Cisco's threat intelligence group, Talos, periodically analyses the most prevalent malware of the week, and during the past week strong adware activity was observed. Below are the threats active during the week of February 1 to 8 and their Indicators of Compromise.
Once again we present the list of the most prevalent malware of the past week and its Indicators of Compromise (IoCs), based on the analysis that Talos, Cisco's threat intelligence group, carries out every week. As in previous instalments, this is not meant to be an in-depth analysis but a summary of the threats observed between February 1 and 8.
As a reminder, the information we present each week is not exhaustive. We also remind you that the threat hunting process involves more than searching for Indicators of Compromise: detecting one of the IoCs presented in this instalment does not necessarily mean a host is infected.
Without further introduction, the most active malware during the week of February 1 to 8 was:
SoftPulse
PUA.Win.Adware.Softpulse-6848587-0
SoftPulse is adware that installs malicious software, uses anti-virtual-machine techniques and can access potentially sensitive information from the local browsers.
Indicators of compromise
Registry keys
<HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
Value Name: PnpInstanceID
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
Domain names contacted by the malware
6nu2bfmath[.]mrzp97cmg3[.]com
Files or directories created
%LocalAppData%\Temp\~DF38A714DABA77BAE2.TMP
Hashes
Doc.Downloader.Emotet-6846065-0
Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered through Microsoft Office documents with macros, sent as attachments in malicious emails.
Indicators of compromise
Registry keys
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyOverride
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: AutoConfigURL
<HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Mutexes
Global\I98B68E3C
Global\M98B68E3C
Global\552FFA80-3393-423d-8671-7BA046BB5906
PEMD4
PEM19C
PEM4F0
PEM240
IP addresses contacted by the malware
177[.]11[.]50[.]52
195[.]201[.]46[.]139
216[.]119[.]181[.]170
71[.]78[.]24[.]146
217[.]78[.]5[.]120
Domain names contacted by the malware
estacaogourmetrs[.]com[.]br
www[.]intelhost[.]com[.]br
restauranthub[.]co[.]uk
docksey[.]com
Files or directories created
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp
%SystemDrive%\TEMP\~$LE1922193.doc
%LocalAppData%\Temp\CVR3B09.tmp
%LocalAppData%\Temp\~DF0EC263132EE87D9F.TMP
%LocalAppData%\Temp\~DF93E860FA48DCAA9A.TMP
%LocalAppData%\Temp\~DFCEAA78F57CC3DA47.TMP
%LocalAppData%\Temp\~DFDE0E179FA1A94A5D.TMP
%AppData%\Microsoft\Office\Recent\FILE1922193.LNK
%LocalAppData%\Temp\p24is3bq.j0q.ps1
%LocalAppData%\Temp\zjkgwiwg.sq0.psm1
%UserProfile%\Documents\20190204
%UserProfile%\Documents\20190204\PowerShell_transcript.PC.0Py_SQrs.20190204204359.txt
%WinDir%\temp\putty.exe
%AppData%\Microsoft\Office\Recent\366814370.doc.LNK
%TEMP%orary Internet Files\Content.Word\~WRS{E2A82E27-8296-44EC-B019-FE52D18D73F1}.tmp
%SystemDrive%\~$6814370.doc
Hashes
PUA.Win.Adware.Razy-6847375-0
Razy is often a generic detection name for a Windows trojan. This week's specific group of samples contains encrypted code in the resource section that could be injected into a legitimate process, and it behaves as adware.
Indicators of compromise
Mutexes
Local\MSCTF.Asm.MutexDefault1
Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
Files or directories created
%System32%\drivers\etc\hosts
%LocalAppData%\Temp\is-51KNV.tmp
%LocalAppData%\Temp\is-51KNV.tmp\09131ddb2cac0b4d4483b4bbbc76a26f244ab5a884350f733e1f60fc684da039.tmp
%LocalAppData%\Temp\is-9EHP6.tmp\_isetup\_isdecmp.dll
%LocalAppData%\Temp\is-9EHP6.tmp\_isetup\_setup64.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-CA60C.tmp\367042276.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\Asian.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\Asian.exe.config
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\FallOffLone.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\FallOffLone.exe.config
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\_isetup\_isdecmp.dll
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-0J9ED.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-D4UQV.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-ECQFB.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-T0KA5.tmp
%ProgramFiles%\Luckey\213384307.exe
%ProgramFiles%\Luckey\213384307.exe.config
Hashes
PUA.Win.Trojan.00519ead-6847245-0
PUA.Win.Trojan.00519ead is the name given to a set of malicious advertising program samples that may use the AppInit DLL technique to achieve persistence and that perform several DNS queries. It behaves as a trojan.
Indicators of compromise
Registry keys
<HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: LoadAppInit_DLLs
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
Value Name: RequireSignedAppInit_DLLs
Mutexes
{5312EE61-79E3-4A24-BFE1-132B85B23C3A}
{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
IsoScope_10c_IESQMMUTEX_0_274
IsoScope_10c_IESQMMUTEX_0_519
IsoScope_10c_IESQMMUTEX_0_303
IsoScope_10c_IESQMMUTEX_0_331
IP addresses contacted by the malware
Domain names contacted by the malware
Files or directories created
%LocalAppData%\Microsoft\Internet Explorer\imagestore\aowwxkh\imagestore.dat
%LocalAppData%\Temp\A1D26E2
%LocalAppData%\Temp\update.exe
%LocalAppData%\Temp\~DF32A074D75E28FF74.TMP
%ProgramFiles% (x86)\Internet Explorer\IEShims.dll.tmp
%ProgramFiles% (x86)\Internet Explorer\ieproxy.dll.tmp
%ProgramFiles% (x86)\Java\jre7\bin\ssv.dll.tmp
%LocalAppData%\Temp\~DF832EC54C42A76DA7.TMP
%AppData%\Microsoft\Windows\Cookies\2XVNLMCY.txt
%LocalAppData%\Temp\is-0UA26.tmp\idp.dll.tmp
%LocalAppData%\Temp\is-B01CK.tmp
%LocalAppData%\Temp\is-B01CK.tmp\c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5.tmp
%LocalAppData%\Temp\A1D26E2\116E56C6A8.tmp
%LocalAppData%\Temp\is-0UA26.tmp\_isetup\_setup64.tmp
%LocalAppData%\Temp\is-0UA26.tmp\idp.dll
%LocalAppData%\Temp\is-0UA26.tmp\itdownload.dll
%LocalAppData%\Temp\is-0UA26.tmp\psvince.dll
%LocalAppData%\Temp\~DF12E5A698F292B5F8.TMP
%AppData%\Microsoft\Windows\Cookies\YO092G24.txt
Hashes
.Win.Adware.Sanctionedmedia-6818436-0
This cluster includes .NET adware samples capable of injecting code, opening a port to listen for incoming connections, disabling System Restore, modifying files inside system directories, contacting blacklisted domains, modifying the registry and, in some cases, even copying themselves to USB drives.
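As an added defender-side example (not from this post or from Talos), the following detection logic runs over constructed Sysmon-style registry events and flags the two AppInit values listed for PUA.Win.Trojan.00519ead, plus a Debugger value set under the Image File Execution Options keys listed for this cluster. The flat record format, the sample events and the Debugger value name are assumptions made for the example.

```python
import re

# Constructed records in the shape of Sysmon Event ID 13 (registry value set),
# flattened to "field=value" pairs; the flat format is an assumption.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\u\AppData\Local\Temp\update.exe|TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs|Details=DWORD (0x00000001)",
    r"EventID=13|Image=C:\Users\u\AppData\Local\Temp\update.exe|TargetObject=HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\RequireSignedAppInit_DLLs|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\366832936.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger|Details=svchost.exe",
    r"EventID=13|Image=C:\Windows\regedit.exe|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000002)",
]

# Process names the Sanctionedmedia IoCs show IFEO keys created for: AV and
# anti-malware tools plus rstrui.exe, the System Restore UI.
WATCHED_IFEO_TARGETS = {"rstrui.exe", "avastui.exe", "mbam.exe", "avp.exe",
                        "mpcmdrun.exe", "msseces.exe", "wireshark.exe"}

APPINIT_RE = re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
                        r"(LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$", re.I)
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)

def parse_event(line):
    """Split one flattened record into a dict of field -> value."""
    return dict(field.split("=", 1) for field in line.split("|"))

def dword(details):
    """Integer value of a Sysmon-formatted DWORD string, or None."""
    m = re.match(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None

def check_event(ev):
    """Return a finding for one registry-set event, or None if benign."""
    if ev.get("EventID") != "13":
        return None
    target, details, image = ev["TargetObject"], ev.get("Details", ""), ev.get("Image", "?")
    m = APPINIT_RE.search(target)
    if m:
        name = m.group(1).lower()
        if name == "loadappinit_dlls" and dword(details) == 1:
            return f"AppInit DLL loading enabled by {image}"
        if name == "requiresignedappinit_dlls" and dword(details) == 0:
            return f"Unsigned AppInit DLLs allowed by {image}"
    m = IFEO_RE.search(target)
    if m and m.group(1).lower() in WATCHED_IFEO_TARGETS:
        return f"IFEO Debugger hijack of {m.group(1)} -> {details!r} by {image}"
    return None

def analyze(lines):
    """Run every record through check_event and keep the findings."""
    return [f for f in (check_event(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Real Sysmon events arrive as EVTX/XML rather than this flat form, so only parse_event needs replacing to run the same rules on live telemetry.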
Indicators of compromise
Registry keys
<HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appsvc.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe
<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe
<HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
<HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
<HKU>\Software\Microsoft\Windows\CurrentVersion\ime
Mutexes
Global\CLR_CASOFF_MUTEX
\BaseNamedObjects\Global\.net clr networking
RV_MUTEX
\BaseNamedObjects\RV_MUTEX
IP addresses contacted by the malware
158[.]69[.]30[.]89
188[.]70[.]31[.]241
Domain names contacted by the malware
x11[.]zapto[.]org
sambosaxzx[.]ddns[.]net
Files or directories created
%SystemDrive%\AUTOEXEC.BAT.exe
%SystemDrive%\boot.ini.exe
\??\E:\$RECYCLE.BIN.exe
\??\E:\$RECYCLE.BIN
%LocalAppData%\Temp\xkkr5i_9.out
%AllUsersProfile%\miner
%AllUsersProfile%\miner\sHXJvbCG.ico
%LocalAppData%\Temp\xkkr5i_9.0.vb
%LocalAppData%\Temp\xkkr5i_9.cmdline
%LocalAppData%\Temp\xkkr5i_9.tmp
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Torrent.exe
%SystemDrive%\miner
%SystemDrive%\miner\nvidia.exe
\??\E:\miner
\??\E:\miner\nvidia.exe
\miner\nvidia.exe
\$Recycle.Bin.exe
%SystemDrive%\Documents and Settings.exe
\Documents and Settings.exe
%SystemDrive%\Recovery.exe
%SystemDrive%\366832936.exe
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESE.tmp
%SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vbcF.tmp
%TEMP%\_ecw9cm3.0.vb
%TEMP%\_ecw9cm3.cmdline
%TEMP%\_ecw9cm3.out
%TEMP%\n02x2nc3.0.vb
%TEMP%\n02x2nc3.cmdline
%TEMP%\n02x2nc3.out
%TEMP%\nyf8h2nv.0.vb
%TEMP%\nyf8h2nv.cmdline
%TEMP%\nyf8h2nv.out
%TEMP%\q8tnr4an.0.vb
%TEMP%\q8tnr4an.cmdline
%TEMP%\q8tnr4an.out
%TEMP%\rykc4pie.0.vb
%TEMP%\rykc4pie.cmdline
%TEMP%\rykc4pie.out
%TEMP%\yjua3drf.0.vb
%TEMP%\yjua3drf.cmdline
%TEMP%\yjua3drf.out
%SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Torrent.exe
%SystemDrive%\I386.exe
%SystemDrive%\IO.SYS.exe
%AllUsersProfile%.exe
%AllUsersProfile%\miner\366832936.ico
%AllUsersProfile%\miner\CONFIG.ico
%AllUsersProfile%\miner\IO.ico
%AllUsersProfile%\miner\MSDOS.ico
%AllUsersProfile%\miner\NTDETECT.ico
%AllUsersProfile%\miner\boot.ico
%AllUsersProfile%\miner\ntldr.ico
%SystemDrive%\RECYCLER.exe
%SystemDrive%\Temp.exe
%SystemDrive%\Users.exe
%SystemDrive%\c2d124b8466cec6b3e47c4.exe
Hashes
GandCrab
Win.Ransomware.Gandcrab-6843341-0
GandCrab is ransomware that encrypts documents, photos, databases and other important files, appending the “.GDCB”, “.CRAB” or “.KRAB” file extension. GandCrab spreads through traditional spam campaigns as well as multiple exploit kits, including Rig and GrandSoft.
Indicators of compromise
Registry keys
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
Value Name: ProxyOverride
<HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
Mutexes
Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
\BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4
IP addresses contacted by the malware
Domain names contacted by the malware
ipv4bot[.]whatismyipaddress[.]com
nomoreransom[.]coin
nomoreransom[.]bit
gandcrab[.]bit
dns1[.]soprodns[.]ru
dns2[.]soprodns[.]ru
Files or directories created
%AppData%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
%AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
%TEMP%orary Internet Files\Content.IE5\C5MZMU22\ipv4bot_whatismyipaddress_com[1].htm
%LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\A71QDCIP.htm
%AppData%\Microsoft\psznzp.exe
\Win32Pipes.00000328.0000003d
\Win32Pipes.00000328.00000041
\Win32Pipes.00000328.00000049
%AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-42a28d9ef0c9
%AppData%\Microsoft\hjunhw.exe
Hashes