Los malwares más prevalentes de la primera semana de febrero de 2019

El grupo de inteligencia de Cisco, Talos, analiza periodicamente los malwares más prevalentes de la semana, y durante la pasada, se notó la fuerte actividad del adware. Las amenazas activas durante la semana entre el 01 y el 08 de febrero y sus Indicadores de Compromiso a continuación.

Nuevamente les presentamos la lista de los malwares más prevalentes de la semana pasada, y sus Indicadores de Compromiso (IoC), a partir del análisis que efectúa semanalmente Talos, el grupo de inteligencia de Cisco. Como en las entregas anteriores, éste no pretende ser un análisis profundo, sino resumir las amenazas que se observaron entre el 01 y el 08 de febrero.

Como recordatorio, la información que presentamos semanalmente no es exhaustiva. También les recordamos que el proceso de caza de vulnerabilidades o Threat Hunting no sólo involucra la búsqueda de Indicadores de Compromiso. Detectar uno de los IoCs que presentamos en esta entrega no necesariamente indica infección.

Sin más introducciones, los malwares más activos durante la semana entre el 01 y el 08 de febrero fueron:

SoftPulse

PUA.Win.Adware.Softpulse-6848587-0
SoftPulse es un software publicitario, adware, que instala software malintencionado, aprovecha las técnicas de máquinas anti-virtuales y puede acceder a información potencialmente sensible de los navegadores locales.

Indicadores de compromiso

Claves del Registro

  • <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972-E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION
    • Value Name: PnpInstanceID
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: ProxyBypass
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP
    • Value Name: IntranetName

Nombres de dominio contactados por el malware

  • 6nu2bfmath[.]mrzp97cmg3[.]com

Archivos o directorios creados

  • %LocalAppData%\Temp\~DF38A714DABA77BAE2.TMP

Hashes

  • 1a74519d1568dece3bc64889f177df271b1bf93c0db86d97bb81e44a45403c2f
  • 1a93550fd9e061d7b572ca6269934ae5d0747e82855420895d41547680e372b7
  • 1e8a9c8f07050897420bccfc612fe39dc11acec47dbb11a9b6d17876c0f1c748
  • 22db5127ccb49f274ab3f46f6a845bcbe693e2ed4069220c9b33c4ba7cb6e7db
  • 2da64c580965f9d0454b9004181ed7fdd5903e93cc41d06578cc968ac4215836
  • 30ff57307b5d4456c64ee80eaacb717cdc1804c1f1c49409c7d583ec9f3de1e3
  • 3ff2a4f01f7bfc31db3a54ecb98c0df737cd575cc11301af3b19ed99bc0e075b
  • 473f7dd0173bafa5de751493de7c7e2cc57fc290aac0ae4d2947cc57dcb8008d
  • 5492869d71c62c3ade2750e79de155104329cc08fdd9e65f9ba7d213868714c8
  • 54d8cb379579ab2063b223f0011d8fa2838368b4b68f070a54b7e06ca62c1f03
  • 5b5c9fd28470e81d23fcd6e5b2ea1bdf7c537ca610535d2f69a23fbd11f8d0cb
  • 5e69b36b133ca551c46014c80afbb8fe2d9f6edd1e49cebcd22ca7bbec82d9ff
  • 6e43c79b858a27b93c87498faba5f60edd11d6472da142229bef6fb1d1310372
  • 78ca808e8428963d80d651655c6f79c8df44448a0d0613eb442a20a3081d0b21
  • 7db57b97495b59e84bca9e7f48b472e7412751b20780f17f453e4cf8c9694543
  • 7fbd028726e320fddbf67a00ac1a43e8d2f7fdc98dcb53c84fbbd77871c88afb
  • 881497c1db786286caae56f5055909c1bba6ccb24628773805f0f3a3a91c0993
  • 8a70ba0afe5efa6f633d97f51043d6be2ff3b3a2e6c5fba979f88a6bce4813e3
  • 92fbd91b969e6f94853430cb11a7ab2eaeaa05faefd2856a4aa55861f035beb0
  • 93b2e125a810723a7bc4e268dccbd784cd95e593077ae59fd9ac4daa9e1a8094
  • 99b1320bd421b716118e2aa11ff0044be4bb8849f96b099c6d7ff106ad80833b
  • 9ec1af22463376ceaf3468b88b000a155aa674ff27910c4a2d7188fb4ed5b315
  • a0ea6c233f4da2e161eb3108b9534d297cb15ec8d17eaf2d22132b0e67e99c4a
  • a1caca2e8b3b96935fcde41509753f4531ec3b9c5f436c7291c422fdf4c1d7ec
  • b2917e4031446976cdba6958df9d7c2d594f657232e0786b0e39039477b13534

Emotet

Doc.Downloader.Emotet-6846065-0
Emotet es una de las familias de malware más ampliamente distribuidas y activas en la actualidad. Es una amenaza altamente modular que puede ofrecer una amplia variedad de payloads. Emotet se entrega comúnmente a través de documentos de Microsoft Office con macros, enviados como archivos adjuntos en correos electrónicos maliciosos.

Indicadores de compromiso

Claves del registro

  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoConfigURL
  • <HKU>\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: AutoDetect

Mutexes

  • Global\I98B68E3C
  • Global\M98B68E3C
  • Global\552FFA80-3393-423d-8671-7BA046BB5906
  • PEMD4
  • PEM19C
  • PEM4F0
  • PEM240

Direcciones IP contactadas por el malware

  • 177[.]11[.]50[.]52
  • 195[.]201[.]46[.]139
  • 216[.]119[.]181[.]170
  • 71[.]78[.]24[.]146
  • 217[.]78[.]5[.]120

Nombres de dominio contactados por el malware

  • estacaogourmetrs[.]com[.]br
  • www[.]intelhost[.]com[.]br
  • restauranthub[.]co[.]uk
  • docksey[.]com

Archivos o directorios creados

  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B106E8EE-597B-49CA-A6A4-5BA8ABCC8F6A}.tmp
  • %SystemDrive%\TEMP\~$LE1922193.doc
  • %LocalAppData%\Temp\CVR3B09.tmp
  • %LocalAppData%\Temp\~DF0EC263132EE87D9F.TMP
  • %LocalAppData%\Temp\~DF93E860FA48DCAA9A.TMP
  • %LocalAppData%\Temp\~DFCEAA78F57CC3DA47.TMP
  • %LocalAppData%\Temp\~DFDE0E179FA1A94A5D.TMP
  • %AppData%\Microsoft\Office\Recent\FILE1922193.LNK
  • %LocalAppData%\Temp\p24is3bq.j0q.ps1
  • %LocalAppData%\Temp\zjkgwiwg.sq0.psm1
  • %UserProfile%\Documents\20190204
  • %UserProfile%\Documents\20190204\PowerShell_transcript.PC.0Py_SQrs.20190204204359.txt
  • %WinDir%\temp\putty.exe
  • %AppData%\Microsoft\Office\Recent\366814370.doc.LNK
  • %TEMP%orary Internet Files\Content.Word\~WRS{E2A82E27-8296-44EC-B019-FE52D18D73F1}.tmp
  • %SystemDrive%\~$6814370.doc

Hashes

  • 03591121dcf83a4aeb5e5fa12a1c1b75c93f5a215780eb1ebf209cc9518f12d3
  • 04c6555af6871c7818d3df3f0d5bbf9b85efac94e979c58234310b9a36079e78
  • 09be75647f21e12c0c4948ed45c68eb1db6667beece4e1d9748cddd5b4c38eaa
  • 15968dcbcb0514e7fd5bb68ced13112a3f1d8b31cd948b967f3becce9283508a
  • 1920f3315544295d13a8c3366216b74514369bb31cea90a4659506c0c4c549a1
  • 1a4c6a9c9e4bcce9f83776f87f158d39cb21eb78ea839afaa01abf3f93c49a4c
  • 1a7211b1d27124d3409b2d1346ba93fc2a91fd00ed3899c95c1e16fc849c54a7
  • 1e83dfa18cc1ccff50dd5118f710bcc16e6c4e178977435c62b4238554bcf7f4
  • 2287689165547b27ed983152dd781bc53777060a8dd911b18671b60509329ebf
  • 247adbdf9950ad6e592f0276ae72625818f87b41ce1bb7596aa89181e0ce99d4
  • 267af9baaa1401ae4034200940bad6c1f8cb622a7e731ed28fe84fe0682a6616
  • 3bc75dd152bea2d4670d22e2844731646cc4a83024a3cd2349d465d5c16020ef
  • 607f94f56ab7d2e2b01a0b8ee0bed7379144363d65e3040f44a197e8245b842c
  • 72da32c1bec496a54885f38802c429bc1aed434651bc67dc4acbac637c0c94ce
  • 76b02247cf6c9a6c436532a536ccd2711fa876c15312dd6e0b3863e070e8595c
  • 7fb24419176dd9aa58bb53a4246398d40c260c253b4772cb8fdc600324f24318
  • ad6b9cb00268157013c2b547a379a836609f5c7e01ce6893df16cf1db8fd3965
  • af8e1169f130baf122b25aae81d95d62cd3506bae39673652d91ac4c4936049d
  • b5d83480ad61ce204743ef0904cbd2995991944efd3d0d2c9daaca9385f4b290
  • b9cbad9b3cd4a1f08c3284d479ff40093454e9f76d23783901087cd0add5d468
  • fd46fb328e72ebe81cb97846b846051a95d2012630a3ee37bf55002c3908883e

Razy

PUA.Win.Adware.Razy-6847375-0
Razy es a menudo un nombre de detección genérico para un troyano de Windows. Este grupo específico de muestras de esta semana contiene código cifrado en la sección de recursos que podría inyectarse a un proceso legítimo y funciona como adware.

Indicadores de compromiso

Mutexes

  • Local\MSCTF.Asm.MutexDefault1
  • Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
  • Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511

Archivos o directorios creados

  • %System32%\drivers\etc\hosts
  • %LocalAppData%\Temp\is-51KNV.tmp
  • %LocalAppData%\Temp\is-51KNV.tmp\09131ddb2cac0b4d4483b4bbbc76a26f244ab5a884350f733e1f60fc684da039.tmp
  • %LocalAppData%\Temp\is-9EHP6.tmp\_isetup\_isdecmp.dll
  • %LocalAppData%\Temp\is-9EHP6.tmp\_isetup\_setup64.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-CA60C.tmp\367042276.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\Asian.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\Asian.exe.config
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\FallOffLone.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\FallOffLone.exe.config
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\_isetup\_isdecmp.dll
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-0J9ED.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-D4UQV.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-ECQFB.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-JAN27.tmp\is-T0KA5.tmp
  • %ProgramFiles%\Luckey\213384307.exe
  • %ProgramFiles%\Luckey\213384307.exe.config

Hashes

  • 09131ddb2cac0b4d4483b4bbbc76a26f244ab5a884350f733e1f60fc684da039
  • 3c6a39eee1d6b61e2c1d94332b55819182bc189fcdbe06d79bcafa2ea0febc43
  • 47d1bd0892f91a1c65f5e6f06fe6969cd8db1f1473760c23e668ac1cb831bc7f
  • 4e5e5d3bea988e7c39542245f3a1bc1046153ebefc18ee0b4d743dd8b2f93e28
  • 51c839a1fe25c31ba3903cc47f32880741dd1e708c9e97c81a2ea050802f84db
  • 68b15033f398389c45903085677e375dcaed3a3225d0854f6cbb5a2b45217cb7
  • 6985e3313e82b8cc6b450bb4cb6fcdebfc1b26ec83b0ace499c836d79b0b4fbe
  • 72a1cb206beae974f8d3504128e7892ba6fcbba38f31d7714f0fd811618bb439
  • 7384060612fcb8c40a324c136c571295f361a2e6d7f5b470206b574aed5fe0f4
  • 817ee49531f980991336c020e3d99f67796a38ff88aff948f07f658b083e6801
  • 888888ec0980085d2a89f43fc32f543dfbe283d7ad0186e5c1089a08795d86b8
  • 9d6c6642a75a6328ef321212b482519ef74c767d9a02d1538debc53f031ee293
  • b0d1ef5415c13028a6fbe16900e255b599781bf3824144413f9364e619480194
  • bb87882c8e8c87e3f0f2accf837d141550fc0a048409b6c0a4aaec4b9829f1a0
  • fa64e7db69b070ef8bad8046cd7539dd1fca1bb63349f04c0e94584cf0a2a7d7

PUA.Win.Trojan.00519ead

PUA.Win.Trojan.00519ead-6847245-0
PUA.Win.Trojan.00519ead es la denominación de un conjunto de muestras de programas publicitarios maliciosos que podrían aprovechar la técnica AppInit DLL para lograr la persistencia y realizar varias consultas de DNS. Actúa como troyano.

 Indicadores de compromiso

Claves del registro

  • <HKCR>\LOCAL SETTINGS\MUICACHE\3E\52C64B7E
    • Value Name: LanguageList
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: AppInit_DLLs
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: LoadAppInit_DLLs
  • <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS
    • Value Name: RequireSignedAppInit_DLLs

Mutexes

  • {5312EE61-79E3-4A24-BFE1-132B85B23C3A}
  • {66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}
  • Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
  • IsoScope_10c_IESQMMUTEX_0_274
  • IsoScope_10c_IESQMMUTEX_0_519
  • IsoScope_10c_IESQMMUTEX_0_303
  • IsoScope_10c_IESQMMUTEX_0_331

Direcciones IP contactadas por el malware

  • 13[.]107[.]21[.]200
  • 104[.]200[.]23[.]95
  • 204[.]79[.]197[.]200
  • 209[.]197[.]3[.]15
  • 188[.]72[.]202[.]44
  • 34[.]226[.]238[.]42
  • 158[.]69[.]244[.]165
  • 212[.]32[.]250[.]31
  • 144[.]202[.]40[.]125
  • 104[.]16[.]13[.]194

Nombres de dominio contactados por el malware

  • maxcdn[.]bootstrapcdn[.]com
  • 5isohu[.]com
  • done[.]witchcraftcash[.]com
  • thegoodcaster[.]com
  • www[.]theoffertop[.]com
  • myecomworld[.]net
  • wonderfulworldnow[.]club
  • images[.]clickfunnels[.]com
  • tac25[.]com
  • track[.]rightsearchsmooth[.]club

Archivos o directorios creados

  • %LocalAppData%\Microsoft\Internet Explorer\imagestore\aowwxkh\imagestore.dat
  • %LocalAppData%\Temp\A1D26E2
  • %LocalAppData%\Temp\update.exe
  • %LocalAppData%\Temp\~DF32A074D75E28FF74.TMP
  • %ProgramFiles% (x86)\Internet Explorer\IEShims.dll.tmp
  • %ProgramFiles% (x86)\Internet Explorer\ieproxy.dll.tmp
  • %ProgramFiles% (x86)\Java\jre7\bin\ssv.dll.tmp
  • %LocalAppData%\Temp\~DF832EC54C42A76DA7.TMP
  • %AppData%\Microsoft\Windows\Cookies\2XVNLMCY.txt
  • %LocalAppData%\Temp\is-0UA26.tmp\idp.dll.tmp
  • %LocalAppData%\Temp\is-B01CK.tmp
  • %LocalAppData%\Temp\is-B01CK.tmp\c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5.tmp
  • %LocalAppData%\Temp\A1D26E2\116E56C6A8.tmp
  • %LocalAppData%\Temp\is-0UA26.tmp\_isetup\_setup64.tmp
  • %LocalAppData%\Temp\is-0UA26.tmp\idp.dll
  • %LocalAppData%\Temp\is-0UA26.tmp\itdownload.dll
  • %LocalAppData%\Temp\is-0UA26.tmp\psvince.dll
  • %LocalAppData%\Temp\~DF12E5A698F292B5F8.TMP
  • %AppData%\Microsoft\Windows\Cookies\YO092G24.txt

Hashes

  • 06386d249ae1b3cc4bc96281ae89e10a85f68dd7e350e3e52fab4c88a7c02375
  • 1e81d5888f17947bcbe31a74b3761c31c4fd6b49cb02d3eb4f85e065d8729e08
  • 298b8e26c83ba9fd1bb1faeb5b0df909f1d163e7896e26c48d35e041aae6320e
  • 641432c889189c393edf97cda9b08e5b083cbb8eecc5ac09b9d476f8872ecf3b
  • 6fbe635039debcb4eccf4d9c24cf009b8405fbe8cf9fcc5c5f24d0ca8bffd53a
  • a073171d46e57c4e308b6a62c0d14e597e95c030c019f428a26ee6c07f43557d
  • a5b2ea50f8dceec4752888c5e50e364b16253160dd7fb20932d8e5e5a56ac719
  • c1f44c795198b23f8058492bb82a29addd2eeae623a53296f0195777d6a5fde5
  • c488c9a61f7be3a4e7b9c51dbefa36c2fe7b53904d30c38f58dcc1900aec098b
  • c72e78abc54e7b785e666e0e61181c107a4cf6b9c0519146f9f2b9fbf47ba841
  • f1aa892c158ea1779a210d52b9a4311245544868343d27c91454566d730aa4ee

PUA.Win.Adware.Sanctionedmedia-6818436-0

Este clúster incluye muestras de adware .NET capaces de inyectar código, abrir un puerto para escuchar las conexiones entrantes, deshabilitar la restauración del sistema, modificar archivos dentro de los directorios del sistema, contactar con los dominios de la lista negra, modificar el registro y, en algunos casos, incluso copiarse en unidades USB.

 Indicadores de compromiso

Claves del registro

  • <HKU>\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appsvc.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastUI.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hijackthis.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe
  • <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SCHEDULE
    • Value Name: Start
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe
  • <HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe
  • <HKU>\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\ime

Mutexes

  • Global\CLR_CASOFF_MUTEX
  • \BaseNamedObjects\Global\.net clr networking
  • RV_MUTEX
  • \BaseNamedObjects\RV_MUTEX

Direcciones IP contactadas por el malware

  • 158[.]69[.]30[.]89
  • 188[.]70[.]31[.]241

Nombres de dominio contactados por el malware

  • x11[.]zapto[.]org
  • sambosaxzx[.]ddns[.]net

Archivos o directorios creados

  • %SystemDrive%\AUTOEXEC.BAT.exe
  • %SystemDrive%\boot.ini.exe
  • \??\E:\$RECYCLE.BIN.exe
  • \??\E:\$RECYCLE.BIN
  • %LocalAppData%\Temp\xkkr5i_9.out
  • %AllUsersProfile%\miner
  • %AllUsersProfile%\miner\sHXJvbCG.ico
  • %LocalAppData%\Temp\xkkr5i_9.0.vb
  • %LocalAppData%\Temp\xkkr5i_9.cmdline
  • %LocalAppData%\Temp\xkkr5i_9.tmp
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Torrent.exe
  • %SystemDrive%\miner
  • %SystemDrive%\miner\nvidia.exe
  • \??\E:\miner
  • \??\E:\miner\nvidia.exe
  • \miner\nvidia.exe
  • \$Recycle.Bin.exe
  • %SystemDrive%\Documents and Settings.exe
  • \Documents and Settings.exe
  • %SystemDrive%\Recovery.exe
  • %SystemDrive%\366832936.exe
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RESE.tmp
  • %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vbcF.tmp
  • %TEMP%\_ecw9cm3.0.vb
  • %TEMP%\_ecw9cm3.cmdline
  • %TEMP%\_ecw9cm3.out
  • %TEMP%\n02x2nc3.0.vb
  • %TEMP%\n02x2nc3.cmdline
  • %TEMP%\n02x2nc3.out
  • %TEMP%\nyf8h2nv.0.vb
  • %TEMP%\nyf8h2nv.cmdline
  • %TEMP%\nyf8h2nv.out
  • %TEMP%\q8tnr4an.0.vb
  • %TEMP%\q8tnr4an.cmdline
  • %TEMP%\q8tnr4an.out
  • %TEMP%\rykc4pie.0.vb
  • %TEMP%\rykc4pie.cmdline
  • %TEMP%\rykc4pie.out
  • %TEMP%\yjua3drf.0.vb
  • %TEMP%\yjua3drf.cmdline
  • %TEMP%\yjua3drf.out
  • %SystemDrive%\Documents and Settings\Administrator\Start Menu\Programs\Startup\ Torrent.exe
  • %SystemDrive%\I386.exe
  • %SystemDrive%\IO.SYS.exe
  • %AllUsersProfile%.exe
  • %AllUsersProfile%\miner\366832936.ico
  • %AllUsersProfile%\miner\CONFIG.ico
  • %AllUsersProfile%\miner\IO.ico
  • %AllUsersProfile%\miner\MSDOS.ico
  • %AllUsersProfile%\miner\NTDETECT.ico
  • %AllUsersProfile%\miner\boot.ico
  • %AllUsersProfile%\miner\ntldr.ico
  • %SystemDrive%\RECYCLER.exe
  • %SystemDrive%\Temp.exe
  • %SystemDrive%\Users.exe
  • %SystemDrive%\c2d124b8466cec6b3e47c4.exe

Hashes

  • 0489f71417400080c1ebf6f5cf76655470a83f0f964a2ad54c242daf3012fa7a
  • 0e15e99295dcf13eae0d5a4d7a04a55f7fab24e8f189f5ac37cc1007346007ad
  • 1127cc0f06797cd128aa3724b5ecead3613c41fabebd143fcbf19a8d236a8fef
  • 137b894b7f9992f26dd4e6c8d8c2a09e886466305384b444aac2e2d9e3ee7a19
  • 1f5b1a8b9f7fb4d83bbd012d42fdc725468dc0ed29341bee4c5aa122d83f69f2
  • 3357239b0cb8a4683eca02fd8bf8c0de9cd3372a2222f096d7b527b39fcf8987
  • 372a2fde40ef021834c7d7718f2f2faf63ee372ee75a795ce3ff0e1156c57a8d
  • 39bbcd06380d793eb655a015e04ed122d160b6d469495a3b172a89809e5c1c1c
  • 3b3db732aa7ea25346da5ac1a4f0cb56357baf265259c9046885f889b56830da
  • 3cf72a19a5dbca5da318ca758b07f8c1e729dd3035f1f31223c8c05fa8826faa
  • 3f7eb77d67e6a7e2e410993234cc2bf649b3efb311931774e4c5dff3bbfcb1f7
  • 43983381c09f51babb1b684db1c0f804c3f00ba6c5159e99bb5a68b32e4718f5
  • 4a7bdf882b10e093cb0d82c61e71daaff97971f0cbaf16f61093acdfe149734f
  • 4b08ea2461afbf58ef946d1897ee5d4b2873ad2b261db005a85c4aa43ffeca09
  • 5a85a897a9e5aabf518bd1ff19339cca80543a90cefdcca5397ac09014fc71be
  • 5da2bf905b77f3b9c4d957458cfb9f133860ddfe5dec741aac55bced51184c1c
  • 5e01d3fbd260656eaf2eb22631ec30ce8433f8288911ef552855108c773580bd
  • 638c303a097d02c40e3790e506234cd36ea4c907166f4447f50e6f92b7429436
  • 63af1d420682171b535f222861b3bcc90c4da86363ad94a4b666bf489a245e11
  • 66a2ed3db3c55603be3a2ce301cdc71be803b18da51731373a4d23c1d5b0b1a5
  • 6e0a7315797b5add6dc3b23abdc8d96d0d43e9470bee64f3f5fd12721acd62f9
  • 7051fca8dfa96b8ee78111d72f6945d14f82aceb94f93a891dfe6e5641512b1e
  • 71a577218ae440efb0c6b2a624d90a8713e60ab01c525a180c15b5b2b9fa8d4e
  • 726787ed97a97d4057caa986bd0956a80ecb446bcbdd9a1c009fb4d1ebccaee2
  • 76b63d0d32b961663c20a01bd478d5cb1358eb1441bea38e2cb8e57c36e0ac41

GandCrab

Win.Ransomware.Gandcrab-6843341-0
GandCrab es un ransomware que cifra documentos, fotos, bases de datos y otros archivos importantes mediante la extensión de archivo «.GDCB», «.CRAB» o «.KRAB». GandCrab se propaga a través de campañas de spam tradicionales, así como múltiples kits de explotación, incluidos Rig y GrandSoft.

 Indicadores de compromiso

Claves del registro

  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyEnable
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyServer
  • <HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
    • Value Name: ProxyOverride
  • <HKU>\Software\Microsoft\Windows\CurrentVersion\RunOnce

Mutexes

  • Global\pc_group=WORKGROUP&ransom_id=4a6a799098b68e3c
  • \BaseNamedObjects\Global\pc_group=WORKGROUP&ransom_id=ab8e4b3e3c28b0e4

Direcciones IP contactadas por el malware

  • 66[.]171[.]248[.]178

Nombres de dominio contactados por el malware

  • ipv4bot[.]whatismyipaddress[.]com
  • nomoreransom[.]coin
  • nomoreransom[.]bit
  • gandcrab[.]bit
  • dns1[.]soprodns[.]ru
  • dns2[.]soprodns[.]ru

Archivos o directorios creados

  • %AppData%\Microsoft\Crypto\RSA\S-1-5-21-2580483871-590521980-3826313501-500\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5
  • %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred
  • %TEMP%orary Internet Files\Content.IE5\C5MZMU22\ipv4bot_whatismyipaddress_com[1].htm
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\A71QDCIP.htm
  • %LocalAppData%\Microsoft\Windows\Temporary Internet Files\Content.IE5\SSZWDDXW\A71QDCIP.htm
  • %AppData%\Microsoft\psznzp.exe
  • \Win32Pipes.00000328.0000003d
  • \Win32Pipes.00000328.00000041
  • \Win32Pipes.00000328.00000049
  • %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\bb5ca9a3-5378-4a8e-8196-42a28d9ef0c9
  • %AppData%\Microsoft\hjunhw.exe

Hashes

  • 00e77dd692525ac51843e571dc4401ad383b01f3789a96ad952ad46e9bc30d5d
  • 01ad099c08042d05bcc5c708aeca7a3479f93def36318469c05b3fe2c25a202d
  • 01d3aedbbcfde336cf132fa52fb87f0a39a7e1c55cf8e30e8f79df6fa6cf2a28
  • 021f152e82d84617ac2ba999f436fcf85f35c9c17da8f7adff51d6f6c332c63f
  • 072a1a933df1fe1e0c90b07b30bf82dcc16fd860e47ac94877c25c05b89a1147
  • 087af2abcf44ec68d9f1f55bcbae03e12ff0380ceea4f2197fff9b8d353f417e
  • 098af1ba0b5cf4d27f8122eb37bc7ab009be4f6c812e990639931d8504d3619c
  • 0d20371ebb39d45616ecdc0ebd1ae457f98641a14c8cd3c94e553fe5cb71e128
  • 0e90f5195c0f0c81cd631c90809790490a7a5cac5eae61bf27332b9707f9e3f3
  • 0ffd01cae290d5ff33af6dcd087646bf86a065fd02f196b7dd3afe0bb5c08d75
  • 103f6e49c97ec73d623231fa92f418032ad223c565a7fadb238cc676a6bee79a
  • 110084e96789b6e657a8453d8614c14344e03ca4dac55076afe7ba605a68ca06
  • 112dcf3ef406642f9b2459a27dc79f626d28ac93db3482691eda8db3bbafd80b
  • 119238f37579434b540e2a4cda59261d86e9a9ac0c059dfd2daf699c5a3e6094
  • 1388310e5f683da4ad3e774923c2616a7137dc1da691efea313fccd2a0f88da1
  • 1694e9584805e55badf8da9ce6f8b4122e3bf419bfb22070d3e97b83be0caa73
  • 17517aac50cfcb9b6cd779f466d6ece0ec930071fc58e7b4b391a8e79a7ef49d
  • 1c4b31ea552e67d0e573cc3c4f4c93387e79e931e41742129dcf7b1cdc55d4d5
  • 1c700576a51cdbee44a25972503a64ebc9d4fef602b4702fca9eb02e8622a7dc
  • 1ced683893408d370315083efe988043cb72a864a03a3ded4a94d047d2bec262
  • 1d4f89c1ecd931c4b5cecfba15b76f1d6607417af487654da1d50497bcda1cd9
  • 1e1b83c79a5d2ff5ec3ca325debdb29f66d83f362d2bf0ec4e18c6fbafd6c179
  • 1eff09710c639869bef51b90404569a7917aa23afdd290c8668e617b1757a231
  • 20be9f6a086f07dfc3fbd8a5e6a060e50f360629e428077665980f6e6e401079
  • 20c45b4970eddc186e8e77266e5b2282c6faf4d53559482200c4d43404d23f7a