Most prevalent threats between December 7 and 14

Cisco's intelligence group, Talos, provides us each week with information on the threats that have been most prevalent. During the period between December 7 and 14, these malware families took over the week!

While this list is not intended to be an in-depth analysis, it summarizes the threats observed by highlighting their key behaviors through indicators of compromise (IoCs).

Bear in mind that threat hunting, or "hunting for vulnerabilities", is a complex process that has to weigh several factors together. In that light, the IoCs presented below must be weighed in the context in which they appear. Finding just one of the indicators of compromise listed does not confirm the presence of the threat, but it is grounds to keep investigating. Last week's most common threats and their indicators of compromise follow:


Doc.Malware.Dkvn-6781497-0

Malware
This is a Trojan that drops a malicious executable and runs PowerShell commands. It can be used as a downloader or dropper for Emotet.

Indicators of Compromise

Registry keys:

  • <HKLM>\SOFTWARE\MICROSOFT\WINDOWSNT\CURRENTVERSION\PRINT\PRINTERS\Canon PIXMA MG2520\PrinterDriverData

Mutexes:

  • Local\10MU_ACB10_S-1-5-5-0-57527
  • Local\10MU_ACBPIDS_S-1-5-5-0-57527
  • Local\WinSpl64To32Mutex_e162_0_3000

IP addresses contacted by the malware

  • 45[.]40[.]183[.]1
  • 66[.]198[.]240[.]4
  • 103[.]18[.]109[.]178
  • 192[.]169[.]140[.]162
  • 209[.]151[.]241[.]184

Domain names contacted by the malware

  • enthos[.]net
  • shofar[.]com
  • shawktech[.]com
  • thecreativeshop[.]com[.]au
  • burlingtonadvertising[.]com

Files or directories created

  • %UserProfile%\Documents\20181212
  • %LocalAppData%\Temp\109.exe
  • %SystemDrive%\~$6889120.doc
  • %LocalAppData%\Temp\2vuqj0ws.zbs.ps1
  • %LocalAppData%\Temp\4ezh4c4j.esn.psm1
  • %LocalAppData%\Temp\CVR95F8.tmp
  • %LocalAppData%\Temp\~DF78CDE2D9B1588659.TMP

Hashes


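The advice above on weighing IoCs in context, worked through on the Dkvn indicators just listed. This is an added example, not Talos code or tooling: the host telemetry is constructed sample data, and the rule of requiring hits in at least two indicator categories before flagging a host is an assumption chosen to illustrate the point.

```python
"""Correlate host telemetry against a defanged IoC set.

Added example, not Talos code. The indicators are taken from the
Doc.Malware.Dkvn-6781497-0 entry above; the host observations are
constructed sample data. Requiring hits in at least two indicator
categories before flagging a host is an assumption made here to put
the text's advice into code: one IoC is a lead, not a confirmation.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Indicators exactly as published, including the "[.]" defanging.
DKVN_IOCS: Dict[str, List[str]] = {
    "registry": [r"<HKLM>\SOFTWARE\MICROSOFT\WINDOWSNT\CURRENTVERSION\PRINT"
                 r"\PRINTERS\Canon PIXMA MG2520\PrinterDriverData"],
    "mutex": [r"Local\10MU_ACB10_S-1-5-5-0-57527",
              r"Local\WinSpl64To32Mutex_e162_0_3000"],
    "ip": ["45[.]40[.]183[.]1", "66[.]198[.]240[.]4"],
    "domain": ["enthos[.]net", "shofar[.]com"],
    "file": [r"%LocalAppData%\Temp\109.exe",
             r"%LocalAppData%\Temp\2vuqj0ws.zbs.ps1"],
}

# Constructed telemetry: (category, observed value) pairs from two hosts.
HOST_A = [
    # Single hit; this mutex is listed under two families on this page.
    ("mutex", r"Local\WinSpl64To32Mutex_e162_0_3000"),
    ("domain", "update.example.invalid"),
]
HOST_B = [
    ("mutex", r"Local\WinSpl64To32Mutex_e162_0_3000"),
    ("domain", "SHOFAR.COM"),                              # case differs
    ("file", r"C:\Users\ana\AppData\Local\Temp\109.exe"),  # expanded path
    ("ip", "45.40.183.1"),                                 # already refanged
]


def refang(indicator: str) -> str:
    """Undo publication-safe defanging: '45[.]40[.]183[.]1' -> '45.40.183.1'."""
    return indicator.replace("[.]", ".")


def normalize(category: str, value: str) -> str:
    """Bring a published IoC and a live observation to a comparable form."""
    v = refang(value).strip()
    if category == "file":
        # %LocalAppData% expands differently on every host, so match on
        # the file name only (noisy on its own, hence the category rule).
        v = v.replace("/", "\\").rsplit("\\", 1)[-1]
    return v.lower()


def build_index(iocs: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    return {cat: {normalize(cat, v) for v in vals} for cat, vals in iocs.items()}


def correlate(observations: Iterable[Tuple[str, str]],
              iocs: Dict[str, List[str]],
              min_categories: int = 2) -> Tuple[str, Dict[str, List[str]]]:
    """Return (verdict, hits). Verdict is 'clean', 'lead' (fewer than
    min_categories matched) or 'investigate' (min_categories or more)."""
    index = build_index(iocs)
    hits: Dict[str, List[str]] = {}
    for category, value in observations:
        if category in index and normalize(category, value) in index[category]:
            hits.setdefault(category, []).append(value)
    if len(hits) >= min_categories:
        return "investigate", hits
    return ("lead" if hits else "clean"), hits


if __name__ == "__main__":
    for name, obs in (("host A", HOST_A), ("host B", HOST_B)):
        verdict, hits = correlate(obs, DKVN_IOCS)
        print(f"{name}: {verdict} {sorted(hits)}")
```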
Txt.Malware.Nemucod-6780827-0

Malware
Nemucod is a Trojan that runs ransomware on a victim's computer.

Indicators of Compromise

IP addresses contacted by the malware

  • 144[.]217[.]147[.]190
  • 201[.]187[.]101[.]156
  • 185[.]104[.]28[.]132

Domain names contacted by the malware


Files or directories created

  • \ROUTER
  • \DAV RPC SERVICE
  • \Device\Null
  • \Win32Pipes.00000370.00000001
  • \Win32Pipes.00000370.00000002

Hashes


Win.Virus.Parite-6780568-0

Virus
Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.

Indicators of Compromise

Mutexes

  • InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C
  • \BaseNamedObjects\InstallLauncher_4541454E-9FFA-4246-835D-3F49EFA91F6C

Files or directories created

  • %LocalAppData%\Temp\ejp5C31.tmp

Hashes


Xls.Downloader.Jums-6779285-0

Downloader
Jums is a downloader Trojan that spawns PowerShell and creates and runs a malicious executable. It collects a large amount of system information and contacts a remote server after installation.

Indicators of Compromise

Mutexes

  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • Local\ZonesCacheCounterMutex
  • KYIMEShareCachedData.MutexObject.Administrator
  • KYTransactionServer.MutexObject.Administrator

IP addresses contacted by the malware

  • 192[.]185[.]16[.]22
  • 192[.]254[.]237[.]11

Domain names contacted by the malware

  • www[.]aaaplating[.]com
  • weighcase[.]co[.]uk

Files or directories created

  • %LocalAppData%\Temp\VBE\MSForms.exd
  • %AppData%\Microsoft\Excel\XLSTART
  • %UserProfile%\Documents\20181119
  • %TEMP%\tmp907.bat
  • %LocalAppData%\Temp\tmp016.exe
  • %LocalAppData%\Temp\CVR4F0E.tmp
  • %LocalAppData%\Temp\twaibr0n.00s.ps1

Hashes


Win.Virus.Sality-6780277-0

Virus
Sality is a file-infecting virus that establishes a peer-to-peer botnet. Although it has been prevalent for more than a decade, we continue to see new samples that require marginal attention to keep detection consistent. Once a Sality client gets past perimeter security, its goal is to run a downloader component capable of executing additional malware.

Indicators of Compromise

Mutexes


Files or directories created


Hashes


Doc.Malware.Powload-6775735-0

Malware
Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing the Emotet malware.

Indicators of Compromise

Mutexes


IP addresses contacted by the malware

  • 199[.]188[.]200[.]110
  • 185[.]72[.]59[.]32
  • 185[.]87[.]51[.]118
  • 185[.]2[.]4[.]116
  • 177[.]185[.]194[.]161

Domain names contacted by the malware

  • www[.]w3[.]org
  • tecleweb[.]com[.]br
  • chiporestaurante[.]com
  • www[.]onecubeideas[.]com
  • onecubeideas[.]com
  • dc[.]amegt[.]com
  • fortools[.]ru

Files or directories created


Hashes


PUA.Win.Trojan.Hupigon-6776762-0

Trojan
Hupigon is a Trojan that installs itself as a backdoor on a victim's machine.

Indicators of Compromise

Mutexes

  • Local\MSCTF.Asm.MutexDefault1
  • \BaseNamedObjects\ISPWizard Mutex
  • ISPWizard Mutex

Files or directories created

  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
  • %WinDir%\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tmpsetup.exe
  • %System32%\rnaph.dll
  • %LocalAppData%\Temp\tmpsetup.exe

File Hashes
