Friday, May 4, 2018

Threat Round Up for April 27 to May 04


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between April 27 and May 4. As with previous roundups, this post isn't meant to be an in-depth analysis. We'll summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats is non-exhaustive and current as of the date of publication. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org or ClamAV.net.

The most prevalent threats highlighted in this roundup are:

  • Win.Dropper.Yakes-6527307-0
    Dropper
    This malware family sets up persistence on target systems by adding a registry entry to HKLM\Software\Microsoft\CurrentUser\Run. It also uses netsh.exe to modify Windows Firewall rules to allow a DLL to communicate externally.
  • Win.Ransomware.GandCrab-6526409-1
    Ransomware
    Gandcrab is a piece of ransomware that encrypts documents, photos, databases and other important files, and adds the file extension ".GDCB" or ".CRAB".
  • Win.Dropper.Tiggre-6526413-0
    Dropper
    This malware is a trojan spyware. It will exfiltrates information from the victim's PC and sends it to a command and control (C2) server controller by the threat actor.


Threats


Win.Dropper.Yakes-6527307-0



Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: internat.exe
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value: stplck
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Shas
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs
  • <HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig
Mutexes
  • N/A
IP Addresses
  • N/A
Domain Names
  • N/A
Files and or directories created
  • N/A
File Hashes
  • 212459961e8c3c574cefadaf422e3226c169f01593d480cdf303dceae56e200d
  • c4a606577fe097b9f3eb9ad1bf3e3d95f917383c765ba929b428fdb8bd17f44c
  • ac7b2901d2dffff27e27c4e2889f729496b94c4ffef3802391f7aefd837f6109
  • 50d4bc39a6a426f9980a64bc464703dabe3ea4fa183265c66cb3d1c8adf82ddf
  • e5bf1ff23ec9b7977e28643ba1102adb96576166de6e749c15f0fd54e8379a45
  • 1d0a138b233dd25cfba925034778bc05e911407633385de30ebe15be61984bae
  • bf131b8194cdc3073adc2913e3133d049361cc0d8ffd09161e71c537abbc9b46
  • 4b581e236cd18568b32a67356c31a86799393edaad60af2b8dbba8babe3ebeb1
  • 0d6f846d3a96d84279a28b990201473882ffa08d733300b0da19e7897580d0e1
  • d77b972781dcf37a1c6a8f3d17077db8ef83f01f0e6449595836dafde9dabd13
  • 76dc4a0faea60ed479dca96a57faa6eb4249665d32f23530ae57ebe63a1911b3
  • f8d14cf852d1a450866d4749733dca06ce08f0b48534874b46218d671526eef5
  • d377c493b98ffbf9dcc3b9938441f628de5bef99078b1351b6c0088f3ca87483
  • ff06a02731588c4dd5b78584f5342739f4b65c37cfb34d73380d8e98a66fa18e
  • d76273353bf949dafe1afb1ee27c19efd1221e8cc3bc9eb7cba1d18089b7ff4f
  • c2ff1b2e48e269a22f10d7a89d2483af007fad5ac21d417e213802aaa0403870
  • cc52ae1383c424b2481b3e975aa0b6c93061e63c28b7f93935222e474b75fae6
  • 39cd2440d772085b1f2b84e524363a6e260eef6f2031300b9b6e02e433010419
  • 3a5cff60f6dce5a0f264921838486ce9a7f48c2d897eb57886211bc99130d132
  • 14b2f4fb032f20cedbdd692dcc1a8cefcd445a94198f58adc474fee8dc7d57af
  • cd5ac2fd508dc3db95995fc643090f73581d937ac7620e058b7bef011e5c7eed
  • 3015144e74631e7990953621367f33a673dea745154e904147532239ae5fedc6
  • 26498d8b242924cad96dea24b39d5df88850c24c5e567db646c8d20891e87ab2
  • 35f0da1890f512f1185cf1502306c641cc9a6a28060b387e33d638bda22a5e96
  • ed57490c6876bf5d420841bdf5bf79002c323ea29b1e4b74093eb40290abb821

Coverage


Screenshots of Detection

AMP


ThreatGrid







Win.Ransomware.GandCrab-6526409-1



Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: SavedLegacySettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: DefaultConnectionSettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
    • Value: azpprnrnrcq
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • Value: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
  • N/A
IP Addresses
  • 66[.]171[.]248[.]178
Domain Names
  • NS2[.]VIRMACH[.]RU
  • politiaromana[.]bit
  • ns1[.]virmach[.]ru
  • ns2[.]virmach[.]ru
  • ipv4bot[.]whatismyipaddress[.]com
  • malwarehunterteam[.]bit
  • NS1[.]VIRMACH[.]RU
  • gdcb[.]bit
Files and or directories created
  • %AppData%\Microsoft\auzyuj.exe
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\7TZAD419.htm
File Hashes
  • 7b9b8f829674aa2eb6a64413c242597e3a2f6f4b1aa4c9f6309be3877180209f
  • 6c1521794b8232598e0fee70656da09528e8acac1e3ccb443e8cc9efb4a43d83
  • eb27a047448f0d5901cda8d4e47854a26acd602bc3d89eebdc0768ad053b0c2f
  • d880eed2076d1e0ce0d019e029b503dae291aa620f5624ba7c40f21a0f425e77
  • 311746c6767acda1e4cb18471642a1fea312a5e00aa69098c8f84de0846da311
  • 7a89a0ac5ef495b7198dbdf91d06f21b976a70ad693c1236116a5eb0dac087a7
  • 8b59359e89fbddfd85ac6af0641ebec1881aa7c28a6479205b876abdc47fc8bb
  • 740528b18d963721e598cbf35e42df5929cd0c3ee90c41853063174c05d5d689
  • d1901ded57b17e405c68f235db33d7be48cef6b0a9a45eb58de7b771b7582004
  • dd387d1748454444a8990cae3d0a46b9c11d5addc9830bac55013a2db15dbd16
  • 022995fa1ce1451aac2d87c8b85cdddd68f5bea4563c3af98987c4d3dca2f824
  • 6b3a7117a457273d4016243892b86456ae9d1acd35eb770702363ce55b938e1a
  • d71337186b871ad011ae9b1f568290997ec445f468702273a68a7f5366bfb2d9
  • dd57a216c5482daa9ffe0764e144bda881fd5e47d27c5b716d2d71ae471bc624
  • 7c99916b0478a4cbc8c94aeea5aa6b90f8056461c4881fdb645dabe98a1ee190
  • 2f73091f77c899d4ad8df765088d7602081e0a570cb1d26da030c64781ab0172
  • 4b64922b694e26c5abcd2bf8ba9954520009e4c1088e4ce9417fb2d06a2c79db
  • f7961fecbaf223b8318e50cbea4822c3a7da106ecb2a8411d03af5aee6328812
  • a62bd1ff7efca64002d5831c3ea43cb713f8501e2c83bd30ab60d91047d45a72
  • 9b162db4b38c2b650d2521e1de8c56cb0fc5b56aebcedf27c9d35f51e12a717a
  • 0678aafb4eb91d68de4c9354e4a254ece02422cbb43157ae06b5b925a1165992
  • eea453fe669f09bc36259544063528ceac9153caf597e5ca27801cfb7e8db3be
  • 4b53ebc0f9a4678c012151171718731e98d45f806b170ca04c7b2510b0e7c116
  • af2705303549459628dfa11354c4fa16ecf13c45453d16c819a8cd6c26d5cee1
  • 280d97ae7c5e478c185f5ea86e5fd214b0023539f7623be7c9500489309f85a1

Coverage

Screenshots of Detection

AMP


ThreatGrid







Win.Dropper.Tiggre-6526413-0



Indicators of Compromise


Registry Keys
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: SavedLegacySettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
    • Value: DefaultConnectionSettings
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
    • Value: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: UNCAsIntranet
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DhcpDomain
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS
    • Value: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpDefaultGateway
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpDomain
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpNameServer
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpSubnetMaskOpt
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpInterfaceOptions
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpNetbiosOptions
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS\INTERFACES\TCPIP_{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}
    • Value: DhcpNameServerList
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\NETBT\PARAMETERS
    • Value: DhcpScopeID
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
    • Value: CachePrefix
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\PORTKEYWORDS\DHCP
    • Value: Collection
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
    • Value: CachePrefix
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoDetect
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyOverride
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value: AutoConfigURL
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value: IntranetName
  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value: PnpInstanceID
  • <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • <HKLM>\Software\Wow6432Node\Microsoft\DownloadManager
Mutexes
  • N/A
IP Addresses
  • 104[.]238[.]156[.]230
  • 45[.]76[.]241[.]231
Domain Names
  • down[.]kaidandll[.]com
  • api[.]new-api[.]com
Files and or directories created
  • %LocalAppData%\AdService
File Hashes
  • d51890673d1a7cd7de5eecd76a54211b3cebb15058ec22dce44bfabb3ef86ec0
  • 939d208be5589007d24178a92620411e2c6d84387c790699e57cb52e063a5348
  • 03d61dc3fc8d70e0075081d3e02f520861f342f7ec1c4b1cbaf895f995d38b4f
  • 77d36423c105319a4797d0c70acd6858416cf87111ff843eef23e2b30ad0b473
  • c87547487236791ff3dc1d6daef854825fb49f0ad5c96b69037dba7b08185841
  • 9cbb5dbb783671ffbfa65ce3b5053259536de48f0d64312e5c46e6cf49d9c901
  • ae6f4e3c68704c99db60617c09405ffcd914141f6147f7234bc5639105fb702b
  • 876b2e195cbc70915501f15a41b6f4e5b447985683427ba36d392bb0907ad021
  • 575d3e31f44e5af6fb84ad47d6b5556338b3f092847e49366358a0523b34cda0
  • b5ace9a48d9b304066b4d355921495cf32d3a8b303b2f82800ef11556b310474

Coverage


Screenshots of Detection

AMP


ThreatGrid

No comments:

Post a Comment