Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Roundup for June 10 to June 17

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 10 and June 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics,…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

TALOS
#sql#vulnerability#web#mac#windows#microsoft#js#git#java#intel#sap

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between June 10 and June 17. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Dropper.Kuluoz-9951554-0

Dropper

Kuluoz, sometimes known as “Asprox,” is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.

Win.Malware.Emotet-9951647-0

Malware

Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.

Win.Malware.Ursu-9951579-0

Malware

Ursu is a generic malware that has numerous functions. It contacts a C2 server and performs code injection in the address space of legitimate processes. It is able to achieve persistence and collect confidential data. It is spread via email.

Win.Malware.Zusy-9951717-0

Malware

Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as “explorer.exe” and "winver.exe". When the user accesses a banking website, it displays a form to trick the user into submitting personal information.

Win.Packed.Johnnie-9951653-0

Packed

Johnnie, also known as Mikey, is a malware family that focuses on persistence and is known for its plugin architecture.

Win.Downloader.Upatre-9952018-0

Downloader

Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.

Win.Trojan.Zbot-9951812-0

Trojan

Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.

Win.Packed.njRAT-9951863-1

Packed

njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim’s webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014.

Win.Packed.Cerber-9951870-0

Packed

Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns other file extensions are used.

Threat Breakdown****Win.Dropper.Kuluoz-9951554-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 53 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE<random, matching '[a-zA-Z0-9]{5,9}’>

53

<HKCU>\SOFTWARE\KJJMJSES

        Value Name: bdjqdfwj

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: uumhwxma

1

<HKCU>\SOFTWARE\JXUUKKDW

        Value Name: locbrvhe

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: iqqhjsfw

1

<HKCU>\SOFTWARE\KPAETDOF

        Value Name: krufhdbd

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: evjvokik

1

<HKCU>\SOFTWARE\BWUDIQJM

        Value Name: jnwirdki

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: xufltbxk

1

<HKCU>\SOFTWARE\HIRHOATA

        Value Name: eisnxhra

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: mdrufreo

1

<HKCU>\SOFTWARE\PRMHPLCR

        Value Name: oshustei

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: aldpcbir

1

<HKCU>\SOFTWARE\IKNMTLOQ

        Value Name: ldgxwqmo

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: gpqtqbjl

1

<HKCU>\SOFTWARE\NLGLIGOC

        Value Name: ccdhafww

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ktfnusik

1

<HKCU>\SOFTWARE\EXICAHWH

        Value Name: xbeqvghl

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ghlwkjxg

1

<HKCU>\SOFTWARE\TDFEMELN

        Value Name: rxkaagok

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: nwimalgk

1

<HKCU>\SOFTWARE\FVWAKPNV

        Value Name: sisiqvga

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: pkpanwfn

1

<HKCU>\SOFTWARE\UFIJMRQA

        Value Name: wuwxnmmb

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: hssjhkqt

1

Mutexes

Occurrences

aaAdministrator

53

abAdministrator

53

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

66[.]45[.]253[.]250

46

67[.]231[.]22[.]199

44

67[.]18[.]12[.]2

44

178[.]210[.]167[.]213

44

81[.]177[.]181[.]223

43

31[.]186[.]5[.]20

41

185[.]66[.]12[.]185

39

Files and or directories created

Occurrences

%LOCALAPPDATA%<random, matching '[a-z]{8}’>.exe

53

File Hashes

    03d16772164bf38fce12f8b20edf31e333dde72551d28946a6b0504572a7ee3c

    0d11f50467268ec07cfcdcf7126ce47925e2734c9860193418f0bf7652b692b5

    0ec35b0853067a546b01cdd703a3af294c2b9d13ead3f08431bf6409f4e3d768

    117b43fa236e85316eae679843702e34611f783a8d32d987bfdf6d7c1e95cb05

    15ccb21da4a19b67a8921f9f658c2e4a6a128377a53775f8a22e6d8a8c1aad19

    165f2b77a3913502331e7479b9eb27daa502f95d345a21aa35e0bf25824419bd

    181b3d14bc2ccebfe2eb9b807249c4389921328f15d8a1d9052101802cde8912

    1a01fd2a79edf02208ac763bba4b85a573063695f739a14e71e8a52968203f92

    1a02a929ec3913b35be686ed02c4e573d0269b89fef541698cd7367ce8305cac

    1be0c8fa5a596a21af5a95eaefda391ae744de19f22d100868a741b1e3996185

    2563cfb42ab2886f9421221b09fed67135e2a62ac81decac5f4fbc340260b9db

    2ad88e50328965fae0bad32e09e034176f8e6ea79218e0ea45f3e9a32769c166

    2cd8dfc9ba6f7f03897763376262263cafe0b066ca45414cb2fcd07dc3a74b6a

    37f8435545d2899ec78f1310d526b8709b940fcc1fa7c209e769c51df7185478

    3b14aa6be8f6b0e413d37c4e9db91f29d93b5cf5ea88a03af31a57dd95ad287c

    3d4f44f5cfa2cfda03d736d07dcee9f5830d0306537651154cf0410082652b55

    3f4fb2d9add4d85f1f1e951b05f11321086f5ae0954da0f1e763347dde6bf299

    410669d18544b0046ce352513a5b2c20f895779e2310600abd0e5f73b4498e40

    4896f409886858981d2470cb7be22021c0b0717c9ad347ee4fe79429b3db257d

    4b1c65ac6dab390f0df1dc71aa4ced2a66e95a5f18cf3e22394471d7d06ecfb1

    50873e470dd6ea1e75f5b2baefc2d7d0a828f178b773d69da4b958dc96678eb6

    57a1bd5ba95ee4b0204130eef017f6ae00b567f68271e1d58c9a4916274e537c

    58eb13af38022ea5eeb3d5362a370e2020aff8393b21e26ec992bd910410ea86

    590e2da8a84ead5f16888321431b54095748429ba8d995b20226c2632de7b01c

    5f62d67d8bc2fe4893208bb9c839ee6944b75034e1613de5b4430534f0ef8da7

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Emotet-9951647-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{690D1BD7-EA98-1004-3AC9-E87553700E95}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63FC4996-AFD5-E391-06A7-EFB6E2702561}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63FC4996-AFD5-E391-06A7-EFB6E2702561}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10CDDA71-B745-777B-1AF7-51696DB9BB93}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{CFD6D5E6-02FB-7433-9261-E8E1B87CAC69}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{8BAB5812-9D02-8F14-74B1-BEDE393F8C1F}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{10DF83AD-199B-9C18-3FEF-E4ECD6A42F66}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{1AD90FE5-CE2F-E8B8-CF09-E0B1912E9542}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{05ED06D6-F422-71CC-26B3-C9964D56F645}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{98B09642-2764-54AE-3333-D8C6CA536428}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{63D99860-AA40-CA79-F681-9DECBEF55447}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{D4B277A3-C25E-BCDE-A054-D41AAC36394B}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{FE9DE6BC-A4CF-8285-E73C-DFE7A08197FE}\SHELLFOLDER

13

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\CLSID{B11CF2E2-C0C2-7860-F12E-428101DCB963}

13

Mutexes

Occurrences

{24d07012-9955-711c-e323-1079ebcbe1f4}

13

{bf18992f-6351-a1bd-1f80-485116c997cd}

13

{ac5b642b-c225-7367-a847-11bdf3a5e67c}

13

{ed099f6b-73d9-00a3-4493-daef482dc5ca}

5

Files and or directories created

Occurrences

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

13

%System32%\Tasks\Ryddmbivo

13

%APPDATA%\1lFT

9

%APPDATA%\MJrHN

3

%APPDATA%\1lFT\icardagt.exe

2

%APPDATA%\1lFT\ie4uinit.exe

2

%APPDATA%\1lFT\xpsrchvw.exe

1

%System32%\5246

1

%System32%\5246\credwiz.exe

1

%APPDATA%\1lFT\iexpress.exe

1

%System32%\7496

1

%System32%\7496\icardagt.exe

1

%System32%\0786

1

%System32%\0786\AdapterTroubleshooter.exe

1

%System32%\7911

1

%System32%\7911\icardagt.exe

1

%APPDATA%\MJrHN\recdisc.exe

1

%APPDATA%\MJrHN\dpapimig.exe

1

%System32%\7124

1

%System32%\7124\SystemPropertiesAdvanced.exe

1

%System32%\0485

1

%System32%\0485\VSSVC.exe

1

%APPDATA%\1lFT\cmstp.exe

1

%System32%\1674

1

%System32%\1674\consent.exe

1

*See JSON for more IOCs

File Hashes

    11937c5d0ecbfdad670f9ab669e0962da77eeb6adf08c321957a8967b4df85d6

    130ad7d32592a45a7752eb5519d4eb1e8b3bc1d89c194dd3280c4092cb2df813

    38e080ff905c23845a395292a9c9ae44abdd7759b0b7f43628c7be9f99de8ff1

    49bcf6f627015d60bb285b80fcb825067d967591ea39af2b37aba982457fa277

    77a213f839b6042cb81c0d62438edc6684c1bba47b15f99acb7dfc36a5200df2

    7c43e2a210ec0bcc42f727d5a513ed5727f74b0e699f75944b68e4a64706bfe0

    c13c882f05bb3955703461f3dd0d1c672f8c49c676f2a8ba23cd081861c00b4e

    c26aa64c7dd9fd1c8ef6216502af95f047bdf5eca193a0a4163b6c33c254415d

    d37e40966aba9b94dde2f19a84c4046ec6a08b4470597ebbbe9dc92e5f039b71

    d4ab2f13939fab307477f91bca3466d208631fa5c2ea22ac6fde99aed0ac1111

    d80cc713b58f429b602e56aa23fe4df4abb76f450f19306033b070f337b8fe4d

    dba2b5323c3bb00c29e87031095ff2a5d559e840f7d998f255f555a310e977d7

    f3c74369cfc6ddd9a046177bc525e076484257b6dd8f4f1ed9249c3e608939a6

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Ursu-9951579-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Mutexes

Occurrences

{7AA4AA84-01C3-46CC-A00B-B0C840C728B7}

25

qm_mutex_key

3

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

27[.]254[.]66[.]8

25

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

pb[.]wungfon[.]com

25

Files and or directories created

Occurrences

%APPDATA%\Microsoft\sysAddr.dat

4

File Hashes

    008eb76b3d5a9fe7f8981dc7cc03b8eee4b057cbbdacc37a8d76cc61ebec6281

    014fc0be7d4ce5b735183db7e225e982c690db90616081d3f621ff29db0e5125

    032085f5d5dbd471e6b4908869ead38a07dedda23e283342bde00ab32e6b7cb1

    07980f20d13a72877f5f3e42845551f9706863c20174b3777fe72f1e4fd2b282

    0b64e696150281ccb5ed39ca437d13b073b91fc5f8c409a97d08ce377d8fde4b

    1483faa5958725204242ca17a8c91db73e7e1861d8871c8f8b9f82cd80684855

    218518f37cda9a3a24d9e0e018cf71a7ca263ba497335445c3edec73573f42d3

    22692cb2374431b564595e34a32d32147cb4047ac042869541d3638463a02f0c

    24e995a669d984569832fe86f374f1bec506bd50bbc876426784463d311a7c30

    2531acc711354ac26b715551b89c0aac6d441d2961b18846298f45ca7bba7850

    2563bbbd266cf6b242a46bd1116b34dfaa5d0472dc9c2116b678b3f8637588c5

    296d5be886a08e4c6b1eac3438ff2f561b789dc3edfb29799323b46f3a5a918c

    2ae17a2b382e80b44d1a97bcd05d7fdbf1b51ca0b2b67e46e072c351f827b862

    2c3f6c2ea02439ba156b6f2c40edc2b9fc02d0abc8b7e4c3b0a68c077d17859f

    3058d25bdbbb2ad4b639bf01f3481bd9d51365467cd9555ac2905d71fa1e22d3

    311a390ed45b8f8a46d651faef37946af238fc48e0506fb88da643401a083244

    392d0e0ad47c1c96b2208a4d2b971b984dadd5d180126933de056f9c3d50a7bb

    3eaeadc84ca2617b9d371bb5b94659b7461e0d0b2d88558f26e95ca5d09357eb

    470bd7590bc09312dc6af0487ef4a2d5f9f8b3337cd1c8876dc1531c8c678e8e

    497930029fd34a5b626e8010a06d18672390c97e8f4ff4b68bfc61b9387abebb

    52ce5f7e0e1223c82a4a88588a5658df64e6dddf262a2ca6af1ffcb5cc190054

    5ca59c6611f4b91df2070408493b5b7ab89985848401c34e1a8ed0d012eecfed

    5d2a540674e49178959767e8a1c335da233a8f8c3f509f1f4851ec0eed164557

    6af6e5cfe7d10a2cbb7fd6b8a8041ab9fd263e51065d2806c8858539b558bc2c

    6cb8e1da7b4042dda8f43dc21ccbff8ca317be65c80194744cea6bc4d1483bb7

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Malware.Zusy-9951717-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\VSS\DIAG\VSSAPIPUBLISHER

26

<HKCU>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\USERDS

26

<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159

26

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS

        Value Name: 2d17e6

26

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: IntelPowerAgent13

26

Mutexes

Occurrences

2d17e659d346

26

98b59d0b000000f8

6

98b59d04000000f8

6

98b59d0b000006a8

4

98b59d04000006a8

4

98b59d0b000006e0

3

98b59d04000006e0

3

98b59d0b000006b0

2

98b59d0b0000039c

2

98b59d0b0000034c

2

98b59d0b000004ec

2

98b59d04000006b0

2

98b59d04000004ec

2

98b59d040000039c

2

98b59d040000034c

2

98b59d0b000004f0

1

98b59d0b0000076c

1

98b59d0b000007bc

1

98b59d0b000005ac

1

98b59d040000076c

1

98b59d04000004d8

1

98b59d04000007bc

1

98b59d0b000004d8

1

98b59d04000005ac

1

98b59d04000004f0

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

31[.]13[.]65[.]36

26

31[.]13[.]65[.]174

26

162[.]125[.]248[.]18

26

12[.]153[.]224[.]22

26

17[.]253[.]144[.]10

26

138[.]197[.]63[.]241

26

104[.]21[.]41[.]17

17

140[.]82[.]113[.]3

10

172[.]67[.]141[.]102

9

209[.]197[.]3[.]8

8

20[.]84[.]181[.]62

7

104[.]244[.]42[.]1

6

20[.]81[.]111[.]85

6

20[.]53[.]203[.]50

6

140[.]82[.]113[.]4

5

140[.]82[.]112[.]3

5

20[.]103[.]85[.]33

5

13[.]107[.]4[.]50

4

140[.]82[.]112[.]4

3

140[.]82[.]114[.]3

2

65[.]58[.]11[.]254

2

20[.]112[.]52[.]29

2

23[.]52[.]1[.]232

2

140[.]82[.]114[.]4

1

8[.]253[.]157[.]120

1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

github[.]com

26

microsoft[.]com

26

twitter[.]com

26

instagram[.]com

26

facebook[.]com

26

download[.]windowsupdate[.]com

26

dropbox[.]com

26

etrade[.]com

26

icloud[.]com

26

python[.]org

26

sendspace[.]com

26

Files and or directories created

Occurrences

%TEMP%\2d17e659d34601689591

26

%TEMP%\uddC7F7.tmp.bat

1

%ProgramData%\2b86j6hb4d.exe

1

%TEMP%\dvw2DC9.tmp.bat

1

%ProgramData%\2b264082jd.exe

1

%TEMP%\gtrE805.tmp.bat

1

%ProgramData%\b4fj2286f2.exe

1

%TEMP%\tme6D54.tmp.bat

1

%ProgramData%\b8f6f24db2.exe

1

%TEMP%\exh192E.tmp.bat

1

%ProgramData%\dhhh6bj28j.exe

1

%TEMP%\cbhB4D.tmp.bat

1

%ProgramData%\2bd62d6bhb.exe

1

%TEMP%\himB1DE.tmp.bat

1

%ProgramData%\djf2bj6446.exe

1

%TEMP%\nqy83A9.tmp.bat

1

%ProgramData%\bjbf008h8f.exe

1

%TEMP%\nqe2F62.tmp.bat

1

%ProgramData%\248jhb4f2b.exe

1

%TEMP%\rxcFAA7.tmp.bat

1

%ProgramData%\2bj8jbjbhb.exe

1

%TEMP%\nkuDECC.tmp.bat

1

%ProgramData%\b06022fff.exe

1

%TEMP%\phmFA5B.tmp.bat

1

%ProgramData%\bd2dhjh868.exe

1

*See JSON for more IOCs

File Hashes

    01827881adc5584f7d2288e5e963160c98e1fda5d5f4f33e0a2d6b8b2d743237

    03bcd9b34164998db2446d2d4fecc46231c007bb8eb8ee2548f43ad5a1403ebd

    0c86296524c03d20adec3ac4804d86f7b96ab78e4832ab8f5a4550df4d198845

    108cf8c9a06ce3e0119a733c472146e3f8a3a9d4bb7c36f26bab3ba594b71fde

    171c661d966baf00f6ee7cda4f950a87bf1d8e716f26568656898beca218150f

    1908a93f320d1628e7c25d19653f8ab6eb86c6479b2a75358141948aec47ec01

    1b349b68841907ee055094feffecb0bb422b47c83fe695636ba78d3475be48d8

    1e539d157a8e42ffdb6011110df7ec1858d50aabe9fcbc8e1720051427656d41

    1fc8e90f1e5427bca5e5ffb95dceb11356a2054c79b15a7001a85041425eca27

    28308a84b47b32733fff0c4b6e06e7c5ab167ba77e79b7f1d4ef0930353e709a

    2b997e2ad4e646c1cf1c6114c78c5a8c676e8c3b35c8a1a3ae282af471011031

    310b56553064533930fa99917c88453347bcef1a074e6e1386da883b2e40c0c6

    31714578f7fd3a8a4cd34c6935f3e5dc61c3644cf4479fba16d535966705db9f

    39097759e5da138e3e17518032476fd2c5335c739b4e37e6e77e9eaa7e3914d0

    3967dd64c5424bfe3762ef22bfeb6bdf65b736606ee080a65627a6c73dc2ea76

    461ab94e260e60d70917066ea58c68c376b394c244ab0256c711f17fc256f68f

    46468e8076d924142490591d0a7044770c9b32e9ebdffd9acf97d737a2709aee

    47a52917370e7ee1e252e1c2cbcaace8bcc8c6b454ff3c579314ac98dbcd695e

    514ef4a4268745282585e5b13842fd4e1ecc6d2363197b9028d715df0f4b2ac1

    552fd0ab41fad09a5314d8e1635904604743286fccd8a9eca09ad41e61474a12

    575f6361702d5065d355954b5059de6aa68530ab23df995c530e74a2720d5c6a

    68f1d25e6ffe8082f25bc250d64c27dc65dc65512083b222ada322dde3496e8a

    6a7a01fff1a487039e692ce783ce802e7389b6386098195b860634ffecb26ba9

    6fe2f061aafd8df62fffa2fda7dc86de685f0a512b95ca863463b8417ec21360

    752781ac82e899ecbcf7ab1260859afa85d853ff5c89fe75a00abca010ed9c35

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Johnnie-9951653-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 69 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\159

69

Mutexes

Occurrences

Global<random guid>

25

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

45[.]35[.]72[.]106

69

104[.]21[.]41[.]66

10

104[.]21[.]56[.]158

9

172[.]67[.]187[.]40

8

23[.]221[.]72[.]27

7

23[.]221[.]72[.]10

4

172[.]67[.]189[.]196

4

23[.]46[.]150[.]48

2

23[.]221[.]73[.]32

1

23[.]221[.]72[.]16

1

23[.]46[.]150[.]72

1

23[.]1[.]236[.]9

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

ipwho[.]is

69

holdthismoney[.]site

64

apps[.]identrust[.]com

17

holdmy1337[.]ga

14

test[.]nominally[.]ru

7

Files and or directories created

Occurrences

\TEMP\System.Data.SQLite.dll

69

\TEMP\EntityFramework.SqlServer.dll

69

\TEMP\EntityFramework.dll

69

\TEMP\Ionic.Zip.dll

69

\TEMP\System.Data.SQLite.EF6.dll

69

\TEMP\System.Data.SQLite.Linq.dll

69

\TEMP\x64

69

\TEMP\x64\SQLite.Interop.dll

69

\TEMP\x86

69

\TEMP\x86\SQLite.Interop.dll

69

%LOCALAPPDATA%\g1nz0l1s7

44

%LOCALAPPDATA%\g1nz0l1s7\Browser Assets

44

%LOCALAPPDATA%\g1nz0l1s7\Browser Cookies

44

%LOCALAPPDATA%\g1nz0l1s7\Desktop Files

44

%LOCALAPPDATA%\g1nz0l1s7\Screenshot.png

44

%LOCALAPPDATA%\1337holdthismoney

25

%LOCALAPPDATA%\1337holdthismoney\Browser Assets

25

%LOCALAPPDATA%\1337holdthismoney\Browser Cookies

25

%LOCALAPPDATA%\1337holdthismoney\Screenshot.png

25

File Hashes

    03b205636ddacee2791b3bea1bc540c52dbf764d263ff7e6b78e339976bbf1bd

    03ed8536f865b257cb84d00578d68b30f7e4f5e2b8b11ea2c536f4a73fcc88bc

    0651a3d54f5d93d46b458c172788bc789310228f66f52adeed3f5b14f3926020

    071463e9857ac23eb26297a19681e96be05122bf1e42f79fa2804b2e7df4deab

    0757ed3e6a6a99d98abae124a05ee33e191fd42481e9f9af456ea5d87cb0256f

    07d45e42c071baed5f213a9cb454f423558dd8d227b5a385b5eea836166ed2a3

    07d4eb068b92809328866c660e46882d3a056e86ea55aee5b564ea54a9cb16f1

    07dd67ea6bec0584094609bee43a10b3a9f43cbb015e82987ebeb5c411af91d9

    08994b0dd47da89a34c9bbbe8e15bb03150d1823a3daac94e86ce333964727ba

    089988b533e82f9d61020b3b6979bc61aa693d163f398e0a9054fd6e64a29b4b

    09a45da2f4cc0f91e3a6af29095f73607287871573828495d1cd8679f00ee197

    0a52a1b56ac888497a88371c954325d312eae19cad14460b572aac8c5ac37d6d

    0b2d71a663e60bb5cca8f76d2fd23468a8cc74b199bb382305c7412aceb3f63d

    0c8ef4eda585236858772e3bd0f981a5aeec797a5af7888a6ca9c71a9de6c274

    1008d9650c0b5b87e4791b18dad3458ee2cc0fe29a7262a86a4a83308c5fcfc3

    10ad3015e2d6967c07d012358fcdae6f02f57e69616b0a91c0e6cdf6b683e9c3

    121377d50799144f5d718ba9c1e805915fc3bd9d7594eb6115acd09e3d76f7d5

    1300417d32610e74c37897b0e1f73efd9edeea5ded6052cf093e0555e685df2f

    1394fe31d98ae7f742189f75e1ee7f0593540b79a46ffe07d61d4397de0f12c1

    139e428d990500159cc153a5c1cd4558026542ed4c51dbd88e884e0c14f5f3a2

    1432f96255366adb5119d016f627bf241da64b3d5aba0dc9e8e5bc941f138c02

    154f79f3ca1f9eb8ec8fb728f038cfdf5ef83139cfa3f8b8f484bf7154817007

    16f56872942abbf6b94ab2993cc94039d99ac7288af5f5368184c9e587bd0230

    178a7baba15d9bfde158fb181b45b7e12dbccbc49c2d7f27c1b5f2728b9dec24

    18d541517e2f22e05b92f1e29cba6a06a155892d61c8bd24a56ccf5ba2ea7070

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Downloader.Upatre-9952018-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 24 samples

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

35[.]214[.]107[.]94

15

23[.]46[.]150[.]48

8

23[.]46[.]150[.]72

4

23[.]46[.]150[.]40

3

154[.]215[.]59[.]219

2

52[.]213[.]114[.]86

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

apps[.]identrust[.]com

15

rockeyracing[.]com

15

zombies7[.]in

6

sicherhosting[.]com

3

Files and or directories created

Occurrences

%TEMP%\hfdfjdk.exe

15

%TEMP%\ckjienn.exe

15

%TEMP%\zfbttcb.exe

6

%TEMP%\ttcbnaf.exe

3

File Hashes

    032361585c4487032050c334cfb78e5b8edc2e1610f97830ba467356caa3f193

    3976d442387200f662450deff6768a2299cc1cb7d94a7ddf70909ddfdf49ca45

    44066b4808e35af43e2fcee023d20b7ba438ad2f13b6dba08b6d35ec70fe403e

    46391535b45440cb62d8c18744bbdbe7a242df9d4a4c0005d6d3b257a4d2e3c7

    4af32df9cfe6fe35d9f8e5d3e0fb46476fd4c21c3e68037f3d0b5379ff536110

    4cf842c6025d44f8be0b85e0092a771c9bdec5f196c71dac88fa28280100b0d2

    52295e1b2bde64f718c7985f9c6f79e23393b654d8e7b0161c9e372179c24e17

    55b0245f06465a8e77cbab31dc2a600ac9898e86c70619a02c6cf65918960c77

    666b205e8e91fa93a3a1c878ea239b93cd27e16aff0a88bd2b7bb2b82f5938c9

    6e784398efa3b2695ed611f5b68a53ec31c90ecf2a17c9a6b89298918f7630d3

    77f1680ed8ee17748450c70d477a58e6ff91184e2ac4aa2d2d91cd048150033a

    7fcad26eb3223f272fcf8a31edebaf47e57f22f0f1f0a34bf9dda82f3c059291

    93cfafab66104586e86e374c87058dda3fdb30144e36f15fe93926eefb4a954e

    9594627b8e114f854ba424c21c4025a65491d86c43970431763f2538da464450

    a68dc6367e9c209cb7a48106994e1f044383d0ba5fa58dd75db434e5a923cbb5

    a6d0a7ee0c2ce3302af44fba3ae335e55b8b42e2cc0a80e8c7ae9637648fa721

    acde6674eff9d4076cf9248bef4e1f8aff56bd7ce5be48330f6c46fa4af19e27

    ad60f1a6f5155aba8c292565ac0556876f5d1bbea94fb6225ac51482469854ce

    b365de55ba86c89f92a2180fd82d8568cbe61e25f3d5d02f1b6449dc7b889aff

    bbeb8dc47bd3921abc9922f0a2a47765c83b17be1b5d0d14645adf27b7b1fc31

    c7b4f5770fd0a8143aab1ce2e398569e1d8942f8ebd14ef78dd88445cbf80d35

    ca35cb7e503469cee1f71b332029922b846d11449287f4a5fffe260ee2472af3

    ebc5dd9d017cc04deacfd74c10c777315e69361dddb8ce041b9df341c01e00ea

    f1e581da8776165ebcd36e1b33dbefa8951ea6b18da4ca035552a6bb64a4e444

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Trojan.Zbot-9951812-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASCCP

        Value Name: FileTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASCCP

        Value Name: ConsoleTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASCCP

        Value Name: MaxFileSize

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASCCP

        Value Name: FileDirectory

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: EnableFileTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: EnableConsoleTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: FileTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: ConsoleTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: MaxFileSize

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\SVCHOST_RASCHAP

        Value Name: FileDirectory

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: EnableFileTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: EnableConsoleTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: FileTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: ConsoleTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: MaxFileSize

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\VPNIKE

        Value Name: FileDirectory

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: EnableFileTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: EnableConsoleTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: FileTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: ConsoleTracingMask

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: MaxFileSize

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPHLP

        Value Name: FileDirectory

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPCP

        Value Name: EnableFileTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPCP

        Value Name: EnableConsoleTracing

25

<HKLM>\SOFTWARE\MICROSOFT\TRACING\RASIPCP

        Value Name: FileTracingMask

25

Mutexes

Occurrences

MSPMutex

25

SYSTEM__91C38905

25

SYSTEM__64AD0625

25

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

de-openphone[.]org

25

Files and or directories created

Occurrences

%ProgramData%\Microsoft\Network\Connections\Pbk\rasphone.pbk

25

%SystemRoot%\SysWOW64\drivers\wsnpoem.sys

25

%SystemRoot%\SysWOW64\wsnpoema.exe

25

File Hashes

    000e1cbc44ed0a94ca14ec39365c855a0a55fb5743ddcdc97d30020455248afd

    012ca5ea88823d788ff795874809dae14c728e992b238cb2bf8ad38fa5bc16d4

    0264a42001ae18cb0b93862aa1399be459f0ef43e6b4d51547e85f61947cfccf

    037fdfe3bb7b55d2620f51e47023c7049afa10a6bb8bec989755fe60cad1b189

    06262d80ef61a3e0e1b0a320834ac19b77f4e4dd250fb2b450e86d6c0e28f756

    06364fd3a597c39708fced04f51657a71f105ffd8aac7235c248c5e1420904d7

    07156d07e6fd2e1042d80069792284963951282aa103bde9111730c822c9f053

    08ab8161c2f8b2cbef148fc41241c86f6e139442a9fd5f677fc3e7fe90dcf1d4

    08fbf9cb9e84cf1fff69aabdb2d8d6ae9ff8d0728e80c539bb8468d6a09a28f8

    0abe8c8e5f6100ce75900f8c12bbc37276e035522abc1d5c766c29c80df84d8b

    0b547ec58c5e58cc22483c79822844b3d6e068a85bd879890a4555794ea3016b

    0d97de762aad1f9bdc4719954adaf28c2f291eb761affb4474ad1ccf53d5176d

    0e7480bf43861f281a20f05f44af294c48e1a9d4d119883e1820ad9128defcd6

    0eae038f213da1fca9f5ce3cec70ead818130d36856f56206a8e88d1c3f5e7ce

    0eb42d0f19b56aeecce6f0baca195cc0fccdd1c463528dc1de3e6444dd9de217

    0f42370af3c7bf40b88f5cf2c77a8cf6da14a47e6d8db70a3cc51a2b00c364ee

    0f641e9099e5eca41973e8f784edcd072474486eede9aac1f80d80f5e40e35e6

    102a4e2988231a2448060457a75accc4016b9cf0e8d16d99789857981420fdf1

    10b40225a1b941278979a70415ff2097820f911f7a722f036a914b80fdbae084

    12c72898aa3b9ae1e9a372a151b67dc7c95a1409936180742acd5f4d1b20a684

    142077ea439b03324f37a5010ccc3909daf1f1fb7ac9a478af7e851f490fd05d

    1543751eef535b2b1b44bebe0051dc266414dd45b018139841784b0b556e282f

    1594db35d07b4883d54ae197bf9e8386ec3631791c85fd155355923c827074ec

    15b84c3a0140f74ede164b2de716df08ca71d8c1076abdaefb7b99f48dad5f84

    169cee6a6c35d47fbe9cc192c32aeaa607f01e810936e0593bb0eae5cae8f1f5

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.njRAT-9951863-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples

Registry Keys

Occurrences

<HKU>\S-1-5-21-2580483871-590521980-3826313501-500

        Value Name: di

28

<HKCU>\ENVIRONMENT

        Value Name: SEE_MASK_NOZONECHECKS

28

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON

        Value Name: ParseAutoexec

28

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: ruuvcdjrlxftqnh

28

<HKCU>\SOFTWARE\98837D34F177F6CAE60B03C4B7735AB8

28

<HKCU>\SOFTWARE\98837D34F177F6CAE60B03C4B7735AB8

        Value Name: hp

28

<HKCU>\SOFTWARE\98837D34F177F6CAE60B03C4B7735AB8

        Value Name: i

28

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: 98837d34f177f6cae60b03c4b7735ab8

28

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

        Value Name: 98837d34f177f6cae60b03c4b7735ab8

28

<HKCU>\SOFTWARE\98837D34F177F6CAE60B03C4B7735AB8

        Value Name: kl

28

Mutexes

Occurrences

98837d34f177f6cae60b03c4b7735ab8MTJBR09TVE8tUEM=

28

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

192[.]169[.]69[.]25

28

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

orlandorojast85[.]duckdns[.]org

28

Files and or directories created

Occurrences

%APPDATA%\ruuvcdjrlxftqnh

28

%APPDATA%\ruuvcdjrlxftqnh\ruuvcdjrlxftqnh.bat

28

%APPDATA%\ruuvcdjrlxftqnh\ruuvcdjrlxftqnh.exe

28

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\98837d34f177f6cae60b03c4b7735ab8.exe

28

File Hashes

    02ced158fff33e644e10bd5c9faaacf5100aa45ec91b8b300408b3a21ea49d52

    0a983b8a14ef1b253f058c3f17d1650109ce6ad5c8cf9c2fb9fa9bbbcb7778aa

    128514af952bca2de0cea5b7cc6179a2f30ebaae2766ca1bc5dcf1dd333ebf03

    16ee2defda09e350b8f3c6b206cb909a3ab25606943332390047c4366e807fe4

    16ee3f8510c547b93f9d561b9ea803657557415ac333a8d38fc9b6fbe909a4f7

    171e17c3bc3f1c503ae40f93fb74aebd5c60509fa91df6503824499762822ece

    1b8654d6f1917924a744f42429a6341d1f61620b8499c26dc2ea9e9c3fc9445d

    282c5061cfef77fb339cd138c8f2b1a13f511bfc0339951becde8f02e5da8e92

    2967843b041f3441f8e7372545a8e2f7b8009499657b3a8ff77d5a71c6dcc31e

    37335b068fdf004c732cc8f836d467e12891013856bacaf11618a8efb1d60539

    376a1fc3bd286dfd0be98040b1c2bb4461d4a7ca532214bfe499f75c10e195b3

    3c65fa09f187426ceba6b8522e41f2a6418e15dee31d2a66822e25ce6d2ae5ee

    450dff9908f7866ef255f1c9f242ed604d42e82ea79ed9d02765ac40aca0461b

    46f3651fd3412b2bb58e2ca699f1d56c35cb55221e3fe16fef7aaf784e297a61

    4ad3fa204f00664652c8a9ba1b3bc9c6fc5f7c6ea0a6b7b3f17d15d1e783101d

    526f22bf64336123dd9eadbbb88cd1329b67b465bead0d7f503a32cc7934c7f9

    5ccbf25de465cd47cca9245cf5123c13858d0cc2bb24a6492816c6bca458b910

    6c234e3722c1453d6d62e380b49e67625ab0293c45c2688dddf497f0e391eaf9

    6cefd596e792526445b3923d3cf10f7e909cdc9de140ed2c5dd0c478bcf93ef6

    7384160ecd4a3c883770c10ca3c9437cbe2bdffecea10016cbccf7601cae389e

    7d3935c8afd9f897c760413a4d4e9ed9e2da918744061f8eebe43fe471eb49ff

    7e15938bb7bf6f1bf2ac7a3b6b9b3edabf502c7ac4c23d3bc722e418b3d6cede

    801880338338f355dc386717b6f13851858978d94751753e390f99e6ab7fe171

    8648d3ae84b03c93792aeb5c33f4f172f0944cf3fd097ba70aab18074c4763d2

    86af97977baa16148747a448bf7eca3231963368da48f1088a7ccbf2707f27f4

*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Packed.Cerber-9951870-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 13 samples

Mutexes

Occurrences

shell.{381828AA-8B28-3374-1B67-35680555C5EF}

13

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

194[.]165[.]16[.]0/22

13

17[.]1[.]32[.]0/27

13

78[.]15[.]15[.]0/27

13

Files and or directories created

Occurrences

%HOMEPATH%\Contacts\Administrator.contact

13

%TEMP%\d19ab989

13

%TEMP%\d19ab989\4710.tmp

13

%TEMP%\d19ab989\a35f.tmp

13

%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat

13

%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp

13

%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp

13

%APPDATA%\microsoft\outlook_README_B7BH9D_.hta

1

%HOMEPATH%\contacts_README_PRGY_.hta

1

%HOMEPATH%\desktop_README_D8HSYM_.hta

1

%HOMEPATH%\documents_README_F3WMD_.hta

1

%HOMEPATH%\documents\onenote notebooks\notes_README_UN1J_.hta

1

%HOMEPATH%\documents\onenote notebooks\personal_README_W9D1Z_.hta

1

%HOMEPATH%\documents\outlook files_README_EGQE_.hta

1

%LOCALAPPDATA%\microsoft\office\groove1\system_README_OT63HA9_.hta

1

%LOCALAPPDATA%\microsoft\office\groove\system_README_XAI61R3K_.hta

1

%APPDATA%\microsoft\outlook_README_AUGGWE_.hta

1

%HOMEPATH%\contacts_README_VCE2_.hta

1

%HOMEPATH%\desktop_README_DGKOFZ_.hta

1

%HOMEPATH%\documents_README_BB3H94_.hta

1

%HOMEPATH%\documents\onenote notebooks\notes_README_7QM1M1_.hta

1

%HOMEPATH%\documents\onenote notebooks\personal_README_Z1Y5_.hta

1

%HOMEPATH%\documents\outlook files_README_WEYO0_.hta

1

%LOCALAPPDATA%\microsoft\office\groove1\system_README_2WWE_.hta

1

%LOCALAPPDATA%\microsoft\office\groove\system_README_FW0XKMN1_.hta

1

*See JSON for more IOCs

File Hashes

    02f3f8d14acf7c5d5c026a449200bcbe0576ea66870d79e174e5f2349062bdca

    198695e64c0d9f23120907d6c072506ae8f1387202cfc480137b922d6b29b975

    21254357fd151284f0205b87e51512ab78098bb409017e8b41f4bc583acb046d

    21719320102b6423c901aae016c18609f980baaf6d7f364ea7cc971b83c01478

    4490b338a3d9a3d15c65a932c7880c2505f940f1cd9f0d99f5c7b240bd7e806f

    7769b6f5d40c6de59400919f20c161cca9cbf3222ae70a46cf42e43367c64b4a

    89cf0b7fc6f3d2a758985297d460b1ea242b4b0b6ea422fb1f049756b90f0c59

    989c24c6641ace3db31890191b1eedab0490f480240eb9052cab8f483cd2706b

    a864f5b878aa58fc2e381f4db133a52dfe9dd5a64b99c8f4b141e92dc6acf544

    ab23c74b171bb64fd55cea933b7f9ccd4c1fecae6b6935df76123247f77f2ef3

    c26259cfa6e203ea5f74a6823e7f463e2b148c37cc2a38391dc612efc84a6ba4

    ddaac9de46f8fdfc04126f69f4940c6a4d2603bff3d92c41192335697d00bb2d

    e45534dd14f2bb9a6a6cc3c5c1813b3e4b3fe4f74cbb8f9d8e38900f02f1d598

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

TALOS: Latest News

Welcome to the party, pal!