Friday, August 23, 2019

Threat Roundup for August 16 to August 23

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 16 and Aug. 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Trojan.Tofsee-7131053-0 Trojan Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
Win.Virus.Neshta-7131041-0 Virus Neshta is file-infecting malware that also collects sensitive information from an infected machine and sends it to a C2 server.
Win.Trojan.Razy-7124013-0 Trojan Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data, and sends it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Malware.Elkern-7118026-1 Malware Elkern is a worm that spreads via peer-to-peer networks by masquerading as popular movies, games, or software. Once executed, it installs follow-on malware onto the system.
Win.Packed.Xcnfe-7131484-0 Packed This cluster provides generic detection for the Dridex banking trojan that's downloaded onto a target's machine.
Win.Worm.Vobfus-7123957-0 Worm Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C2 server.

Threat Breakdown

Win.Trojan.Tofsee-7131053-0

Indicators of Compromise

Registry Keys Occurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) 28
<HKU>\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config3) 28
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 28
REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config0) 28
REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config1) 28
REGISTRY\USER\.DEFAULT\CONTROL PANEL\BUSES (Value Name: Config2) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Type) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Start) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ErrorControl) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: DisplayName) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: WOW64) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: ObjectName) 28
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> (Value Name: Description) 28
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\fymsrzfu) 5
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\buionvbq) 4
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\slzfemsh) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\yrflksyn) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\dwkqpxds) 2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\athnmuap) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\kdrxwekz) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\wpdjiqwl) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\tmagfnti) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\zsgmltzo) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS (Value Name: C:\Windows\SysWOW64\lesyxfla) 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\SysWOW64\config\systemprofile 28
%SystemRoot%\SysWOW64\config\systemprofile:.repos 28
%TEMP%\<random, matching '[a-z]{8}'>.exe 28
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'> 28
%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy) 5
%TEMP%\utjfmin.exe 1
%TEMP%\jiyubxc.exe 1
%TEMP%\dcsovrw.exe 1
%TEMP%\rqgcjfk.exe 1
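A defender-side way to turn the Tofsee registry and file indicators above into a detection, added here as an example rather than Talos code: the rules match the Windows Defender exclusion paths, the random `[A-Z0-9]{8}` service names and the `Control Panel\Buses` Config values over constructed registry events. The event schema, PIDs and image paths are assumptions made for the example.

```python
r"""Registry-telemetry triage for the Tofsee persistence pattern listed above.

Rules (from the roundup's registry and file indicators):
  * a Windows Defender path exclusion pointing at a freshly created
    %SystemRoot%\SysWOW64\<eight lowercase letters> directory
  * a service registered under a random name matching [A-Z0-9]{8}
  * Config<N> values written under HKU\.DEFAULT\Control Panel\Buses
"""
import re
from collections import defaultdict

# Constructed, simplified registry events (not real telemetry). The event
# names, PIDs and image paths are assumptions made for this example.
SAMPLE_EVENTS = [
    {"event": "ValueSet", "pid": 4412, "image": r"C:\Windows\SysWOW64\fymsrzfu\qwertyui.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Windows\SysWOW64\fymsrzfu"},
    {"event": "KeyCreated", "pid": 4412, "image": r"C:\Windows\SysWOW64\fymsrzfu\qwertyui.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\K7Q2M9ZC", "value": ""},
    {"event": "ValueSet", "pid": 4412, "image": r"C:\Windows\SysWOW64\fymsrzfu\qwertyui.exe",
     "key": r"HKU\.DEFAULT\Control Panel\Buses", "value": "Config1"},
    # Benign: an installer excluding its own program directory from scans.
    {"event": "ValueSet", "pid": 980, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Program Files\Vendor"},
    # Benign: an ordinary service registration with a readable name.
    {"event": "KeyCreated", "pid": 980, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\Services\VendorUpdate", "value": ""},
]

DEFENDER_EXCLUSIONS = re.compile(r"\\windows defender\\exclusions\\paths$", re.I)
RANDOM_SYSWOW64_DIR = re.compile(r"^[a-z]:\\windows\\syswow64\\[a-z]{8}$", re.I)
SERVICES_KEY = re.compile(r"\\controlset\d{3}\\services\\[^\\]+$", re.I)
RANDOM_SERVICE_NAME = re.compile(r"[A-Z0-9]{8}")   # case-sensitive, as on the page
TOFSEE_CONFIG_VALUE = re.compile(r"Config\d")


def classify(ev):
    """Return the rule names one registry event triggers (empty list if none)."""
    key, value = ev["key"], ev["value"]
    leaf = key.rsplit("\\", 1)[-1]
    hits = []
    if ev["event"] == "ValueSet" and DEFENDER_EXCLUSIONS.search(key):
        # Any new exclusion deserves a look; one carving out an eight-letter
        # directory under SysWOW64 is the Tofsee pattern itself.
        hits.append("defender_exclusion_added")
        if RANDOM_SYSWOW64_DIR.match(value):
            hits.append("defender_exclusion_random_syswow64")
    if (ev["event"] == "KeyCreated" and SERVICES_KEY.search(key)
            and RANDOM_SERVICE_NAME.fullmatch(leaf)):
        hits.append("service_random_name")
    if (ev["event"] == "ValueSet" and key.lower().endswith(r"\control panel\buses")
            and TOFSEE_CONFIG_VALUE.fullmatch(value)):
        hits.append("tofsee_config_value")
    return hits


def triage(events):
    """Group rule hits per process. Two or more Tofsee-specific rules from one
    process is a strong match; a lone Defender exclusion is only worth a look."""
    per_proc, images = defaultdict(set), {}
    for ev in events:
        for rule in classify(ev):
            per_proc[ev["pid"]].add(rule)
            images[ev["pid"]] = ev["image"]
    verdicts = {}
    for pid, rules in per_proc.items():
        specific = rules - {"defender_exclusion_added"}
        level = "high" if len(specific) >= 2 else "medium" if specific else "low"
        verdicts[pid] = {"image": images[pid], "level": level, "rules": sorted(rules)}
    return verdicts


if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS).items():
        print(pid, verdict["level"], verdict["image"], ", ".join(verdict["rules"]))
```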

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)



Win.Virus.Neshta-7131041-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND 11
Mutexes Occurrences
MutexPolesskayaGlush*.*svchost.comexefile\shell\open\command‹À "%1" %*œ‘@ 11
Files and or directories created Occurrences
\MSOCache\ALLUSE~1\{90140~1\DW20.EXE 11
\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe 11
\MSOCache\ALLUSE~1\{91140~1\ose.exe 11
\MSOCache\ALLUSE~1\{91140~1\setup.exe 11
%TEMP%\tmp5023.tmp 11
%SystemRoot%\svchost.com 11
%HOMEPATH%\APPLIC~1\Adobe\Reader\9.2\ARM\ARMUPD~1\AdobeARM.exe 11
%HOMEPATH%\APPLIC~1\Adobe\Reader\9.2\ARM\ARMUPD~1\READER~1.EXE 11
%HOMEPATH%\APPLIC~1\Adobe\Setup\{AC76B~1\Setup.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000050.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000053.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000059.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000060.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000066.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000067.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000070.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000071.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000074.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000073.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000114.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000115.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000116.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000118.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000119.exe 11
\SYSTEM~1\_RESTO~1\RP1\A0000120.exe 11
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection (AMP, ThreatGrid)




Win.Trojan.Razy-7124013-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500 32
<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\SECDESC 32
<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\SID 32
<HKLM>\SECURITY\POLICY\ACCOUNTS\S-1-5-21-2580483871-590521980-3826313501-500\PRIVILGS 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO (Value Name: pool_url) 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO (Value Name: pool_pass) 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Start Windows) 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO 32
<HKLM>\SECURITY\RXACT (Value Name: Log) 32
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINLOGIN_INFO (Value Name: pool_user) 32
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
xmr[.]pool[.]minergate[.]com 32
cloclo11[.]datacloudmail[.]ru 32
cloclo16[.]datacloudmail[.]ru 32
Files and or directories created Occurrences
%APPDATA%\Lopatka\app.exe 32
%APPDATA%\Lopatka\config.json 32
%APPDATA%\Lopatka 32
%System32%\config\SECURITY 6
%System32%\config\SECURITY.LOG1 6

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa This has coverage

Screenshots of Detection (AMP, ThreatGrid)




Win.Malware.Elkern-7118026-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\HP710C 32
Files and or directories created Occurrences
%SystemRoot%\Temp\AIM Account Stealer Downloader.exe 32
%SystemRoot%\Temp\AikaQuest3Hentai FullDownloader.exe 32
%SystemRoot%\Temp\Battle.net key generator (WORKS!!).exe 32
%SystemRoot%\Temp\Borland Delphi 6 Key Generator.exe 32
%SystemRoot%\Temp\Britney spears nude.exe 32
%SystemRoot%\Temp\CKY3 - Bam Margera World Industries Alien Workshop Full Downloader.exe 32
%SystemRoot%\Temp\Cat Attacks Child Full Downloader.exe 32
%SystemRoot%\Temp\DSL Modem Uncapper.exe 32
%SystemRoot%\Temp\DivX.exe 32
%SystemRoot%\Temp\GTA3 crack.exe 32
%SystemRoot%\Temp\Gladiator FullDownloader.exe 32
%SystemRoot%\Temp\Grand theft auto 3 CD1 crack.exe 32
%SystemRoot%\Temp\Hack into any computer!!.exe 32
%SystemRoot%\Temp\Hacking Tool Collection.exe 32
%SystemRoot%\Temp\Half-life ONLINE key generator.exe 32
%SystemRoot%\Temp\Half-life WON key generator.exe 32
%SystemRoot%\Temp\How To Hack Websites.exe 32
%SystemRoot%\Temp\Internet and Computer Speed Booster.exe 32
%SystemRoot%\Temp\Jenna Jameson - Built For Speed Downloader.exe 32
%SystemRoot%\Temp\KaZaA media desktop v2.0 UNOFFICIAL.exe 32
%SystemRoot%\Temp\Key generator for all windows XP versions.exe 32
%SystemRoot%\Temp\LordOfTheRings-FullDownloader.exe 32
%SystemRoot%\Temp\MSN Password Hacker and Stealer.exe 32
%SystemRoot%\Temp\Macromedia Flash 5.0 Full Downloader.exe 32
%SystemRoot%\Temp\Macromedia key generator (all products).exe 32
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection (AMP, ThreatGrid)




Win.Packed.Xcnfe-7131484-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE (Value Name: trkcore) 26
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM (Value Name: DisableTaskMgr) 26
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 (Value Name: CheckSetting) 22
Mutexes Occurrences
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]10[.]78 25
104[.]20[.]208[.]21 14
104[.]20[.]209[.]21 12
172[.]217[.]6[.]206 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 26
*See JSON for more IOCs
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> 26

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
Wsa N/A

Screenshots of Detection (AMP, ThreatGrid)




Win.Worm.Vobfus-7123957-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR (Value Name: Locked) 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED (Value Name: ShowSuperHidden) 12
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU 12
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE\AU (Value Name: NoAutoUpdate) 12
<HKLM>\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\WINDOWSUPDATE 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: fxrab) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: saoavir) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: kiupouv) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: liupiuh) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: juvil) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: xeaoro) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: loxem) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: qetap) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: kauuyom) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: jaoguo) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: reugo) 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: meerad) 1
Mutexes Occurrences
\BaseNamedObjects\A 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]11[.]56[.]48 11
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
\autorun.inf 12
\System Volume Information.exe 12
\$RECYCLE.BIN.exe 12
\Secret.exe 12
\Passwords.exe 12
\Porn.exe 12
\Sexy.exe 12
E:\autorun.inf 12
E:\$RECYCLE.BIN.exe 12
E:\Passwords.exe 12
E:\Porn.exe 12
E:\Secret.exe 12
E:\Sexy.exe 12
E:\System Volume Information.exe 12
E:\x.mpeg 12
%HOMEPATH%\Passwords.exe 12
%HOMEPATH%\Porn.exe 12
%HOMEPATH%\Secret.exe 12
%HOMEPATH%\Sexy.exe 12
\<random, matching '[a-z]{4,7}'>.exe 12
E:\<random, matching '[a-z]{4,7}'>.exe 12
%HOMEPATH%\<random, matching '[a-z]{5,7}'>.exe 12
%HOMEPATH%\RCX<random, matching '[A-F0-9]{3,4}'>.tmp 9

File Hashes


Coverage

Product Protection
Amp This has coverage
Cloudlock N/A
Cws This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
Wsa This has coverage

Screenshots of Detection (AMP, ThreatGrid, Umbrella)




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Madshi injection detected - (1156)
Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
CVE-2019-0708 detected - (1075)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Kovter injection detected - (580)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Process hollowing detected - (526)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Dealply adware detected - (244)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Excessively long PowerShell command detected - (214)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Gamarue malware detected - (53)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (34)
InstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Atom Bombing code injection technique detected - (25)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
PowerShell file-less infection detected - (15)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
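The two PowerShell behaviours described above, an excessively long command line and a command executed out of an environment variable, expressed as checks over constructed process-creation records. This is an added example and not AMP's own logic; the 1000-character threshold, the record fields and the sample command lines are assumptions made for the example.

```python
"""Process-creation triage for the two PowerShell behaviours described above:
an excessively long command line and a command executed out of an
environment variable (the Kovter/Poweliks pattern)."""
import base64
import re

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
LONG_CMDLINE_CHARS = 1000  # assumed threshold for this example; tune per estate

# -EncodedCommand and its common abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# "iex $env:X", "Invoke-Expression ([Environment]::GetEnvironmentVariable(...))"
# or the piped form "(gci env:X).Value | iex".
ENV_EXEC = re.compile(
    r"(?i)(?:\biex\b|invoke-expression)[^;|]*(?:\$env:|\[environment\]::getenvironmentvariable)"
    r"|(?:\$env:|\benv:|\[environment\]::getenvironmentvariable)[^;]*\|\s*(?:iex\b|invoke-expression)")


def encode_for_powershell(script):
    """Build a -EncodedCommand argument (UTF-16LE, base64); used only for the samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or not valid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(ev):
    """Return the rule names a single process-creation record triggers."""
    if ev["image"].rsplit("\\", 1)[-1].lower() not in POWERSHELL_IMAGES:
        return []
    cmd = ev["cmdline"]
    hits = []
    if len(cmd) >= LONG_CMDLINE_CHARS:
        hits.append("powershell_long_commandline")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("powershell_encoded_command")
    # Check both the visible command line and whatever the encoded argument hid.
    if ENV_EXEC.search(cmd) or (decoded and ENV_EXEC.search(decoded)):
        hits.append("powershell_env_var_exec")
    return hits


def triage(events):
    """Map pid -> triggered rules for every record that triggered at least one."""
    result = {}
    for ev in events:
        hits = analyze(ev)
        if hits:
            result[ev["pid"]] = hits
    return result


# Constructed sample records (not real telemetry); PIDs and paths are assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Ordinary scheduled script: no hits.
    {"pid": 1201, "image": PS,
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    # Encoded launcher whose decoded script pulls its payload from an environment variable.
    {"pid": 1202, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_for_powershell("iex $env:qjtm")},
    # A long concatenation-style argument standing in for an obfuscated script.
    {"pid": 1203, "image": PS, "cmdline": "powershell.exe -c " + "+".join(["'a'"] * 400)},
    # Plain-text form of the environment-variable launch.
    {"pid": 1204, "image": PS,
     "cmdline": "powershell.exe -w hidden -c \"iex ([Environment]::GetEnvironmentVariable('kqtz','User'))\""},
    # Long but not PowerShell: outside the scope of these rules.
    {"pid": 1205, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c echo " + "x" * 2000},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```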
