Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 28 and July 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.
The most prevalent threats highlighted in this roundup are:
Threat Name Type Description Win.Packed.Bladabindi-7008528-0
Packed
njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone.
Win.Trojan.Gamarue-7008527-0
Trojan
Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Worm.Vobfus-7008428-0
Worm
Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Packed.Zeroaccess-7008376-0
Packed
ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Malware.Upatre-7004553-0
Malware
Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.Gh0stRAT-7003946-0
Dropper
Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Malware.Ramnit-7003027-0
Malware
Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.TrickBot-7003081-0
Dropper
Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Malware.RevengeRAT-7004697-0
Malware
The RevengeRAT remote access tool allows the operator to perform a wide range of actions on the infected system, including eavesdropping on the user, exfiltrating data, and running additional malicious software.
Threat Breakdown Win.Packed.Bladabindi-7008528-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
14
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
14
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
14
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
14
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
14
<HKCU>\Software\c7434f9594f3950a2e05d45cc97e0b51
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c7434f9594f3950a2e05d45cc97e0b51
14
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c7434f9594f3950a2e05d45cc97e0b51
14
<HKCU>\SOFTWARE\C7434F9594F3950A2E05D45CC97E0B51
Value Name: [kl]
14
Mutexes Occurrences c7434f9594f3950a2e05d45cc97e0b51
14
Unknown
10
Global\ecc6d100-9d83-11e9-a007-00501e3ae7b5
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences starwydadi[.]ddns[.]net
14
Files and or directories created Occurrences %TEMP%\winup.exe
14
%TEMP%\dw.log
10
%TEMP%\89A2.dmp
1
File Hashes 02391e42f63b5367dd990e4327dc12dfaa24ea51e96a2ae52ba3de90c732d112
02c044948ea9f53a2ab5740af1688038ed5f0b863ce1de01caf8add16dd7f595
02c34b54efedc2927061af36e7726f1545b18842ab4df21e033e90d2d153dd45
03423dab0bddc03e0cffd0f9a5b9860fc58d4cf8a3b18b6f41afe66f6b193d97
044f80bf00154486576861f9305f13aeb3152893ccc1894e89237d5964cb3791
069615e1617ba0247fee741f107516e7bf67ba227d34d44b301bb1053f2b252b
077287b6cedd20cbf323939a3d14f080ddc1489dcf9d4989764cb09cd577b205
07dc6f0502e5689ec3cc8bc8e91323084bcb028fed68a1d407c1d25364e7ad07
07f3a667a62d0ec2cb36bafd67e0b2c8e59a62223179bfb3fe8629195bbb8ed4
090856974744db766df4757083b3dadb518dfd0e3ef1c96eee63cd7076151c4c
0c5faa63bdaa0026ab4ddbce9ccb3dfb31226befc7f5e1b38873a1d2e299f1c2
0ec95d587d006803cad956a88e6a5812c3ece5b03716cdfd9fe94ce0dd3725ee
0eed80e6a87334a1c24891bb9a0fe5c8b9cd8a92167eabcbae1b5728dc5a1e93
0f56694a00ff58c317303cdf6976e81a95cb71156e79c29ee97a32cf8600c233
0fd0606df5a28446ba55b449c8276477f3dc17dadfd8897b02fddd8e70f4dc3c
101a22afcaa749c11d119751cf03c96b8fdd2bdfc759e30a1215d19fcb4ce0c2
117c818509b04bb51ccd89cffb9e59b71dc32d73d372d01517094d1516cc58d9
13e1e5dd28c015f418232c75d88a742e5102bda4b276e90c60dc588281b0e20d
14f0f8c7ab95de503728d70d30efeae2df255f2919e9ffb61d86c728d79d54d6
154d32a8d39c2a55e71a23e126cbb141bf2a860cef997a092bd5e987f463fb64
15b960b6c2eeaed4f2d8ea53172d1bfc403a36e570c92e2a569ed4b7e781e304
1711e3dd4c2a37ee762798b13e78b2aaf1f92862089055e36d4e3889bd3cacb9
179102ea1a9e3eeac268236fe006e250625376764e931f22dd41125ddf640f6f
1804e34830d4f49a6e9686d195fdd7c178fccc31841385e8fc9a712bcd22a711
18d89015080e39d8bd13c550ecef302727f58beea070897cb62d53162b7707ed*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Win.Trojan.Gamarue-7008527-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452834348584929485695758050\winmgr.exe
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452048050540508045\winmgr.exe
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050324589790225392040235\winmgr.exe
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-505045204850142040560305045\winmgr.exe
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050402562050603850256869070\winmgr.exe
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452042050540508045405080\winmgr.exe
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452048050540508045405040\winmgr.exe
1
Mutexes Occurrences t6
6
trk16
6
t50
4
trk12
3
t59
2
t20
2
t18
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 195[.]22[.]26[.]248
24
199[.]247[.]8[.]13
24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences srv1300[.]ru
24
srv1400[.]ru
24
srv1000[.]ru
24
srv1100[.]ru
24
srv1200[.]ru
24
TRKHAUS[.]RU
12
ad[.]yieldmanager[.]com
5
audience[.]tapad[.]com
5
docbook[.]org
2
nwalsh[.]com
2
Files and or directories created Occurrences \??\E:\autorun.inf
24
\autorun.inf
24
\??\E:\Secret.exe
24
\??\E:\Documents.exe
24
\??\E:\Movies.exe
24
\??\E:\Pictures.exe
24
\??\E:\windrv.exe
24
\??\E:\Private.exe
24
\Documents.exe
24
\Movies.exe
24
\Pictures.exe
24
\Private.exe
24
\Secret.exe
24
\windrv.exe
24
\??\E:\Music.exe
20
\Music.exe
20
\??\E:\Porn.exe
12
\??\E:\505050.exe
12
\505050.exe
12
\505040.exe
12
\Porn.exe
12
E:\505040.exe
12
%TEMP%\njabdkadwvuiajkdlawuvi1ba
9
%TEMP%\05 - Exchange.mp3
6
%TEMP%\g3OdSbf__bigger.jpeg
6
*See JSON for more IOCs
File Hashes 1f4cf029dfbf7eb7ab7349a996c714929ad997be0e09311777b84b75d8f2163b
459a89a03a6f46e5901f2c2ce54b2c47dd12777eb4b0d95caa7cf00394b5a862
50fcf4110822d9272e706ac3661f5374a00ffed48da20f6f1503c612288ca2a9
59c9b977a95e516ffffd77a72e16314a80df92cd1d59b0b16f7e1f06e72a2398
5b31e2845b9ff0c262f09eb2ea2b4cc6896eb78402c4fddf41c76fe1ebf37b79
673dfd5ddcc565679db5739f992e0b4de8c61c1628aa151cf690278afe28fa23
86982deca7af6d4d0cf0118afec263b97d4a5975eec187093d1f730334e35144
8ce0ab86f7d3fb858373ae9bc44dc058d7f4322d56d38d0b32e485c9bb27c630
9ad466fb4e695905f2c8328fef7b4917c4c97ca2377c2002ad5cea3892b69a62
a004a9cf108c93981ad0f5891215169376336c9e13cffb2fe56e68d1af5d75f6
aecde0e15dae5f0fdac6f927f39341b40158898554b25739c7cfbbc88442ddb7
b07245addc6dac3ec4c4e258016ca457d56474ad93c11b43d0b55b6f4a5e5b5d
b383ca1d776204776c643a020e71bcce8990ec6768de84e7ed6fe5bef7d692d7
c3f480a13b31de10baca5e1973ff774453c6c298b13781ace209523f055a9d74
c6faca00d7e4fa656c574de14d475bccd353aa622495a8a475f4fc52031c658d
c79b3cc43f74d8b0afc8db7b1d7fefe694076b06b97c7dde85f561cdb132c529
d0293d2660844495ee219f03a9a0a13ba8b364c510f65c8325367649db499cc6
d5c3e89984dcf0346a8726bd95bc00bfc269bb96c991db729c3068aa08e18f01
d6029469cfe0aa53e619ac0a3311f9b56663be048ed51e3fdb6fdde6a5e4f07c
d871f17f1609e257ee0586cc9bce74acf1d0289cf9a8264b62cb4ba82b6a94c3
d97fe58b643226abaa1f9bf4ef8acd0c7810cab3d048503f4a84cd0cf196b970
e7ba39323ddb88229cb9339e051da857a2ed5c243f2d8ea41dbd6ae70117eaf6
e8531ab3f02f293c3eb42067ba92ee8cf1513201fd4089ad0db570dc2218cb2c
ec58b08efd428ad04d32f3d883b1a693cfe97fff89385d9fc8b01535b2ec2052
ef8bb975c2ec5413dfd82ea1b161ad50ba684f7f01b1e2a8bf12a41ac8a58148*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Win.Worm.Vobfus-7008428-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSVC.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EWIDO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CPF.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMAUTO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WERFAULT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UI0DETECT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CTFMON.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIJACKTHIS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMGUI.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSERVICE.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIESVC.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEWUAU.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEBITS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIECRYPTO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEDCOMLAUNCH.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIERPCSS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIECTRL.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE
Value Name: Debugger
13
Mutexes Occurrences ©Úü×À»¢Íéõèò©
13
\BaseNamedObjects\
13
Local\https://www.hugedomains.com/
13
Local\https://tiny.cc/
11
Local\https://www.google.com/
1
Local\https://www.ashleymadison.com/
1
Local\https://www.jcpenney.com/
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 72[.]21[.]81[.]200
13
172[.]217[.]12[.]138
13
172[.]217[.]9[.]238
13
72[.]52[.]179[.]175
13
216[.]87[.]78[.]25
13
172[.]217[.]10[.]227
13
18[.]211[.]9[.]206
13
107[.]22[.]223[.]163
13
204[.]79[.]197[.]200
12
104[.]25[.]37[.]108
12
67[.]225[.]218[.]50
12
192[.]241[.]240[.]89
12
23[.]20[.]239[.]12
12
185[.]53[.]179[.]29
11
104[.]25[.]38[.]108
11
172[.]217[.]6[.]226
11
104[.]20[.]2[.]47
11
104[.]20[.]3[.]47
11
172[.]217[.]10[.]36
10
172[.]217[.]12[.]131
9
104[.]28[.]29[.]32
9
104[.]20[.]218[.]42
8
172[.]217[.]15[.]72
8
172[.]217[.]15[.]100
8
13[.]107[.]21[.]200
7
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences fonts[.]gstatic[.]com
13
static[.]hugedomains[.]com
13
c[.]statcounter[.]com
13
www[.]directorio-w[.]com
13
sstatic1[.]histats[.]com
13
www[.]easycaptchas[.]com
13
www[.]hugedomains[.]com
13
secure[.]statcounter[.]com
13
HDRedirect-LB6-54290b28133ca5af[.]elb[.]us-east-1[.]amazonaws[.]com
13
directorio-w[.]com
13
cdnjs[.]cloudflare[.]com
12
bit[.]ly
12
www[.]gstatic[.]com
12
www[.]google-analytics[.]com
12
parking[.]parklogic[.]com
12
www[.]qseach[.]com
12
tiny[.]cc
12
cdn[.]pubguru[.]com
12
ajax[.]googleapis[.]com
11
ib[.]adnxs[.]com
11
securepubads[.]g[.]doubleclick[.]net
11
www[.]googletagservices[.]com
11
d1lxhc4jvstzrp[.]cloudfront[.]net
11
ssl[.]google-analytics[.]com
11
fastlane[.]rubiconproject[.]com
11
*See JSON for more IOCs
Files and or directories created Occurrences \??\E:\autorun.inf
13
\autorun.inf
13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js
13
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\prefs.js
13
%HOMEPATH%\27F6471627473796E696D64614
13
%HOMEPATH%\27F6471627473796E696D64614\winlogon.exe
13
%System32%\drivers\etc\hosts
13
\??\E:\$RECYCLE.BIN .LnK
13
\$RECYCLE.BIN .LnK
13
\??\E:\System Volume Information .Lnk
13
\System Volume Information .Lnk
13
%HOMEPATH%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP
13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505
13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505\Desktop.ini
13
\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505\Desktop.ini
13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\Z17N57WM\www.hugedomains[1].xml
10
%APPDATA%\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
3
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
3
File Hashes c037253e276f68915f94a880ef6092f6a2a9e2a22dde3752b1a189e7392bb1c2
c9664af8c4a783ba1837929d8fbe97222a9e08ef44849d0bd3fbdd5fd3771056
d79ea7f8669da09b2a8871d5d52c046e5730edd4806228bff088fdcf60dc492f
e2dfd666cf32d2825de8a84339c1a2329ccfd986164fad48190a9420b37c32d9
e895fb316f2c6e59edd5b57c98df52ac7a8cff2b08f7e6fbd57623e6608d7c70
ef995680626316921a87d60298208aa1a7337e6b8582e859fa12027909512ea1
f0e508c2ac7a24a070a1478f9cc27e3a78357fa7c3f76ca3592637eafcd5dec8
f12b6897b528bee20e2cb54f5b445d141948ae5361b6ef21b495777ecc92aaf2
f67f73d39c0fade143d1cc30c8a5f1b823ef4cf91dc45314fb51e714d179c3fe
f9722379fe4ce4cd008143cb3c4cfeb4b5b4ba695ddaf1fee839a9ab368d1d8d
fa4c827d119b5a98f40027dcbbdc9c3bddfdc38511772de7e4ade6bffbd5b2f9
fb4ff852fbee72185cc989143092f2f580c4997b51504da59bd873024254660e
fb854a98e62eaab30f6bdb26d2ab655770dbec021e4dc62bc276fa761ff0d165Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid
Umbrella Win.Packed.Zeroaccess-7008376-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
10
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\Epoch
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Type
10
Mutexes Occurrences Global\{9a937ad1-c80e-6934-b9b5-3afedfb64be2}
10
{9a937ad1-c80e-6934-b9b5-3afedfb64be2}
10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 204[.]79[.]197[.]200
10
64[.]210[.]151[.]32
10
13[.]107[.]21[.]200
5
83[.]133[.]123[.]20
5
208[.]100[.]26[.]251
1
154[.]214[.]250[.]73
1
62[.]60[.]251[.]244
1
180[.]215[.]207[.]110
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences promos[.]fling[.]com
10
12geg23[.]cdn104[.]uploadetchosting[.]com
2
12geg22[.]cdn104[.]uploadetchosting[.]com
2
12geg1q[.]cdn104[.]uploadetchosting[.]com
1
12geg1s[.]cdn104[.]uploadetchosting[.]com
1
12geg1t[.]cdn104[.]uploadetchosting[.]com
1
12geg1w[.]cdn104[.]uploadetchosting[.]com
1
12geg1y[.]cdn104[.]uploadetchosting[.]com
1
12geg21[.]cdn104[.]uploadetchosting[.]com
1
Files and or directories created Occurrences %TEMP%\IXP000.TMP
10
%TEMP%\IXP000.TMP\TMP4351$.TMP
10
@
10
L
10
U
10
%System32%\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8
10
\systemroot\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}
10
\systemroot\system32\services.exe
10
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\@
10
%System32%\services.exe
10
%TEMP%\IXP000.TMP\C32938~1.EXE
10
%TEMP%\IXP000.TMP\reloaded.exe
10
%APPDATA%\msrfa.dll
1
%APPDATA%\pibis.dll
1
%APPDATA%\wisnge.dll
1
%APPDATA%\wsrmg.dll
1
%APPDATA%\nscizr.dll
1
%APPDATA%\wshufx.dll
1
%APPDATA%\bgnsoc.dll
1
%APPDATA%\mcrdr.dll
1
%APPDATA%\zrshu.dll
1
%APPDATA%\mstemf.dll
1
File Hashes 1a45f21c4e9da8fe25dee15d791d14525ff229c3e0330d17af76477391c9cd5e
37ac22156718afc2837f23f12e032530f464083c7204644aa3ce2fb0676a149d
5ca82ac85c65d79b8069ec7b41b3ab212d22bf014eaccd712ed30294a23cfa6f
6c2df30ebf956363eed646fa1032395186c303e20e859f561d0bda1ebc5de002
8b91726726c5b33f1a4aa3efa0184209bee0fb26c919d748f078e887d3ddd0f8
9127e176fa15d685992b36d6781d79dee5c5994431a021d13f78f3328168cd04
b9aa60607427eedf69bfa2058c0476f8b673955ba7701b710a44ba02edcf9c36
c5f5861f4c4a560396fa5c20394515b5147d97427cba2e37c5d114738d9dcf31
d239e098f814f0350a81ade67000be01f91a8007833823d5f2e6c782a3b5552b
f40030bec4290e152e63064e90b4fda8f3314f5b1ac98eb298f2993c85b93f24Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.Upatre-7004553-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
14
<HKCU>\SOFTWARE\MICROSOFT\Vunadiikify
1
<HKCU>\Software\Microsoft\Ejluzaduy
1
<HKCU>\Software\Microsoft\Hofoaldyospa
1
<HKCU>\Software\Microsoft\Byypjecykuan
1
<HKCU>\Software\Microsoft\Pekuymgu
1
<HKCU>\SOFTWARE\MICROSOFT\Uswyloyhujmo
1
<HKCU>\Software\Microsoft\Weqyireluz
1
<HKCU>\Software\Microsoft\Ahulbupagupi
1
<HKCU>\Software\Microsoft\Yvuwdefusuyx
1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 16864bd5
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Kapya
1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 2ai47ccj
1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 1b0jgcdj
1
<HKCU>\SOFTWARE\MICROSOFT\Ifrytaacpiu
1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: ebecgbi
1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: 9e6eb40
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Syyqx
1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: 1eb88i7e
1
<HKCU>\SOFTWARE\MICROSOFT\Asohubtafib
1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 292fjjef
1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 24a073d5
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Hoavt
1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 3jcbf77
1
<HKCU>\Software\Microsoft\Ocidrajiasze
1
Mutexes Occurrences Global\{C30C6CF2-932B-408E-55BA-04D54CAC27C8}
16
Global\{566D79B0-8669-D5EF-55BA-04D54CAC27C8}
16
Global\{C8D239CA-C613-4B50-55BA-04D54CAC27C8}
16
Global\{C8D239CB-C612-4B50-55BA-04D54CAC27C8}
16
Local\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8}
16
Local\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8}
16
Local\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8}
16
Global\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8}
16
Global\{A5D858EA-A733-265A-55BA-04D54CAC27C8}
16
Global\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8}
16
Global\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8}
16
Local\{C8D239CA-C613-4B50-55BA-04D54CAC27C8}
16
Local\{C8D239CB-C612-4B50-55BA-04D54CAC27C8}
16
Local\{E9745CFB-A322-6AF6-55BA-04D54CAC27C8}
16
Global\{B665CB4B-3492-35E7-031D-B06E1A0B9373}
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 184[.]168[.]131[.]241
16
68[.]235[.]37[.]83
16
94[.]64[.]68[.]197
16
190[.]37[.]207[.]199
16
71[.]91[.]43[.]179
16
79[.]187[.]164[.]155
16
63[.]227[.]34[.]28
16
178[.]116[.]48[.]217
16
86[.]135[.]144[.]6
16
94[.]189[.]230[.]78
16
206[.]190[.]252[.]6
16
86[.]140[.]35[.]54
16
59[.]90[.]26[.]49
16
123[.]203[.]139[.]252
16
86[.]158[.]144[.]27
16
75[.]87[.]87[.]199
16
84[.]234[.]151[.]23
16
222[.]96[.]81[.]59
16
172[.]245[.]217[.]122
16
58[.]252[.]57[.]193
16
103[.]14[.]195[.]20
16
108[.]230[.]237[.]240
16
172[.]217[.]10[.]68
10
172[.]217[.]10[.]36
4
18[.]233[.]6[.]11
4
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences kofinyame[.]com
16
california89[.]com
16
www[.]california89[.]com
16
fquxszdtduirtabaguyqcyxwgu[.]com
3
kbbqhhqsthaoflrodxoftwjn[.]ru
3
vkljvwgzxtaltwdpso[.]ru
3
eivsovswuswxlrecqxytmv[.]biz
3
izfupirthqqhtdmrsgizi[.]org
3
aqyldvcucbivwcuzltqszlwuiv[.]com
3
dqxcpjxrkpvkrscvoibusskxkcx[.]com
3
kfeyrgzheujramjvdebmfih[.]biz
3
llbmbyozculfxljkrdaetkzofv[.]info
3
qxwguplvcyswhiciqoylyhijrcvo[.]biz
3
belzrwyugfulnrtsvwwjfzttk[.]ru
3
ofdyvgdenbrwizswrgrshnvifzemam[.]info
3
tobeugnjhuczhucepcedyfyx[.]net
3
dieqgetxwlvwcxklrjboffi[.]info
3
emfetgfafeeygpxvshmbyxwsof[.]biz
3
xwlvzlnvzlwkplbtodmrtgl[.]com
3
jnaqjrmfjzcepvcxgcyeaxhwcy[.]org
3
mrbyprkqkemlnpzbtjnwkkvts[.]org
3
lfydktrtcydhfuycuxcp[.]com
3
nvzpfuwvmfbadnvvjrhipskem[.]net
3
lixsgurgbcmamxkqkqijfapcmrk[.]info
2
qkhfeydhaixcdvkbgihqqhq[.]com
2
*See JSON for more IOCs
Files and or directories created Occurrences %HOMEPATH%\NTUSER.DAT
16
%HOMEPATH%\ntuser.dat.LOG1
16
%TEMP%\budha.exe
16
%TEMP%\kilf.exe
16
kilf.exe
16
%SystemRoot%\SysWOW64\secur32.dll
14
%SystemRoot%\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
12
%SystemRoot%\SysWOW64\winhttp.dll
10
%SystemRoot%\SysWOW64\webio.dll
7
%TEMP%\OVQEBB9.bat
1
%APPDATA%\Awdei\tyun.exe
1
%TEMP%\QXY4CCB.bat
1
%APPDATA%\Ingue\epxiur.exe
1
%TEMP%\RSQ2CE0.bat
1
%APPDATA%\Olvyq\juwe.exe
1
%TEMP%\PJM7E60.bat
1
%APPDATA%\Almenu
1
%APPDATA%\Almenu\anozyb.exe
1
%TEMP%\YYN5BA3.bat
1
%APPDATA%\Jasit\xequ.exe
1
%TEMP%\KMN5AE0.bat
1
%APPDATA%\Azwia\wiziny.exe
1
%TEMP%\JWJ9A47.bat
1
%APPDATA%\Comomi\afve.exe
1
%TEMP%\NYW5A92.bat
1
*See JSON for more IOCs
File Hashes 014f7b0000b4959505cc055eb5c91283919f7e9596b9d375a15966808f3cac40
03ef7f307a4014590af1936ce69ef7f7e77fd34ecc1b553f4064a2fd4481b799
084cbb7cd8627cdfe63f8519f09a8100aac4710de7d396149d345182ce078d93
14726cda4db95441c35a350011f5ded8d832f2c8a6ab181c3c4a4fb73056ae6e
6a3eff21994abc3ae6c3c7a2d81e2f6c9e710ae4874e25db0a51213de4133c0d
7218bc90b23ce5f58e339e7e4caa68405ee10ad314c0765c92d0885f1ce3fce7
76bf6463c9751e4f8c6df80dff89dd58deeada57edc0dfaa3fcb88c5b676e3d9
7befc280a73717d09d831778e63173b1d48bf65d6d5a0da3055571a6d434bc6a
7c1b33a4ffaca8cd292d24c9b0a275629e931e0378d49305680e759d87b19aa5
8d8215b512830f6285f8248e6408e3f0e61535f32775f8c01b234c52729ce497
a05880b5a7d66ee3c976cba4553e48421da2c87d25540e81db739771217516e5
cc192820453aaf77261330c8caaf91436cbc5912e0307e9940b7265089c14705
cc908625e97f5ee851b27f69d492b90cedd17576612a8005f2a709960010a5da
ccf99adebff70749af314d4414ef84fb4577ccb7bbd4816f3623a2013954d4c0
d4bda6c737fb1ea8ba4d486dc9d129c35e24faede3b17f6dd6d5f154a0e269f5
eb75f7cc2bef48e82fe540a53e39a53a78442e41b283917bb83bd050975447b4Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Win.Dropper.Gh0stRAT-7003946-0 Indicators of Compromise Registry Keys Occurrences <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SVCSHOST
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SVCSHOST
1
Mutexes Occurrences 546634635.3322.org
3
kent.wicp.net
3
23.95.28.181
3
58.55.149.231
2
59233086.f3322.org
2
58.55.154.119
1
www.zmr321.com
1
\BaseNamedObjects\122.0.114.49
1
122.0.114.139
1
23.245.118.14
1
mantou0314.f3322.org
1
yanjianlong.f3322.org
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 174[.]128[.]255[.]251
3
174[.]128[.]255[.]253
3
23[.]95[.]28[.]181
3
58[.]55[.]149[.]231
2
122[.]114[.]141[.]107
2
58[.]55[.]154[.]119
1
122[.]0[.]114[.]49
1
122[.]0[.]114[.]139
1
23[.]245[.]118[.]14
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences 546634635[.]3322[.]org
3
kent[.]wicp[.]net
3
59233086[.]f3322[.]org
2
www[.]zmr321[.]com
1
mantou0314[.]f3322[.]org
1
yanjianlong[.]f3322[.]org
1
File Hashes 065b0891dd2f1f140a304d6083a42920f479e9f78449653dda3e3f4773d65f64
0e3ca15c7fbb7290152a4352eb9f128d371a61748bf574629b1e20e88194f39a
16ae0bbd83dfbf5d842d830eb025a48afeb882d280cd2667178a64c5e4e52aa7
2c3bb3de7dc1618182cc870473e21773ec64a7907a7a8b908ba84aa3dfc1ccb8
3fc973ba80cdb771e03afcede4504b916e2271ee061371132943e69a6851d0a6
72ad952cd9fb882a07fc5076925ef9f54c99c1e2b8d787c6b7da5efe93d2320d
7947b164011507462d16333b66ff489f62d0d07c063886a65fc1119c434595b4
7c23edb038674293f17bcd1f54ce09257155f50167c291b898369b7f67a0543d
7dd7075d773df6b6adbceecb7670aeba729b409c4eab34fa43ee12cec71d961f
8099dfc84e82896b7ffd60989d80dcf3e6d201119fe41c297be02efa198d4c97
8e985850c2689d00fb7a806b008798980036f4d2ec139e1b7ee50aa7adb2a1da
908e09cdf2eacbb1361d94c86d393c0149634d927ba537862db5c26ee1fdd1d5
9a744852496a014e1346262aab597cdc6d7c86cc1254a6b3f1e2f0509e011f49
9d83339f74a26f74ab4b32835f4e56224bf4455f52d78e4e1597a36f63dc34ca
9e2ae029580b63672ebed5d256f22745cda92397969ae98db888275c74c33492
a9c39431622634720eb6af8bed7440508c1b76d955377bb98ff6b4a5f3cd476e
bc6a883c9ea0eb02da0590ad56eee63fffff733fb530fb901e449c41fd63dee4
d94e3332f0f9181e0fe3e4dc6da12024a66ac9bd27e3e2e8a2805cd99de34552
e1645442bba1f21d0a3243661dca6d4bae3dd28150e03f5d959f1c8bf61fca64
e880f061dc1f2f08585787d07c55ae03e212408f9e2e6ee8b6d392be694f2663
fb0f9a707cc2ab33dd9370aac07dd7c0f354bc6780de8c0c54c69f7d828e8e1e
fd514b2dfc176298d8b6b4885079cdb43a7c374fdd914850c50aad7c8791b455Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.Ramnit-7003027-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
10
Mutexes Occurrences {7930D12C-1D38-EB63-89CF-4C8161B79ED4}
10
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D}
10
\BaseNamedObjects\{137A1A2C-4964-635A-544B-7A4CB2C11D0D}
10
\BaseNamedObjects\{137A2419-4964-635A-544B-7A4CB2C11D0D}
10
\BaseNamedObjects\{137A1A2D-4964-635A-544B-7A4CB2C11D0D}
10
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB6991D0D}
1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB4951D0D}
1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB8651D0D}
1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB6891D0D}
1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 208[.]100[.]26[.]251
9
172[.]217[.]12[.]142
9
46[.]165[.]254[.]214
9
89[.]185[.]44[.]100
4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ryfgpvevpka[.]com
9
FXOPHXMRRY[.]COM
9
rijyjgrqrod[.]com
9
wqebvfqhvdwd[.]com
9
xkfkhlwxmy[.]com
9
hpujpcor[.]com
9
msdsspdwrtmjjjrgeew[.]com
9
hwlfiogofk[.]com
9
yogtmphumejfhm[.]com
9
ATIUTTVAQR[.]COM
9
MKYJFUMSG[.]COM
9
okjndyeu3017uhe[.]com
9
JIFGMEOA[.]COM
9
xfqtdsyao[.]com
9
vbtwrlpdfbcvqgrfxa[.]com
9
ifshcrwujqprjwuwt[.]com
9
TTGFETOSRTL[.]COM
9
bujynaslvjlmf[.]com
9
gyjijwyrhwyugui[.]com
9
urjpwtnytfyiaaly[.]com
9
fqxonymdkdmjjfceuf[.]com
9
PLOOWSETHQB[.]COM
9
hkdagrtomfuev[.]com
9
yephjhhcg[.]com
9
OHEFDIGIK[.]COM
9
*See JSON for more IOCs
Files and or directories created Occurrences \Boot\BCD
10
\Boot\BCD.LOG
10
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat
10
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat.LOG1
10
%HOMEPATH%\NTUSER.DAT
10
%HOMEPATH%\ntuser.dat.LOG1
10
%LOCALAPPDATA%\bolpidti
10
%LOCALAPPDATA%\bolpidti\judcsgdy.exe
10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe
10
\Device\HarddiskVolume3
10
%SystemRoot%\bootstat.dat
10
%TEMP%\guewwukj.exe
10
%TEMP%\yowhywvr.exe
10
%HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe
10
%HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log
10
%HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe
10
%ProgramData%\wtvakgao.log
10
File Hashes 00848dceedd7c2271a182e97c8e5ad7c947af0350f4dc2ace6f600d1f1eaf9c8
07f659c6e3ac188112a9cbec06ed454711f8450b4cef0b59c95a8db0acfe8137
1a82f19a88827586a4dd959c3ed10c2c23f62a1bb3980157d9ba4cd3c0f85821
2a4d1cdf8ceb39bcdd782e2fca4c01390218ad32862d0df40eac079875dfdf89
2e6bebb485ed1ac9bf88e8fa2bb54fe0493e792771d33876b229008b13d4a85f
3fdedad406e3f100e8a216ae7477366a47998f14893adf97f647777c692e4151
5943564ab3d38d4a9a0df32352dd5d2b04ccb76294e68a5efcbad5745d397de3
8ab75a0bc7167646928afd8eea3c3450f2c9529e7d58ed2a87f4f32885017f30
f18fba4d2779d4407f522bf5a9287e9b9117c92aa92bcaa843f69cf842e1d7d5
ff66f9cf0c4ffa299fff1b03a92daa2070087301ea89cba2c03d58a9480fa843Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Win.Dropper.TrickBot-7003081-0 Indicators of Compromise Registry Keys Occurrences <HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender
9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\
9
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\
9
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions
9
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths
9
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
2
Mutexes Occurrences 316D1C7871E00
9
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 116[.]203[.]16[.]95
3
194[.]87[.]94[.]225
3
104[.]20[.]16[.]242
2
82[.]146[.]48[.]241
2
194[.]87[.]93[.]84
2
216[.]239[.]34[.]21
1
216[.]239[.]36[.]21
1
198[.]27[.]74[.]146
1
52[.]202[.]139[.]131
1
82[.]146[.]48[.]44
1
82[.]202[.]226[.]189
1
78[.]155[.]199[.]124
1
195[.]133[.]147[.]140
1
209[.]205[.]188[.]238
1
73[.]252[.]252[.]62
1
185[.]21[.]149[.]41
1
67[.]209[.]219[.]92
1
80[.]87[.]198[.]204
1
195[.]88[.]209[.]128
1
82[.]202[.]236[.]84
1
179[.]43[.]160[.]45
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences ip[.]anysrc[.]net
3
icanhazip[.]com
2
myexternalip[.]com
1
ipecho[.]net
1
checkip[.]amazonaws[.]com
1
wtfismyip[.]com
1
Files and or directories created Occurrences %TEMP%\4rQ7ipw
10
Modules
9
client_id
9
group_tag
9
%System32%\Tasks\services update
9
%APPDATA%\services\client_id
9
%APPDATA%\services\group_tag
9
%SystemRoot%\TEMP\4rQ7ipw
9
%APPDATA%\services
9
%TEMP%\nsb246C.tmp\System.dll
1
%TEMP%\nsgFCA0.tmp
1
%SystemRoot%\TEMP\nshF273.tmp
1
%TEMP%\nsg6A03.tmp\System.dll
1
%SystemRoot%\TEMP\nswC349.tmp
1
%SystemRoot%\TEMP\nswC349.tmp\System.dll
1
%SystemRoot%\TEMP\nsn69F3.tmp
1
%SystemRoot%\TEMP\nsn6A42.tmp
1
%SystemRoot%\TEMP\nsn6A42.tmp\System.dll
1
%SystemRoot%\TEMP\nsc1020.tmp
1
%SystemRoot%\TEMP\nss107F.tmp
1
%SystemRoot%\TEMP\nssDD4E.tmp
1
%SystemRoot%\TEMP\nss107F.tmp\System.dll
1
%SystemRoot%\TEMP\nssDD9D.tmp
1
%APPDATA%\services\67ff09786g26g98gef29fgb5035370fb293gb44g2d766fb0gff228fge797gbb6.exe
1
%SystemRoot%\TEMP\nssDD9D.tmp\System.dll
1
*See JSON for more IOCs
File Hashes 357b2a34ad3496df379c3ad774fa3be01969472363a53defb2642119ac1a8f51
57ee09685f15f98fde19efb4024260eb192fb33f1c755eb0fee118efd797fbb5
65ea62aa3ed8bb08e2519bb0cc54f39dde625e11517ef43f1ce9acf306df412f
664c4f020f49f18b5d4cb6952184a9f2472bfbc41d4922e8c43d8c8db3411930
a690c57af967f33edfd3e34448af5a3d0aeb6885262d1dec9150debb404241d0
a7e40660025a2f92bf5b27a429c2a65038932203d7d6c33168f01c47b34868fa
bd60a69a384090fbdf9c03ae483e5e3eddcfdbfb7d8d5ebee7d106a2e21d86e4
c2e6cb0575738459478d51904bf70fe81fc44c88b560e45b06a74571dcfbf83f
dde71d9ec99bef73f61f841af134463fc1e494522c35fa8534a668337082f107
e5a25723b4386688017c8a808488f7827c526b4848a05b23a85a65ed398fd035
fafa057ebb741166e290c0864d2392e34700a1fb2147e7d4817295db9adaaddbCoverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
N/A
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
N/A
WSA
N/A
Screenshots of Detection AMP ThreatGrid Win.Malware.RevengeRAT-7004697-0 Indicators of Compromise Mutexes Occurrences RV_MUTEX-BtNHuiGGjjtn
37
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences 79[.]134[.]225[.]8
35
105[.]112[.]96[.]51
27
91[.]221[.]66[.]6
3
185[.]244[.]29[.]15
2
197[.]210[.]44[.]157
1
105[.]112[.]96[.]109
1
197[.]210[.]55[.]210
1
197[.]210[.]44[.]68
1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences mallorca[.]myftp[.]org
37
mbvd[.]hopto[.]org
37
Files and or directories created Occurrences %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\pcwrun.url
37
%APPDATA%\cdosys
37
%APPDATA%\cdosys\aadtb.exe
37
%APPDATA%\cdosys\pcwrun.vbs
37
%HOMEPATH%\Start Menu\Programs\Startup\pcwrun.url
25
File Hashes 043e6e31d0efe8f818b408a4f38ed07d33ff6c9e3ff5efe33440f426da6c65e9
08255fa9a6461fe91cc3c7cabb4d7cf1d0e34442916989f121c25c007d0e4f4e
14ff9bca2e40edf80f24f64944a187691436d26dec1c57e71c83e2f8d3cf8d83
172c143486841e0e24c436f8cc4548c46afb9db7f6bf52d857795f62b18124fb
1bfb8266eb0284cbda01b9405977691de3abd817d4575285aaef4f5065391ba8
232238e349a632c148ff162e31159a6ba7b19d89f9cdb43027c98c69d03756a9
2ee4332fa127a46c6bff99587d8ec99778a6eaa764d80d1abb874495f27605b5
33faa6cad2fe7aaf15771977673baed989f973cc3b6be562c5caa2de71c7d532
3c0ea80441e2824c506dc57154ccc1123e7c293856ba89c078269177f0bdc940
3f09b3040a82ce439e8147eeb19e109505866982e3a1150a79ea011e53920745
4209a07df4409b81df9fd0bdab4bfd0f45f15ee0acb57be1b28dc7409e7f8417
4e91a567c5de2bc40e9be1fd72065a17f98454f93bceb3c3f6bc01c95880ea8e
5683d55fcbaec725b59770d31bf272cf1aa99b8c1c4955eba6cf23204ebcca79
6db50a7f6a77e354d56b65175024df2baa70e7c161a05b2c876d65c09448f30b
6fb1ef865a16257408e954ca2d917eb50126767b9be5505d5772238b60eed25e
723617156eb76841485e598c6958b4b29261dc78f1187629a5c001f037a92920
75d8713483f5a769d1140c4eef300f27dcd39f3799f1106c3c6600a8dd44cccd
7ef273b2c04c40e249f250a5c12513587ac84125df78c870df5ca17c8833d3c9
82541fd5caae2acdff85558a535874361c3f5d6e2e6c27a821cc3bc4b9b50b35
951b10c3a12ebe5a4923c7ddac5d9b534e717cd86fa29dabd5c67d66dc73418d
a41d6ab21b948ce314ec0805d96ea7480da8a3a8de7691501c46cacf7bb2921c
a84a57b96eb296cf90c881bb18a19df7930aa114e97c12171ad1b238e45b3d31
a9230c56cec40f3238f21c7a5c5e1b79c63160275eacc814d12d637370e39333
ad9ecaf4f946fe463f98b468049de4563eb4d7666d12338cc7f6d555f4633c2d
ba048c20a4e0fb9ae726d05b10cf3097e245a14d2260e43a9f34c4adef004b7b*See JSON for more IOCs
Coverage Product Protection AMP
Cloudlock
N/A
CWS
Email Security
Network Security
Stealthwatch
N/A
Stealthwatch Cloud
N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection AMP ThreatGrid Umbrella Exploit Prevention Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. Trickbot malware detected - (3094)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Atom Bombing code injection technique detected - (2529)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The
malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Madshi injection detected - (947)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Excessively long PowerShell command detected - (904)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Kovter injection detected - (583)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (545)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (528)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (166)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
PowerShell file-less infection detected - (63)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Installcore adware detected - (40)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
