Friday, July 5, 2019

Threat Roundup for June 28 to July 5

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 28 and July 5. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Packed.Bladabindi-7008528-0 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone.
Win.Trojan.Gamarue-7008527-0 Trojan Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Worm.Vobfus-7008428-0 Worm Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Packed.Zeroaccess-7008376-0 Packed ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
Win.Malware.Upatre-7004553-0 Malware Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.Gh0stRAT-7003946-0 Dropper Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks.
Win.Malware.Ramnit-7003027-0 Malware Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also has the ability to steal browser cookies and attempts to hide from popular antivirus software.
Win.Dropper.TrickBot-7003081-0 Dropper Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Malware.RevengeRAT-7004697-0 Malware The RevengeRAT remote access tool allows the operator to perform a wide range of actions on the infected system, including eavesdropping on the user, exfiltrating data, and running additional malicious software.

Threat Breakdown

Win.Packed.Bladabindi-7008528-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas 14
<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs 14
<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups 14
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI 14
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500
Value Name: di
14
<HKCU>\ENVIRONMENT
Value Name: SEE_MASK_NOZONECHECKS
14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: ParseAutoexec
14
<HKCU>\Software\c7434f9594f3950a2e05d45cc97e0b51 14
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c7434f9594f3950a2e05d45cc97e0b51
14
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: c7434f9594f3950a2e05d45cc97e0b51
14
<HKCU>\SOFTWARE\C7434F9594F3950A2E05D45CC97E0B51
Value Name: [kl]
14
Mutexes Occurrences
c7434f9594f3950a2e05d45cc97e0b51 14
Unknown 10
Global\ecc6d100-9d83-11e9-a007-00501e3ae7b5 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
starwydadi[.]ddns[.]net 14
Files and or directories created Occurrences
%TEMP%\winup.exe 14
%TEMP%\dw.log 10
%TEMP%\89A2.dmp 1

File Hashes

02391e42f63b5367dd990e4327dc12dfaa24ea51e96a2ae52ba3de90c732d112 02c044948ea9f53a2ab5740af1688038ed5f0b863ce1de01caf8add16dd7f595 02c34b54efedc2927061af36e7726f1545b18842ab4df21e033e90d2d153dd45 03423dab0bddc03e0cffd0f9a5b9860fc58d4cf8a3b18b6f41afe66f6b193d97 044f80bf00154486576861f9305f13aeb3152893ccc1894e89237d5964cb3791 069615e1617ba0247fee741f107516e7bf67ba227d34d44b301bb1053f2b252b 077287b6cedd20cbf323939a3d14f080ddc1489dcf9d4989764cb09cd577b205 07dc6f0502e5689ec3cc8bc8e91323084bcb028fed68a1d407c1d25364e7ad07 07f3a667a62d0ec2cb36bafd67e0b2c8e59a62223179bfb3fe8629195bbb8ed4 090856974744db766df4757083b3dadb518dfd0e3ef1c96eee63cd7076151c4c 0c5faa63bdaa0026ab4ddbce9ccb3dfb31226befc7f5e1b38873a1d2e299f1c2 0ec95d587d006803cad956a88e6a5812c3ece5b03716cdfd9fe94ce0dd3725ee 0eed80e6a87334a1c24891bb9a0fe5c8b9cd8a92167eabcbae1b5728dc5a1e93 0f56694a00ff58c317303cdf6976e81a95cb71156e79c29ee97a32cf8600c233 0fd0606df5a28446ba55b449c8276477f3dc17dadfd8897b02fddd8e70f4dc3c 101a22afcaa749c11d119751cf03c96b8fdd2bdfc759e30a1215d19fcb4ce0c2 117c818509b04bb51ccd89cffb9e59b71dc32d73d372d01517094d1516cc58d9 13e1e5dd28c015f418232c75d88a742e5102bda4b276e90c60dc588281b0e20d 14f0f8c7ab95de503728d70d30efeae2df255f2919e9ffb61d86c728d79d54d6 154d32a8d39c2a55e71a23e126cbb141bf2a860cef997a092bd5e987f463fb64 15b960b6c2eeaed4f2d8ea53172d1bfc403a36e570c92e2a569ed4b7e781e304 1711e3dd4c2a37ee762798b13e78b2aaf1f92862089055e36d4e3889bd3cacb9 179102ea1a9e3eeac268236fe006e250625376764e931f22dd41125ddf640f6f 1804e34830d4f49a6e9686d195fdd7c178fccc31841385e8fc9a712bcd22a711 18d89015080e39d8bd13c550ecef302727f58beea070897cb62d53162b7707ed
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid




Win.Trojan.Gamarue-7008527-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Microsoft Windows Manager
24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452834348584929485695758050\winmgr.exe
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452048050540508045\winmgr.exe
6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050324589790225392040235\winmgr.exe
4
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-505045204850142040560305045\winmgr.exe
3
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050402562050603850256869070\winmgr.exe
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452042050540508045405080\winmgr.exe
2
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST
Value Name: C:\Windows\M-5050452048050540508045405040\winmgr.exe
1
Mutexes Occurrences
t6 6
trk16 6
t50 4
trk12 3
t59 2
t20 2
t18 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
195[.]22[.]26[.]248 24
199[.]247[.]8[.]13 24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
srv1300[.]ru 24
srv1400[.]ru 24
srv1000[.]ru 24
srv1100[.]ru 24
srv1200[.]ru 24
TRKHAUS[.]RU 12
ad[.]yieldmanager[.]com 5
audience[.]tapad[.]com 5
docbook[.]org 2
nwalsh[.]com 2
Files and or directories created Occurrences
\??\E:\autorun.inf 24
\autorun.inf 24
\??\E:\Secret.exe 24
\??\E:\Documents.exe 24
\??\E:\Movies.exe 24
\??\E:\Pictures.exe 24
\??\E:\windrv.exe 24
\??\E:\Private.exe 24
\Documents.exe 24
\Movies.exe 24
\Pictures.exe 24
\Private.exe 24
\Secret.exe 24
\windrv.exe 24
\??\E:\Music.exe 20
\Music.exe 20
\??\E:\Porn.exe 12
\??\E:\505050.exe 12
\505050.exe 12
\505040.exe 12
\Porn.exe 12
E:\505040.exe 12
%TEMP%\njabdkadwvuiajkdlawuvi1ba 9
%TEMP%\05 - Exchange.mp3 6
%TEMP%\g3OdSbf__bigger.jpeg 6
*See JSON for more IOCs

File Hashes

1f4cf029dfbf7eb7ab7349a996c714929ad997be0e09311777b84b75d8f2163b 459a89a03a6f46e5901f2c2ce54b2c47dd12777eb4b0d95caa7cf00394b5a862 50fcf4110822d9272e706ac3661f5374a00ffed48da20f6f1503c612288ca2a9 59c9b977a95e516ffffd77a72e16314a80df92cd1d59b0b16f7e1f06e72a2398 5b31e2845b9ff0c262f09eb2ea2b4cc6896eb78402c4fddf41c76fe1ebf37b79 673dfd5ddcc565679db5739f992e0b4de8c61c1628aa151cf690278afe28fa23 86982deca7af6d4d0cf0118afec263b97d4a5975eec187093d1f730334e35144 8ce0ab86f7d3fb858373ae9bc44dc058d7f4322d56d38d0b32e485c9bb27c630 9ad466fb4e695905f2c8328fef7b4917c4c97ca2377c2002ad5cea3892b69a62 a004a9cf108c93981ad0f5891215169376336c9e13cffb2fe56e68d1af5d75f6 aecde0e15dae5f0fdac6f927f39341b40158898554b25739c7cfbbc88442ddb7 b07245addc6dac3ec4c4e258016ca457d56474ad93c11b43d0b55b6f4a5e5b5d b383ca1d776204776c643a020e71bcce8990ec6768de84e7ed6fe5bef7d692d7 c3f480a13b31de10baca5e1973ff774453c6c298b13781ace209523f055a9d74 c6faca00d7e4fa656c574de14d475bccd353aa622495a8a475f4fc52031c658d c79b3cc43f74d8b0afc8db7b1d7fefe694076b06b97c7dde85f561cdb132c529 d0293d2660844495ee219f03a9a0a13ba8b364c510f65c8325367649db499cc6 d5c3e89984dcf0346a8726bd95bc00bfc269bb96c991db729c3068aa08e18f01 d6029469cfe0aa53e619ac0a3311f9b56663be048ed51e3fdb6fdde6a5e4f07c d871f17f1609e257ee0586cc9bce74acf1d0289cf9a8264b62cb4ba82b6a94c3 d97fe58b643226abaa1f9bf4ef8acd0c7810cab3d048503f4a84cd0cf196b970 e7ba39323ddb88229cb9339e051da857a2ed5c243f2d8ea41dbd6ae70117eaf6 e8531ab3f02f293c3eb42067ba92ee8cf1513201fd4089ad0db570dc2218cb2c ec58b08efd428ad04d32f3d883b1a693cfe97fff89385d9fc8b01535b2ec2052 ef8bb975c2ec5413dfd82ea1b161ad50ba684f7f01b1e2a8bf12a41ac8a58148
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid



Umbrella




Win.Worm.Vobfus-7008428-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\KAVSVC.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\FPAVSERVER.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EWIDO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CPF.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLAMAUTO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BULLGUARD.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSASCUI.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WERFAULT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\UI0DETECT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CTFMON.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WUAUCLT.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIJACKTHIS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAM.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMGUI.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MBAMSERVICE.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIESVC.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEWUAU.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEBITS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIECRYPTO.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIEDCOMLAUNCH.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SANDBOXIERPCSS.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SBIECTRL.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\COMBOFIX.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PEV.EXE
Value Name: Debugger
13
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\HIDEC.EXE
Value Name: Debugger
13
Mutexes Occurrences
©Úü×À»¢Íéõèò© 13
\BaseNamedObjects\ 13
Local\https://www.hugedomains.com/ 13
Local\https://tiny.cc/ 11
Local\https://www.google.com/ 1
Local\https://www.ashleymadison.com/ 1
Local\https://www.jcpenney.com/ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
72[.]21[.]81[.]200 13
172[.]217[.]12[.]138 13
172[.]217[.]9[.]238 13
72[.]52[.]179[.]175 13
216[.]87[.]78[.]25 13
172[.]217[.]10[.]227 13
18[.]211[.]9[.]206 13
107[.]22[.]223[.]163 13
204[.]79[.]197[.]200 12
104[.]25[.]37[.]108 12
67[.]225[.]218[.]50 12
192[.]241[.]240[.]89 12
23[.]20[.]239[.]12 12
185[.]53[.]179[.]29 11
104[.]25[.]38[.]108 11
172[.]217[.]6[.]226 11
104[.]20[.]2[.]47 11
104[.]20[.]3[.]47 11
172[.]217[.]10[.]36 10
172[.]217[.]12[.]131 9
104[.]28[.]29[.]32 9
104[.]20[.]218[.]42 8
172[.]217[.]15[.]72 8
172[.]217[.]15[.]100 8
13[.]107[.]21[.]200 7
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fonts[.]gstatic[.]com 13
static[.]hugedomains[.]com 13
c[.]statcounter[.]com 13
www[.]directorio-w[.]com 13
sstatic1[.]histats[.]com 13
www[.]easycaptchas[.]com 13
www[.]hugedomains[.]com 13
secure[.]statcounter[.]com 13
HDRedirect-LB6-54290b28133ca5af[.]elb[.]us-east-1[.]amazonaws[.]com 13
directorio-w[.]com 13
cdnjs[.]cloudflare[.]com 12
bit[.]ly 12
www[.]gstatic[.]com 12
www[.]google-analytics[.]com 12
parking[.]parklogic[.]com 12
www[.]qseach[.]com 12
tiny[.]cc 12
cdn[.]pubguru[.]com 12
ajax[.]googleapis[.]com 11
ib[.]adnxs[.]com 11
securepubads[.]g[.]doubleclick[.]net 11
www[.]googletagservices[.]com 11
d1lxhc4jvstzrp[.]cloudfront[.]net 11
ssl[.]google-analytics[.]com 11
fastlane[.]rubiconproject[.]com 11
*See JSON for more IOCs
Files and or directories created Occurrences
\??\E:\autorun.inf 13
\autorun.inf 13
%APPDATA%\Mozilla\Firefox\Profiles\1lcuq8ab.default\prefs.js 13
%APPDATA%\Mozilla\Firefox\Profiles\iv5rtgu3.default\prefs.js 13
%HOMEPATH%\27F6471627473796E696D64614 13
%HOMEPATH%\27F6471627473796E696D64614\winlogon.exe 13
%System32%\drivers\etc\hosts 13
\??\E:\$RECYCLE.BIN .LnK 13
\$RECYCLE.BIN .LnK 13
\??\E:\System Volume Information .Lnk 13
\System Volume Information .Lnk 13
%HOMEPATH%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences 13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP 13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505 13
\??\E:\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505\Desktop.ini 13
\lE8z54f35yL4uFzESl0145FQ0e8zzsyhXVP\S-1-3-01-4631041401-4114748267-464015834-1505\Desktop.ini 13
%HOMEPATH%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\Z17N57WM\www.hugedomains[1].xml 10
%APPDATA%\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A 3
%APPDATA%\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A 3

File Hashes

c037253e276f68915f94a880ef6092f6a2a9e2a22dde3752b1a189e7392bb1c2 c9664af8c4a783ba1837929d8fbe97222a9e08ef44849d0bd3fbdd5fd3771056 d79ea7f8669da09b2a8871d5d52c046e5730edd4806228bff088fdcf60dc492f e2dfd666cf32d2825de8a84339c1a2329ccfd986164fad48190a9420b37c32d9 e895fb316f2c6e59edd5b57c98df52ac7a8cff2b08f7e6fbd57623e6608d7c70 ef995680626316921a87d60298208aa1a7337e6b8582e859fa12027909512ea1 f0e508c2ac7a24a070a1478f9cc27e3a78357fa7c3f76ca3592637eafcd5dec8 f12b6897b528bee20e2cb54f5b445d141948ae5361b6ef21b495777ecc92aaf2 f67f73d39c0fade143d1cc30c8a5f1b823ef4cf91dc45314fb51e714d179c3fe f9722379fe4ce4cd008143cb3c4cfeb4b5b4ba695ddaf1fee839a9ab368d1d8d fa4c827d119b5a98f40027dcbbdc9c3bddfdc38511772de7e4ade6bffbd5b2f9 fb4ff852fbee72185cc989143092f2f580c4997b51504da59bd873024254660e fb854a98e62eaab30f6bdb26d2ab655770dbec021e4dc62bc276fa761ff0d165

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Umbrella




Win.Packed.Zeroaccess-7008376-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
10
<HKLM>\SYSTEM\CurrentCo
ntrolSet\Services\SharedAccess\Epoch
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\Epoch 10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER
Value Name: Start
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC
Value Name: DeleteFlag
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Type
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: ErrorControl
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE
Value Name: Type
10
Mutexes Occurrences
Global\{9a937ad1-c80e-6934-b9b5-3afedfb64be2} 10
{9a937ad1-c80e-6934-b9b5-3afedfb64be2} 10
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]200 10
64[.]210[.]151[.]32 10
13[.]107[.]21[.]200 5
83[.]133[.]123[.]20 5
208[.]100[.]26[.]251 1
154[.]214[.]250[.]73 1
62[.]60[.]251[.]244 1
180[.]215[.]207[.]110 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
promos[.]fling[.]com 10
12geg23[.]cdn104[.]uploadetchosting[.]com 2
12geg22[.]cdn104[.]uploadetchosting[.]com 2
12geg1q[.]cdn104[.]uploadetchosting[.]com 1
12geg1s[.]cdn104[.]uploadetchosting[.]com 1
12geg1t[.]cdn104[.]uploadetchosting[.]com 1
12geg1w[.]cdn104[.]uploadetchosting[.]com 1
12geg1y[.]cdn104[.]uploadetchosting[.]com 1
12geg21[.]cdn104[.]uploadetchosting[.]com 1
Files and or directories created Occurrences
%TEMP%\IXP000.TMP 10
%TEMP%\IXP000.TMP\TMP4351$.TMP 10
@ 10
L 10
U 10
%System32%\logfiles\scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 10
\systemroot\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f} 10
\systemroot\system32\services.exe 10
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\@ 10
%System32%\services.exe 10
%TEMP%\IXP000.TMP\C32938~1.EXE 10
%TEMP%\IXP000.TMP\reloaded.exe 10
%APPDATA%\msrfa.dll 1
%APPDATA%\pibis.dll 1
%APPDATA%\wisnge.dll 1
%APPDATA%\wsrmg.dll 1
%APPDATA%\nscizr.dll 1
%APPDATA%\wshufx.dll 1
%APPDATA%\bgnsoc.dll 1
%APPDATA%\mcrdr.dll 1
%APPDATA%\zrshu.dll 1
%APPDATA%\mstemf.dll 1

File Hashes

1a45f21c4e9da8fe25dee15d791d14525ff229c3e0330d17af76477391c9cd5e 37ac22156718afc2837f23f12e032530f464083c7204644aa3ce2fb0676a149d 5ca82ac85c65d79b8069ec7b41b3ab212d22bf014eaccd712ed30294a23cfa6f 6c2df30ebf956363eed646fa1032395186c303e20e859f561d0bda1ebc5de002 8b91726726c5b33f1a4aa3efa0184209bee0fb26c919d748f078e887d3ddd0f8 9127e176fa15d685992b36d6781d79dee5c5994431a021d13f78f3328168cd04 b9aa60607427eedf69bfa2058c0476f8b673955ba7701b710a44ba02edcf9c36 c5f5861f4c4a560396fa5c20394515b5147d97427cba2e37c5d114738d9dcf31 d239e098f814f0350a81ade67000be01f91a8007833823d5f2e6c782a3b5552b f40030bec4290e152e63064e90b4fda8f3314f5b1ac98eb298f2993c85b93f24

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid




Win.Malware.Upatre-7004553-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE
Value Name: Blob
14
<HKCU>\SOFTWARE\MICROSOFT\Vunadiikify 1
<HKCU>\Software\Microsoft\Ejluzaduy 1
<HKCU>\Software\Microsoft\Hofoaldyospa 1
<HKCU>\Software\Microsoft\Byypjecykuan 1
<HKCU>\Software\Microsoft\Pekuymgu 1
<HKCU>\SOFTWARE\MICROSOFT\Uswyloyhujmo 1
<HKCU>\Software\Microsoft\Weqyireluz 1
<HKCU>\Software\Microsoft\Ahulbupagupi 1
<HKCU>\Software\Microsoft\Yvuwdefusuyx 1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 16864bd5
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Kapya
1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 2ai47ccj
1
<HKCU>\SOFTWARE\MICROSOFT\YVUWDEFUSUYX
Value Name: 1b0jgcdj
1
<HKCU>\SOFTWARE\MICROSOFT\Ifrytaacpiu 1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: ebecgbi
1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: 9e6eb40
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Syyqx
1
<HKCU>\SOFTWARE\MICROSOFT\IFRYTAACPIU
Value Name: 1eb88i7e
1
<HKCU>\SOFTWARE\MICROSOFT\Asohubtafib 1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 292fjjef
1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 24a073d5
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Hoavt
1
<HKCU>\SOFTWARE\MICROSOFT\ASOHUBTAFIB
Value Name: 3jcbf77
1
<HKCU>\Software\Microsoft\Ocidrajiasze 1
Mutexes Occurrences
Global\{C30C6CF2-932B-408E-55BA-04D54CAC27C8} 16
Global\{566D79B0-8669-D5EF-55BA-04D54CAC27C8} 16
Global\{C8D239CA-C613-4B50-55BA-04D54CAC27C8} 16
Global\{C8D239CB-C612-4B50-55BA-04D54CAC27C8} 16
Local\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8} 16
Local\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8} 16
Local\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8} 16
Global\{73DE6ED9-9100-F05C-55BA-04D54CAC27C8} 16
Global\{A5D858EA-A733-265A-55BA-04D54CAC27C8} 16
Global\{A9348FD8-7001-2AB6-55BA-04D54CAC27C8} 16
Global\{A9348FDF-7006-2AB6-55BA-04D54CAC27C8} 16
Local\{C8D239CA-C613-4B50-55BA-04D54CAC27C8} 16
Local\{C8D239CB-C612-4B50-55BA-04D54CAC27C8} 16
Local\{E9745CFB-A322-6AF6-55BA-04D54CAC27C8} 16
Global\{B665CB4B-3492-35E7-031D-B06E1A0B9373} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
184[.]168[.]131[.]241 16
68[.]235[.]37[.]83 16
94[.]64[.]68[.]197 16
190[.]37[.]207[.]199 16
71[.]91[.]43[.]179 16
79[.]187[.]164[.]155 16
63[.]227[.]34[.]28 16
178[.]116[.]48[.]217 16
86[.]135[.]144[.]6 16
94[.]189[.]230[.]78 16
206[.]190[.]252[.]6 16
86[.]140[.]35[.]54 16
59[.]90[.]26[.]49 16
123[.]203[.]139[.]252 16
86[.]158[.]144[.]27 16
75[.]87[.]87[.]199 16
84[.]234[.]151[.]23 16
222[.]96[.]81[.]59 16
172[.]245[.]217[.]122 16
58[.]252[.]57[.]193 16
103[.]14[.]195[.]20 16
108[.]230[.]237[.]240 16
172[.]217[.]10[.]68 10
172[.]217[.]10[.]36 4
18[.]233[.]6[.]11 4
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
kofinyame[.]com 16
california89[.]com 16
www[.]california89[.]com 16
fquxszdtduirtabaguyqcyxwgu[.]com 3
kbbqhhqsthaoflrodxoftwjn[.]ru 3
vkljvwgzxtaltwdpso[.]ru 3
eivsovswuswxlrecqxytmv[.]biz 3
izfupirthqqhtdmrsgizi[.]org 3
aqyldvcucbivwcuzltqszlwuiv[.]com 3
dqxcpjxrkpvkrscvoibusskxkcx[.]com 3
kfeyrgzheujramjvdebmfih[.]biz 3
llbmbyozculfxljkrdaetkzofv[.]info 3
qxwguplvcyswhiciqoylyhijrcvo[.]biz 3
belzrwyugfulnrtsvwwjfzttk[.]ru 3
ofdyvgdenbrwizswrgrshnvifzemam[.]info 3
tobeugnjhuczhucepcedyfyx[.]net 3
dieqgetxwlvwcxklrjboffi[.]info 3
emfetgfafeeygpxvshmbyxwsof[.]biz 3
xwlvzlnvzlwkplbtodmrtgl[.]com 3
jnaqjrmfjzcepvcxgcyeaxhwcy[.]org 3
mrbyprkqkemlnpzbtjnwkkvts[.]org 3
lfydktrtcydhfuycuxcp[.]com 3
nvzpfuwvmfbadnvvjrhipskem[.]net 3
lixsgurgbcmamxkqkqijfapcmrk[.]info 2
qkhfeydhaixcdvkbgihqqhq[.]com 2
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\NTUSER.DAT 16
%HOMEPATH%\ntuser.dat.LOG1 16
%TEMP%\budha.exe 16
%TEMP%\kilf.exe 16
kilf.exe 16
%SystemRoot%\SysWOW64\secur32.dll 14
%SystemRoot%\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll 12
%SystemRoot%\SysWOW64\winhttp.dll 10
%SystemRoot%\SysWOW64\webio.dll 7
%TEMP%\OVQEBB9.bat 1
%APPDATA%\Awdei\tyun.exe 1
%TEMP%\QXY4CCB.bat 1
%APPDATA%\Ingue\epxiur.exe 1
%TEMP%\RSQ2CE0.bat 1
%APPDATA%\Olvyq\juwe.exe 1
%TEMP%\PJM7E60.bat 1
%APPDATA%\Almenu 1
%APPDATA%\Almenu\anozyb.exe 1
%TEMP%\YYN5BA3.bat 1
%APPDATA%\Jasit\xequ.exe 1
%TEMP%\KMN5AE0.bat 1
%APPDATA%\Azwia\wiziny.exe 1
%TEMP%\JWJ9A47.bat 1
%APPDATA%\Comomi\afve.exe 1
%TEMP%\NYW5A92.bat 1
*See JSON for more IOCs

File Hashes

014f7b0000b4959505cc055eb5c91283919f7e9596b9d375a15966808f3cac40 03ef7f307a4014590af1936ce69ef7f7e77fd34ecc1b553f4064a2fd4481b799 084cbb7cd8627cdfe63f8519f09a8100aac4710de7d396149d345182ce078d93 14726cda4db95441c35a350011f5ded8d832f2c8a6ab181c3c4a4fb73056ae6e 6a3eff21994abc3ae6c3c7a2d81e2f6c9e710ae4874e25db0a51213de4133c0d 7218bc90b23ce5f58e339e7e4caa68405ee10ad314c0765c92d0885f1ce3fce7 76bf6463c9751e4f8c6df80dff89dd58deeada57edc0dfaa3fcb88c5b676e3d9 7befc280a73717d09d831778e63173b1d48bf65d6d5a0da3055571a6d434bc6a 7c1b33a4ffaca8cd292d24c9b0a275629e931e0378d49305680e759d87b19aa5 8d8215b512830f6285f8248e6408e3f0e61535f32775f8c01b234c52729ce497 a05880b5a7d66ee3c976cba4553e48421da2c87d25540e81db739771217516e5 cc192820453aaf77261330c8caaf91436cbc5912e0307e9940b7265089c14705 cc908625e97f5ee851b27f69d492b90cedd17576612a8005f2a709960010a5da ccf99adebff70749af314d4414ef84fb4577ccb7bbd4816f3623a2013954d4c0 d4bda6c737fb1ea8ba4d486dc9d129c35e24faede3b17f6dd6d5f154a0e269f5 eb75f7cc2bef48e82fe540a53e39a53a78442e41b283917bb83bd050975447b4

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Umbrella




Win.Dropper.Gh0stRAT-7003946-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SVCSHOST
19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: SVCSHOST
1
Mutexes Occurrences
546634635.3322.org 3
kent.wicp.net 3
23.95.28.181 3
58.55.149.231 2
59233086.f3322.org 2
58.55.154.119 1
www.zmr321.com 1
\BaseNamedObjects\122.0.114.49 1
122.0.114.139 1
23.245.118.14 1
mantou0314.f3322.org 1
yanjianlong.f3322.org 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
174[.]128[.]255[.]251 3
174[.]128[.]255[.]253 3
23[.]95[.]28[.]181 3
58[.]55[.]149[.]231 2
122[.]114[.]141[.]107 2
58[.]55[.]154[.]119 1
122[.]0[.]114[.]49 1
122[.]0[.]114[.]139 1
23[.]245[.]118[.]14 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
546634635[.]3322[.]org 3
kent[.]wicp[.]net 3
59233086[.]f3322[.]org 2
www[.]zmr321[.]com 1
mantou0314[.]f3322[.]org 1
yanjianlong[.]f3322[.]org 1

File Hashes

065b0891dd2f1f140a304d6083a42920f479e9f78449653dda3e3f4773d65f64 0e3ca15c7fbb7290152a4352eb9f128d371a61748bf574629b1e20e88194f39a 16ae0bbd83dfbf5d842d830eb025a48afeb882d280cd2667178a64c5e4e52aa7 2c3bb3de7dc1618182cc870473e21773ec64a7907a7a8b908ba84aa3dfc1ccb8 3fc973ba80cdb771e03afcede4504b916e2271ee061371132943e69a6851d0a6 72ad952cd9fb882a07fc5076925ef9f54c99c1e2b8d787c6b7da5efe93d2320d 7947b164011507462d16333b66ff489f62d0d07c063886a65fc1119c434595b4 7c23edb038674293f17bcd1f54ce09257155f50167c291b898369b7f67a0543d 7dd7075d773df6b6adbceecb7670aeba729b409c4eab34fa43ee12cec71d961f 8099dfc84e82896b7ffd60989d80dcf3e6d201119fe41c297be02efa198d4c97 8e985850c2689d00fb7a806b008798980036f4d2ec139e1b7ee50aa7adb2a1da 908e09cdf2eacbb1361d94c86d393c0149634d927ba537862db5c26ee1fdd1d5 9a744852496a014e1346262aab597cdc6d7c86cc1254a6b3f1e2f0509e011f49 9d83339f74a26f74ab4b32835f4e56224bf4455f52d78e4e1597a36f63dc34ca 9e2ae029580b63672ebed5d256f22745cda92397969ae98db888275c74c33492 a9c39431622634720eb6af8bed7440508c1b76d955377bb98ff6b4a5f3cd476e bc6a883c9ea0eb02da0590ad56eee63fffff733fb530fb901e449c41fd63dee4 d94e3332f0f9181e0fe3e4dc6da12024a66ac9bd27e3e2e8a2805cd99de34552 e1645442bba1f21d0a3243661dca6d4bae3dd28150e03f5d959f1c8bf61fca64 e880f061dc1f2f08585787d07c55ae03e212408f9e2e6ee8b6d392be694f2663 fb0f9a707cc2ab33dd9370aac07dd7c0f354bc6780de8c0c54c69f7d828e8e1e fd514b2dfc176298d8b6b4885079cdb43a7c374fdd914850c50aad7c8791b455

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid




Win.Malware.Ramnit-7003027-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusOverride
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: AntiVirusDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: FirewallOverride
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UpdatesDisableNotify
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER
Value Name: UacDisableNotify
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLUA
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DoNotAllowExceptions
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND
Value Name: Start
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION
Value Name: jfghdug_ooetvtgk
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: JudCsgdy
10
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV
Value Name: Start
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Defender
10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
10
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: Userinit
10
Mutexes Occurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4} 10
\BaseNamedObjects\{137A1518-4964-635A-544B-7A4CB2C11D0D} 10
\BaseNamedObjects\{137A1A2C-4964-635A-544B-7A4CB2C11D0D} 10
\BaseNamedObjects\{137A2419-4964-635A-544B-7A4CB2C11D0D} 10
\BaseNamedObjects\{137A1A2D-4964-635A-544B-7A4CB2C11D0D} 10
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB6991D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB4951D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB8651D0D} 1
\BaseNamedObjects\{137A1956-4964-635A-544B-7A4CB6891D0D} 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]100[.]26[.]251 9
172[.]217[.]12[.]142 9
46[.]165[.]254[.]214 9
89[.]185[.]44[.]100 4
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ryfgpvevpka[.]com 9
FXOPHXMRRY[.]COM 9
rijyjgrqrod[.]com 9
wqebvfqhvdwd[.]com 9
xkfkhlwxmy[.]com 9
hpujpcor[.]com 9
msdsspdwrtmjjjrgeew[.]com 9
hwlfiogofk[.]com 9
yogtmphumejfhm[.]com 9
ATIUTTVAQR[.]COM 9
MKYJFUMSG[.]COM 9
okjndyeu3017uhe[.]com 9
JIFGMEOA[.]COM 9
xfqtdsyao[.]com 9
vbtwrlpdfbcvqgrfxa[.]com 9
ifshcrwujqprjwuwt[.]com 9
TTGFETOSRTL[.]COM 9
bujynaslvjlmf[.]com 9
gyjijwyrhwyugui[.]com 9
urjpwtnytfyiaaly[.]com 9
fqxonymdkdmjjfceuf[.]com 9
PLOOWSETHQB[.]COM 9
hkdagrtomfuev[.]com 9
yephjhhcg[.]com 9
OHEFDIGIK[.]COM 9
*See JSON for more IOCs
Files and or directories created Occurrences
\Boot\BCD 10
\Boot\BCD.LOG 10
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat 10
%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat.LOG1 10
%HOMEPATH%\NTUSER.DAT 10
%HOMEPATH%\ntuser.dat.LOG1 10
%LOCALAPPDATA%\bolpidti 10
%LOCALAPPDATA%\bolpidti\judcsgdy.exe 10
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe 10
\Device\HarddiskVolume3 10
%SystemRoot%\bootstat.dat 10
%TEMP%\guewwukj.exe 10
%TEMP%\yowhywvr.exe 10
%HOMEPATH%\Local Settings\Application Data\hmqphkgx\pseqpmjy.exe 10
%HOMEPATH%\Local Settings\Application Data\jpnfmrvn.log 10
%HOMEPATH%\Start Menu\Programs\Startup\pseqpmjy.exe 10
%ProgramData%\wtvakgao.log 10

File Hashes

00848dceedd7c2271a182e97c8e5ad7c947af0350f4dc2ace6f600d1f1eaf9c8 07f659c6e3ac188112a9cbec06ed454711f8450b4cef0b59c95a8db0acfe8137 1a82f19a88827586a4dd959c3ed10c2c23f62a1bb3980157d9ba4cd3c0f85821 2a4d1cdf8ceb39bcdd782e2fca4c01390218ad32862d0df40eac079875dfdf89 2e6bebb485ed1ac9bf88e8fa2bb54fe0493e792771d33876b229008b13d4a85f 3fdedad406e3f100e8a216ae7477366a47998f14893adf97f647777c692e4151 5943564ab3d38d4a9a0df32352dd5d2b04ccb76294e68a5efcbad5745d397de3 8ab75a0bc7167646928afd8eea3c3450f2c9529e7d58ed2a87f4f32885017f30 f18fba4d2779d4407f522bf5a9287e9b9117c92aa92bcaa843f69cf842e1d7d5 ff66f9cf0c4ffa299fff1b03a92daa2070087301ea89cba2c03d58a9480fa843

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Umbrella




Win.Dropper.TrickBot-7003081-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender 9
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\
9
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Users\Administrator\AppData\Roaming\services\
9
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions 9
<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths 9
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Value Name: Blob
2
Mutexes Occurrences
316D1C7871E00 9
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
116[.]203[.]16[.]95 3
194[.]87[.]94[.]225 3
104[.]20[.]16[.]242 2
82[.]146[.]48[.]241 2
194[.]87[.]93[.]84 2
216[.]239[.]34[.]21 1
216[.]239[.]36[.]21 1
198[.]27[.]74[.]146 1
52[.]202[.]139[.]131 1
82[.]146[.]48[.]44 1
82[.]202[.]226[.]189 1
78[.]155[.]199[.]124 1
195[.]133[.]147[.]140 1
209[.]205[.]188[.]238 1
73[.]252[.]252[.]62 1
185[.]21[.]149[.]41 1
67[.]209[.]219[.]92 1
80[.]87[.]198[.]204 1
195[.]88[.]209[.]128 1
82[.]202[.]236[.]84 1
179[.]43[.]160[.]45 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip[.]anysrc[.]net 3
icanhazip[.]com 2
myexternalip[.]com 1
ipecho[.]net 1
checkip[.]amazonaws[.]com 1
wtfismyip[.]com 1
Files and or directories created Occurrences
%TEMP%\4rQ7ipw 10
Modules 9
client_id 9
group_tag 9
%System32%\Tasks\services update 9
%APPDATA%\services\client_id 9
%APPDATA%\services\group_tag 9
%SystemRoot%\TEMP\4rQ7ipw 9
%APPDATA%\services 9
%TEMP%\nsb246C.tmp\System.dll 1
%TEMP%\nsgFCA0.tmp 1
%SystemRoot%\TEMP\nshF273.tmp 1
%TEMP%\nsg6A03.tmp\System.dll 1
%SystemRoot%\TEMP\nswC349.tmp 1
%SystemRoot%\TEMP\nswC349.tmp\System.dll 1
%SystemRoot%\TEMP\nsn69F3.tmp 1
%SystemRoot%\TEMP\nsn6A42.tmp 1
%SystemRoot%\TEMP\nsn6A42.tmp\System.dll 1
%SystemRoot%\TEMP\nsc1020.tmp 1
%SystemRoot%\TEMP\nss107F.tmp 1
%SystemRoot%\TEMP\nssDD4E.tmp 1
%SystemRoot%\TEMP\nss107F.tmp\System.dll 1
%SystemRoot%\TEMP\nssDD9D.tmp 1
%APPDATA%\services\67ff09786g26g98gef29fgb5035370fb293gb44g2d766fb0gff228fge797gbb6.exe 1
%SystemRoot%\TEMP\nssDD9D.tmp\System.dll 1
*See JSON for more IOCs

File Hashes

357b2a34ad3496df379c3ad774fa3be01969472363a53defb2642119ac1a8f51 57ee09685f15f98fde19efb4024260eb192fb33f1c755eb0fee118efd797fbb5 65ea62aa3ed8bb08e2519bb0cc54f39dde625e11517ef43f1ce9acf306df412f 664c4f020f49f18b5d4cb6952184a9f2472bfbc41d4922e8c43d8c8db3411930 a690c57af967f33edfd3e34448af5a3d0aeb6885262d1dec9150debb404241d0 a7e40660025a2f92bf5b27a429c2a65038932203d7d6c33168f01c47b34868fa bd60a69a384090fbdf9c03ae483e5e3eddcfdbfb7d8d5ebee7d106a2e21d86e4 c2e6cb0575738459478d51904bf70fe81fc44c88b560e45b06a74571dcfbf83f dde71d9ec99bef73f61f841af134463fc1e494522c35fa8534a668337082f107 e5a25723b4386688017c8a808488f7827c526b4848a05b23a85a65ed398fd035 fafa057ebb741166e290c0864d2392e34700a1fb2147e7d4817295db9adaaddb

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP



ThreatGrid




Win.Malware.RevengeRAT-7004697-0

Indicators of Compromise

Mutexes Occurrences
RV_MUTEX-BtNHuiGGjjtn 37
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
79[.]134[.]225[.]8 35
105[.]112[.]96[.]51 27
91[.]221[.]66[.]6 3
185[.]244[.]29[.]15 2
197[.]210[.]44[.]157 1
105[.]112[.]96[.]109 1
197[.]210[.]55[.]210 1
197[.]210[.]44[.]68 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
mallorca[.]myftp[.]org 37
mbvd[.]hopto[.]org 37
Files and or directories created Occurrences
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\pcwrun.url 37
%APPDATA%\cdosys 37
%APPDATA%\cdosys\aadtb.exe 37
%APPDATA%\cdosys\pcwrun.vbs 37
%HOMEPATH%\Start Menu\Programs\Startup\pcwrun.url 25

File Hashes

043e6e31d0efe8f818b408a4f38ed07d33ff6c9e3ff5efe33440f426da6c65e9 08255fa9a6461fe91cc3c7cabb4d7cf1d0e34442916989f121c25c007d0e4f4e 14ff9bca2e40edf80f24f64944a187691436d26dec1c57e71c83e2f8d3cf8d83 172c143486841e0e24c436f8cc4548c46afb9db7f6bf52d857795f62b18124fb 1bfb8266eb0284cbda01b9405977691de3abd817d4575285aaef4f5065391ba8 232238e349a632c148ff162e31159a6ba7b19d89f9cdb43027c98c69d03756a9 2ee4332fa127a46c6bff99587d8ec99778a6eaa764d80d1abb874495f27605b5 33faa6cad2fe7aaf15771977673baed989f973cc3b6be562c5caa2de71c7d532 3c0ea80441e2824c506dc57154ccc1123e7c293856ba89c078269177f0bdc940 3f09b3040a82ce439e8147eeb19e109505866982e3a1150a79ea011e53920745 4209a07df4409b81df9fd0bdab4bfd0f45f15ee0acb57be1b28dc7409e7f8417 4e91a567c5de2bc40e9be1fd72065a17f98454f93bceb3c3f6bc01c95880ea8e 5683d55fcbaec725b59770d31bf272cf1aa99b8c1c4955eba6cf23204ebcca79 6db50a7f6a77e354d56b65175024df2baa70e7c161a05b2c876d65c09448f30b 6fb1ef865a16257408e954ca2d917eb50126767b9be5505d5772238b60eed25e 723617156eb76841485e598c6958b4b29261dc78f1187629a5c001f037a92920 75d8713483f5a769d1140c4eef300f27dcd39f3799f1106c3c6600a8dd44cccd 7ef273b2c04c40e249f250a5c12513587ac84125df78c870df5ca17c8833d3c9 82541fd5caae2acdff85558a535874361c3f5d6e2e6c27a821cc3bc4b9b50b35 951b10c3a12ebe5a4923c7ddac5d9b534e717cd86fa29dabd5c67d66dc73418d a41d6ab21b948ce314ec0805d96ea7480da8a3a8de7691501c46cacf7bb2921c a84a57b96eb296cf90c881bb18a19df7930aa114e97c12171ad1b238e45b3d31 a9230c56cec40f3238f21c7a5c5e1b79c63160275eacc814d12d637370e39333 ad9ecaf4f946fe463f98b468049de4563eb4d7666d12338cc7f6d555f4633c2d ba048c20a4e0fb9ae726d05b10cf3097e245a14d2260e43a9f34c4adef004b7b
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP



ThreatGrid



Umbrella




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Trickbot malware detected - (3094)
Trickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.
Atom Bombing code injection technique detected - (2529)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Madshi injection detected - (947)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
Excessively long PowerShell command detected - (904)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Kovter injection detected - (583)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Dealply adware detected - (545)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (528)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (166)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
PowerShell file-less infection detected - (63)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
Installcore adware detected - (40)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

No comments:

Post a Comment