Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.
Summary
Description
This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.
CISA received one artifact for analysis, Emailed Invoice - 1019701.msg. This email message contained the attachment Invoice_101970~1.doc, which contains an exploit for CVE-2012-0158 and, if the exploit succeeds, drops a Dridex Trojan payload.
This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.
Analysis Environment: windows_xp_sp3, 32_bit
For a downloadable copy of IOCs, see MIFR-10050855-1.v2.stix.
Files (3)
41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4 (Invoice_101970~1.doc)
993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67 (vmsk.exe)
f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49 (Emailed Invoice - 1019701.msg)
IPs (1)
91.239.232.145
Findings
f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Tags
CVE-2012-0158, trojan
Details
Name | Emailed Invoice - 1019701.msg
Size | 556544 bytes
Type | CDFV2 Microsoft Outlook Message
MD5 | 5b23662452c12c4f95adaeafe2614e9a
SHA1 | 409810256090f7f755f8653834cacb62adfa675e
SHA256 | f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
SHA512 | 3fa0e32ca97bf86d21077aebbcb0243b28945a90bc21a9f6719f22f845b4ebfbf89e4b26fdb84639c33ddda5c57ad926cf9136a9a37aa9527a660a03e390f79b
ssdeep | 12288:O8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy:O8MFkp1Wfm99ej2yq9Tc7b3E
Entropy | 7.266701
Antivirus
Ahnlab | RTF/Exploit
Avira | VBS/Dldr.Agent.nimx.4
BitDefender | Exploit.RTF.CVE-2012-0158.G
ClamAV | Rtf.Exploit.CVE_2012_0158-24
Cyren | CVE-2012-0158!Camelot
ESET | Win32/Exploit.CVE-2012-0158.ABR trojan
Ikarus | Exploit.CVE-2012-0158
McAfee | Generic Exploit.af
NANOAV | Exploit.Rtf.Heuristic-rtf.dinbqn
Quick Heal | Exp.RTF.CVE-2012-0158.A
Sophos | Troj/DocDrop-FK
TrendMicro | TROJ_CV.E4BFFC95
TrendMicro House Call | TROJ_CV.E4BFFC95
YARA Rules
No matches found.
ssdeep Matches
97 | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
96 | 5397af3fe2e731c8392347bad05e9e7fe4fa25273bd1ec7002f1ffbc89b7c7a5
Description
Process Tree:
- cmd.exe 748 (1420)
- - cmd.exe 1864 (748)
File activity:
execute, cmd.exe
The email message contains the malicious attachment Invoice_101970~1.doc.
--Begin Email Headers--
Received: from [REDACTED] by [REDACTED] with Microsoft SMTP Server id 8.3.406.0; Wed, 3 Feb 2016
10:41:12 -0500
Authentication-Results: [REDACTED]; dkim=None (message not signed) header.i=none; spf=PermError smtp.mailfrom=yvonne@direct-electrical.com; spf=None smtp.helo=postmaster@[200.236.65.6]
Received-SPF: PermError ([REDACTED]: cannot correctly interpret
sender authenticity information from domain of
yvonne@direct-electrical.com) identity=mailfrom;
client-ip=200.236.65.6; receiver=[REDACTED];
envelope-from="yvonne@direct-electrical.com";
x-sender="yvonne@direct-electrical.com";
x-conformance=spf_only; x-record-type="v=spf1"
Received-SPF: None ([REDACTED]: no sender authenticity
information available from domain of
postmaster@[200.236.65.6]) identity=helo;
client-ip=200.236.65.6; receiver=[REDACTED];
envelope-from="yvonne@direct-electrical.com";
x-sender="postmaster@[200.236.65.6]"; x-conformance=spf_only
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AdJAC5HbJWVAZB7MiCbAUBxmECAgEtCAg
X-IronPort-AV: E=Sophos;i="5.22,391,1449550800";
d="doc'212?scan'212,208,212";a="30714064"
Received: from unknown (HELO [200.236.65.6]) ([200.236.65.6]) by [REDACTED]
with ESMTP; 03 Feb 2016 10:41:04 -0500
From: "yvonne@direct-electrical.com" <yvonne@direct-electrical.com>
To: [REDACTED]
Subject: Emailed Invoice - 101970:1
Date: Wed, 3 Feb 2016 09:41:03 -0500
Message-ID: <56a74b1c.d7bc1c0a.c68bd.ffffb6a7@mx.google.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_07BB_01D15909.472F8790"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFWN1DoL0ELw7e2BKf2LERCeWAK4A==
Return-Path: yvonne@direct-electrical.com
--End Email Headers--
41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Tags
CVE-2012-0158, downloader, dropper, trojan
Details
Name | Invoice_101970~1.doc
Size | 522803 bytes
Type | Rich Text Format data, version 1, unknown character set
MD5 | 99cf22f4adeb6baf887de7e1eecc4b9e
SHA1 | a36c4225af317b6ce3aa6fc14959402e9d6165ab
SHA256 | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
SHA512 | 91dfab514dbdda51e2964db4bf01e7fb7a8c4ede4ea36203b32a29eed36ae605ae2900d692fc247d6cce682c364fadef46c50b1d3af7ed833a1b519f517c10e6
ssdeep | 12288:a8MFkp0CZ95suKFw2m99ej2l70q9TccyW4Xe4sqy5:a8MFkp1Wfm99ej2yq9Tc7b3E5
Entropy | 7.312316
Antivirus
Ahnlab | RTF/Exploit
Antiy | Trojan/Generic.ASExplot.62
Avira | VBS/Dldr.Agent.nimx.4
BitDefender | Exploit.RTF.CVE-2012-0158.G
ClamAV | Rtf.Exploit.CVE_2012_0158-24
Cyren | CVE-2012-0158!Camelot
ESET | Win32/Exploit.CVE-2012-0158.ABR trojan
Emsisoft | Exploit.RTF.CVE-2012-0158.G (B)
Ikarus | Exploit.CVE-2012-0158
McAfee | Generic Exploit.af
Microsoft Security Essentials | TrojanDropper:O97M/Drixed
NANOAV | Exploit.Rtf.Heuristic-rtf.dinbqn
NetGate | Exploit.Win32.Generic
Quick Heal | Exp.RTF.CVE-2012-0158.A
Sophos | Troj/DocDrop-FK
Symantec | W97M.Downloader
TACHYON | Exploit.RTF.CVE-2012-0158.G
TrendMicro | TROJ_CV.E4BFFC95
TrendMicro House Call | TROJ_CV.E4BFFC95
YARA Rules
No matches found.
ssdeep Matches
96 | d7958a4984bca10fe9f76a9d42b7ce2f50c031d5878ee54af54a2e560762d678
97 | f2aad8db0218789c3180981c00110c9fe82a873eee6ab48bc8ef652dae557c49
Relationships
41791fd591... | Connected_To | 91.239.232.145
41791fd591... | Dropped | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Description
Process Tree:
- WINWORD.EXE 1380 (1132)
- - vmsk.exe 1620 (1380)
- - cmd.exe 1608 (1380)
- - - reg.exe 2004 (1608)
- - cmd.exe 1932 (1380)
- - - reg.exe 1452 (1932)
- - cmd.exe 964 (1380)
- - - reg.exe 1720 (964)
- - cmd.exe 1192 (1380)
- - - WINWORD.EXE 420 (1192)
vmsk.exe (1620) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
WINWORD.EXE (420) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~DF5A45.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{0BAD88AD-3924-4EA9-A6C1-AB4401A42EC2}.tmp
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\review.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\UProof\CUSTOM.DIC
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, C:\Program Files\Microsoft Office\OFFICE14\PROOF\MSGR3EN.LEX
WINWORD.EXE (1380) API behavior:
NtCreateFile, PIPE\lsarpc
NtCreateFile, MountPointManager
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRF{2AB6E542-2C73-4F67-A355-6BD5A07CE617}.tmp
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
NtCreateFile, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
File activity:
write, PIPE\lsarpc
write, C:\Documents and Settings\user\Application Data\Microsoft\Templates\~$Normal.dotm
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{3C9F9EB9-1F08-4FB8-97AF-50FF138A66F8}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$voice_1019701.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
execute, C:\DOCUME~1\user\LOCALS~1\Temp\vmsk.exe
write, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\DOCUME~1\user\LOCALS~1\Temp\Invoice_1019701.doc
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, cmd.exe /c "C:\DOCUME~1\user\LOCALS~1\Temp\document.doc"
write, PIPE\ROUTER
execute, reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\15.0\Word\Resiliency" /F
execute, reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
execute, C:\DOCUME~1\user\LOCALS~1\Temp\document.doc
write, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.Word\~WRS{998EF836-BA09-4683-B899-C4FFB00E51CE}.tmp
write, C:\DOCUME~1\user\LOCALS~1\Temp\~$cument.doc
Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsqz=:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610313
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610349
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610350
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems9{=:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersDesktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56972-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8ed56970-8b61-11e4-ab5b-806d6172696f}\BaseClass: D\x00r\x00i\x00v\x00e\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersPersonal: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00M\x00y\x00 \x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Documents: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon Desktop: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00D\x00e\x00s\x00k\x00t\x00o\x00p\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersLocal AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems%|=:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610314
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610315
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610317
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610320
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610322
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610323
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610325
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610327
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1216610305
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersCommon AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsDirectory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPaths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath1CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath2CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath3CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePathsPath4CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHistory: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsMigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet SettingsProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003Software\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSavedLegacySettings:
write, HKEY_LOCAL_MACHINE\Software\ClassesProxyBypass: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesIntranetName: 1
write, HKEY_LOCAL_MACHINE\Software\ClassesUNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsd3?:
write, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale1033: O\x00f\x00f\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1216610352
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsa4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsm4?:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x001\x00F\x008\x00F\x008\x00E\x007\x00B\x00-\x00B\x00C\x008\x00F\x00-\x004\x002\x006\x006\x00-\x00B\x008\x00B\x00A\x00-\x00A\x00E\x002\x00A\x006\x004\x002\x00F\x009\x008\x000\x009\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordFile MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery1BBA1461BBA146:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610329
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610330
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610346
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610347
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\UsageSpellingAndGrammarFiles_3082: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610331
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\UsageSpellingAndGrammarFiles_1036: 1216610332
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610348
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610349
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersAppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonLicensing019C826E445A4649A5B00BF08FCC4EEE:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610350
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610351
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610352
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\UsageSpellingAndGrammarFiles_1033: 1216610353
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordSecurity\Trusted DocumentsLastPurgeTime: 24329539
This file contains an exploit for CVE-2012-0158 and, if the exploit succeeds, drops the malicious payload vmsk.exe.
--Begin Document Content--
Hello!!!!
If you read this it's mean exploit work!!!
--End Document Content--
91.239.232.145
Tags
command-and-control
Ports
Whois
Queried whois.ripe.net with "-B 91.239.232.145"...
% Information related to '91.239.232.0 - 91.239.235.255'
% Abuse contact for '91.239.232.0 - 91.239.235.255' is 'support@netassist.ua'
inetnum: 91.239.232.0 - 91.239.235.255
netname: HOSTPRO-NET5
descr: Hostpro Ltd.
country: UA
org: ORG-HA81-RIPE
admin-c: RS9768-RIPE
tech-c: RS9768-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: HOSTPRO-MNT
mnt-routes: HOSTPRO-MNT
mnt-domains: HOSTPRO-MNT
created: 2012-05-29T08:50:04Z
last-modified: 2015-05-05T01:38:12Z
source: RIPE
sponsoring-org: ORG-NL64-RIPE
organisation: ORG-HA81-RIPE
org-name: Hostpro Ltd.
org-type: OTHER
address: str. Knyazhiy Zaton 2/30
address: Kiev, 02140
address: Ukraine
phone: +380 44 5857796
fax-no: +380 44 5857796
e-mail: info@hostpro.ua
abuse-c: AR24429-RIPE
notify: registry@ip.datagroup.ua
abuse-mailbox: abuse@hostpro.ua
admin-c: HR71-RIPE
tech-c: HR71-RIPE
mnt-ref: HOSTPRO-MNT
mnt-by: HOSTPRO-MNT
created: 2006-11-03T08:44:08Z
last-modified: 2014-11-17T16:39:11Z
source: RIPE
person: Ruba Sergey
address: Ukriane, Kyiv, 02095,str. Knyazhiy Zaton 2/30
phone: +38(044)5857796
nic-hdl: RS9768-RIPE
created: 2009-12-10T11:47:43Z
last-modified: 2014-06-13T11:36:16Z
source: RIPE
mnt-by: HOSTPRO-MNT
% Information related to '91.239.232.0/24AS196645'
route: 91.239.232.0/24
descr: Hostpro Ltd.
origin: AS196645
mnt-by: HOSTPRO-MNT
created: 2016-01-18T10:44:30Z
last-modified: 2016-01-18T10:44:30Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.86 (DB-2)
Relationships
91.239.232.145 | Connected_From | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
Tags
CVE-2012-0158, backdoor, trojan
Details
Name | vmsk.exe
Size | 314368 bytes
Type | PE32 executable (GUI) Intel 80386, for MS Windows
MD5 | f9ea75f082a66a23ea422d2f9412ee9a
SHA1 | b35a5a50d34b04cc8599d50f38330f00784c842f
SHA256 | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
SHA512 | 9704736ba8ef6ff310474686bfd506ec756bd55c235e95c744c593bf34e2d8521db77cfe07b92bbb667e03822cf2ae233728a356c426e1590c6430191b2fe6c0
ssdeep | 6144:Jtzoyb82w53WsGK2YhtfSfVY5t4emDjnw:JFzbFw53NGK2GSNe4eN
Entropy | 6.703364
Antivirus
AegisLab | Trojan.Win32.Dridex.to6K
Ahnlab | Trojan/Win32.Dridex
Antiy | Trojan[Backdoor]/Win32.Dridex
Avira | TR/Crypt.ZPACK.193361
BitDefender | Trojan.GenericKD.3026055
ClamAV | BC.Win.Packer.Troll-14
Cyren | W32/Dridex.YZRG-2092
ESET | Win32/Dridex.AA trojan
Emsisoft | Trojan.GenericKD.3026055 (B)
Ikarus | Trojan.Win32.Dridex
K7 | Trojan ( 004d86461 )
McAfee | PWS-Dridex
Microsoft Security Essentials | Backdoor:Win32/Drixed.M
NANOAV | Trojan.Win32.Dridex.efhcwh
NetGate | Trojan.Win32.Malware
Quick Heal | Backdoor.Drixed.B5
Sophos | Troj/Agent-AQDZ
Symantec | Trojan.Cridex
Systweak | trojan.crypt
TACHYON | Backdoor/W32.Dridex.314368
TrendMicro | TSPY_DRIDEX.BYX
TrendMicro House Call | TSPY_DRIDEX.BYX
Vir.IT eXplorer | Trojan.Win32.Inject3.ZTI
VirusBlokAda | Backdoor.Dridex
YARA Rules
No matches found.
ssdeep Matches
No matches found.
PE Metadata
Compile Date | 2016-02-03 04:50:28-05:00
Import Hash | 467a98e7c853ed981c187e5441038bff
Company Name | CACE Technologies, Inc.
File Description | Adding Cautionary Quotation Spec Determine
Legal Copyright | 2006-2014
Original Filename | LogicalSell.exe
Product Name | LogicalSell
Product Version | 7.7.4.5
PE Sections
MD5 | Name | Raw Size | Entropy
7fc0b7057e44606ffa404636be57a8f6 | header | 1024 | 2.648089
e03be0a6e325899826686df1e7511ec9 | .text | 175104 | 7.063227
2131ca512ddfc2db851eef1f9761fb7e | .rdata | 35328 | 6.990231
6313685a326e0e8d6fd7ab24f171ecd9 | .data | 4608 | 2.436517
bf619eac0cdf3f68d496ea9344137e8b | .tls | 512 | 0.000000
fa8873c6bcdd98c1aa18b3471f687b9f | .rsrc | 97792 | 4.929244
Relationships
993c03b028... | Dropped_By | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Description
Process Tree:
- vmsk.exe 1380 (1132)
vmsk.exe (1380) API behavior:
getaddrinfo, 91.239.232.145
NtCreateFile, C:\WINDOWS\Registration\R000000000007.clb
NtCreateFile, PIPE\lsarpc
NtCreateFile, C:\WINDOWS\system32\rsaenh.dll
NtCreateFile, PIPE\ROUTER
NtCreateFile, c:\autoexec.bat
NtCreateFile, C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat
NtCreateFile, C:\Documents and Settings\user\Cookies\index.dat
NtCreateFile, C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat
File activity:
write, PIPE\lsarpc
write, PIPE\ROUTER
Registry activity:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00A\x00l\x00l\x00 \x00U\x00s\x00e\x00r\x00s\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00A\x00p\x00p\x00l\x00i\x00c\x00a\x00t\x00i\x00o\x00n\x00 \x00D\x00a\x00t\x00a\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00T\x00e\x00m\x00p\x00o\x00r\x00a\x00r\x00y\x00 \x00I\x00n\x00t\x00e\x00r\x00n\x00e\x00t\x00 \x00F\x00i\x00l\x00e\x00s\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Directory: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Paths: 4
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path1\CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache1\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path2\CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache2\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path3\CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache3\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path4\CachePath: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\Cache4\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path1\CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path2\CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path3\CacheLimit: 81830
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CachePaths\Path4\CacheLimit: 81830
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00C\x00o\x00o\x00k\x00i\x00e\x00s\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History: C\x00:\x00\\x00D\x00o\x00c\x00u\x00m\x00e\x00n\x00t\x00s\x00 \x00a\x00n\x00d\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00u\x00s\x00e\x00r\x00\\x00L\x00o\x00c\x00a\x00l\x00 \x00S\x00e\x00t\x00t\x00i\x00n\x00g\x00s\x00\\x00H\x00i\x00s\x00t\x00o\x00r\x00y\x00\x00\x00
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy: 1
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0
write, HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable: 0
write, HKEY_USERS\S-1-5-21-746137067-839522115-1060284298-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 1
This file is a Dridex Trojan payload that connects out to IP address 91.239.232.145 over port 1743.
Relationship Summary
41791fd591... | Connected_To | 91.239.232.145
41791fd591... | Dropped | 993c03b02820be8d8128b85ad6423d06341deb964794d032bf867415888f3f67
91.239.232.145 | Connected_From | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
993c03b028... | Dropped_By | 41791fd591230f430fb33d8f9b4f0812971c99e05a7c7691e3502ba1cc45f9b4
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.
Can I submit malware to CISA? Malware samples can be submitted via three methods:
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.