Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 31 and April 7. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your FireSIGHT Management Center, Snort.org, or ClamAV.net.
This week's most prevalent threats are:
- Js.Downloader.Nemucod-6198135-0
Script-based malware downloader
Nemucod is a popular script-based downloader, often resulting in drops for Locky & Cerber. This latest variant consists of ~30-50 lines of minimized scripting code, relying on obfuscation & requests to several domains (most of which are in plaintext). - Doc.Trojan.CommentObfuscation
Macro Obfuscation Technique - Heuristic chaff
This obfuscation technique utilizes macro comments to inject data, characters, words, etc. into malicious office documents for the purposes of obscuring heuristic, static scanning. As an obfuscation technique, these droppers are being discovered delivering payloads of all sorts and sizes. - Win.Adware.Gator
Adware
Gator is common adware that is frequently bundled with ad-supported software. Gator can add toolbars to browsers, add links to the user's folders, and create popup advertisements. - Win.Worm.Allaple-6171102-0
Worm
The worm scans network subnets for connected machines. It will try to log on to machines with frequently-used credentials and copy itself to the C$ network share. The worm is polymorphic and changes its code when copying itself. - Win.Worm.Mamianune-6230992
Worm
Mamianune is an email spreading worm and file infector. It copies itself to the infected system at the %system% directory, and changes the registry to ensure persistence. It will try to spread itself through email to addresses found in files present in the system. It may also create files in the system with .htm extension. - Win.Trojan.VBEmailGen
Generic Trojan/Information stealer
This generic trojan is heavily polymorphic and it is written in Visual Basic. The main goal of this malware is to steal credentials. These credentials range from FTP logins to passwords stored in the browser. These samples perform injection and try to complicate the analysis with anti-vm and anti-debug tricks. - Doc.Dropper.Agent-6206825-0
Office VBA/PowerShell downloader/dropper
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute a secondary payload. - Doc.Macro.AliasFunc-6203108-0
Office Macro Obfuscation Heuristic
Office macro code is used to further compromise a target system. Macros can leverage external Win32 APIs to download files, write or modify files, connect to servers, etc. This signature looks for imported function that are aliased for malicious intents. - Doc.Macro.wScriptObfuscated-6203135-0
Office Macro
Office macros can provide functionality to download files, however, to accomplish this certain functionality it used. To prevent basic detection techniques macro developers obfuscate the way they create and access API required to perform certain actions. - Doc.Dropper.Agent-5932811-0
Marco
This sample is a Microsoft Word document that uses a macro to launch a PowerShell script to download and execute another executable payload. Unfortunately, this secondary payload was unavailable at the time of this execution report.
Js.Downloader.Nemucod-6198135-0
Indicators of Compromise Registry Keys
- HKEY_USERS\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
- HKEY_USERS\<USER>\shell\open\command
- HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\OSUpgrade Mutexes
- \BaseNamedObjects\Global\C278B16ED3FB49FB
- \BaseNamedObjects\FDDC561D84D621F8
- \BaseNamedObjects\shell.{18D0266F-2D74-3F5C-79BE-40E45584D13C}
- \BaseNamedObjects\18469BB796AF13B3 IP Addresses
- 62.113.208.114
- 37.140.192.161
- 195.29.89.23
- 195.141.45.95
- 86.109.170.121
- 78.40.108.228
- 109.234.161.38 Domain Names
- vip-charter[.]eu
- gipnart[.]ru
- zivogosce[.]com
- evro[.]ch
- fp[.]amusal[.]es
- applecitycareer[.]com
- horizons-meylan[.]com Files and or directories created
- %APPDATA%\d2f225f\045b126.356b036e
- %APPDATA%\d2f225f\8dcb019.bat
- %TEMP%\exe1.exe
- %SystemRoot%\system32\config\WindowsPowerShell.evt File Hashes
- a7d5a8786bef4bcdd5786e347277f84ff8c1da90ddea0a3c85ccb367aa22b630
- 59ffaa34c8445555a2b65e67f991870a04f17524e3023ceec338dcda7f33c99c
- 5ca09f901b1a0996e0aa8d027928503eb8ef107ae69eb7771b466706f7f3a27d
- c6a97bc59e99bd19ce5134df7469b770ca734a39e6e83ddfe8282be33928aeac
- dae57172401bb726a28c4317cefc475ebf662c62a04e60bb6da462a31f921fb7
Coverage

Screenshots of Detection AMP

ThreatGrid


Umbrella

Doc.Trojan.CommentObfuscation
Indicators of Compromise File Hashes
- 14f79bd9dd171ebe7ad96d0fb799bf7afd492a51f32a2bcb5594a84b2beb7ddf
- 3d14e2ae06a16db70e9d7d7495be830703d8f3da1aeebfadf2831782b479e726
- 5fd368dac325e282cc8fb2f70f0f003425881bc9615adc7ae23420996dbd4ece
- 94d92f9a7a0de39363089d243ac6249d66a8a803532821d8d260ccd9c86a2017
- 9a4957219e6f48262e54bc660c37d40d79ef98abfae95f8942e734fdb92ce6f9
- ae892ee8cfc3685d78182dfd6b31a6f7691e9892c727bf2016e4764f6ec3eb84
- cbf86eef9d0b22d28a46ba309172dca58f7c0d98986cba1ebd3fa47e4aaa0783
- Cf17ab33a117d24bf64a83f7604ed6e125e3a3c7c9e4a6af274058ee4d2bada3
Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Adware.Gator
Indicators of Compromise Registry Keys
- HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\Trickler
- HKLM\SOFTWARE\QWERTYUIO\TRICKLER\AppPath
- HKLM\SOFTWARE\QWERTYUIO\TRICKLER\OldTrickler
- HKLM\SOFTWARE\CLASSES\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} Mutexes
- N/A IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- C:\TEMP\<original_filename>.exe
- C:\TEMP\<original_filename>_3202[a-z].exe File Hashes
- 611497aab19c41edd874cc8a2749343ab266ca11c498cb2d149101f7ae4efa4c
- 52cd00a58dde64c67971d7c88fdb486a6bdfdecd158d3be3aac0cd7fe26a75be
- 531ad4d1eedb21e43a97223475d84e161e635ead793c67ec649d6b848699bd54
- f4785012bea82b1c843383f2a579644cbb2dd2929740f3f3e31890a016db4e07
- 6453bd44b7d459b9c3920f55f35dfe673d22b337332b8a6c60427c668d635723
- 34e667fc845cdfed918cf3e04a998ec4453a1162931e341a83a0fcb3cbb26cfe
- b672f6b44cd0a1482d63c20f5d1ed2bbbdb0764b5cfaff2526e062be4868973c
- b0667ceb4931e8174b08b01005082f725eae6853041b80d4dc4bb30f64200fc3
- 4b44d48de8f6f53a7a49fc83e210cdb82a6f2f6112c557e114eda00876e56198
- 35cf22dcf978e5e712962680153b6f6e824ee15de845f1e94abd2cc9ef9575d4
Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Worm.Allaple-6171102-0
Indicators of Compromise
Registry Keys
Creates class IDs which point to the malware binary. The CLSID varies, and points to the dropped worm binary
- HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}
- HKLM\Software\Classes\CLSID\{A18CE63E-6C47-00A5-8688-927B7EB5E2B5}\LocalServer32 Mutexes
- \BaseNamedObjects\jhdheruhfrthkgjhtjkghjk5trh
- \BaseNamedObjects\jhdheddfffffhjk5trh IP Addresses
- N/A Domain Names
- N/AFiles and or directories created
- C:\I386\COMPDATA\[a-z]{8}.exe
- C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\[a-z]{8}.exe
- C:\Program Files\Adobe\Reader 8.0\Reader\adobe_epic\eula\en_US\install.html
- C:\Program Files\Adobe\Reader 8.0\Reader\HowTo\ENU\WS[0-9A-F]{8}-[0-9A-F]{4}-[0-9a-f]{4}-[0-9A-F]{4}-[0-9A-F]{12}.html File Hashes
The worm is polymorphic and creates a new binary each time it copies itself to a new machine. The given hashes are just examples of worm binaries.
- 044020f369542e3ef8e6e3d1697904cdf9484c9382bae0e9a5e637056bada5b3
- 06d7258355f841ceb8ef0f444785eff6886fb16b5f60303c4321dfdd57b5debd
- 08bd26a0b0a1c4ae70fa72cf1efe6e0a1b908bc34e05f1b861c6aa3a3e1fec2c
- 3ea6d5f924fc9bd3dd55a97c62a8be2ef52142003a5ef298552a494ba7c837ea
- 4ca685cf021aa8c1fbd93f6bca7264a733f577cf86a0f1d132db179c4a45fa76
- 7a6facb36eab78bab5378f800ef44fa4fc955ed41de0eeafd8769dc968d96e9c
- 7fece8b506810686e2fe5ae34efa773b1abda48e3b175e3c4d5d957e6e8c4b55
- 8e5c4063c4b384b5e2e07035f69e66c16e93fe78cd4d2162dd092f118f83e6c4
- 926edb2df49ac87e7f57dc7283f57a2f2c0296817dc5332b7ba88142ae732127
- 9c0f09e6013af7e9fbaf847506b7e329f37923179447665f6c94340b2d269e79
- a4dd532c71f0f802c313f12e971349c8f06b273cfcf85458fe1d0f45a3a78a75
- b64e6c26a213a5bb955155e009c4fd31b697761e992fd040da98459611a0afef
- ba92b52950a1f41a4b00022bb119ff8f8680d67bd73c4971a83fc71cc045b1f7
- cba4e590a5dec97562c19c99337c31891558621d9e462ccf176831bc67e73601
- d87de7d2adc271d20dad6ccf8b606a3bba1a3dbbc1d32726bb2482d856e8bac4
- de0c9b69b5d20fa75813dfca45e6c9dc619c794e26785dca8e6cb810896ec20e
- e8617de08bd8da781992099073c7f7a5f8e682f63ed0ad7575fbc1903170887a
- eea5674aa53774cde05f098415a07761ad45d20fc5f1d143c04c1010f6239462
- f673c0be7d8a164cc49601746616aa784e3420202e94f1a56fc1a9c94cdea8da
- ff63a199a865ab203218523b1bbb90bac9f282bf1abbf9b3887411b6934dc2d9
Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Worm.Mamianune-6230992
Indicators of Compromise Registry Keys
- HKEY_USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Mutexes
- [a-z0-9]+ E.g.: jhdheruhfrthkgjhtjkghjk5trh Files and or directories created
- Will infect modify any executable found on the system.
- May create files on the system: [a-zA-Z0-9].htm File Hashes
- 08858fd01702c814b5524988ab8c0802c8c66990559bbb68081c592251b9a133
Coverage

Screenshots of Detection AMP

ThreatGrid

Win.Trojan.VBEmailGen
Indicators of Compromise
Registry Keys
- HKEY_USERS\Software\WinRAR\HWID
- HKEY_USERS\Software\WinRAR\Client Hash Mutexes
- N/A IP Addresses
- 192.3.140.114
- 192.3.140.121
- 62.108.34.122
- Numerous other IP addresses can be associated depending on the sample Domain Names
- slynny[.]usa[.]cc
- expresslimco[.]usa[.]cc
- limvat[.]usa[.]cc
- *[.]usa[.]cc Files and or directories created
- \samr File Hashes
- 024df78f71a7974a33611a17ce6e552c5c33c8bf9c63a2a3286260cb7024ecc2
- 0b949c2da04adb63a0b2b2ab879d55bd18e870a867b703e2c6d2099e44a4a1d6
- 126195829847422118cf942572388a6d57d29a1d4c4bdb61ddac6f9c41b829bd
- 1540943aa8da93cf72deb4d0b032696cf62fefd43d9e57266291583e99b4d62e
- 159f524d461df27925e0f6730a0f275d5751f2216932de120b3ddb4a0dc6a3e6
- 26a4396750bfe364c9843dcada3cccdd148667115b5b9606803e68b17bd7182c
- 27c393ba6411561f57342dc22ae4392b21292d4ed56e54f4aa2c486a1cfaf416
- 3e245c3e12d86e74a1a679ea41354a9c130de66f7cba27c68314f4ed1c9833c1
- 417438c96804eaa6748d90ddacea232600733c0fca293e2f8b18934425159c2d
- 43d87148fad6c0a9cc94019626670622889a95e6e12f4bec22a63ee2549f077c
- 54583a611eb881e755caf34379db0ab49030aa50c17a3eb4e09519a36740d61e
- 5a37dbecf825521597ec511ae03e854c8000c9b6220db8f10bf18415fa856a90
- 5e25b891306342a02c2d744381bb5429823430a8ad7297dd53a0b61feaf64e38
- 8153c480b72455c5e03f3e5322f603962f9d23532a849318c8a30a6f63a61d3c
- 83df6d5fdb6371d45c4ab2dd333fc7ab4b1c1a729926720006cc250355198fbc
- 86f5d1ff6049450eb53c9ba28cdf2ad26087def29e4f34f56f835390aca0058e
- b4ba641367f66c48859229c6039b6ebab89b21cd86ff4c169c4cfdc411663654
- c3f622584222c8a97614ab1b210bdbe3c67d21de6d51c1c583bd29e3ad0c30f9
- d2e07f91f7edb89707c1d314b69678b56aaf0edb4ab8d30047fad4d2b782332a
- df742a83513a3537b451d7cb8598398a6be849e0cb3ee886e7be59c69d12c780
- f6ba14b376c96abda2444fb555951674e4cb589b3943652e01c4fd44b1a2e71b
Coverage

Screenshots of Detection
AMP

Umbrella

ThreatGrid

Doc.Dropper.Agent-6206825-0
Indicators of Compromise
URLs
- /file/cet.ert?showforum=12.0 IP Addresses
- 62.109.7.232
- 185.163.45.27 Domain Names
- melodifix[.]pl
- newfaund[.]pl Files and or directories created
- %TEMP%\programming.dll
- %TEMP%\YarnMavin File Hashes
- Acb997996c74749f073a83ebb852e7396d546cd692f2590c78e5dbe40c86c725
- BB4D13340B82060A7F300A8408CA4533A51017318A5FBCBC40FA49E156367108
- B51701FCF002CFFCC361A7E111AFF2A19FD98E591DF61D1EC93C641CE5FA1CB1
- 003cc8bae434d0bf7dc3fae1d5b7dc35e66251540c0fbcc025ed6e9471b9756a
- 025976cfbf9192f813bb19b182aa7df5a578e6c55edb44be1b59d4529900cce0
- 02946a61761581336f31fdc8e933e577324395da77a104ab26badc50649efb23
- 039ba8310975624d55f1e85ed931fdbe44068af5101fc21a783acd97277179ab
- 04070452057f5262513b2d5cf0f5fdae34410d2531a966e8fd416a5edfff0e0f
- 09155ce0b9b9a6c49143c7aac3ec2c693b50a3b12e14b46a7c37f6d004165013
- 0c9af6f03f35d4d04a568c50f1c7813abbe862865c203934982a0f173304b4c4
- 0cb68591ab238da5e203a7cb1e0bbb9ebddfb3906e43194819ecb0d7039f54c0
- 0d6d5a2c9b06f986ea468e3df1602c307bb2478155c3566bd9421901ffc0c289
- 0e47674ac2dc230f8905be6446c077627fa5672dcf309d844580e14b87a3e42d
- 0fc621e81a188a89e269b4440b8c62ae5812ce7b658224fd45628a0c3a983b88
- 10508d5e47b50be2f15a8419a214c91e6516c604dceaba66a2d06a2334bf777a
- 14b45db836ff1c0d7e283d0ff824013d7a48c59d3805c20cf9a4c61106256fe4
- 155d7611a75392ead0d69df77ce4be4e72235dfd3c5e10b9bb850da5a57cbfc6
- 18224d2e924945aea1b73f89fe10e3c8e64dab1f50233e56fdb279fd172b010e
- 1b375ba7912e96821e9b5706a25f3a0411898f2cc3f9690b3e12fca84fac1e15
- 1bb1a1b58db0b6c9e0946b3ced3d576fd057c0365141968a43dec6c72d1d511a
- 1e303941e1b520d962080164ad54a75c0cf25aa53f80effb2891708869495bbd
- 1f8558ae8a8f11afa0e6bcb4b9a8bdc20e9b98efdc63f44e088802befebb570e
- 20a46289b115d2258dd9d0217729e8828664358a3c81653458fb17271a99f171
Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella


Malware Screenshot

Doc.Macro.AliasFunc-6203108-0
Indicators of Compromise
Registry Keys
- N/A Mutexes
- N/A IP Addresses
- N/A Domain Names
- N/A Files and or directories created
- N/A File Hashes
- 76683b6d9be9a5595f857f612919cd0e9fe58b24c8db977522c21eee4e7c612b
- 84ab92e565c0eadee1e2da2dd8c55d82b356330786acbd088d5eced779eaecf4
- eac422d2a54bab4305cc313fa8682f33715ecd5b3c03a7a82883dd19282100e7
- 5553e39dcd0d8b91e1b2a2829201e3b994457c7ffbcc6d2d8f87c860f2462877
- 485aaa99469550cdbb5542cd43cc0f5318017ada250c2fe7c8ba6e2d5d2693b0
- d26c4d26b044cd2f19fbf8b039c7c57328aa3e4ce12bc5c604ad9ff59512fc69
- 8f09461b86e819c67d138c44d2cc94287af56b691e96c5515853f0273a2daa08
- B4fc5bdb79eac839cb285ac7b3bbccd679e8e4776bde3947beb86d0c6ce07bf5
- 28eafbd69faed61103d8334d78a6f18512cf8fa5e61a08bb554fbd3bff6d5222
- fd0c2c8213e97cebf0b627627634db07cdc610f3f79bc9b0b239fa9b4a540b39
Coverage

Screenshots of Detection AMP

ThreatGrid

Malware Screenshot

Doc.Macro.wScriptObfuscated-6203135-0
Indicators of Compromise
Registry Keys
- N/A Mutexes
- N/A IP Addresses
- N/A Domain Names
- oceanshipforafrica[.]gdn Files and or directories created
- N/A File Hashes
- 2b0aca97ac42bca58ed6abdf81bab340825da442291bc15d1c5a22ee7e8b009f
- 7ddfffd8b5827d09f93e4ba9da2f3cfe965fe7e5fb8ec680856c12dc024b7827
- 7a72bad05f9d4bd653c131fcf800cd0ad21eb179597d398f2e49963ff86a0c4f
- 7ca81591a87ed9ac1d9b2a02a7a1a64394f52f138108b190db83a49b6db35d36
- 190496d6b2db946d2342ece0bd0d1addf20bb15234d07934c6ec55a52e7dcb0e
- 37a57d36516a29996282f1999bbd0d0184ebc82ed7975155345a93d7c0d26fb9
- a237af78f7b3e81d060d3d1ae6edf22706c8815c88cc1b93a1b0ee759897a54a
- 2feecb7d931b2d16af9a7ced7bbf7c08f91ea404dd6034c13040d814462ffc5d
- c60fad4b7ff90f58d3e1be3a9f3a3a75de82727520553e23c264208e0f51f248
- D1563a9faa9590dafc097936cef24b406359da72e2dd3accca7bf697732cdae8
Coverage

Screenshots of DetectionAMP

ThreatGrid

Umbrella

Doc.Dropper.Agent-5932811-0
Indicators of Compromise IP Addresses
- 5.154.191.172 Domain Names
- iuhd873[.]omniheart[.]pl File Hashes
- 02af015f85bca96b018e8ff7e9c0a2a7e32fc71ccc9620eb31063e8488fe6acf
Coverage

Screenshots of Detection AMP

ThreatGrid

Umbrella

Malware Screenshot
