Friday, June 23, 2017

Threat Round-up for June 16 - June 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.

This week's most prevalent threats are:
  • Doc.Macro.StrObfuscation-6329879-0
    VB Macro
    Microsoft Office macros can be obfuscated in various ways. A recent resurgence of malicious Word documents include the use of a string obfuscation to mask the intended functionality
     
  • Win.Dropper.skypee-6329923-0
    Dropper
    This malware is a trojan dropper that is used to steal banking information and user credentials. It leverages Visual Basic code to install itself and establish persistence. Characteristics this malware exhibits include connecting to different domains to POST data using URI patterns like /http/image.php or /admin/image.php.
     
  • Win.Worm.Untukmu-5949608-0
    Worm
    Untukmu, also known as Brontok, is a worm spread through email or infected USB drives. It stores several copies of itself on different places on the hard disk, including system directories. It gains persistence by modifying registry keys and creating an entry in the Startup directory. IT also modifies several system configuration parameters to disable the registry editor and the shell, as well as modify the safeboot shell to prevent the user from cleaning the machine.
     
  • Win.Trojan.Shifu-6330434-1
    Trojan
    This well-known malware family contains counter measures to protect itself from analysis. It gathers details about its victims by stealing user's login credentials for online banking business.
     
  • Win.Trojan.Blackshades-6327385-1
    Trojan
    Blackshades is a prevalent trojan with many capabilities including logging keystrokes, recording video from webcams, and downloading and executing additional malware.
     
  • Win.Ransomware.BTCWare-6329927-0
    Ransomware
    BTCWare is active Windows ransomware that was first discovered a few months ago. Since then, it has undergone various changes, including changes to the encrypted file extension & the cipher used to encrypt such files. Earlier variants relied on weaker cryptography options that included RC4, allowing brute force recovery of the private key in some cases. There was also a noted variant that had its private RSA key leaked online. This recent variant relies on AES-256 with improvements to the handling of the private key generation.
     
  • Doc.Dropper.Agent-6330744-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that leverages Powershell to download a malicious payload executable. The host that these samples attempt to download the next stage from currently does not resolve.
     
  • Win.Trojan.Yakes-6330794-0
    Trojan
    Yakes is a trojan which installs itself on a machine via a .vbs script in the Startup folder, and then allows its packager to connect to the infected machine. IPs and domain names of the CnC server as well as mutex names vary depending on the packager.
     
  • Win.Ransomware.Locky-6330799-0
    Ransomware
    Throughout the majority of 2016, Locky was the dominant ransomware in the threat landscape. It was an early pioneer when it came to using scripting formats Windows hosts would natively handle, like .js, .wsf, and .hta. These scripting formats acted as a vehicle to deliver the payload via email campaigns. Recent in-depth look: http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
     
  • Win.Trojan.DownloaderJava-6330457-0
    Downloader
    This sample is a .NET downloader. It downloads additional Java files from an hardcoded URL and they are executed. This binary is actively sent as attachment in an ongoing spam campaign.
     

Threats

Doc.Macro.StrObfuscation-6329879-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • 185[.]165[.]29[.]36
  • 52[.]173[.]193[.]166
Domain Names
  • N/A
Files and or directories created
  • %TEMP%\<random_string>.txt
  • %TEMP%\<random_string>.txt
  • %TEMP%\<random_string>.js
  • %TEMP%\<random_string>.txt
  • %TEMP%\<random_string>.txt
File Hashes
  • b64e77a8b76986e6929e48507b5f8fed9c0eb339f058fa5a31d38920e25c3a8c
  • 9bcbbba6636b99da1ab567813af8226fb22ab47509326c6501d22e40efa1464c
  • 79a89d266bcf1b8c829b823203fce8e69159246469c14ac355f615c2dd783e01
  • b96f975a2c7cfb03e53e35f365e3f16e51c2370b15970693c7dd2201f08ddb1c
  • 3e4c9f8828897c19e264a2a066d9c181edf08885b6fafdec833aa683259aced9
  • 79a89d266bcf1b8c829b823203fce8e69159246469c14ac355f615c2dd783e01
  • 48487be062791d86b66d10cbdd54ce1b1dfbfe99a86bfd8c3b2ba6be7df28f6e
  • 3e4c9f8828897c19e264a2a066d9c181edf08885b6fafdec833aa683259aced9
  • b64e77a8b76986e6929e48507b5f8fed9c0eb339f058fa5a31d38920e25c3a8c
  • e0e134db8de265d9ecd2f174cd143da54a4a922d64abfff704488ded3c7b3bdf
  • 9bcbbba6636b99da1ab567813af8226fb22ab47509326c6501d22e40efa1464c
  • 02840c7ca57b46ba7d6b40f93e0054dd180a290b30c2a8397fcd646ef30cfdf6
  • 6f39761c2c1fcd6975505a47828f9dec483c8ec730ba68eb05e09ef60a91c879
  • b96f975a2c7cfb03e53e35f365e3f16e51c2370b15970693c7dd2201f08ddb1c

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot




Win.Dropper.skypee-6329923-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: skypee
Mutexes
  • 1505527138
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 35b8bf77573eef9acef8b19521e43ce3d440a5e02ccf6deda05ae58eeac3cfe8
  • 09aa51458f73755e4e58a7d59853f07d685d7e7dc48971117b1e9392a1aa416f
  • 99e7ecbe795d7d6a03c4965b2ac7d79544a6772a97ccaca909f66bfe174fa023
  • 26ef58faf48e58dc0680c6b595436dbba01ea3c8fca809858fcfc47d66b56914
  • 0d983d4ee06e08b4e1df021c17792a8352c8ff4b2d3e6ee4f7fe53ce30122d66
  • 0b5800e19bdb4c43ab1469ce88af3d807eaa7620697a4b88368ab6beef098240
  • 3a5c13ed645ab7571c2a6ba27fd689e748e7d42de35bc076d18ad76070a13d14
  • a6f34f3a70ea64adccfbd983abfebe9dc46741064da0520582b09ce6d6a966ee
  • 5ac152e574c091986561d8055d0b0a97fab1267c6dfba69d169ac9c41a5bc390
  • f33a3141ee599c94ff60b40be0c0d18c66732640a809b4319a0140eb7827bafb
  • 7f7fe90b586671e59c6769e4202871fb10573983de7fbe7ca7ad3a97af7395af
  • dd8826ffbe107318163ed2716231ccf588453308bbcd3c798720e7586c059f99
  • 2b3d33238a64134c347db9a3f5b9f0fbecfe62199f081c3c44fb5f1b0948e7cc
  • e336b8976fb83889c3027ed084a02f9de97f90787304bfa87c58be8dd8035e20
  • 7f990624c65a28f0803e19c5a37d34567a921d17531899a384f2077c1c6f5dff
  • c62ef9ef0c92b95740f8a67c9879d3c2f951655cccc20c310140668265d8135f
  • bb5f19265e7b5094cdf55c401bae987cf895bf885cf485c3c627c1fe267e9bfd
  • f5d55f9539e753fe3a4e0de50bb3c6347ee9928c0f6db33e5f6b6e4af179da0f
  • 2948da52a96f06cfc4bfb7d4d079201aaa3ef89de1cc144462973107c4962435
  • 77ca8909ec71c9086e569cb2acbf4c766dd60f758a5ccc938402d3f176636ae3
  • c80fbdbba34721670043965c3b02832df7f8cb1c5b5c57b04dbb5ee6346d5994
  • 8c2579168922d065854582cc486a0bb43f8accb60ccc01ad1035894012ac2e83
  • de8f2233c54d10ae9b51325cefb5dfad644acc225d4ddacb5c77ed89b6b1a645
  • f5f11cc63feec411864cdc27f1d0d186b5173cf443876450e445d47d29b8ada6
  • 1ca9f0b54357839435e64dd26d74fb365622b54395f56bf25985db0e7470a355
  • 68ed0c9628c7764c5b3826309fe5db06a5380e7f1c8ebfb8f62c68d12d135b49

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Worm.Untukmu-5949608-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\OFFICE\12.0\OUTLOOK\RESILIENCY\STARTUPITEMS
    • Value: w+%
  • <HKCU>\SOFTWARE\MICROSOFT\OFFICE\12.0\OUTLOOK\RESILIENCY\STARTUPITEMS
    • Value: l:(
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: LogonAdministrator
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
    • Value: DisableMSI
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableSR
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: SCRNSAVE.EXE
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
    • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
    • Value: FullPathAddress
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
    • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
    • Value: ScreenSaveTimeOut
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
    • Value: DisableCMD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: xk
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
    • Value: DisableConfig
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
    • Value: Debugger
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
    • Value: Shell
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MENUORDER\START MENU
    • Value: Order
  • <HKCU>\Software\Microsoft\Office\12.0\Outlook\Resiliency\StartupItems
  • <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
  • <HKLM>\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • \Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  • \Documents and Settings\Administrator\Local Settings\Application Data\winlogon.exe
  • \Documents and Settings\Administrator\Local Settings\Application Data\smss.exe
  • \Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  • \Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SMSS.EXE
  • %System32%\shell.exe
  • \Documents and Settings\All Users\Start Menu\Programs\Startup\Empty.pif
  • \Documents and Settings\Administrator\Local Settings\Application Data\lsass.exe
  • \XK\Folder.htt
  • \Documents and Settings\Administrator\Local Settings\Application Data\csrss.exe
  • %WinDir%\xk.exe
  • \Data Administrator.exe
  • \Documents and Settings\Administrator\Local Settings\Application Data\services.exe
  • %System32%\IExplorer.exe
  • \Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\LSASS.EXE
  • %System32%\Mig2.scr
  • \Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  • \xk.exe
  • \XK\New Folder.exe
File Hashes
  • 26fbb2aa5a28de5e149e0178dacb964333c852bbca2a1416d860e5edc84cbe04
  • b5e7b1b06efe80a081a2cbdff0fab4539be0797b2351ab4e1b247303586d1340
  • 36890fa6756c252bc89abb88ec9da140cd87937eb5223af05e4e8ef36ec019c9
  • 34c9c0d2fbb403f7e8068ce49071da6dbeadc4ad995101388c9ad092e38f90de

Coverage


Screenshots of Detection

AMP


ThreatGrid




Win.Trojan.Shifu-6330434-1

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: IntelPowerAgent[0-9]
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • DGA Domains
  • adtejoyo1377[.]tk
Files and or directories created
  • %PROGRAMDATA%\[a-z0-9]{8}.exe
  • %APPDATA%\[a-z0-9]{8}.exe
File Hashes
  • 280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424
  • 5283c7d5db5b5629b5b58534bcf6cd7607f0d015d740ca91ee85ade420b7460f
  • 2271a2e9d72580e98331792d94fca75e5a0c1dfee958d79652adf9eaab3ee266
  • fc9a9633b8ab0b78a820c74bda57ab608316c81d6ed6b469e7487ce3712bf62b
  • 3ad0138c2d8842f3aef8b045e05e28e441b81ea8444dce0b6799f4ec65c70540
  • 23045a27de525a0d8c85390414ac4458a32bdbd6f9dc8f0e39b32dad3f89fa55
  • 55768ac9504b8e612b380fc0984277f0576dd8d129a5363e73d4d2a9baff5c7e
  • 06144d28c5d1db06fa8f78fdcb651145d6500483a9b1fe26c62a510dbe1763b7
  • bace9b3e3220c6e9f6281f4d4a1eabb9223e6093ccc9876c600a31671b790ed2
  • fbaab6ab727898b1ff27fdffec49bbe00976474b93741b1fca5eeb38f1f25099
  • 0c4a32e9eaeb38e1b30ad44f52c4f8ea3f2e3f522d9b2281ecd3701383b20cfa
  • 252db718eb383331a34cbe53c0b9889c80452e19bc06007e740eaa23e2ef2a8f
  • ca9c3f80a3faaaf001f3fdb37e1cf9abb14a1628be2a9f6ba4e0cc51ed708cb9
  • 27922f495e54bf51cb7329a75c533ca4a1ab8323f1f781dfd027571a37c7485f
  • f1dcb8e18a764d300267f2bc0873bf8ec15385cec7ab1d2871e43f238f86a6f1
  • a9639bd0930f2db17de0321f99ce70355f1dba17b4aa6f5444a4c2490738e255
  • c0522065fbce82a74d13361c88be210f62a8633c9a59203cea0ce6722619092b
  • f7e904b2eb8c5280d008cdf93e10fab87df6bb2423bdf1e8f7bb203f63c15ede
  • 280a3734efd7e54a32c8719c0efe0365df6b14e8ac54e301736c8ff9829da424
  • e2404f8fb7f080cb0b344c1f006cde4a00143641633bb454069773d616a9106e
  • b232dccdb27873c64616d2cefcf2dd81f7958ec8778e31da7f1688a68fda4249

Coverage


Screenshots of Detection

AMP


ThreatGrid

Umbrella




Win.Trojan.Blackshades-6327385-1

Indicators of Compromise

Registry Keys
  • HKU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mutexes
  • LVLWU6KG22
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • \Documents and Settings\Administrator\Local Settings\Temp\jd7018sy8tv.exe.jpg
  • %AppData%\D6GM5WGET8
  • %AppData%\JD7018SY8TV.exe.tmp
  • %AppData%\JD7018SY8TV.exe
File Hashes
  • 017a3ea76063f364f9d7a70ecde761e22005b74fce020e798e6151d3806dd251
  • 0620a1061f4c14acbaa3b5b70bab4894aae33bc9f30bc8623ea9f63ddc953088
  • 0743dd7863c03515d74a1832592c1409bdff0d30aac4f45ba73dc99ef3c1e5e3
  • 086be8b2789ccb88f60c71773de7c22cf1d97aa72d2b21a3cde9248cc7321606
  • 0a3e9d5ec49cc97f1c9fc2a59e53462d0d2fe6fa1f448e69e401e63769dafe0a
  • 0ba95e35fcde6b1b3f49d1267e3dea8f2a8b4acb5633bc3acb3aefe9bf3e7680
  • 0d58482c771ef85649f1375f6ab61c48c380c7694b3ad7552af1bdc1ec724890
  • 1014e1c1246a6c7cbb519ed711a2168955ee4b4222baae5be911f981088604db
  • 15a64cded5bcf3dc911bfeb3a5701a376dea51f9f8530dc0949ba6e6f4339cc4
  • 18039335deeaf295164f5e24c5afbcc50fa27f2eaf5733be2cf51bcf01f664c3

Coverage


Screenshots of Detection

AMP


ThreatGrid




Win.Ransomware.BTCWare-6329927-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • ONYONLOCK
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • %WinDir%\SoftwareDistribution\DataStore\DataStore.edb
  • %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk
  • %System32%\config\SysEvent.Evt
  • %System32%\config\WindowsPowerShell.evt
  • %UserProfile%\Desktop\!#_RESTORE_FILES_#!
File Hashes
  • 0951b80a41f06f8062c85c80be0276c6a1328edb2a501ed69ed25083303724d2
  • 0b5b4111df2b4b2f78ec053db14ea5c74965ec13f1902570b06697d71a77dcd7
  • 1cde4818229f719153565dd84b01d3927928e7a2b6a61684ee932520f55250a9
  • 3f9b9062ca3497614ac021146b229b07786774934f98a261547b24df5cc5b263
  • 6617035053954a5131d401061c58831e181ddfde221f402029d5ed4bd39561dd
  • 6b4363a419208d6fe093f5a95b55653560d236e1a302f98d22fdfc36488ebcb1
  • 72653d3a882901867143579131a6e9dff2f72a647afe21035c1deda0c4c943b0
  • 741950e9be430267efff601fca1a7c21b65b904658fa46f9e618ea50787faaac
  • 79afde5a759bcd71165b547f7a310fa06674c565a2e81af0304bc1a4527bfa1b
  • 7bd14a6ceacc14e67e84add894d432c6383676ea89265b36515014cd136851e3
  • 7c19bc3a4ad7cddcd78eee053b408779c25a56c9666e9cc9d76ea617aaa0934d
  • 7f86548bdcd97e3faa3e8df0bd6b6aac7c05ed9d445a2bb7973a4d6efd39bd6a
  • 880d25776e08769a75c43bf9a69f9f7cafcc46546690270fa36785195f327d97
  • 8bbaa450526bc2933d462ae24439148273434ff342e0a0774d5e37af4bb16864
  • 97b88ae6bee56ae6193c7908eaabac9be579861868cc575cc345c1d1bca1e302
  • cef0439b7b483900323614d6cf2eb341019d747aaa0feb81710ef836d330ca9c
  • d0ab335e86e665edbab58240ae6aa691fa4802ae831c0204e71f90a34ae66983
  • db5fefc3b8349efa907ed2812c869b10d8de109ff005fe8aac15eaa4c8efdcb8
  • eb843f4f80ae2e58b569f916239c6208601eece08efb334ae12b8658e3436987
  • ed3118f96c7e87ea768a40acc574b2ff3cae3a3cdf2419ccb30c750a876d5f30
  • f7850a2efe397098859d8c3d0ed0b4fa93f87148382e250f094d12f021bc8460
  • f9d27f4f3231cd80b19b30de4426aecada466e18ee785e82d5afa59e986b4d16

Coverage


Screenshots of Detection

AMP


ThreatGrid




Doc.Dropper.Agent-6330744-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • wi92[.]js2-order[.]pl
Files and or directories created
  • %AppData%.exe
File Hashes
  • 0033b70080a9ee615a371a5c18c373bc9a703a9b5dbcac39a2584a328a49bb87
  • 3a8abf2f7fade51114fde4251ff98b23093e07a7545be3568f3da7ba730bb995
  • 3a93346632f58a112708b761154a170be06de1b6a0583f58053cfb1fce09c780
  • 6465c7ce45a1430e55cf10e43732892a1f86fa90646adf5628dd6d72dd849e8f
  • 6ab9d03a0fc72b377712f262601db2f14561e6f285d9742e956416409bba3e64
  • 8daded1c8acd270c0371e6c24310dacb4d841c801b707594823f371ce601f29b
  • 9b23fd1d89331bddc13063391bea1c03fbaf813a584554cd43b1d6bb6574992a
  • d19a574a36079ca7885ae142c0f24578743eb98cca7f57df3c2258c8dbb874bc
  • d31705a64e38340872f6b9e8287e0297d4fd13cb8373295ce0d9ffdf6947e43f
  • e545a49f26d1482225dd25bf0b2790a1f6d5f96bda9afd90ec8cd38b7b20ec07
  • f048103ee6f0902b3025729301ce9bbbfee35272bc594be2a6cbd7da72f6f4c4

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


Screenshot




Win.Trojan.Yakes-6330794-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35bbded46273bc9f6fa3fc5557dba9af
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: 35bbded46273bc9f6fa3fc5557dba9af
  • <HKCU>\Software\35bbded46273bc9f6fa3fc5557dba9af
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • qazwsxedc
  • 35bbded46273bc9f6fa3fc5557dba9af
IP Addresses
  • 105[.]154[.]213[.]56
  • 52[.]173[.]193[.]166
Domain Names
  • pokas12[.]ddns[.]net
Files and or directories created
  • %TEMP%\IXP000.TMP\1.xyz
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\x.vbs
  • %TEMP%\server.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
File Hashes
  • be73fc08bed6bba6c25688c150da18e26314c5d670d741d52c457e01f0a1ad0e
  • f1055f9d223106263dd0d8879be304da2cbe83428c2277a8b42c96c762121a1b
  • a5024be1b974fc16ca190a26a01bef35e02aceaa4c8fe8a3938084e22d623ce2
  • eb319d0c53ec709a0482cf58a65b615fcba38a2b44b41e832b4804c6aba68280
  • 75d9b6086aa9bd51596733a163bd568cc648978ac68e7ebdd817654b4c7e6fed
  • d323180a15cf584a184aa63a0044ec7701cb9d75769386bec21992ffd585d9dc
  • eeb4c5448c1a4a8723f860c7ce30889c2c5d018abe17df43fae2f6d23a713568
  • 4657c3f05d44048fdfc41190e652413ba2508565aa9185fa1a0670a2536a95cc
  • c585135463d4fce5053f47c255747524585b98c1c3f8dc305beefa17d2fcfa9e
  • c99d37d2cfc2861254d1bb82cc6b41617e659e8f0430e63cd20f44778a3bfaac

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella




Win.Ransomware.Locky-6330799-0

Indicators of Compromise

Registry Keys
  • N/A
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • .*\loptr-5e5a.htm
  • <GUID>.loptr
File Hashes
  • 091141f6b67540ba8848f1b081ad40d5f6d8172c878d40046f82ab0234acf3db
  • 7f4777245025c96d936d14b3b4a718be35ced59558f090e1197adfca5d9573b2
  • 26074772fa68db08f463c66deeabe064bcd9d48032430bbbdf27ffdf8967e8c5
  • 85fa592bf685966d8da1cf72f2c6c092b40664de9c17d9cc4894f8f08e06f567
  • 49184047c840287909cf0e6a5e00273c6d60da1750655ad66e219426b3cf9cd8
  • e7b8d8e3c19b6b3cc4a6eafced463f08176330fe243d8a9fcd20aedc5af17806

Coverage


Screenshots of Detection

AMP


ThreatGrid


Screenshot





Win.Trojan.DownloaderJava-6330457-0

Indicators of Compromise

Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: miZPeWpyLHr
  • <HKCU>\Software\Microsoft\SystemCertificates\My
  • <HKLM>\Software\Wow6432Node\Microsoft\SystemCertificates\TrustedPublisher
  • <HKCU>\Software\Microsoft\Windows Script Host\Settings
  • <HKLM>\SOFTWARE\WOW6432NODE\Microsoft
  • <HKCU>\Software\Microsoft\SystemCertificates\TrustedPublisher
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\TrustedPublisher
  • <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Root
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLs
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\CA
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SystemCertificates
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
  • <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TrustedPeople
  • <HKCU>\Software\Microsoft\SystemCertificates\trust
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\DISALLOWED\CTLs
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLs
  • <HKCU>\Software\Microsoft\SystemCertificates\Disallowed
  • <HKLM>\Software\Wow6432Node\Microsoft\EnterpriseCertificates\Disallowed
  • <HKCU>\Software\Policies\Microsoft\SystemCertificates\CA
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\Certificates
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUST\CRLs
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TrustedPublisher
  • <A>\{C108F07B-312C-11E7-8D90-00501E3AE7B5}\DEFAULTOBJECTSTORE\LruList
  • <HKLM>\SYSTEM\CONTROLSET001\Control\DeviceClasses
  • <HKLM>\SYSTEM\CONTROLSET001\Control\CoDeviceInstallers
  • <HKLM>\SOFTWARE\MICROSOFT\ENTERPRISECERTIFICATES\Root
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\Certificates
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\Certificates
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\Certificates
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLs
  • <HKLM>\Software\Microsoft\SystemCertificates\TrustedPeople
  • <A>\{C108F07B-312C-11E7-8D90-00501E3AE7B5}\DEFAULTOBJECTSTORE\OBJECTTABLE\A93\Indexes
  • <HKLM>\SOFTWARE\WOW6432NODE\Policies
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT\PRINTERS\Fax\PrinterDriverData
  • <HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLs
Mutexes
  • N11463_-4521624950585898-1497978066453
  • Local\__DDrawExclMode__
  • Local\__DDrawCheckExclMode__
  • RasPbFile
IP Addresses
  • 149[.]210[.]145[.]237
Domain Names
  • nup[.]pw
Files and or directories created
  • %AppData%\.qjava\Java\lib\jfr.jar
  • %AppData%\.qjava\Java\lib\rt.jar
  • %AppData%\.qjava\Java\lib\jfr\default.jfc
  • %AppData%\1497978066454.jar
  • %AppData%\.qjava\Java\lib\javafx.properties
  • %AppData%\.q7z.exe
  • %TEMP%\_0.15066600419658372851713423405977803.class
  • %WinDir%\Temp\FXSTIFFDebugLogFile.txt
  • \Users\Administrator\UlBrZNAMJSJ\iMCImxZnYcm.KwyVDG
  • %TEMP%\tmpA3A6.8e4d0709-e282-42fd-a717-9d512ecd2cb0.7z
  • %TEMP%\_0.32579030377917368405753216876059627.class
  • \TEMP\c9bd2f466d2c1500af5414f03f7d5c908cafdd602c23a8136cf82054233f7791.exe
  • %TEMP%\Windows7851854962857713622.dll
  • \Users\Administrator\fUTkALeaTxM\ID.txt
  • %AppData%\Oracle\lib\fontconfig.properties.src
  • %AppData%\.qjava\Java\lib\ext\cldrdata.jar
  • %TEMP%\tmpA3A6.tmp
  • \Users\Administrator\UlBrZNAMJSJ\ID.txt
  • %AppData%\Oracle\lib\jfr\profile.jfc
  • %TEMP%\tmpA395.tmp
File Hashes
  • c9bd2f466d2c1500af5414f03f7d5c908cafdd602c23a8136cf82054233f7791
  • a49fb3f2f4a8e5d996b49d51eae11ec11dca3a1aa2db319ed004d898c4484bf2
  • b0f8ca0c55a07bc4a9a12ee6dade6843aa9ca875ebd082759b2a85727fe64f83
  • 26c487810b80460a69711463dc3ffaa8d0ca6cc21dbf2856660fc1ceed23af53
  • 555bdc43352d19ed64b7580206208462bfd3be9038bcb92c0898d2861f995c4b
  • 3977f37224326f7508ed5f086fc4161d2f8d2aacff62f7c05d29243a8f401fa8
  • a84eef3d331514764cb72146a376f61e3cf2189fa7d2f81d1a7e99b41fafaedf

Coverage


Screenshots of Detection

AMP


ThreatGrid


Umbrella


No comments:

Post a Comment