Friday, August 21, 2020

Threat Roundup for August 14 to August 21


Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 14 and Aug. 21. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name Type Description
Win.Dropper.Cerber-9294966-0 Dropper Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used.
Doc.Downloader.Emotet-9369643-0 Downloader Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.njRAT-9375376-0 Packed njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.
Win.Trojan.CyberGate-9370803-1 Trojan Cybergate, also known as Rebhip, is a remote access trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system.
Win.Dropper.Kuluoz-9310433-0 Dropper Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
Win.Packed.Dridex-9379120-1 Packed Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine.
Win.Dropper.Tofsee-9368705-0 Dropper Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.

Threat Breakdown

Win.Dropper.Cerber-9294966-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 51 samples
Registry Keys Occurrences
<HKCU>\PRINTERS\DEFAULTS\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} 49
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
Value Name: Run
49
<HKCU>\SOFTWARE\MICROSOFT\COMMAND PROCESSOR
Value Name: AutoRun
49
<HKCU>\CONTROL PANEL\DESKTOP
Value Name: SCRNSAVE.EXE
49
<HKCU>\PRINTERS\DEFAULTS 49
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: FlashPlayerApp
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: FlashPlayerApp
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: mountvol
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: mountvol
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DWWIN
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: DWWIN
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: netbtugc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: netbtugc
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xwizard
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: xwizard
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NAPSTAT
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: NAPSTAT
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: PkgMgr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: PkgMgr
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: WPDShextAutoplay
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: WPDShextAutoplay
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Dism
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dnscacheugc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: dnscacheugc
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: instnm
1
Mutexes Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} 49
shell.{<random GUID>} 6
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
31[.]184[.]234[.]0/25 49
208[.]95[.]112[.]1 49
69[.]195[.]146[.]130 6
98[.]137[.]11[.]164 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
ip-api[.]com 49
Files and or directories created Occurrences
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2} 49
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mountvol.lnk 3
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\DWWIN.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\DWWIN.EXE 2
%System32%\Tasks\DWWIN 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\xwizard.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\xwizard.exe 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\mountvol.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\netbtugc.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\netbtugc.exe 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\PkgMgr.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\PkgMgr.exe 2
%System32%\Tasks\PkgMgr 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\WPDShextAutoplay.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\WPDShextAutoplay.exe 2
%System32%\Tasks\xwizard 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\NAPSTAT.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\NAPSTAT.EXE 2
%System32%\Tasks\mountvol 2
%APPDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\FlashPlayerApp.lnk 2
%APPDATA%\{6F885251-E36F-0FE6-9629-63208157D7A2}\FlashPlayerApp.exe 2
%System32%\Tasks\FlashPlayerApp 2
%System32%\Tasks\netbtugc 2
%System32%\Tasks\WPDShextAutoplay 2
%System32%\Tasks\NAPSTAT 2
*See JSON for more IOCs

File Hashes

01a392328bde81495f6682e728034b82556d4019bcceb8e9fd7337525370ca82 03c87da71be399ace0ed9a4ebf95e2b95d32060f273fd8ea8001e25d08cd54dd 0712fdbf593406d803bfc4638264b7a5d8dc95316d4988079828106e6f6925e3 18c4f60df01b00809a5affabfa5ba04a724e4d4a98ab7e9fb83e9f627aa789e1 1f2161956d8bb447845b0ef70b514edc31f6f01b1007ee6c7a5ebd77e4331439 24f656fed8bb0ea0e5cca4422dd61a3b7a2eeeccff942403429f722cfcdef5a3 27343c1b2124a0767c1513d568c8cc25aec07ccbe9b136ee7005c63be965e354 2778aa52eaf8d8fa2950cd2ef50faae6f49c9d7e0c55d813a36613fe63a3be73 29b05e9f79e56a480421ca565d2ae57b6db6e6b54e15d603534686bbde6c5759 2b2acc6a166aa30ff190af2b95ccbe0b31596f5ddf24661a062630a2eaafe516 2eeab773c4cc1760a51cf0e0dee6e0fdb0b1e2c5ee81e14a297e379bf4f75fd4 34959098859ac166ece6bf7c8edc1f28feefa4cec1f26eeb531466449ee4345d 350cafe8a66a3bebfc84fe7c9fc5533a976a476354583e840364e8c9d0ee1cb9 39709bd8d99856ce16e4ec47fc1f1d25b1dfd133ba0d0bbb9914658240921da1 3de3161efe34122601f3865aff18e56cb873ddcc2adb6b7a8b6c4afaa38ec3e4 3f92bd7f208dafca5d89a7ba1145836f264336baab457f62269129028eb53ecd 40bc0cd77874e7fff3d9c3fccf64ce3676d870af88ea27caafb4b650aabe7593 413eeaef11563646ef90407e4fdd8e0078f95dfd309fb2ada8728e45befbb313 4fb0907454e2b6faa947003184878d70555be3073132e677b4606032907ca91f 5ab3a63e8d334368280d566f526718a2a10c95073059a53a9707af0bb74eeb9b 5adf50576a375547c4775341535461d49078234283379e17bba88465cd286f7c 68e5aaea215f94b30d9bfafc8f62cda3460e7f230edffc66d8902cbbb513b53c 6959e3521c3ce4a39a250cfb899f52cc74b6bd1a7a1ba4ee03d4766210346fa3 6a49ffcb3ddb3a8912c3f75ae35b846913b6d3cc6303c395f251b3e66ee1621c 6edbea75b6b0904f0cbebda821805eeb3af462cde35d9af3d3ecdb6e8145e860
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Doc.Downloader.Emotet-9369643-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 34 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\CLASSES\{80B8C23C-16E0-4CD8-BBC3-CECEC9A78B79} 17
<HKLM>\SOFTWARE\CLASSES\{80B8C23C-16E0-4CD8-BBC3-CECEC9A78B79}
Value Name: telemetry
12
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Type
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: Start
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ErrorControl
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ImagePath
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: DisplayName
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: WOW64
7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>
Value Name: ObjectName
7
Mutexes Occurrences
{773F1B9A-35B9-4E95-83A0-A210F2DE3B37}-Default 12
Global\Avira.Spotlight.Bootstrapper.Presetup 11
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
23[.]197[.]19[.]180 12
68[.]66[.]248[.]6 9
68[.]44[.]137[.]144 6
75[.]139[.]38[.]211 4
204[.]79[.]197[.]200 3
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
package[.]avira[.]com 12
poonamjoshi[.]com 9
e11356[.]dscd[.]akamaiedge[.]net 6
e13678[.]dspb[.]akamaiedge[.]net 2
Files and or directories created Occurrences
%TEMP%\Prmi.exe 34
%TEMP%\.CR.6851 12
%TEMP%\.CR.6851\ANTIVIRUSSETUP.INF 12
%TEMP%\.CR.6851\AVIRA.COMMON.MIXPANEL.DLL 12
%TEMP%\.CR.6851\AVIRA.FILEDOWNLOADER.DLL 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.CORE.DLL 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.ENGINE.DLL 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.EXE.CONFIG 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.LOGGING.DLL 12
%TEMP%\.CR.6851\AVIRA.SPOTLIGHT.BOOTSTRAPPER.TELEMETRY.INTERFACE.DLL 12
%TEMP%\.CR.6851\DE-DE 12
%TEMP%\.CR.6851\DE-DE\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL 12
%TEMP%\.CR.6851\DRYIOC.DLL 12
%TEMP%\.CR.6851\DRYIOC.MEFATTRIBUTEDMODEL.DLL 12
%TEMP%\.CR.6851\DRYIOCATTRIBUTES.DLL 12
%TEMP%\.CR.6851\EN-US 12
%TEMP%\.CR.6851\EN-US\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL 12
%TEMP%\.CR.6851\ENDPOINTPROTECTIONSDK.LIC 12
%TEMP%\.CR.6851\ES-ES 12
%TEMP%\.CR.6851\ES-ES\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL 12
%TEMP%\.CR.6851\FR-FR 12
%TEMP%\.CR.6851\FR-FR\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL 12
%TEMP%\.CR.6851\IT-IT 12
%TEMP%\.CR.6851\IT-IT\AVIRA.SPOTLIGHT.BOOTSTRAPPER.RESOURCES.DLL 12
*See JSON for more IOCs

File Hashes

033b3dd8584846505e11f16d26dc75ac3cc7f57142e2cc8130157a0830a55cb0 056530cd4782d99039a1c59a00634e347c97aba91712f28efa2f99016e36255d 0b266ef585d9883b0763708c60476e9423021f96e8e87ab1e54807d9363ff7f6 0e861ab37632e5d638b21e42cf6be9447598e6a216d09ad51dd30393705bb5cd 13def6e8f5dd2909bd67cbe188104f4478248a4488bdce7087b9b5f82002344b 17fa6bc7b5a8e53957b3325b522d8181d528a54bc83163cc615f04663ecfc2cb 2122d67f3efbf699748dcf332fcbdbe1b9ed50cc14d6e68d3d73ca0ba73289e9 26b01d8670864c99f1875ab686adaa67e4fb2a84ec06b19a459dca2026d38295 287337f947290c2bc018c9d0aecaa86f30a6daa50e0ccfca3e397c0b2bfbc780 334013f325a415d98c667bc55bc94e05ed085bc18a99ea57f331d0fc86242646 35625c4db57524d02bb9b8a3a150c15a793c8bcf531e07b2d1cad9a1367491ae 3eea9f7afe639ed32775963d6fae0261bd31b0927a8d21eb9cbcaadfe7633ae4 4367602aecdb9683550953f6f1f4ebb2fcdab4ac551c34b7042113a411b055a6 4cdbc6024c36e4dbda2a453b41ca1c7da90f638e5407e1fb99ef52cdfb118750 4d20c5ae0e33f500b516d5c05d802bad194c3def3888d3442f75ab26bf657645 505a12b991bd71e62c6776b42b2392b95a581e0d7334a66fb3437fb15d37c357 5703c758f1686aafaa3e8b0dc664b5956216319aa48e2188e759ffdcbf68aa02 607f2d3fdda89ae8fed6e2dbd496d8a75a833ba6b941455366e5f3a932ff90d5 82484f937d447414a0d20f7ddebadad675608fa009f2a255712cac5dcd93f39d 84ccb7dd64a2a08a9be41050698b514edd4b7b2360f42a6342f4960977bccdc5 85063dea74121863a9ec22bae6b095765373c4f3bb6fb8fdc7d4c7a97aae6344 8abbf9483a9763b8032c8b936535b757567605b00f28489751d7aea901d8414a 908e9b0b53a4a2cdee3e2738f654da2a779e31b975e7b25674321143e174119f 93400c3e807aa9fa5ce6c7251d89c4332bccd266c69e0638349625a868bc1ed4 9540841d5a15ebb8280e5a0b0c4e0550866c812b17a52e82874644551b877d73
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security This has coverage
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK




Win.Packed.njRAT-9375376-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 11 samples
Mutexes Occurrences
Local\https://www.youtube.com/ 5
Local\https://www.vnhax.net/ 5
{1B655094-FE2A-433c-A877-FF9793445069} 1
Local\https://ouo.io/ 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]164[.]131 6
172[.]217[.]15[.]74 6
204[.]79[.]197[.]200 5
209[.]197[.]3[.]15 5
151[.]101[.]248[.]193 5
46[.]105[.]201[.]240 5
172[.]217[.]164[.]129 5
172[.]217[.]7[.]243 5
172[.]217[.]164[.]169 5
172[.]217[.]12[.]230 5
31[.]13[.]66[.]19 4
172[.]217[.]2[.]98 4
2[.]57[.]90[.]16 4
81[.]171[.]10[.]216 4
104[.]16[.]87[.]26 3
172[.]217[.]15[.]98 3
139[.]45[.]197[.]77 3
54[.]152[.]94[.]42 3
139[.]45[.]195[.]173 3
162[.]159[.]135[.]232/31 3
99[.]86[.]230[.]76 2
104[.]16[.]88[.]26 2
162[.]159[.]129[.]233 2
172[.]217[.]7[.]162 2
172[.]217[.]13[.]234 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
fonts[.]gstatic[.]com 6
maxcdn[.]bootstrapcdn[.]com 5
googleads[.]g[.]doubleclick[.]net 5
pagead2[.]googlesyndication[.]com 5
www[.]blogger[.]com 5
ajax[.]googleapis[.]com 5
connect[.]facebook[.]net 5
www[.]googletagservices[.]com 5
resources[.]blogblog[.]com 5
s10[.]histats[.]com 5
2[.]bp[.]blogspot[.]com 5
i[.]imgur[.]com 5
static[.]doubleclick[.]net 5
discordapp[.]com 5
t[.]dtscout[.]com 5
pd[.]sharethis[.]com 5
e[.]dtscout[.]com 5
s4[.]histats[.]com 5
cdn[.]tynt[.]com 5
get[.]s-onetag[.]com 5
reevaipi[.]com 5
native[.]propellerclick[.]com 5
deloplen[.]com 5
discord[.]com 5
www[.]vnhax[.]net 5
*See JSON for more IOCs
Files and or directories created Occurrences
\Users\Admin 11
\Users\Admin\AppData 11
\Users\Admin\AppData\Local 11
\Users\Admin\AppData\Local\Temp 11
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\mysql.data.dll 6
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4 6
\Users\Admin\AppData\Local\Temp\mysql.data.dll 5
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\SetupZ.exe 2
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\Setup306.exe 1
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\Setup304.exe 1
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\Setupdego.exe 1
\Users\Admin\AppData\Local\Temp\4gfdGFsf78fds4\Setup305.exe 1
\Users\Admin\AppData\Local\Temp\Setup297.exe 1
\Users\Admin\AppData\Local\Temp\Setup298.exe 1
\Users\Admin\AppData\Local\Temp\Setup299.exe 1
\Users\Admin\AppData\Local\Temp\Setup291.exe 1
\Users\Admin\AppData\Local\Temp\Setup290.exe 1

File Hashes

123ff092bf52da9bc166f93ce39967d251b1205771ea2b07e48e7d37ccdadaf7 3202f116e3fb754b9123569007cd45c5c182a0da95b129f0ee6648ad576db125 4cce5e70cea8212db05ee2e6f821fe03afd5d1cd49aef6c0fd84c1a2fb02b761 72ad941f3d1a1bf8f766467fe7b4651856a47b32dbec38f034da4c66edcb5233 ae985046e04615ea59db075856eaa04e5bf5fad0da8f26218e007ee63d831227 af6679f00435312d785bcb56f7a556bc6c0a6988165571d2a6d2de261fdc07fc e07db1e4114846a12f014bce39d706e060c1c4eb25f641e16055f10634e1a3e2 f6d54ccbe35f078b4ad2483a74532fecfcebbe338c170050927c31aaa8a773f3 f7d63f46325aa3c17d8f0e893159676b3143a58522be3a1d657691f12338ae13 fce43478c068c0fa078e4c906092d83ea36504fb59a6d101a218d932092eab92 fcec1361c8cc996ff8fa339e9d82ba027c1b171e3d8f24314a46370afd7498b1

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


Malware


MITRE ATT&CK




Win.Trojan.CyberGate-9370803-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU
11
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN 10
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
10
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: Policies
10
<HKCU>\SOFTWARE\REMOTE
Value Name: NewIdentification
7
<HKCU>\SOFTWARE\REMOTE
Value Name: NewGroup
7
<HKCU>\SOFTWARE\REMOTE 7
<HKCU>\SOFTWARE\REMOTE
Value Name: FirstExecution
7
<HKCU>\SOFTWARE\CONFIGS 5
<HKCU>\SOFTWARE\CONFIGS
Value Name: MyConfigs
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{D1KTD4HJ-5T1H-DCTI-3667-MD8SRPE8T4SB} 5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{D1KTD4HJ-5T1H-DCTI-3667-MD8SRPE8T4SB}
Value Name: StubPath
5
<HKCU>\SOFTWARE\CONFIGS
Value Name: InstalledServer
5
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{C3SJI10F-238X-165D-NNOQ-8D558141Y27M} 4
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{C3SJI10F-238X-165D-NNOQ-8D558141Y27M}
Value Name: StubPath
4
<HKCU>\SOFTWARE\TEST TEST 3
<HKCU>\SOFTWARE\TEST TEST
Value Name: FirstExecution
3
<HKCU>\SOFTWARE\TEST TEST
Value Name: NewIdentification
3
<HKCU>\SOFTWARE\TEST TEST
Value Name: NewGroup
3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{AGRJN71I-WGW1-3347-3M2P-5EO85X8U8T50} 3
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{AGRJN71I-WGW1-3347-3M2P-5EO85X8U8T50}
Value Name: StubPath
3
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: Babylon RAT
1
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{448WCTSI-C1V3-W61T-2HR1-12OXXKJ11N7D} 1
Mutexes Occurrences
xXx_key_xXx 10
<random, matching '[A-Z0-9]{14}'>_SAIR 10
<random, matching '[A-Z0-9]{14}'> 6
4A11UU20D6464T 4
4A11UU20D6464TAdministrator15 4
4A11UU20D6464T_RESTART 4
--((Tutex))-- 3
XTREMEPERSIST 3
S743LT3713B31K_RESTART 3
Administrator5 1
35148ca6-1c0b-4530-98d2-587f379376a6 1
3IFVB66N7W1OXSAdministrator15 1
3IFVB66N7W1OXS_RESTART 1
3a456814-3b81-422a-9068-7b88c37f90a5 1
4K15GYSBND31IKAdministrator15 1
4K15GYSBND31IK_RESTART 1
R48G012M5XEAQOAdministrator15 1
R48G012M5XEAQO_RESTART 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
111[.]255[.]149[.]181 3
204[.]79[.]197[.]200 1
205[.]185[.]216[.]10 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
aminexd[.]no-ip[.]biz 5
googlechrom2e[.]linkpc[.]net 3
no-ip1414[.]ddns[.]net 3
hatancoool[.]no-ip[.]biz 1
cds[.]d2s7q6s2[.]hwcdn[.]net 1
ctldl[.]windowsupdate[.]com 1
t7l[.]no-ip[.]biz 1
xes[.]redirectme[.]net 1
Files and or directories created Occurrences
%TEMP%\Administrator7 10
%TEMP%\Administrator8 10
%TEMP%\Administrator2.txt 10
%APPDATA%\98B68E3C 10
%APPDATA%\98B68E3C\ak.tmp 10
%APPDATA%\Administrator-wchelper.dll 10
\default.html 10
%SystemRoot%\SysWOW64\install 5
%ProgramFiles(x86)%\InstallDir 5
%ProgramFiles(x86)%\InstallDir\MSBuild.exe 5
%SystemRoot%\SysWOW64\install\system.exe 5
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\system.exe 3
%ProgramFiles%\InstallDir\MSBuild.exe 3
%SystemRoot%\SysWOW64\Test 3
%SystemRoot%\SysWOW64\Test\Test.exe 3
%APPDATA%\ConfigsEx 2
\install 1
\install\server.exe 1
%ProgramData%\Babylon RAT 1
%ProgramData%\Babylon RAT\client.exe 1
%ProgramFiles(x86)%\install3d 1
%ProgramFiles(x86)%\install3d\dx3d.exe 1
%ProgramFiles%\install3d\dx3d.exe 1
%APPDATA%\4D9A7C89\ak.tmp 1

File Hashes

043ffc741a50ad91d27ea60deeb67dcf78b22354cd84b4ae1a369858561194af 13ea52a723bfcd19ea04fa6fafb71fb57df751912dd1ce57d925cdd3f029182b 18afaa9b927afc9963fd11209f3955dbdf4bc587c8accc7819924dec8f0861ec 1bea2456cf27d6f66273817e01604a864799e91b621443364ec826075e814236 3935e79d29b1fe8b1a86cd7a514df1e2185ccb51e5c13866b30a3a42c6bb6388 49a7f0661dd828694eed57686474a6850db5713769a981c6a25fa066bc5ddb82 4a0bad27b7a5c0f7675e19ee99ed93d9c399f2793fa599e1d760f450c2f52f0e 64f9d19547e60c6b2b4d23878222c7637cc054cf7d5297abe6d8631bc6eb26e8 72843528a1b5db576290edffb9bb4e990f8124c366c94092d5730a1569a38f5a 729891cc31c545c26243c320b334572408488c30fa0d730e97760e57b5aeffa6 752937377a6e66022f1ff5a48a2304230b11c6920dae1ddee86da0084738bdd2 8a4c5972b69727f8d00901974a381d5c2ba7180eb93d9ae86a0f20de9490ff10 8e4216841bc104588a04e7c6c3444509bd98244a639d89b8cd13feb99f0ec956 8eb8ae74cec7d8a05e84e9dc9cabf051bb526d47716272b410f39106adcd8268 940b45fd7858d3a9bb8d3babdf85e825adac5985057b696108e17edc5ee9b6a6 9e9a16f38b89735433e2d8c0543b3a20ed5e064873415e8969c6f682660de0f7 c44097fce477ba8e84cb3eb9d7301f6cbdd8b0651bf1f3dcc8164baac9857f82 cf394ed374611f9d9207743abd07ff6f3676d1337538e3c197deebe03af33faf f9e59b2101c2d97f9c71450e2ab442f405a0af994c2115c01f45ecd9c047ca99

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Kuluoz-9310433-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 251 samples
Registry Keys Occurrences
<HKCU>\SOFTWARE\<random, matching '[a-zA-Z0-9]{5,9}'> 251
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ktnngrhi
1
<HKCU>\SOFTWARE\AFPVLKBX
Value Name: wqfvjekn
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dhbdbqkm
1
<HKCU>\SOFTWARE\NVGDKCIE
Value Name: aixcmjic
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: awtxppgq
1
<HKCU>\SOFTWARE\QVKWDHEO
Value Name: hlcqewda
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: kxetxhpf
1
<HKCU>\SOFTWARE\VXJDXQHP
Value Name: aevlkpnr
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: vxcadfvb
1
<HKCU>\SOFTWARE\XQUWCRAK
Value Name: httjpfmg
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: goqmmidb
1
<HKCU>\SOFTWARE\BCJDMFGU
Value Name: jfgjlgsx
1
<HKCU>\SOFTWARE\WQDLORIR
Value Name: riqhalbw
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: tgpvkoeq
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: lcxracpm
1
<HKCU>\SOFTWARE\DNCUXKVD
Value Name: idihuusf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: crnlsmxc
1
<HKCU>\SOFTWARE\MHNMFJSQ
Value Name: nmglgctd
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: hgwdhikv
1
<HKCU>\SOFTWARE\DUOMXSJX
Value Name: pbgmgape
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: smqhikok
1
<HKCU>\SOFTWARE\MIULKTUB
Value Name: lwwhxkdf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: ftgwmqrt
1
<HKCU>\SOFTWARE\ITSQCGGV
Value Name: hvlkuhmh
1
Mutexes Occurrences
aaAdministrator 251
abAdministrator 251
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
70[.]32[.]100[.]120 177
133[.]242[.]54[.]221 175
162[.]255[.]86[.]196 174
94[.]23[.]33[.]107 171
109[.]234[.]156[.]84 165
208[.]81[.]237[.]99 159
93[.]189[.]94[.]42 151
104[.]23[.]99[.]190 1
104[.]28[.]9[.]92 1
Files and or directories created Occurrences
%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe 251

File Hashes

00c094133bda1c663739b7f309e16a499626aa9fc79900ef4e1c289a81c59d4a 04fa71fffcf84af36ff01c2523770cf441fcaa2aaffa0e75af11992c77c69cd7 0775cc6eed185845bb5b4355d506005cd596ba64c650fca92742ad6edc3dfebf 07a573fd62af9d41afee10daa2b8d31fb5aa5a8efc564dbf25afb6a94f7e40a6 0da0371e8a46091b790515e99876561716f19eadc5e8bc0f7d205e80e93e54ac 10324357734645053b854c5a2e9a7a5c3e315c0c3355777d9742b919631eebe9 1130a96175167018e2cba80a72b688a1c931c9b3073fbb91210f6a87ba614806 147d7f3d3e7e8b51319db717cca66a7b3b903f81af9ef56fad7577a8571768a4 14f48c19f2bd957af3600a1ce427a257472673879e666bc0e474d88d64583191 150e3525f3d186bf0df42f725a7604783322c81901234649c2e3c39bc803c621 1818187e3dfe3db9cd3e9dd20c71d42ddc716d64786b3ea68899ae9706b75e6a 1b77610983e6b31da63b779502b840befe299f6bd78eb2c3b3692243489ea340 1c21a90dd070377755636feab85feac008f6fcd4e4e1e07eb9791c77eb4ed6ae 1c49fc3892a80301ff74a3de7055b8bf91a2d6ad4df07843dc225b9991b43201 1dc1fa158b52c3bdc652b974e95444c539c0e8cf4d3fdc2f4dae53081abad6a6 1e6176d10f128d91c987d081a3c36674c4012050b0da017e71a9b88b47cc8c49 1eac7da8c586731156272dbcabb8bdfd3e6fc628671391963bf64562e6aa9cbd 2361743ca09bf97c6d908f4ccfa34f6500656b942183e43c2aac27ee0eaccd1f 249db9fc7bdb9dd47dc4f2b91980a6dc359ce7b4efd4e5a84ee75d74791be438 24ca227a04c8efefa6a034d2a8fb8fdd22575f3e9a2b4a950cebabbde9932c41 24efcb00d32e59c7aa39dc0ce3afbd39bd256c296505e1d0d9b889a383bbeea5 24f1e391d9900d058dae9ee94d17922d436c80f0b75af33e57c234e448874059 26746ee78eed1ad445250fba7f14757deac500fde6ba883803269f421f6fd787 26c953fbe991916ee8e862a46cee653e62bd5823b36c72f45d3d1bd7ed3a091b 275513fdf1776a887b4fc6ae0e8d0db2ec655f71626cd73411c80cdabed696a3
*See JSON for more IOCs

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Packed.Dridex-9379120-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples
Registry Keys Occurrences
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value Name: trkcore
18
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: DisableTaskMgr
18
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0
Value Name: CheckSetting
18
Mutexes Occurrences
27ll78h0lw 1
SbjQOmEBCG 1
tEgAzuv5Md 1
iXv6vsTBxq 1
pojM8NBO8e 1
dL9gUaCqd4 1
ZSjKWmNh1R 1
GE5e9v1dXx 1
VoxoGaXhBz 1
Q9NHDplhag 1
u7ztcpaBkf 1
YkB4G9MABT 1
SBABIEZ1Qh 1
yOGj2Ek5iZ 1
8hruYGN9lP 1
vGbdNwPNF5 1
IG9cROUS47 1
tjfxQac5Wm 1
aEFtckMWOf 1
anukaSMwwo 1
fvBAm1zPBv 1
iiVpfNxN6B 1
LpyLk2PBoH 1
c15qMk86gJ 1
Cs3Ov37wOK 1
*See JSON for more IOCs
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
172[.]217[.]7[.]238 18
104[.]23[.]99[.]190 12
104[.]23[.]98[.]190 9
172[.]217[.]197[.]100/31 8
72[.]21[.]81[.]240 6
172[.]217[.]197[.]102 5
172[.]217[.]197[.]138 4
23[.]3[.]13[.]154 3
172[.]217[.]197[.]113 1
23[.]3[.]13[.]88 1
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
pastebin[.]com 18
ctldl[.]windowsupdate[.]com 10
cs11[.]wpc[.]v0cdn[.]net 6
a767[.]dscg3[.]akamai[.]net 4
www[.]dvulwwbkii[.]com 1
www[.]mwgbwhofk2[.]com 1
www[.]nhrry1xnyb[.]com 1
www[.]6bwxeoacgn[.]com 1
www[.]hayhmse6t6[.]com 1
www[.]e9wgrblquh[.]com 1
www[.]i5fnvdeomp[.]com 1
www[.]mumn8fnnqq[.]com 1
www[.]oyutdttpeb[.]com 1
www[.]6why1sz2se[.]com 1
www[.]btchfh3tfr[.]com 1
www[.]9lhaps1wu2[.]com 1
www[.]18ny7rrtyt[.]com 1
www[.]hcg3bau1sv[.]com 1
www[.]e3jwezioip[.]com 1
www[.]gdbm7bvxya[.]com 1
www[.]1wu55b5pua[.]com 1
www[.]7wjak5mb8f[.]com 1
www[.]fqa2nwjdws[.]com 1
www[.]molnu9ypiw[.]com 1
www[.]yirebpgi48[.]com 1
*See JSON for more IOCs
Files and or directories created Occurrences
<malware cwd>\old_<malware exe name> (copy) 18

File Hashes

0043a6dc53363b611736fe13bfe46b137fc85e5847ab99a36a62097a16f98f58 10a95840be4b03f482755b3d11b970cf733a2fe227c3499ada80d04a72ce361a 187ec034a8439d687bb22cdbd7c9563239d3bd5c1ef384f581e136cc0152076f 214fa3dc8400e1724e5ef97f88b47df7fb517656ceda0c936cac1d9f073f7d47 2aa0c5a8eb082626ef493b9dee84e10f4183b50af01d3d729211b6f6adeb683d 305f0c984d461ad496bad20faf268d8aea590e785a1676fed6079271c16310ba 34d405765cbe1349878df80a52379681a938d60d03dbea8b36e90b60c0c1ce0c 3bf41e66f1489126397f33618b7f4322f3ee4fb8150c76c5ff4f41080db6e3b7 475fb647cc09017421cbf1e4949e3f327875a875629de906a65314bc1f527035 678c0c914a9d8f2b61cd7edc3ab6c5961a2eee1ff5bead6a1416fb21c87656c8 70b966ce0ee5fd36eb434abd5e71dd0cecd37cd35d27661f40adfd195de427d7 74c1602930d69fd7f7709fb3f36d7f33d08b338c079d6e7e9c08b042f53406b3 823a0a93e05bc87d564d6d9b7e6e01f32336e39a22532b4b0fbc6fa367eeda7f 9387bae0e98a682b8395d3dc23fe1e209a9dbcd0c3564888c57629af3acbe966 acc6a88231cae802d23111963b4ab20ef0f1080fc8b521f28a6fc5c4c4846b64 bf0291fec48305573567f5c66ab60ab0c763d911c85772c3635dc38100a94fa6 da9569fb898545a0c518b6350b638e1c99e97a815c6bc8c0cdd84935d661e952 fcdebfcc071390f2450e4619fad80de84ebe6767a78a23d9c41f9247dd8782ae

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella N/A
WSA N/A

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Win.Dropper.Tofsee-9368705-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 17 samples
Registry Keys Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\INSTANCES 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\INSTANCES\WINMONFS 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMON\SECURITY 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONFS\SECURITY 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINMONPROCESSMONITOR\SECURITY 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER\SECURITY 7
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFENDER
Value Name: DisplayName
7
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PROCESSES
Value Name: d12c99f7af77.exe
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: DistributorID
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: CampaignID
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: SB
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PatchTime
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: PGDSE
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984 7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: Firewall
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: Defender
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: FirstInstallDate
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: ServiceVersion
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: SC
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: VC
7
<HKCU>\SOFTWARE\MICROSOFT\A1890984
Value Name: ServersVersion
7
Mutexes Occurrences
Global\SetupLog 7
Global\WdsSetupLogInit 7
Global\h48yorbq6rm87zot 7
Global\Mp6c3Ygukx29GbDk 7
Global\ewzy5hgt3x5sof4v 7
Global\xmrigMUTEX31337 7
WininetConnectionMutex 7
25ba6ebb3e470993540ebc62e98a51e2 7
Global\25ba6ebb3e470993540ebc62e98a51e2 7
Global\b7c341015338340fc8cc5c21e0473579 7
b7c341015338340fc8cc5c21e0473579 7
d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963} 2
dfthorbnjAdministrator 2
dfthorbnj ' w 2
24e2b309-1719-4436-b195-573e7cb0f5b1{e161a13c-26f1-11e5-93ca-806e6f6e6963} 2
Global\{BEF590BE-11A6-442A-A85B-656C1081E04C} 1
(null)\69884752-95BE-4032-8AF1-B300F0E2CB97-Mutex 1
Global\syncronize_036DPFA 1
Global\syncronize_036DPFU 1
cnuk 1
qwuw 1
maron 1
Global\c54ff441-e0c5-11ea-887e-00501e3ae7b6 1
lmbmg 1
IP Addresses contacted by malware. Does not indicate maliciousness Occurrences
204[.]79[.]197[.]219 7
104[.]214[.]40[.]16 7
104[.]27[.]134[.]78 4
172[.]67[.]177[.]188 4
104[.]31[.]77[.]84 3
104[.]31[.]76[.]84 3
104[.]24[.]107[.]99 3
104[.]24[.]106[.]99 3
239[.]255[.]255[.]250 2
69[.]31[.]136[.]5 2
66[.]218[.]84[.]137 2
43[.]231[.]4[.]7 2
157[.]240[.]18[.]174 2
69[.]55[.]5[.]252 2
37[.]28[.]155[.]134 2
85[.]114[.]134[.]88 2
98[.]136[.]96[.]92 2
208[.]95[.]112[.]1 2
217[.]172[.]179[.]54 2
5[.]9[.]72[.]48 2
130[.]0[.]232[.]208 2
144[.]76[.]108[.]82 2
185[.]253[.]217[.]20 2
128[.]116[.]114[.]3 2
45[.]90[.]34[.]87 2
*See JSON for more IOCs
Domain Names contacted by malware. Does not indicate maliciousness Occurrences
vsblobprodscussu5shard60[.]blob[.]core[.]windows[.]net 7
vsblobprodscussu5shard35[.]blob[.]core[.]windows[.]net 7
gfixprice[.]space 7
dealbigdata[.]com 7
schema[.]org 2
ip-api[.]com 2
microsoft-com[.]mail[.]protection[.]outlook[.]com 2
ok 2
www[.]roblox[.]com 2
252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org 2
252[.]5[.]55[.]69[.]in-addr[.]arpa 2
252[.]5[.]55[.]69[.]bl[.]spamcop[.]net 2
252[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org 2
252[.]5[.]55[.]69[.]cbl[.]abuseat[.]org 2
252[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net 2
api[.]sendspace[.]com 2
auth[.]roblox[.]com 2
telete[.]in 2
apxover[.]cn 2
burusonol[.]com 2
120[.]151[.]167[.]12[.]in-addr[.]arpa 1
www[.]google[.]co[.]jp 1
api[.]anti-captcha[.]com 1
ext[.]captcha[.]yandex[.]net 1
prod-rotation-v2[.]guce[.]aws[.]oath[.]cloud 1
*See JSON for more IOCs
Files and or directories created Occurrences
%SystemRoot%\Logs\CBS\CBS.log 7
%SystemRoot%\rss 7
%SystemRoot%\rss\csrss.exe 7
%TEMP%\csrss 7
%TEMP%\csrss\dsefix.exe 7
%TEMP%\csrss\patch.exe 7
%System32%\drivers\Winmon.sys 7
%System32%\drivers\WinmonFS.sys 7
%System32%\drivers\WinmonProcessMonitor.sys 7
%SystemRoot%\windefender.exe 7
%TEMP%\Symbols 7
%TEMP%\Symbols\ntkrnlmp.pdb 7
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02 7
%TEMP%\Symbols\ntkrnlmp.pdb\9E22A5947A15489895CE716436B45BE02\download.error 7
%TEMP%\Symbols\pingme.txt 7
%TEMP%\Symbols\winload_prod.pdb 7
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361 7
%TEMP%\Symbols\winload_prod.pdb\B7B16B17E078406E806A050C8BEE2E361\download.error 7
%TEMP%\dbghelp.dll 7
%TEMP%\ntkrnlmp.exe 7
%TEMP%\osloader.exe 7
%TEMP%\symsrv.dll 7
%TEMP%\csrss\DBG0.tmp 7
%System32%\Tasks\ScheduledUpdate 7
%System32%\Tasks\csrss 7
*See JSON for more IOCs

File Hashes

052c892a0c059712e97027a15df3fc0817c2b257561e2bcd1ab78fa6fab08dce 0c001ea7b1816cc982ee25ca2ede743bd46855b0d1bf3af7649df6260c6019d1 13df5d98c94e2e7c09076c490e37baa9453f36bf10c22e7c4a6773bacfbe18da 215e76df8cd1d086ba96390f71c2af53e6e3e50e41d46c61591ae4357f98fe72 21bff3580594fee48f18793609e3475f1b41a41677dcad2b1505009042f365bd 28cda348381eab1a139e7003f6a97bf67fcb029e448b354e15acd9989476535c 2ea6667055f51ef018672eb47e9517e2159f9e58ba0ed7a8596dba65f752e073 4ae4d596f8089441b15fb38d40808fbe1ba44c00b0a05be7034ee16d01931796 50e0772647af783515932ad4a44b80ca946ea1770265016266619ed167b9cce8 59aaf3ed519633a62d2acea1fc54410b078e4255fc89ad54819972969f586dae 63480f0572247df4f267aa39f8bf9f6941395ca4f969219f35064ec13aebf3aa 695d9d2c3566d447996678b57b47f887f418f699dc14903f620c6c22c15352fb 703ccc3a41bde909492df39832d92b313c699a1dd8557b87df472a89406fabad 7eba1d422c2a62e547466293d743f312eb774e2fdad113f3b2b764151ea4a2e6 a8ff495ffea3021673f7c6b77aacea172702156523338bd12f447736dc687a3d c6a56565168fa4ca263c74fa4062d17977eb48c3e3269c650ad860f98160d72f c9fc5c135b5e8ab06f807d44ad58c3f3e27335dae739a235e27c8b236b59de9d

Coverage

Product Protection
AMP This has coverage
Cloudlock N/A
CWS This has coverage
Email Security This has coverage
Network Security N/A
Stealthwatch N/A
Stealthwatch Cloud N/A
Threat Grid This has coverage
Umbrella This has coverage
WSA This has coverage

Screenshots of Detection

AMP


ThreatGrid


MITRE ATT&CK




Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Dealply adware detected - (6458)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
CVE-2019-0708 detected - (2105)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Process hollowing detected - (1298)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
Crystalbit-Apple DLL double hijack detected - (656)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a dll double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and in some cases spyware deployment.
Excessively long PowerShell command detected - (596)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Squiblydoo application whitelist bypass attempt detected. - (544)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker controlled server.
Installcore adware detected - (251)
Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (118)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected - (75)
Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Maze ransomware detected - (58)
Maze ransomware has been detected injecting into rundll32.exe or regsvr32.exe. Maze can encrypt files on the victim and demand a ransom. It can also exfiltrate data back to the attacker prior to encryption.

No comments:

Post a Comment