Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 21 and Aug. 27. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
The most prevalent threats highlighted in this roundup are:
| Threat Name | Type | Description |
|---|---|---|
| Doc.Downloader.Emotet-9412146-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. |
| Win.Packed.Chthonic-9405917-1 | Packed | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. |
| Win.Trojan.Bublik-9406364-1 | Trojan | Bublik is a downloader that targets Windows hosts. Although it's primarily used as malware to distribute various banking trojans, it's also capable of extracting and exfiltrating sensitive information from the host. |
| Doc.Downloader.Sagent-9431315-0 | Downloader | Sagent downloads and executes a binary using PowerShell from a MS Word document. |
| Win.Trojan.ZeroAccess-9406344-1 | Trojan | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine, and serves as a platform for conducting click fraud campaigns. |
| Win.Packed.CyberGate-9446722-1 | Packed | CyberGate, also known as Rebhip, is a remote access trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. |
| Win.Adware.Dealply-9476483-0 | Adware | DealPly is an adware program that installs an add-on for web browsers and displays malicious ads. |
| Win.Trojan.Gh0stRAT-9455238-0 | Trojan | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. |
| Win.Ransomware.Cerber-9408183-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns other file extensions are used. |
Threat Breakdown

Doc.Downloader.Emotet-9412146-0

Indicators of Compromise

IOCs collected from dynamic analysis of 16 samples

Registry Keys

IP Addresses contacted by malware. Does not indicate maliciousness

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| abcofcricket[.]com | 16 |
| reliancectg[.]com | 16 |
| e13678[.]dspb[.]akamaiedge[.]net | 5 |

Files and or directories created

File Hashes

Coverage

| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |

Screenshots of Detection: AMP, ThreatGrid, Malware

MITRE ATT&CK

Win.Packed.Chthonic-9405917-1

Indicators of Compromise

IOCs collected from dynamic analysis of 17 samples

Registry Keys

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

| Files and or directories created | Occurrences |
|---|---|
| %ProgramData%\msodtyzm.exe | 17 |
| %ProgramData%\~ | 17 |

File Hashes

Coverage

| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |

Screenshots of Detection: AMP, ThreatGrid

MITRE ATT&CK

Win.Trojan.Bublik-9406364-1

Indicators of Compromise

IOCs collected from dynamic analysis of 26 samples

Registry Keys

| Mutexes | Occurrences |
|---|---|
| muipcdraotse | 24 |
| S3xY! | 16 |
| V8x | 8 |

| IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| 143[.]248[.]35[.]28 | 24 |

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |

Screenshots of Detection: AMP, ThreatGrid

MITRE ATT&CK

Doc.Downloader.Sagent-9431315-0

Indicators of Compromise

IOCs collected from dynamic analysis of 48 samples

Registry Keys

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

Files and or directories created

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | N/A |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | |
| WSA | |

Screenshots of Detection: AMP, ThreatGrid, Malware

MITRE ATT&CK

Win.Trojan.ZeroAccess-9406344-1

Indicators of Compromise

IOCs collected from dynamic analysis of 33 samples

Registry Keys

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

| Domain Names contacted by malware. Does not indicate maliciousness | Occurrences |
|---|---|
| j[.]maxmind[.]com | 33 |

Files and or directories created

File Hashes

*See JSON for more IOCs

Coverage

| Product | Protection |
|---|---|
| AMP | |
| Cloudlock | N/A |
| CWS | |
| Email Security | |
| Network Security | |
| Stealthwatch | N/A |
| Stealthwatch Cloud | N/A |
| Threat Grid | |
| Umbrella | N/A |
| WSA | N/A |

Screenshots of Detection: AMP, ThreatGrid

MITRE ATT&CK

Win.Packed.CyberGate-9446722-1

Indicators of Compromise

IOCs collected from dynamic analysis of 129 samples

Registry Keys

Mutexes

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs
Coverage (Product: Protection)
AMP
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection: AMP, ThreatGrid, Umbrella
MITRE ATT&CK

Win.Adware.Dealply-9476483-0
Indicators of Compromise
IOCs collected from dynamic analysis of 15 samples

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
13[.]248[.]196[.]204 | 15
204[.]79[.]197[.]200 | 3

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
info[.]opensubcdn[.]com | 15
rp[.]opensubcdn[.]com | 15
Files and or directories created
*See JSON for more IOCs
File Hashes
Coverage (Product: Protection)
AMP
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid
Umbrella
WSA
Screenshots of Detection: AMP, ThreatGrid, Malware
MITRE ATT&CK

Win.Trojan.Gh0stRAT-9455238-0
Indicators of Compromise
IOCs collected from dynamic analysis of 25 samples

Registry Keys | Occurrences
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE (Value Name: NextAtJobId) | 25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN (Value Name: FBBFD190) | 25

Mutexes | Occurrences
lsw8.q9p6.com:2555127.0.0.1:2012127.0.0.1:2012 | 25

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
lsw8[.]q9p6[.]com | 25
Files and or directories created
*See JSON for more IOCs
File Hashes
*See JSON for more IOCs
Coverage (Product: Protection)
AMP
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid
Umbrella: N/A
WSA: N/A
Screenshots of Detection: AMP, ThreatGrid
MITRE ATT&CK

Win.Ransomware.Cerber-9408183-0
Indicators of Compromise
IOCs collected from dynamic analysis of 26 samples

Mutexes | Occurrences
shell.{381828AA-8B28-3374-1B67-35680555C5EF} | 26
shell.{<random GUID>} | 23

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
31[.]184[.]234[.]0/25 | 26
216[.]218[.]206[.]69 | 1
Files and or directories created
File Hashes
*See JSON for more IOCs
Coverage (Product: Protection)
AMP
Cloudlock: N/A
CWS
Email Security
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Threat Grid
Umbrella: N/A
WSA: N/A
Screenshots of Detection: AMP, ThreatGrid
MITRE ATT&CK

Exploit Prevention
Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.
Dealply adware detected - (8610)
DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
Process hollowing detected - (2230)
Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
CVE-2019-0708 detected - (2148)
An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Crystalbit-Apple DLL double hijack detected - (1162)
Crystalbit-Apple DLL double hijack was detected. During this attack, the adversary abuses two legitimate vendor applications, such as CrystalBit and Apple, as part of a DLL double hijack attack chain that starts with a fraudulent software bundle and eventually leads to a persistent miner and, in some cases, spyware deployment.
Excessively long PowerShell command detected - (851)
A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
Squiblydoo application whitelist bypass attempt detected. - (713)
An attempt to bypass application whitelisting via the "Squiblydoo" technique has been detected. This typically involves using regsvr32.exe to execute script content hosted on an attacker-controlled server.
Malware dropper detected - (493)
A malware dropper has been detected. A dropper will download or unpack additional malware during its execution. A variety of techniques can be employed for the payload to gain persistence and escalate privilege if necessary.
Installcore adware detected - (380)
Installcore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
Kovter injection detected - (239)
A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
Smoke Loader detected - (87)
Smoke Loader has been detected. Smoke Loader is used mainly to execute other malicious software, like ransomware or cryptocurrency miners. Its initial infection vector is usually an email with a malicious Microsoft Word document, or delivery through an exploit kit. Smoke Loader uses various plugins designed to steal data from its victims, particularly credentials stored on the system or transferred over HTTP, HTTPS, FTP, SMTP, POP3 or IMAP.