Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 22 and September 29. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

The most prevalent threats highlighted in this round up are:

  • Doc.Downloader.Jrat-6336393-1
    Downloader
    Malicious Office documents containing an embedded OLE object which can be an executable or Java JAR module mainly to contact certain domain and download additional malicious code
  • Doc.Dropper.Agent-6336814-0
    Office Macro Downloader
    This is an obfuscated Office Macro downloader that attempts to download a malicious payload executable.
  • Doc.Macro.DownloadExe-6336397-0
    Office Macro
    This set of downloaders use hardcoded URLs to download and execute a sample on the machine. The VBA contains no obfuscation and contains just enough functionality to accomplish its task.
  • Doc.Macro.VBSDownloader-6336817-0
    Downloader
    The macros in these Word documents are base64 encoded and, when executed, download additional malicious files from an obfuscated list of URLs.
  • Win.Ransomware.TorrentLocker-6336835-0
    Ransomware
    TorrentLocker uses AES encryption to encrypt files on an infected host before demanding a ransom payment in Bitcoin. Code is unpacked from a series of strings through character replacement, selective subset parsing, and a final conversion that is written to the stack for later execution. Spawned child processes and additional binary drops follow afterward.
  • Win.Spyware.CCBkdr-6336251-2
    APT Supply chain attack
    Version 5.33 of CCleaner was compromised before vendor signing and was distributed with a backdoor module embedded. More information available at /avast-distributes-malware and /ccleaner-c2-concern
  • Win.Trojan.Beeldeb-6336738-0
    Trojan
    Win.Trojan.Beeldeb-6336738-0 is a self-executing AutoIT script. The malware payload is injected into a dropped executable. Further, the malware adds itself to the startup folder for persistence.
  • Win.Trojan.Cossta-237
    Trojan
    Win.Trojan.Cossta-237 is a trojan that will download additional files and potentially receive further instructions from its operator.
  • Win.Worm.Untukmu-5949608-0
    Worm
    This worm is highly malicious and contains several anti-analysis mechanisms such as anti-debugging techniques as well as to avoid its removal also in SafeBoot. After the infection it gains persistence and disable cmd and the registry editor.

Threats

Doc.Downloader.Jrat-6336393-1

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • N/A IP Addresses
  • N/A Domain Names
  • mike22[.]linkpc[.]net Files and or directories created
  • %AppData%\Microsoft\Office\Recent\ITT Tender - ABB -3600002386- Provision of Supply and Installation.LNK File Hashes
  • 1508a8ab14c4639853c9f2e598a142756517bd078f505274b5783ddda8fed0a0
  • 1570586012e23a7de3a8fd965bdc2d3a96175fd8a77d284827c1ed6d58944a7e
  • 339ceac2076e833babc1ac838848ab2787af062835a24f05e0bf20ab1ec79ccf
  • 6f276350ce399502dbf870702e1a09ee39b591b93ebface9d3214ce9822aed61
  • 7dd8b4746bf2de079b3b66e9d5e0492cde0a3838311252176a8831c3fd64b33b
  • 7e4ef415a75cea7d3d610c44c0fa51d0fba956cc8136784115641054cd470fa0
  • 9394e12d1fe6d3627f5f928aff4a15699aa129e44fd4fd9eba29f6ad5a4f7556
  • a5dfb783b89232fcc317194d267b8cf7204ae457d86eb5cdf703a656c03f1b71
  • a601c81547e7180d284e2fa701599615070653cceaf63108a11c40821edbf024
  • baba92ad2bf34ef95611656722344af6b60f731e7cdc4a341f64658837976899
  • bb4793538712834408cd9b3b58c1edf8da81906ffc12e25766fb40ddabe1c383
  • 50c1020efca0698519c89b468fc25926d1bad2eeb421482d9c17b6ab24535217
  • d29a6afc4b35eef25811664369471688a0ecd89fc2a5eb676de9c5518c9914f2
  • db4d85d172b31413c1f93162053032a9a2e26b273dfdea8b7506ee8ca982e32f
  • f745e3687dabecb07c033a70db4f8c2cb14b9fc75c896304f6e9ed4dc6e3a1ba
  • fff6555400d65b28590cdde1a1f1a8731f02e8c21c1a9f167d53dc1054cc865a
  • 522a804aeee581c63049d0a5983a558c2a3225c4b14814cf0acb8912b79260d6

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella



Doc.Dropper.Agent-6336814-0

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • N/A IP Addresses
  • N/A Domain Names
  • acsbaroda[.]com
  • a[.]pomf[.]cat
  • b[.]reich[.]io
  • directlink[.]cz
  • nusacitracipta[.]co[.]id
  • u[.]teknik[.]io
  • wallpaperbekasi[.]co[.]id
  • www[.]b-f-v[.]info
  • www[.]noosabookkeepers[.]com[.]au
  • www[.]powerplusscable[.]com
  • www[.]styrenpack[.]com  Files and or directories created
  • \Users\Administrator\Documents\20170920\PowerShell_transcript.PC.Pbzg9q9Z.20170920011010.txt
  • \TEMP\Quotation_211.xls
  • %AppData%\Microsoft\Office\Recent\Quotation_211.LNK
  • %AppData%\Microsoft\Office\Recent\277336261.xls.LNK
  • %AppData%\Jaty\WebHelper.exe File Hashes
  • 760d89498b3029b1c6fdc5feefa16170589a4b61414c6b1e9d76611031ab0bd5
  • 19dc470f8c9a1a4e9e24707b68c43138178e81d4ec74e358941756667633c5b7
  • 1d14387de0375c84c8c334fb4d29c8ec4e3c24cd9969bcd3acbb77cb65f77a11
  • a80e8da4851eccfad1b8c2b930389a1980dcdab0d193073a4d3dac2d6a0e73d7
  • f84e3b79c16a77db33d1f5ee66fa13d15f25fed78d219d77dfe83268650cd944
  • d1e2655394e9ffd7f7d502840ace6b0de7369c938abee8c1ddc84dcf73486dd3
  • 81b61e9dd4682b079e0b1df3250640c99e0228d4bdcbef5f18bf4bd8fedbff09
  • 5af528ce89a31516eb1b5303b0789b56ab64ad16d7d15193c8b24b5ac3ff22a0
  • a9fec7f8f911f431dd9934092903974c3206feefac7308f48087ab02fbc24927
  • 93a1ddd820a187fd8db5ce8d595958fcfb34ea5c01b5971b359f318f8fe7bb3b
  • 4eb507bf63d6273548238a6c7e6831b6b29363c1c37e9176b7c72a6c3faa862d
  • cffb8b6c103a443159c94dadd5058c3c083d906600f0db6291ab0e2f4c005b68
  • 127cae520479d08e0bfa1b569ace82203cd8154f49f7a8569bfbc54d4c8c6da8
  • dfca64bac0dd845e4e0d98a0f0ce3ae235cddf2f6506fabb7923a2d5e0da3129
  • c1f97901518b6dab1c4516a7f400430030011c26f52cd429299d4331938b70bd
  • c3baeac24f2416d21e64df05b568600c3be76a6365e7cb5b8dbfdfe64ae95c46
  • ac535056dcd65160165ad9e53bc5bc4e08b61ce129fb37d7f7b727c4e1a875df
  • af9f674bc5a26324b62f8c5a67f256b6133b2ec26a25a7c93564fe048ae4afd4
  • 2b06143fffe0099302b2ec0b6f40b5aac115f37c61db32a3be6e0ed13d8eee85
  • 2eba0e3bb658230fe8617038b6be0f58d042a8bb13dd4d9169e775263f82eab3
  • 304c6f454f0efca218002c12009518c27e63186dd5de57b652cf2d4d14c7f0a4
  • b75f01bb44d8a7f402bf01683230ff71138509344bd13d7c199855a321c26b30
  • 5b5b1960bb43c0c115080b3393aaa263137141d53f6b173b24f6c08cbe86d2f8
  • 51d6c81b77f098af1b463f72d236d44b21d873f3c8360004ac93ba803db620a9
  • f4eb5c188028bd80eaf5e822fd6e80e6d2826215e6698668202b72aedabc3daf
  • d8b26ec2609f02379d8b8489f0b52f060e1d5f2dea369dbb675c408c29f83401
  • 81dea09c54a4f26cc078d1b341d5172ceeb5229861621e99552854c564747c83
  • 80c8b5fad0efae1c96e51d97a3ae2ee0e3c9d802691e7178da29b12f23b0f2a0
  • 5742ca6839d7b0b6e56f5406fcb744180bc76e81f7ebdc626b432ab3c1b3de81
  • c1fb997c7dd23f0bb6f19e20029650fc890beca44fbe2f50e21a001b3aa1d319
  • 2159c51a8951b68089524aec9cbb7ba171da57baf733bd12c7d7741d8f17e55b
  • bef55fe81de1a2eb2c0a9e647619a483093b031f5c797d5a8e32bb787356e33a
  • 7f0a79692fc21938be2f2acab035a56049a9444a8e380d62615546efd0862335
  • e618be36548c349562bbdc6c4d68efcb2c86b4354037e9014fd91eea3ec0a0ca
  • 100b1db7896fbd9c4415a96aed0383babbc43ac1f6ae589d408d39532ce9125b
  • f48ecc2b672bc937370ef812eb1b23e3e76e680a2a96aff2d58af8331eb75cfe
  • da2ee40c1fcf98c416132ddf8d4a533f387fcc2214772588bf2ab0967a7d1ede
  • b5fd96e20d32e4f805c4b157037b8e382ff2ce3564fad2f5b3d3c7b6247ea1e2
  • bfc11420c2e7d86d66ca3c4cd495a47b7882d6abbb7a8cc87a58ce9e3daaacaa
  • 5f5e981122a6264042e5b79860200c894538cb134d2c93d3f15750ec9443c7f2
  • 76a940a6ef4397c6b7c8d1ba0dca3e891c2d526f58c03c766d041b98a8791e54
  • 5056b55b83863c4ac1ed6ee66e4d2dc0de8b56416dd96cf712f5b889aeff5cdf
  • f9e29f39b89918fcf26237c5002cd98a2a001c37690720ba537eebd0e72a56cd
  • 6264bc92083a561dd31c38fc752589eb7e8dd65fa2b6c792d2dd247b5f63ff98
  • 544eac3c9205cc3ecaf57283c823050df3bfe4ce78d0c7e38592ef333cc8bdc8
  • dce3ff33424c5e43795ffba7ad33ee8a301606e3c4406e2cd1d07cf6d789ac8e
  • 633dd2217d33b8a60f3ca98905bb7119d7d63e8db50525452c5bfe5449b7885d
  • 6386f608f5f0fb7007ecf808b9a96048c4fc1fe3c20637332b9da1e5094972c5
  • 60d4c6a68368b14ce9aa0b6b3e8eb91e92f823f6524a49e4e7cc265353982898
  • 9804648f30f0a4af07a729f3bf0aa2cf23ed4174c8a1a9ffd98694efb3c51e2c

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella



Doc.Macro.DownloadExe-6336397-0

Indicators of Compromise
Registry Keys

  • N/A Mutexes
  • N/A IP Addresses
  • 66[.]55[.]90[.]17
  • 52[.]179[.]17[.]38 Domain Names
  • a[.]pomf[.]cat Files and or directories created
  • \TEMP\~$L Receipt.doc
  • %TEMP%\CVRFC94.tmp.cvr
  • \TEMP\gkmgax.exe
  • \TEMP\DHL Receipt.doc
  • \srvsvc
  • %AppData%\Microsoft\Office\Recent\runme.doc.LNK
  • %SystemDrive%\~$runme.doc
  • %AppData%\Microsoft\Office\Recent\DHL Receipt.LNK File Hashes
  • 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
  • 74805a5b0a8171f723627c8b061805a6c9c098e7ce1ea83378a774769bc7a1c6
  • f861caffda478a4227bf06323ef32407f774274cdacf2e5e23506d67a08cd89c
  • 9fa533406df0d2d165f46f37d1167fdb97ff388a5e84b60bfd75921c6f44ff6c
  • 0ef4406f5608ad25b4c61d37b6ece1b71c2738814528af550dde14917d2cb4e3
  • f8dcc75be0d1354741606663aebb95e477fe1d4e46246e677fc0e414b7dd354f
  • 216f09c6eff72fae7d6511a73be7530e80980ff6305e4dd2656c96aec29f242e
  • 265de60479b8d8bd46b56a7bec778d6ef9c62a9053e42c6a632d52cdc16a9490

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella



Doc.Macro.VBSDownloader-6336817-0

Indicators of Compromise
Registry Keys

  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Value: ProxyBypass Mutexes
  • Global\MTX_MSO_AdHoc1_S-1-5-21-2580483871-590521980-3826313501-500
  • Local\ZonesLockedCacheCounterMutex
  • Global\MTX_MSO_Formal1_S-1-5-21-2580483871-590521980-3826313501-500
  • \BaseNamedObjects\Global\I9B0091C
  • RasPbFile
  • Local\WinSpl64To32Mutex_e39d_0_3000
  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\MD99F8B3
  • Local\10MU_ACB10_S-1-5-5-0-58054
  • Local\ZonesCacheCounterMutex
  • Local\10MU_ACBPIDS_S-1-5-5-0-58054
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • \BaseNamedObjects\Global\M9B0091C IP Addresses
  • 50[.]63[.]119[.]1 Domain Names
  • lymanite[.]com Files and or directories created
  • %SystemDrive%\~$c69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc
  • \TEMP\gescanntes-Dokument-07170222835.doc
  • \Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24E5C5A3-7CF5-41D8-94C1-47B41F61C27E}.tmp
  • %AppData%\Microsoft\Office\Recent\fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0.doc.LNK
  • %TEMP%\64388.exe
  • %AppData%\Microsoft\Templates\~$Normal.dotm
  • \TEMP\~$scanntes-Dokument-07170222835.doc
  • %AppData%\Microsoft\Office\Recent\gescanntes-Dokument-07170222835.LNK
  • %SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\42994.exe
  • %AppData%\Microsoft\Office\Recent\Local Disk (C).LNK
  • %TEMP%\CVR26FE.tmp.cvr
  • \Users\Administrator\Documents\20170926\PowerShell_transcript.PC.sJClvqz1.20170926112823.txtFile Hashes
  • fac69c4b9785cdc861c8fae99998a1ad011cf2e98456a1891bd29bcc990897f0
  • 0274541153434372cb7c0bdc7f55c5b70a48ab0c22907611a89139d2073826bf
  • 12b2acf3a81b16850fec270f521ba9b749a340f1357f225e495462822409da12
  • 1d1407735650c83e62a561a1ea5cdc798aa1cdc92653f5e722dc8b22b5ed9a7c
  • 2b4bbedb5119cd52c44fe035ee5b00b520792db60207ffd6ce3cdc339901346d
  • 476e8075ba4866c0a78253dcb19961b28f150aa207d50b575b0d07fdcca4aa13
  • 477bbf5395742a4e45331d71c6de3191729fbbf5914457ccfef7eb9d3e8697c7
  • 4cfd3f25f178f5ae5dd5c5438a4bc3cd0af2ca712a5a59388612697d4b4424d4
  • 5bb5975dd0b781d5fab3721ae66463e64825fccfdcf876bcb8899c2571ed04f4
  • 5dc91a43bfcf5f4b4c2a759220e9eacec671bc275572b6feeca274d9c4836829
  • 61411a7a585f12f1d3e60eb084e9dac648217b922a3d68ce4024b26a6fcce3cc
  • 69b35b1bffd2d36c06d4598de38fa4364e726044623d89bc73fc1e9b31f57e71
  • 6c0bf54da7ee15bf99b7ff6be57ee8331d8335a1d15513227c6ada04c841c4de
  • 71cc8b291e0a1ad38ed9142eb112f56c4a8a3eb00d130bfa27e5c40a08bc9e43
  • 75eb214657020fd9b6f2d533d3c12724cf1de2adbb925d7abfd744e6ff73633d
  • 7cc1a551e6060d0e7a38423a2247edd4a84b6cca927f996d2bc056269dedb6e6
  • 908b6ea63e3e916377fe0319886bf4b55c7aaddde27292b9dce5930eede5622a
  • a2fe92fa39d6b0f9dbfebd83be179524fadb87b11e555eee96c606af7d34ce73
  • b6bfdbfcbb5097912ad8bdf9cec2592a162a27b7c367193d1fdd10d9db5182dc
  • b7651bd99dda94f6bf962b473872690ee145c38546cd7b3f8bb477976d9a8617
  • c77d0bee9502f8d4c3afc1729a7ab9721ffce9bf2b7759d086e436370af4ff5c
  • d621d5dea6a95c31650a4c46aaf507625a8e18f33b5a4a22e8a801c25dc77a49
  • d919139e4965ad6c55b7f08e2f919aac5fd8deb0fd90cf65f2bd4a4aa5bd2dd8
  • d9c9e1fece032140a4754096b08a4eb147598a36f8b582c796b8764ff6cd9a91
  • df5c68270b14d82a523a503a717de1ccfe1739c62956e7a58aa8441f117b7344

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella


Screenshot



Win.Ransomware.TorrentLocker-6336835-0

Indicators of Compromise
Registry Keys

  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: etejasix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  • Value: ProxyEnable
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
  • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  • Value: AutoConfigURL
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
  • Value: ProxyOverride
  • <HKLM>\SYSTEM\CurrentControlSet\Services\VSS\Diag\Shadow Copy Optimization Writer
  • <HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Mutexes
  • \BaseNamedObjects\Global\otydesuxofyjyxufexycaga
  • Global\otydesuxofyjyxufexycaga
  • \BaseNamedObjects\Global\yjacitumaxicuqexyfitywoqewyquwy
  • qazwsxedc
  • Global\yjacitumaxicuqexyfitywoqewyquwy IP Addresses
  • N/A Domain Names
  • wrygsxi[.]zotebsca[.]net
  • atawgce[.]zotebsca[.]net
  • adez[.]zotebsca[.]net
  • uluxkqopy[.]zotebsca[.]net
  • efedaluc[.]zotebsca[.]net
  • mxed[.]zotebsca[.]net
  • omywuw[.]zotebsca[.]net
  • imjmawfcoja[.]zotebsca[.]net
  • evycoroz[.]zotebsca[.]net
  • erivequt[.]zotebsca[.]net
  • aqyjo[.]zotebsca[.]net
  • usuhazepug[.]zotebsca[.]net
  • avev[.]zotebsca[.]net
  • fhuga[.]zotebsca[.]net
  • uqydjnwn[.]zotebsca[.]net
  • evehasuruzo[.]zotebsca[.]net
  • ypyhi[.]zotebsca[.]net
  • epabojyluko[.]zotebsca[.]net
  • iqesex[.]zotebsca[.]net
  • ywapivuqexe[.]zotebsca[.]net
  • ihodi[.]zotebsca[.]net
  • rtacin[.]zotebsca[.]net
  • aliragifut[.]zotebsca[.]net
  • eztcu[.]zotebsca[.]net
  • ukajusi[.]zotebsca[.]net
  • okypag[.]zotebsca[.]net
  • ubapimiwdj[.]zotebsca[.]net Files and or directories created
  • %WinDir%\edaraxoz.exe
  • %AppData%\uqetukykopefyvij\02000000
  • %AllUsersProfile%\uqetukykopefyvij\02000000
  • %AppData%\uqetukykopefyvij\01000000
  • %AllUsersProfile%\uqetukykopefyvij\01000000
  • %AppData%\uqetukykopefyvij\00000000
  • %AllUsersProfile%\uqetukykopefyvij\00000000
  • %WinDir%\ukavdnlj.exe File Hashes
  • 1a78a5c1c4ebb8a0047cbb4a8a27782212603d71cae2aeb033bceab76795a294
  • 4312486eb32d7edc49d437a598d7e0453e8c9d1222b8b9ba429c73e0598db1a9
  • 58f36594d9502e3e8e135d0a449e5c07a62ae6fcd34a32c5c4d9243cb28d958b
  • 5c66755aeeed65c21c8d9774baebd79c962311a57b733cb19d4d2bb6a0eb52c3
  • ae7a23e9b4c2645c26dce4a83a97953fa5ca008570aa9ac32e0826369593a099
  • ba4fe6e91aae42e7a12747422443a361201898a4a5d2454472cf8d42b8d5cc52
  • bf795a1676a6dd795fb6915ecfbfdc200687907cae8769c55b9e26328b026f88
  • cc07ae7275b177c6882cffce894389383ca2c76af5dc75094453699252c9c831

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella



Win.Spyware.CCBkdr-6336251-2

Indicators of Compromise
Registry Keys

  • <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
  • Value: NID
  • <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
  • Value: TCID
  • <HKLM>\HKLM\SOFTWARE\Piriform\Agomo
  • Value: MUID Mutexes
  • N/A IP Addresses
  • 216[.]126[.]225[.]148Domain Names
  • N/A Files and or directories created
  • N/A File Hashes
  • 04622bcbeb45a2bd360fa0adc55a2526eac32e4ce8f522eaeb5bee1f501a7d3d
  • 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
  • 30b1dfd6eae2e473464c7d744a094627e5a70a89b62916457e30e3e773761c48
  • 53c6ad85a6b0db342ce07910d355dad53765767b4b9142912611ec81bee0f322
  • 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
  • 8562c9bb71391ab40d4e6986836795bcf742afdaff9a936374256056415c5e25
  • 8a8485d2ba00eafaad2dbad5fad741a4c6af7a1eedd3010ad3693d128d94afab
  • dbf648e5522c693a87a76657e93f4d44bfd8031c0b7587f8b751c110d3a6e09f
  • 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
  • 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
  • 27a098761e8fbf4f0a7587adeee8eb787c0224b231b3891fa9323d4a9831f7e5
  • 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
  • 2c020ffa3436a69a1b884b5b723909c095e5e58406439287ac4c184a3c3c7da7
  • 76cd0370af69d5c76e08673976972fee53764fca67f86fcf0db208b87b7341d6
  • 8038ea1b72a720f86397fd2ee1f386bb832e5cbd8e12f97e11e0c787bde9e47e
  • dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
  • e8e02191c1b38c808d27a899ac164b3675eb5cadd3a8907b0ffa863714000e72
  • f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella


Screenshot



Win.Trojan.Beeldeb-6336738-0

Indicators of Compromise
Registry Keys

  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 Mutexes
  • \BaseNamedObjects\hTGfNaKIQ4lPz IP Addresses
  • 41[.]45[.]138[.]91
  • 156[.]203[.]64[.]64 Domain Names
  • microsoft[.]net[.]linkpc[.]net Files and or directories created
  • %TEMP%\EqEhol.exe
  • %TEMP%\JTVxon.txt
  • %TEMP%\NJiSUL
  • %AppData%\njisul\NJiSUL
  • %AppData%\njisul\EqEhol.exe
  • %AppData%\njisul\fXMlDZ.exe
  • %AppData%\njisul\JTVxon.txt
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\gmail.lnk File Hashes
  • bb8e4aec824aa052fdda739abb8472caf2bd6c34d1773248ea3072e5c024140a
  • 2c89cbab497a1a5219b5d66f1ba39473b6ffc15ec4f53a2bb09c070a15a537e8
  • 36e92852d67e66cb3c99312f107f83080605c2badf787108f619d6b54e6c85fc
  • 1e76a00a1e6e4265ad5ff364d3139a62013a9628d90edd7e6a155e7f0a8193e8
  • 07de12cf4c78151a0bdd6d8dcf8b5d0b91f51b606fd8ec0774e54fcb16e3440a
  • e15dc2879dccd3c62d77169fe77d869455e61e2706006da829013d55b42107ba
  • ca07844200067101a91d23604a7fb425ee8b47a66567a953103a9949f66d74cc
  • c4cf29d4e6a6b905e08534108ab07318d5704d91df50c9d5477b998a19395eff
  • a864f592f8fd01a57cf8302056a413e4a688f6cfa2beae8c5e136a40384f7b56
  • eea366f807de6e4a0834e9fcf8dc0847b7ab4707314191448950a22cc0dbfa76

Coverage


Screenshots of Detection AMP


ThreatGrid



Win.Trojan.Cossta-237

Indicators of Compromise
Registry Keys

  • <HKLM>\SYSTEM\ControlSet001\Services\Alerter Mutexes
  • \BaseNamedObjects\44-41 IP Addresses
  • N/A Domain Names
  • wenrou88[.]3322[.]org Files and or directories created
  • %SystemDrive%\Program Files\Microsoft Explorer\AAA.exe File Hashes
  • e8feccbab518346c0ec9ea3787f3b09994e41ca278aa537bc753fa1d6b40d1c4
  • b955412a8b6ec7d48b70bc2ed05226755c2b418a075fd0e3f98ba52086caa495
  • de37309306863d4a1b6f12a9c6e047fd93a9645f8acdbcc2f36f65d00226af2d
  • 2e3b79c0bc90f46218700afba5d5a55cb00832969a00f254ec113d342d76a992
  • 38a58d5c41f91b483ae727e922039848e14410c485db577cd0e21ee28e8fa250
  • 424e36fd9975a43f25fad06e0282833d1280bcd9e6d5ef8221dc322fd16fbaa0
  • 83062a56de8404db9311d60c87cccc4c25a8887952e695e5ffa0ac2600606706
  • 94bc3ce60f0750456467c4262543e1196eb8a3294fcd79441ef7250e8fdf7885
  • 5ed30bc2f7412875ccba2ade6e124154eda0788d555978ab6b60a69dbdf0bac1
  • f81a1362894fa49b7008cffe93365ef2158180be9a935ae17acc2bafa8f983d9
  • 6e678b7d3a7a46f20a19079644f0d879f03b1cad83e441ca64a4c0d1076d9ebb
  • f9e9a3d7b7bffae8cda1b3ff4c893933eff386b26fd035fa4bb61c7c31bf2690
  • 53c7cececf2d29386f3184e588c5a0ec558292ff227891d3ce5605f82a5f9688
  • dfbafa207c90d3d4e20dabe7620f901e1abe30fa0fa4dd06bfabe852f8f1f0bc

Coverage


Screenshots of Detection AMP


ThreatGrid


Umbrella



Win.Worm.Untukmu-5949608-0

Indicators of Compromise
Registry Keys

  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
  • Value: DisableMSI
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: System Monitoring
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
  • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM
  • Value: DisableCMD
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
  • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
  • Value: ScreenSaveTimeOut
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CABINETSTATE
  • Value: FullPathAddress
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: xk
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
  • Value: DisableConfig
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT
  • Value: AlternateShell
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
  • Value: Debugger
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\INSTALLER
  • Value: LimitSystemRestoreCheckpointing
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
  • Value: Userinit
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: internat.exe
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
  • Value: DisableRegistryTools
  • <HKCU>\CONTROL PANEL\DESKTOP
  • Value: SCRNSAVE.EXE
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\AEDEBUG
  • Value: Auto
  • <HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE
  • Value: DisableSR
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
  • Value: HideFileExt
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
  • Value: ShowSuperHidden
  • <HKCU>\CONTROL PANEL\DESKTOP
  • Value: ScreenSaverIsSecure
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: MSMSGS
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: LogonAdministrator
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
  • Value: Hidden
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
  • Value: CheckSetting
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
  • Value: Shell
  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
  • Value: NoFolderOptions
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
  • Value: ServiceAdministrator
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
  • <HKLM>\SOFTWARE\CLASSES\lnkfile\shell\open\command
  • <HKCU>\Control Panel\Desktop\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\SystemRestore
  • <HKLM>\SOFTWARE\CLASSES\batfile\shell\open\command
  • <HKCU>\Software\Policies\Microsoft\Windows\System\
  • <HKLM>\SOFTWARE\CLASSES\piffile\shell\open\command
  • <HKLM>\SYSTEM\CurrentControlSet\Control\SafeBoot\
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\SHELL\open
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
  • <HKLM>\SOFTWARE\CLASSES\lnkfile
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Run\
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
  • <HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Installer
  • <HKLM>\SOFTWARE\CLASSES\exefile
  • <HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKLM>\SOFTWARE\CLASSES\exefile\shell\open\command
  • <HKLM>\SOFTWARE\CLASSES\LNKFILE\shell
  • <HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\System\
  • <HKLM>\SOFTWARE\CLASSES\comfile\shell\open\command Mutexes
  • N/A IP Addresses
  • N/A Domain Names
  • N/A Files and or directories created
  • %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
  • %WinDir%\setupact.log
  • %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
  • %System32%\wdi\LogFiles\BootCKCL.etl
  • %WinDir%\Tasks\SCHEDLGU.TXT
  • %System32%\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2580483871-590521980-3826313501-500_UserData.bin
  • %System32%\wfp\wfpdiag.etl File Hashes
  • 9e0419794e2d948623f74a1443a553946334beaaa1c902ddc2741b1586a3bd89
  • 6735181a112e87550dba81d667012250ff78959cdfe4852043c35895a4a53635
  • fdb82a1a0c8b84d22d87e373d37a09cbbee481eca77a695f0a42b0ce8e7d15fb
  • 1c3d3774371a96d8dac17ef186e1d10e6520fc82d9325974f4191d437bfa106a
  • c7e85bc2b8120dec204e5592ab9254e90030cf3a13a2281d047c1d0bcb878d10

Coverage


Screenshots of Detection AMP


ThreatGrid