Friday, November 1, 2019

Threat Roundup for October 25 to November 1

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 25 and Nov. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.
The most prevalent threats highlighted in this roundup are:

Threat Name (Type): Description
Win.Malware.Trickbot-7367071-1 (Malware): Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts.
Win.Dropper.Emotet-7365661-0 (Dropper): Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019.
Win.Trojan.DarkComet-7365618-1 (Trojan): DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Packed.Zbot-7364099-0 (Packed): Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing.
Win.Malware.njRAT-7363922-1 (Malware): njRAT, also known as Bladabindi, is a RAT that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Trojan.Socks-7363151-0 (Trojan): Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems.
Win.Malware.Lokibot-7363866-1 (Malware): Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.
Win.Packed.Zeroaccess-7358361-0 (Packed): ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click-fraud campaigns.
Win.Ransomware.Shade-7357624-1 (Ransomware): Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments.

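The IOC tables in the breakdown below use defanged notation (`[.]` for dots, `/31` and `/30` network suffixes, `%APPDATA%` and `%TEMP%` tokens, and `<random, matching '...'>` placeholders for file names), and the post stresses that a single IOC hit is not a verdict. The following is an added example, not Talos code or part of the original post: it refangs a handful of IOC values copied from this roundup, compiles the file-path placeholders into regular expressions, runs them over constructed log lines, and escalates only hosts that hit more than one independent IOC category. The log lines, host names and the Windows expansions assumed for `%APPDATA%` and `%TEMP%` are constructed for the example.

```python
"""Match defanged roundup IOCs against sample log lines, then triage per host.

Added example (not Talos code). The IOC values are copied from this roundup;
the log lines, host names and %ENV% expansions are constructed/assumed.
"""
import ipaddress
import re
from collections import defaultdict

# IOC inventory in the post's own defanged notation: (category, value).
IOCS = [
    ("ip", "23[.]94[.]233[.]210"),              # Trickbot list
    ("ip", "173[.]194[.]68[.]108/31"),           # Emotet list; a /31 block
    ("domain", "mrsnickers03[.]no-ip[.]biz"),    # DarkComet list
    ("domain", "pastebin[.]com"),                # njRAT list
    ("file", r"%APPDATA%\IDM\ichader.exe"),      # DarkComet list
    ("file", r"%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp"),  # Trickbot/Emotet lists
]

# Assumed expansions of the post's environment tokens (regex fragments).
ENV_PATTERNS = {
    "%APPDATA%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming",
    "%TEMP%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp",
}
PLACEHOLDER = re.compile(r"<random, matching '([^']*)'>")
LOG_RE = re.compile(r"host=(\S+) kind=(\S+) value=(.+)$")

# Constructed log lines: one event per line, in a deliberately simple layout.
LOG_LINES = [
    r"2019-10-28T10:01:02Z host=WS07 kind=dns value=mrsnickers03.no-ip.biz",
    r"2019-10-28T10:01:05Z host=WS07 kind=file value=C:\Users\alice\AppData\Roaming\IDM\ichader.exe",
    r"2019-10-28T10:02:11Z host=WS12 kind=conn value=173.194.68.109",
    r"2019-10-28T10:03:40Z host=WS19 kind=dns value=www.pastebin.com",
    r"2019-10-28T10:03:41Z host=WS19 kind=file value=C:\Users\bob\AppData\Local\Temp\1F3A.dmp",
    r"2019-10-28T10:04:00Z host=WS21 kind=conn value=10.0.0.5",
]


def refang(value):
    """Undo the post's defanging so values compare with real telemetry."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def _escape_path(fragment):
    """Escape a literal path fragment, then swap %ENV% tokens for their regex."""
    out = re.escape(fragment)
    for env, pattern in ENV_PATTERNS.items():
        out = out.replace(re.escape(env), pattern)
    return out


def path_regex(ioc_path):
    """Compile a roundup file-path IOC (with <random, matching '...'>) into a regex."""
    pieces, pos = [], 0
    for m in PLACEHOLDER.finditer(ioc_path):
        pieces.append(_escape_path(ioc_path[pos:m.start()]))
        pieces.append(m.group(1))          # the post's own regex for the random part
        pos = m.end()
    pieces.append(_escape_path(ioc_path[pos:]))
    return re.compile("".join(pieces), re.IGNORECASE)


def compile_iocs(iocs):
    """Pre-parse IOCs once: ip -> networks, domain -> lowercase names, file -> regexes."""
    compiled = {"ip": [], "domain": [], "file": []}
    for category, value in iocs:
        if category == "ip":      # ip_network handles both bare IPs and /31, /30 blocks
            compiled["ip"].append((value, ipaddress.ip_network(refang(value), strict=False)))
        elif category == "domain":
            compiled["domain"].append((value, refang(value).lower()))
        elif category == "file":
            compiled["file"].append((value, path_regex(value)))
    return compiled


def match_event(kind, observed, compiled):
    """Return the defanged IOC string the observed value matches, or None."""
    if kind == "conn":
        try:
            addr = ipaddress.ip_address(observed)
        except ValueError:
            return None
        return next((v for v, net in compiled["ip"] if addr in net), None)
    if kind == "dns":          # exact name or any subdomain of the IOC domain
        name = observed.lower().rstrip(".")
        return next((v for v, d in compiled["domain"] if name == d or name.endswith("." + d)), None)
    if kind == "file":
        return next((v for v, rx in compiled["file"] if rx.fullmatch(observed)), None)
    return None


def scan(log_lines, iocs=IOCS):
    """Map host -> set of (category, matched IOC)."""
    compiled = compile_iocs(iocs)
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host, kind, observed = m.groups()
        matched = match_event(kind, observed, compiled)
        if matched:
            hits[host].add((kind, matched))
    return dict(hits)


def triage(hits):
    """One IOC is a lead; two independent categories on one host justify escalation."""
    return {host: ("escalate" if len({k for k, _ in h}) >= 2 else "lead") for host, h in hits.items()}


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for host, verdict in sorted(triage(found).items()):
        print(host, verdict, sorted(found[host]))
```

Note the WS12 case: its only hit is an address inside the 173[.]194[.]68[.]108/31 block, which the Emotet table lists with the explicit caveat that contacted addresses do not indicate maliciousness, so the triage step leaves it as a lead rather than escalating it. Subdomain matching (www.pastebin.com against pastebin[.]com) is deliberately broad for the same reason and should be weighed together with the other categories.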
Threat Breakdown

Win.Malware.Trickbot-7367071-1

Indicators of Compromise

Mutexes Occurrences
Global\316D1C7871E10 31
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]94[.]233[.]210 15
192[.]3[.]104[.]46 11
192[.]3[.]247[.]11 3
172[.]82[.]152[.]126 2
Files and/or directories created Occurrences
%System32%\Tasks\Download http service 31
%ProgramData%\мчваОнгшЬЛВчяй.dfxcsd 31
%APPDATA%\NuiGet 31
%APPDATA%\NuiGet\settings.ini 31
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 27
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 27

File Hashes

12e8006a018c424bcb76b7c97d880314c08f79d8951a545d92d73034f5778ec7 194f14146ed498074cb229f3941740463913e79bc4a08a765f2ffd490dfbbdd0 35030bca598f6d38bf753df2c51fa0b43a0189f44438728efd0b17027cb7d6f6 4a66279719169895ee353164bebd0d14aea7bd6588fe0d4cea242465b260a519 4e42cd765cf0ab37b5a1141d446607a672473d409a7da92a34a3add36ce1a8c7 4ea19a355329cbf55d60502bc479daae8664a0df0148b52d0096d0ea9df67626 5c49e59a65499989081ae896fd9748ef572315a3c064e63e246a670d1d292fe0 5efb96495538937fe47d41b0d7e98db37de61e6f593d349238286df075c1397c 686831b801833681a66bf8d26369358725d6eeb3d6a59dfba359d0cffc0a6879 6b63955ef70f2db59d37e4a9d1d8ea6160348a07075a63f3aba90344a4359870 6c59d5e1cbc381e8fabd6886b9202ccb8cb47fde6d197ef656ca9038d720562b 6d64abd7986e0caefe99c4c11f23ee79dc583b5ae8667b44b224cbc2ed5587db 71d6c8a2a0201af5013f6624738ca844095d6f50d7a31f105e60726d54589918 75cc6fafd3becff2a1dcb7e7a4b37542fe5fcd4f399d36ae5d5659336900b4fb 7acd91a84c5bea43ad99688a67760fd0826bc7d67b0de373292f06ecbe2d9297 81cb4e71e4327b1969f30625661c6e027c8e33cfc04be4acd20cbe3a913c236b 823e680c8c8b03a264a6cd347b84ee72913622f0bc675b18a0b3dbe0cb11422a 8d6e5a67290d22e5bb7e2beed6d83c67bb40455c3a2e27e802997aaa7f98760a 9123558e3b1d5f8041754f2bf41ed0f453d3a02da5979454f9f574efc6dc82ef 9373dd5aeea4258abed94cae3f4cf771b59714f6b7f31efb16394108cf3a9e2d 98dd50a96301fae6c07eafed51df1d5d1bd444a7920a076cc2a72bb483ae9542 a5dbee433d7d11dfff76b54e00c1879f969787f9b760908add1f89946381165e b9b992d27c996693b7d315b58a51a562e9c9286728fa162d0204fad15cc68a28 bd49f6d5e49f5dd45a38128ef576a86f1c447842d7a428ae08c7e33e321ed7aa c98366526022af2d7c17edf78d0bc5856aabebdf712f314574c6c9bc65454cd5
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP




Win.Dropper.Emotet-7365661-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: Type) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: Start) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: ErrorControl) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: ImagePath) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: DisplayName) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: WOW64) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: ObjectName) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS (Value Name: Description) 168
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CHINESESONGS 168
Mutexes Occurrences
Global\I98B68E3C 168
Global\M98B68E3C 168
Global\<random guid> 3
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
167[.]99[.]105[.]223 77
54[.]38[.]94[.]197 59
176[.]31[.]200[.]130 54
74[.]202[.]142[.]71 52
173[.]194[.]68[.]108/31 48
190[.]182[.]161[.]7 48
186[.]159[.]246[.]121 43
190[.]229[.]205[.]11 41
79[.]143[.]182[.]254 41
62[.]149[.]157[.]55 35
178[.]128[.]148[.]110 34
212[.]129[.]24[.]79 34
62[.]149[.]128[.]179 33
176[.]9[.]47[.]53 31
74[.]202[.]142[.]33 31
62[.]149[.]152[.]151 31
62[.]149[.]128[.]200/30 29
17[.]36[.]205[.]74 27
62[.]149[.]128[.]72/30 26
191[.]252[.]112[.]194/31 25
185[.]94[.]252[.]27 24
45[.]55[.]82[.]2 24
37[.]187[.]5[.]82 24
200[.]206[.]34[.]68 24
172[.]217[.]10[.]243 23
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
smtp[.]prodigy[.]net[.]mx 51
mail[.]aruba[.]it 35
smtp[.]infinitummail[.]com 33
pop3s[.]aruba[.]it 33
imail[.]dahnaylogix[.]com 31
smtp[.]alestraune[.]net[.]mx 31
mail[.]pec[.]aruba[.]it 31
smtp[.]pec[.]aruba[.]it 31
mail[.]outlook[.]com 27
smtpout[.]secureserver[.]net 27
pop3s[.]pec[.]aruba[.]it 26
mail[.]cemcol[.]hn 19
smtp[.]secureserver[.]net 18
smtp[.]orange[.]fr 17
ssl0[.]ovh[.]net 17
as1r1066[.]servwingu[.]mx 15
imaps[.]aruba[.]it 15
outlook[.]office365[.]com 14
mail[.]tiscali[.]it 14
mail[.]singnet[.]com[.]sg 13
mail[.]libero[.]it 13
mbox[.]cert[.]legalmail[.]it 13
mail[.]funfruit[.]com[.]mx 13
mail[.]caoa[.]com[.]br 13
smtp[.]outlook[.]com 12
*See JSON for more IOCs
Files and/or directories created Occurrences
%ProgramData%\xcsdwrsdk.dtxsd 91
%ProgramData%\dxcsdyjgbn.dfxcsd 77
%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt 56
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 56
%SystemRoot%\SysWOW64\chinesesongsa.exe 6
%SystemRoot%\SysWOW64\chinesesongsb.exe 3
%ProgramData%\Len350p.exe 1
%ProgramData%\uUgG1WJQ4usO.exe 1
\TEMP\PpoNLODk9uCChTGo9HH.exe 1
%SystemRoot%\TEMP\543E.tmp 1
\TEMP\h5xs_232.exe 1
\TEMP\R53Pew.exe 1
\TEMP\o86t6prpvay0ah3.exe 1
\TEMP\hw8ah6hmp5ku.exe 1
\TEMP\scsl_2153.exe 1
\TEMP\1p3gf.exe 1
\TEMP\xk3wdb8t.exe 1
\TEMP\067vnss8y_680.exe 1
\TEMP\ypb8jo5.exe 1
\TEMP\41v2241jicyu8m8.exe 1
\TEMP\8aklv68ynf.exe 1
%SystemRoot%\TEMP\2086.tmp 1
%SystemRoot%\TEMP\2096.tmp 1
\TEMP\wealxtx4234pz0.exe 1
\TEMP\RlwZ7vqPWQOoRg.exe 1
*See JSON for more IOCs

File Hashes

0299861a3cdc50a555b8d327b8cdbe9ebb3d286bd67d34fd78e82910ba0a69da 02e0225c00b4f47728a493dbad00964ff4e2f975312d2fdccb5fee836b8e02a7 04242859c480e5af73f938324355a7058c209a29bd90cdc9c03095da158aafb6 04edae27709686fe0eec70970a0bb0073e1e573ed64341705545068b789eda9b 068c2726caca44b77e7ee220fb4d181d086dbf433c76b588297477ac5689d572 0704a26d82961ffcc14aa5f1ca3df6be3cd09cd4a27580ecff7eea8f6b70f7e2 078d578cfbb4ea91813381500b1d4b56106bb4c73b30697b6f9cc6bc46727251 0b1bb755d31acfd314aa59b362818f89afee12840cffa7665b9a21c909249e73 0c15940c4c9a49103c2e0b33cb1488a8838aa905dddc2a53e841e5be07a1cfe3 0df437e357d886397345b7bcebd48a4404c6c923758ea30bd286fbf786531771 100ed9e984af228f4c63f6e389066f244a146a07a24a98b2ef5737484f8b9418 10cb59a28331f74a3eb14a688be158aa83ad848a29b42e9b5e69f210470004af 10dd8ab62c73328905f71435a19e2fbd4c0b3c0bfb9c62e499ce321cd455e03d 11b968a43e6f27e16c73887a56b9e04315caa0ea36ccce003411ebeb83bfb28c 11cec37f15cb1f81608912172d843502b3e74c3cf5a6002b1d186b08c561556f 12e8a80c47ac89a43c220db77cd56b746284d8fb08b0544d0b5642ff01d42c31 186d8fc5e47032b99b15b3e64d5df4427d2d89dd8a0fc08e720800f5715f1f69 19dec17408be3e2a980e50f038d4563911a0a3b315085db29b1cce06415902ce 1a24c713e52fc6072e7586ecd2ab3e858b03c893e463aae8c678c05c3b493be7 1ada1f15d5e4b2a7b67a8ee63ddb8ffbd15c2a2299977f3ff0f26f557e3d1ed8 1c80dd78b374786cd12cb3c466a69faef4b336b31b88259f735ae90a590151d6 217b0f8c66870cd11d7e6d22125e4afbb2ae711154a5ea7f56c40a02e7d6edfa 229b1494c66f15a919697f70307f34e082b77e53b4ec35b0425e5a1cac4665a2 23699f526439964cce4a8e8c9c5f27a4549bd7bb0293cae683e84730e20887ca 24d0044976a4122a3fcfedad6f66849eb0d1d9fa7fb7f7ad52bf0a9d97f394b5
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


Umbrella




Win.Trojan.DarkComet-7365618-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\DC3_FEXEC 25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: java) 25
Mutexes Occurrences
DC_MUTEX-6ZFK11A 25
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
mrsnickers03[.]no-ip[.]biz 25
Files and/or directories created Occurrences
%APPDATA%\dclogs 25
%APPDATA%\IDM 25
%APPDATA%\IDM\ichader.exe 25
%TEMP%\WTHTE.bat 2
%TEMP%\WTHTE.txt 2
%TEMP%\SXIJG.txt 1
%TEMP%\PTQEQ.bat 1
%TEMP%\PTQEQ.txt 1
%TEMP%\USQVI.bat 1
%TEMP%\USQVI.txt 1
%TEMP%\CQGTP.bat 1
%TEMP%\CQGTP.txt 1
%TEMP%\NKKWS.bat 1
%TEMP%\NKKWS.txt 1
%TEMP%\WAXFT.bat 1
%TEMP%\WAXFT.txt 1
%TEMP%\JRFQG.bat 1
%TEMP%\JRFQG.txt 1
%TEMP%\APQNW.bat 1
%TEMP%\APQNW.txt 1
%TEMP%\UVJWH.bat 1
%TEMP%\UVJWH.txt 1
%TEMP%\OSNVJ.bat 1
%TEMP%\OSNVJ.txt 1
%TEMP%\MUISJ.bat 1
*See JSON for more IOCs

File Hashes

0d35dc067583af9f8ec8aa97a0ffafc8a92c52145196755eff63f62fd545da80 4671622ecb23629041c6f808461e60b20692ba4920d7207442db3e0bb2f9cb43 560532abb05b4b9219c6206d02defb4ce74f0f07be27173257df016e2576e0c1 5b6a3069e1fdad0d43dea5e289a41ea3a76c2583990f070368394154339dc682 60fda48fabb1047741a46cb1989b1ed5a49fa8214955e328d9b9e0825bd06dae 76f99c94e4cb98ecb947dc0add432659cf9510cf0ff75dd532af16f68ca70612 7c15a840a3f2bd987e096d3810991e4f88fe65c9ba6efff2529c1608dfd39e34 7e18585cff88ab47bbdc0d2f9c76ade0d12cf1431983864c260ada790aee3afa 82648de7b9a19b4e1a23933f5c5a24991365fdd97bdb03d0cd95431f38df0b23 842e707c9400e589df5e4be6ec72454403fee00adb174c54b2f2dea3ac1d69d5 85faf6824e603e5bff1ec4e743bd944f2cfdca0098920cbf66467e4d24d8d919 87411b5aee6a4ca4f671b44e63cc9a8e0fc27ed2b43a843cfbe904c428420668 897e054816e7d69c51c73b843c0def266858d0f0eb50425930f975416210868c 8d8821ca5999ec65308100e8a4d7e3bdfe850783161c925789149394f1e071a5 91da6fab3b8e86ba31a0c36eb37787c5bd3723d2f452b59ec5ecac8431a721a3 937d56fae295a0647c6bcea2db66a1f33aefe91db3ab8bb04979ad745d5cd18d 94ac600212f0cb12d2dfb7f2e5a5814160226fa0cd2d545dd2ab32f3057fc92d 9a5b643414e9a3b2b0768123f6c2039c06ec39a1f647201cf284c1785809be2d 9db56c0d7979b0ec84776064129b1a2354d9d3b13f09cff625b106a230fc0caa a4d07da8c28394c58f19e8a7ffb8505386ef714efd4fe9f9d096462233cb7e87 a72e5af5e928da722ded5dee33dba92c9ff07b4c5a7cfdd083c60bc4c6ca6dd3 a7f813ece9b9f797ff84d1d13294892e499ba36e442a118f7f08a3499671e449 a9fc7d3f2b74b0640102d091bd79e5f98887e4bb43ad8bf153cd2e477b67dba6 b13881418dc9d5f70d4ed4da6188806132e6b9d4c7cfa45a6dd426203db5f797 b28117f5e719f5e2c419a9fd0569d40729442d1cff822b1644379986e29c9c50
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Win.Packed.Zbot-7364099-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\DSP (Value Name: ChangeNotice) 1
Mutexes Occurrences
-e2a38afdMutex 25
FvLQ49IlîIyLjj6m 25
FvLQ49Il IyLjj6m 21
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]200 25
212[.]83[.]168[.]196 21
199[.]2[.]137[.]29 21
62[.]112[.]10[.]15 21
13[.]107[.]21[.]200 13
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
api[.]wipmania[.]com 21
n[.]alnisat[.]com 21
n[.]jagalot[.]com 21
n[.]myadvsit1[.]com 21
Files and/or directories created Occurrences
%APPDATA%\Microsoft\Exoiom.exe 21

File Hashes

0cb65d9d8421292e933acf4b5f8aebbe69fcdad0948f8bf711ebf8be9ca23392 0d2b2655e40f10215b306fd47028cf2dffada53d808fec0784514f5a896746d9 11246d210b2edc49c14b00f14791a22b5f2ec12c1be96ce90d5177769a489869 11c83400744d7f64516e1854772373f91b105e66169ba15d5d110f0948bed825 17ca554b2e2a1a6b9412cc2c3e29d6c95e27a24305e879beb1ec3ec6b504d526 1ae7050f136ee52bc82af58ea180ba449e47f1bfde4c27956906ac1ff1913998 25328cbd1c4325abcc27a6a1553fbfe029ca98b10747c2adc5ecee08eef77bc2 25e261c4a20575828b3344d872bd99725fceb952acecf524fa6c3c1267a2e729 2ca7fa29437a2caca2c10c4c347f73d8bb4fed5698a2f78c91b949420fd2b015 306e30cefb63944763afedf2f77f7c9d51d0bcda5d53068c5b832bee4e9bb7b4 31cf80b70149972f55f5064158359386cd1a1e8e3426cd1b9fa922ac994c47e7 3908a42cf0243c333fbd9d5cee753db2e8e44b8e26daabd0336ab3faca57136c 3f1a2e83de8d62377f9c1db5326cedff42b0b3ab6581dd1c8c3a4a52b9498ce9 43d34611fc97e74ee6d88b3b1fddbfd6b97fec6dae41208856e6e0cfbc921007 4453c2ac6b30f16a9560439c542dc42a17c723caab95e63289aa239017d002c1 4664d6a94aeca4dbdd5ec72453be28be2697546f4effc2579b6330b00942011a 519eab7ecc913297fa56b498685eb13e06a9375ba3cd7108057952639f8945bb 5295c963140c0b6022b1c9bb91401d2042ffb715d5a0af394546e788124b058d 5d53c88240b8ac76a3de5ba303bfa805f9730abc2827f149716c5a3ef9776fab 664aec540c5ad508b5b86c695ebd6e302cd67d7833abe56516365273f735a0b6 68fe7ccc046a6eb48d4bb9b6acf26ca7a22a7379fed0663e83f89492f4bc001a 76d7eb8843a1031e6498584e781934f6546b513658e345081e85f5c2ccee3459 794509058dd3ca5f5e6e1e775c24cd46573c7ed556184f3b67e28abd053167bc 7de6b27ba23da2c1d1ddfc54926b8a770a7da00908516e377c68140ebefa44d5 81bb7e47f2f07cae53dfa7a78ae94625bc49945a99a147b06da9b30f887981f0
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Win.Malware.njRAT-7363922-1

Indicators of Compromise

Registry Keys Occurrences
<HKU>\S-1-5-21-2580483871-590521980-3826313501-500 (Value Name: di) 21
<HKCU>\ENVIRONMENT (Value Name: SEE_MASK_NOZONECHECKS) 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON (Value Name: ParseAutoexec) 21
<HKCU>\SOFTWARE\E99E462D99AD204BDF7D672852A4E30A (Value Name: [kl]) 21
<HKCU>\SOFTWARE\E99E462D99AD204BDF7D672852A4E30A 16
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: e99e462d99ad204bdf7d672852a4e30a) 7
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: e99e462d99ad204bdf7d672852a4e30a) 7
Mutexes Occurrences
e99e462d99ad204bdf7d672852a4e30a 21
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]22[.]2[.]84 14
104[.]22[.]3[.]84 9
95[.]185[.]232[.]120 1
98[.]124[.]119[.]29 1
41[.]141[.]118[.]138 1
197[.]26[.]141[.]153 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 21
inforhack[.]ddns[.]net 3
shadowhakar41[.]ddns[.]net 1
osaam2015[.]ddns[.]net 1
x5pqt[.]ddns[.]net 1
server5319[.]us[.]to 1
aqwe[.]ddns[.]net 1
hx[.]ddns[.]net 1
snokeall[.]ddns[.]net 1
animeopening[.]ddns[.]net 1
mrzero007[.]ddns[.]net 1
sikipon32[.]ddns[.]net 1
Files and/or directories created Occurrences
%TEMP%\dw.log 17
%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp 17
%TEMP%\svchost.exe 12
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\e99e462d99ad204bdf7d672852a4e30a.exe 6
%APPDATA%\svchost.exe 2
%APPDATA%\skype.exe 1
%TEMP%\8c0_appcompat.txt 1
%HOMEPATH%\svchost.exe 1
%TEMP%\dlhost.exe 1
%HOMEPATH%\Hex.exe 1
%TEMP%\Microsoft.exe 1

File Hashes

059e82f8093d6cc96a0c9b256b91f29a76a504b31e7b99e505f00f1a58fb0fc8 0e456becd300e714371a779408d0e06c9e2d607e4e64357eddfa044a52c16640 2a167630a36ac40de7c8734db7020485e6437e48f7df33254702cdd8970128c0 51e4acbcc40cd882aaad099ae740e95657b309933898ba1d7008c457f0d75cdb 6001923be2f05f19e5061ddf5975f4b8c11f0085328434d6b1926c5a2c6485b9 6d377ec90f4ba0dd424381e05b48c7ed6e92dacc5e8ee3a154c4b770eeb52587 76c67ae939c6a9d187a0bdea6aaa6327984cd3e8de004835eb067ce4ec94ca1e 79fb56495974b83bc55b641f7a242206a539fcc028f66587f9e3c01e954f60b1 82af8835172e86cb143531abfaaf49ba71f5f82087c47bde81982e7f9fb4857a 836067675ad71d653ef9e8cedd07df5e6d15a41e7bc54cdbbaee2fc7764d9d2f 842865c8e038c4cf4da7c65a2c42379548009ddfedf206ac768f4fc443f3fae4 8c8ab50a5fffa135df8e2f8414a7862659dfec13742a511f9ca7f07348f3a44e 8df49f96d2f23b361c482dc331569827f4de5948cb95b426bf51c5f02d7574e5 92451c9eaec9049c6d787ec783bfacbaa20c4b95380b7247b540419c9b326a15 b56bdfb6b099cfe281a29e3d1f1a08d7fb4d56c0495dad8db010cb207ca73d67 ca1bc558e24135a5d6b79621ad7c236f6ca50c552bbc7b13d8b0d6feecf0a330 d788fe230c34a048d3a9b81464e72b62804447c046fc160ab920fda1ab168d56 e060f062be14913686fec255fae67e79f0042507701289fe8347d15206462df6 e4545c9397b09fa28bfd369bdc28babaee10ec05546bcd674263c0d24244aa07 f17ae58c267b7d0601014165e804580d0044134dc04b1ca50811275df0793ded f6d6b6fae736e1fc4d9bbb52704a7c84cc8bf4981f18ea466793f5aaf545d38a

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Screenshots of Detection

AMP




Win.Trojan.Socks-7363151-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ntuser) 24
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: autoload) 24
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE (Value Name: ImagePath) 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: ntuser) 24
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: autoload) 24
<HKLM>\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND 24
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
208[.]100[.]26[.]251 24
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fewfwe[.]net 24
blinko-usa[.]com 24
satellife[.]info 24
Files and/or directories created Occurrences
%HOMEPATH%\cftmon.exe 24
%SystemRoot%\SysWOW64\drivers\spools.exe 24

File Hashes

0e9ce623b6d9979002c965f8d4b8379d16a3cdd71e64edfefb7b46546f760556 158b0aa2b4d23ab0c60e398eaffcc453d3b2135e9ac8501fc6fc8b0181f34916 19037ebfa382219b5a715a3190291091db8c4305cfcfb80ccf7ee6134f24ac2b 2c5f26e9971998e2989d69062df2b4947e52799f3b1e467eca922637cfc4b8a0 4772d7089ed885adeffe0c432f206e84a10038d93aea00713a0fef3ea204d61b 4ab819c524ad7e920bc7fedfce565676c6fdbc952e565bd42da7622456900f5b 4b39a3e4422ff108fbbeb5527524254eff540f48afcb882ef723c86760c01692 4d0b608d4816454ea7c615a51d24d20d25d3db7b424bea47956f3cf610c12a63 564cc6cf1fb9c7f23321ea597da0de78584f663faa3576cc25c876f0ced8539f 6451c75aa10348799759f004bb5f8cec4cab9ca59a243f74af6a92d994ff47ad 6bb0c35cf05218d0f843085b0da1dadead72bb6f3f08c72909c42875d177fac9 7299f47ff48a6286d1cd26a0b7d1e5233dd14af4cb7b1899538f9aa6661194ad 72ad21d29db21fd7519e226f0e50bd12a6c656b3ec14aed124555467373f09c4 748a55b6bb4144523e88a1a6795b22a445d30c142f06f869db1ea79ea879a6dd 8125c5f1f273ce5eafef48762c6886cb9df53a7dd5d41aad058afdab64256c9f 9814aae0363183ef5ae7d960da747db0dc5a644bae9e6f880c2b16f1b06f0de7 bbe846b00154658a2ce4701a08f085b806aebfebec60a5fc7b755bdb16f1db46 cec7f824501284e919c38d9161196136e527b67a8cb5066a2605995ec9833b94 cee25c0db7ab90aa3848e13013b2b02e82f101e473544ed802dc57242e54acfc cf8478480f7974884ce7a9d817b4ded724f2d1c77638273fbeaa3f086d1905ad d814df1c7a8edf3d4ce11091595ffd5d25b5a79de1891b39dc8ddfd8c00353c2 da967dec24f5455ed8910f3d7df93c60319fba735a29e2e09401db4b6b7a057c f713344d26bc5ad3d88efd93473acbbde824c4d4f0e1a70fb690d9bfe27a2bff f74c53738e554de22236498e91bef767351ac06a677eb2192ee09182eec203a4

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Win.Malware.Lokibot-7363866-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\WINRAR 3
<HKCU>\SOFTWARE\WINRAR (Value Name: HWID) 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 (Value Name: F) 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 (Value Name: F) 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC (Value Name: F) 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: 8PKXHTYXYR) 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: KV1LBH_H1V) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: JPXX3LNHNHY) 1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN (Value Name: PHLL54I) 1
Mutexes Occurrences
3749282D282E1E80C56CAE5A 12
3BA87BBD1CC40F3583D46680 11
8-3503835SZBFHHZ 4
6M1O492E903A660D 4
S-1-5-21-2580483-1060168328224 2
Global\ee9ec621-fa96-11e9-a007-00501e3ae7b5 1
S-1-5-21-2580483-6362420053499 1
S-1-5-21-2580483-19562420053499 1
S-1-5-21-2580483-13882420053499 1
S-1-5-21-2580483-11682420053499 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
104[.]247[.]73[.]132 10
62[.]149[.]128[.]45 2
198[.]54[.]117[.]200 2
47[.]91[.]169[.]15 2
198[.]49[.]23[.]144/31 2
172[.]80[.]15[.]9 2
185[.]149[.]23[.]24 2
45[.]43[.]35[.]96/31 2
213[.]186[.]33[.]5 1
50[.]63[.]202[.]52 1
91[.]195[.]240[.]126 1
23[.]20[.]239[.]12 1
184[.]168[.]131[.]241 1
52[.]58[.]78[.]16 1
81[.]88[.]57[.]68 1
183[.]90[.]245[.]41 1
162[.]213[.]255[.]220 1
162[.]211[.]181[.]225 1
213[.]239[.]221[.]71 1
198[.]54[.]117[.]218 1
173[.]247[.]243[.]182 1
203[.]238[.]182[.]106 1
103[.]75[.]189[.]246 1
77[.]72[.]0[.]138 1
69[.]16[.]230[.]43 1
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
devhaevents[.]us 10
www[.]nadidetadllar[.]com 3
28080[.]com 2
www[.]peizi33[.]com 2
www[.]zgtmn[.]com 2
www[.]neurofoodmarketing[.]com 2
www[.]dc-eas[.]com 2
www[.]wls11[.]com 2
www[.]the-conference-buddies[.]com 2
www[.]parapuglia[.]com 2
www[.]wemovieblog[.]info 2
www[.]browneyedbakerfun[.]com 2
www[.]zjko2o[.]com 2
www[.]cryptogage[.]com 2
cn-list[.]info 2
www[.]xn--u2u404a[.]ink 2
www[.]stvple[.]com 2
www[.]ledean-pauvert[.]com 2
www[.]ms-field[.]net 2
www[.]2zh4m[.]com 1
www[.]66463dh[.]com 1
www[.]moveoptimizer[.]com 1
www[.]onmyoji-kouryaku[.]com 1
www[.]1399pk10[.]com 1
mindslaver[.]com 1
*See JSON for more IOCs
Files and/or directories created Occurrences
%APPDATA%\D282E1\1E80C5.lck 12
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5 12
%APPDATA%\D1CC40\0F3583.lck 11
%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-1258710499-2222286471-4214075941-500\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1 11
%TEMP%\bill file.exe 11
%APPDATA%\D1CC40\0F3583.exe (copy) 9
%APPDATA%\D282E1 7
%APPDATA%\6M1O492E\6M1logim.jpeg 7
%APPDATA%\6M1O492E\6M1logrc.ini 7
%APPDATA%\6M1O492E\6M1logri.ini 7
%APPDATA%\D1CC40\0F3583.hdb 5
%APPDATA%\6M1O492E\6M1logrv.ini 4
%System32%\Tasks\Attractableness 3
%ProgramData%\hellderbind.exe 3
%ProgramData%\HELLDE~1.EXE 2
\Documents and Settings\All Users\hellderbind.exe 2
%SystemRoot%\Tasks\Attractableness.job 2
%TEMP%\A1ED.dmp 1
%TEMP%\8D7A.dmp 1
%TEMP%\bin.exe 1
%APPDATA%\-L951SVT\-L9logim.jpeg 1
%APPDATA%\-L951SVT\-L9logrc.ini 1
%APPDATA%\-L951SVT\-L9logri.ini 1
%TEMP%\52843.bat 1
%ProgramFiles(x86)%\Dmdvpl4r8\IconCacheebvhjrz.exe 1
*See JSON for more IOCs

File Hashes

0b1ec867f89cabea9e5a4750f7c7ba76ba255b417341b13351bde26733827d5e 124f01bbbcc20d33191c4d2bb756d7b4be9fd98b1c18dd0bafc2f5a1a0119a7c 1536d75683e29eb947bd08c622687c23e96b0a5b7192650d2c0e0b71b523f53b 3199c726488205e1e39d826666ddb14e567283dc1912b94688bf80623e3bb8b1 46d599a3253021c45a373cd9f324d1fe9b97a28a9b2ca57685621557296a736f 4a7483bd09d881a0c9b94077d2fa308eebcd44988dabf866b481c9dfd4d211da 68e514e18e7353c018dd48e6f237e5f7c57def18a357156ffca7dd3826ee7426 72b2e6a534b504d1e5871293956412bf8b198ae71139312592755bfe8a5cbfab 7a675a25cd30dc40dba8e32cbdc499089dcbc5a994150d8466497f14619ae6ba 8e89f43a20be6022d88e7ba6821a91e5f2ade5882ba8de7e86e449ba497e56cc c4294beaabec49ed4dede08037b48667ac91dbf9eb4cff60e987b1906d7e35f1 ca5eeac3a04231f26f71646ec3f62c867d42fef71dcd677cb4e2a01a986a80eb d0a46670613cb3711bb0c690f75768640e6867b53ee2866f1952bb3b39436f59 dbe53d918accbf4b75025ad3b525ebce8547c913808ef547e8b9d67114113b1c f966a33cbaba9b97cb874d8b8d17544c856db7544c7bb2a09d3d2535a8e28fd5

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


Umbrella




Win.Packed.Zeroaccess-7358361-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: DeleteFlag) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: DeleteFlag) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: DeleteFlag) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: DeleteFlag) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER (Value Name: Start) 21
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Windows Defender) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND (Value Name: ErrorControl) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS (Value Name: ErrorControl) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: ErrorControl) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC (Value Name: DeleteFlag) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC (Value Name: ErrorControl) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC (Value Name: ErrorControl) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: Type) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: Start) 21
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BFE (Value Name: ErrorControl) 21
Mutexes Occurrences
Global\82f0e161-f7c1-11e9-a007-00501e3ae7b5 1
Global\a280e5c1-f7c1-11e9-a007-00501e3ae7b5 1
Global\d6367241-f7c1-11e9-a007-00501e3ae7b5 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
83[.]133[.]123[.]20 14
212[.]253[.]253[.]254 9
218[.]144[.]173[.]167 8
98[.]248[.]140[.]174 7
76[.]119[.]18[.]160 6
82[.]130[.]158[.]137 6
24[.]222[.]83[.]135 6
1[.]161[.]150[.]169 6
65[.]36[.]75[.]132 6
50[.]7[.]216[.]66 5
166[.]82[.]93[.]190 5
36[.]2[.]141[.]192 5
184[.]90[.]23[.]168 4
72[.]189[.]202[.]136 4
37[.]19[.]241[.]169 4
31[.]134[.]253[.]187 4
110[.]226[.]47[.]156 4
74[.]88[.]57[.]193 4
184[.]38[.]240[.]175 4
5[.]43[.]242[.]139 4
152[.]7[.]6[.]164 4
190[.]105[.]127[.]197 4
98[.]69[.]146[.]176 4
86[.]124[.]234[.]155 4
80[.]116[.]95[.]189 4
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
j[.]maxmind[.]com 21
Files and/or directories created Occurrences
%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8 21
\@ 21
\L\eexoxfxs 21
\systemroot\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f} 16
\systemroot\system32\services.exe 16
%System32%\services.exe 16
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\@ 16
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\L 16
%SystemRoot%\Installer\{0f210b53-2df0-43a6-b654-d5b43088f74f}\U 16
\systemroot\assembly\GAC_32\Desktop.ini 5
\systemroot\assembly\GAC_64\Desktop.ini 5
\$Recycle.Bin\S-1-5-18 5
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f 5
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@ 5
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L 5
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U 5
\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n 5
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f 5
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@ 5
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L 5
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U 5
\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n 5
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@ 3
\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n 3
\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@ 3
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Win.Ransomware.Shade-7357624-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xi) 12
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: Client Server Runtime Subsystem) 12
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xVersion) 12
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32 12
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION 12
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shst) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: sh1) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: shsnt) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xstate) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xcnt) 11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\WINDOWS ERROR REPORTING\DEBUG (Value Name: ExceptionRecord) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xmode) 11
<HKLM>\SOFTWARE\WOW6432NODE\SYSTEM32\CONFIGURATION (Value Name: xpk) 11
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\HOMEGROUP\UISTATUSCACHE (Value Name: OnlyMember) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER (Value Name: CleanShutdown) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{509D0DCA-5840-11E6-A51E-806E6F6E6963} (Value Name: Generation) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} (Value Name: Data) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} (Value Name: Generation) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Data) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Generation) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Data) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\MOUNTPOINTS2\CPC\VOLUME\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} (Value Name: Generation) 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPLETS\SYSTRAY (Value Name: Services) 6
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES 6
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CD BURNING\DRIVES\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} (Value Name: Drive Type) 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
\README1.txt 12
\README10.txt 12
\README2.txt 12
\README3.txt 12
\README4.txt 12
\README5.txt 12
\README6.txt 12
\README7.txt 12
\README8.txt 12
\README9.txt 12
%ProgramData%\System32\xfs 11

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (57939)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected - (2838)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Kovter injection detected - (410)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Excessively long PowerShell command detected - (354)
A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Process hollowing detected - (313)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Gamarue malware detected - (137)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (95)
InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Dealply adware detected - (93)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
PowerShell file-less infection detected - (46)
A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
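As an added example (not Talos code) covering both the "Excessively long PowerShell command" and "PowerShell file-less infection" signatures described above, the following triage routine runs over constructed process-creation events and labels command lines that are excessively long or encoded, or that execute script text pulled from an environment variable. The 500-character threshold, the regular expressions, the event tuple layout and the sample events are all assumptions.

```python
import re

LONG_CMDLINE = 500  # assumed threshold for "excessively long"; tune per environment

# PowerShell or pwsh anywhere in the command line.
POWERSHELL = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a base64 argument.
ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Script text read from an environment variable and handed to
# Invoke-Expression: the Kovter/Poweliks pattern described above.
ENV_EXEC = re.compile(
    r"(?:iex|invoke-expression)[^\n]*\$env:"
    r"|\$env:[^\n]*(?:iex|invoke-expression)"
    r"|\[environment\]::getenvironmentvariable",
    re.IGNORECASE,
)

def triage(cmdline: str) -> list[str]:
    """Return the detection labels that apply to one process command line."""
    hits: list[str] = []
    if not POWERSHELL.search(cmdline):
        return hits  # only PowerShell launches are in scope
    if len(cmdline) > LONG_CMDLINE or ENCODED.search(cmdline):
        hits.append("excessively-long-or-encoded-powershell")
    if ENV_EXEC.search(cmdline):
        hits.append("powershell-fileless-env-var")
    return hits

# Constructed sample process-creation events: (event id, image path, command line).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ("evt-1", PS_IMAGE, 'powershell.exe -NoP -W Hidden -c "iex $env:abcd"'),
    ("evt-2", PS_IMAGE, "powershell.exe -EncodedCommand " + "QQ" * 400),
    ("evt-3", PS_IMAGE, r"powershell.exe -File C:\scripts\inventory.ps1"),
    ("evt-4", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

def scan(events) -> dict[str, list[str]]:
    """Map event id -> labels for every event that triggered at least one rule."""
    flagged: dict[str, list[str]] = {}
    for event_id, _image, cmdline in events:
        labels = triage(cmdline)
        if labels:
            flagged[event_id] = labels
    return flagged

if __name__ == "__main__":
    for event_id, labels in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(labels))
```

Feed real Sysmon Event ID 1 or Security 4688 command lines into `scan` instead of `SAMPLE_EVENTS`; a benign `-File` launch produces no label, so the output is only the events worth a closer look.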
Fusion adware detected - (29)
Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware.
