Archived Content

In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Analysis Report

MIFR-10050855-1.v2

Last Revised
Alert Code
AR20-133K
 

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

CISA received one artifact for analysis, Emailed Invoice - 1019701.msg. This email message contained the attachment, Invoice_101970~1.doc, that contains the exploit CVE-2012-0158 and drops a Dridex Trojan payload if successful.

This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.

Analysis Environment: windows_xp_sp3, 32_bit

For a downloadable copy of IOCs, see MIFR-10050855-1.v2.stix.

Files (3)

41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4 (Invoice_101970~1.doc)

993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67 (vmsk.exe)

f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49 (Emailed Invoice - 1019701.msg)

IPs (1)

91.239.232.145

Findings

f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49

Tags

CVE-2012-0158trojan

Details
Name Emailed Invoice - 1019701.msg
Size 556544 bytes
Type CDFV2 Microsoft Outlook Message
MD5 5b23662452c12c4f95adaeafe2614e9a
SHA1 409810256090f7f755f8653834cacb62adfa675e
SHA256 f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
SHA512 3fa0e32ca97bf86d21077aebbcb0243b28945a90bc21a9f6719f22f845b4ebfbf89e4b26fdb84639c33ddda5c57ad926cf9136a9a37aa9527a660a03e390f79b
ssdeep 12288:O8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy:O8MFkp1Wfm99ej2yq9Tc7b3E
Entropy 7.266701
Antivirus
Ahnlab RTF/Exploit
Avira VBS/Dldr.Agent.nimx.4
BitDefender Exploit.RTF.CVE-2012-0158.G
ClamAV Rtf.Exploit.CVE_2012_0158-24
Cyren CVE-2012-0158!Camelot
ESET Win32/Exploit.CVE-2012-0158.ABR trojan
Ikarus Exploit.CVE-2012-0158
McAfee Generic Exploit.af
NANOAV Exploit.Rtf.Heuristic-rtf.dinbqn
Quick Heal Exp.RTF.CVE-2012-0158.A
Sophos Troj/DocDrop-FK
TrendMicro TROJ_CV.E4BFFC95
TrendMicro House Call TROJ_CV.E4BFFC95
YARA Rules

No matches found.

ssdeep Matches
97 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
96 5397af3fe2e731c8392347bad05e9e7fe4fa25273bd1ec7002f1ffbc89b7c7a5
Description

Process Tree:
- cmd.exe 748 (1420)
- - cmd.exe 1864 (748)

File activity:
execute, cmd.exe

The email message contains the malicious attachment Invoice_101970~1.doc.

--Begin Email Headers--

Received: from [REDACTED] by [REDACTED] with Microsoft SMTP Server id 8.3.406.0; Wed, 3 Feb 2016
10:41:12 -0500
Authentication-Results: [REDACTED]; dkim=None (message not signed) header.i=none; spf=PermError smtp.mailfrom=yvonne@direct-electrical.com; spf=None smtp.helo=postmaster@[200.236.65.6]
Received-SPF: PermError ([REDACTED]: cannot correctly interpret
sender authenticity information from domain of
yvonne@direct-electrical.com) identity=mailfrom;
client-ip=200.236.65.6; receiver=[REDACTED];
envelope-from="yvonne@direct-electrical.com";
x-sender="yvonne@direct-electrical.com";
x-conformance=spf_only; x-record-type="v=spf1"
Received-SPF: None ([REDACTED]: no sender authenticity
information available from domain of
postmaster@[200.236.65.6]) identity=helo;
client-ip=200.236.65.6; receiver=[REDACTED];
envelope-from="yvonne@direct-electrical.com";
x-sender="postmaster@[200.236.65.6]"; x-conformance=spf_only
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AdJAC5HbJWVAZB7MiCbAUBxmECAgEtCAg
X-IronPort-AV: E=Sophos;i="5.22,391,1449550800";
d="doc'212?scan'212,208,212";a="30714064"
Received: from unknown (HELO [200.236.65.6]) ([200.236.65.6]) by [REDACTED]
with ESMTP; 03 Feb 2016 10:41:04 -0500
From: "yvonne@direct-electrical.com" <yvonne@direct-electrical.com>
To: [REDACTED]
Subject: Emailed Invoice - 101970:1
Date: Wed, 3 Feb 2016 09:41:03 -0500
Message-ID: <56a74b1c.d7bc1c0a.c68bd.ffffb6a7@mx.google.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_07BB_01D15909.472F8790"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFWN1DoL0ELw7e2BKf2LERCeWAK4A==
Return-Path: yvonne@direct-electrical.com

--End Email Headers--

Screenshots

None -

41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

Tags

CVE-2012-0158downloaderdroppertrojan

Details
Name Invoice_101970~1.doc
Size 522803 bytes
Type Rich Text Format data, version 1, unknown character set
MD5 99cf22f4adeb6baf887de7e1eecc4b9e
SHA1 a36c4225af317b6ce3aa6fc14959402e9d6165ab
SHA256 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
SHA512 91dfab514dbdda51e2964db4bf01e7fb7a8c4ede4ea36203b32a29eed36ae605ae2900d692fc247d6cce682c364fadef46c50b1d3af7ed833a1b519f517c10e6
ssdeep 12288:a8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy5:a8MFkp1Wfm99ej2yq9Tc7b3E5
Entropy 7.312316
Antivirus
Ahnlab RTF/Exploit
Antiy Trojan/Generic.ASExplot.62
Avira VBS/Dldr.Agent.nimx.4
BitDefender Exploit.RTF.CVE-2012-0158.G
ClamAV Rtf.Exploit.CVE_2012_0158-24
Cyren CVE-2012-0158!Camelot
ESET Win32/Exploit.CVE-2012-0158.ABR trojan
Emsisoft Exploit.RTF.CVE-2012-0158.G (B)
Ikarus Exploit.CVE-2012-0158
McAfee Generic Exploit.af
Microsoft Security Essentials TrojanDropper:O97M/Drixed
NANOAV Exploit.Rtf.Heuristic-rtf.dinbqn
NetGate Exploit.Win32.Generic
Quick Heal Exp.RTF.CVE-2012-0158.A
Sophos Troj/DocDrop-FK
Symantec W97M.Downloader
TACHYON Exploit.RTF.CVE-2012-0158.G
TrendMicro TROJ_CV.E4BFFC95
TrendMicro House Call TROJ_CV.E4BFFC95
YARA Rules

No matches found.

ssdeep Matches
96 d7958a4984bca10fe9f76a9d42b7ce2f50c031d5878ee54af54a2e560762d678
97 f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Relationships
41791fd591... Connected_To 91.239.232.145
41791fd591... Dropped 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Description

Process Tree:
- WINWORD.EXE 1380 (1132)
- - vmsk.exe 1620 (1380)
- - cmd.exe 1608 (1380)
- - - reg.exe 2004 (1608)
- - cmd.exe 1932 (1380)
- - - reg.exe 1452 (1932)
- - cmd.exe 964 (1380)
- - - reg.exe 1720 (964)
- - cmd.exe 1192 (1380)
- - - WINWORD.EXE 420 (1192)

vmsk.exe (1620) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat

WINWORD.EXE (420) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~DF5A45.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{0BAD88AD-3924-4EA9-A6C1-AB4401A42EC2}.tmp
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\review.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\UProof\CUSTOM.DIC
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, C:\Program Files\Microsoft Office\OFFICE14\PROOF\MSGR3EN.LEX

WINWORD.EXE (1380) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRF{2AB6E542-2C73-4F67-A355-6BD5A07CE617}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc

File activity:
write, PIPE\lsarpc
write, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
execute, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
write, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, cmd.exe /c "C:\DOCUME~1\user\LOCALS~1\Temp\document.doc"
write, PIPE\ROUTER
execute, reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsqz=:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610313
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610349
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610350
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems9{=:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56972-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56970-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersPersonal: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Documents: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Desktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems%|=:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610314
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610315
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610317
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610320
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610322
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610323
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610325
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610327
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1216610305
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_LOCAL_MACHINE\Software\ClassesProxyBypass: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesIntranetName: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesUNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsd3?:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610352
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsa4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsm4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x00F\x008\x00F\x008\x00E\x007\x00B\x00-\x00B\x00C\x008\x00F\x00-\x004\x002\x006\x006\x00-\x00B\x008\x00B\x00A\x00-\x00A\x00E\x002\x00A\x006\x004\x002\x00F\x009\x008\x000\x009\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery1BBA1461BBA146:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610346
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610347
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610348
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610349
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing019C826E445A4649A5B00BF08FCC4EEE:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610350
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610352
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610353
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordSecurity\Trusted DocumentsLastPurgeTime: 24329539

This file contains the exploit CVE-2012-0158 and if successful drops the malicious payload vmsk.exe.

--Begin Document Content--

Hello!!!!

If you read this it's mean exploit work!!!

--End Document Content--

Screenshots

None -

91.239.232.145

Tags

command-and-control

Ports
  • 1743 TCP
Whois

Queried whois.ripe.net with "-B 91.239.232.145"...

% Information related to '91.239.232.0 - 91.239.235.255'

% Abuse contact for '91.239.232.0 - 91.239.235.255' is 'support@netassist.ua'

inetnum:        91.239.232.0 - 91.239.235.255
netname:        HOSTPRO-NET5
descr:         Hostpro Ltd.
country:        UA
org:            ORG-HA81-RIPE
admin-c:        RS9768-RIPE
tech-c:         RS9768-RIPE
status:         ASSIGNED PI
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         HOSTPRO-MNT
mnt-routes:     HOSTPRO-MNT
mnt-domains:    HOSTPRO-MNT
created:        2012-05-29T08:50:04Z
last-modified: 2015-05-05T01:38:12Z
source:         RIPE
sponsoring-org: ORG-NL64-RIPE

organisation: ORG-HA81-RIPE
org-name:     Hostpro Ltd.
org-type:     OTHER
address:        str. Knyazhiy Zaton 2/30
address:        Kiev, 02140
address:        Ukraine
phone:         +380 44 5857796
fax-no:         +380 44 5857796
e-mail:         info@hostpro.ua
abuse-c:        AR24429-RIPE
notify:         registry@ip.datagroup.ua
abuse-mailbox: abuse@hostpro.ua
admin-c:        HR71-RIPE
tech-c:         HR71-RIPE
mnt-ref:        HOSTPRO-MNT
mnt-by:         HOSTPRO-MNT
created:        2006-11-03T08:44:08Z
last-modified: 2014-11-17T16:39:11Z
source:         RIPE

person:         Ruba Sergey
address:        Ukriane, Kyiv, 02095,str. Knyazhiy Zaton 2/30
phone:         +38(044)5857796
nic-hdl:        RS9768-RIPE
created:        2009-12-10T11:47:43Z
last-modified: 2014-06-13T11:36:16Z
source:         RIPE
mnt-by:         HOSTPRO-MNT

% Information related to '91.239.232.0/24AS196645'

route:         91.239.232.0/24
descr:         Hostpro Ltd.
origin:         AS196645
mnt-by:         HOSTPRO-MNT
created:        2016-01-18T10:44:30Z
last-modified: 2016-01-18T10:44:30Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.86 (DB-2)

Relationships
91.239.232.145 Connected_From 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67

Tags

CVE-2012-0158backdoortrojan

Details
Name vmsk.exe
Size 314368 bytes
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 f9ea75f082a66a23ea422d2f9412ee9a
SHA1 b35a5a50d34b04cc8599d50f38330f00784c842f
SHA256 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
SHA512 9704736ba8ef6ff310474686bfd506ec756bd55c235e95c744c593bf34e2d8521db77cfe07b92bbb667e03822cf2ae233728a356c426e1590c6430191b2fe6c0
ssdeep 6144:Jtzoyb82w53WsGK2YhtfSfVY5t4emDjnw:JFzbFw53NGK2GSNe4eN
Entropy 6.703364
Antivirus
AegisLab Trojan.Win32.Dridex.to6K
Ahnlab Trojan/Win32.Dridex
Antiy Trojan[Backdoor]/Win32.Dridex
Avira TR/Crypt.ZPACK.193361
BitDefender Trojan.GenericKD.3026055
ClamAV BC.Win.Packer.Troll-14
Cyren W32/Dridex.YZRG-2092
ESET Win32/Dridex.AA trojan
Emsisoft Trojan.GenericKD.3026055 (B)
Ikarus Trojan.Win32.Dridex
K7 Trojan ( 004d86461 )
McAfee PWS-Dridex
Microsoft Security Essentials Backdoor:Win32/Drixed.M
NANOAV Trojan.Win32.Dridex.efhcwh
NetGate Trojan.Win32.Malware
Quick Heal Backdoor.Drixed.B5
Sophos Troj/Agent-AQDZ
Symantec Trojan.Cridex
Systweak trojan.crypt
TACHYON Backdoor/W32.Dridex.314368
TrendMicro TSPY_DRIDEX.BYX
TrendMicro House Call TSPY_DRIDEX.BYX
Vir.IT eXplorer Trojan.Win32.Inject3.ZTI
VirusBlokAda Backdoor.Dridex
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-02-03 04:50:28-05:00
Import Hash 467a98e7c853ed981c187e5441038bff
Company Name CACE Technologies, Inc.
File Description Adding Cautionary Quotation Spec Determine
Legal Copyright 2006-2014
Original Filename LogicalSell.exe
Product Name LogicalSell
Product Version 7.7.4.5
PE Sections
MD5 Name Raw Size Entropy
7fc0b7057e44606ffa404636be57a8f6 header 1024 2.648089
e03be0a6e325899826686df1e7511ec9 .text 175104 7.063227
2131ca512ddfc2db851eef1f9761fb7e .rdata 35328 6.990231
6313685a326e0e8d6fd7ab24f171ecd9 .data 4608 2.436517
bf619eac0cdf3f68d496ea9344137e8b .tls 512 0.000000
fa8873c6bcdd98c1aa18b3471f687b9f .rsrc 97792 4.929244
Relationships
993c03b028... Dropped_By 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Description

Process Tree:
- vmsk.exe 1380 (1132)

vmsk.exe (1380) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat

File activity:
write, PIPE\lsarpc
write, PIPE\ROUTER

Registry activity:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1

This file is a Dridex Trojan payload that connects out to IP address 91.239.232.145 over port 1743.

Relationship Summary

41791fd591... Connected_To 91.239.232.145
41791fd591... Dropped 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
91.239.232.145 Connected_From 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b028... Dropped_By 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or contact@mail.cisa.dhs.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.