Analysis Report

MIFR-10050855-1.v2

Last Revised
Alert Code: AR20-133K

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

CISA received one artifact for analysis, Emailed Invoice - 1019701.msg. This email message contained the attachment Invoice_101970~1.doc, which contains the exploit CVE-2012-0158 and, if the exploit succeeds, drops a Dridex Trojan payload.



This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.



Analysis Environment: windows_xp_sp3, 32_bit

For a downloadable copy of IOCs, see MIFR-10050855-1.v2.stix.

Files (3)

41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4 (Invoice_101970~1.doc)

993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67 (vmsk.exe)

f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49 (Emailed Invoice - 1019701.msg)

IPs (1)

91.239.232.145

Findings

f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49

Tags

CVE-2012-0158, trojan

Details
Name: Emailed Invoice - 1019701.msg
Size: 556544 bytes
Type: CDFV2 Microsoft Outlook Message
MD5: 5b23662452c12c4f95adaeafe2614e9a
SHA1: 409810256090f7f755f8653834cacb62adfa675e
SHA256: f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
SHA512: 3fa0e32ca97bf86d21077aebbcb0243b28945a90bc21a9f6719f22f845b4ebfbf89e4b26fdb84639c33ddda5c57ad926cf9136a9a37aa9527a660a03e390f79b
ssdeep: 12288:O8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy:O8MFkp1Wfm99ej2yq9Tc7b3E
Entropy: 7.266701
Antivirus
Ahnlab: RTF/Exploit
Avira: VBS/Dldr.Agent.nimx.4
BitDefender: Exploit.RTF.CVE-2012-0158.G
ClamAV: Rtf.Exploit.CVE_2012_0158-24
Cyren: CVE-2012-0158!Camelot
ESET: Win32/Exploit.CVE-2012-0158.ABR trojan
Ikarus: Exploit.CVE-2012-0158
McAfee: Generic Exploit.af
NANOAV: Exploit.Rtf.Heuristic-rtf.dinbqn
Quick Heal: Exp.RTF.CVE-2012-0158.A
Sophos: Troj/DocDrop-FK
TrendMicro: TROJ_CV.E4BFFC95
TrendMicro House Call: TROJ_CV.E4BFFC95
YARA Rules

No matches found.

ssdeep Matches
97 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
96 5397af3fe2e731c8392347bad05e9e7fe4fa25273bd1ec7002f1ffbc89b7c7a5
Description

Process Tree:

- cmd.exe 748 (1420)

- - cmd.exe 1864 (748)



File activity:

execute, cmd.exe



The email message contains the malicious attachment Invoice_101970~1.doc.



--Begin Email Headers--



Received: from [REDACTED] by [REDACTED] with Microsoft SMTP Server id 8.3.406.0; Wed, 3 Feb 2016 10:41:12 -0500

Authentication-Results: [REDACTED]; dkim=None (message not signed) header.i=none; spf=PermError smtp.mailfrom=yvonne@direct-electrical.com; spf=None smtp.helo=postmaster@[200.236.65.6]

Received-SPF: PermError ([REDACTED]: cannot correctly interpret sender authenticity information from domain of yvonne@direct-electrical.com) identity=mailfrom; client-ip=200.236.65.6; receiver=[REDACTED]; envelope-from="yvonne@direct-electrical.com"; x-sender="yvonne@direct-electrical.com"; x-conformance=spf_only; x-record-type="v=spf1"

Received-SPF: None ([REDACTED]: no sender authenticity information available from domain of postmaster@[200.236.65.6]) identity=helo; client-ip=200.236.65.6; receiver=[REDACTED]; envelope-from="yvonne@direct-electrical.com"; x-sender="postmaster@[200.236.65.6]"; x-conformance=spf_only

X-IronPort-Anti-Spam-Filtered: true

X-IronPort-Anti-Spam-Result: A0AdJAC5HbJWVAZB7MiCbAUBxmECAgEtCAg

X-IronPort-AV: E=Sophos;i="5.22,391,1449550800"; d="doc'212?scan'212,208,212";a="30714064"

Received: from unknown (HELO [200.236.65.6]) ([200.236.65.6]) by [REDACTED] with ESMTP; 03 Feb 2016 10:41:04 -0500

From: "yvonne@direct-electrical.com" <yvonne@direct-electrical.com>

To: [REDACTED]

Subject: Emailed Invoice - 101970:1

Date: Wed, 3 Feb 2016 09:41:03 -0500

Message-ID: <56a74b1c.d7bc1c0a.c68bd.ffffb6a7@mx.google.com>

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="----=_NextPart_000_07BB_01D15909.472F8790"

X-Mailer: Microsoft Outlook 16.0

Thread-Index: AQFWN1DoL0ELw7e2BKf2LERCeWAK4A==

Return-Path: yvonne@direct-electrical.com



--End Email Headers--

Screenshots

None

41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

Tags

CVE-2012-0158, downloader, dropper, trojan

Details
Name: Invoice_101970~1.doc
Size: 522803 bytes
Type: Rich Text Format data, version 1, unknown character set
MD5: 99cf22f4adeb6baf887de7e1eecc4b9e
SHA1: a36c4225af317b6ce3aa6fc14959402e9d6165ab
SHA256: 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
SHA512: 91dfab514dbdda51e2964db4bf01e7fb7a8c4ede4ea36203b32a29eed36ae605ae2900d692fc247d6cce682c364fadef46c50b1d3af7ed833a1b519f517c10e6
ssdeep: 12288:a8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy5:a8MFkp1Wfm99ej2yq9Tc7b3E5
Entropy: 7.312316
Antivirus
Ahnlab: RTF/Exploit
Antiy: Trojan/Generic.ASExplot.62
Avira: VBS/Dldr.Agent.nimx.4
BitDefender: Exploit.RTF.CVE-2012-0158.G
ClamAV: Rtf.Exploit.CVE_2012_0158-24
Cyren: CVE-2012-0158!Camelot
ESET: Win32/Exploit.CVE-2012-0158.ABR trojan
Emsisoft: Exploit.RTF.CVE-2012-0158.G (B)
Ikarus: Exploit.CVE-2012-0158
McAfee: Generic Exploit.af
Microsoft Security Essentials: TrojanDropper:O97M/Drixed
NANOAV: Exploit.Rtf.Heuristic-rtf.dinbqn
NetGate: Exploit.Win32.Generic
Quick Heal: Exp.RTF.CVE-2012-0158.A
Sophos: Troj/DocDrop-FK
Symantec: W97M.Downloader
TACHYON: Exploit.RTF.CVE-2012-0158.G
TrendMicro: TROJ_CV.E4BFFC95
TrendMicro House Call: TROJ_CV.E4BFFC95
YARA Rules

No matches found.

ssdeep Matches
96 d7958a4984bca10fe9f76a9d42b7ce2f50c031d5878ee54af54a2e560762d678
97 f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Relationships
41791fd591... Connected_To 91.239.232.145
41791fd591... Dropped 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Description

Process Tree:

- WINWORD.EXE 1380 (1132)

- - vmsk.exe 1620 (1380)

- - cmd.exe 1608 (1380)

- - - reg.exe 2004 (1608)

- - cmd.exe 1932 (1380)

- - - reg.exe 1452 (1932)

- - cmd.exe 964 (1380)

- - - reg.exe 1720 (964)

- - cmd.exe 1192 (1380)

- - - WINWORD.EXE 420 (1192)



vmsk.exe (1620) API behavior:

getaddrinfo, 91.239.232.145

NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb

NtCreateFile, PIPE\lsarpc

NtCreateFile, C:\WINDOWS\system32\rsaenh.dll

NtCreateFile, PIPE\ROUTER

NtCreateFile, c:\autoexec.bat

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat

NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat

NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat



WINWORD.EXE (420) API behavior:

NtCreateFile, PIPE\lsarpc

NtCreateFile, MountPointManager

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm

NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~DF5A45.tmp

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{0BAD88AD-3924-4EA9-A6C1-AB4401A42EC2}.tmp

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\review.rcd

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\UProof\CUSTOM.DIC

NtCreateFile, C:\WINDOWS\system32\rsaenh.dll

NtCreateFile, C:\Program Files\Microsoft Office\OFFICE14\PROOF\MSGR3EN.LEX



WINWORD.EXE (1380) API behavior:

NtCreateFile, PIPE\lsarpc

NtCreateFile, MountPointManager

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm

NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm

NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRF{2AB6E542-2C73-4F67-A355-6BD5A07CE617}.tmp

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe

NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc



File activity:

write, PIPE\lsarpc

write, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm

write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp

write, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc

write, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe

execute, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe

write, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc

write, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc

execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F

execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F

execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F

execute, cmd.exe /c "C:\DOCUME~1\user\LOCALS~1\Temp\document.doc"

write, PIPE\ROUTER

execute, reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F

execute, reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F

execute, reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F

execute, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc

write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp

write, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc



Registry activity:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsqz=:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610313

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610349

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610350

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTT:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems9{=:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56972-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56970-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersPersonal: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Documents: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Desktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems%|=:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610314

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610315

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610317

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610320

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610322

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610323

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610325

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610327

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610329

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1216610305

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:

write, HKEY_LOCAL_MACHINE\Software\ClassesProxyBypass: 1

write, HKEY_LOCAL_MACHINE\Software\ClassesIntranetName: 1

write, HKEY_LOCAL_MACHINE\Software\ClassesUNCAsIntranet: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsd3?:

write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale1033: O\x00f\x00f\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610332

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610351

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610352

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsa4?:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsm4?:

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x00F\x008\x00F\x008\x00E\x007\x00B\x00-\x00B\x00C\x008\x00F\x00-\x004\x002\x006\x006\x00-\x00B\x008\x00B\x00A\x00-\x00A\x00E\x002\x00A\x006\x004\x002\x00F\x009\x008\x000\x009\x00}\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordPlace MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordFile MRUMax Display: 25

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery1BBA1461BBA146:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610329

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610330

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610329

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610330

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610346

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610347

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610331

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610332

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610331

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610332

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610348

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610349

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing019C826E445A4649A5B00BF08FCC4EEE:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610350

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610351

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610352

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610353

write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordSecurity\Trusted DocumentsLastPurgeTime: 24329539



This file contains the exploit CVE-2012-0158 and, if the exploit succeeds, drops the malicious payload vmsk.exe.



--Begin Document Content--



Hello!!!!



If you read this it's mean exploit work!!!



--End Document Content--

Screenshots

None

91.239.232.145

Tags

command-and-control

Ports
  • 1743 TCP
Whois

Queried whois.ripe.net with "-B 91.239.232.145"...



% Information related to '91.239.232.0 - 91.239.235.255'



% Abuse contact for '91.239.232.0 - 91.239.235.255' is 'support@netassist.ua'



inetnum:        91.239.232.0 - 91.239.235.255

netname:        HOSTPRO-NET5

descr:         Hostpro Ltd.

country:        UA

org:            ORG-HA81-RIPE

admin-c:        RS9768-RIPE

tech-c:         RS9768-RIPE

status:         ASSIGNED PI

mnt-by:         RIPE-NCC-END-MNT

mnt-by:         HOSTPRO-MNT

mnt-routes:     HOSTPRO-MNT

mnt-domains:    HOSTPRO-MNT

created:        2012-05-29T08:50:04Z

last-modified: 2015-05-05T01:38:12Z

source:         RIPE

sponsoring-org: ORG-NL64-RIPE



organisation: ORG-HA81-RIPE

org-name:     Hostpro Ltd.

org-type:     OTHER

address:        str. Knyazhiy Zaton 2/30

address:        Kiev, 02140

address:        Ukraine

phone:         +380 44 5857796

fax-no:         +380 44 5857796

e-mail:         info@hostpro.ua

abuse-c:        AR24429-RIPE

notify:         registry@ip.datagroup.ua

abuse-mailbox: abuse@hostpro.ua

admin-c:        HR71-RIPE

tech-c:         HR71-RIPE

mnt-ref:        HOSTPRO-MNT

mnt-by:         HOSTPRO-MNT

created:        2006-11-03T08:44:08Z

last-modified: 2014-11-17T16:39:11Z

source:         RIPE



person:         Ruba Sergey

address:        Ukriane, Kyiv, 02095,str. Knyazhiy Zaton 2/30

phone:         +38(044)5857796

nic-hdl:        RS9768-RIPE

created:        2009-12-10T11:47:43Z

last-modified: 2014-06-13T11:36:16Z

source:         RIPE

mnt-by:         HOSTPRO-MNT



% Information related to '91.239.232.0/24AS196645'



route:         91.239.232.0/24

descr:         Hostpro Ltd.

origin:         AS196645

mnt-by:         HOSTPRO-MNT

created:        2016-01-18T10:44:30Z

last-modified: 2016-01-18T10:44:30Z

source:         RIPE



% This query was served by the RIPE Database Query Service version 1.86 (DB-2)

Relationships
91.239.232.145 Connected_From 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67

Tags

CVE-2012-0158, backdoor, trojan

Details
Name: vmsk.exe
Size: 314368 bytes
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: f9ea75f082a66a23ea422d2f9412ee9a
SHA1: b35a5a50d34b04cc8599d50f38330f00784c842f
SHA256: 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
SHA512: 9704736ba8ef6ff310474686bfd506ec756bd55c235e95c744c593bf34e2d8521db77cfe07b92bbb667e03822cf2ae233728a356c426e1590c6430191b2fe6c0
ssdeep: 6144:Jtzoyb82w53WsGK2YhtfSfVY5t4emDjnw:JFzbFw53NGK2GSNe4eN
Entropy: 6.703364
Antivirus
AegisLab: Trojan.Win32.Dridex.to6K
Ahnlab: Trojan/Win32.Dridex
Antiy: Trojan[Backdoor]/Win32.Dridex
Avira: TR/Crypt.ZPACK.193361
BitDefender: Trojan.GenericKD.3026055
ClamAV: BC.Win.Packer.Troll-14
Cyren: W32/Dridex.YZRG-2092
ESET: Win32/Dridex.AA trojan
Emsisoft: Trojan.GenericKD.3026055 (B)
Ikarus: Trojan.Win32.Dridex
K7: Trojan ( 004d86461 )
McAfee: PWS-Dridex
Microsoft Security Essentials: Backdoor:Win32/Drixed.M
NANOAV: Trojan.Win32.Dridex.efhcwh
NetGate: Trojan.Win32.Malware
Quick Heal: Backdoor.Drixed.B5
Sophos: Troj/Agent-AQDZ
Symantec: Trojan.Cridex
Systweak: trojan.crypt
TACHYON: Backdoor/W32.Dridex.314368
TrendMicro: TSPY_DRIDEX.BYX
TrendMicro House Call: TSPY_DRIDEX.BYX
Vir.IT eXplorer: Trojan.Win32.Inject3.ZTI
VirusBlokAda: Backdoor.Dridex
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 2016-02-03 04:50:28-05:00
Import Hash: 467a98e7c853ed981c187e5441038bff
Company Name: CACE Technologies, Inc.
File Description: Adding Cautionary Quotation Spec Determine
Legal Copyright: 2006-2014
Original Filename: LogicalSell.exe
Product Name: LogicalSell
Product Version: 7.7.4.5
PE Sections
MD5                               Name     Raw Size  Entropy
7fc0b7057e44606ffa404636be57a8f6  header   1024      2.648089
e03be0a6e325899826686df1e7511ec9  .text    175104    7.063227
2131ca512ddfc2db851eef1f9761fb7e  .rdata   35328     6.990231
6313685a326e0e8d6fd7ab24f171ecd9  .data    4608      2.436517
bf619eac0cdf3f68d496ea9344137e8b  .tls     512       0.000000
fa8873c6bcdd98c1aa18b3471f687b9f  .rsrc    97792     4.929244
Relationships
993c03b028... Dropped_By 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Description

Process Tree:

- vmsk.exe 1380 (1132)



vmsk.exe (1380) API behavior:

getaddrinfo, 91.239.232.145

NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb

NtCreateFile, PIPE\lsarpc

NtCreateFile, C:\WINDOWS\system32\rsaenh.dll

NtCreateFile, PIPE\ROUTER

NtCreateFile, c:\autoexec.bat

NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat

NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat

NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat



File activity:

write, PIPE\lsarpc

write, PIPE\ROUTER



Registry activity:

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830

write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0

write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1

write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1



This file is a Dridex Trojan payload that connects out to IP address 91.239.232.145 over port 1743.

Relationship Summary

41791fd591... Connected_To 91.239.232.145
41791fd591... Dropped 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
91.239.232.145 Connected_From 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b028... Dropped_By 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up to date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.