As usual, we are bringing you the weekly Threat Roundup to highlight the most prevalent threats we've seen between June 15 and 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and is current as of the date of publication. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threats highlighted in this roundup are:
- Win.Dropper.Generic-6584427-0
Dropper
This dropper attempts to allocate a memory region with the flag PAGE_EXECUTE_READWRITE in order to inject malicious code into it and then execute it. These samples also contain TLS callback entries, which allow malware authors to execute malicious code before a debugger has a chance to pause at the traditional entry point.
- Win.Dropper.Fareit-6584428-0
Dropper
The Fareit dropper injects code into legitimate system processes, usually through an evasion technique called process hollowing. Some samples may use VB scripts to carry out part of their malicious activity, and they modify autorun registry keys to maintain persistence on the host.
- Win.Dropper.Zbot-6584477-0
Dropper
Zbot (also known as Zeus bot) is information-stealing malware that targets users' banking credentials. You can read more on our blog: https://talosintelligence.com/zeus_trojan.
- Win.Trojan.Generic-6584512-1
Trojan
This trojan is sometimes related to the Emotet malware family. It creates a copy of itself in system directories such as C:\Windows\SysWOW64\. It is also capable of uploading files containing information about the infected system to remote servers, and it registers a file as a service under the Current Control Set in the system registry.
- Win.Malware.Installcore-6584374-1
Malware
This adware creates a copy of itself in %APPDATA% with the "tmp" extension. Some samples contain a library reference to the SetWindowsHookEx function, which could be used to monitor keyboard or other user input and could indicate keylogging capabilities.
- Win.Trojan.Jaik-6584366-1
Trojan
Jaik contains a library reference to the Visual Basic runtime DLL, which allows the process to run Visual Basic scripts directly or internally. It also attempts to allocate a memory region with the flag PAGE_EXECUTE_READWRITE in order to inject malicious code into it and then execute it.
Threats
Win.Dropper.Generic-6584427-0
Indicators of Compromise
Registry Keys
Mutexes
- 8-3503835SZBFHHZ
- O957R401SY5ZZzJz
IP Addresses
Domain Names
Files and/or directories created
- %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
- %LocalAppData%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
- \PC*\MAILSLOT\NET\NETLOGON
- %WinDir%\AppCompat\Programs\RecentFileCache.bcf
- %ProgramFiles% (x86)\Bzv1lxh98
- %ProgramFiles% (x86)\Bzv1lxh98\igfxnpttjhuh.exe
- %LocalAppData%\Temp\Bzv1lxh98
- %LocalAppData%\Temp\Bzv1lxh98\igfxnpttjhuh.exe
- %AppData%\O957R401
- %AppData%\O957R401\O95log.ini
- %AppData%\O957R401\O95logim.jpeg
- %AppData%\O957R401\O95logrc.ini
- \TEMP\tmpQDq_1r.exe
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Dropper.Fareit-6584428-0
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- <HKLM>\Software\Microsoft\Fusion\GACChangeNotification\Default
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Mutexes
- N/A
IP Addresses
- 216.146.43.71
Domain Names
- checkip.dyndns.org
Files and/or directories created
- %AppData%\MDU Resources Group Inc\MDU Resources Group Inc.exe
- %AppData%\MDU Resources Group Inc
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Dropper.Zbot-6584477-0
Indicators of Compromise
Registry Keys
Mutexes
- N/A
IP Addresses
- N/A
Domain Names
- roster.su
- etot.su
Files and/or directories created
- %LocalAppData%\Temp\tmpb550dbcc.bat
- %AppData%\Ikywz
- %AppData%\Ikywz\opmaf.exe
- %AppData%\Meen
- %AppData%\Meen\moibq.aqy
- %AppData%\Zulie
- %AppData%\Zulie\ylhib.ecf
- %LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat
- \TEMP\tmpWfEKb5.exe
- %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
- %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\faf08ed1-edb0-448c-809a-73cb275c3833
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Trojan.Generic-6584512-1
Indicators of Compromise
Registry Keys
Mutexes
- PEM1A4
- PEM938
- PEMB6C
- PEM570
- PEM6D0
- PEM53C
- PEMB18
IP Addresses
Domain Names
Files and/or directories created
- \srvsvc
- %WinDir%\AppCompat\Programs\RecentFileCache.bcf
- %System32%\config\SYSTEM
- %System32%\config\SYSTEM.LOG1
- %WinDir%\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- %WinDir%\SysWOW64\wrGwEEi.exe
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Malware.Installcore-6584374-1
Indicators of Compromise
Registry Keys
- <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\CONTENT
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\COOKIES
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\CACHE\HISTORY
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\CONNECTIONS
- <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
- <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
- <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
- <HKCU>\Software\Microsoft\Internet Explorer\Main
Mutexes
- !IECompat!Mutex
IP Addresses
- 35.163.153.35
- 52.206.6.222
- 52.42.47.197
- 34.218.108.244
Domain Names
- rp.totikik1.com
- os.totikik1.com
- os2.totikik1.com
Files and/or directories created
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid
Win.Trojan.Jaik-6584366-1
Indicators of Compromise
Registry Keys
Mutexes
- 8-3503835SZBFHHZ
- O247ST8-UYZ6KDCz
IP Addresses
Domain Names
Files and/or directories created
- \PC*\MAILSLOT\NET\NETLOGON
- %AllUsersProfile%\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol
- %LocalAppData%\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\Policy.vpol
- %AppData%\O247ST8-
- %AppData%\O247ST8-\O24log.ini
- %AppData%\O247ST8-\O24logim.jpeg
- %AppData%\O247ST8-\O24logrv.ini
- %ProgramFiles% (x86)\L0xbx
- %ProgramFiles% (x86)\L0xbx\winztqlgh18.exe
- %LocalAppData%\Temp\L0xbx
- %LocalAppData%\Temp\L0xbx\winztqlgh18.exe
- \TEMP\tmptxf6QC.exe
File Hashes
Coverage
Screenshots of Detection
AMP
ThreatGrid