Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.
CISA received one artifact for analysis, Emailed Invoice - 1019701.msg. This email message contained the attachment Invoice_101970~1.doc, which contains an exploit for CVE-2012-0158 and, if the exploit succeeds, drops a Dridex Trojan payload.
This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.
Analysis Environment: windows_xp_sp3, 32_bit
For a downloadable copy of IOCs, see MIFR-10050855-1.v2.stix.
Files (3)
41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4 (Invoice_101970~1.doc)
993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67 (vmsk.exe)
f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49 (Emailed Invoice - 1019701.msg)
IPs (1)
91.239.232.145
Findings
f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Tags
CVE-2012-0158, trojan
Details
Name | Emailed Invoice - 1019701.msg
Size | 556544 bytes
Type | CDFV2 Microsoft Outlook Message
MD5 | 5b23662452c12c4f95adaeafe2614e9a
SHA1 | 409810256090f7f755f8653834cacb62adfa675e
SHA256 | f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
SHA512 | 3fa0e32ca97bf86d21077aebbcb0243b28945a90bc21a9f6719f22f845b4ebfbf89e4b26fdb84639c33ddda5c57ad926cf9136a9a37aa9527a660a03e390f79b
ssdeep | 12288:O8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy:O8MFkp1Wfm99ej2yq9Tc7b3E
Entropy | 7.266701
Antivirus
Ahnlab | RTF/Exploit
Avira | VBS/Dldr.Agent.nimx.4
BitDefender | Exploit.RTF.CVE-2012-0158.G
ClamAV | Rtf.Exploit.CVE_2012_0158-24
Cyren | CVE-2012-0158!Camelot
ESET | Win32/Exploit.CVE-2012-0158.ABR trojan
Ikarus | Exploit.CVE-2012-0158
McAfee | Generic Exploit.af
NANOAV | Exploit.Rtf.Heuristic-rtf.dinbqn
Quick Heal | Exp.RTF.CVE-2012-0158.A
Sophos | Troj/DocDrop-FK
TrendMicro | TROJ_CV.E4BFFC95
TrendMicro House Call | TROJ_CV.E4BFFC95
YARA Rules
No matches found.
ssdeep Matches
97 | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
96 | 5397af3fe2e731c8392347bad05e9e7fe4fa25273bd1ec7002f1ffbc89b7c7a5
Description
Process Tree:
- cmd.exe 748 (1420)
- - cmd.exe 1864 (748)
File activity: execute, cmd.exe
The email message contains the malicious attachment Invoice_101970~1.doc.
--Begin Email Headers--
Received: from [REDACTED] by [REDACTED] with Microsoft SMTP Server id 8.3.406.0; Wed, 3 Feb 2016 10:41:12 -0500
Authentication-Results: [REDACTED]; dkim=None (message not signed) header.i=none; spf=PermError smtp.mailfrom=yvonne@direct-electrical.com; spf=None smtp.helo=postmaster@[200.236.65.6]
Received-SPF: PermError ([REDACTED]: cannot correctly interpret sender authenticity information from domain of yvonne@direct-electrical.com) identity=mailfrom; client-ip=200.236.65.6; receiver=[REDACTED]; envelope-from="yvonne@direct-electrical.com"; x-sender="yvonne@direct-electrical.com"; x-conformance=spf_only; x-record-type="v=spf1"
Received-SPF: None ([REDACTED]: no sender authenticity information available from domain of postmaster@[200.236.65.6]) identity=helo; client-ip=200.236.65.6; receiver=[REDACTED]; envelope-from="yvonne@direct-electrical.com"; x-sender="postmaster@[200.236.65.6]"; x-conformance=spf_only
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AdJAC5HbJWVAZB7MiCbAUBxmECAgEtCAg
X-IronPort-AV: E=Sophos;i="5.22,391,1449550800"; d="doc'212?scan'212,208,212";a="30714064"
Received: from unknown (HELO [200.236.65.6]) ([200.236.65.6]) by [REDACTED] with ESMTP; 03 Feb 2016 10:41:04 -0500
From: "yvonne@direct-electrical.com" <yvonne@direct-electrical.com>
To: [REDACTED]
Subject: Emailed Invoice - 101970:1
Date: Wed, 3 Feb 2016 09:41:03 -0500
Message-ID: <56a74b1c.d7bc1c0a.c68bd.ffffb6a7@mx.google.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_07BB_01D15909.472F8790"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFWN1DoL0ELw7e2BKf2LERCeWAK4A==
Return-Path: yvonne@direct-electrical.com
--End Email Headers--
41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Tags
CVE-2012-0158, downloader, dropper, trojan
Details
Name | Invoice_101970~1.doc
Size | 522803 bytes
Type | Rich Text Format data, version 1, unknown character set
MD5 | 99cf22f4adeb6baf887de7e1eecc4b9e
SHA1 | a36c4225af317b6ce3aa6fc14959402e9d6165ab
SHA256 | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
SHA512 | 91dfab514dbdda51e2964db4bf01e7fb7a8c4ede4ea36203b32a29eed36ae605ae2900d692fc247d6cce682c364fadef46c50b1d3af7ed833a1b519f517c10e6
ssdeep | 12288:a8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy5:a8MFkp1Wfm99ej2yq9Tc7b3E5
Entropy | 7.312316
Antivirus
Ahnlab | RTF/Exploit
Antiy | Trojan/Generic.ASExplot.62
Avira | VBS/Dldr.Agent.nimx.4
BitDefender | Exploit.RTF.CVE-2012-0158.G
ClamAV | Rtf.Exploit.CVE_2012_0158-24
Cyren | CVE-2012-0158!Camelot
ESET | Win32/Exploit.CVE-2012-0158.ABR trojan
Emsisoft | Exploit.RTF.CVE-2012-0158.G (B)
Ikarus | Exploit.CVE-2012-0158
McAfee | Generic Exploit.af
Microsoft Security Essentials | TrojanDropper:O97M/Drixed
NANOAV | Exploit.Rtf.Heuristic-rtf.dinbqn
NetGate | Exploit.Win32.Generic
Quick Heal | Exp.RTF.CVE-2012-0158.A
Sophos | Troj/DocDrop-FK
Symantec | W97M.Downloader
TACHYON | Exploit.RTF.CVE-2012-0158.G
TrendMicro | TROJ_CV.E4BFFC95
TrendMicro House Call | TROJ_CV.E4BFFC95
YARA Rules
No matches found.
ssdeep Matches
96 | d7958a4984bca10fe9f76a9d42b7ce2f50c031d5878ee54af54a2e560762d678
97 | f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Relationships
41791fd591... | Connected_To | 91.239.232.145
41791fd591... | Dropped | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Description
Process Tree:
- WINWORD.EXE 1380 (1132)
- - vmsk.exe 1620 (1380)
- - cmd.exe 1608 (1380)
- - - reg.exe 2004 (1608)
- - cmd.exe 1932 (1380)
- - - reg.exe 1452 (1932)
- - cmd.exe 964 (1380)
- - - reg.exe 1720 (964)
- - cmd.exe 1192 (1380)
- - - WINWORD.EXE 420 (1192)
vmsk.exe (1620) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
WINWORD.EXE (420) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~DF5A45.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{0BAD88AD-3924-4EA9-A6C1-AB4401A42EC2}.tmp
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\review.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\UProof\CUSTOM.DIC
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, C:\Program Files\Microsoft Office\OFFICE14\PROOF\MSGR3EN.LEX
WINWORD.EXE (1380) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRF{2AB6E542-2C73-4F67-A355-6BD5A07CE617}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
File activity:
write, PIPE\lsarpc
write, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
execute, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
write, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, cmd.exe /c "C:\DOCUME~1\user\LOCALS~1\Temp\document.doc"
write, PIPE\ROUTER
execute, reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc
Registry activity (UTF-16 string values decoded to plain text):
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsqz=:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: Off
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: On
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610313
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610349
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610350
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems9{=:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktop: C:\Documents and Settings\user\Desktop
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56972-8b61-11e4-ab5b-806d6172696f}\BaseClass: Drive
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56970-8b61-11e4-ab5b-806d6172696f}\BaseClass: Drive
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersPersonal: C:\Documents and Settings\user\My Documents
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Documents: C:\Documents and Settings\All Users\Documents
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Desktop: C:\Documents and Settings\All Users\Desktop
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C:\Documents and Settings\user\Local Settings\Temporary Internet Files
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData: C:\Documents and Settings\user\Local Settings\Application Data
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C:\Documents and Settings\user\Cookies
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems%|=:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610314
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610315
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610317
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610320
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610322
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610323
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610325
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610327
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1216610305
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C:\Documents and Settings\All Users\Application Data
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C:\Documents and Settings\user\Application Data
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C:\Documents and Settings\user\Local Settings\History
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_LOCAL_MACHINE\Software\ClassesProxyBypass: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesIntranetName: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesUNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsd3?:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale1033: Off
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610352
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsa4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsm4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {1F8F8E7B-BC8F-4266-B8BA-AE2A642F9809}
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery1BBA1461BBA146:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610346
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610347
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610348
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610349
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C:\Documents and Settings\user\Application Data
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing019C826E445A4649A5B00BF08FCC4EEE:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610350
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610352
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610353
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordSecurity\Trusted DocumentsLastPurgeTime: 24329539
This file contains an exploit for CVE-2012-0158 and, if the exploit succeeds, drops the malicious payload vmsk.exe.
--Begin Document Content--
Hello!!!!
If you read this it's mean exploit work!!!
--End Document Content--
91.239.232.145
Tags
command-and-control
Ports
Whois
Queried whois.ripe.net with "-B 91.239.232.145"...
% Information related to '91.239.232.0 - 91.239.235.255'
% Abuse contact for '91.239.232.0 - 91.239.235.255' is 'support@netassist.ua'
inetnum: 91.239.232.0 - 91.239.235.255
netname: HOSTPRO-NET5
descr: Hostpro Ltd.
country: UA
org: ORG-HA81-RIPE
admin-c: RS9768-RIPE
tech-c: RS9768-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: HOSTPRO-MNT
mnt-routes: HOSTPRO-MNT
mnt-domains: HOSTPRO-MNT
created: 2012-05-29T08:50:04Z
last-modified: 2015-05-05T01:38:12Z
source: RIPE
sponsoring-org: ORG-NL64-RIPE

organisation: ORG-HA81-RIPE
org-name: Hostpro Ltd.
org-type: OTHER
address: str. Knyazhiy Zaton 2/30
address: Kiev, 02140
address: Ukraine
phone: +380 44 5857796
fax-no: +380 44 5857796
e-mail: info@hostpro.ua
abuse-c: AR24429-RIPE
notify: registry@ip.datagroup.ua
abuse-mailbox: abuse@hostpro.ua
admin-c: HR71-RIPE
tech-c: HR71-RIPE
mnt-ref: HOSTPRO-MNT
mnt-by: HOSTPRO-MNT
created: 2006-11-03T08:44:08Z
last-modified: 2014-11-17T16:39:11Z
source: RIPE

person: Ruba Sergey
address: Ukriane, Kyiv, 02095,str. Knyazhiy Zaton 2/30
phone: +38(044)5857796
nic-hdl: RS9768-RIPE
created: 2009-12-10T11:47:43Z
last-modified: 2014-06-13T11:36:16Z
source: RIPE
mnt-by: HOSTPRO-MNT

% Information related to '91.239.232.0/24AS196645'
route: 91.239.232.0/24
descr: Hostpro Ltd.
origin: AS196645
mnt-by: HOSTPRO-MNT
created: 2016-01-18T10:44:30Z
last-modified: 2016-01-18T10:44:30Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.86 (DB-2)
Relationships
91.239.232.145 | Connected_From | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Tags
CVE-2012-0158, backdoor, trojan
Details
Name | vmsk.exe
Size | 314368 bytes
Type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | f9ea75f082a66a23ea422d2f9412ee9a
SHA1 | b35a5a50d34b04cc8599d50f38330f00784c842f
SHA256 | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
SHA512 | 9704736ba8ef6ff310474686bfd506ec756bd55c235e95c744c593bf34e2d8521db77cfe07b92bbb667e03822cf2ae233728a356c426e1590c6430191b2fe6c0
ssdeep | 6144:Jtzoyb82w53WsGK2YhtfSfVY5t4emDjnw:JFzbFw53NGK2GSNe4eN
Entropy | 6.703364
Antivirus
AegisLab | Trojan.Win32.Dridex.to6K
Ahnlab | Trojan/Win32.Dridex
Antiy | Trojan[Backdoor]/Win32.Dridex
Avira | TR/Crypt.ZPACK.193361
BitDefender | Trojan.GenericKD.3026055
ClamAV | BC.Win.Packer.Troll-14
Cyren | W32/Dridex.YZRG-2092
ESET | Win32/Dridex.AA trojan
Emsisoft | Trojan.GenericKD.3026055 (B)
Ikarus | Trojan.Win32.Dridex
K7 | Trojan ( 004d86461 )
McAfee | PWS-Dridex
Microsoft Security Essentials | Backdoor:Win32/Drixed.M
NANOAV | Trojan.Win32.Dridex.efhcwh
NetGate | Trojan.Win32.Malware
Quick Heal | Backdoor.Drixed.B5
Sophos | Troj/Agent-AQDZ
Symantec | Trojan.Cridex
Systweak | trojan.crypt
TACHYON | Backdoor/W32.Dridex.314368
TrendMicro | TSPY_DRIDEX.BYX
TrendMicro House Call | TSPY_DRIDEX.BYX
Vir.IT eXplorer | Trojan.Win32.Inject3.ZTI
VirusBlokAda | Backdoor.Dridex
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2016-02-03 04:50:28-05:00
Import Hash | 467a98e7c853ed981c187e5441038bff
Company Name | CACE Technologies, Inc.
File Description | Adding Cautionary Quotation Spec Determine
Legal Copyright | 2006-2014
Original Filename | LogicalSell.exe
Product Name | LogicalSell
Product Version | 7.7.4.5
PE Sections
MD5 | Name | Raw Size | Entropy
7fc0b7057e44606ffa404636be57a8f6 | header | 1024 | 2.648089
e03be0a6e325899826686df1e7511ec9 | .text | 175104 | 7.063227
2131ca512ddfc2db851eef1f9761fb7e | .rdata | 35328 | 6.990231
6313685a326e0e8d6fd7ab24f171ecd9 | .data | 4608 | 2.436517
bf619eac0cdf3f68d496ea9344137e8b | .tls | 512 | 0.000000
fa8873c6bcdd98c1aa18b3471f687b9f | .rsrc | 97792 | 4.929244
Relationships
993c03b028... | Dropped_By | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Description
Process Tree:
- vmsk.exe 1380 (1132)
vmsk.exe (1380) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
File activity:
write, PIPE\lsarpc
write, PIPE\ROUTER
Registry activity (UTF-16 string values decoded to plain text):
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C:\Documents and Settings\All Users\Application Data
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C:\Documents and Settings\user\Application Data
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C:\Documents and Settings\user\Local Settings\Temporary Internet Files
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C:\Documents and Settings\user\Cookies
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C:\Documents and Settings\user\Local Settings\History
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1
This file is a Dridex Trojan payload that connects out to IP address 91.239.232.145 over port 1743.
Relationship Summary
41791fd591... | Connected_To | 91.239.232.145
41791fd591... | Dropped | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
91.239.232.145 | Connected_From | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b028... | Dropped_By | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or contact@mail.cisa.dhs.gov.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.