Security
Headlines
HeadlinesLatestCVEs

Headline

Threat Round up for January 20 to January 27

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key

TALOS
#sql#vulnerability#web#mac#windows#google#microsoft#nodejs#js#backdoor#pdf#botnet#firefox

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Jan. 20 and Jan. 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

Threat Name

Type

Description

Win.Dropper.HawkEye-9984948-0

Dropper

HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media.

Win.Dropper.Zegost-9984959-1

Dropper

Zegost is a remote access trojan designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. Zegost appears to be derived from Gh0stRAT, which is a well-known remote access trojan that had its source code leaked, thus significantly lowering the barrier to entry for actors looking to modify and reuse the code in new attacks.

Win.Ransomware.TeslaCrypt-9985040-0

Ransomware

TeslaCrypt is a well-known ransomware family that encrypts a user’s files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the extortion request, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily.

Win.Ransomware.Tofsee-9985077-0

Ransomware

Tofsee is multi-purpose malware that features several modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

Win.Dropper.Zeus-9985129-0

Dropper

Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.

Win.Dropper.LokiBot-9985173-0

Dropper

Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails.

Win.Dropper.Nanocore-9985222-0

Dropper

Nanocore is a .NET remote access trojan. Its source code has been leaked several times, making it widely available. Like other RATs, it allows full control of the system, including recording video and audio, stealing passwords, downloading files and recording keystrokes.

Win.Ransomware.Cerber-9985289-0

Ransomware

Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension “.cerber,” although in more recent campaigns, other file extensions are used.

Win.Dropper.Bifrost-9985293-0

Dropper

Bifrost is a backdoor with more than 10 variants. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker to execute arbitrary code on the compromised machine. Bifrost contains standard RAT features including a file manager, screen capture utility, keylogging, video recording, microphone and camera monitoring, and a process manager. Bifrost uses a mutex that may be named “Bif1234” or “Tr0gBot” to mark its presence on the system.

Threat Breakdown****Win.Dropper.HawkEye-9984948-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
Value Name: Hidden

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: Windows Update

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

104[.]16[.]154[.]36

1

208[.]123[.]117[.]2

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

whatismyipaddress[.]com

1

s3[.]dedicatedpanel[.]net

1

Files and or directories created

Occurrences

%APPDATA%\pid.txt

1

%APPDATA%\pidloc.txt

1

%TEMP%\holdermail.txt

1

%TEMP%\holderwb.txt

1

%APPDATA%\WindowsUpdate.exe

1

File Hashes

06572f2182ef9dfaf3b8c7d2e025a18a2f4529fb989ad41fd54e17c3532aac0b
178319c41b50d3b78e36d6ac9105b81cbbe74375ce13b271e3ede79222f83854
234f8d4603971d0c86b5a4ccd06212b785ec6a260f9c692db3cced7d3ae6ce77
235bdaa330b9305eb30b08c8e63e28d318bcdb640e87e2bac1f77caf643e2494
255a56ac4fda1184eabc21cca66983c70bd795c99851802595441c5151e4a152
2ba523bc65c1f954e3f45324986840c5a910b4cd6d992d4bc228cbb86def8e98
3af54f2049dbc175ef4c589aa376141586711dd724617ed87e0a5bc7f1e431c0
4370bb6226f36558266a224de5ebb1582208f82bafdf9f2e2617a5cdace9d377
508708e5f5ab169299334434b17fc926d7972b9cc601e0f588ec979a6fb67f4a
549887b9e8e1ffe1e95a31a287c61ca265dd864b886034c22e4bf12bedb5ac91
60355c9d953b39905ec1d23237cc8339b2e1ffe0eb29bc8028dde75bddedd8db
71b210336d2277a498c150e99ddfb99750b8e481fb6dd0d647b7be571c2629f1
7628f72251de0d74df47361bb228fc34abdc121212d6da40936052a5215054e6
9143f2fe92b76f3a42dbeddccb738a397e2d07e5060046a367ed6c1a2c543dd4
a1d8085822a839d8e4f5078584dadc2221738309dbb6e386deb60c4cb8685d90
a3f5688c1f1d5473722fd4a6ae84be5c4f8235db2789fd1e77929cfbb026078a
a41cf4f43bdf0ca8bd515799702f62a1ff811d898f823d1c0225422a54376607
a6f20cc5f0a34adf5ac4582936e5407e48397db18847afa6ea3068c707cc40dd
b30e4856fd0b7adacf553023314db78e88638cd6ee9a14f2f0b8e3dad8fff98c
b66a4c2e0b22011ba409167c9bb663997b180a35f50fbe124bc0439403d65e74
d28b60289c250c1a5a2661dd4a57839cfa3e273f5ef5b068624ff99a2ccc2b65
d49278e577526a1839a13cb7066aabf02ea2d59cc7bb1c922404270cab602c1b
de4afe7e3fe9fc07edbf818ef66a0534844a9daf92d843b3402d67946222637e
e0ee8c2858064cf3eb1bb7a467aa07e9804255570d7b6e25ddfe927cef2d83f8
e21e57541123a49fdfde9912b959fda0bdf5c5fb951094a44bda3fed61ee0c06
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zegost-9984959-1****Indicators of Compromise

  • IOCs collected from dynamic analysis of 10 samples

Registry Keys

Occurrences

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>

7

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: ConnectGroup

7

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: MarkTime

7

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: Type

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: Start

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: ErrorControl

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: ImagePath

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: DisplayName

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: WOW64

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: ObjectName

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: Description

5

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RS<random, matching '[A-Z]{4} [A-Z]{8}’>
Value Name: FailureActions

5

<HKLM>\SYSTEM\CONTROLSET001\CONTROL\RSETSR BQMYSGMF

1

<HKLM>\SYSTEM\CONTROLSET001\CONTROL\RSETSR BQMYSGMF
Value Name: ConnectGroup

1

<HKLM>\SYSTEM\CONTROLSET001\CONTROL\RSETSR BQMYSGMF
Value Name: MarkTime

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: ImagePath

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\RUNTIME BROKER
Value Name: Description

1

Mutexes

Occurrences

Global\58026681-1745-11ed-9660-001517439349

1

csq1.e2.luyouxia.net:24705:Rsetsr bqmysgmf

1

127.0.0.1:8000:Rscsso omyumyeq

1

127.0.0.1:8000:Rsgewq wsqscuqa

1

dlos1245.e2.luyouxia.net:21516:Rszhzn ppzrdglm

1

182.61.134.76:8000:Rsidcj jyuwqkyj

1

121.4.85.235:1499:Rsgkcs icmwmkam

1

w794754387.e2.luyouxia.net:29523:Rswsue csscaksq

1

43.230.169.58:8000:Rsvurb jfjqyucm

1

112.18.159.112:34567:Runtime Broker

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

180[.]97[.]221[.]120

2

43[.]230[.]169[.]58

2

123[.]99[.]198[.]201

1

121[.]4[.]85[.]235

1

182[.]61[.]134[.]76

1

124[.]248[.]66[.]214

1

112[.]18[.]159[.]112

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

lqwljs[.]cn

1

sjlwql[.]top

1

dlos1245[.]e2[.]luyouxia[.]net

1

w794754387[.]e2[.]luyouxia[.]net

1

csq1[.]e2[.]luyouxia[.]net

1

Files and or directories created

Occurrences

%ProgramFiles(x86)%\Terms.exe

1

%ProgramFiles(x86)%\Microsoft Qbeuxn

1

%ProgramFiles(x86)%\Microsoft Qbeuxn\Wywssvd.exe

1

%SystemRoot%\SysWOW64\Mawyace.exe

1

%ProgramFiles(x86)%\Ezsszfx.exe

1

%ProgramFiles(x86)%\Bjrvlbx.exe

1

%ProgramFiles(x86)%\RuntimeBroker.exe

1

File Hashes

1e31145e87fcaf55e61e38d4aa7f4dc71be19d35ff3f747a684e488805b07594
3ddcaa1008f22e9abddf2252d69ee1724a21a1d07005584ac42505539e5379a6
6d448045dbe5f11cca8ac423edb230c38279b201fbb512d5dc5f1207a93cbb17
7b61780a7a04cc483f25f790fbe210086748626a1de1988340cb35895f7df70e
7f399111c9b70c0de1b51525fec281e6eb6a39af6802a0abe626678af0d1ced3
87233e65e7b07831749fb294687632b8ef51b2f155d412024a561243288e08b6
a607a60d0d952d7d73649ce327646fe2de7f7cdaa2ca7785faa7851b9b8d100c
d6457c55dd9eba5fd8078e7bacf965c65232d713a1e037064f3617ad4d45844f
f6647a78d8bf05b80830dfd013a7876b4f9619c16433478a4fd2b69fbac9d0d9
fc7a21b32715e94357d9e7659b18d93b5401e63187e9952b50b45a23673abc99

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.TeslaCrypt-9985040-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples

Registry Keys

Occurrences

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
Value Name: EnableLinkedConnections

16

<HKCU>\SOFTWARE\XXXSYS

16

<HKCU>\SOFTWARE\XXXSYS
Value Name: ID

16

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>

16

<HKCU>\Software<random, matching '[A-Z0-9]{14,16}’>
Value Name: data

16

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: aingokyddfin

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xynflbfpqxfg

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xsrdyarnlxkb

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: nrosuypgjita

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: uqjergivpotl

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: cokwmnrosuyg

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xhcqdmqiixoc

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: fsglxsrdyang

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: bajwwakyuxyv

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: urbajwwakyuy

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xenfsxranlku

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xxynflbfqxsl

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: dcpegxxynflb

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: xxynflbfpqxe

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wwakyuxyvyly

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: wakyuxyvalcg

1

Mutexes

Occurrences

ityeofm9234-23423

16

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

85[.]128[.]188[.]138

16

162[.]241[.]224[.]203

16

34[.]98[.]99[.]30

16

154[.]219[.]146[.]245

16

23[.]221[.]227[.]165

10

23[.]221[.]227[.]169

6

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

biocarbon[.]com[.]ec

16

imagescroll[.]com

16

music[.]mbsaeger[.]com

16

stacon[.]eu

16

surrogacyandadoption[.]com

16

worldisonefamily[.]info

16

apps[.]identrust[.]com

16

Files and or directories created

Occurrences

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I08BO8F.xlsx

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I11KHR4.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I5QKHLN.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I62TWBD.ppt

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$I6FZORX.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IABMX83.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IAJ2Y6R.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IALGTCS.xlsx

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IGTBBSA.accdb

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IH49RPF.ppt

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IH71GGR.ppt

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IJKODPH.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IJP965K.accdb

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IKY5R3M.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IMYCSIT.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$ISLP722.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IXLC77A.pdf

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IXUL2U1.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IYSR1FU.ppt

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$IZ2GMJW.XLSX

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R08BO8F.xlsx

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R11KHR4.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R5QKHLN.doc

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R62TWBD.ppt

16

$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500$R6FZORX.doc

16

*See JSON for more IOCs

File Hashes

046979df42da0affa983d6c73be7ad19afacbb6a05a28855cd302a24624ebb97
10a0df06ed33b5ed2771a316abc7cc9a621c2097fa9a4522d9c0ac31c4953b70
2bce73c239a95080211fbfbc5b5268e1fecc81b3e5348ca391d00486dfe67d70
3113c2ac299a173a07ea6de7da87a2f2f29ed95e509b9dc6e7128ea9a8796266
31e2b0639ccb2499f79c4d45a037a1b6db52e4d0145605076d5a3b28fe564566
4559e437ee99d1f7cf2727597e030fade0c452c3ae0649e4669306372522db22
4f7473bb503c036c12d8e5850f3aaeb1c8abe9cab4dd8b16314f258999eaa5cf
6fd825e2bddea82cbc88fccbfdd50f425aa05047ffab0b511fb55c3f85ae88e4
8837ded9097e82948c53a4c875d66ff10271127e93702f89a8e4a9265625564d
91df821cfa7634ff2b6e08a73533885f3ed24c19aa61d3f5d5e346b97d1f1590
acbbd4b0c721c51bd9e510823659b521536ce43aad5eb324783c1c9e03e94974
cb998389d745287bc242eb23fe128d50bb42198b6e2cf7092e9576471cf25a38
d89d2f295b2a07e6bf0bf6c2a1b47c8221700746b781a5e537099c212da6b06b
d91e331d39b96788c6c7fb7ab3bf652d46f53be628331a7753ed1955e5f717be
e5db44290dea09182ee4383925805ee3bc901966cba16d7c05704b5a01eed95a
ee0ca0f158ba207090b00152ac85b17e4ba097335bcf9242ca8246e849bcf537

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Tofsee-9985077-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys

Occurrences

<HKU>.DEFAULT\CONTROL PANEL\BUSES

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config2

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config1

3

<HKU>.DEFAULT\CONTROL PANEL\BUSES
Value Name: Config0

3

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IJPLOJAV
Value Name: Description

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: ErrorControl

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: DisplayName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: WOW64

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: ObjectName

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\GHNJMHYT
Value Name: Description

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ijplojav

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS
Value Name: C:\Windows\SysWOW64\ghnjmhyt

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRXTWRID

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRXTWRID
Value Name: Type

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRXTWRID
Value Name: Start

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\QRXTWRID
Value Name: ErrorControl

1

Mutexes

Occurrences

Global<random guid>

8

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

31[.]13[.]65[.]52

3

176[.]113[.]115[.]136

3

80[.]66[.]75[.]4

3

176[.]113[.]115[.]154/31

3

176[.]113[.]115[.]158

3

176[.]113[.]115[.]239

3

176[.]113[.]115[.]135

3

94[.]100[.]180[.]90

2

31[.]13[.]65[.]174

2

77[.]88[.]21[.]125

2

212[.]42[.]75[.]240

2

52[.]223[.]241[.]7

2

40[.]93[.]207[.]0

2

142[.]250[.]176[.]196

2

142[.]251[.]35[.]163

2

20[.]53[.]203[.]50

2

141[.]8[.]193[.]185

2

23[.]3[.]13[.]35

1

66[.]254[.]114[.]41

1

40[.]97[.]188[.]2

1

200[.]147[.]36[.]76

1

104[.]47[.]18[.]97

1

104[.]23[.]141[.]25

1

104[.]23[.]139[.]25

1

104[.]23[.]143[.]25

1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

249[.]5[.]55[.]69[.]bl[.]spamcop[.]net

3

249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org

3

249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net

3

249[.]5[.]55[.]69[.]in-addr[.]arpa

3

249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org

3

249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org

3

i[.]instagram[.]com

3

microsoft-com[.]mail[.]protection[.]outlook[.]com

3

microsoft[.]com

3

www[.]google[.]com

3

svartalfheim[.]top

3

www[.]instagram[.]com

2

video-weaver[.]lax03[.]hls[.]ttvnw[.]net

2

www[.]google[.]nl

2

imap[.]mail[.]ru

2

imap[.]ukr[.]net

2

imap[.]yandex[.]ru

2

www[.]tiktok[.]com

1

www[.]ebay[.]co[.]uk

1

www[.]omegle[.]com

1

imap[.]aol[.]com

1

www[.]pornhub[.]com

1

outlook[.]office365[.]com

1

front1[.]omegle[.]com

1

ebay[.]com

1

*See JSON for more IOCs

Files and or directories created

Occurrences

%SystemRoot%\SysWOW64\config\systemprofile

3

%SystemRoot%\SysWOW64\config\systemprofile:.repos

3

%SystemRoot%\SysWOW64\ijplojav

1

%SystemRoot%\SysWOW64\ghnjmhyt

1

%SystemRoot%\SysWOW64\qrxtwrid

1

%TEMP%\dsgdwcyb.exe

1

%TEMP%\gnnrscmx.exe

1

%TEMP%\ysizcadm.exe

1

File Hashes

52d043fde53ca1f8206e8cccec0a6202608927cbe1ccc66c897ce7806e0bb8db
52f7941f779a31924cbdc50ea92481821281f9ed61e1751689e6d0d77a28b865
573c4a98edae30752a2a3153796707b149bd8fefe265509e6a4e95e64a00edde
6017f05c453161374cfd6f9729b6b2e12d5e22f34e64c854700aeba843e512b4
685db303322dd68e66a46447b37022cdc4d0000576cad05eef5234eb09dc9f31
712f57fd1ad51878132bf31a9c10845cfdd201268b5f29683f331daaa94064e0
8b945dac10d16c2f76a20b497a392f9782768d4ec233c38890c5b4e4d347b7e0
8c766a9efc8d743b072044be56b41a98eaa0750d17bd9940fd334423bf4163d5
942b61d7f36de871315070d6b89f8bee9d49f043fd115b710b202138209a51a7
9f7538929d41e712d2f0af226ca663c890b07301140d8569f071a43815dd39b4
a378313d3462b42b4bd6f81218d6ddcad3c58730042a09d6ea7d2724de6ad8f5
a8dab16a73c683ced6a88ba70b1b3fba1d06d5c214e3b8a534b69c49ceab3bac
b7371868a517e14b30fc12515aa5dfea39f3786ce1a14b0061815d462302eebe
c8ecbd53f00218c14ea066848502f5828f7f77cde4fcee3b66e9c72088ab1ca8
d4ded32b48c5896ea5c338e2f0fb6131ec4365d2aca874901f979ef1b34cff53
dd14921b8274f08aebcfe6d02359191fec130e13feffbde9b4cb88f9810bc10b
e6f650114bc7e368a97786dacf73d57f3c4b8766f895fe2a570781ec9e8f6f28
f68d76ebc0c51240fccaccd641c66f1e0059b5ccfeabff3737fc5e5bbab1ddb7

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Zeus-9985129-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 26 samples

Registry Keys

Occurrences

<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PRIVACY
Value Name: CleanCookies

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104
Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101
Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103
Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100
Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102
Value Name: CheckSetting

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: {AA56720F-EB83-D818-7B46-E026C6F642DC}

1

<HKCU>\SOFTWARE\MICROSOFT\ZOOZIN
Value Name: Yqameb

1

<HKCU>\SOFTWARE\MICROSOFT\ZOOZIN

1

Mutexes

Occurrences

Local{8D47BEAD-2721-FF09-7B46-E026C6F642DC}

1

Local{A847581D-C191-DA09-7B46-E026C6F642DC}

1

Local{DF676CEF-F563-AD29-7B46-E026C6F642DC}

1

GLOBAL{<random GUID>}

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

muzze[.]biz

1

Files and or directories created

Occurrences

%APPDATA%\Moe\fylavai.hig

1

%TEMP%\tmp264ba9dd.bat

1

%TEMP%\tmp4e248681.bat

1

%APPDATA%\Moe

1

%APPDATA%\Xeit

1

%APPDATA%\Xeit\ottyga.exe

1

File Hashes

024e7d89552b263467f912568ccd95181ac718f4a8e5012e5c6ec1aacf2f77e4
0483f996d51c910d04083acc2057c6889473e9dde561dc1f9b9535f738e594a1
0f6486fdaf98bb93a0557a3c44bb906d41b4c0e00c007bcad189914fae85be7c
16d63848bec52a9eaf184bdaa704674657c1a6b31cf50696b95cac7244fdc358
17877bc57bf371e332f3f59d46102319728261a80090791293be290056020b0e
1ac1fcff08cf6b2df798710c364bec4113d44c3447806dfc566191c0c5db7bb5
1c6cd22f8fdfc8219861db803349bce1cdeaa5cd880dae609e1a1667b5d022ad
1f4457b541ac0ad19951d39a1e260b1733210c68c7bc16932d0f3467f2e7c8b6
216e23b13eebcede1492f9414ef926bf49e825a42470bc265458debb103330ba
2426d26e4924f9514d674304627480a7cfb43e5e5ff1d1876321c188502374dc
2460deaefede5b79219cffdc473e5a9fc371d15b7797fa70d8449b4c4f9abe8d
274192458297e01466260a43ded24165efa899fe4448c73198f0de81766e2527
298f72fc3b9de5eb91ae3d6102526b832ae3365647d569877242d51e566f4029
347ccb8f6bb23038c9cd690cd5a4ce3ad79824ee65a1ce7477987fd106b5fd32
3654aaff7c3064cb607cac6d1211e7e64cafd5ceacfb0a416dbba719bdffc2cd
403122fe822bb9bc87aff93a2c93471a9360413d519781950d6871a8daeaf94d
4190f82a028deb2d0f399520e034a6f1ab5a78d14c4d1433be8ba4a6d2f70b41
4272e583ff2c4b9ce0e507cf339d14d750c05288b897557d0fd672c6f23fc8bf
427d2cfa6470def7183affabff2d26e582ee71dbb824e265261f01d86be2ac26
4a6538cbea79e455429465ced98f32a8736abe8a5a919d9f4f1446060a3f6c54
507cdd0ac8cfffd9815c86431289eac78ee92f1aa19825ee82d29e6650858dd5
5170ccdc6131e2f4341274bac186dddde935f77c0f3d3d6dc429171714f856ff
5308632516b9ae13e416fc7450750a8239a0d8a5aaa99e80af00ca5fb97d2386
6a432b1e261b3d366681b52fdec626a5673fd0fe8f3265898aabefc7be370581
6a5c370e1a6326d988f483defdae1214d6c3dae5126e0b2129f90eee59e21e4b
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.LokiBot-9985173-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 27 samples

Mutexes

Occurrences

3749282D282E1E80C56CAE5A

1

Global\f5549e21-9b80-11ed-9660-00151711fe83

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

sibiusmart[.]ro

1

Files and or directories created

Occurrences

%APPDATA%\D282E1

1

%APPDATA%\D282E1\1E80C5.lck

1

%APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5

1

File Hashes

0042a5fcd4c4e430c71d076dc5c95eac93069d77dfe821f412285bac7fa4597b
02f2e2f38004334f9c00f100f8eb03c80b85e25bf3fae085c1f2b1289d4cdce3
031c093a692f78038810f3249aacaf17b29b579432cabebe0344136c5812d1d4
04cebc586fb7609a622cb97edc1648efe1dd5109d8bfa8e6a5c65fd06e8a8c4a
05f2cbf468cbc1f49fa11344598a33343463c6a1b98e41a61e715b5a8e046d4a
09023da9a9c788b0b4f8fe97555f3f4487b37f29e64431c6dcfb269bfcdaeef3
0a34c917f81a02e080f92d9c5a4fe2c134da87861ea9e8cf54a99e027aa02583
0b8922eb675b84835d295358355ed825b98ba56f6ad2fb5a246a39dc2422a74a
19291bfe2f477f9a462f7bfec2a1a29ba596b8693b0f3130eb1fd2c532312b54
1c5e0c66477b508177bd9da97721bb97607f65374dedfddc711057aecc15aed5
1e1fb567710358f2f81e72642528581e08807786da92014303979f5fdd7149bc
1f93e1ad55e298fdade05c00dd0220ca9d3b26ab8044310388357ab0b900cefa
20da9b41f6f1c34732f193eb011f1b9bd25c29289fb687bfcfd14f74d14d6689
289a9718bf44f945cd95db839964ab225e347ac7490a5c89c8aa0a93f6474895
2b271dd0350ebce6ddd239803988c3f9a64aeee314cd032eb1d9d1ebfe26a8d2
2b2c302f12a0cf798e3621efe73064f0e938643956c07668fd8b54451b9acaec
367b0bcfe9894c93d7c2f9993a8ecbea7b0c16d6992752afd97e8a749a3f80af
38e9b92df247ef59650d723e0b04edeec9e7bc6983176edaa8c87cec9facbed5
396d98aeca3665a187a2b31fb0b7e026181a4f4c11876fa62a5723caa2016af5
3ea57948ea5e4758ef408714b2ae55c1d214f605f8f2b776f0518a681cf7529e
3f32dd4bdc512625ffbd05bb51c49bbb5500d63bb68a89826c1f2744601bc38c
3fb4c8d385d957154279efc406c309134ec41bfe1e0a6c536be9c20ffd2850b6
42a65e0d026b317b0ebe217180e5391e77c7d10f4938ac14a5884ff684816679
42b634f4a218d5093a94881b1548667722f87fa38d915a97fe126996ddf3c4ca
46760a3057ab75e01adda1a49b4a156282a4ab596db0053bb59b5f1be57650f5
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

N/A

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Nanocore-9985222-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 18 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList

12

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @explorer.exe,-7001

4

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: UpDaTe

3

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: AGP Manager

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: NXLun

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: DnDcR

1

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000

1

Mutexes

Occurrences

aBdraOSHWQtfP

1

ImvdLkQNiWmhZ

1

FOdhZrTOEIj

1

Global{cb7cb109-a06b-4fd7-8d0e-5290e77da5a5}

1

RxDIBEIVVrpgGcjw

1

obbAitLYlcWHDjd

1

ZhStsilCCDoWCSTjZzsnSDITc

1

LCEGTrpYB

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

149[.]154[.]167[.]220

3

173[.]231[.]16[.]76

2

84[.]200[.]69[.]80

1

91[.]235[.]128[.]141

1

104[.]237[.]62[.]211

1

129[.]205[.]113[.]151

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

api[.]ipify[.]org

3

api[.]telegram[.]org

3

cp5ua[.]hyperhost[.]ua

1

nonoise[.]duckdns[.]org

1

Files and or directories created

Occurrences

%System32%\Tasks\Updates

5

%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp

5

%TEMP%\UpDaTe

3

%TEMP%\UpDaTe\UpDaTe.exe

3

%System32%\drivers\etc\hosts

1

%ProgramFiles(x86)%\AGP Manager

1

%ProgramFiles(x86)%\AGP Manager\agpmgr.exe

1

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5

1

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs

1

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\Logs\Administrator

1

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\run.dat

1

%APPDATA%\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\task.dat

1

%System32%\Tasks\AGP Manager

1

%System32%\Tasks\AGP Manager Task

1

%APPDATA%\NXLun

1

%APPDATA%\NXLun\NXLun.exe

1

%APPDATA%\DnDcR

1

%APPDATA%\DnDcR\DnDcR.exe

1

%APPDATA%\THGNjTonqYzAQ.exe

1

%System32%\Tasks\Updates\THGNjTonqYzAQ

1

%APPDATA%\lisuoa2h.jv3

1

%APPDATA%\lisuoa2h.jv3\Firefox

1

%APPDATA%\lisuoa2h.jv3\Firefox\Profiles

1

%APPDATA%\lisuoa2h.jv3\Firefox\Profiles\1lcuq8ab.default

1

%APPDATA%\lisuoa2h.jv3\Firefox\Profiles\1lcuq8ab.default\cookies.sqlite

1

*See JSON for more IOCs

File Hashes

0829ed65c94d0ad265f99961d35fe56915c7b506671ae27a4ff6cae75e49cc66
1273b8a3054090fdf04f696dd22f284639ccb57afe9aa0a657d6fdb8fbdd3bd1
148a552de9c74376c409b18f2731c4dba0131c520c04a0cccb0af3364469bb73
2563e0db2599ab4c5d01fa046bc0706572b17a532ce52754f2977a735d8fbf01
371f8375dde28de80b098d9e808df9de07a5d8f0ab13d086325984d73a9cd5ed
3b704635a48f9ff94d44f0019e874ed71ddbc220bc3ce9f3cd7df38df120642a
53d55a9c88eb76405269ee02a4c4818214be23b6793b348d817ebc764506e5af
5fc15dd06f8ba66498c9865d6e82e6ff79c1f75284c5416ecb67baa8a604fa97
70d209addc0fea8ad36babd76a4b11f247dc11c9d8c1b48fffaf4b0e38efe886
7b9a9c4a56b756b499574a593ce6c5632f8a513abc4fd9a61844f211ffc672c8
90ab59d30c731411c996564775e58c6769535fd39e7ff51c48b690767c10f9e9
b388b8fefb3086f17b010cb86fd23957822e9d913b8d99d5ed786c7969fbaf78
ba846910ae2ae36a36f62eeaac3d693228dbe07d32484d23795414d5ac5908ff
c8d7e38a611b60fe03397645b2ae0b3bc2aaa9604c68c81f0baf6565b813fb35
cbf8d74421e9309ac79fd0556ef85c3b16e2bcf03fa196a5947eb3d0815cb1e6
cf0f97b4319ac18159cf02f905f91d07d4fe70722aefef70e32abe1b1fab9e7e
f7775262c09407cd3a8012620dd858aee083d645346d5419a4e16cff96eac373
fe8dfa5a692cbfdcc238b360d8e7e2f07b673d7d7645d9d2a2eabd245213457c

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Ransomware.Cerber-9985289-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 28 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList

28

Mutexes

Occurrences

shell.{381828AA-8B28-3374-1B67-35680555C5EF}

28

Global\C::Users:Administrator:AppData:Local:Microsoft:Windows:Explorer:thumbcache_idx.db!16613a8

28

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

178[.]128[.]255[.]179

28

91[.]117[.]40[.]0/27

28

91[.]119[.]40[.]0/27

28

91[.]121[.]40[.]0/22

28

172[.]66[.]42[.]238

14

172[.]66[.]41[.]18

14

104[.]20[.]20[.]251

12

172[.]67[.]2[.]88

9

104[.]20[.]21[.]251

7

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

api[.]blockcypher[.]com

28

bitaps[.]com

28

chain[.]so

28

btc[.]blockr[.]io

28

Files and or directories created

Occurrences

%TEMP%\d19ab989

28

%TEMP%\d19ab989\4710.tmp

28

%TEMP%\d19ab989\a35f.tmp

28

%LOCALAPPDATA%\Microsoft\Office\Groove1\System\CSMIPC.dat

28

%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.tmp

28

%TEMP%\tmp<random, matching [A-F0-9]{1,4}>.bmp

28

<dir>_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}’>_.hta

28

<dir>_HELP_HELP_HELP_<random, matching '[A-F0-9]{4,8}’>_.png

28

File Hashes

04eb026fd69ee85a204deb1ab3d894fc95d543ff94667bc1f9baf05b77e1aa0c
11dd9314fe25aa3eb43b042abf8b81b9e50fcfd79528b81288e3f98961789db6
168ef2a56df0859de10120b164c6696d5affbf606fa9d6e79d78f6065d3edc03
1e0b0bfbc83d700f9583f730244b02b26b12ba1db5c50edbe3489418acc837de
202e5716d57ea7202f2231153c600fcf7f96017f82b70a11d6f15cb637a28779
258d29d87887f9e9303c0c23f466c6807c89f41ba19bc29d99d688971eb59c22
2e8e2e885a25bb09aa90943880e7d81b9addfc0013d76c205cc5f615028f1839
2f2f6a0ef0de62b9c305b24260b9208064130ea88d47a955f922a20f2be02ac0
31dc34001eb08664526ad2389b4b0cdf28214c595eba05bf0f84bf16fa6b119b
341d486619e7e2f91de5be87f1bca56ab58c3edebcdc35a949ea306cc4f2c91b
377df2eb0bffe8d47667a343f80f0dff71a47227369f8a63a5336736fca1718d
3d3382e61f289dd249b6817a694dc2c5ddfcdce7dafad7d1f3074e04bfa9442d
4843ee4070f7d7a3c6e06e2e1ba26014c1d1b54ba1ca6eed552ddbb7ffa76d7b
4e38a707a26fda9ba556cc17b79cb01121a51e6692809c18afe36e491b39174d
4f6e0e822cfb6ffa0cca7c80bd33a8184912e6621aa28459e06f70929d9d36d9
562f05f30ffb78866d0077785cfb36d11200f44dbf4abd68b4c43b016a136f8d
57631559806e8a977e616b9c00fbe3ff2a957d5c65bbd4bbd5fcd53a63489949
588c4714537fe5243b82572b8b98d2cc83cb99a18d188eaf883791e5125786da
5a21751f48b27dff8488521a6113a4e102164ad68f1d6ac43f90b8ad7a0ebc8d
693969c204a6b9714af4128612abeb08e36fbfc03bbef71accd253b0895b45b5
793c06d0016e679f27a26643ff229dc942588838874fa4605961c74d10c34a49
7e319635b05f872bcde07b37a87c45ac59a19cc403062b0a7a18125f6aa07d02
7f73061dda346d0528d01f811e508b5fc47076df69503576032053166340d2af
80654347845e9392f5039a94342f7b28c345c1ae6766939d7bda21360bf605bd
8444fb5e16ca451dad9a315610b43a604ded969009404bf88110f9a840cbd96b
*See JSON for more IOCs

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

N/A

WSA

N/A

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

MITRE ATT&CK

Win.Dropper.Bifrost-9985293-0****Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples

Registry Keys

Occurrences

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: LanguageList

4

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKLM

3

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: HKCU

3

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN

3

<HKCU>\SOFTWARE((MUTEX))

2

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}

2

<HKCR>\LOCAL SETTINGS\MUICACHE\82\52C64B7E
Value Name: @C:\Windows\system32\DeviceCenter.dll,-2000

2

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
Value Name: 36412

2

<HKCU>\SOFTWARE((MUTEX))
Value Name: ServerStarted

2

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{5460C4DF-B266-909E-CB58-E32B79832EB2}
Value Name: StubPath

2

<HKCU>\SOFTWARE((MUTEX))
Value Name: InstalledServer

2

<HKCU>\SOFTWARE\DC3_FEXEC

1

<HKCU>\SOFTWARE\CYBER
Value Name: NewIdentification

1

<HKCU>\SOFTWARE\CYBER
Value Name: NewGroup

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: EnableFirewall

1

<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE
Value Name: DisableNotifications

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
Value Name: MicroUpdate

1

<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON
Value Name: UserInit

1

<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN

1

<HKCU>\SOFTWARE\CYBER

1

<HKCU>\SOFTWARE\CJSXZ

1

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{05ACO487-3Q28-LSLC-XN56-108QEJS54A88}

1

<HKCU>\SOFTWARE\CJSXZ
Value Name: ServerStarted

1

<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS{05ACO487-3Q28-LSLC-XN56-108QEJS54A88}
Value Name: StubPath

1

<HKCU>\SOFTWARE\CJSXZ
Value Name: InstalledServer

1

Mutexes

Occurrences

UFR3

6

XTREMEUPDATE

3

((Mutex))

2

((Mutex))PERSIST

2

((Mutex))EXIT

2

2562100796

2

lol

2

CWSPROT20S

2

Administrator1

1

Administrator4

1

Administrator5

1

DCPERSFWBP

1

Bif123

1

CJSXz

1

DC_MUTEX-3MWQJGB

1

FR725I0U8LRK05

1

FR725I0U8LRK05_PERSIST

1

FR725I0U8LRK05_SAIR

1

IP Addresses contacted by malware. Does not indicate maliciousness

Occurrences

20[.]72[.]235[.]82

2

146[.]185[.]235[.]245

2

52[.]8[.]126[.]80

1

217[.]69[.]139[.]160

1

208[.]91[.]196[.]46

1

104[.]96[.]229[.]149

1

199[.]191[.]50[.]166

1

31[.]170[.]164[.]19

1

Domain Names contacted by malware. Does not indicate maliciousness

Occurrences

5noseqwa[.]no-ip[.]info

2

ftp[.]vlakkeeetert[.]hol[.]es

2

f4n6[.]hut4[.]ru

2

smtp[.]mail[.]ru

1

www[.]server[.]com

1

ati2evxx[.]sytes[.]net

1

x1[.]i[.]lencr[.]org

1

kiwa[.]no-ip[.]org

1

lolzor2h[.]zapto[.]org

1

jalagui[.]no-ip[.]org

1

www[.]webserver[.]com

1

exploreinquiry[.]com

1

Files and or directories created

Occurrences

\TEMP\ufr_reports

5

%TEMP%\tmp.ini

3

%APPDATA%\Microsoft\Windows((Mutex)).cfg

2

%APPDATA%\Microsoft\Windows((Mutex)).dat

2

%ProgramData%\Local Settings

2

%ProgramData%\Local Settings\Temp

2

%APPDATA%\dclogs

1

%SystemRoot%\InstallDir

1

%SystemRoot%\InstallDir\Server.exe

1

%TEMP%\Administrator7

1

%TEMP%\Administrator8

1

%TEMP%\Administrator2.txt

1

%TEMP%\x.html

1

\directory

1

\directory\CyberGate

1

%APPDATA%\addon.dat

1

%APPDATA%\Administratorlog.dat

1

%HOMEPATH%\Documents\MSDCSC

1

%HOMEPATH%\Documents\MSDCSC\msdcsc.exe

1

\TEMP\ufr_reports\NO_PWDS_report_25-01-2023_02-45-25-726A6BBD-JDGK.bin

1

\TEMP\ufr_reports\NO_PWDS_report_25-01-2023_02-43-24-726A6BBD-AIAB.bin

1

%ProgramData%\Local Settings\Temp\mswxle.bat

1

%ProgramData%\Local Settings\Temp\mswqmnvv.exe

1

%TEMP%\report_25-01-2023_02-44-14-726A6BBD-FDGN.bin

1

%TEMP%\isendsms_setup.exe

1

*See JSON for more IOCs

File Hashes

0309e6c7cd2a73721e6956af2ec340c948bc5009450f76c9337ded167e60cfbd
26dfd674facde0f957bb4ed81e7cea4dae37114ced4d59c491d86bfc667d5dc4
32ac27ab6cd0654430449b0624a744169e2d0cc6769192fd79599e1ab6717632
3596f41561adf0d6eeb205b7414e17993f20da0590a28d2a4c94d984fd327fa8
49704324bbf8ffde957586c01cc85d45a970458d2697fe34f381d7cb82d7f88d
4c1986ea7e1ecea980fad59a62ddbf472bc2d7344c923332fd48f41dc6fbbe48
52fe24425eb3e6248e59fd959ce1956e09d1cbb65809f63706f0f9170ea0eb48
5c86c8c3bad2edd4174675a5dbab131d9b84ca5e5325431d2fa91d1c22292afa
6946be08c392001c142ad89213ff0860f3f3eac188b30c877e10783d435334ba
73d73c1a9f1e4494f550597a9d2438a79ebd900914c8b0851164aea5f1cb688e
7d2f5afc77e09d02b604cbdbfb5b33941914296966306761478609a23cd3a14e
975d3f301392e173335b801f6a12e3a7556ba00c2984a968ca033a44e69610c3
a6ab70d56a50d8446028ec0fef89bbde4e4a5784fd8a471b50392c0230d88fb0
b1da9aaa33886f2d103540ffd831f46d5f97280eca05f8013e277579cfd0051a
c1504e3f1b761540498a0fde42e462c0b20676502981ce84aa41049550159aab
c2014131fcee489c7e1c4a943237bd89dfeb5ba2ab1216ff89cfb202b00e2671
ca566fce1a39c24dd34479446524eac96d5e43634134e9e7616d2a18d5fba5ca
df05799c88e4cb5cbc2661b83e286d3247fa682dae330e6932c52a1d661935cb
eaf65d454e9ba165ada208f4482a760f0cdf23b15aa94022aa9617bf03609f2f
f5e2cf6885a62fad9a6488a8487e0490e5892bfac0dddeff515ba97b2b86d2cd

Coverage

Product

Protection

Secure Endpoint

Cloudlock

N/A

CWS

Email Security

Network Security

Stealthwatch

N/A

Stealthwatch Cloud

N/A

Secure Malware Analytics

Umbrella

WSA

Screenshots of Detection****Secure Endpoint

Secure Malware Analytics

Umbrella

MITRE ATT&CK

TALOS: Latest News

New PXA Stealer targets government and education sectors for sensitive information