Friday, January 31, 2020

Threat Roundup for January 24 to January 31

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 24 and Jan. 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.


For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Doc.Downloader.Emotet-7561073-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Ransomware.TeslaCrypt-7561199-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.
Win.Malware.Cerber-7561026-0 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Win.Packed.njRAT-7561028-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Packed.Kuluoz-7561668-1 | Packed | Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Trojan.SmokeLoader-7562031-1 | Trojan | SmokeLoader is malware primarily used to download and execute additional malware. Read more about this threat on our blog at https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html.
Win.Malware.Nymaim-7565328-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads.
Win.Packed.ZBot-7563206-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing.
PUA.Win.File.Dealply-7563212-0 | File | DealPly is an adware program that installs an add-on for web browsers and displays malicious ads.

Threat Breakdown

Doc.Downloader.Emotet-7561073-0

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: Type 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: Start 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ErrorControl 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ImagePath 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: DisplayName 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: WOW64 5
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MEXICOGUID Value Name: ObjectName 5
Mutexes Occurrences
Global\I98B68E3C 5
Global\M98B68E3C 5
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%HOMEPATH%\976.exe 20
%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp 17
%TEMP%\tst7C.tmp 1
%TEMP%\tstBC.tmp 1
%TEMP%\tstE.tmp 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Ransomware.TeslaCrypt-7561199-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLinkedConnections 21
<HKCU>\SOFTWARE\XXXSYS 21
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 Value Name: CheckSetting 21
<HKCU>\SOFTWARE\XXXSYS Value Name: ID 21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> 21
<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'> Value Name: data 21
<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Value Name: Blob 20
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: clycoowjblev 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: xcdjaxwnjnyv 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kdkrjkoxcoox 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: jylmwtguxgkt 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ookfknruoagc 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: kjayrvnavhux 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: xlfrocgqtuck 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: rjopbftidbxn 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: untudrlkcqaf 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: exoxvooruudo 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: itbqxmjmhgli 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ngtpiwrksqfm 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: ajcdjvtakwtb 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: nhflhnkqeiix 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: sllccxaietxc 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: tauqjbughujc 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: pdfnqsbitrak 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: awjcujlsmtrl 1
Mutexes Occurrences
ityeofm9234-23423 21
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]11[.]56[.]48 21
109[.]73[.]238[.]245 21
85[.]128[.]188[.]138 21
162[.]241[.]224[.]203 21
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Win.Malware.Cerber-7561026-0

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES Value Name: DefaultTokenId 19
<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES 19
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 25
shell.{<random GUID>} 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
31[.]184[.]234[.]0/25 25
104[.]20[.]20[.]251 8
104[.]20[.]21[.]251 6
104[.]24[.]104[.]254 4
104[.]24[.]105[.]254 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
Files and or directories created Occurrences
%TEMP%\d19ab989\4710.tmp 25
%TEMP%\d19ab989\a35f.tmp 25
\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\README.hta 20
%ProgramFiles(x86)%\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\README.hta 20
%APPDATA%\Microsoft\Access\README.hta 20
%APPDATA%\Microsoft\Outlook\README.hta 20
%HOMEPATH%\Desktop\README.hta 20
%HOMEPATH%\Documents\Outlook Files\README.hta 20
%HOMEPATH%\Contacts\README.hta 19
%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp 19
%APPDATA%\Adobe\Acrobat\9.0\README.hta 16
<dir>\<random, matching [A-Z0-9\-]{10}.[A-F0-9]{4}> (copy) 10

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Win.Packed.njRAT-7561028-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\ENVIRONMENT Value Name: SEE_MASK_NOZONECHECKS 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON Value Name: ParseAutoexec 15
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 5cd8f17f4086744065eb0992a09e05a2 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 5cd8f17f4086744065eb0992a09e05a2 3
<HKCU>\SOFTWARE\C2405709A54EC95CDDCC5C598F34081C 3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: c2405709a54ec95cddcc5c598f34081c 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: c2405709a54ec95cddcc5c598f34081c 3
<HKCU>\SOFTWARE\C2405709A54EC95CDDCC5C598F34081C Value Name: [kl] 3
<HKCU>\SOFTWARE\61EA4210CF20153E16C66B613536B9E0 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 61ea4210cf20153e16c66b613536b9e0 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 61ea4210cf20153e16c66b613536b9e0 2
<HKCU>\SOFTWARE\61EA4210CF20153E16C66B613536B9E0 Value Name: [kl] 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2 Value Name: hp 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2 Value Name: i 2
<HKCU>\SOFTWARE\C550D26EE8BEBB2D926652BE861588B2 Value Name: kl 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: c550d26ee8bebb2d926652be861588b2 2
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: c550d26ee8bebb2d926652be861588b2 2
<HKCU>\SOFTWARE\ADOBE\ACROBAT READER\9.0\AVGENERAL Value Name: bLastExitNormal 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: f8782a013a20610e09216f21b705d856 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: f8782a013a20610e09216f21b705d856 1
<HKCU>\SOFTWARE\F8782A013A20610E09216F21B705D856 Value Name: [kl] 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE Value Name: C:\Program Files (x86)\Windows Photo Viewer\PhotoViewer.dll 1
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE Value Name: C:\Program Files (x86)\Windows NT\Accessories\WORDPAD.EXE 1
<HKCU>\SOFTWARE\A283D5EDA9CD874157ADF0AF127AFD04 Value Name: hp 1
Mutexes Occurrences
<32 random hex characters> 11
5cd8f17f4086744065eb0992a09e05a2 3
c550d26ee8bebb2d926652be861588b2SGFjS2Vk 2
Acrobat Instance Mutex 1
a283d5eda9cd874157adf0af127afd04SGFjS2Vk 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337468 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337490 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723374A4 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723374CC 1
2AC1A572DB6944B0A65C38C4140AF2F44d47233758C 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723376DC 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337710 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337750 1
2AC1A572DB6944B0A65C38C4140AF2F44d472337828 1
2AC1A572DB6944B0A65C38C4140AF2F44d4723378B0 1
2AC1A572DB6944B0A65C38C4140AF2F44d473EA6134 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
156[.]216[.]33[.]12 1
141[.]255[.]152[.]56 1
141[.]255[.]153[.]212 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
imaneblueyes[.]ddns[.]net 2
mestry1212[.]ddns[.]net 2
amrfarag[.]ddns[.]net 1
njs1[.]ddns[.]net 1
emlpesa[.]ddns[.]net 1
facebock[.]ddns[.]net 1
Files and or directories created Occurrences
%TEMP%\server.exe 4
%TEMP%\Trojan.exe 3
%TEMP%\Trojan.exe.tmp 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c2405709a54ec95cddcc5c598f34081c.exe 3
%TEMP%\Chrom.exe 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\c550d26ee8bebb2d926652be861588b2.exe 2
%APPDATA%\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst 1
%APPDATA%\Adobe\Acrobat\9.0\SharedDataEvents 1
%APPDATA%\Adobe\Acrobat\9.0\UserCache.bin 1
%LOCALAPPDATA%\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst 1
%APPDATA%\Adobe\Acrobat\9.0\SharedDataEvents-journal 1
%APPDATA%\Microsoft.exe 1
%TEMP%\Windows 1
%TEMP%\Windows Update.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\f8782a013a20610e09216f21b705d856.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\9de3566e57ab5f0665456e9f5754a7d3.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\2f08ade869f075aa32331d77d03e57e5.exe 1
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\77ca5176ec9da801e6934f1f927759d5.exe 1

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA This has coverage

Win.Packed.Kuluoz-7561668-1

Indicators of Compromise

Mutexes Occurrences
2GVWNQJz1 25
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
69[.]93[.]231[.]252 18
149[.]154[.]154[.]249 18
88[.]190[.]226[.]223 17
31[.]47[.]250[.]41 16
83[.]141[.]7[.]102 12
50[.]56[.]124[.]35 10
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 25

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Win.Trojan.SmokeLoader-7562031-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\LOCAL APPWIZARD-GENERATED APPLICATIONS 22
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 8
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: Hidden 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM Value Name: EnableLUA 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC Value Name: Start 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND Value Name: Start 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED Value Name: ShowSuperHidden 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS Value Name: Start 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC Value Name: Start 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV Value Name: Start 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: TaskbarNoNotification 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: TaskbarNoNotification 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: HideSCAHealth 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER Value Name: HideSCAHealth 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN Value Name: 2827271685 7
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: 2827271685 5
<HKCU>\SOFTWARE\WINRAR 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9 Value Name: F 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5 Value Name: F 2
<HKCU>\SOFTWARE\WINRAR Value Name: HWID 2
<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC Value Name: F 2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: Service Host Process for Windows 1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: help 1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value Name: help 1
Mutexes Occurrences
qazwsxedc 16
04F453E614B75F818C01D1BD88F5825B98B68E3C 7
Frz_State 5
Local\https://docs.microsoft.com/ 1
YAHWKKS65HAKSDJA 1
Mutex_Y1vFO98bB6v9Q8lC815ehD1xoEvADrFwNqccccSHudZP31Qt 1
Mutex_nLoOSZQIZqWgQsQHTpJ1ymgM69XnbNuwA89bPTRycpnppKwx 1
2BC133F114B75F818C01D1BDA7C0E24C98B68E3C 1
2CA90D003CEA016700C2B1832C6BBC833C28B0E4 1
AA2A0D04BA6901638641B1872C6BBC833C28B0E4 1
A1356D9DB17661FA8D5ED11E2C6BBC833C28B0E4 1
7B0110536B421C34576AACD02C6BBC833C28B0E4 1
B3CC54B3A38F58D49FA7E8302C6BBC833C28B0E4 1
F99113FAE9D21F9DD5FAAF792C6BBC833C28B0E4 1
0527C9131564C574294C75902C6BBC833C28B0E4 1
12C5B9C22DB3D5B2119B6556035EDC943C28B0E4 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage


Win.Malware.Nymaim-7565328-1

Indicators of Compromise

Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\GOCFK 12
<HKCU>\SOFTWARE\MICROSOFT\KPQL 12
<HKCU>\SOFTWARE\MICROSOFT\GOCFK Value Name: mbijg 12
<HKCU>\SOFTWARE\MICROSOFT\KPQL Value Name: efp 12
Mutexes Occurrences
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
%TEMP%\fro.dfx 12
%TEMP%\npsosm.pan 12
\Documents and Settings\All Users\pxs\dvf.evp 12
\Documents and Settings\All Users\pxs\pil.ohu 12
%ProgramData%\ph 12
%ProgramData%\ph\eqdw.dbc 12
%ProgramData%\ph\fktiipx.ftf 12
%TEMP%\gocf.ksv 12
%TEMP%\kpqlnn.iuy 12

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage


Win.Packed.ZBot-7563206-1

Indicators of Compromise

Registry Keys Occurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: LoadAppInit_DLLs 19
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS Value Name: AppInit_DLLs 19
Files and or directories created Occurrences
%System32%\Tasks\aybbmte 19
%ProgramData%\Mozilla\thfirxd.exe 19
%ProgramData%\Mozilla\lygbwac.dll 19
%HOMEPATH%\APPLIC~1\Mozilla\kvlcuie.dll 16
%HOMEPATH%\APPLIC~1\Mozilla\tfbkpde.exe 16
%SystemRoot%\Tasks\kylaxsk.job 16

File Hashes


Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A


PUA.Win.File.Dealply-7563212-0

Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
*See JSON for more IOCs
Files and or directories created Occurrences
*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A


Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
CVE-2019-0708 detected - (5959)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (313)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Kovter injection detected - (220)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (188)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (111)
Installcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Excessively long PowerShell command detected - (84)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Reverse http payload detected - (32)
An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.
Atom Bombing code injection technique detected - (32)
A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
Dealply adware detected - (22)
DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Corebot malware detected - (16)
Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking.
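
As an added example (not Talos or AMP code), here is a minimal take on the "Excessively long PowerShell command detected" check described above: it scans constructed process-creation events, flags PowerShell command lines over a length threshold and, going one step past the length check, decodes any -EncodedCommand payload for triage. The event field names, the sample events and the 1,000-character threshold are assumptions made for this example.

```python
import base64

# Assumption for this example: the post gives no threshold for "very long".
MAX_CMDLINE_LEN = 1000
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def encoded_payload(command_line):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        # PowerShell accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec.
        if flag[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                # -EncodedCommand takes base64 of a UTF-16LE string.
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:  # invalid base64 or invalid UTF-16
                return None
    return None


def find_long_powershell(events, max_len=MAX_CMDLINE_LEN):
    """Flag PowerShell process launches whose command line exceeds max_len."""
    findings = []
    for ev in events:
        # Compare on the executable's file name only, case-insensitively.
        image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        cmd = ev["command_line"]
        if image in POWERSHELL_IMAGES and len(cmd) > max_len:
            findings.append({"host": ev["host"], "length": len(cmd),
                             "decoded": encoded_payload(cmd)})
    return findings


# Constructed sample events (hypothetical hosts and field names).
SCRIPT = "Write-Output 'constructed sample'; " * 40
B64 = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "WS-02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc " + B64},
    {"host": "WS-03", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo " + "A" * 2000},
]

if __name__ == "__main__":
    for f in find_long_powershell(SAMPLE_EVENTS):
        print(f["host"], f["length"], (f["decoded"] or "")[:40])
```

Length alone produces false positives from legitimate management tooling, so tune the threshold against a baseline of your own environment before alerting on it.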
