Friday, May 26, 2017

Threat Round-up for May 19 - May 26

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:

  • Pdf.Tool.HeapSprayHeuristic-6316003-1
    JS Heap Spray
    PDFs leverage embedded JavaScript to exploit vulnerabilities or at the very least gain access to additional functionality provided by JavaScript. Typical exploitation techniques require a heap spray where JavaScript is used to copy the same data many times throughout the process' memory.
     
  • Win.Dropper.Terdot-6320310-0
    Dropper
    This dropper is served by Terror exploit kit, which will inject process like Explorer, to perform download for additionals binaries, and continue infection. The Dropper similar has been seen to deploy Zeus variants
     
  • Win.Trojan.Vbkrypt-10134
    Trojan
    VbKrypt is a VisualBasic based trojan. It can be leveraged to perform any nefarious action on the infected system such as installing additional malware, logging keystrokes, stealing files, or remotely controlling the system.
     
  • Win.Trojan.EternalRocks1
    Worm
    Eternalrock uses seven NSA exploits to infect victims and the CnC communication is based on Tor. The exploits are downloaded after 24h and then the samples start scanning the internet for vulnerable SMB services. The first stage downloads some necessary components and then drops another samples that has the described behavior.
     
  • Win.Trojan.Adylkuzz-6317076-0
    Miner
    Adylkuzz is a cryptocurrency miner used to mine the Monero cryptocurrency. It has seen a recent increase in installations from attackers using EternalBlue and DoublePulsar. See http://blog.talosintelligence.com/2017/05/adylkuzz-uiwix-eternalrocks.html for more information.
     
  • Win.Ransomware.WannaCry
    Ransomware Worm
    The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet. http://blog.talosintelligence.com/2017/05/wannacry.html
     
  • Win.Ransomware.Jaff
    Ransomware
    Jaff is ransomware that is primarily spread via large scale email campaigns. See the Talos Blog https://blog.talosintelligence.com/2017/05/jaff-ransomware.html for more information about this threat.
     

Threats

Pdf.Tool.HeapSprayHeuristic-6316003-1

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 52[.]173[.]193[.]166
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 526fef47936e460808fff7c605ee12e2cebe50234e7731680b545fb0863a6245
  • 1b955f1bdc1eb61524cbd6caff84d1690551a5f7cb07b67e65cec78406c562c6
  • 303aa9197752835d7f677a9961973371f8277f095768ad13df4b29f00a3206ff
  • 594e36206836ac8a910adc18b412ed1c6c0bf5b46b90675b25bbbd6a7d9d238b
  • 6a09e69f91c613b8b5b71cafd6ccb8fb2145892e3db2015228e0a27d18850a3c
  • 8981e4350f4029e50f683b03938d55feae334e6873ccedff84e9b722bf99cc5d
  • a0dba623d4dc2b4fa03c0893ad08030a21401581a43ac0ebb6170a3ebc7b1eef
  • a80528b75ba4f54800a2008c83adc147fcdfe3dc097cb92a4925df18c01b0e0f
  • b1c3f1633acc80169cfe12ed884eed0d5d8912a28e05c43a9290113df4684bfd
  • f2ade3ddc5aa8cf52e01c0eba084a16eecb217b421c87e739223aff0cf8237cc
  • 0567f4f2b9038c3a14eb5224140f22d7f07f99ca47b1d78d661343ef5cd50f5a
  • 13220c18bd003aabd0260bbd40577aa3df827074ee72940e1dc76c746037e3a6
  • 20ebeb7a52b841a483a1a1cb4337b529c7ad873b400009e52876c07291c46126
  • 2341bb05ff14d4bae8b1c14fa9c709d5cec15ca3e0af6dbddf58d2d9d2ff4518
  • 3385717cf4ceecad964116000d5394c52c3aa215fe483046c764c69490b75337
  • 39a9434665b02c1598e94b8aa73b67ccd6d848ec34cfd0c49bc56d9c02032e8b
  • 4ffd0c052cdba787983d6e05260fd1cac66f3550cbabf55b297cd099d1ede8be
  • 60d47e644f644aa6f2842a118ee32cf2f16eb9f6726cf6b9d2ffdb5812be3cf1
  • 6a72fe8202c34d505ca13ca34c48fc3398569cf5944b456711c115cdb9e38213
  • 7a5c157a670543cba8bdda942636e43ad9a95c8265091b1e1e3f20a9c0407031
  • 7ffc81ebfc069c013205e045d5f984f6017c7503dfaaed9728c315de68dceebe
  • a4ee1555b4586e3f28281ef0f2a367bca417de496d3224e473d6cf874a6abc22
  • ab01b3d5b25265b38eb8dfdfdc6a7e67eebee5c6cbde9afcf66442a82c01bf06
  • bb5cb32aff4fbaa252a4d2bc581e4777d4c106804a7e1f4092799be863baaa52
  • cf14adcac22fc30533057eccd40a82ff41eff433263b43c94515c94c5106460a

Coverage


Screenshots of Detection

AMP


ThreatGrid




Win.Dropper.Terdot-6320310-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • emptysand[.]ru
  • dogpaste[.]ru
Files and or directories created
  • N/A
File Hashes
  • 9ae356843ccbda7747e45b292fcf0c3eebbcc4a93101752a0007c9abaa79037a
  • b9c8630f52d70a8e813e8c46911a1b010fae44ffa786f6a935cb7ffcd7077dda
  • 5aaccf14351ea3bf2b60e9a67ae04eeaca5904fb6802f6d1c05ad27b985fd32d

Coverage


Screenshots of Detection

AMP
 


ThreatGrid


Umbrella




Win.Trojan.Vbkrypt-10134

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
    • Value: C:\Documents and Settings\Administrator\Application Data\Directory\Windowsdef.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: WindowsDef
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
    • Value: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Gwogr.bat
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE
    • Value: C:\Documents and Settings\Administrator\Application Data\Directory\Windowsdef.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
    • Value: C:\Documents and Settings\Administrator\Application Data\bot.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: UNCAsIntranet
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
    • Value: DoNotAllowExceptions
Mutexes
  • Local\ZonesCounterMutex
  • 1BZ5FV6FEI
  • Local\ZonesLockedCacheCounterMutex
  • Local\ZonesCacheCounterMutex
  • Local\ZoneAttributeCacheCounterMutex
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %AppData%\Directory\Windowsdef.exe
  • %AppData%\bot.exe
File Hashes
  • 12cb31c388e382c74397a579992e1f2652464d45630b8c7ae01e6fab03402e10
  • 082898025d2f21461b3d818d2452b900f3401881fc5d719d40855e461bd03b84
  • 724ddead0de7d84c07d4de7d871303530ef2b426ab454150d5fd907a0bb2f339
  • e437019d08da1936c43214ca6370ebe74b3ddb60a3d80cfa4a26cd3ba606b2f1
  • 3350127c80a88cc69cf7b88993c96ff0497b0b9492eea637cfb9fa13fec04951
  • 6de059771fa64f404f04a43f89512d5f29f0860fd413ebf98371c77664558c99

Coverage


Screenshots of Detection

AMP


ThreatGrid







Win.Trojan.EternalRocks1

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\Certificates
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\Certificates
  • <HKLM>\SOFTWARE\Wow6432Node
Mutexes
  • Global\20b70e57-1c2e-4de9-99e5-69f369006912
  • \BaseNamedObjects\Global\20b70e57-1c2e-4de9-99e5-69f369006912
  • {8F6F0AC4-B9A1-45fd-A8CF-72FDEFF}
IP Addresses
  • 82[.]195[.]75[.]101
  • 176[.]9[.]43[.]26
  • 193[.]23[.]244[.]244
  • 52[.]173[.]193[.]166
  • 134[.]19[.]177[.]109
  • 72[.]21[.]81[.]200
  • 192[.]168[.]1[.]245
  • 208[.]83[.]223[.]34
  • 195[.]154[.]12[.]146
  • 192[.]168[.]1[.]1
  • 131[.]188[.]40[.]189
  • 192[.]168[.]1[.]255
Domain Names
  • cs9[.]wpc[.]v0cdn[.]net
  • archive[.]torproject[.]org
  • api[.]nuget[.]org
  • listera[.]torproject[.]org
Files and or directories created
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\Tor\cached-microdescs.new
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\SharpZLib.zip
  • %SystemDrive%\Program Files\Microsoft Updates\temp\tor.zip
  • %SystemDrive%\Program Files\Microsoft Updates\Tor\torrc
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %WinDir%\Tasks\Microsoft Tor Host.job
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\JetBrains.Annotations.dll
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\JetBrains.Annotations.dll
  • \Program Files\Microsoft Updates\temp\Tor\Data\Tor\geoip6
  • \Program Files\Microsoft Updates\Tor\lock
  • %SystemDrive%\Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %WinDir%\inf\setupapi.app.log
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\_rels\.rels
  • %SystemDrive%\Program Files\Microsoft Updates\taskhost.exe
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RBR0L40R\taskscheduler.2.5.23[1].nupkg
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • \Program Files\Microsoft Updates\taskhost.exe
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\JetBrains.Annotations.dll
  • %System32%\Tasks\Microsoft\Windows\Tcpip\TorHost
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\JetBrains.Annotations.xml
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\JetBrains.Annotations.xml
  • \Program Files\Microsoft Updates\svchost.exe
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\SharpZLib\[Content_Types].xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\it\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\Tor\state
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\temp\tor.zip
  • %SystemDrive%\Program Files\Microsoft Updates\SharpZLib\package\services\metadata\core-properties\e83d3d4df9744968925840934872efc3.psmdcp
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PR82RPGC\sharpziplib.0.86.0[1].nupkg
  • \Program Files\Microsoft Updates\temp\Tor\Data\Tor\geoip
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\JetBrains.Annotations.xml
  • \Program Files\Microsoft Updates\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for SharpZLib.zip\SharpZipLib.nuspec
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\SharpZLib\SharpZipLib.nuspec
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\JetBrains.Annotations.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\JetBrains.Annotations.xml
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\JetBrains.Annotations.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\JetBrains.Annotations.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\package\services\metadata\core-properties\b413d53c92364baa9958fdda02cd8e9a.psmdcp
  • \Program Files\Microsoft Updates\Tor\hidden_service\private_key
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\JetBrains.Annotations.xml
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PA6YO4MJ\taskscheduler.2.5.23[1].nupkg
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • \Program Files\Microsoft Updates\Tor\torrc
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\JetBrains.Annotations.dll
  • \Program Files\Microsoft Updates\Tor\cached-microdesc-consensus
  • %System32%\wdi\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}\{125d5171-5282-4ec7-bad7-3e6ee4a208bf}\snapshot.etl
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\svchost.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\JetBrains.Annotations.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\JetBrains.Annotations.xml
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\SharpZLib\package\services\metadata\core-properties\e83d3d4df9744968925840934872efc3.psmdcp
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\Program Files\Microsoft Updates\temp\Tor\Data\Tor\geoip
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler.zip
  • \Program Files\Microsoft Updates\TaskScheduler\TaskScheduler.nuspec
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\JetBrains.Annotations.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\JetBrains.Annotations.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\JetBrains.Annotations.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\Microsoft.Win32.TaskScheduler.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\TaskScheduler.nuspec
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\[Content_Types].xml
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\Microsoft.Win32.TaskScheduler.XML
  • \Program Files\Microsoft Updates\Tor\cached-certs
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\JetBrains.Annotations.dll
  • \Program Files\Microsoft Updates\Tor\hidden_service\hostname
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net452\JetBrains.Annotations.xml
  • \Users\Administrator\ntuser.dat.LOG1
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\temp\Tor\Data\Tor\geoip6
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\Microsoft.Win32.TaskScheduler.XML
  • %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.0.regtrans-ms
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\it\Microsoft.Win32.TaskScheduler.resources.dll
  • \srvsvc
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\JetBrains.Annotations.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\JetBrains.Annotations.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\SharpZLib\SharpZipLib.nuspec
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\7PC6MCEK\sharpziplib.0.86.0[1].nupkg
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net35\de\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\TaskScheduler.zip
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\JetBrains.Annotations.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for SharpZLib.zip\_rels\.rels
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net35\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\TaskScheduler\[Content_Types].xml
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\JetBrains.Annotations.xml
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net40\de\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\SharpZLib.zip
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\JetBrains.Annotations.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\Microsoft.Win32.TaskScheduler.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\lib\net452\es\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net452\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • \TEMP\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\fr\Microsoft.Win32.TaskScheduler.resources.dll
  • \Program Files\Microsoft Updates\TaskScheduler\lib\net20\es\Microsoft.Win32.TaskScheduler.resources.dll
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net40\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\Program Files\Microsoft Updates\TaskScheduler\lib\net20\Microsoft.Win32.TaskScheduler.XML
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for TaskScheduler.zip\TaskScheduler.nuspec
File Hashes
  • 64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15
  • 94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97
  • ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa

Coverage



Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot




Win.Trojan.Adylkuzz-6317076-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • RasPbFile
  • Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7
IP Addresses
  • 4[.]14[.]36[.]139
  • 212[.]83[.]129[.]195
  • 52[.]173[.]193[.]166
  • 212[.]129[.]46[.]87
  • 45[.]77[.]28[.]163
  • 112[.]139[.]223[.]108
  • 212[.]129[.]46[.]191
  • 212[.]129[.]44[.]155
  • 212[.]129[.]44[.]157
  • 212[.]129[.]44[.]156
  • 45[.]76[.]51[.]128
Domain Names
  • icanhazip[.]com
  • aa1[.]super5566[.]com
  • xmr[.]crypto-pool[.]fr
  • 08[.]super5566[.]com
Files and or directories created
  • %WinDir%\Fonts\wuauser.exe
  • %WinDir%\Fonts\id.txt
  • %WinDir%\Temp\s1vs._Miner_.log
  • %WinDir%\Fonts\msiexev.exe
  • %WinDir%\Temp\s1vs.1_.exe
  • %WinDir%\Fonts\history.txt
File Hashes
  • 8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233
  • 6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3
  • d73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce04988
  • 51d435cf247b602c104b8d1fb275918c1fa7395a138b26a8aef77b40bf3f09ba
  • c2d982b902af50dd01f299d2220314000ea319b836af33f8006a813b9b2cfb17
  • da22bc77a46f2235f6e399a4bb175488bf7d71912f03ff72a34a7515ef13e11b

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot






Win.Ransomware.WannaCry

Indicators of Compromise

Registry Keys
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: Wallpaper
  • <HKCU>\Software\WanaCrypt0r
  • <HKLM>\Software\Wow6432Node\WanaCrypt0r
Mutexes
  • MsWinZonesCacheCounterMutexA
IP Addresses
  • N/A
Domain Names
  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[[.]]com
Files and or directories created
  • %SystemDrive%\b.wnry
  • %SystemDrive%\c.wnry
  • %SystemDrive%\r.wnry
  • %SystemDrive%\s.wnry
  • %SystemDrive%\taskdl.exe
  • %SystemDrive%\taskse.exe
  • %SystemDrive%\t.wnry
  • %SystemDrive%\u.wnry
File Hashes
  • b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
  • 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
  • 055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622
  • e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
  • 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

Coverage

Screenshots of Detection

AMP

ThreatGrid


Screenshot






Win.Ransomware.Jaff

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 84[.]242[.]240[.]62
Domain Names
  • panaceya-n[.]ru
Files and or directories created
  • \TEMP\ratchet20.exe
File Hashes
  • 03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47
  • d8bb054fa738d7ba1b88f65e2b7dcf40a234bec8ec318e472380b603ed9ba0dc
  • b9434c5fd5eefb8fb182024ecd3da4888222cae8a230fc0a778a7b712746f9f3
  • 64580b7bb2eedf6e2d2f5e773b34a62f5065c4cb167cd4ed0791050f425c546e
  • 8dbaab384ecd5386d960d1dddd7fd50ab3a30389dd5b8e516c5d873d77a1bbf9
  • aca726cb504599206e66823ff2863eb80c6a5f16ff71ca9fcdd907ad39b2d852
  • 341267f4794a49e566c9697c77e974a99e41445cf41d8387040049ee1b8b2f3b
  • e081c4557f4153d2fc9102fabc55aa6acdf8e1e11062529c728f4506b0d981b9
  • 5f1fcdfb951dc4642ce136a5d3e6bc42021f8e0cd631975a5eb3842da020531c
  • 0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f
  • f61d07cd7d32a6cb9ead8e82f43ef84cf54a89ef571d9b2a9cb0ecaf5319f5db
  • 387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092
  • a0f72a7e67bfed40031c52a706b45de3787958729a308b5f15e754341022ed8e
  • 6b5759c6c3d7c7c21859023b4fcc443aa5343759a7a08c3870c5269e5c34a958
  • 94195aa110563ab1bd2542fb71806df5921c4c730036aa8faeaf537dcc01162c
  • 2bc87f1bbfdb23fe503ef89bcbf6908ffd7218433e0fbfa51282c0dc51dece01
  • d1537972d7ac8f5f7c675c14027336715cb0bf91fe440d792e990d0efbd52710

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot

No comments:

Post a Comment