bac8547a78ec0ae5a6
  • 4888619469ca159498876d4e744005bb19e9d9dff35aab73d5ecfb5a706bc691
  • 4efa26b70dc73146483af6f5fe626d983d2a11d26f652938617dba46598b9e2d
  • 4f8339dfff27003cbe79b1be2527da1948c44d70ae08c7a54d3babadb5e3e147
  • 51881a2de30681cd4f4ebb00bd8512bb4a96448c1cb2d7756b686913c5e2d06a
  • 52b9af1d286700f44cf182dd18f521707ae9886caa8dbada02613f7d94c1bad8

Coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Malware.Lunam-6911603-0


Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value Name: ShowSuperHidden
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value Name: HideFileExt
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
    • Value Name: SuperHidden
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED\FOLDER\HIDEFILEEXT
    • Value Name: DefaultValue
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
    • Value Name: PC
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value Name: avscan
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
  • \Autorun.inf
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avscan.exe
  • %WinDir%\W_X_C.vbs
  • %WinDir%\hosts.exe
  • %WinDir%\W_X_C.bat
  • \Rahasia_Ku.exe
  • \usb.exe
File Hashes
  • 268360c9cb3592f64adf615a6cbd3f9dd799c3dbac53ebf42991400f95ef47ff
  • 2f0bb43a6456a418be91581203c6bae6c32ff2d6397b1ffabab8026e9182f0d9
  • 35d132fbcaded5414ae1a2b1b4ef24c6a8c4756a43149b3da77f6aef8a572213
  • 48acda29ed39adbddc39578160cdc8a01c4c50ead27fea48a8b9a6b42c43a1d3
  • 589367bc5cbad71d471ab9089c9afa2b48f6492f994b4e1f30e35d7c97529d85
  • 716d112abbcfc643dabaa7671862689c4f93c1ee42b5c2d7761335184c277dc2
  • 758af45b0efa214661c2f555f721d77fa378c91de8feec5f510116b701049000
  • 80aa6589cdf6d87c1edca15d9fd1759347b3a1d9e3536ad21edbb35c27a4a832
  • d0e0d54cde79126e6417b1b6650aee61d9bef995cb5eea17ea418e207c163f81
  • ea6acafa5950c15740e1b1f6a9975283b484e775318720bedc9b90f8f258e45b
  • f20e50dbe18dee4e864259f99ffc8b7b6c2a41e6a821093502746e1daf8efabe

Coverage

Screenshots of Detection: AMP, ThreatGrid

Registration for the 2019 Talos Threat Research Summit is now open


The Talos Threat Research Summit is officially back.

Registration is open now for the second year of our conference by defenders, for defenders. Tickets sold out quickly last year for our inaugural event, so act quickly.

This year’s Research Summit will take place on June 9 in San Diego, Calif. — the same day Cisco Live kicks off. A pass to the Talos Threat Research Summit will not provide you access to the rest of Cisco Live.

This summit is designed to assist you in keeping your users and network safer. Our roster of experienced speakers will share their deep expertise in network defense, tracking the bad guys and identifying trends in the threat landscape. The exact speaker list will be released on the registration site in the near future. The goal of the summit is that you will leave with up-to-date, actionable intel you can take back to your network and use immediately.  There are also opportunities for networking with your defense-focused peers and security leaders.

Here’s what you can expect:

  • A one-day program featuring a curated agenda
  • Insights from industry leaders
  • Peer networking opportunities
  • Discussion focused on defender and defense strategies and tactics

Registration information:

The Talos Threat Research Summit is an add-on to Cisco Live registration, but can also be purchased without a full Cisco Live registration. If you have already registered for Cisco Live, you can add the Talos Threat Summit for $199. You may also register for the Summit without a Cisco Live registration for the same price. All options will be displayed to you during the registration process.





Threat Source (April 4)


Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos


Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.  

Cyber Security Week in Review

  • Some Facebook users are being prompted to enter their email accounts’ password when signing up. Facebook says it will stop the practice, and reiterated that it never stored those passwords on any servers.
  • Facebook CEO Mark Zuckerberg last week pushed for the U.S. to adopt stronger internet privacy and election laws. Zuckerberg proposed in an interview that the federal government create an independent body that would set definitions for what terrorist content and hate speech are and should, therefore, be banned online.
  • Google’s latest security bulletin warns of three critical vulnerabilities in the Android operating system. These bugs could allow an attacker to remotely take over a device by tricking the user into opening a malicious file.
  • Australia and Singapore introduced new laws that impose harsh punishments on websites that do not remove violent content quickly. The countries hope to reduce the amount of pro-terrorist content circulating online. 
  • The parent company behind Planet Hollywood and Buca di Beppo says more than 2 million customers had their credit card information stolen. The restaurants say a credit card skimming malware existed on their point-of-sale system for months. 
  • Bayer, one of the largest chemicals companies in the world, says it suffered a cyber attack, but no data was taken. The German company said an APT spied on its networks for months, but it so far has not discovered any “data outflow.”
  • Two third-party app developers may have publicly exposed more than 2 million Facebook users’ personal records. Security researchers say they discovered the two data sets on exposed Amazon Web Services S3 servers.
  • A major cryptocurrency exchange in South Korea says it lost millions of dollars worth of currencies in a heist. Bithumb says it believes the attack was carried out by a group of insiders.
  • Cisco says two patches released earlier this year for its routers do not work properly. The company says it has seen live attacks on the RV320 and RV325 routers and is working on a new fix.

Notable recent security issues

Description: Microsoft recently discovered a serious vulnerability in Huawei’s PCManager that could allow attackers to alter the Windows 10 kernel in Huawei’s line of MateBook machines. The Chinese tech company patched the bug in January, but it was just disclosed last week. An attacker could exploit this vulnerability by tricking the user into running a malicious application.
Snort SIDs: 49628 - 49632

Description: Cisco released a slew of patches last week to fix 24 vulnerabilities in its IOS operating system. The company also warned customers that two routers in its RV line are open to attack, and no fix is available as of yet. Fifteen of the bugs exist on IOS XE, which runs on Cisco networking gear such as switches, routers and controllers.

Most prevalent malware files this week

MD5: a7608ce0baea081df610eb9accb4400e
Typical Filename: emotet_e1_d98edcaf8acdd135b38ad5d6ce503e59868555f5acb6aaa95017ec758a6603ac_2019-03-26__175503.exe_
Claimed Product: Advanced PDF Converter
Detection Name: W32.d98edcaf8a.Malspam.MRT.Talos

MD5: 97911a1da380f874393cf15982c6b1b9
Typical Filename: spoolsv.exe
Claimed Product: Microsoft® Windows® Operating System
Detection Name: W32.GenericKD:Trojan.22co.1201

MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product: 易语言程序
Detection Name: Win.Dropper.Armadillo::1201

MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: u.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

Top spam stats for this week

Top 5 spam subjects observed
  • "Microsoft account team"
  • "Award Information."
  • "3-D Secure"
  • "Re: Action Required: You failed our monthly validity check."
  • "ATTENTION: FUND BENEFICIARY 191.98.183.155"
Top 5 most used ASNs for sending spam
  • 8075 Microsoft Corporation
  • 20792 VISTEC Internet Service GmbH
  • 15169 Google LLC
  • 1832 Southern Methodist University
  • 46664 VolumeDrive

Hiding in Plain Sight

This blog was written by Jon Munshaw and Jaeson Schultz.


Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on some mysterious dark web address, a surprisingly large number of cyber scofflaws prefer to operate right out in the open using social media. For example, Facebook is host to dozens of groups that serve as online marketplaces and exchanges for cybercriminals. Talos saw spam from services advertised in these Facebook groups show up in our own telemetry data, indicating a potential impact to Cisco customers from these groups.

Over the past several months, Cisco Talos has tracked several groups on Facebook where shady (at best) and illegal (at worst) activities frequently take place. The majority of these groups use fairly obvious group names, including "Spam Professional," "Spammer & Hacker Professional," "Buy Cvv On THIS SHOP PAYMENT BY BTC 💰💵," and "Facebook hack (Phishing)." Despite the fairly obvious names, some of these groups have managed to remain on Facebook for up to eight years, and in the process acquire tens of thousands of group members.

In all, Talos has compiled a list of 74 groups on Facebook whose members promised to carry out an array of questionable cyber dirty deeds, including the selling and trading of stolen bank/credit card information, the theft and sale of account credentials from a variety of sites, and email spamming tools and services. In total, these groups had approximately 385,000 members.

These Facebook groups are quite easy to locate for anyone possessing a Facebook account. A simple search for groups containing keywords such as "spam," "carding," or "CVV" will typically return multiple results. Of course, once one or more of these groups has been joined, Facebook's own algorithms will often suggest similar groups, making new criminal hangouts even easier to find. Facebook seems to rely on users to report these groups for illegal and illicit activities to curb any abuse.

Talos initially attempted to take down these groups individually through Facebook's abuse reporting functionality. While some groups were removed immediately, other groups only had specific posts removed. Eventually, through contact with Facebook's security team, the majority of the malicious groups were quickly taken down; however, new groups continue to pop up, and some are still active as of the date of publishing. Talos continues to cooperate with Facebook to identify and take down as many of these groups as possible.

This is not a new problem for Facebook. In April 2018, security reporter Brian Krebs alerted the social media site to dozens of Facebook groups wherein hackers routinely offered a variety of services including carding (the theft of credit card information), wire fraud, tax refund fraud and distributed denial-of-service (DDoS) attacks. Months later, though the specific groups identified by Krebs had been permanently disabled, Talos discovered a new set of groups, some having names remarkably similar, if not identical, to the groups reported on by Krebs.

Inside the online criminal flea market


Many of the activities on these pages are outright illegal. For example, we discovered several posts where users were selling credit card numbers and their accompanying CVVs, sometimes with identification documents or photos belonging to the victims.
Other products and services were also promoted. We saw spammers offering access to large email lists, criminals offering assistance moving large amounts of cash, and sales of shell accounts at various organizations, including government.
We even saw users offering the ability to forge or edit identification documents.
The majority of the time, these sellers asked for payment in cryptocurrency. Others employ so-called "middlemen," who act as intermediaries between the buyer and the seller of the information and take a cut of the profits. These users usually promoted the use of PayPal accounts to complete the transaction.

It's unclear based on these groups how successful or legitimate some of the users are. There are often complaints posted by group members who have been scammed by other group members. In most groups, there is a particular etiquette and form to the posts. Typically sellers will describe what they have versus what they want. Almost all transactions are "you first" (written as "U_f," "uf," etc.), meaning the person interested in making the purchase or trade has to pay or provide their service or product up front. Like many other Facebook groups, these scammer groups also exist as a forum for scammers to share jokes about some of their less successful campaigns.

Scammers in the wild


One thing is certain: even though some group members only seem to be out to scam other members, others are out in the wild committing crimes that show up in Talos' data. For example, below is a post from one of the Facebook groups that Talos was monitoring. In the post, the spammer is advertising spamming services, promising to land their Apple-themed phish in the inbox folder at Hotmail and Yahoo. They helpfully included a screenshot showing the spam arriving in an inbox.
Talos was able to locate examples of this same phish in our telemetry data. Based on the email samples Talos recovered for analysis, the attackers had attached a PDF file that claimed to be an invoice for a purchase at Apple. The PDF included links to view or cancel the order.
Analysis inside the ThreatGrid malware sandbox indicates that when the user clicks either link, they are directed to a phishing website located at a recently registered domain: appleid[.]apple.com.verifysecureinfomanage.info. The hostname puts "appleid.apple.com" in front of the attacker's real registrable domain, verifysecureinfomanage.info, so a casual glance at the address bar reads as Apple's own site. The phishing website itself was created using "16Shop," a phishing kit known to target Apple users.
Cisco Umbrella's Investigate indicates that the IP address used to host the phishing domain is also home to many other suspicious-looking domain names that have likely been used for similar scams in the past.
This is not the only example in our data where illicit activity was matched by posts in Facebook groups selling the same tools, techniques or services the scammer used. Some group members do indeed "walk the walk" when it comes to perpetrating these sorts of online crimes.
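The hostname trick used by this kit, a trusted brand's domain placed in the subdomain labels of an unrelated registrable domain, is easy to check for mechanically. The following is an added example written for this page, not Talos or 16Shop code. It assumes a hand-picked brand watch list and approximates the registrable domain as the last two labels; both are assumptions noted in the comments.

```python
from urllib.parse import urlsplit

# Brand names a phishing kit is likely to plant in a hostname. Constructed watch
# list for this example; replace it with the brands your users actually log in to.
WATCHED_BRANDS = ("apple", "paypal", "microsoft", "hotmail", "yahoo")


def refang(indicator: str) -> str:
    """Undo the '[.]' / 'hxxp' defanging used in reports so the URL can be parsed."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Assumption: the registrable domain is the last two labels. That is wrong for
    suffixes such as co.uk; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def brand_in_subdomain(url: str) -> dict:
    """Flag hosts that carry a watched brand name to the LEFT of the registrable
    domain, e.g. appleid.apple.com.<attacker-domain>. Returns the host, the
    registrable domain and the brand names found in the deceptive prefix."""
    url = refang(url)
    if "://" not in url:                 # bare hostnames: give urlsplit a scheme
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return {"host": "", "registrable": "", "brands": []}
    reg = registrable_domain(host)
    prefix = host[: len(host) - len(reg)].rstrip(".")   # labels left of the registrable domain
    brands = [b for b in WATCHED_BRANDS if b in prefix and b not in reg]
    return {"host": host, "registrable": reg, "brands": brands}


if __name__ == "__main__":
    for u in ("https://appleid[.]apple.com.verifysecureinfomanage.info/",
              "https://appleid.apple.com/",
              "http://paypal-secure.example.info/login"):
        print(brand_in_subdomain(u))
```

The legitimate appleid.apple.com produces no hit because "apple" sits inside the registrable domain itself; the phishing host is flagged because the brand only appears in the prefix. The two-label approximation will misfire on country-code suffixes (apple.co.uk would be reported), which is why a real deployment should resolve the registrable domain with the Public Suffix List before comparing.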

Conclusion


Social media has provided tools enabling individuals from all over the globe to congregate and share ideas. This is one of social media's defining features. However, the underlying computer algorithms that help us connect, suggesting new friends or networks, are not intelligent enough to distinguish benign activities from the unethical or outright illegal. So far, Facebook has apparently relied on these communities to police themselves, which, for obvious reasons, these criminal communities are reluctant to do. As a consequence, a substantial number of cyber-scammers have continued to proliferate and profit from illegal activities. Operating with impunity, these attackers relentlessly probe the cyber-defenses of enterprises everywhere. This is a high-stakes endeavor because an attacker with even the smallest foothold inside an organization can do considerable damage.

To combat these motivated adversaries, we need to work together. Social media platforms should continue their efforts, both manual and automated, aimed at identifying and removing malicious groups. Security teams and vendors must work together to actively share information, take action and inform our customers. Businesses need to be diligent about their protection and cyber hygiene efforts. And finally, consumers need to become as informed and skeptical as possible. Attacks like spam prey on the individual as an entry point.

Note: If users encounter malicious groups in Facebook, they can always report the groups through Facebook's "report" function, which is located at the top of the group's page in the drop-down menu under the "... More" button.


Beers with Talos Ep. #50: Operating under the cover of… nothing



Beers with Talos (BWT) Podcast Ep. No. 50 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded March 29, 2019 - Matt and Joel are both on the road this week, and Omar Santos from Cisco PSIRT joins the crew to discuss malware posing as ransomware and defending against supply chain attacks. We go deeper on the Talos story exposing criminal groups operating in the open on social media platforms like Facebook and the implications of criminal groups leveraging social networking. Facebook has removed the disclosed groups, so we discuss the best-effort ways to play whack-a-mole with bad guys on the open web.

The timeline:

  • 01:00 — Roundtable: Holy crap. Will Nigel’s own nephew get to be a Mighty Red??
  • 12:15 — LockerGoga: Disruptive, but less than useful as ransomware
  • 19:35 — Asus backdoor: How big was it? What are your defenses against supply chain attacks?
  • 38:30 — Criminal hacking marketplaces activity in plain sight
  • 49:00 — Parting shots and closing thoughts: Talos Threat Research Summit reg is open!

The links:

==========

Featuring: Craig Williams (@Security_Craig) and Nigel Houghton (@EnglishLFC) with special guest Omar Santos (@SantosOmar)

Hosted by Mitch Neff (@MitchNeff).

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Threat Roundup for March 29 to April 5


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 29 and April 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Vobfus-6919817-0
    Malware
    Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
     
  • Win.Malware.Barys-6919339-0
    Malware
    This is a trojan and downloader that allows malicious actors to upload files to a victim's computer.
     
  • Win.Malware.Zbot-6919277-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Malware.Autoit-6919193-0
    Malware
    Autoit is a malware family built on the well-known AutoIT automation tool, which is widely used by system administrators. AutoIT exposes a rich scripting language that can be used to write fully functional malware. This family installs itself on the system and contacts a C2 server to receive additional instructions.
     
  • Win.Virus.Expiro-6918982-0
    Virus
    Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks.
     
  • Win.Trojan.Winwebsec-6918829-0
    Trojan
    Winwebsec is rogue security software that masquerades as legitimate antivirus, alerting users to nonexistent threats. It disables Windows Defender and Windows System Restore. It may also block users from accessing websites or programs until they buy the "antivirus" software.
     
  • Win.Trojan.Emotet-6918815-0
    Trojan
    Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
     

Threats

Win.Malware.Vobfus-6919817-0


Indicators of Compromise


Registry Keys
  • N/A
Mutexes
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\A
  • A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 208[.]91[.]197[.]66
Domain Names contacted by malware. Does not indicate maliciousness
  • ns1[.]backdates1[.]net
  • ns1[.]backdates2[.]com
  • ns1[.]backdates4[.]com
  • ns1[.]backdates2[.]net
  • ns1[.]backdates11[.]com
  • ns1[.]backdates17[.]com
  • ns1[.]backdates8[.]com
  • ns1[.]backdates15[.]com
  • ns1[.]backdates3[.]net
  • ns1[.]backdates1[.]com
  • ns1[.]backdates3[.]com
  • ns1[.]backdates5[.]com
  • ns1[.]backdates1[.]org
  • ns1[.]backdates9[.]com
  • ns1[.]backdates10[.]com
  • ns1[.]backdates16[.]com
  • ns1[.]backdates1[.]net[.]example[.]org
  • ns1[.]backdates15[.]com[.]example[.]org
  • ns1[.]backdates4[.]com[.]example[.]org
  • ns1[.]backdates9[.]com[.]example[.]org
  • ns1[.]backdates8[.]com[.]example[.]org
  • ns1[.]backdates11[.]com[.]example[.]org
  • ns1[.]backdates17[.]com[.]example[.]org
  • ns1[.]backdates2[.]net[.]example[.]org
  • ns1[.]backdates16[.]com[.]example[.]org
  • ns1[.]backdates3[.]com[.]example[.]org
  • ns1[.]backdates10[.]com[.]example[.]org
  • ns1[.]backdates3[.]net[.]example[.]org
  • ns1[.]backdates1[.]com[.]example[.]org
Files and or directories created
  • \??\E:\autorun.inf
  • %System32%\winevt\Logs\System.evtx
  • \autorun.inf
  • \??\E:\System Volume Information.exe
  • \$RECYCLE.BIN.exe
  • \??\E:\$RECYCLE.BIN.exe
  • \Secret.exe
  • \??\E:\Passwords.exe
  • \??\E:\Porn.exe
  • \??\E:\Secret.exe
  • \??\E:\Sexy.exe
  • \??\E:\x.mpeg
  • \Passwords.exe
  • \Porn.exe
  • \Sexy.exe
  • %HOMEPATH%\Passwords.exe
  • %HOMEPATH%\Porn.exe
  • %HOMEPATH%\Sexy.exe
  • %HOMEPATH%\c\Passwords.exe
  • %HOMEPATH%\c\Porn.exe
  • %HOMEPATH%\c\Secret.exe
  • %HOMEPATH%\c\Sexy.exe
  • %HOMEPATH%\Secret.exe
  • %HOMEPATH%\c\autorun.inf
  • %HOMEPATH%\seofuaj.exe
  • %HOMEPATH%\RCX9D65.tmp
  • %HOMEPATH%\RCX9DC4.tmp
  • %HOMEPATH%\RCX9E23.tmp
  • %HOMEPATH%\RCX9E91.tmp
  • %HOMEPATH%\RCX9EEF.tmp
  • %HOMEPATH%\RCX9F5E.tmp
  • %HOMEPATH%\c\RCXAE6C.tmp
  • %HOMEPATH%\c\RCXAEDA.tmp
  • %HOMEPATH%\c\RCXAF39.tmp
  • %HOMEPATH%\c\RCXAFA7.tmp
  • %HOMEPATH%\c\RCXB015.tmp
  • %HOMEPATH%\c\RCXB083.tmp
  • \??\E:\seofuaj.exe
  • \seofuaj.exe
File Hashes
  • 046c299741954c07ca5feab9039d7a7208c9e5dad3fca354041acdecab550cf9
  • 057d66787c6ee44bd9d8015f563c3b6e2eab4a83bfe2eee53e1b7d0006e0df84
  • 05f0f24b4fc446cf95fe3be015fe0f61908d1b5cbb1706a14c2e393886454f38
  • 0b5716a756064ebe398f0e164f8d7e0dd747ca50795e3624b5574fd78e92059d
  • 119bb2c3b038c70448cbb9a4a8f8eeed1071d2174f5d1907a01d348f1740927e
  • 1506a6d7439fab0a6b3c775fdde0627bacafa4760900c0f111edce4d55a03a50
  • 1bd8db7ee7413001573a689ae4ebcb29da7652717f35ecbd735a87f3d621586b
  • 272c48ac067319a1c8d51717c5f34b34ac4db4f970f9fccc5915d7bf77123ecb
  • 2bd2f27610560eea9d652b3b8c44225a4b66ef349350e53fff8b42406f74ad3d
  • 2dd8cc3597a6e411b7f258c2ecb78aacd54d9cadb3807997b2b00c1a4e07e178
  • 368d741aef2ab6e41a4696f5d28dee169580dfff4cc69a5946faaec3d14925bb
  • 3b6a66df8369ac8bf26e8402989d29534b7d7e1c7e460d970f50416e2afe5ffe
  • 40466788e57d5200867dcfd7a3f2c18004b8317c19a0528af585c537edfc1201
  • 4a67a46ce70cd36aab995cd0a04621a4050cac0488bab6c433efb1324c6b4513
  • 4b77f7be93f7a27a30a87f5d3fd611d54ead6b62a18a12dcfca3bd65f3081e86
  • 4cbbeba77a0e8af025aeb17352a36b6c75687a00827ecac1f9dfac206603ab52
  • 4ce11c03c2fd40bd58f7044d9bf17fce4118e31cc058113a8cb6d68b0fe2cbc7
  • 5312c2573551bf4ea733031528f4e79b8b1c675c2a05e4059c06cf9c2706b9e1
  • 5ebbf7f1ffdb7f5a5483ad26971c20bf7ffdea7fd1566260d6e4875ff9a477c1
  • 61707b56cec807908e713dd8acbcc2ee8b7359c9c3e8eb826e53fca3fa0de866
  • 62312807fa51f896940f2480b29a133365a146eccb5c5775faf886f3238b2f9a
  • 66c85f135b970fd774f2582202458bd083ecf71bc1f80cd195706d7b354bb601
  • 689860f079fe900589e3c70af6932587b44135439b48cde5462537008a9537f4
  • 6c863b2f65224fbc6d85702cf9cf48b120a851ec4c2f7e76b21c9c56b5427d82
  • 6fc3ab28e7177cf2ca67f6d3a945979b6bdce37eea446d21cef54181a673a35c
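The file list above shows the whole Vobfus removable-media playbook: an autorun.inf in the volume root, a copy of the worm (seofuaj.exe) next to it, lure executables named to invite a double-click (Passwords.exe, Porn.exe, Secret.exe, Sexy.exe) and executables named after the $RECYCLE.BIN and System Volume Information folders. The following triage script is an added example for this page, not Talos tooling: it parses autorun.inf for launch keys and looks for those names in a volume root. The directory it scans is a constructed fixture built from the IOC list, with placeholder bytes in place of any real sample.

```python
import configparser
import tempfile
from pathlib import Path

# Lure file names and folder look-alikes, taken from the IOC file list above
# (compared case-insensitively, as Windows file systems do).
LURE_NAMES = {"passwords.exe", "porn.exe", "secret.exe", "sexy.exe"}
FOLDER_LOOKALIKES = {"$recycle.bin.exe", "system volume information.exe"}
# autorun.inf keys through which a program can be launched
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(inf_path: Path) -> list:
    """Return the commands an autorun.inf asks Windows to run ([] if none or unparseable)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str.lower            # INI keys are case-insensitive on Windows
    try:
        cp.read_string(inf_path.read_text(encoding="utf-8", errors="ignore"))
    except configparser.Error:            # no [autorun] header, junk bytes, etc.
        return []
    cmds = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):   # [autorun], [autorun.amd64], ...
            continue
        for key in LAUNCH_KEYS:
            if cp.has_option(section, key):
                cmds.append(cp.get(section, key).strip())
    return cmds


def scan_volume(root: Path) -> dict:
    """Inspect the root of a mounted volume for the Vobfus artefacts listed above."""
    result = {"autorun_cmds": [], "lures": [], "folder_lookalikes": []}
    inf = root / "autorun.inf"
    if inf.is_file():
        result["autorun_cmds"] = parse_autorun(inf)
    for entry in root.iterdir():          # the worm drops everything in the volume root
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name in LURE_NAMES:
            result["lures"].append(entry.name)
        elif name in FOLDER_LOOKALIKES:
            result["folder_lookalikes"].append(entry.name)
    result["lures"].sort()
    result["folder_lookalikes"].sort()
    result["suspect"] = any(result[k] for k in ("autorun_cmds", "lures", "folder_lookalikes"))
    return result


def build_fixture(infected: bool = True) -> Path:
    """Constructed directory mimicking the IOC file list; placeholder bytes, not a sample."""
    root = Path(tempfile.mkdtemp(prefix="vobfus_fixture_"))
    if infected:
        (root / "autorun.inf").write_text(
            "[AutoRun]\r\nopen=seofuaj.exe\r\nshell\\open\\command=seofuaj.exe\r\n"
            "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n")
        for name in ("seofuaj.exe", "Passwords.exe", "Porn.exe", "Secret.exe", "Sexy.exe",
                     "$RECYCLE.BIN.exe", "System Volume Information.exe", "x.mpeg"):
            (root / name).write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for drive in (build_fixture(True), build_fixture(False)):
        print(drive, scan_volume(drive))
```

Point it at a real mount point (for example Path("E:\\") on Windows or a /media path on Linux) instead of the fixture. Windows 7 and later no longer honour autorun.inf on USB media, so the open= entry is mostly a leftover from older hosts; the folder look-alikes are the part that still works, because with "hide extensions" on, "System Volume Information.exe" shows up as a folder the user expects to see.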

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella



Win.Malware.Barys-6919339-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
    • Value Name: Index
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}
    • Value Name: Path
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
    • Value Name: Id
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %System32%\config\SYSTEM
  • %System32%\config\SOFTWARE.LOG1
  • %ProgramData%\Mozilla\thfirxd.exe
  • %System32%\Tasks\aybbmte
  • %ProgramData%\Mozilla\lygbwac.dll
  • %HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll
  • %HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe
  • %SystemRoot%\Tasks\kylaxsk.job
File Hashes
  • 0869ac4f786a1f544abdab137e4470e008b50ae49e740f4137d2457805e4ded4
  • 0db104c871e5214fc4365b34cfdc74c4e0330668da0399653865f43d96b58160
  • 106af8294406803fa0773813b3d827acdacc00e2faabb99d215afd091226b7b2
  • 1ea3c3bd8673dec3901d7f82b77f8e8bfad3bd51bd80d7796b2a9b7e07a98339
  • 223b3d2d4ada9ab9423efa187c1d230503ebd37fecca1209f3afcb9c15d961db
  • 2ecbd255bd3f1a60450a1b7df2d3643ad517372e9a74b41fb2981d31ceeb017a
  • 4034f9ff4d3fb10e1afe93e12e97183f8859b5c745cde8e9a52cbe0c93a7524c
  • 4b89e180490dd4da410bedbccb5c98cb78901b752eedeea3588c25a833117b8b
  • 50136cda2cb504a1c9dc6344b24d1b46c5c24c87b97fb33da23ab52346217f95
  • 5316ea912b78ff5f98cffbd4104bc5f57abc07946e53a0e7b4ed4100e9a511e0
  • 58007a4c73c96932b44d67ec7c6db050ed18577f2cc5eec427be6a2b6a962dd6
  • 5a5c3aa34c245fb90404cba3d98ab53445683ed8dc470bad316707915ad1fbe7
  • 5e0b77a4db61b89aa98faa07433c12366cef0b747b677005df139c18a48e8643
  • 60a0121cfcffdd898bb452aa464bc9dd0cf658b11285b4ba917c480046503370
  • 6b4864ef87cbc0b4884075a60f5bfbdb39e84405fd6f7f01b019c81013ef9b68
  • 7e777487165f72a5d42608e2bc4c3fb8ccf0c2aa0c059c53f4c05d6318803be6
  • 809c104c5546b025e8680f612573ed4e1123a19cab555deb9984407d69c18abd
  • 84d35bea78f59fcb33cc45d7ea6eca8d9cb1b9b1a1a5c493e88e020386c1eb43
  • 868b8e6f1301f54178839130eaefc5bbf2e6aa1c78e6054389a1f2d0b02a1bcd
  • a0aa2c03d0f4e9caed5f0a1e52e59423944864ad2d9ccdcd54b271d7133bbf2f
  • a6e84c3b4c46fbb17f9ae770c2244579ab3e7b82621290d977ff93b539b9bf37
  • afecfc0b7e4c6218fcfb546ce088cbd6b5087358a5e44bab9595df720e1a7490
  • bb04cca5245d8ddda41a24339ab63e8519bffd83a2bbcf80e74c2945bd1420c5
  • bf211d2a71ff102c2c4fc3d41afb7f9a4f46e37aea06b64d86cddca372438d44
  • da42054f51ba5744d7b2be271b96bc220002a1c5dee7580c540746a6f8436dc5

Coverage


Screenshots of Detection

AMP





ThreatGrid



Win.Malware.Zbot-6919277-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
    • Value Name: aybbmte.job
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}
    • Value Name: Path
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
    • Value Name: Id
Mutexes
  • N/A
IP Addresses contacted by malware. Does not indicate maliciousness
  • 216[.]218[.]206[.]69
  • 116[.]255[.]235[.]9
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • %ProgramData%\Mozilla\thfirxd.exe
  • %ProgramData%\Mozilla\lygbwac.dll
  • %HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll
  • %HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe
File Hashes
  • 19300406a8fedba8513085fa93004d3330024e3a97d685c34bf4404e15e9beea
  • 1d8005f6fecbb238db1b40e6cb7afc2baf323c0059883f0bb7b11c01c1067026
  • 276dab07147db188ff45e12e53ec462af42e1973a4687a2b2e3e9301c15db929
  • 2a0588520f7752424195cc36e6843d09ec850b6c7a41e966af58f3ebee8353c0
  • 33626a9cd5105d595872d76146629d1b440bb625383ac30f71c7f9ff369982f3
  • 35b7a37a7bd1ad371add7f0d3a3d9e3f9d8dc22894d0949c775f9eec5fd60104
  • 3832485cab5a4ea92c616b24bf79374a4999eb76119e2e14e40c7f693a71ea1c
  • 408f335dc58fa9fe44e16c4f76813c3cb6bca1821134cd3eaacc162787d74ee7
  • 424171b94775b10d108095adb1a29f3ee6b8918e2bc3e6b96d62ea8a9c2ff01a
  • 42c89f9e463771c6de93ecbd94210a7242234ca512ba2d68e4133e7835ce9f46
  • 466731dc06288c6288b2b306ecd2d457d23624b32dc8a6ba950f2344a4ec0228
  • 4e90c6ace53e3278aec3df081252e46b6d6f32e3786c862895fc724595bdfd09
  • 54f29401d5a69da03b8e1ed390e76a94b0967ae4859d885db5abd5a8632a8ce1
  • 58b1da3642367b1f8f80a018befaaeaa91ddbc0187d56f52c62eebeb06ac4291
  • 5c41aca107b6f288e5436c5722150e62845d594a89dd31de98865f87a1618880
  • 6ce10269595ec82e081472bddbdfd235086f6205dd836464e68c11b29b56a96c
  • 701fd08f2dcd10f75e462feaeedbc04c5d640d57e7203bfecf490c79b8da50ab
  • 795fb4569df188d5ce7ec1448d5088ffa7dc79bf60ea02e0fde15a2e8b4d0868
  • 79af5e9ff5b60e9ac555bf82c43d01b20d7a2d4faa85fff2651883cff52be4e8
  • 7dcde4f60dd8f1caf3c37047cbde35c00ff4c70d2bb6e33ac6811c0f2d0a7742
  • 84ab81138637667e9a304c70f6332d6e07a7fe01cada75b87501e1119654fe62
  • 88fd82e899034dfaeaf5fb3fa40ee31849e35dc781718119207c049a506d47b8
  • 8be6442f102a1a607ba44cb708e1b78c847a17d583e8caf673885613ac58eb35
  • 8d6f9213c8611b2d23dbe7ad43749c20332f35926c72eb71d4b8bc125b80730f
  • 8fe26438c3bd8257c7c09e13bcb06f049a65cdeef64fdf6260048b97c839c72c
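Both the Barys and the Zbot entries above persist the same way: a scheduled task (the TaskCache\Tree\AYBBMTE registry entries and the %System32%\Tasks\aybbmte file) whose action launches a binary dropped under %ProgramData%\Mozilla. Scheduled tasks on Windows are stored as XML files under %SystemRoot%\System32\Tasks, so a hunt for this pattern can simply walk that tree and flag any Exec action whose command lives in a user-writable location. The script below is an added example for this page, not Talos code; the list of "user-writable" path markers is an assumption, and the Tasks tree it scans is a constructed fixture with one task modelled on the aybbmte IOC and one benign Microsoft-style task.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Path fragments that mark locations a standard user can write to. Constructed
# heuristic (assumption): a task launching from here deserves a look; Windows'
# own tasks run from %windir% or Program Files.
USER_WRITABLE_MARKERS = (
    "\\programdata\\", "%programdata%", "\\users\\", "%userprofile%", "%homepath%",
    "\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "%temp%", "%tmp%",
)


def _local(tag: str) -> str:
    """Strip the XML namespace so exported and live task files both match."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(task_xml: bytes) -> list:
    """Return (command, arguments) pairs from a task's <Actions><Exec> entries."""
    root = ET.fromstring(task_xml)
    actions = []
    for elem in root.iter():
        if _local(elem.tag) != "Exec":
            continue
        cmd = args = ""
        for child in elem:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def is_user_writable(command: str) -> bool:
    """True when the command path contains one of the user-writable markers."""
    c = command.lower().strip('"')
    return any(m in c for m in USER_WRITABLE_MARKERS)


def hunt_tasks(tasks_dir: Path) -> list:
    """Walk a Tasks folder (e.g. C:\\Windows\\System32\\Tasks) and return
    [(task name relative to the folder, command)] for every Exec action that
    launches from a user-writable path. Non-XML files (legacy .job) are skipped."""
    hits = []
    for path in sorted(tasks_dir.rglob("*")):
        if not path.is_file():
            continue
        try:
            actions = exec_actions(path.read_bytes())
        except ET.ParseError:
            continue
        for cmd, _args in actions:
            if is_user_writable(cmd):
                hits.append((str(path.relative_to(tasks_dir)), cmd))
    return hits


# Minimal task definition in the real Task Scheduler schema; live files are UTF-16.
TASK_TEMPLATE = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command></Exec>
  </Actions>
</Task>
"""


def build_fixture() -> Path:
    """Constructed Tasks tree: one task modelled on the aybbmte IOC, one benign."""
    root = Path(tempfile.mkdtemp(prefix="tasks_fixture_"))
    (root / "aybbmte").write_bytes(
        TASK_TEMPLATE.format(command=r"C:\ProgramData\Mozilla\thfirxd.exe").encode("utf-16"))
    benign_dir = root / "Microsoft" / "Windows" / "Defrag"
    benign_dir.mkdir(parents=True)
    (benign_dir / "ScheduledDefrag").write_bytes(
        TASK_TEMPLATE.format(command=r"%windir%\system32\defrag.exe").encode("utf-16"))
    return root


if __name__ == "__main__":
    for task, cmd in hunt_tasks(build_fixture()):
        print(f"suspect task {task!r} launches {cmd}")
```

On a live host run hunt_tasks(Path(r"C:\Windows\System32\Tasks")) with administrative rights; the legacy %SystemRoot%\Tasks\*.job files from the same IOC list are a binary format rather than XML, so this parser skips them and they need a separate look (schtasks /query /v lists both kinds). Cross-check anything flagged against the TaskCache\Tree entries in the registry: a task file with no matching Tree entry, or vice versa, is itself worth explaining.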

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Malware.Autoit-6919193-0


Indicators of Compromise


Registry Keys
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKCU>\Software\Microsoft\RAS AutoDial
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\Certificates
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA\CTLs
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\Certificates
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CRLs
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\Root
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\ROOT\CTLs
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLs
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
  • <HKLM>\Software\Wow6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
  • <HKCU>\Software\Policies\Microsoft\SystemCertificates\trust
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CTLs
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\trust
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\TRUST\CTLs
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKCU>\SOFTWARE\MICROSOFT\RAS AUTODIAL\Default
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\OK3KMXI9HE
    • Value Name: inst
Mutexes
  • 3749282D282E1E80C56CAE5A
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-2580483871-590521980-3826313501-500
  • dxdiag
  • \BaseNamedObjects\dxdiag
IP Addresses contacted by malware. Does not indicate maliciousness
  • 62[.]173[.]139[.]203
  • 85[.]143[.]175[.]2
  • 107[.]173[.]219[.]120
Domain Names contacted by malware. Does not indicate maliciousness
  • jfnutts[.]com
  • jamesxx[.]dynu[.]net
Files and or directories created
  • %APPDATA%\D282E1\1E80C5.lck
  • \PC*\MAILSLOT\NET\NETLOGON
  • \lsass
  • %APPDATA%\D282E1
  • %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
  • \samr
  • %APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
  • %APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\7bfba4ab-37fb-49ad-95de-c46116256232
  • %ProgramFiles%\Microsoft DN1
  • %ProgramData%\images.exe
  • %LOCALAPPDATA%\Microsoft Vision
  • %HOMEPATH%\Documents\20190401
  • %TEMP%\~DF3968B9D4F94E63DD.TMP
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.url
  • %TEMP%\4vlsgi4i.nxw.ps1
  • %TEMP%\gs2vkrhw.jd3.psm1
  • %TEMP%\1xjo2rvg.l3o.psm1
  • %HOMEPATH%\.exe
  • %HOMEPATH%\.vbs
  • %HOMEPATH%\Start Menu\Programs\Startup\.url
File Hashes
  • 00e6268b7676fe162515c9b4191ae17186d708961a5545cf2b0e76e0d702a035
  • 02f9a5389aea7c071f277a51bbd449d845b7e5acb5a94c5e795bd283415569be
  • 055f89ea1016a672124bf38461d7a04632c9caf270714a783b34fa014e038c57
  • 06e27b85a1994a896d81cf423bbf9bbff1bbc5d89d26d4aa8b0fbbfa6b824d13
  • 0837fda8e72d32584a4c53dcc8f7ca75f38eae979d178f6db434e9521fbe82e8
  • 11a4e3e12cec6041bdf9508c56a7d75a00992f59c929172eabd8725a89904970
  • 15159b94f3fbf990f53b9df0a5f08b66fb1548e84d48c99a7537be84bece2062
  • 1f450f566e7896c60524017d006bb01902e854371313abb8d8f62038de2ecc7b
  • 21705746b4eb464753d99cc7999db91a55ca4a8a08ab53b8031c969adc47d899
  • 31cdf98e7e648986edabcbf58a70030ff882d2ec08106440b2b97b7d17d890f5
  • 468bd5cd0779eec9d11b325e5dd7aa7721e7189a04b7d92a236279d1cbab4439
  • 4e46d7ddef280bb91c73f15975b610d3bc4be014d29f05dade4860932cd63913
  • 556b0f36507a9da9bc8236d6328ac25b7d42e7d62d859ccb6163d117d9d39ccc
  • 64c2d4517abd6081f6401ee4237132f087177b8891d9840ae9e69fdd128dc9b0
  • 7254eb9ebb64ad0916d7678e8d01fca31a18d73f970a64394f9fc88069590929
  • 8594f3e2f19d3512830312737a9706fb8a3a92ab8d4afad9f2005c8d6c644db7
  • 8616e952c063ad624242745f595803a39931e134bd319b57cc36251e73aad3cb
  • 8acab560aa72f1d6a39b1bcdc48334e51cb9654fb21185da22413434bb01d22c
  • 9104f6034c2e99c2fd8d3158be68b20a93ba51f0d25b6e4908094f75cc3234ad
  • 977eb4729a3f3f20fdda9cc7cb4ba5e5e6066f3e9f0d05874b9978bcd6471532
  • a428bb2458b74579874a41d9ebb463835dc938777b7a21f52454af4e52856603
  • b1aa39eef0e0f815f9c91993cc24e786cf050f17e818f103416e7dd95727b911
  • c0406b0fedfb94e25ddd6b04947830c82460f5080999ad08fd5abc23fcf004dd
  • d9e637657dacc3e665fa5abbaa30443f474a299c0fa61b801409233a62e8440d
  • dad963b9062233185343b7564500514c8e51ed1056f717615e7885524a5ba8a6

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella


Win.Virus.Expiro-6918982-0


Indicators of Compromise


Registry Keys
  • <HKLM>\Software\Microsoft\WBEM\CIMOM
  • <HKCU>\Software\Microsoft\SystemCertificates\MY
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
    • Value Name: Start
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\4
    • Value Name: 1406
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\75
    • Value Name: AeFileID
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\COMSYSAPP
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\IEETWCOLLECTORSERVICE
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MOZILLAMAINTENANCE
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MSISERVER
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\OSE
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\UI0DETECT
    • Value Name: Start
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VDS
    • Value Name: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS
    • Value Name: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
    • Value Name: Type
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WMIAPSRV
    • Value Name: Start
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v2.0.50727\NGENService\State
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v2.0.50727\NGENService\ListenedState
  • <HKLM>\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
  • <HKLM>\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\S-1-5-21-2580483871-590521980-3826313501-500
    • Value Name: EnableNotifications
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\0
    • Value Name: 2103
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\1
    • Value Name: 2103
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\2
    • Value Name: 2103
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONES\3
    • Value Name: 2103
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
    • Value Name: CheckSetting
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
    • Value Name: CheckSetting
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
    • Value Name: CheckSetting
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
    • Value Name: CheckSetting
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
    • Value Name: CheckSetting
Mutexes
  • Global\LOADPERF_MUTEX
  • ASP.NET_Perf_Library_Lock_PID_640
  • BITS_Perf_Library_Lock_PID_640
  • ESENT_Perf_Library_Lock_PID_640
  • Lsa_Perf_Library_Lock_PID_640
  • MSDTC Bridge 3.0.0.0_Perf_Library_Lock_PID_640
  • MSDTC Bridge 4.0.0.0_Perf_Library_Lock_PID_640
  • MSDTC_Perf_Library_Lock_PID_640
  • Outlook_Perf_Library_Lock_PID_640
  • PerfDisk_Perf_Library_Lock_PID_640
  • PerfNet_Perf_Library_Lock_PID_640
  • PerfOS_Perf_Library_Lock_PID_640
  • PerfProc_Perf_Library_Lock_PID_640
  • RemoteAccess_Perf_Library_Lock_PID_640
  • SMSvcHost 3.0.0.0_Perf_Library_Lock_PID_640
  • SMSvcHost 4.0.0.0_Perf_Library_Lock_PID_640
  • ServiceModelEndpoint 3.0.0.0_Perf_Library_Lock_PID_640
  • ServiceModelOperation 3.0.0.0_Perf_Library_Lock_PID_640
  • ServiceModelService 3.0.0.0_Perf_Library_Lock_PID_640
  • Spooler_Perf_Library_Lock_PID_640
  • TapiSrv_Perf_Library_Lock_PID_640
  • Tcpip_Perf_Library_Lock_PID_640
  • TermService_Perf_Library_Lock_PID_640
  • Windows Workflow Foundation 3.0.0.0_Perf_Library_Lock_PID_640
  • Windows Workflow Foundation 4.0.0.0_Perf_Library_Lock_PID_640
  • WmiApRpl_Perf_Library_Lock_PID_640
  • aspnet_state_Perf_Library_Lock_PID_640
  • rdyboost_Perf_Library_Lock_PID_640
  • usbhub_Perf_Library_Lock_PID_640
  • kkq-vx_mtx1
  • gazavat-svc
  • kkq-vx_mtx89
  • kkq-vx_mtx91
  • kkq-vx_mtx92
  • kkq-vx_mtx93
  • kkq-vx_mtx94
  • kkq-vx_mtx95
  • kkq-vx_mtx96
  • kkq-vx_mtx97
  • kkq-vx_mtx98
  • kkq-vx_mtx99
  • kkq-vx_mtx31
  • kkq-vx_mtx32
  • kkq-vx_mtx33
  • kkq-vx_mtx29
  • gazavat-svc_29
IP Addresses contacted by malware. Does not indicate maliciousness
  • N/A
Domain Names contacted by malware. Does not indicate maliciousness
  • N/A
Files and or directories created
  • \srvsvc
  • %APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
  • %CommonProgramFiles%\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  • %CommonProgramFiles%\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
  • %ProgramFiles%\Java\jre6\bin\javaw.exe
  • %ProgramFiles%\Java\jre6\bin\javaws.exe
  • %ProgramFiles%\Java\jre6\bin\unpack200.exe
  • %ProgramFiles%\Java\jre7\bin\jabswitch.exe
  • %ProgramFiles%\Java\jre7\bin\java.exe
  • %ProgramFiles%\Java\jre7\bin\javacpl.exe
  • %ProgramFiles%\Java\jre7\bin\javaw.exe
  • %ProgramFiles%\Java\jre7\bin\javaws.exe
  • %ProgramFiles%\Java\jre7\bin\jp2launcher.exe
  • %ProgramFiles%\Java\jre7\bin\ssvagent.exe
  • %ProgramFiles%\Java\jre7\bin\unpack200.exe
  • %CommonProgramFiles%\Microsoft Shared\ink\ConvertInkStore.exe
  • %CommonProgramFiles%\Microsoft Shared\ink\InputPersonalization.exe
  • %CommonProgramFiles%\Microsoft Shared\ink\ShapeCollector.exe
  • %CommonProgramFiles%\Microsoft Shared\ink\TabTip.exe
  • %ProgramFiles%\DVD Maker\DVDMaker.exe
  • %ProgramFiles%\Internet Explorer\ieinstal.exe
  • %CommonProgramFiles(x86)%\microsoft shared\source engine\ose.exe
  • %ProgramFiles(x86)%\microsoft office\office14\groove.exe
  • %ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.exe
  • %CommonProgramFiles%\microsoft shared\officesoftwareprotectionplatform\osppsvc.exe
  • %SystemRoot%\ehome\ehsched.exe
  • %SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
  • %SystemRoot%\microsoft.net\framework64\v4.0.30319\mscorsvw.exe
  • %SystemRoot%\microsoft.net\framework\v2.0.50727\mscorsvw.exe
  • %SystemRoot%\microsoft.net\framework\v4.0.30319\mscorsvw.exe
  • %System32%\alg.exe
  • %System32%\dllhost.exe
  • %System32%\fxssvc.exe
  • %System32%\ieetwcollector.exe
  • %System32%\msdtc.exe
  • %System32%\msiexec.exe
  • %System32%\snmptrap.exe
  • %System32%\sppsvc.exe
  • %System32%\ui0detect.exe
  • %System32%\vds.exe
  • %System32%\vssvc.exe
  • %System32%\wbem\wmiApsrv.exe
  • %System32%\wbengine.exe
  • %CommonProgramFiles%\Microsoft Shared\ink\mip.exe
  • %System32%\FXSSVC.exe
  • %System32%\UI0Detect.exe
  • %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock
  • %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat
  • %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
  • %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
  • %ProgramFiles%\Internet Explorer\ielowutil.exe
  • %SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog
  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
  • %ProgramFiles%\Internet Explorer\iexplore.exe
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.vir
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.vir
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.vir
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.vir
  • %CommonProgramFiles%\Microsoft Shared\OFFICE14\MSOXMLED.vir
  • %CommonProgramFiles%\Microsoft Shared\VSTO\10.0\VSTOInstaller.vir
  • %CommonProgramFiles%\Microsoft Shared\ink\ConvertInkStore.vir
  • %CommonProgramFiles%\Microsoft Shared\ink\ShapeCollector.vir
  • %ProgramFiles%\DVD Maker\DVDMaker.vir
  • %ProgramFiles%\Internet Explorer\ieinstal.vir
  • %ProgramFiles%\Internet Explorer\ielowutil.vir
  • %ProgramFiles%\Internet Explorer\iexplore.vir
  • %ProgramFiles%\Java\jre6\bin\java.vir
  • %ProgramFiles%\Java\jre6\bin\javaw.vir
  • %ProgramFiles%\Java\jre6\bin\javaws.vir
  • %ProgramFiles%\Java\jre6\bin\unpack200.vir
  • %ProgramFiles%\Java\jre7\bin\jabswitch.vir
  • %ProgramFiles%\Java\jre7\bin\java.vir
  • %ProgramFiles%\Java\jre7\bin\javacpl.vir
  • %ProgramFiles%\Java\jre7\bin\javaw.vir
  • %ProgramFiles%\Java\jre7\bin\javaws.vir
  • %ProgramFiles%\Java\jre7\bin\jp2launcher.vir
  • %ProgramFiles%\Java\jre7\bin\ssvagent.vir
  • %ProgramFiles%\Java\jre7\bin\unpack200.vir
  • %CommonProgramFiles(x86)%\microsoft shared\source engine\ose.vir
  • %ProgramFiles(x86)%\microsoft office\office14\groove.vir
  • %ProgramFiles(x86)%\mozilla maintenance service\maintenanceservice.vir
  • %SystemRoot%\ehome\ehsched.vir
  • %SystemRoot%\microsoft.net\framework64\v2.0.50727\mscorsvw.vir
  • %SystemRoot%\microsoft.net\framework\v2.0.50727\mscorsvw.vir
  • %SystemRoot%\microsoft.net\framework\v4.0.30319\mscorsvw.vir
  • %System32%\alg.vir
  • %System32%\dllhost.vir
  • %System32%\fxssvc.vir
  • %System32%\ieetwcollector.vir
  • %System32%\msiexec.vir
  • %System32%\snmptrap.vir
  • %System32%\ui0detect.vir
  • %System32%\vds.vir
  • %System32%\vssvc.vir
  • %System32%\wbem\wmiApsrv.vir
  • %System32%\wbengine.vir
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.vir
  • \MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.vir
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\ose.vir
  • \MSOCache\All Users\{91140000-0011-0000-0000-0000000FF1CE}-C\setup.vir
  • %CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppsvc.vir
  • %CommonProgramFiles%\Microsoft Shared\ink\TabTip.vir
  • %CommonProgramFiles%\Microsoft Shared\ink\mip.vir
  • %SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.vir
  • %System32%\msdtc.vir
  • %System32%\msiexec.vir
  • %System32%\sppsvc.vir
  • %SystemRoot%\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{C0F5CDA5-94A5-411C-9D50-E0AEC7EA25A6}.crmlog
  • %APPDATA%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\29a1f50d-6e60-4de9-b56c-1a6439e5baa1
File Hashes

Coverage


Screenshots of Detection

AMP



ThreatGrid



Win.Trojan.Winwebsec-6918829-0


Indicators of Compromise


Registry Keys
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • Value Name: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • Value Name: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • Value Name: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: AutoDetect
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2
  • <HKCU>\Software
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
    • Value Name: AntiVirusOverride
  • <HKLM>\SOFTWARE\WOW6432NODE\Microsoft
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • <HKLM>\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#
    • Value Name: CustomPropertyHwIdKey
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\svc
  • <HKLM>\System\CurrentControlSet\Services\luafv
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Live Security Platinum
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
    • Value Name: RPSessionInterval
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
    • Value Name: Start
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex
  • Local\MSCTF.Asm.MutexDefault1
  • DBWinMutex
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_1024.db!dfMaintainer
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_256.db!dfMaintainer
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_32.db!dfMaintainer
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_96.db!dfMaintainer
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!ThumbnailCacheInit
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwReaderRefs
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!rwWriterMutex
  • Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_sr.db!dfMaintainer
  • 539D542E222D2DDE0101049AB5EC2432
  • ..MTX
  • 529C532D212C2CDD00000399B4EB2331
  • 56A05731253030E10404079DB8EF2735
  • 57A15832263131E20505089EB9F02836
  • 5AA45B35293434E508080BA1BCF32B39
  • \BaseNamedObjects\5B4FD7CC222D2DDE0101F14FD252FD4F
  • \BaseNamedObjects\5A4ED6CB212C2CDD0000F04ED151FC4E
IP Addresses contacted by malware. Does not indicate maliciousness
  • 116[.]255[.]235[.]9
Domain Names contacted by malware. Does not indicate maliciousness
  • www[.]w3[.]org
Files and or directories created
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
  • %HOMEPATH%\Desktop\Live Security Platinum.lnk
  • %ProgramData%\529C532D212C2CDD00000399B4EB2331
  • %ProgramData%\529C532D212C2CDD00000399B4EB2331\529C532D212C2CDD00000399B4EB2331.exe
  • %ProgramData%\529C532D212C2CDD00000399B4EB2331\529C532D212C2CDD00000399B4EB2331
  • %ProgramData%\5A4ED6CB212C2CDD0000F04ED151FC4E\5A4ED6CB212C2CDD0000F04ED151FC4E
  • %ProgramData%\5A4ED6CB212C2CDD0000F04ED151FC4E\5A4ED6CB212C2CDD0000F04ED151FC4E.exe
File Hashes

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Trojan.Emotet-6918815-0


Indicators of Compromise


Registry Keys
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value Name: Collection
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
    • Value Name: DhcpScopeID
  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
  • <HKU>\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\IndexTable
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE
    • Value Name: _CurrentObjectId_
  • <A>\{32DE27EC-AB30-11E8-A007-00501E3AE7B5}\DEFAULTOBJECTSTORE\LRULIST
    • Value Name: CurrentLru
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
    • Value Name: Type
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\5A-54-99-D2-86-6F
    • Value Name: WpadDecisionReason
  • <HKLM>\SOFTWARE\Microsoft\ESENT\Process\guiddefribbon\DEBUG
Mutexes
  • Global\I98B68E3C
  • Global\M98B68E3C
  • \BaseNamedObjects\Global\M3C28B0E4
  • \BaseNamedObjects\Global\I3C28B0E4
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
  • %SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  • %SystemRoot%\SysWOW64\kyGqvfpU.exe
File Hashes

Coverage


Screenshots of Detection

AMP




ThreatGrid




Umbrella



Microsoft Patch Tuesday — April 2019: Vulnerability disclosures and Snort coverage

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Critical vulnerabilities

Microsoft disclosed 16 critical vulnerabilities this month, four of which we will highlight below.

CVE-2019-0753 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0790, CVE-2019-0791, CVE-2019-0792, CVE-2019-0793 and CVE-2019-0795 are all remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.

The other critical vulnerabilities are:

Important vulnerabilities

This release also contains 58 important vulnerabilities, eight of which we will highlight below.

CVE-2019-0732 is a feature bypass vulnerability in several versions of the Windows operating system that could allow an attacker to bypass Windows Device Guard. This bug exists because Windows improperly handles calls to the LUAFV driver. An attacker could exploit this vulnerability by accessing the local machine and then running a malicious program, giving them the ability to evade a User Mode Code Integrity policy on the machine.

CVE-2019-0752 is a remote code execution vulnerability in the Microsoft Scripting Engine that exists in the way the Internet Explorer web browser handles objects in memory. The bug could allow an attacker to corrupt the system in a way that would allow them to gain the same rights as the current user and execute code remotely. In order to trigger this vulnerability, the attacker needs to convince the user to open a specially crafted website in Internet Explorer. They could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the Internet Explorer rendering engine.

CVE-2019-0790 and CVE-2019-0795 are remote code execution vulnerabilities that arise when the Microsoft XML Core Services MSXML parser processes user input. An attacker could exploit any of these bugs to take control of the user’s system. A user could trigger these vulnerabilities by visiting an attacker-created web page that contains malicious MSXML.

CVE-2019-0801 is a remote code execution vulnerability in Microsoft Office that arises when the software attempts to open PowerPoint or Excel files. An attacker could exploit this bug by tricking the user into clicking on a specially crafted URL file that points to an Excel or PowerPoint file, causing the file to download.

CVE-2019-0803 and CVE-2019-0859 are elevation of privilege vulnerabilities in some versions of Windows that exist when the Win32k component improperly handles objects in memory. If exploited, an attacker could gain the ability to run arbitrary code in kernel mode. An attacker could exploit this bug by logging onto the system and then running a specially crafted application.

CVE-2019-0822 is a remote code execution vulnerability that exists in the way Microsoft Graphics Components handles objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted file, eventually allowing them to execute arbitrary code in the context of the current user.

The other important vulnerabilities are:

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755

Gustuff banking botnet targets Australia


Vitor Ventura authored this post.

Executive summary

Cisco Talos has uncovered a new Android-based campaign targeting Australian financial institutions. As the investigation progressed, Talos came to understand that this campaign was associated with the "ChristinaMorrow" text message spam scam previously spotted in Australia.

Although this malware's credential-harvesting mechanism is not particularly sophisticated, it does have an advanced self-preservation mechanism. Even though this is not a traditional remote access tool (RAT), this campaign seems to target mainly private users. Aside from credential stealing, this malware also includes features such as theft of the user's contact list, collecting phone numbers and their associated names, and collecting files and photos on the device. But that doesn't mean companies and organizations are out of the woods. They should still be on the lookout for these kinds of trojans, as the attackers could target corporate accounts that contain large amounts of money.

The information collected by the malware and the control over the victim's mobile device allow its operators to perform more complex social engineering attacks. A motivated attacker can use this trojan to harvest usernames and passwords and then reuse them to log in to the systems of the organization where the victim works. This is a good example of where two-factor authentication based on SMS would fail, since the attacker can read the SMS. Corporations can protect themselves from these side-channel attacks by deploying client-based two-factor authentication, such as Duo Security.

One of the most impressive features of this malware is its resilience. If the command and control (C2) server is taken down, the malicious operator can still regain control of the malware by sending SMS messages directly to the infected devices. This makes taking down the network, and recovering from it, much harder and poses a considerable challenge for defenders.

The campaign


The malware's primary infection vector is SMS. Just like the old-school mail worms that used the victim's address book to select the next victims, this banking trojan's activation cycle includes the exfiltration of the victim's address book. The trojan then receives instructions from the C2 to spread.
Spread command from C2

The victim receives the command sendSMSMass. Usually, this message targets four or five people at a time. The body contains a message and a URL. Again, the idea is that new victims are more likely to install the malware if the SMS comes from someone they know. When a victim tries to access the URL in the SMS body, the C2 checks whether the mobile device meets the criteria to receive the malware (see the infrastructure section). If the device does not meet the criteria, it won't receive any data; otherwise, it is redirected to a second server to receive a copy of the malware to install on the device.

The domain used in this campaign was registered on Jan. 19, 2019. However, Talos has identified that it was in use at least since November 2018. During the investigation, Talos was also able to determine that the same infrastructure has been used to deploy similar campaigns using different versions of the malware.
Distribution of victims.

Talos assesses with high confidence that this campaign is targeting Australian financial institutions, based on several factors. Our Umbrella telemetry shows that the majority of requests come from Australia, and the majority of the infected phone numbers carry the international dialing code for Australia. Finally, the specific overlays are designed for Australian financial institutions, and Australia is one of the geographic regions accepted by the C2.
DNS queries distribution over time

The campaign doesn't seem to be growing at a fast pace. Our data shows, on average, about three requests per hour to the drop host. This request is only made upon installation, but there is no guarantee that the malware will actually be installed. This data, analyzed together with the number of SMS-sending commands Talos received during the investigation, leads us to conclude that the malicious operator is aggressively spreading the malware, but that this doesn't seem to result in a matching number of new infections.
Examples of the overlays available to the malware

Above, you can see examples of the injections distributed to the malware as part of this specific campaign.

While doing our investigation, we were able to identify other malware packages with different names. Some of these might have been used in older campaigns or were already prepared for new ones.

Malware technical details


During our investigation, researchers uncovered a malware known as "Gustuff." Given the lack of indicators of compromise, we decided to check whether this was the same malware we had been researching. Our Threat Intelligence and Interdiction team found the Gustuff malware being advertised on the Exploit.in forum as a botnet for rent. The seller, known as "bestoffer," was, at some point, expelled from the forum.

Gustuff advertising screenshot

The companies advertised in the image above are from Australia, which matches the campaign we researched. The screenshots provided by the author align with the advertised features and with the features we discovered during our analysis.
Admin panel

The administration panel shows the application configuration, which matches the commands from the C2.
Country selection

The administration console screenshots also show the ability to filter the results by country. In this case, "AU" is the code shown, which is Australia.

Based on this information, Talos assesses with high confidence that the malware is the same and this is, in fact, the Gustuff malware.

Design

In the manifest, the malware requests a large number of permissions. However, it doesn't request permissions like BIND_ADMIN: to perform some of its activities, the malware does not need high privileges on the device, as we will explain below.
Permissions in the manifest

This malware is designed to avoid detection and analysis. It has several protections in place, both in the C2 and the malware's code. The code is not only obfuscated but also packed. The packer, besides making the static analysis more complex, will break the standard debugger.
Manifest activity declaration

Class list inside the dex file

The main malware classes are packed, to a point where the class defined in the manifest has a handler for the MAIN category that does not exist in the DEX file.
Error when trying to debug the malware using the Android Studio IDE.

One of the side effects of this packer is that the Android Studio IDE cannot debug the code. This happens because the IDE launches the code through the Android Debug Bridge (ADB) by calling the activity declared in the manifest by name. Since the class does not exist at startup, the application does not run in the debugger. Although Talos analyzed the unpacked version of the code, the packer analysis is beyond the scope of this post.
Check code for emulators

As part of its defenses, the malware payload first checks for emulators to prevent analysis in sandboxes. It checks for different kinds of emulators, including QEMU, Genymotion, BlueStacks and Bignox. If the malware determines that it is not running on an emulator, it then performs additional checks to ensure that it won't be detected.
Code to check the existence of SafetyNet Google API

It also checks whether Android SafetyNet is active and reports the result back to the C2. This helps the C2 decide what actions it can take before being detected on the mobile device.
List of anti-virus packages that are checked

The payload goes a long way to protect itself and checks for anti-virus software installed on the mobile device. The trojan uses the Android Accessibility API to intercept all interactions between the user and the mobile device.

The Android developer documentation describes the accessibility event class as a class that "represents accessibility events that are seen by the system when something notable happens in the user interface. For example, when a button is clicked, a view is focused, etc."

For each interaction, the malware checks whether the originating package belongs to the anti-virus list. If it does, the malware abuses another feature of the Accessibility API, a function called "performGlobalAction," described below.

The Android documentation describes that function as performing "a global action. Such an action can be performed at any moment, regardless of the current application or user location in that application. For example, going back, going home, opening recents, etc."

The trojan calls this function with the action GLOBAL_ACTION_BACK, which equals the pressing of the back button on the device, thus canceling the opening of the anti-virus application.
The same event interception is used to place the webview overlay when the user tries to access the targeted applications, allowing it to display its overlay, thus intercepting the credentials.

The beaconing only starts after the application is installed and removed from the running tasks.
Beaconing information

The ID is generated for each installation of the malware, while the token remains unique. Some of the checks performed previously are immediately sent to the C2, like the safetyNet, admin and defaultSMSApp. The beaconing is sent to the URL http://<SERVER>/api/v2/get.php with an interval of 60 seconds.

Answer from the C2

The C2 checks the country field: if it is empty or the country is not targeted, it replies with an "Unauthorized" answer. Otherwise, it returns a JSON-encoded "OK" and, if there is one, the command to be executed.
List of available commands

The command names are self-explanatory. A command is issued as the answer to a beacon, and its result is returned to the URL http://<SERVER>/api/v2/set_state.php.
Example of the command "changeServer"

The commands are issued in JSON format, and the obfuscation is part of the malware code, not added by the packer. It is a custom obfuscation partly based on Base85 encoding, which is in itself unusual in malware: Base85 encoding is normally used in PDF and PostScript documents. The configuration of the malware is stored in custom preferences files, using the same obfuscation scheme.
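A defender-side illustration of the beaconing behaviour described above (fixed 60-second polls to /api/v2/get.php, with results posted to /api/v2/set_state.php). This is an added example, not code from the original post or from the malware: it looks for fixed-period requests to a single URL path in a set of constructed proxy log lines. The log format, the client addresses and the host names (c2.example.invalid and friends) are assumptions; only the two API paths come from the post.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Paths named in the post; everything else in this file is constructed.
GUSTUFF_PATHS = {"/api/v2/get.php", "/api/v2/set_state.php"}

# Constructed proxy log: "<ISO timestamp> <client IP> <URL>" (assumed format).
# 10.0.0.5 polls get.php exactly every 60 s, 10.0.0.9 with a few seconds of
# jitter, 10.0.0.7 is ordinary browsing, 10.0.0.11 polls irregularly.
SAMPLE_LOG = """\
2019-04-09T10:00:00 10.0.0.5 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:01:00 10.0.0.5 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:02:00 10.0.0.5 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:03:00 10.0.0.5 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:03:02 10.0.0.5 http://c2.example.invalid/api/v2/set_state.php
2019-04-09T10:04:00 10.0.0.5 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:00:13 10.0.0.7 http://news.example.invalid/index.html
2019-04-09T10:00:41 10.0.0.7 http://news.example.invalid/story/1
2019-04-09T10:05:19 10.0.0.7 http://news.example.invalid/story/2
2019-04-09T10:10:00 10.0.0.9 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:11:00 10.0.0.9 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:12:03 10.0.0.9 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:13:01 10.0.0.9 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:14:02 10.0.0.9 http://c2.example.invalid/api/v2/get.php
2019-04-09T10:20:00 10.0.0.11 http://app.example.invalid/poll
2019-04-09T10:20:05 10.0.0.11 http://app.example.invalid/poll
2019-04-09T10:25:05 10.0.0.11 http://app.example.invalid/poll
2019-04-09T10:25:25 10.0.0.11 http://app.example.invalid/poll
2019-04-09T10:40:25 10.0.0.11 http://app.example.invalid/poll
"""


def parse_log(text):
    """Yield (timestamp, client, host, path) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split()
        parts = urlsplit(url)
        yield datetime.fromisoformat(ts), client, parts.netloc, parts.path


def detect_beacons(text, min_hits=4, max_jitter=0.15):
    """Flag (client, host, path) series whose inter-request gaps are nearly constant.

    max_jitter is the largest deviation from the median gap, as a fraction of
    that gap, still considered periodic. Series shorter than min_hits are ignored.
    """
    series = defaultdict(list)
    for ts, client, host, path in parse_log(text):
        series[(client, host, path)].append(ts)

    findings = []
    for (client, host, path), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        jitter = max(abs(g - period) for g in gaps) / period
        if jitter <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "path": path,
                "period_s": period,
                "hits": len(stamps),
                "known_c2_path": path in GUSTUFF_PATHS,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

The check is deliberately path-based rather than IOC-based: the post notes that the changeServer command moves the C2 to a new host while keeping the same API, so a rule keyed on the host alone stops firing after step 4 of the activation cycle, whereas the 60-second cadence and the /api/v2/ paths survive the move. The params command later lengthens the interval, which is why the period is reported rather than hardcoded.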

Activation cycle

As we have explained above, the malware has several defense mechanisms. Besides the obfuscation and the environment checks, the malware also has some interesting anti-sandbox mechanisms.

After installation, the user needs to run the application and press the "close" button to finish the installation. However, this won't close the application; it sends it to the background instead. While the application is in the background, although the service is already running, the beaconing will not start. The beaconing only starts after the application is removed from the background (swiped out of the running tasks), which ultimately stops it; this is the trigger for the service to start beaconing.

As mentioned previously, the beaconing is done every 60 seconds. However, no command is received from the C2 until the inactiveTime field (see beaconing information image above) has at least the value of 2000000. This time resets every time the user performs some activity.

After the checks, the malware becomes active, but first, it goes through seven steps, each one calling a different command:
  1. uploadPhoneNumbers: Exfiltrates all phone numbers in the contact list. Aside from the natural value of phone numbers associated with the names of their owners, the exfiltrated contact list can be used to attack other victims using SMS as an initial infection vector.
  2. checkApps: Asks the malware to check whether the packages sent as parameters are installed. The malware contains a list of 209 packages hardcoded in its source code, but the C2 can send an updated list.
     List of packages received from the C2

  3. adminNumber: Sets the administrator phone number. In our case, the administrator phone number belongs to a mobile network in Australia.
     Phone number for administration

  4. changeServer: At this point, the malware changes the C2 to a new host, although the API and communication protocol remain the same.
     Change server request

     The URL of the new server is obfuscated, preventing easy network identification.

  5. changeActivity: This command sets up the webview to overlay any of the target activities.
     changeActivity command

     The webview injects are not hosted on the C2; they are hosted on a completely different server.

  6. params: This command allows the malicious operator to change configuration parameters in the malware. During this stage of the activation cycle, the malware increases the beaconing interval to avoid detection.
     Command to change the beaconing

  7. changeArchive: The final command of the activation cycle is the download of an archive. This archive is stored on the same host as the webviews. The archive is a password-protected ZIP containing several files.
Change archive command

After this activation cycle, the malware will start the collection of information activities and dissemination.

Malicious activity

Once the activation cycle ends, the trojan starts its malicious activities. These depend on the device configuration: depending on whether the victim has any of the targeted applications or an anti-virus installed, and on the geographic location, the malware can harvest credentials from the targeted applications, exfiltrate all personal information, or simply use the victim's device to send SMS messages to spread the trojan.

The malware deploys overlaying webviews to trick the user and eventually steal their login credentials. These are adapted to the information the malicious operator wants to retrieve. The first webview overlay is created on step 6 of the activation cycle.
Pin request overlay

This overlay asks the user to provide the PIN that unlocks the mobile device, which is immediately exfiltrated to the C2. The last step of the activation cycle is the download of a password-protected ZIP file. This file contains all the HTML, CSS and PNG files necessary to create overlays. Talos found 189 logos, from banks to cryptocurrency exchanges, inside the archive, all of which could be targeted. The archive also contained all the code necessary to target Australian financial institutions. The overlays are activated by the malicious operator using the command changeActivity, as seen in step 5 of the activation cycle. In this case, we can see that the HTML code of the overlay is stored in the C2 infrastructure. However, since the archive downloaded to the device contains all the necessary information and the malicious actor has access to the device via SMS, the malicious operator can continue operating even without the C2 infrastructure.

Infrastructure

The infrastructure supporting this malware is rather complex: at every stage there are at least two layers. Although the infrastructure is not very dynamic, each layer provides some level of protection. All the IP addresses belong to the same company, Hetzner, a hosting provider in Germany.

Coverage

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source SNORTⓇ Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise (IOCs)

Domains


Facebook-photos-au.su
Homevideo2-12l.ml
videohosting1-5j.gq

URLs

hxxp://88.99.227[.]26/html2/2018/GrafKey/new-inj-135-3-dark.html
hxxp://88.99.227[.]26/html2/arc92/au483x.zip
hxxp://94.130.106[.]117:8080/api/v1/report/records.php
hxxp://88.99.227[.]26/html2/new-inj-135-3-white.html
hxxp://facebook-photos-au[.]su/ChristinaMorrow
hxxp://homevideo2-12l[.]ml/mms3/download_3.php

IP addresses

78.46.201.36
88.99.170.84
88.99.227.26
94.130.106.117
88.99.174.200
88.99.189.31

Hash

369fcf48c1eb982088c22f86672add10cae967af82613bee6fb8a3669603dc48
b2d4fcf03c7a8bf135fbd3073bea450e2e6661ad8ef2ab2058a3c04f81fc3f3e
8f5d5d8419a4832d175a6028c9e7d445f1e99fdc12170db257df79831c69ae4e
a5ebcdaf5fd10ec9de85d62e48cc97a4e08c699a7ebdeab0351b86ab1370557d
84578b9b2c3cc1c7bbfcf4038a6c76ae91dfc82eef5e4c6815627eaf6b4ae6f6
89eecd91dff4bf42bebbf3aa85aa512ddf661d3e9de4c91196c98f4fc325a018
9edee3f3d539e3ade61ac2956a6900d93ba3b535b6a76b3a9ee81e2251e25c61
0e48e5dbc3a60910c1460b382d28e087a580f38f57d3f82d4564309346069bd1
c113cdd2a5e164dcba157fc4e6026495a1cfbcb0b1a8bf3e38e7eddbb316e01f
1819d2546d9c9580193827c0d2f5aad7e7f2856f7d5e6d40fd739b6cecdb1e9e
b213c1de737b72f8dd7185186a246277951b651c64812692da0b9fdf1be5bf15
453e7827e943cdda9121948f3f4a68d6289d09777538f92389ca56f6e6de03f0
0246dd4acd9f64ff1508131c57a7b29e995e102c74477d5624e1271700ecb0e2
88034e0eddfdb6297670d28ed810aef87679e9492e9b3e782cc14d9d1a55db84
e08f08f4fa75609731c6dd597dc55c8f95dbdd5725a6a90a9f80134832a07f2e
01c5b637f283697350ca361f241416303ab6123da4c6726a6555ac36cb654b5c
1fb06666befd581019af509951320c7e8535e5b38ad058069f4979e9a21c7e1c

Additional information

Packages monitored

pin.secret.access
com.chase.sig.android
com.morganstanley.clientmobile.prod
com.wf.wellsfargomobile
com.citi.citimobile
com.konylabs.capitalone
com.infonow.bofa
com.htsu.hsbcpersonalbanking
com.usaa.mobile.android.usaa
com.schwab.mobile
com.americanexpress.android.acctsvcs.us
com.pnc.ecommerce.mobile
com.regions.mobbanking
com.clairmail.fth
com.grppl.android.shell.BOS
com.tdbank
com.huntington.m
com.citizensbank.androidapp
com.usbank.mobilebanking
com.ally.MobileBanking
com.key.android
com.unionbank.ecommerce.mobile.android
com.mfoundry.mb.android.mb_BMOH071025661
com.bbt.cmol
com.sovereign.santander
com.mtb.mbanking.sc.retail.prod
com.fi9293.godough
com.commbank.netbank
org.westpac.bank
org.stgeorge.bank
au.com.nab.mobile
au.com.bankwest.mobile
au.com.ingdirect.android
org.banksa.bank
com.anz.android
com.anz.android.gomoney
com.citibank.mobile.au
org.bom.bank
com.latuabancaperandroid
com.comarch.mobile
com.jpm.sig.android
com.konylabs.cbplpat
by.belinvestbank
no.apps.dnbnor
com.arkea.phonegap
com.alseda.bpssberbank
com.belveb.belvebmobile
com.finanteq.finance.ca
pl.eurobank
pl.eurobank2
pl.noblebank.mobile
com.getingroup.mobilebanking
hr.asseco.android.mtoken.getin
pl.getinleasing.mobile
com.icp.ikasa.getinon
eu.eleader.mobilebanking.pekao
softax.pekao.powerpay
softax.pekao.mpos
dk.jyskebank.mobilbank
com.starfinanz.smob.android.bwmobilbanking
eu.newfrontier.iBanking.mobile.SOG.Retail
com.accessbank.accessbankapp
com.sbi.SBIFreedomPlus
com.zenithBank.eazymoney
net.cts.android.centralbank
com.f1soft.nmbmobilebanking.activities.main
com.lb.smartpay
com.mbmobile
com.db.mobilebanking
com.botw.mobilebanking
com.fg.wallet
com.sbi.SBISecure
com.icsfs.safwa
com.interswitchng.www
com.dhanlaxmi.dhansmart.mtc
com.icomvision.bsc.tbc
hr.asseco.android.jimba.cecro
com.vanso.gtbankapp
com.fss.pnbpsp
com.mfino.sterling
cy.com.netinfo.netteller.boc
ge.mobility.basisbank
com.snapwork.IDBI
com.lcode.apgvb
com.fact.jib
mn.egolomt.bank
com.pnbrewardz
com.firstbank.firstmobile
wit.android.bcpBankingApp.millenniumPL
com.grppl.android.shell.halifax
com.revolut.revolut
de.commerzbanking.mobil
uk.co.santander.santanderUK
se.nordea.mobilebank
com.snapwork.hdfc
com.csam.icici.bank.imobile
com.msf.kbank.mobile
com.bmm.mobilebankingapp
net.bnpparibas.mescomptes
fr.banquepopulaire.cyberplus
com.caisseepargne.android.mobilebanking
com.palatine.android.mobilebanking.prod
com.ocito.cdn.activity.creditdunord
com.fullsix.android.labanquepostale.accountaccess
mobi.societegenerale.mobile.lappli
com.db.businessline.cardapp
com.skh.android.mbanking
com.ifs.banking.fiid1491
de.dkb.portalapp
pl.pkobp.ipkobiznes
pl.com.suntech.mobileconnect
eu.eleader.mobilebanking.pekao.firm
pl.mbank
pl.upaid.nfcwallet.mbank
eu.eleader.mobilebanking.bre
pl.asseco.mpromak.android.app.bre
pl.asseco.mpromak.android.app.bre.hd
pl.mbank.mnews
eu.eleader.mobilebanking.raiffeisen
pl.raiffeisen.nfc
hr.asseco.android.jimba.rmb
com.advantage.RaiffeisenBank
pl.bzwbk.ibiznes24
pl.bzwbk.bzwbk24
pl.bzwbk.mobile.tab.bzwbk24
com.comarch.mobile.investment
com.android.vending
com.snapchat.android
jp.naver.line.android
com.viber.voip
com.gettaxi.android
com.whatsapp
com.tencent.mm
com.skype.raider
com.ubercab
com.paypal.android.p2pmobile
com.circle.android
com.coinbase.android
com.walmart.android
com.bestbuy.android
com.ebay.gumtree.au
com.ebay.mobile
com.westernunion.android.mtapp
com.moneybookers.skrillpayments
com.gyft.android
com.amazon.mShop.android.shopping
com.comarch.mobile.banking.bgzbnpparibas.biznes
pl.bnpbgzparibas.firmapp
com.finanteq.finance.bgz
pl.upaid.bgzbnpp
de.postbank.finanzassistent
pl.bph
de.comdirect.android
com.starfinanz.smob.android.sfinanzstatus
de.sdvrz.ihb.mobile.app
pl.ing.mojeing
com.ing.mobile
pl.ing.ingksiegowosc
com.comarch.security.mobilebanking
com.comarch.mobile.investment.ing
com.ingcb.mobile.cbportal
de.buhl.finanzblick
pl.pkobp.iko
pl.ipko.mobile
pl.inteligo.mobile
de.number26.android
pl.millennium.corpApp
eu.transfer24.app
pl.aliorbank.aib
pl.corelogic.mtoken
alior.bankingapp.android
com.ferratumbank.mobilebank
com.swmind.vcc.android.bzwbk_mobile.app
de.schildbach.wallet
piuk.blockchain.android
com.bitcoin.mwallet
com.btcontract.wallet
com.bitpay.wallet
com.bitpay.copay
btc.org.freewallet.app
org.electrum.electrum
com.xapo
com.airbitz
com.kibou.bitcoin
com.qcan.mobile.bitcoin.wallet
me.cryptopay.android
com.bitcoin.wallet
lt.spectrofinance.spectrocoin.android.wallet
com.kryptokit.jaxx
com.wirex
bcn.org.freewallet.app
com.hashengineering.bitcoincash.wallet
bcc.org.freewallet.app
com.coinspace.app
btg.org.freewallet.app
net.bither
co.edgesecure.app
com.arcbit.arcbit
distributedlab.wallet
de.schildbach.wallet_test
com.aegiswallet
com.plutus.wallet
com.coincorner.app.crypt
eth.org.freewallet.app
secret.access
secret.pattern

Vulnerability Spotlight: Adobe Acrobat Reader remote code execution


Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Executive summary

There is a remote code execution vulnerability in Adobe Acrobat Reader that could occur if a user were to open a malicious PDF on their machine using the software. Acrobat is the most widely used PDF reader on the market, making the potential target base for these bugs fairly large. The program supports embedded JavaScript code in the PDF to allow for interactive PDF forms, giving the potential attacker the ability to precisely control memory layout and creating an additional attack surface.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that the issue is resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC text field value remote code execution vulnerability (TALOS-2018-0774/CVE-2019-7125)

A specific JavaScript code embedded in a PDF file can lead to a heap corruption when opening a PDF document in Adobe Acrobat Reader DC 2019.10.20069. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. The vulnerability in this advisory is the same as TALOS-2018-0704 (CVE-2018-19716), which was disclosed in December 2018, as it wasn't properly patched to cover all cases.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Adobe Acrobat Reader DC, version 2019.010.20069 is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 48293, 48294

Sextortion profits decline despite higher volume, new techniques

Post authored by Nick Biasini and Jaeson Schultz.

Sextortion spammers continue blasting away at high volume. The success they experienced with several high-profile campaigns last year has led these attackers to continue transmitting massive amounts of sextortion email. These sextortion spammers have been doing everything they can to keep their approach fresh. Not only does this help sextortionists evade spam filters, increasing their chances of landing in recipients' inboxes, but it also ups their chances of finding a message that has language that resonates, convincing potential victims that the perceived threat is indeed real. Let's take a look at some of the recent changes we've seen in the sextortion email landscape.

Sextortion profits decline sharply


In an effort to see how lucrative sextortion schemes continue to be, Cisco Talos revisited some of the larger campaigns we had seen since the beginning of 2019. We selected one of the highest volume campaigns for deeper analysis: sextortion messages containing "Subject: <username> : <password>." The same attackers behind the "Aaron Smith" campaigns last year, which we wrote about in October, are behind these new efforts.

After collating all the email samples we could find in SpamCop, we then extracted the Bitcoin addresses where victims were asked to deposit their extortion payments. Talos identified over 1 million sextortion emails transmitted by these sextortionists between January and March 2019. However, after reviewing the targets, we found only 29,000 unique email recipients. This means that each user is receiving an average of 38 emails from this one sextortion campaign. This seems like a counter-intuitive approach since after a user receives one or maybe two of these emails, the effectiveness is going to be greatly reduced. However, that doesn't mean at least some of the targets aren't paying up.

The reuse of Bitcoin addresses is rampant in this campaign, with only about 9,000 unique Bitcoin addresses among the entire set of messages. We began an analysis of these addresses to determine how many Bitcoins had been deposited into the attackers' accounts. After pulling the current value of these addresses, we found ~3.5 BTC in them, which equals about $17,000. These returns are quite disappointing compared with the $150,000 these same attackers obtained in just two months of sextortion attacks last fall. Rather than face the harsh reality that fewer victims continue to fall for their scams, however, sextortionists are redoubling their efforts.
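A worked version of the address-level analysis described above, written as an added example (not code from the original post): it pulls legacy Base58Check Bitcoin addresses out of a set of constructed sextortion messages, validates the checksum so that mangled strings are not counted as payment addresses, and reports unique recipients, messages per recipient and unique addresses the way the paragraphs above do. The messages, the recipient names and the second address are constructed; the first address is the publicly known Bitcoin genesis-block address, used only as a known-valid test vector. Bech32 (bc1...) addresses are out of scope, and looking up balances requires a block explorer, which this offline example does not do.

```python
import hashlib
import re
from collections import Counter

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy address: starts with 1 (P2PKH) or 3 (P2SH), 26-35 Base58 characters.
ADDR_RE = re.compile(r"\b[13][" + B58_ALPHABET + r"]{25,34}\b")


def b58decode(s):
    """Base58 -> bytes, or None if s contains a character outside the alphabet."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for one leading zero byte.
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def b58encode(data):
    """bytes -> Base58, preserving leading zero bytes as '1' characters."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def is_valid_legacy_address(addr):
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = b58decode(addr)
    if raw is None or len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def make_sample_address(seed, version=0x00):
    """Build a checksum-valid address from a constructed hash; for test data only."""
    payload = bytes([version]) + hashlib.sha256(seed).digest()[:20]
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public, well known; test vector only
CONSTRUCTED_ADDR = make_sample_address(b"constructed for this example", version=0x05)
CORRUPTED_ADDR = GENESIS_ADDR[:-1] + "b"  # one character changed: checksum must fail

# Constructed (recipient, body) pairs standing in for the SpamCop samples.
SAMPLE_MESSAGES = [
    ("alice@example.invalid", f"Subject: alice : hunter2 ... send 0.1 BTC to {GENESIS_ADDR}"),
    ("bob@example.invalid", f"Subject: bob : letmein ... send 0.1 BTC to {GENESIS_ADDR}"),
    ("alice@example.invalid", f"Subject: alice : hunter2 ... pay to {CONSTRUCTED_ADDR} within 24h"),
    ("carol@example.invalid", f"Subject: carol : qwerty ... pay to {CORRUPTED_ADDR} now"),
    ("bob@example.invalid", f"Subject: bob : letmein ... pay to {CONSTRUCTED_ADDR} within 24h"),
]


def analyze(messages):
    """Summarise a campaign sample: recipients, valid payment addresses and rejects."""
    recipients = Counter()
    addresses = Counter()
    rejected = []
    for recipient, body in messages:
        recipients[recipient] += 1
        for candidate in ADDR_RE.findall(body):
            if is_valid_legacy_address(candidate):
                addresses[candidate] += 1
            else:
                rejected.append(candidate)
    return {
        "messages": len(messages),
        "unique_recipients": len(recipients),
        "messages_per_recipient": len(messages) / max(len(recipients), 1),
        "addresses": dict(addresses),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGES))
```

The checksum step matters for the kind of per-address accounting the post describes: a single swapped character (as in the corrupted sample) looks like an address to a regex but can never receive funds, and counting it would inflate the number of "unique addresses" and dilute the per-address totals.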

A lot of simple tricks and nonsense

For a large sextortion spam campaign, there is no greater nemesis than the anti-spam filter. Messages reusing the same content over and over are quite easy to identify and preempt into the trash bin as they arrive. Last year, many of the sextortion emails we encountered varied some of the wording inside the emails but did not make much effort to try and bypass anti-spam filters. For example, below is the HTML body from one of the messages sent last October as a part of the "Aaron Smith" sextortion campaign.
Now, however, these same attackers have taken to designing their messages with the objective of improving their performance against anti-spam filters. From the perspective of the victim, the message itself is still as readable as it ever was. However, the underlying code that the mail client uses to render the message has become much more complex. In the example below, the attackers are using a combination of the username in comments, plain text letters and HTML character entities.
Since tricks like this aren't guaranteed to bypass anti-spam filters, spammers have also dusted off some crusty old techniques dating from back in 2005: image spam. The concept of image spam is simple enough — instead of transmitting the body of the email as text, spammers include only an image of the text, leaving very little for the anti-spam system to examine. Below is an example of a sextortion message using this image spam technique. Unfortunately for the attackers, this tactic wasn't thought through completely. The sextortion email asks the victim to copy and paste the Bitcoin address, but this is impossible to do, as the text is inside the image.
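The comment and character-entity tricks described above, seen from the filter's side, as an added example (not code from the original post): a normaliser that strips HTML comments and tags and decodes entities before keyword and address-shape matching, so that the text the recipient actually reads is the text that gets scored. The sample message, the "jdoe" comment filler, the password string and the 32-character address-shaped token are constructed; the token is not a real Bitcoin address and its checksum is not checked. Image spam, as the post notes, leaves no such text to normalise and needs a different control (image hashing or OCR).

```python
import html
import re

# Constructed sextortion body (not from the original post) that hides the
# phrases a filter would look for behind HTML comments and numeric entities.
SAMPLE_HTML = """<html><body>
<p>I kn<!-- jdoe -->ow your pa<!--jdoe-->ssword is &#104;unter&#50;.</p>
<p>Send &#36;&#55;&#48;&#48; in bitcoin to
<span>1AbcDefGh<!-- jdoe -->JkMnPqRsTuVwXyZ23456789</span></p>
</body></html>"""

# Phrases typical of the lure; "your password" and "bitcoin" are the ones
# exercised by the sample above.
KEYWORDS = ("your password", "bitcoin", "webcam", "video of you")

# Shape of a legacy Bitcoin address (1... or 3..., 26-35 Base58 characters).
# Shape only: the checksum is not verified here.
BTC_SHAPE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def normalize_html(doc):
    """Reduce an HTML mail body to the text a recipient would actually read."""
    doc = re.sub(r"<!--.*?-->", "", doc, flags=re.S)  # comments first: they split words
    doc = re.sub(r"<[^>]+>", " ", doc)                 # tags become whitespace
    doc = html.unescape(doc)                           # &#104; -> h, &amp; -> &, ...
    return re.sub(r"\s+", " ", doc).strip()


def extract_indicators(text):
    """Keyword hits and address-shaped tokens found in the given text."""
    low = text.lower()
    return {
        "keyword_hits": [k for k in KEYWORDS if k in low],
        "btc_like": BTC_SHAPE.findall(text),
    }


if __name__ == "__main__":
    # Raw body: the obfuscation hides most signals. Normalised body: all visible.
    print(extract_indicators(SAMPLE_HTML))
    print(extract_indicators(normalize_html(SAMPLE_HTML)))
```

Order matters in normalize_html: comments are removed before tags are replaced with whitespace, because a comment inserted mid-word ("pa<!-- -->ssword") must join the two halves, while a tag between words must keep them apart.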

Scammers offer "proof"

Besides varying the technical and structural details of their messages, sextortion spammers are similarly freshening up their social engineering approach. Previously, in order to convince recipients that the lies in the sextortion email were true, many early sextortion campaigns included victims' passwords that attackers had obtained from publicly available data breaches. Other techniques we saw early on included supposedly sending the sextortion email from the same address as the recipient (the emails are coming from *inside* the house!). Now, sextortion attackers are once again upping the ante by offering "proof" associated with their extortion claims.

Sextortion messages from this particular campaign include a ZIP file attachment which purportedly contains evidence. When extracted, this file prompts the user to visit a URL, and then extracts a file, "Password.txt," that contains the same URL and instructions, plus another ZIP file. A variation of this same technique includes a similar setup with the instructions to get the password in the email itself, as is shown in the example below.
At this point, the URLs have resulted in dead links or non-existent pages. However, if the link is active, the user is prompted with a request to purchase the password for $50. This would ensure that the actor would at least get some money from the victim.

Another campaign switched from attaching ZIP files to PDFs. These PDFs then link to a webpage, which is redirecting to a Cryptonator — a cryptocurrency wallet — portal requesting $25 for the ZIP file. This may be an indication that the initial effort of sending a ZIP file directly is not paying off as well as expected.
If you try to decompress the ZIP file without a password, some of the files will decompress and others will not. What the user will see is some directories being created that appear to be associated with a free digital audio recorder, editor and mixer. There are files that would appear interesting to the user as well, but those files, obviously, do not extract.
Without paying for the password, we have been unable to identify the contents of these files, but they are likely just some sort of innocuous junk data. Ideally, the adversary is hoping that just the presence of these files is enough to persuade the users to pay the ransom, and unfortunately, it appears to have worked. During the investigation, we were able to find a small number of victims that appear to have paid the extortion payment into the attackers' Bitcoin addresses.

Conclusion

Early success has led to a proliferation of sextortion spam, but profits from these types of scams are declining rapidly. Going back to their inception months ago, the adversaries have made hundreds of thousands of dollars with little more than publicly available data and some ingenuity. Users need to understand that these sextortion attempts are nothing but a sham, and the threat isn't backed up by real data. Unfortunately, the reality is that it is still far too easy to extort users with the threat of exposure without any real data backing it up and the bad guys are continuing to cash in on users' own paranoia.

As always, users are encouraged to use strong, unique passwords for accounts online and to rotate those passwords regularly. This type of simple password hygiene can greatly reduce the success of these types of attacks and protect the user from real account compromise impacts. In today's internet, having usernames and passwords breached is a part of being online, and users need to be prepared for that eventuality. Using multi-factor authentication for those critical accounts is a great additional step users can take to help eliminate some of the risks. As the efficacy of sextortion scams continues to decline, Talos expects attackers to pivot to one of the many other tricks they have up their sleeves.

Coverage


Email Security can block malicious emails sent by threat actors as part of their campaign.

IOC

Email Subjects:

  • Ticket: #<Random Number>
  • Re: #<Random Number>
  • RE: Case #<Random Number>
  • Subject: <Username> : <Password>

Attachments:

  • <Random String>_Proof#<Random Number from subject>.zip
  • <Random String>_Proof#<Random Number from subject>.pdf

Threat Source (April 11)


Newsletter compiled by Jonathan Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

If you haven’t yet, there’s still time to register for this year’s Talos Threat Research Summit — our second annual conference by defenders, for defenders. This year’s Summit will take place on June 9 in San Diego — the same day Cisco Live kicks off in the same city. We sold out last year, so hurry to register!

We made waves this week with an article on malicious groups on Facebook. We discovered thousands of users who were offering to buy and sell various malicious services, such as carding, spamming and the creation of fake IDs. News outlets across the globe covered this story, including NBC News, Forbes and WIRED.

There’s also new research on the Gustuff malware. Researchers discovered this banking trojan earlier this year, and recently, we tracked it targeting Australian users in the hopes of stealing their login credentials to financial services websites.

Finally, we also have our weekly Threat Roundup, which you can find on the blog every Friday afternoon. There, we go over the most prominent threats we’ve seen (and blocked) over the past week.

Upcoming public engagements with Talos


Location: Salt Lake City, Utah
Date: April 25
Speaker: Nick Biasini
Synopsis: Join Nick Biasini as he takes part in a day-long education event on all things Cisco. Nick will be specifically highlighting the work that Talos does as one part of the many breakout sessions offered at Cisco Connect. This session will cover a brief overview of what Talos does and how we operate. Additionally, he'll discuss the threats that are top-of-mind for our researchers and the trends that you, as defenders, should be most concerned about.  

Cyber Security Week in Review

  • WikiLeaks founder Julian Assange was arrested in London on Thursday after being extradited from the Ecuadorian embassy. Hours later, the U.S. formally charged him with conspiracy to commit computer intrusion. WikiLeaks is responsible for leaking thousands of classified government documents over the years.
  • Amazon workers reportedly listen to some conversations with Alexa devices in order to improve the software’s voice recognition technology. A handful of employees transcribe the recordings, annotate them and then feed it back into the software.
  • Yahoo agreed to a $118 million settlement with users over a 2013 data breach. The breach at the company, which is now owned by Verizon, affected 3 billion users worldwide, but Yahoo kept it quiet for years.
  • The U.S. government released a warning regarding the new “HOPLIGHT” malware that appears to originate from North Korea. According to a report from the FBI and Department of Homeland Security, the malware has the ability to read, write and move files, connect to a remote host, and upload and download files, among other functions.
  • Verizon patched a vulnerability in some of its routers that could have allowed an attacker to gain root privileges. This could allow them to target other devices on the network, such as internet-of-things equipment. 
  • Security researchers bypassed the Samsung Galaxy S10’s fingerprint scanner with a 3-D printed model. This means that attackers could potentially steal users’ fingerprints and then be able to gain physical access to their devices.
  • Three recent spam campaigns are spreading the TrickBot malware via malicious attachments that disguise themselves as tax documents. The attackers spoof ADP and Paychex, two producers of human resources and payment software.
  • Cybersecurity companies are pledging to help users remove so-called "stalkerware" from users' smartphones. The companies say they will send alerts to users if this software, which is traditionally used to track other users, is detected on their device.

Notable recent security issues

Title: Microsoft patches 74 vulnerabilities, 14 critical
Description: Microsoft released its monthly security update Tuesday, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 74 vulnerabilities, 16 of which are rated “critical” and 58 that are considered “important.” This release also includes a critical advisory covering a security update to Adobe Flash Player. This month’s security update covers security issues in a variety of Microsoft’s products, including the Chakra Scripting Engine, Microsoft Office and Windows 10.
Snort SIDs: 45632, 45635, 46548, 46549, 49380, 49381, 49688, 49689, 49692 - 49711, 49716 - 49723, 49727 - 49747, 49750 - 49755

Title: Adobe fixes vulnerabilities in Flash Player, Acrobat
Description: Adobe patched vulnerabilities in 15 of its products this week as part of its monthly security update. The vulnerabilities disclosed include critical memory corruption bugs in Shockwave, as well as remote code execution vulnerabilities in Acrobat Reader.
Snort SIDs: 48293, 49294

Most prevalent malware files this week

SHA 256: d05a8eaf45675b2e0cd6224723ededa92c8bb9515ec801b8b11ad770e9e1e7ed
MD5: 6372f770cddb40efefc57136930f4eb7
Typical Filename: maftask.zip
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Gt32supportgeeks::tpd

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: 8f236ac211c340f43568e545f40c31b5feed78bdf178f13abe498a1f24557d56
MD5: 4cf6cc9fafde5d516be35f73615d3f00
Typical Filename: max.exe
Claimed Product: 易语言程序 (Chinese for "Easy Programming Language program")
Detection Name: Win.Dropper.Armadillo::1201

SHA 256: 46bc86cff88521671e70edbbadbc17590305c8f91169f777635e8f529ac21044
MD5: b89b37a90d0a080c34bbba0d53bd66df
Typical Filename: cab.exe
Claimed Product: Orgs ps
Detection Name: W32.GenericKD:Trojangen.22ek.1201

SHA 256: 790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
MD5: 147ba798e448eb3caa7e477e7fb3a959
Typical Filename: ups.exe
Claimed Product: TODO: <产品名> (Chinese for "<product name>")
Detection Name: W32.Variant:XMRig.22fc.1201

Top spam stats for this week

Top 5 spam subjects observed
  • "Help Desk: Planned maintenance for Tuesday 9th"
  • "Iron Mountain Australia Group Pty Ltd - Invoice Number AUS402803"
  • "Fwd: Netflix statement Of Payment."
  • "Please approve - Allina"
  • "Your Netflix Membership Has Been Suspended"
Top 5 most used ASNs for sending spam
  • 8075 Microsoft Corporation
  • 3136 State of WI Dept. of Administration
  • 6276 OVH SAS
  • 8560 1&1 Internet SE
  • 16509 Amazon.com, Inc.

Threat Roundup for April 5 to April 12


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 05 and April 12. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
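The caveat above, that one indicator is a lead rather than a verdict, is easy to encode when hunting across logs. What follows is an added example, not Talos code or the tooling behind the roundup's JSON file: it refangs a handful of indicators taken from the Scar, Zbot and Sagent sections below, matches them against constructed log lines, and only escalates a host that hits more than one indicator category. The one-field-per-line log format, the host names and the %ProgramData% / %System16% expansions are assumptions made for the demo.

```python
"""Score hosts by how many distinct IOC categories from the roundup they hit.

Added example, not code from Talos. IOC values are copied from the Scar,
Zbot and Sagent sections of this roundup; the log lines, host names, log
format and placeholder expansions are constructed for the demo.
"""
import re
from collections import defaultdict

# Published defanged indicators ("[.]" stands in for ".").
DOMAIN_IOCS = {"byvolker[.]co[.]cc", "xoso[.]thememanga[.]com"}
IP_IOCS = {"175[.]126[.]123[.]219", "89[.]188[.]124[.]145"}
# Registry persistence: Scar's Run value and Zbot's AppInit_DLLs switch.
REGISTRY_IOCS = {
    r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Microsoft",
    r"HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\LoadAppInit_DLLs",
}
# Dropped files, written in the roundup's placeholder notation.
FILE_IOCS = {r"%ProgramData%\Mozilla\thfirxd.exe", r"%System16%\svcrcs.exe"}

# Assumed expansions of the roundup's placeholders on a default install.
PLACEHOLDERS = {"%ProgramData%": r"C:\ProgramData", "%System16%": r"C:\Windows\System"}


def refang(ioc: str) -> str:
    """Turn the published defanged form back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def expand(path: str) -> str:
    """Replace %ProgramData%-style placeholders so paths compare with real events."""
    for key, value in PLACEHOLDERS.items():
        path = path.replace(key, value)
    return path


# Normalised lookup sets. Registry and file paths compare case-insensitively
# because Windows does, and the sandbox output mixes cases (LOG2[.]NAGIRL[.]CN vs log2).
DOMAINS = {refang(d).lower() for d in DOMAIN_IOCS}
IPS = {refang(ip) for ip in IP_IOCS}
REGISTRY = {k.lower() for k in REGISTRY_IOCS}
FILES = {expand(f).lower() for f in FILE_IOCS}

# Constructed log format: "<timestamp> <kind> host=<name> <field>=<value to end of line>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<kind>dns|net|reg|file)\s+host=(?P<host>\S+)\s+\w+=(?P<value>.*)$"
)


def parse_line(line):
    """Return (kind, host, value) for a well-formed line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return m.group("kind"), m.group("host"), m.group("value")


def match_event(kind, value):
    """True when the event's value is one of the roundup's IOCs for that category."""
    if kind == "dns":
        return value.lower().rstrip(".") in DOMAINS
    if kind == "net":
        return value in IPS
    if kind == "reg":
        return value.lower() in REGISTRY
    if kind == "file":
        return value.lower() in FILES
    return False


def score_hosts(lines):
    """Map host -> set of IOC categories hit. Hosts with no hit are absent."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not treated as hits
        kind, host, value = parsed
        if match_event(kind, value):
            hits[host].add(kind)
    return dict(hits)


def triage(lines, threshold=2):
    """Verdict per host: one matching category is a lead, two or more is a case."""
    return {
        host: "investigate" if len(kinds) >= threshold else "single IOC, review"
        for host, kinds in score_hosts(lines).items()
    }


SAMPLE_LOGS = [  # constructed, not captured from a real infection
    r"2019-04-10T09:12:01Z dns host=WS-17 qname=byvolker.co.cc",
    r"2019-04-10T09:12:03Z net host=WS-17 dst=175.126.123.219",
    r"2019-04-10T09:12:09Z reg host=WS-17 target=HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Microsoft",
    r"2019-04-10T10:40:12Z file host=WS-03 path=C:\ProgramData\Mozilla\thfirxd.exe",
    r"2019-04-10T11:02:44Z dns host=WS-09 qname=www.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(f"{host}: {verdict}")
```

WS-17 trips three categories (DNS, network, registry) and is escalated; WS-03 only has a file-path match and stays a lead to review, which is the distinction the paragraph above draws. Real deployments would feed the JSON file rather than a hand-picked subset and would weight the categories, since the page itself notes that contacted IPs and domains do not by themselves indicate maliciousness.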

The most prevalent threats highlighted in this roundup are:

  • Win.Malware.Eyooun-6931755-0
    Malware
    Eyooun downloads and installs additional malicious and non-malicious programs onto the system.
     
  • Doc.Malware.Sagent-6932497-0
    Malware
    Sagent launches PowerShell through macros in Microsoft Office documents. The PowerShell then downloads unwanted software from remote websites.
     
  • Win.Malware.Emotet-6933520-0
    Malware
    Emotet is a banking trojan that remains relevant due to its ability to evolve and bypass antivirus products. It is commonly spread via malicious email attachments and links.
     
  • Win.Worm.Scar-6934835-0
    Worm
    Scar will download and execute files to the system while attempting to spread to other machines by copying itself to removable media.
     
  • Win.Worm.Aspxor-6935052-0
    Worm
    Aspxor botnet has the capabilities to send spam, download and execute other samples. This botnet is known for collecting credentials from infected computers.
     
  • Win.Malware.Vbkeylog-6935273-0
    Malware
    This generic family attempts to deceive the infected computer's users into making a payment or disclosing personal data.
     
  • Win.Malware.Zbot-6935412-0
    Malware
    Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using a variety of methods, including key-logging and form-grabbing.
     
  • Win.Ransomware.Cerber-6935713-0
    Ransomware
    Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber".
     
  • Win.Trojan.Winwebsec-6935682-0
    Trojan
    Winwebsec installs itself on a compromised system as "anti-malware" software with desktop links and various persistence techniques (Windows service, Registry Run key, etc.). This family is known for using fake alerts about malware found on the system to deceive users into buying services before the "malware" can be removed.
     
  • Win.Malware.Tovkater-6936213-0
    Malware
    This malware is able to download and upload files, inject malicious code and install additional malware.
     

Threats

Win.Malware.Eyooun-6931755-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP6\PARAMETERS
Value Name: DisabledComponents
34
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
23
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\APPLICATIONDESTINATIONS
Value Name: MaxEntries
18
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASAPI32
Value Name: FileDirectory
8
<HKLM>\SOFTWARE\MICROSOFT\TRACING\WCLGSITA_RASMANCS
Value Name: FileDirectory
8
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\DIRECTDRAW\MOSTRECENTAPPLICATION
Value Name: ID
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION
Value Name: svchost.exe
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LYPWXAWN
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ISFCQMJB
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IUGPWHEJ
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OJIKFFNJ
Value Name: name
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PSCEGPBN
Value Name: DisplayName
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QSWARNLV
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\ATDUWYIG
Value Name: WOW64
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\OTMYZEPH
Value Name: DisplayName
2
Mutexes (Occurrences)
CommLogDbgStrMutex (61)
\BaseNamedObjects\CommLogDbgStrMutex (61)
DBWinMutex (32)
8Bc0E7-2F5D-49c0-A6D6-appadvert (19)
Local\MSIMGSIZECacheMutex (14)
openbox (12)
adkuai8_client_newdown (11)
adkuai8_newdown (11)
04AEB7B0-04A8-04A82810F7B640-8A4A82810F7B6 (10)
Local\__DDrawCheckExclMode__ (7)
Local\__DDrawExclMode__ (7)
Local\DDrawDriverObjectListMutex (7)
Local\DDrawWindowListMutex (7)
Local\InternetExplorerDOMStoreQuota (2)
Local\http://www.baidu.com/ (2)
Local\DirectSound DllMain mutex (0x00000174) (1)
fc23890639e7d704fbd1b52b749200a5 (1)
fccb83f4591c45a062aa5389a08b9eef (1)
8e92460d25c534d048fd1c88e802f7e8 (1)
dbc843e527e2b5c81be3562287f89d3c (1)
5d25335e7777648b50dc7504f83b06da (1)
Local\DirectSound DllMain mutex (0x000005AC) (1)
73b50e38332dbd8c708884de7b44d0f0 (1)
efc928dd753ae98b928ed12919a305ca (1)
53279609cec7acce6827bdec60299b7d (1)
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
18[.]223[.]92[.]145 (42)
116[.]28[.]63[.]214 (42)
122[.]152[.]212[.]224 (32)
218[.]65[.]30[.]41 (30)
117[.]41[.]234[.]92 (30)
122[.]224[.]34[.]103 (25)
150[.]138[.]92[.]62 (24)
18[.]218[.]183[.]21 (23)
222[.]214[.]218[.]239 (20)
113[.]105[.]164[.]31 (20)
120[.]55[.]244[.]212 (19)
175[.]126[.]163[.]124 (14)
42[.]62[.]4[.]62 (13)
47[.]92[.]249[.]152 (12)
120[.]77[.]171[.]37 (12)
47[.]107[.]83[.]212 (12)
219[.]150[.]218[.]119 (12)
125[.]88[.]158[.]212 (11)
219[.]145[.]240[.]86 (11)
219[.]145[.]240[.]85 (11)
219[.]145[.]240[.]84 (11)
106[.]122[.]250[.]212 (10)
150[.]138[.]92[.]106 (10)
219[.]150[.]218[.]44 (9)
59[.]110[.]185[.]104 (9)
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
wj[.]center[.]oldlist[.]info (61)
ecount[.]2019cn[.]com (54)
nj9qq[.]cn (42)
top[.]sefcg[.]com (23)
pack[.]1e5[.]com (22)
ad[.]uuuwin[.]com (19)
ks2[.]we2019[.]com (14)
imgwx4[.]2345[.]com (13)
tv[.]2345[.]com (13)
imgwx3[.]2345[.]com (13)
imgwx2[.]2345[.]com (13)
imgwx1[.]2345[.]com (13)
imgwx5[.]2345[.]com (13)
mini[.]sefcg[.]com (13)
log2[.]nagirl[.]cn (13)
LOG2[.]NAGIRL[.]CN (13)
union[.]lm33[.]com (12)
liosm231[.]com (12)
list[.]adkuai8[.]com (11)
p2p[.]adkuai8[.]com (11)
down02[.]adkuai8[.]com (11)
ipaddress[.]adkuai8[.]com (11)
tongji[.]adkuai8[.]com (11)
log[.]uinfo[.]soomeng[.]com (10)
next[.]91xiaba[.]com (10)
See JSON for more IOCs
Files and or directories created (Occurrences)
%HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\C5MZMU22\desktop.ini (59)
%TEMP%\SSL (40)
%TEMP%\SSL\cert.db (40)
%TEMP%\SSL\Small DigiCert Baltimore Root 2.cer (34)
%SystemRoot%\SysWOW64\Log (31)
%TEMP%\h2u31tg4.exe (30)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\config[1].zip (30)
\PC*\MAILSLOT\NET\NETLOGON (23)
%HOMEPATH%\Desktop\¿³°×Öí±¬9999¼¶ÉñÆ÷.lnk (23; the name is GBK-encoded Chinese rendered as Latin-1, most likely 砍白猪爆9999级神器.lnk)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\190[1].ico (23)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\215[1].ico (23)
\DosDevices\C:\Windows\System32\wfp\wfpdiag.etl (23)
%System32%\wfp\wfpdiag.etl (23)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\procelist[1].ini (22)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\018[1].exe (19)
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V0100009.log (14)
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000B.log (14)
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000D.log (14)
%LOCALAPPDATA%\Microsoft\Windows\WebCache\V010000F.log (14)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\mini[1].htm (13)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\hideconfig[1].zip (13)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\6YL4T24G\classicTv_tvHotMini[1].htm (12)
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7V3XNPL2\LOLO[1].png (12)
%SystemRoot%\api-ms-win-cx0-l1-01-19.dll (12)
%SystemRoot%\SysWOW64\del.bat (12)
See JSON for more IOCs
File Hashes
  • 002a3ee5d238a80bd8c3759d8478d7d9098af54cbcbd264bcd78ad172c7fded5
  • 0066dccf58f6d2ea4e303e870aea20c25d0c945a4b5c6796548acb20ae2dd268
  • 015d9a05e3595d8902031dda87e999396a9a2b5267195e35f3752cef08a37b50
  • 0181a703fa74afdd4640b52de9338b0dd6e14446c0635bebf8883999cfa0be01
  • 090f9030986cdb1413bc9f5c6901952e23be5f6c48b7ce0f9858e92e91142d26
  • 09d3b0027fba2e0419841177734b811e506aed12d758d75d77a1f71ebb1b16bf
  • 09f0116a571ccf405cf2b83507fb2d3c139a8f9fe7ce9fc77595c7c66d4f9a53
  • 0f0d5f033b1096e209857c255edb94e30306087a172edb5816f4464c92a9870c
  • 1029ddb2e83f17e8318199afb81a4434de65e12728552f66255cd7814b7cce0f
  • 159a0f8cc9ed369de6b89806b3d29a287183dc15deb59ea916d246d736385684
  • 179662d10fbf28f36e7fbf9d61e20ecf01ea0efe03223e19aad2e24a4ae56bb0
  • 19fb21319fb6479eb23cf06f3298f991466dbd1954c320db749e6f4ee727a27c
  • 1ac81f029e1fc5c7c11045d910ba3882946bd6535369675c6b443c35ef2e5c18
  • 1f78e240a8cdfda72e443b39cbfdf4faab1ed8092cdf9b02bdc7456dffbe1f47
  • 1fb5ec3d10289d0f00460070da92853ba1d90dbebd6dc6a8266a09ad3c36a154
  • 208d2e1fdf8b87f1b37644e57f340b984c8d68de8ba02525c61b6158b9d6e539
  • 24b4b426368e29fe933d6b427d1ae47e31fb346b2392e2161a67add890bae196
  • 2d60ced2eef863bc23232f4c3a80be8545902f2efa4dd9eab7f680a5643d8289
  • 2ec0873e6ce50626bccb3217c8fe10fd421604dd5fe45fa58c6f54b90b369d6b
  • 30944e432f0f25fda774cfe7090a9cef872b02bd754636a1176e98f7298c5780
  • 3291d369e4f69353b221ef184731f93c80f3762de2114d4b4f1a6b200f66aab8
  • 388259027de10322e1da522901d84a83bc8a5585d2d61a47b4ecd9c87cc30d26
  • 3960aa9d31ec0dacc0f11edbebc8820e4f929bdfc2943aec52dea840c456e264
  • 39d8b6f916b96060c7e55c468fb066a51ccd5a8c1e0f3d43fa29dc12dad129f0
  • 3a328a6515c449cf1f1807ede10f790014b5905cda161828d3eea7750a7d2264
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP



ThreatGrid



Umbrella



Doc.Malware.Sagent-6932497-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D22-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D32-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D42-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D52-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\INTERFACE\{8BD21D62-EC42-11CE-9E0D-00AA006002F3} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\INTERFACE\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F} 10
<HKCR>\WOW6432NODE\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\INTERFACE\{79176FB2-B7F2-11CE-97EF-00AA006D2776} 10
<HKCR>\WOW6432NODE\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\INTERFACE\{4C5992A5-6926-101B-9992-00000B65C6F9} 10
<HKCR>\WOW6432NODE\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\INTERFACE\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE0-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\WOW6432NODE\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
<HKCR>\INTERFACE\{47FF8FE1-6198-11CF-8CE8-00AA006CB389} 10
Mutexes (Occurrences)
Global\I98B68E3C (10)
Global\M98B68E3C (10)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
89[.]188[.]124[.]145 (10)
190[.]117[.]82[.]103 (10)
190[.]0[.]32[.]206 (10)
104[.]18[.]35[.]163 (7)
104[.]18[.]34[.]163 (3)
43[.]229[.]62[.]186 (1)
104[.]2[.]2[.]153 (1)
201[.]165[.]102[.]49 (1)
187[.]189[.]210[.]143 (1)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
xoso[.]thememanga[.]com (10)
Files and or directories created (Occurrences)
\EVENTLOG (10)
%APPDATA%\Microsoft\Forms (10)
%APPDATA%\Microsoft\Forms\WINWORD.box (10)
%HOMEPATH%\80.exe (10)
\REGISTRY\MACHINE\SOFTWARE\Classes\.doc (1)
%System32%\WindowsPowerShell\v1.0\Certificate.format.ps1xml (1)
%SystemRoot%\SysWOW64\A7Nx4PQT5.exe (1)
%SystemRoot%\SysWOW64\N6yvu6lNl.exe (1)
%SystemRoot%\SysWOW64\g6iqfJhcB0Xc88E.exe (1)
%SystemRoot%\SysWOW64\f9XnJqVa5Bt6Sf.exe (1)
%SystemRoot%\SysWOW64\9yMQn0Zw.exe (1)
%SystemRoot%\SysWOW64\c33fB.exe (1)
%SystemRoot%\SysWOW64\aThVJIMunDfvC.exe (1)
%SystemRoot%\SysWOW64\SqxzR9tB3STZYB9o1.exe (1)
%SystemRoot%\SysWOW64\WyFb5EUyZBFDn5Gb.exe (1)
%SystemRoot%\SysWOW64\TYVGTeXwXGD.exe (1)
File Hashes
  • 310c672343531ecc8fb2bc22b979a34f6e3c3d6c56eaad0dadeecade3e6c64d9
  • 60973bfc7ccac458d9ac4b7192a40774316b04d86cdb106b0c205d75778b7c65
  • b3ff81bf64f077e1b466d3696c3528f9c644d503b515473b16803610f240dd05
  • d1d756451258f60d10e1c46540438f9a7c9ad84bfe7b4a1cb944ae02e456d3aa
  • dfcb889cbff15a54eab56367f8f5da6855cf534ad732938eb4cc472a77c231a0
  • e39863e66ab0f1bf0b8d35f2715d3de220f6bb3d0c28b68d8f14d53ed1acb7e4
  • e8ca6c66c79cca9404a9f6a6920ff02010dc799435381a97fd5c57cf0c3abb41
  • e9a0aabcf4e854ca4b16e9ebd2d228b2e581abc12d27ef34b9f8a5978d224128
  • eba143b8f9ea163949037b683622c1cf9672e9a4e63513ecd20ebe1aff4e3ff5
  • f4282b6fc250485ebd045d3008195a5c3e2b385c5caaada93ea221f53326d3ec

Coverage


Screenshots of Detection

AMP




ThreatGrid



Umbrella



Malware



Win.Malware.Emotet-6933520-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoDetect
16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
Value Name: SavedLegacySettings
16
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\sourcebulk 16
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SOURCEBULK
Value Name: Description
16
<HKLM>\SOFTWARE\Microsoft\ESENT\Process\guiddefribbon\DEBUG 16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}
Value Name: WpadDecisionTime
16
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\A4-E3-E4-11-EC-FD
Value Name: WpadDetectedUrl
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\2c-28-30-ca-41-e3 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c0-21-36-0e-b0-2b 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\c8-7c-48-93-48-f7 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\24-f7-27-10-2d-94 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\dc-35-3c-bc-55-73 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\46-b9-fc-8e-0c-36 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A}\e2-85-af-73-a1-bc 1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\46-B9-FC-8E-0C-36
Value Name: WpadDecisionTime
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\E2-85-AF-73-A1-BC
Value Name: WpadDecisionTime
1
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\24-F7-27-10-2D-94
Value Name: WpadDecisionTime
1
Mutexes (Occurrences)
Global\I98B68E3C (16)
Global\M98B68E3C (16)
\BaseNamedObjects\Global\M3C28B0E4 (16)
\BaseNamedObjects\Global\I3C28B0E4 (16)
Global\Nx534F51BC (1)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
43[.]229[.]62[.]186 (15)
190[.]0[.]32[.]206 (15)
187[.]189[.]210[.]143 (15)
201[.]165[.]102[.]49 (15)
89[.]188[.]124[.]145 (15)
104[.]2[.]2[.]153 (15)
190[.]117[.]82[.]103 (15)
208[.]100[.]26[.]251 (1)
5[.]196[.]133[.]206 (1)
198[.]187[.]30[.]249 (1)
104[.]236[.]135[.]119 (1)
71[.]78[.]158[.]190 (1)
190[.]219[.]231[.]69 (1)
208[.]180[.]217[.]173 (1)
181[.]31[.]182[.]138 (1)
201[.]249[.]117[.]123 (1)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and or directories created (Occurrences)
%SystemRoot%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (16)
%System32%\guiddefribbon.exe (copy) (2)
%SystemRoot%\SysWOW64\SBp2VS8N7jU.exe (1)
%SystemRoot%\SysWOW64\yXRDTc.exe (1)
%SystemRoot%\SysWOW64\LvO5IJ1Sr5t.exe (1)
%SystemRoot%\SysWOW64\5kQW.exe (1)
%SystemRoot%\SysWOW64\Nsa7bjsedHZNrMyW.exe (1)
%SystemRoot%\SysWOW64\MZ5WK.exe (1)
%SystemRoot%\SysWOW64\FxiHy64z3NDOiHEgC.exe (1)
%SystemRoot%\SysWOW64\hlaVhqNG.exe (1)
%SystemRoot%\SysWOW64\Ahfk9lC4PqeGiyhY.exe (1)
%SystemRoot%\SysWOW64\xdm5D3NLE.exe (1)
%SystemRoot%\SysWOW64\2o75cQI.exe (1)
%SystemRoot%\SysWOW64\oxJI2FKrOP.exe (1)
%SystemRoot%\SysWOW64\MoSv9WL5Pn2Rd22eN.exe (1)
%SystemRoot%\SysWOW64\LQRA42.exe (1)
%SystemRoot%\SysWOW64\MVED6NriD.exe (1)
File Hashes
  • 07bb6313dc4e4e47fffe542787f7e5f085f7a0b827a3614a666b8ba122895a5b
  • 1317735faa4586cd57e311b7fa5462675b19b6767898bbc9fd1ea438e9b269a1
  • 1cfb22555921bcd42ea2976527cedebe9b0a70a24ca2f4695d61496956a9fb65
  • 34dc74f395344d40e6ce6e08f73ea822d83107c276e230862aa7f20ec24677d9
  • 5bcbb702d1936de97fc26a33767f7d1b1973455d7a783dae80246fae99024b98
  • 6123a5957f13a02e1752a9242f68f2cec27443ea0e4fbea65edde4c05a48ec38
  • 642b1802bb2c429da4521e8fd159498cf814ab43df41d2213ccf4c8e7bf3a58f
  • 67121ec06c244e75ba3c217b6ec7c9ea795f71bb673c87ced115a7bae939b6a2
  • 67b8cdfe8f7b193723a6db03fb8f2246710ba6b4bfd2681134175f98150d307a
  • 7581c79cd28ae473538de22e69f00d8a0642937621a08d6a304e7bae7cc1f467
  • 86630ccb5c7e8d248e28446f27f2faf21d2712e18b3b6fb7749c9dd0d82c2752
  • 87989bca4fcdaf8bde36f1893ce293da2f11c330cdd0f9746956241d6fac63da
  • a8caf1e24c6972c1338eb4cc5d061fe7b6618657720b375e43385c9118b3aad9
  • bdc575561b7b6ccd315cc5aa6c0f05d346201917e05490ff9203ee804b9d4fd7
  • c6f1c07bbf320307ab784db15f0dc7ecc09c2f96150cda7126569a2d77935b2a
  • e1226793b90a2c765d227e365b24271282c85ba9b7b5eb642f9f4b145ba0b932

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Worm.Scar-6934835-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft
32
Mutexes (Occurrences)
DSKQUOTA_SIDCACHE_MUTEX (32)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
175[.]126[.]123[.]219 (20)
67[.]228[.]31[.]225 (3)
64[.]186[.]131[.]47 (1)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
byvolker[.]co[.]cc (19)
canappe[.]co[.]cc (1)
getvolkerdns[.]co[.]cc (1)
killervolk-dns[.]co[.]cc (1)
Files and or directories created (Occurrences)
\??\E:\autorun.inf (32)
\autorun.inf (32)
\AUTORUN.INF (32)
\??\E:\AUTORUN.INF (32)
%System16%\svcrcs.exe (32)
\??\E:\UsbDrivers.exe (23)
\UsbDrivers.exe (23)
\??\E:\Setup.exe (8)
\Setup.exe (8)
\??\E:\open=Setup.exe (1)
\open=Setup.exe (1)
File Hashes
  • 0801e6c88de29d1418e3c7e89c72ff0e9147607f1c36ea657f60c557bc2ca91c
  • 08c755993f57b3c2adb4893504683394b81e9dba822ccd6bdad9dc9710155078
  • 096b4a3371120250dbd0c85c19730f92d0beaa3af16d73a44c6c81e81e0371f8
  • 11566d54a186019e24e0fe51ecfcc8a6e954c3ff0ec58e89130c81c2c9fe3652
  • 18bc9b638b1770d6b76de5be46ecc50d2b2a428053b131b02cf76d9feac9566f
  • 22afe3eae9acd98fa25f5e06a7f3fa2716aa6af527d1232e5ba4c95e199b851b
  • 25fb8e7a4039c200fa74246ae62629e6a1db5400e2c8ebe14b041f0dc2bc60f7
  • 391483fc42fa770ae9a6e0bb615536b9c3f1a908931d5222d4f1eab68a50c91f
  • 3b62f8abfdb792b3419ac346fcbc5d004a9b67dc1b5a93b2eda4da53fc27263d
  • 3be4799debfab2081853244700668d7303752272978941b551d21e6cfc476a69
  • 424c3baead90385b2fd8cc6ef98534119ce5ea41f9488c0e64d1829ae61ec957
  • 453b4a1818de6d3e8d67632e31bcca085cd8f5e44e775a7959246eaa4c925d2d
  • 4a800c7c54850630561ffe6d54a3390a93192c7fa6301f5d6ea9368f2c6421bb
  • 4ec4bcca36e92304469192ab25d97cacb192413f4092a37a5f1e76575beaa0de
  • 55562749de33d7cc4f93d0342514467c31b975907d9f0dcd8ec78f735ce6b1d8
  • 5b642baf8e06c96a72ee7e8e55f98bd25a6180fce57fa25c2691782a23c76794
  • 5efacdb03391aa114a6dcac90a6f8f8562c0a2e666185f1f8f63065364993143
  • 6178e5bcda89cd0c4760545b3208cf56ce26fc9fe51551d1389505d30de75830
  • 621bc4bb35821d5a7784bda820acd368d863b2430974952f83a14051693c2fda
  • 75504f094939ab33f14cdf1a6c1be3cad5ae7f89d48d925fca65222062ea27e5
  • 8320a5187226606270a82f0acf50449a11d3bc6bfed10618e7a7d79ea4564401
  • 86ebccdb2f90a5b5ca49911155eac4d05769138d8f72856d4cd9be2323037b29
  • 871aaaf9a80009c78539d2a8b1bbfee432c1afc08511d25e057373731f06a061
  • 8fd6c4a70953f044073299ad6ba883d94d7be1a723d8aaa908435318509cda05
  • 915c2d8d8bf3391aee7ee8a4d732cd861aa30eba8219b240b66041a860a32cc0
  • See JSON for more IOCs
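The files-created list above is the worm's removable-media footprint: an autorun.inf on E: beside a Setup.exe or UsbDrivers.exe, and in one run a stray file literally named open=Setup.exe, i.e. the autorun directive itself. The following is an added example, not Talos code, of parsing an autorun.inf from a seized or mounted drive and flagging entries that would launch an executable. The two autorun.inf bodies are constructed to match the Scar section's dropped files; the key names (open, shellexecute, shell\<verb>\command) are the ones the Windows AutoRun handler honoured.

```python
"""Parse autorun.inf and flag entries that launch an executable from removable media.

Added example, not Talos code. The autorun.inf samples are constructed to
resemble what the Scar section's file list implies (E:\autorun.inf next to
Setup.exe or UsbDrivers.exe); no real worm file was used.
"""
import re

# Keys whose value is a program to run: "open" and "shellexecute" directly,
# plus any shell\<verb>\command entry (the verb appears in the context menu).
AUTOSTART_KEYS = ("open", "shellexecute")
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Return the [autorun] section as ordered (key, value) pairs.

    Keys are lower-cased because INI keys are case-insensitive; other
    sections, ';' comments and blank lines are skipped.
    """
    entries, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def launch_targets(text):
    """Command strings AutoRun/AutoPlay would execute for this autorun.inf."""
    return [value for key, value in parse_autorun(text)
            if key in AUTOSTART_KEYS or COMMAND_KEY.match(key)]


def program_of(command):
    """First token of a command line, unquoted and lower-cased ('' if empty)."""
    parts = command.split()
    return parts[0].strip('"').lower() if parts else ""


def is_suspicious(text):
    """True when any launch target names an executable file type."""
    return any(program_of(cmd).endswith(EXEC_EXT) for cmd in launch_targets(text))


def check_volume(listing, autorun_text):
    """Cross-check autorun.inf against the files present in the volume root.

    listing: set of lower-cased file names found next to autorun.inf.
    Returns (verdict, missing): 'dropper' when a flagged target is present on
    the volume, 'dangling' when none of them are, 'clean' when nothing is flagged.
    """
    flagged = [program_of(cmd) for cmd in launch_targets(autorun_text)]
    flagged = [t for t in flagged if t.endswith(EXEC_EXT)]
    if not flagged:
        return "clean", []
    missing = [t for t in flagged if t not in listing]
    return ("dangling" if len(missing) == len(flagged) else "dropper"), missing


# Constructed samples, not captured from an infection.
SCAR_LIKE = ("[autorun]\r\nopen=Setup.exe\r\nicon=Setup.exe,0\r\n"
             "shell\\open\\command=Setup.exe\r\naction=Open folder to view files\r\n")
USBDRIVERS_LIKE = ("[AutoRun]\r\n; dropped by a worm\r\n"
                   "shellexecute=\"UsbDrivers.exe\" /s\r\nuseautoplay=1\r\n")
BENIGN = "[autorun]\r\nlabel=Holiday photos\r\nicon=photos.ico\r\n"

if __name__ == "__main__":
    for name, body in (("scar", SCAR_LIKE), ("usbdrivers", USBDRIVERS_LIKE), ("benign", BENIGN)):
        print(name, launch_targets(body), is_suspicious(body))
    print(check_volume({"autorun.inf", "setup.exe"}, SCAR_LIKE))
```

Two caveats for anyone reusing this: Windows 7 and later (and XP/Vista after the 2011 AutoRun update) no longer honour autorun.inf on USB mass-storage devices, so the launch path mostly matters on legacy fleets; on current systems the value of the check is confirming the worm's footprint on a drive and recovering the name of the dropper (Setup.exe or UsbDrivers.exe here) to hash and search for elsewhere.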

Coverage


Screenshots of Detection

AMP



ThreatGrid



Malware



Win.Worm.Aspxor-6935052-0


Indicators of Compromise


Registry Keys (Occurrences)
N/A
Mutexes (Occurrences)
2GVWNQJz1 (25)
Djjwy&22bsqobnaHhdGwemvt(&11839) (25)
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
217[.]115[.]50[.]228 (17)
93[.]186[.]181[.]62 (15)
194[.]85[.]183[.]2 (14)
46[.]55[.]222[.]24 (12)
222[.]124[.]166[.]12 (10)
82[.]116[.]211[.]16 (10)
209[.]170[.]120[.]163 (9)
186[.]115[.]122[.]67 (8)
216[.]218[.]206[.]69 (1)
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and or directories created (Occurrences)
%SystemRoot%\SoftwareDistribution\DataStore\Logs\tmp.edb (1)
%HOMEPATH%\Local Settings\Application Data\ksgxpasi.exe (1)
%HOMEPATH%\Local Settings\Application Data\joorwdum.exe (1)
%HOMEPATH%\Local Settings\Application Data\unfdefqq.exe (1)
%HOMEPATH%\Local Settings\Application Data\ahnatfuo.exe (1)
%LOCALAPPDATA%\ffueegqn.exe (1)
%LOCALAPPDATA%\hahxwkrq.exe (1)
%LOCALAPPDATA%\erhipkjf.exe (1)
%LOCALAPPDATA%\qrfcduvn.exe (1)
%LOCALAPPDATA%\bbpikrlh.exe (1)
%LOCALAPPDATA%\gbmscrrf.exe (1)
%LOCALAPPDATA%\uhotvrfs.exe (1)
%LOCALAPPDATA%\vwaffned.exe (1)
%LOCALAPPDATA%\wscftndd.exe (1)
%LOCALAPPDATA%\fapgaxbx.exe (1)
%LOCALAPPDATA%\kselhlpe.exe (1)
%LOCALAPPDATA%\lupjoaow.exe (1)
%LOCALAPPDATA%\oxhojtxr.exe (1)
%LOCALAPPDATA%\bgnifxtm.exe (1)
%LOCALAPPDATA%\annimrmg.exe (1)
%LOCALAPPDATA%\teconvea.exe (1)
%LOCALAPPDATA%\jwclsdrd.exe (1)
%LOCALAPPDATA%\txfqjufq.exe (1)
%LOCALAPPDATA%\ridhufao.exe (1)
%LOCALAPPDATA%\ndfgutar.exe (1)
See JSON for more IOCs
File Hashes
  • 0212de9641f40da0e6bdad747f807eca71356ddc298263c20676321863326f70
  • 098631c475084bd57815d245af1252c70bb4b918df059844aa167ec189bc955b
  • 0c5634fd44849ef51ac6f7133cdea66da960a64a6c165bf038f17d97610ce5d9
  • 195b4c47c63c9d6fbd745da31721b086e931c0d60c1759e414c564cea4e1d6c2
  • 1ccb17748bc70035a00a5ea94d223e1e425163e191bfb92271d191d7ced3347d
  • 1f5286c16b783ebbcf24cd92cae2f1eb50d69e6f4cc0d0c97408f03abe1de161
  • 29614ffd96412f26a5cf2fee3648e4954c2ac095543b3633e03dfaab12d1ff60
  • 29de1a963a1f1bf15435da9020a2eadfa9d3054160e545b49b89135a6eaac2a9
  • 2c85e5a8a1c3e5c0e6fcf4902780824c9014298ff01f823ae8f4d2633f64c0b4
  • 2ebd4a5e0954ef8cfa8f338caf6bc6763e6519c9be2b71e31186f91b29312e13
  • 37d5963a73acccd5b60d59e27c19fc30c1806679724338e1d4962d04748934f9
  • 386ecf6b47b1f1d71b3797adb0335a806452d3346e108b758594f07dfcb49f97
  • 3b03b188ac995d7fcab65e70b9ada8d2b126313318a981ec396a2111a34bfd64
  • 40ebfa0f7b15bd9a0827c9c597340b1ab91a0b352232052094dbbf6e951617b9
  • 4ad58e6014e62529af11bdc456bd4fec94ee3138f6e8c679a963512709a72452
  • 5147b90fa72506bd6c47bed8b03f82f8eab5e6ab6f6216289680429ed915422e
  • 543cb5dba99c251147551c65e8db498b1b16f2084933596159006482ce1be633
  • 5d19478d27e1697220d54e158ecbe4190287c34f507d46717f06195acee8507d
  • 601d8a181beb7451b6d45b6938a398b8c09bfba4d858b5de52d79ad55ff733fc
  • 64816d8573edd50f3ba63d0c1b9e491e461dea9f4dab78b85986959346d7769c
  • 65f8b7cf030977bb60ae0e21b3514d4407090de968c505ccdaed0ea73d2b882d
  • 66bff41b7bad9cd835e0e698cfc574a576caf819a3c9abecc473eb8ec31a53a2
  • 68e6f59b6c52c804dcebebbc2eb54ad7a00c9e0302f429bfef2300d33abdc4a3
  • 6d610fd8891c60bd39978d90f76e803a878fd1bb36061e7a970ad79af20accd2
  • 70d71ecfbb763f5e97379bc3d75412e56aec4574affadc1d4bcb09a2fc70d923
  • See JSON for more IOCs

Coverage


Screenshots of Detection

AMP




ThreatGrid



Win.Malware.Vbkeylog-6935273-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D\MOSTRECENTAPPLICATION
Value Name: Name
5
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FFE2A43C-56B9-4BF5-9A79-CC6D4285608A} {00000122-0000-0000-C000-000000000046} 0xFFFF
5
Mutexes (Occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and or directories created (Occurrences)
\TEMP\NewBitmapImage.bmp (2)
\TEMP\taximg.bmp (1)
\TEMP\tooooos.txt (1)
\TEMP\jon.bmp (1)
\TEMP\SureTools.txt (1)
\TEMP\rum.txt (1)
\TEMP\SLIPUSD124.985,67(1).jpg (1)
\TEMP\TAXFILE.bmp (1)
\SureTools.txt (1)
\rum.txt (1)
\tooooos.txt (1)
File Hashes
  • 44414ef55e3f6368f1df92f06a5f29f4dda15554720b7cb4a7ad22ef73023ce6
  • 5164b6fd11a2fb210d88ee920b95a62e8ba0904797c015f2edf20fe519678777
  • 64ab1d27afd0c17215e56c0c97b2de6e8862573cf8663e60832d5d14ab9f635c
  • 940f6e0c84f2ea9db97ce376fdfd8b111f3fd50ddcac3d303b5b9d69a7a89dd5
  • 98408e5c6a013289ce93486234965b89f164c568f5f772d9082d6ddbfab7c506
  • 99773cfde40fbf0a2e681cbb27b64616c4e401b47ad88255be843c3084e41e29
  • b698ccf0db3ef9d598333cdb998beabbc0e59ba6a528e02a2870687b863ff0a3
  • dce28ef0578d3d8d14159a098ef4f8f15995996c2c2e512caa456d8c0f5114dd
  • f0b0138e46957c77c6b40f7c2ed6b16bf7aea25cd02ac62e4298b559de2b385b
  • f1632ccc48b023eeab044ed42093e748e501c0afdde9b97d22d27ad09b01dbea
  • f51e016793c920faad2abe8da9d14a6d6ecd1f73b8ccd68d583b4ddcbf9341fa

Coverage


Screenshots of Detection

AMP



ThreatGrid



Malware



Win.Malware.Zbot-6935412-0


Indicators of Compromise


Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: aybbmte.job.fp
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AYBBMTE
Value Name: Index
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FF46FC7D-1E0D-46F8-87EC-94D0FDA83668}
Value Name: DynamicInfo
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{F2B28AC6-1443-43F4-9832-8315397F35E8}
Value Name: data
14
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{088B2EE3-A639-491E-B1E6-84AE447D785F}
Value Name: DynamicInfo
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{94669170-5F40-43E0-9D77-69BC9146DF72}
Value Name: data
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9C9693B0-E894-414D-8675-6B58133E665B}
Value Name: DynamicInfo
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{6E1FF505-4705-412B-825D-ECE026885614}
Value Name: data
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{48716312-C151-484D-9EC0-E5B4883DF1B7}
Value Name: DynamicInfo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{90EA3D0B-BA3B-4356-A2CD-915E5BB4CF7B}
Value Name: data
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{65579417-B766-4127-BD16-88A7D90F9ADD}
Value Name: DynamicInfo
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{E4AA06C0-45E2-4E4D-B133-96D82B197EA1}
Value Name: data
1
Mutexes (Occurrences)
N/A
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A
Files and or directories created (Occurrences)
%ProgramData%\Mozilla\thfirxd.exe (25)
%System32%\Tasks\aybbmte (25)
%ProgramData%\Mozilla\lygbwac.dll (25)
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll (25)
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe (25)
%SystemRoot%\Tasks\kylaxsk.job (25)
File Hashes
  • 038925296d4fdaa55efcfa1ad8c02ce08d6f3673bc042fed1bd20d9f29fad5d3
  • 0ca97f5d0c9e6de090568cb7285db362d7210c45e2213be617fdd4ba2ae8dc7d
  • 109de4dba47129449293624f674a90a8d6381d5f827e4192f1efc97e4b08748e
  • 4155d902b22a775b172e7d86d4958e9088d571bfda7810fd6eceaa5bfb44e847
  • 56d02ae6de618c67968b5c6ca583372e1388c89424f2c2118aac6a8548b909ce
  • 5880016db066b6d864c72234d1404cb0ac8953a0ca35b1edae8fc1c8c6c8a7b2
  • 591e2322c4e4a65b02694f0066ef6c18ceff25c50ea0c118591170af3e4e9cce
  • 5a48b66eb3c6581073bd8b85f9a8151364f089dd91997d82ec42709f3f813def
  • 697000ba4047468f1005194dcbd2ae90e444a7e1a8b52c3904a3001358387af9
  • 89a3ecc59f1bd6d62f71b2dccbf03e433d99cee9f9e8d961e19d5e3ca7bb3f15
  • 95ce736766aa931ba16df831dabc530f64e9e9a6d1a134e6931987fa1c8fd544
  • a3309cb7bf90a6f6220bbf9a6b018d5f41334407a431b5101874e4d3436382ff
  • b28ca331d6466f83028b9e8c4e9fd6511dad0a599859ea21f8dd02618eabc1d4
  • c27265eca8f4f1d0606e3e6acc971721410f7430d3b8c487b128fee5a910f8cd
  • c6b0d5b496baca826833a12e9863292ecdd92931ce682d61a74ee62e97c39382
  • cf9e75a01b1ee5093c7ca244f5568becd535c6e9f56885a11a25dc1e9621d502
  • d5587aef2b6a77a22904f8cff993d6e35a832f7552f8f3124c772b1700077622
  • d7fb034de95b8ef46570d15391cb1c8181e2145076831813563a947d8d1616db
  • dc68ea18ef5b981d2fefd632a9e7fe51bc03c5058dcff708b9aa255e9ebbfe06
  • e1c784eada950c0b8a9ff1a533d95252bf4cf36314b8b52aaef1ce51c3fe3704
  • eb84091df0b6ea62d38e2240201dc93fbb5db4b878c595937cd9ff77508dacc1
  • ec5dd84f2cd6083165187eff18bb55f382719977092eaeea642868d062926970
  • ed8887e64560574df7491a6ba7feff32433fed157e02f39ce86fb8689d5a2207
  • f443021ba52b571fa16f440f171e85430eb6d925882bdffc339de6917b6e13b6
  • f4fd6c5f9fdeb3196e09b5ee9854f0c06d320c8cfe8c7fc04e234c35cfcc26b7
  • See JSON for more IOCs

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Ransomware.Cerber-6935713-0

Indicators of Compromise

Registry Keys (Occurrences)
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
54
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
54
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE
54
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D}
Value Name: Component_00
54
<HKU>\Control Panel\Desktop 42
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F95BF9F7-D3F3-4AC5-8A3F-4B59850DD369}
Value Name: DynamicInfo
31
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\HANDSHAKE\{99EF6702-6773-48D3-992B-6F4C187FAC71} 17
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHELL EXTENSIONS\CACHED
Value Name: {FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFF
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\IEXPLORE
Value Name: Blocked
11
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
Value Name: Window_Placement
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\STAGINGINFO\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}
Value Name: Active
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963}\CURRENT MEDIA
Value Name: Set
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\IEXPLORE
Value Name: LoadTimeArray
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{DBC80044-A445-435B-BC74-9C25C1C588A9}\IEXPLORE
Value Name: LoadTimeArray
11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ipconfig
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: ipconfig
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\COMPATIBILITYADAPTER\SIGNATURES
Value Name: ipconfig.job.fp
2
Mutexes (Occurrences)
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 54
Local\VERMGMTBlockListFileMutex 14
Local\!BrowserEmulation!SharedMemory!Mutex 14
Local\URLBLOCK_DOWNLOAD_MUTEX 14
Local\URLBLOCK_HASHFILESWITCH_MUTEX 14
cversions.1.m 14
GeneratingSchemaGlobalMapping 14
cversions.2.m 14
_SHuassist.mtx 13
{5312EE61-79E3-4A24-BFE1-132B85B23C3A} 13
Local\Shell.CMruPidlList 13
Local\InternetShortcutMutex 13
Local\ExplorerIsShellMutex 13
CDBurnNotify 13
Global\CDBurnExclusive 13
{C20CD437-BA6D-4ebb-B190-70B43DE3B0F3} 12
!PrivacIE!SharedMem!Mutex 11
ALTTAB_RUNNING_MUTEX 11
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D} 8
_!SHMSFTHISTORY!_ 5
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1388 3
\BaseNamedObjects\shell.{3AFC1C93-3B52-BB89-3222-3835B13B7C57} 3
Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1084 2
\BaseNamedObjects\shell.{2DA495A3-711D-597E-268E-77F8D29EB324} 2
\BaseNamedObjects\shell.{37AB6120-3C1B-909E-8A46-BA7ED26D587E} 2
See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
31[.]184[.]235[.]95 31
31[.]184[.]235[.]94 31
31[.]184[.]235[.]93 31
31[.]184[.]234[.]90 31
31[.]184[.]235[.]92 31
31[.]184[.]234[.]91 31
31[.]184[.]235[.]91 31
31[.]184[.]234[.]92 31
31[.]184[.]235[.]90 31
31[.]184[.]234[.]93 31
31[.]184[.]234[.]94 31
31[.]184[.]234[.]95 31
31[.]184[.]234[.]96 31
31[.]184[.]234[.]97 31
31[.]184[.]234[.]98 31
31[.]184[.]234[.]99 31
31[.]184[.]235[.]99 31
31[.]184[.]235[.]98 31
31[.]184[.]235[.]97 31
31[.]184[.]235[.]96 31
31[.]184[.]235[.]214 31
31[.]184[.]235[.]215 31
31[.]184[.]235[.]212 31
31[.]184[.]235[.]213 31
31[.]184[.]235[.]218 31
See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
ipinfo[.]io 54
onion[.]to 23
cerberhhyed5frqa[.]onion[.]to 23
ip-api[.]com 19
freegeoip[.]net 18
en[.]wikipedia[.]org 5
www[.]collectionscanada[.]ca 5
alpha3[.]suffolk[.]lib[.]ny[.]us 5
www[.]archives[.]gov 5
www[.]vitalrec[.]com 5
www[.]cdc[.]gov 5
4kqd3hmqgptupi3p[.]u57u1e[.]top 1
4kqd3hmqgptupi3p[.]hlu8yz[.]top 1
4kqd3hmqgptupi3p[.]58na23[.]top 1
4kqd3hmqgptupi3p[.]132z80[.]top 1
4kqd3hmqgptupi3p[.]asd3r3[.]top 1
4kqd3hmqgptupi3p[.]h9ihx3[.]top 1
4kqd3hmqgptupi3p[.]ep493u[.]top 1
4kqd3hmqgptupi3p[.]h079j8[.]top 1
4kqd3hmqgptupi3p[.]fgkr56[.]top 1
4kqd3hmqgptupi3p[.]azwsxe[.]top 1
Files and/or directories created (Occurrences)
%HOMEPATH%\NTUSER.DAT 54
%HOMEPATH%\ntuser.dat.LOG1 54
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 54
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\json[1].json 54
%HOMEPATH%\ntuser.ini 38
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.html 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.txt 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.url 37
%APPDATA%\Microsoft\Office\Recent\# DECRYPT MY FILES #.vbs 37
%HOMEPATH%\# DECRYPT MY FILES #.html 37
%HOMEPATH%\# DECRYPT MY FILES #.txt 37
%HOMEPATH%\# DECRYPT MY FILES #.url 37
%HOMEPATH%\# DECRYPT MY FILES #.vbs 37
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js 36
%APPDATA%\Adobe\Acrobat\9.0\TMGrpPrm.sav 36
%APPDATA%\Microsoft\Outlook\Outlook.xml 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.html 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.txt 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.url 36
%APPDATA%\Adobe\Acrobat\9.0\# DECRYPT MY FILES #.vbs 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.html 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.txt 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.url 36
%APPDATA%\Adobe\Acrobat\9.0\JavaScripts\# DECRYPT MY FILES #.vbs 36
%APPDATA%\Microsoft\Outlook\# DECRYPT MY FILES #.html 36
See JSON for more IOCs
File Hashes
  • 0209aa718b9b606b5cad5f9783ef1eb441ab1b6ff63283855e8b6d74f4649ec5
  • 03050ca0e3c1e6fc7a9782b5791aeccc77a1f07a7a8a675feb6e756226174410
  • 04043499a4936537e774dc6a381ccaeab8bb853d84819b9be12de2931d6646de
  • 0468b2231ea7059a58566e1a77d170f9c3a7e417d0221e8d7ca0747607bba2c3
  • 0680c78425029623806a8fd8f305523564e52bb68779ccffd698b78e218e249e
  • 087fa7d28264fc9c06eb7031891b68794c67b7b571176194e313c227437a1ea8
  • 09b4791e9e2eed217cf3df60f0386b010dccfc12a0b8c67b3cd2007fdbfb8e74
  • 0adb55a70a4c9f9e2bfcd33bb7c7b7b2f5d309b5ad006e7364aca2fbcda6c505
  • 0ca6bf5961f23df78cd48d7cde29d58b7d23e22598f784d04a1ca0676a466c0a
  • 0cf92c126ff4860a912d3e5d9d21c546edf434b46a1ea8bdddaf1eace91bc7ce
  • 0d7b033bd7734735b8e101b820be42c37e6957dd556da8b26f05f50edc3cb96f
  • 0dc0bfebad2716cfc4eb1b6d2853929d110fa2589af4d662d0c35231e9e1e291
  • 0eb148582c01d74361a630671d8c4d7f2577cbf09bea123f16df962e4b7d3df8
  • 0fa00710b9232318f7288b3723436ccc51714089030fabe581a00cd057b71865
  • 0fcb3e096368ecbe9d96c2c88ef721c29b596db298a6790a27ccab7bffe5a12b
  • 103517b74d9bc58c6a54d0a635ef45417540aeb5d8b5809ad110abb4685b0c2b
  • 10de95456a338a6f0edc9cd277ed314380a335dcc8e921e6eb7b40b526bca0fc
  • 130cd09e0e050acf6b75411b57c1146cd6f177f765e8cde272bd45b641e068d8
  • 13f983ebe9787626f1fe2e6615ad9c8cbc997b363ad9c2f91a1295a9a1db65db
  • 1677324000e28746b206c781a6b653f87b69e144c18d5f366aa9f0f2af83a8b7
  • 1768e3f32fe5c938f3baed815000b18020b10dd8ac440aa4bef7258cab863395
  • 177644a4e59f0f0b468e176972895a55b724fc19db205f555e98c06851982084
  • 179f11a15d4a284bf8e10002663f744bee9903bb2c8eae9e22308a49bca9ff03
  • 17f46c0701439f25126d59dd4b3b8c4cb131e260cc199bb8bb61414128fd3aef
  • 18adeddd8205122987da070c640e8eaf72e2e4bc5f2f58491a5e83f7ed6c2c25
  • See JSON for more IOCs

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Malware

Win.Trojan.Winwebsec-6935682-0

Indicators of Compromise

Registry Keys (Occurrences)
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
10
<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
10
<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: ConsentPromptBehaviorAdmin
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: HideSCAHealth
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER\svc 10
<HKLM>\System\CurrentControlSet\Services\luafv 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LUAFV
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE
Value Name: RPSessionInterval
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS DEFENDER
Value Name: DisableAntiSpyware
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: 98BE0FA9BB7E8E3C000098BD76F2948C
10
<HKLM>\SYSTEM\CONTROLSET001\ENUM\WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD_HARDDISK&REV_2.5+#1-0000:00:1D.7-2&0#
Value Name: CustomPropertyHwIdKey
3
<HKCU>\Software\Microsoft\Installer\Products\98BE0FA9BD7E903C000098BD76F2968C 3
<HKCU>\SOFTWARE\MICROSOFT\INSTALLER\PRODUCTS\98BE0FA9BD7E903C000098BD76F2968C 3
Mutexes (Occurrences)
98BE0FA9BB7E8E3C000098BD76F2948C 10
98BE0FA9BC7E8F3C000098BD76F2958C 3
98BE0FA9BCBE8F7C000098BD76F295CC 3
98BE0FA9BD7E903C000098BD76F2968C 3
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
123[.]108[.]108[.]42 10
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
N/A -
Files and/or directories created (Occurrences)
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.exe 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C.ico 10
%ProgramData%\98BE0FA9BB7E8E3C000098BD76F2948C\98BE0FA9BB7E8E3C000098BD76F2948C 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus\System Care Antivirus.lnk 3
%HOMEPATH%\Desktop\System Care Antivirus.lnk 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Care Antivirus 3
File Hashes
  • 10b34c1a0b739cd6c12e2926372afcd0cbf6f95be9d1b45038144bd3efb5eb79
  • 1a448e78d2668f4dad016aca5092107f4d1ee19dadf8886e8a0ec4e2b550b317
  • 26a08a46deffe995ba67d9aaf547b55a265fe513a8293d51f3f9f0b3d944808c
  • 72f94e87b1fa1393360d9cacbdebb1ffebd5754c7d93121e0e887eacb8529c87
  • 8725d076eb421b4e4737792ad07647db9a263e4da2f0436bccd6c8ff9f752d39
  • b18e5830f0e557d72ba6ba2dbb59da23cf8e2539148efc51ed01a0364210b06d
  • b4b5fdc7fcf6f86a9ffba97a9d2e159f0078e9ffc090deb948660a3c8e5cdd07
  • d45ba937d7d532907d5da3fc979a96b1efa5e9c9a4c6b5c45f683925a9524ac2
  • d54730e93be5c4d17de56a904aa56610c06fdf425083277343c9ece4ecc922df
  • e165145377ae247117657cb0172fd7767907dd1ee5d4a698cbf58a6f4af03624

Coverage

Screenshots of Detection

AMP

ThreatGrid

Win.Malware.Tovkater-6936213-0

Indicators of Compromise

Registry Keys (Occurrences)
<HKLM>\System\CurrentControlSet\Control\Session Manager 14
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER
Value Name: PendingFileRenameOperations
14
<HKLM>\SYSTEM\ControlSet001\Control\Session Manager 10
Mutexes (Occurrences)
N/A -
IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
185[.]53[.]178[.]61
185[.]147[.]15[.]51
Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
MIRRACLEZ[.]CLUB 10
mirraclez[.]club 10
zaltzburgopportunity[.]top 4
binocularhearing[.]top 4
CARIBZ[.]CLUB 2
flowergroup[.]top 1
binoculuz[.]club 1
BINOCULUZ[.]CLUB 1
backverge[.]top 1
gaslight[.]metimes[.]ru 1
BACKVERGE[.]TOP 1
frock[.]encours[.]ru 1
caribz[.]club 1
lurk[.]ecolleague[.]ru 1
simpledrive[.]top 1
Files and/or directories created (Occurrences)
masrra11.exe 8
imasrr13.exe 4
%LocalAppData%\Temp\nsnD405.tmp 2
%LocalAppData%\Temp\nscD4B1.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsnD010.tmp\INetC.dll 1
%LocalAppData%\Temp\nsnD010.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsnD010.tmp\cmutil.dll 1
%LocalAppData%\Temp\nsnD010.tmp\colbact.dll 1
%LocalAppData%\Temp\nsnD010.tmp\icrub.exe 1
%LocalAppData%\Temp\nsnD010.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsiD435.tmp\INetC.dll 1
%LocalAppData%\Temp\nsiD435.tmp\X shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsiD435.tmp\Z shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\cmutil.dll 1
%LocalAppData%\Temp\nsiD435.tmp\colbact.dll 1
%LocalAppData%\Temp\nsiD435.tmp\msimn.exe 1
%LocalAppData%\Temp\nsiD435.tmp\nsJSON.dll 1
%LocalAppData%\Temp\nsiD435.tmp\shmgrate.exe 1
%LocalAppData%\Temp\nsiD435.tmp\xantacla.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\INetC.dll 1
%LocalAppData%\Temp\nsiDC21.tmp\X shmgrate.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\Y gamemonitor.dll 1
%LocalAppData%\Temp\nsiDC21.tmp\Z shmgrate.exe 1
%LocalAppData%\Temp\nsiDC21.tmp\cmutil.dll 1
See JSON for more IOCs
File Hashes
  • 4f8cf035324575449ee73dcfcc1ecededc5d1f3f8a4cec2f0e85455516207eb0
  • 9fc837165be91f7c7042e1dbcc4db8dd38d002f9214b861db6214c636055bac4
  • a40c7290af61e7f34282faf839982f9fbb33db423751ce59d11a156140e711ef
  • bd9f2de34957bcd509e47fcd7cd7e7f2af01b0e5078c0823680cdcd1d753341a
  • c880d5254c7e1d5723862100c2d57bd3cbcaad6560437ac59bd1071172980197
  • cd69efb3bb139a1675b90690635f8584896fc10c1f85be17f92206f8d856289d
  • d6dc00609f709cc451cb61f1d77fc84e8572494ebc3ba0de80518f7ab234384e
  • e82dd6108b2272e13f6365d75943de81b4196cfa4d885a78a2ac3665249ba2c5
  • f102bc0d0ebe8adf4486b0567c9ab493faa619aa1ae48ac3572ecb23b2de9836
  • f997bc9973d1bac7be25513c9ef80783949069a00732fd630e74876a3019dd3b
  • fcec660083595a7956cc13f9815ce23edcfbfa3e82c150a2f0fe6c0449433ce0
  • fd7696f075bb712bd4d7f14dad9c297d99669d3b1c61e51ee2dae4cfa897b9ff
  • fdac4b0e291a27c91cd3050c4e811d4fe33bb2189e44015d0d5a88f168441815
  • fef0d09e80bce24d232f60977972934eb9b1a984f4b42fac5a9d9ebd93757127

Coverage

Screenshots of Detection

AMP

ThreatGrid

Umbrella

Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPN's helper tool

Discovered by Tyler Bohan of Cisco Talos.

Overview

Cisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for macOS that can be used to connect multiple VPN accounts to one application. These specific vulnerabilities were found in the “helper tool,” a feature that Shimo VPN uses to accomplish some of its privileged work.

These vulnerabilities are being released without a patch, per our disclosure policy, after repeated attempts were made to communicate with the vendor.

Vulnerability Details

TALOS-2018-0673

TALOS-2018-0673/CVE-2018-4004 is a privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the disconnectService function. The vulnerability requires local access to the machine but could allow a non-root user to kill privileged processes on the system.

Detailed vulnerability information can be found here.

TALOS-2018-0674

TALOS-2018-0674/CVE-2018-4005 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the configureRoutingWithCommand function. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.

Detailed vulnerability information can be found here.

TALOS-2018-0675

TALOS-2018-0675/CVE-2018-4006 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the writeConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.

Detailed vulnerability information can be found here.

TALOS-2018-0676

TALOS-2018-0676/CVE-2018-4007 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the deleteConfig functionality. The vulnerability requires local access to the machine but could allow an attacker to delete any protected file on the system.

Detailed vulnerability information can be found here.

TALOS-2018-0677

TALOS-2018-0677/CVE-2018-4008 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service, specifically the RunVpncScript command. The vulnerability requires local access to the machine. The command takes a user-supplied script argument and executes it under root context.

Detailed vulnerability information can be found here.

TALOS-2018-0678

TALOS-2018-0678/CVE-2018-4009 is an exploitable privilege escalation vulnerability that resides in the Shimo VPN helper service due to improper validation of code signing. The vulnerability requires local access to the machine but could allow an attacker to escalate their privileges to root.

Detailed vulnerability information can be found here.

Known Vulnerable Versions

Shimo VPN 4.1.5.1




Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 47801 - 47804

Vulnerability Spotlight: Denial of service in VMware Workstation 15

Piotr Bania of Cisco Talos discovered this vulnerability.

Executive summary

VMware Workstation 15 contains an exploitable denial-of-service vulnerability. Workstation allows users to run multiple operating systems on a Linux or Windows PC. An attacker could trigger this particular vulnerability from VMware guest user mode to cause a denial-of-service condition through an out-of-bounds read. This vulnerability only affects Windows machines.

In accordance with our coordinated disclosure policy, Cisco Talos worked with VMware to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

VMware Workstation 15 vertex shader functionality denial-of-service vulnerability (TALOS-2018-0762/CVE-2019-5516)

An exploitable denial-of-service vulnerability exists in VMware Workstation 15. A specially crafted vertex shader can cause denial-of-service issues. An attacker can provide a specially crafted shader file to trigger this vulnerability. The vulnerability can be triggered from a VMware guest and affects the VMware host, leading to a crash of the vmware-vmx.exe process on the host.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that VMware Workstation 15 (15.0.2 build-10952284) with Windows 10 x64 as the guest VM is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 49045, 49046

New HawkEye Reborn Variant Emerges Following Ownership Change

Edmund Brumaghin and Holger Unterbrink authored this blog post.

Executive summary


Malware designed to steal sensitive information has been a threat to organizations around the world for a long time. The emergence of the greyware market and the increased commercialization of keyloggers, stealers, and remote access trojans (RATs) has magnified this threat by reducing the barrier to entry for attackers. In many cases, the adversaries leveraging these tools do not need to possess programming skills or in-depth computer science expertise, as they are now being provided as commercial offerings across the cybercriminal underground. We have previously released in-depth analyses of these types of threats and how malicious attackers are leveraging them to attack organizations with Remcos in August and Agent Tesla in October.

HawkEye is another example of a malware kit that is actively being marketed across various hacking forums. Over the past several months, Talos observed ongoing malware distribution campaigns attempting to leverage the latest version of the HawkEye keylogger/stealer, HawkEye Reborn v9, against organizations to steal sensitive information and account credentials for use in additional attacks and account compromise.

History of HawkEye


HawkEye is a malware kit that has been around for several years and has seen continuous development and iterations since at least 2013. It is commonly sold on various hacking forums as a keylogger and stealer that can be used to monitor systems and exfiltrate information from those systems. It features robust stealing capabilities as it can be used to obtain sensitive information from a variety of different applications. This information can then be transmitted to the attacker using protocols such as FTP, HTTP, and SMTP. Talos has recently identified several changes concerning HawkEye Reborn in the latest version, HawkEye Reborn v9.

In December 2018, a thread on HackForums described a change in the ownership and ongoing development of the HawkEye keylogger.

Shortly following this exchange, new posts began to appear that were attempting to market and sell new versions of HawkEye (HawkEye Reborn v9), with these new posts also referencing the change in ownership of the project moving forward.

HawkEye Reborn v9 is currently marketed as an "Advance Monitoring Solution." It is currently being sold using a licensing model, with purchasers gaining access to the software and updates for different periods based on a tiered pricing model.

HawkEye Reborn v9 also features a Terms of Service agreement that provides some additional insight. While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries.

Following these changes, the new developer of HawkEye Reborn has continued to make changes, and we expect this to continue as long as the developer can monetize their efforts.

As with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or "for educational purposes," malicious attackers have been continuously leveraging it against various targets around the world.

Distribution campaigns


For several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer. The current version, HawkEye Reborn v9, has been modified from earlier versions and heavily obfuscated to make analysis more difficult.

The email campaigns that have been observed feature characteristics that are consistent with what is commonly seen with malspam campaigns, with the emails purporting to be associated with various documents such as invoices, bills of materials, order confirmations, and other corporate functions. An example of one of these emails is below:
Figure 1: Example email message

While the current campaign leverages malicious Microsoft Excel files, earlier campaigns have also been observed leveraging RTF and DOC files. Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves.
Figure 2: Example malicious Excel document

Similar to the technique described in our previous blog about Remcos, the contents of the documents have been intentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer view of the contents.

Another interesting characteristic of the malicious documents is that the metadata associated with the document files themselves also matches that found in many of the malicious documents that were previously being used to spread Remcos.
Figure 3: Document metadata

Additionally, the creation and modification dates associated with these documents are shortly after we released a detailed analysis of Remcos distribution campaigns that were being observed throughout 2018.

Assuming the victim opens the attachment, the infection process begins as described in the following section.

Many of the distribution servers that are being used to host the HawkEye keylogger binaries that are retrieved during the infection process are hosting large numbers of malicious binaries and, in many cases, contain open directory listings that can be used to identify the scope of the infections that they are being used to facilitate. In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers.

Analysis of HawkEye Reborn


The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office. The exploit works similarly to what we saw with Agent Tesla in October. It leverages a buffer overflow in the Equation Editor, which occurs if someone hands over a font name that's too long. The shellcode starts after the MTEF font tag "08 13 36" in this case.
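
The post identifies the overlong font name as the trigger and the "08 13 36" FONT tag as the start of the shellcode; the triage helper below (an added example, not code from the Talos post) scans an extracted Equation Editor stream for FONT records whose name exceeds a length threshold. It assumes the MTEF v3 FONT record layout (tag 0x08, a typeface byte, a style byte, then a NUL-terminated name), a threshold I chose (MAX_FONT_NAME), and constructed sample bytes; obtaining the stream from the document's "Equation Native" OLE storage (for instance with olefile) is outside the example.

```python
"""Triage helper: flag oversized FONT records in an Equation Editor (MTEF) stream.

Added example, not Talos code. Assumptions (not stated on the page): the MTEF v3
FONT record layout (tag 0x08, then a typeface byte, a style byte and a
NUL-terminated font name) and the MAX_FONT_NAME threshold chosen here.
"""
from typing import List, Tuple

FONT_TAG = 0x08
MAX_FONT_NAME = 32  # assumption: real font names are far shorter than this

# Constructed samples. The five header bytes mimic an MTEF v3 header
# (MTEF version, platform, product, product version, subversion).
MTEF_HEADER = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])
BENIGN_STREAM = MTEF_HEADER + b"\x08\x01\x00Times New Roman\x00" + b"\x00"
# Mirrors the "08 13 36" tag the post mentions, followed by an overlong name
# made of a filler byte instead of shellcode.
SUSPICIOUS_STREAM = MTEF_HEADER + b"\x08\x13\x36" + b"A" * 60 + b"\x00"


def find_font_records(stream: bytes) -> List[Tuple[int, int, int, int]]:
    """Return (offset, tface, style, name_length) for each candidate FONT record.

    Every 0x08 byte is treated as a candidate tag, so a benign stream may yield
    spurious short hits; is_suspicious() only cares about the long ones.
    """
    records = []
    i = 0
    while i < len(stream):
        if stream[i] == FONT_TAG and i + 3 <= len(stream):
            name_start = i + 3
            end = stream.find(b"\x00", name_start)
            if end == -1:
                end = len(stream)  # unterminated name runs to the end of the stream
            records.append((i, stream[i + 1], stream[i + 2], end - name_start))
            i = end + 1
        else:
            i += 1
    return records


def longest_font_name(stream: bytes) -> int:
    """Length of the longest candidate font name, 0 if there are no records."""
    return max((n for _, _, _, n in find_font_records(stream)), default=0)


def is_suspicious(stream: bytes, max_len: int = MAX_FONT_NAME) -> bool:
    """True when any FONT record carries a name longer than max_len bytes."""
    return longest_font_name(stream) > max_len


if __name__ == "__main__":
    for label, data in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(f"{label}: longest font name {longest_font_name(data)} bytes, "
              f"suspicious={is_suspicious(data)}")
```

Because the scan treats every 0x08 byte as a candidate tag, it is a triage heuristic rather than a full MTEF parser: short spurious hits are expected and harmless, and only a name longer than the threshold raises the flag.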


After execution in the Equation Editor (EQNEDT32.EXE) context, it downloads the malicious data from the malware server, as you can see in the ThreatGrid Process Timeline screenshot below. After a successful download, it creates and starts the RegAsm.exe process.

This RegAsm.exe process is a heavily obfuscated AutoIT script compiled into a PE. Even after decompiling it from the PE file, the script is still heavily obfuscated and almost unreadable.

We deobfuscated the script to understand how the infection process works. It first creates the "winrshost" mutex. Then, it extracts the final payload malware from two objects in the PE resource section (capisp1, appsruprov2).

It concatenates them and uses AES to decrypt the result, using the hardcoded key "pydbdio…", which is handed over to the DecryptData function (see above). The screen capture below shows the decryption function.

It then calls the StartAndPatchRegAsm function.

This function tries to find the original Microsoft RegAsm executable path. It hands over the decrypted buffer extracted from the resource section and the path of the original RegAsm executable to the start_protect_hexcode function.

Then it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable. This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process. The shellcode in HEXCODE1 is very similar to this RunPE example.

The AutoIT script offers many other functions that are not used in this campaign, such as anti-virtual machine detection, USB drive infection and others.

The final payload — which we found in the AutoIT PE file resource section and was started by the process-hollowing shellcode — is a .NET PE file that's obfuscated with ConfuserEx.

Deobfuscated, we can see it is the HawkEye Keylogger — Reborn v9, Version=9.0.1.6.

When HawkEye is executed, in line 34,
byte[] byte_ = gclass.method_0()["0", GClass30.GEnum3.RCDATA].Byte_0;
it reads the encrypted configuration from the RCDATA resource, and in line 33,
byte[] byte_2 = GClass29.smethod_12(byte_, GClass12.string_0);
it decrypts this data with the Rijndael algorithm, which you can see below in the RijndaelManaged function, to initialize the HawkEye configuration settings.

The decrypted configuration shows us the account used for exfiltration:

The main loop of HawkEye has the following functions:

This shows the rich feature set of HawkEye. The adversaries can get detailed information about the victim's machine, as you can see in the screenshot below.

Besides the system information, it steals passwords from common web browsers, Filezilla, Beyluxe Messenger, CoreFTP and the video game "Minecraft." It also starts a keylogger, steals clipboard content, takes screenshots from the desktop and pictures from the webcam.

Version 9 is still using the well-known MailPassView and WebBrowserPassView freeware tools from Nirsoft to steal web and email passwords. These tools are embedded in the PE file as data that is decoded at runtime and added to the local resources. HawkEye then uses the process-hollowing technique to hide the execution of these tools inside the original Microsoft vbc.exe (Visual Basic compiler) process: it starts an instance of vbc.exe via ProcessCreate, injects the tool and resumes the thread. The stolen passwords end up in a temporary file, which is read in and added to the list of data to be exfiltrated. HawkEye offers the following exfiltration options based on the configuration: email, FTP, SFTP, HTTP POST to PanelURL API or ProxyURL.
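
The process chain described in this section and in the AutoIT analysis above (Equation Editor launching a downloaded RegAsm.exe, that RegAsm.exe hollowing the genuine one, and RegAsm.exe hollowing vbc.exe for the Nirsoft tools) is visible in process-creation telemetry. The rules below are an added example, not Talos code: they assume events with the fields Sysmon Event ID 1 supplies (pid, image, parent_image), assume the genuine RegAsm.exe lives under the .NET Framework directory, and run over constructed sample events.

```python
"""Flag the HawkEye Reborn process chain in process-creation telemetry.

Added example, not Talos code. It assumes events carrying the fields Sysmon
Event ID 1 supplies (pid, image, parent_image); the rules encode the chain the
post describes (EQNEDT32.EXE -> dropped RegAsm.exe -> genuine RegAsm.exe
-> vbc.exe) and the sample events are constructed.
"""
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]

# Assumption: the genuine RegAsm.exe lives under the .NET Framework directory.
DOTNET_DIR = r"c:\windows\microsoft.net\framework"
HOLLOW_HOSTS = {"regasm.exe", "vbc.exe"}  # processes the post shows being hollowed


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def eqnedt32_spawned_child(ev: Event) -> bool:
    """Equation Editor should never be a parent; here it launches the downloaded RegAsm.exe."""
    return basename(ev["parent_image"]) == "eqnedt32.exe"


def regasm_outside_dotnet(ev: Event) -> bool:
    """A RegAsm.exe outside the .NET directory is the AutoIT dropper wearing a borrowed name."""
    return basename(ev["image"]) == "regasm.exe" and not ev["image"].lower().startswith(DOTNET_DIR)


def regasm_spawned_hollow_host(ev: Event) -> bool:
    """RegAsm.exe launching RegAsm.exe or vbc.exe: the hollowing step for the payload and the Nirsoft tools."""
    return basename(ev["parent_image"]) == "regasm.exe" and basename(ev["image"]) in HOLLOW_HOSTS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("eqnedt32_spawned_child", eqnedt32_spawned_child),
    ("regasm_outside_dotnet", regasm_outside_dotnet),
    ("regasm_spawned_hollow_host", regasm_spawned_hollow_host),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) for every event that matches a rule."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample, in order of the infection chain.
DOTNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS: List[Event] = [
    {"pid": 100, "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe"},  # COM-launched, as normal
    {"pid": 300, "image": r"C:\Users\victim\AppData\Roaming\RegAsm.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"pid": 400, "image": DOTNET + r"\RegAsm.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\RegAsm.exe"},
    {"pid": 500, "image": DOTNET + r"\vbc.exe", "parent_image": DOTNET + r"\RegAsm.exe"},
    {"pid": 600, "image": DOTNET + r"\vbc.exe", "parent_image": DOTNET + r"\MSBuild.exe"},  # benign build
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign vbc.exe launched by MSBuild.exe produces no alert, which is the point of keying the last rule on the RegAsm.exe parent rather than on vbc.exe alone; a build server would otherwise drown the signal.
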
As mentioned above, in the comments of the main loop section, it also comes with several anti-analysis features, including starting an anti-debugging thread or disabling certain AV-related programs via the Image File Execution Options (IFEO) evasion technique by registering invalid debuggers that redirect and effectively disable various system and security applications.
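
An IFEO "Debugger" value redirects every launch of the named executable, so the evasion described above leaves a durable artifact that can be audited. The script below is an added example, not Talos code: it parses a .reg export of the Image File Execution Options key (as produced by reg export) offline, and flags Debugger values that are not on an allowlist of legitimate debuggers. The allowlist, the set of tools rated high severity and the sample export are all constructed for the example.

```python
"""Audit Image File Execution Options for hijacked 'Debugger' values.

Added example, not Talos code. It works offline on a .reg export of the IFEO
key; KNOWN_DEBUGGERS, MONITORED_TOOLS and SAMPLE_EXPORT are constructed for
the example and are not from the Talos post.
"""
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
               "\\image file execution options\\")
# Assumption: debuggers that legitimately appear under IFEO on workstations.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}
# Assumption: illustrative admin/security tools whose redirection is most telling.
MONITORED_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe", "procexp.exe", "msseces.exe"}


def _unescape(value: str) -> str:
    """Strip the outer quotes of a REG_SZ .reg value and undo its backslash escapes."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return re.sub(r'\\([\\"])', r"\1", value)


def parse_ifeo_export(text: str) -> Dict[str, str]:
    """Map target executable -> Debugger value for every direct IFEO subkey."""
    debuggers: Dict[str, str] = {}
    target = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            target = key[len(IFEO_PREFIX):] if key.startswith(IFEO_PREFIX) else None
            if target and "\\" in target:  # deeper subkeys (e.g. PerfOptions) carry no Debugger
                target = None
        elif target and line.lower().startswith('"debugger"='):
            debuggers[target] = _unescape(line.split("=", 1)[1])
    return debuggers


def debugger_image(value: str) -> str:
    """Base name of the executable a Debugger value launches (quoted path or first token)."""
    tokens = value.split()
    exe = value[1:value.find('"', 1)] if value.startswith('"') else (tokens[0] if tokens else "")
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_hijacked(debuggers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (target, debugger, severity) for Debugger values not on the allowlist."""
    findings = []
    for target, value in debuggers.items():
        if debugger_image(value) in KNOWN_DEBUGGERS:
            continue
        severity = "high" if target in MONITORED_TOOLS else "medium"
        findings.append((target, value, severity))
    return findings


# Constructed .reg export: one legitimate JIT debugger entry and three redirections.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger"="C:\\Windows\\System32\\rundll32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="C:\\nonexistent\\dbg.exe"
"UseFilter"=dword:00000000
"""

if __name__ == "__main__":
    for target, debugger, severity in find_hijacked(parse_ifeo_export(SAMPLE_EXPORT)):
        print(f"[{severity}] {target} is redirected to {debugger}")
```

A Debugger value pointing at a system binary such as svchost.exe or rundll32.exe is the shape of the "invalid debugger" trick: the named tool never starts, and the redirection survives reboots until the value is removed.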

The following diagram summarizes the full infection process:

Conclusion


Recent changes in both the ownership and development efforts of the HawkEye Reborn keylogger/stealer demonstrate that this is a threat that will continue to experience ongoing development and improvement moving forward. HawkEye has been active across the threat landscape for a long time and will likely continue to be leveraged in the future as long as the developer of this kit can monetize their efforts. While the Terms of Service have been written in an attempt to absolve the developer of any wrongdoing, it is actively leveraged by malicious adversaries. Organizations should be aware of this and similar threats and deploy countermeasures such as Multi-Factor Authentication (MFA) solutions such as Duo, to help reduce the impact of credential theft within their environments. Talos continues to monitor this threat as it changes to ensure that customers remain protected from this and other threats as they continue to emerge and evolve.

Coverage

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Indicators of compromise


The following IOCs are associated with various malware distribution campaigns that were observed during the analysis of Hawkeye Reborn v9 activity.

Attachment hashes (SHA256)


A list of hashes observed to be associated with malicious email attachments can be found here.

PE32 hashes (SHA256)


A list of hashes observed to be associated with malicious PE32 executables can be found here.

Domains


The following domains have been observed to be associated with malware campaigns.

tfvn[.]com[.]vn
shirkeswitch[.]net
guideofgeorgia[.]org
gulfclouds[.]site
jhssourcingltd[.]com
kamagra4uk[.]com
pioneerfitting[.]com
positronicsindia[.]com
scseguros[.]pt
spldernet[.]com
toshioco[.]com
www[.]happytohelpyou[.]in

IP addresses


The following IP addresses have been observed to be associated with malware campaigns.

112.213.89[.]40
67.23.254[.]61
62.212.33[.]98
153.92.5[.]124
185.117.22[.]197
23.94.188[.]246
67.23.254[.]170
72.52.150[.]218
148.66.136[.]62
107.180.24[.]253
108.179.246[.]138
18.221.35[.]214
94.46.15[.]200
66.23.237[.]186

URLs:


The following URLs have been observed to be associated with malware campaigns.

https[:]//a[.]pomf[.]cat/
http[:]//pomf[.]cat/upload[.]php

DNS Hijacking Abuses Trust In Core Internet Service

Authors: Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.


Preface

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drive the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.


Executive Summary

Cisco Talos has discovered a new cyber threat campaign that we are calling "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems.

The actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an alert about this activity on Jan. 24, 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names.

In the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities.

We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we reported on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology.

The threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first publicly confirmed case of a DNS registry compromise, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed.

This post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen.

Background on Domain Name Services and records management

The threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded.

The first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to log in to the DNS provider from the client side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will.

The second way to access DNS records is through a DNS registrar, sometimes called a registrar operator. These registrars are typically ISPs, telecommunications providers, or web-hosting organizations. These registrars manage DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in Request for Comments (RFC) 5730 as "a means of interaction between a registrar's applications and registry applications." If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar.

The third approach to gain access to DNS records is through one of the registries. There are currently 12 different registries that manage different parts of the domain registry. For example, Verisign manages all entities associated with the top-level domain (TLD) ".com." The domain registry is stored on 13 "named authorities in the delegation data for the root zone," according to ICANN. These registries manage entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs).

Finally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a joint statement that stated, "There are no signs of lost integrity or compromise of the content of the root [server] zone…There are no signs of clients having received unexpected responses from root servers."

Assessed Sea Turtle DNS hijacking methodology

It is important to remember that DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle:
  1. Established a means to control the DNS records of the target.
  2. Modified DNS records to point legitimate users of the target to actor-controlled servers.
  3. Captured legitimate user credentials when users interacted with these actor-controlled servers.
The diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals.

Redirection Attack Methodology Diagram


Operational tradecraft

Initial access

The threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. Based on our research, we know the actor utilizes the following known exploits:
  • CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
  • CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs)
  • CVE-2017-3881: RCE by unauthenticated user with elevated privileges Cisco switches
  • CVE-2017-6736: Remote Code Exploit (RCE) for Cisco Integrated Services Router 2811
  • CVE-2017-12617: RCE affecting Apache web servers running Tomcat
  • CVE-2018-0296: Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls
  • CVE-2018-7600: RCE for Website built with Drupal, aka "Drupalgeddon"
As of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure. In mid-February, Packet Clearing House, an internet exchange point that manages a core component of the domain name system, provided the first confirmation about this aspect of the actors' tactics when it publicly revealed that it had been compromised by a spear-phishing email.

As with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities.

Globalized DNS hijacking activity as an infection vector

During a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The targeted DNS record remained hijacked for anywhere from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim, anywhere in the world, who queried for that particular domain. Other cybersecurity firms previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified "A" record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine.

During 2019, we observed the following name servers being used in support of the Sea Turtle campaign:

Domain                     Active Timeframe
ns1[.]intersecdns[.]com    March - April 2019
ns2[.]intersecdns[.]com    March - April 2019
ns1[.]lcjcomputing[.]com   January 2019
ns2[.]lcjcomputing[.]com   January 2019
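The hijack pattern just described (an NS delegation moved to actor-controlled name servers, a falsified A record, and a TTL lowered to one second) is something a defender can watch for in a passive DNS feed for their own domains. The following Python is an added example and is not Talos code or part of any Cisco product. The example.org zone, the expected name servers ns1/ns2.example-dns.net, the 203.0.113.0/24 address range, the 60-second TTL threshold and the feed records are all constructed for illustration; the only page-derived values are the intersecdns.com name servers used in the constructed day-two records.

```python
"""Flag DNS delegation hijack indicators in a passive DNS feed.

Added example, not Talos code. The baseline (expected name servers and
address space) and the feed records are constructed; a real deployment
would load them from the organisation's own zone data and a pDNS provider.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    ttl: int
    first_seen: str  # ISO date, constructed


# Baseline the defender controls (constructed): authoritative name servers
# and the address space the organisation's hosts actually live in.
EXPECTED_NS = {
    "example.org": {"ns1.example-dns.net", "ns2.example-dns.net"},
}
EXPECTED_NETS = {
    "example.org": [ip_network("203.0.113.0/24")],
}
# TTLs at or below this are treated as suspicious. The post notes the actor
# set TTLs to one second to keep falsified answers out of victim caches.
MIN_SANE_TTL = 60


def zone_of(name, known_zones):
    """Return the monitored zone that `name` belongs to, or None."""
    for zone in known_zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_hijack_indicators(records, expected_ns=EXPECTED_NS, expected_nets=EXPECTED_NETS):
    """Return (indicator, name, value, first_seen) tuples for records that
    deviate from the baseline: unknown NS delegation, an A record outside
    the organisation's address space, or an abnormally short TTL."""
    findings = []
    for r in records:
        zone = zone_of(r.rrname, expected_ns)
        if zone is None:
            continue  # not one of our zones, ignore
        if r.rrtype == "NS" and r.rdata.rstrip(".") not in expected_ns[zone]:
            findings.append(("unexpected_ns", r.rrname, r.rdata, r.first_seen))
        if r.rrtype == "A":
            addr = ip_address(r.rdata)
            if not any(addr in net for net in expected_nets[zone]):
                findings.append(("unexpected_a", r.rrname, r.rdata, r.first_seen))
        if r.ttl <= MIN_SANE_TTL:
            findings.append(("short_ttl", r.rrname, str(r.ttl), r.first_seen))
    return findings


# Constructed feed: day one is normal; day two shows the hijack pattern
# (delegation moved to the intersecdns.com name servers from the post,
# mail host answered with an address outside 203.0.113.0/24, TTL of 1).
SAMPLE_FEED = [
    PdnsRecord("example.org", "NS", "ns1.example-dns.net.", 86400, "2019-03-01"),
    PdnsRecord("example.org", "NS", "ns2.example-dns.net.", 86400, "2019-03-01"),
    PdnsRecord("mail.example.org", "A", "203.0.113.25", 3600, "2019-03-01"),
    PdnsRecord("example.org", "NS", "ns1.intersecdns.com.", 3600, "2019-03-02"),
    PdnsRecord("example.org", "NS", "ns2.intersecdns.com.", 3600, "2019-03-02"),
    PdnsRecord("mail.example.org", "A", "198.51.100.7", 1, "2019-03-02"),
]

if __name__ == "__main__":
    for finding in find_hijack_indicators(SAMPLE_FEED):
        print(*finding)
```

Run against the constructed feed, the check reports two unexpected NS records, one A record outside the expected range and one one-second TTL, all dated to the second day. The TTL threshold is a judgement call: some CDNs legitimately use low TTLs, so in practice the short-TTL indicator is most useful when combined with a delegation or address change on the same name.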


Credential harvesting: Man-in-the-middle servers

Once the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server.

The actor then built MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would be passed on to the legitimate service. To evade detection, the actors performed "certificate impersonation," a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected "SSL padlock" in the URL bar.

When the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts.

In addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses is in the Indicators of Compromise (IOC) section below.

Credential harvesting with compromised SSL certificates

Once the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate.

One notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials.

As an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of "ASA Temporary Self Signed Certificate" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization.
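Both the certificate impersonation technique (a CA-signed certificate for the organization's name obtained from a different CA) and the stolen or self-signed ASA certificate pattern described in the two passages above leave a trace that a defender can check for: the organization's name appearing with an unexpected issuer, with a self-signed certificate, or served from an address the organization does not own. The Python below is an added example, not Talos code or a feature of any Cisco product. It assumes the defender keeps a baseline of which CA issues each of their hosts' certificates and which addresses those hosts are served from, and has a feed of newly observed certificates (for example from Certificate Transparency logs or passive TLS scanning). The example.org host names, the DigiCert baseline, the 203.0.113.x and 198.51.100.x addresses and the observations are constructed; the "ASA Temporary Self Signed Certificate" subject name is the one quoted in the post.

```python
"""Review observed TLS certificates for an organisation's names against an
issuer and hosting baseline.

Added example, not Talos code. Baseline and observations are constructed;
a real deployment would build the baseline from the organisation's own
certificate inventory and feed observations from CT logs or TLS scans.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    host: str         # name the certificate was presented for
    subject_cn: str   # certificate subject common name
    issuer_org: str   # issuer organisation (empty for self-signed)
    self_signed: bool
    seen_on_ip: str   # address that served the certificate
    seen_date: str    # ISO date, constructed


# Expected issuer per host (constructed).
BASELINE_ISSUER = {
    "vpn.example.org": "DigiCert Inc",
    "webmail.example.org": "DigiCert Inc",
}
# Addresses the organisation actually serves these hosts from (constructed).
EXPECTED_IPS = {
    "vpn.example.org": {"203.0.113.10"},
    "webmail.example.org": {"203.0.113.25"},
}


def review_certificates(observations, baseline=BASELINE_ISSUER, expected_ips=EXPECTED_IPS):
    """Return (category, host, detail) tuples for observations worth a look.

    issuer_changed: same name, different CA (certificate impersonation)
    self_signed:    a self-signed cert on a name that normally carries a CA cert
    unexpected_ip:  the name (possibly with its legitimate, stolen cert) served
                    from an address outside the organisation's hosting
    """
    findings = []
    for o in observations:
        if o.host not in baseline:
            continue  # not one of our names
        if o.self_signed:
            findings.append(("self_signed", o.host, f"{o.subject_cn} on {o.seen_on_ip}"))
        elif o.issuer_org != baseline[o.host]:
            findings.append(("issuer_changed", o.host, f"{baseline[o.host]} -> {o.issuer_org}"))
        if o.seen_on_ip not in expected_ips[o.host]:
            findings.append(("unexpected_ip", o.host, o.seen_on_ip))
    return findings


# Constructed observations, in order: a normal sighting; certificate
# impersonation (same name, Let's Encrypt issuer, foreign address); an ASA
# self-signed certificate on a foreign address; the organisation's own
# DigiCert certificate served from a foreign address (stolen certificate).
SAMPLE_OBSERVATIONS = [
    CertObservation("webmail.example.org", "webmail.example.org", "DigiCert Inc", False, "203.0.113.25", "2019-02-10"),
    CertObservation("webmail.example.org", "webmail.example.org", "Let's Encrypt", False, "198.51.100.7", "2019-03-02"),
    CertObservation("vpn.example.org", "ASA Temporary Self Signed Certificate", "", True, "198.51.100.9", "2019-03-05"),
    CertObservation("vpn.example.org", "vpn.example.org", "DigiCert Inc", False, "198.51.100.9", "2019-03-06"),
]

if __name__ == "__main__":
    for finding in review_certificates(SAMPLE_OBSERVATIONS):
        print(*finding)
```

The last constructed observation is the important one for the stolen-certificate case: the issuer matches the baseline, so an issuer-only check would pass it, and only the hosting-address check catches it. That is why the two checks are applied independently rather than as an if/else chain.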

In another case, the attackers were able to compromise NetNod, one of the registries, which acknowledged the compromise in a public statement. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains under the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack.

In one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's public webpage, the company states that one of their consultants actively manages the i[.]root-server[.]net zone. NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor.

Primary and secondary victims



We identified 40 different organizations that have been targeted during this campaign. The victim organizations appear to be broadly grouped into two different categories. The first group of victims, which we refer to as primary victims, were almost entirely located in the Middle East and North Africa. Some examples of organizations that were compromised include:
  • Ministries of foreign affairs
  • Military organizations
  • Intelligence agencies
  • Prominent energy organizations
The second cluster of victim organizations were likely compromised to help enable access to these primary targets. These organizations were located around the world; however, they were mostly concentrated in the Middle East and North Africa. Some examples of organizations that were compromised include:
  • Telecommunications organizations
  • Internet service providers
  • Information technology firms
  • Registrars
  • One registry

Notably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on IANA for the ccTLD .am. Obtaining access to these ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs.

How is this tradecraft different?

The threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This cyber threat campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations.

In order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign:
  • These actors perform DNS hijacking through the use of actor-controlled name servers.
  • These actors have been more aggressive in their pursuit, targeting DNS registries and a number of registrars, including those that manage ccTLDs.
  • These actors use Let's Encrypt, Comodo, Sectigo, and self-signed certificates on their MitM servers to gain the initial round of credentials.
  • Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.

Why was it so successful?

We believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because security was added to the domain name system as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains.

The threat actors also used an interesting technique called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network.

The threat actors were able to maintain long-term persistent access to many of these networks by utilizing compromised credentials.

We will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed.

Mitigation strategy

In order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS records. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as Duo, to access your organization's DNS records. If you suspect you were targeted by this type of intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS records for their domains to check for abnormalities.
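The registry lock recommendation above can be verified from the outside: registry-level locks show up as the serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited status codes (the EPP domain status values defined in RFC 5731), and registrar-level locks as their client* counterparts, all of which appear on the "Domain Status:" lines of WHOIS output. The Python below is an added example, not Talos code or part of any Cisco product; it parses those lines and reports which locks are in place. The two WHOIS responses and the EXAMPLE-*.ORG domain names are constructed, and the mapping of "registry lock service" to the three server* codes is an assumption about how such services are typically implemented rather than something the post states.

```python
"""Check WHOIS status codes for registry lock and registrar lock protection.

Added example, not Talos code. The WHOIS texts below are constructed; a real
check would feed in the output of a WHOIS or RDAP lookup for each of the
organisation's domains and alert when a registry lock is missing.
"""
import re

# EPP domain status codes (RFC 5731). server* codes are set by the registry,
# which is what registry lock services typically apply (assumption, see
# lead-in); client* codes are set by the registrar.
REGISTRY_LOCK_CODES = {
    "serverUpdateProhibited",
    "serverDeleteProhibited",
    "serverTransferProhibited",
}
REGISTRAR_LOCK_CODES = {
    "clientUpdateProhibited",
    "clientDeleteProhibited",
    "clientTransferProhibited",
}

# Matches lines such as "Domain Status: serverUpdateProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE)


def parse_status_codes(whois_text):
    """Return the set of EPP status codes found in a WHOIS response."""
    return set(STATUS_RE.findall(whois_text))


def assess_locks(whois_text):
    """Report whether full registry and registrar locks are present and,
    if not, which status codes are missing."""
    codes = parse_status_codes(whois_text)
    return {
        "registry_lock": REGISTRY_LOCK_CODES <= codes,
        "registrar_lock": REGISTRAR_LOCK_CODES <= codes,
        "missing_registry_codes": sorted(REGISTRY_LOCK_CODES - codes),
        "missing_registrar_codes": sorted(REGISTRAR_LOCK_CODES - codes),
    }


# Constructed WHOIS output for a domain with no locks at all...
UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-UNLOCKED.ORG
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# ...and for a domain with both registrar lock and registry lock applied.
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.ORG
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

if __name__ == "__main__":
    for label, text in (("unlocked", UNLOCKED_WHOIS), ("locked", LOCKED_WHOIS)):
        print(label, assess_locks(text))
```

A domain that only carries the client* codes is protected against accidental or unauthorised changes made through the registrar's interface, but not against changes made with registry access of the kind the post describes; only the server* codes cover that case, which is why the two are reported separately.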

Coverage

CVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin
SID: 2281

CVE-2014-6271: RCE affecting GNU bash system, specifically the SMTP (this was part of the Shellshock CVEs)
SID: 31975 - 31978, 31985, 32038, 32039, 32041 - 32043, 32069, 32335, 32336

CVE-2017-3881: RCE for Cisco switches
SID: 41909 - 41910

CVE-2017-6736: Remote Code Exploit (RCE) for Cisco Integrated Services Router 2811
SID: 43424 - 43432

CVE-2017-12617: RCE affecting Apache web servers running Tomcat
SID: 44531

CVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls
SID: 46897

CVE-2018-7600: RCE for Website built with Drupal aka "Drupalgeddon"
SID: 46316

Indicators of Compromise

The threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor.

IP address         Month                Year        Country of targets
199.247.3.191      November             2018        Albania, Iraq
37.139.11.155      November             2018        Albania, UAE
185.15.247.140     January              2018        Albania
206.221.184.133    November             2018        Egypt
188.166.119.57     November             2018        Egypt
185.42.137.89      November             2018        Albania
82.196.8.43        October              2018        Iraq
159.89.101.204     December - January   2018-2019   Turkey, Sweden, Syria, Armenia, US
146.185.145.202    March                2018        Armenia
178.62.218.244     December - January   2018-2019   UAE, Cyprus
139.162.144.139    December             2018        Jordan
142.54.179.69      January - February   2017        Jordan
193.37.213.61      December             2018        Cyprus
108.61.123.149     February             2019        Cyprus
172.21.1.8         March                2019        Cyprus
212.32.235.160     September            2018        Iraq
198.211.120.186    September            2018        Iraq
146.185.143.158    September            2018        Iraq
146.185.133.141    October              2018        Libya
185.203.116.116    May                  2018        UAE
95.179.150.92      November             2018        UAE
174.138.0.113      September            2018        UAE
128.199.50.175     September            2018        UAE
139.59.134.216     July - December      2018        United States, Lebanon
45.77.137.65       March - April        2019        Syria, Sweden
142.54.164.189     March - April        2019        Syria
199.247.17.221     March                2019        Sweden


The following list contains the threat actor name server domains and their IP address.

Domain                     Active Timeframe     IP address
ns1[.]intersecdns[.]com    March - April 2019   95.179.150.101
ns2[.]intersecdns[.]com    March - April 2019   95.179.150.101
ns1[.]lcjcomputing[.]com   January 2019         95.179.150.101
ns2[.]lcjcomputing[.]com   January 2019         95.179.150.101