Denial of Service (DoS) attacks are still very much in vogue with cybercriminals. They are used for extortion attempts, to attack competitors or detractors, as an ideological statement, as a service for hire, or simply “for teh lulz.” As anti-DoS methods become more sophisticated so do the DoS techniques, becoming harder to stop or take down by turning into distributed (DDoS) among stolen or hacked end-points. Some DDoS methods even use distributed, public systems that aren’t hacked or stolen, but still offer a means for a reflected attack (DrDoS) such as the widespread Network Time Protocol (NTP) DrDoS attacks seen over the past several years.

In the spirit of discovering and exposing potential future cybercrime methods, this research focuses on determining the viability of DrDoS attacks using public-facing email validation protocols. With knowledge of attack anatomy white hats can better understand the threat landscape while building their unique threat models, and if need be, build and configure defenses against such potential protocol abuses. Fortunately, or unfortunately, depending on your reference point, the findings of this research conclude that these types of attacks are likely not to be a widespread threat given the current sets of in-the-wild email server configurations; though this may change in the future as more systems come online and configuration habits shift.

We know what sort of returns we can get for DDoS leveraging SPF in large part through the work of Douglas Otis. However, given other DDoS vectors available (DNS, NTP, etc.) using SPF alone doesn’t have much of a bite. The idea here was to try and also leverage other email validation protocols that may be configured for a mail server also employing SPF, a stacked attack. Following a review of the DomainKeys Identified Mail (DKIM) protocol RFC it was discovered that there are instances where the specification suggests using reply codes: 4xx, 451/4.7.5, and 550/5.7.x specifically. This suggests mail server configurations that may reply to messages that meet, or fail, certain criteria.

However, of the 20 in-the-wild sample servers (located in the United States, France, Germany, Hungary, and Taiwan), zero responded to invalid DKIM headers. As with the DKIM RFC, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol RFC has a configuration suggestion for issuing a 5xy reply code for failed messages as well as a security discussion for External Reporting features of DMARC. Both of these vectors seemed promising for possible exploitation. Of the 20 in-the-wild servers tested, (located in the United States, the United Kingdom, France, Canada, and Switzerland) only four replied with a failure code and zero offered External Reporting services.

While subject to future change, these findings suggest that the current, real-world landscape does not lend itself to leveraging these validation protocols for any serious volume of DrDoS.

According to the 2019 Verizon Data Breach Investigations Report, there was a noticeable shift toward financially motivated crime (80 percent), with 35 percent of all breaches occurring as a result of human error, and approximately one quarter of breaches occurring through web application attacks. These attacks were mostly attributable to the use of stolen credentials used to access cloud-based email.

Another fun fact: social engineering attacks are increasingly more successful, and the primary target is the C-suite. These executives are 12x more likely to be targeted than other members of an organization, and 9x more likely to be the target of these social breaches than previous years. Verizon notes that a successful pretexting attack on a senior executive helps them to hit the jackpot, as 12 percent of all breaches analyzed occurred for financially motivated reasons, and their approval authority and privileged access to critical systems often goes unchallenged.

“Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to get through,” the Verizon DBIR states. “The increasing success of social attacks such as business email compromises (BECs, which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime.”

Retailers Are Most Vulnerable at the Application Layer

The good news for consumers and retailers alike are that the days of POS compromises or skimmers at the gas-pump appear to be numbered, as these card breaches continue to decline in this report. The not-so-good news is that these attacks are, instead, primarily occurring against e-commerce payment applications and web application attacks. Indeed, the report shows that web applications, privilege misuse, and miscellaneous errors make up 81 percent of breaches for retail organizations.

What’s more, 62 percent of breaches and 39 percent of incidents occur at the web application layer. While it is unclear exactly how the web applications were compromised in some cases, it’s assumed that attackers are scanning for specific web app vulnerabilities, exploiting them to gain access, inserting some kind of malware, and harvesting payment card data to create a profit.

The report notes, “We have seen webshell backdoors involved in between the initial hack and introduction of malware in prior breaches. While that action was not recorded in significant numbers in this data set, it is an additional breadcrumb to look for in detection efforts. In brief, vulnerable internet-facing e-commerce applications provide an avenue for efficient, automated, and scalable attacks. And there are criminal groups that specialize in these types of attacks that feast on low-hanging fruit.”

Overall, Veracode’s State of Software Security Vol. 9 shows that retail organizations are quick to fix their flaws, ranking second in this regard as compared to other industries. With this in mind, it may mean that retail organizations need to keep a closer eye on third-party software and open source code in their own applications to ensure they’re not the next to sign a cyberattacker’s paycheck.

At Veracode, we help our customers to ensure that every web application in their portfolio is secure through each stage of the SDLC. Check out this case study to learn about how Blue Prism implemented Veracode Verified to ensure the strength of its application security program and protect its most sensitive data.

If you follow us and read our daily diaries, you probably already know some famous tools developed by Didier (like oledump.py, translate.py and many more). Didier is using them all the time to analyze malicious documents. His tools are also used by many security analysts and researchers. The complete toolbox is available on his github.com page[1]. You can clone the repository or download the complete package available as a zip archive[2]. However, it’s not convenient to install them all the time when you’re switching from computers all the time if, like me, you’re always on the road between different customers.

Being a fan of Docker containers, I built a Docker image called “DSSuite” (a not very original name :-) that contains all Didier’s tools preinstalled and ready to use from any system that has Docker available. The image is available on hub.docker.com[3]. 

To use it, just pull the image:

$ docker pull rootshell/dssuite

Once done, you can use tools directly from Docker or start an interactive shell. First, let’s try a simple oledump against a sample OLE file:

$ file malicious_ole.vir
malicious_ole.vir: Composite Document File V2 Document, Cannot read section info
$ docker run -it --rm -v $(pwd):/malware rootshell/dssuite oledump.py malicious_ole.vir
  1: O   49737 '\x01Ole10Native'
  2:         6 '\x03ObjInfo’

If you don’t pass arguments to the container, an interactive shell will be started:

$ docker run -it -v $(pwd):/malware rootshell/dssuite
 ____  ____ ____        _ _
|  _ \/ ___/ ___| _   _(_) |_ ___
| | | \___ \___ \| | | | | __/ _ \
| |_| |___) |__) | |_| | | ||  __/
|____/|____/____/ \__,_|_|\__\___|

Version 1.0 - Help: https://blog.didierstevens.com/my-software/

root@a43d72df1d9b:/malware#

Note that you need to map a /malware volume to access the malicious files to analyze

For more convenience, just create an alias like this in your shell to call directly the commands:

$ alias dssuite='docker run -it --rm -v $(pwd):/malware rootshell/dssuite $@‘
$ dssuite oledump.py sample.doc

Most of the tools are running out of the box but let me know if you detect some issues and I'll keep the Docker updated

[1] https://github.com/DidierStevens/DidierStevensSuite
[2] https://didierstevens.com/files/software/DidierStevensSuite.zip
[3] https://hub.docker.com/r/rootshell/dssuite

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I published the following diary on isc.sans.edu: “DSSuite – A Docker Container with Didier’s Tools“:

If you follow us and read our daily diaries, you probably already know some famous tools developed by Didier (like oledump.py, translate.py and many more). Didier is using them all the time to analyze malicious documents. His tools are also used by many security analysts and researchers. The complete toolbox is available on his github.com page. You can clone the repository or download the complete package available as a zip archive. However, it’s not convenient to install them all the time when you’re switching from computers all the time if, like me, you’re always on the road between different customers… [Read more]

[The post [SANS ISC] DSSuite – A Docker Container with Didier’s Tools has been first published on /dev/random]

This new version of jpegdump.py (a tool to analyze JPEG pictures) adds 2 new options: -t and -A.

Option -t: consider everything after the first EOI as trailing.

Option -A: perform ascii dump with RLE

jpegdump_V0_0_7.zip (https)
MD5: DF600AAADD1E6335CB1DC5FEF895B2AE
SHA256: 123CDBACA0533BE975751F935EA9C6CEF75B7F8E67CC0FBAD36F8C66DD9354D8

• Win.Trojan.Tofsee-6965613-0
  Trojan
  Tofsee is multi-purpose malware that features a number of modules used to carry out various activities, such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages in an effort to infect additional systems and increase the overall size of the botnet under the operator’s control.
   
• Win.Trojan.Zeroaccess-6965107-0
  Trojan
  ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click fraud campaigns.
   
• Win.Dropper.Emotet-6964837-0
  Dropper
  Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a wide variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails.
   
• Win.Trojan.Darkkomet-6964750-0
  Trojan
  DarkKomet is a freeware remote access trojan that was released by an independent software developer. It provides the same functionality you would expect from a remote access tool: keylogging, webcam access, microphone access, remote desktop, URL download, program execution, etc.
   
• Win.Malware.Kryptik-6964485-1
  Malware
  Kryptik is oftentimes a generic detection name for a Windows trojan. Some of the malicious activities that could be performed by these samples, without the user's knowledge, include collecting system information, downloading/uploading files and dropping additional samples.
   
• Win.Packed.Kovter-6964099-0
  Packed
  Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries which store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware.
   
• Win.Malware.Python-6964012-0
  Malware
  Win.Malware.Python is a generic name given to malware written in Python and, typically, compiled into a Windows executable using tools like PyInstaller. There are a vast array of supporting libraries, proof-of-concept exploit tools, and example code that makes developing malware in Python easier than with lower-level languages. Examples of functionality commonly seen in this type of malware include the ability to spread laterally by exploiting EternalBlue PoC scripts and file encryption performed by ransomware.
   
• Win.Ransomware.Cerber-6963958-0
  Ransomware
  Cerber is ransomware that encrypts documents, photos, databases and other important files using the file extension ".cerber."
   
• Doc.Downloader.Powload-6959926-0
  Downloader
  Powload is a malicious document that uses PowerShell to download malware. This campaign is currently distributing Emotet malware.
   
• Win.Dropper.Qakbot-6962757-0
  Dropper
  Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
   

Threats

Win.Trojan.Tofsee-6965613-0

Indicators of Compromise

• 0647fc954ed93c7ea544d83e63a40d502f5fffd8a13f30017a73b67e9a45f1b2
• 06cd974d945d25823b35d71c42c63223e70e3117e457e93dee236b32767bd7ec
• 0780495fcad283f3b4d0a8c67ab1f899901a411609e5d418c32d63ea341ab025
• 10d8ca95e213491b05ec904bb8632212e22886d66c45525c104678dc80f670ae
• 125c11dec65eb1649338f5ed9442a65f79a0bcfd386e7db297de44ac7674c0b6
• 243c7f05dc3569c907f03ed8a84d215ff9aa72c83cf3a2204d60e82c66d9aaff
• 2db74b28c8d6fb6cd5dc708a4f63b5f0552edfdef708c2f86ea3a40361e963fd
• 3a9fc763818d743f0b87fffc92d2fd29f6e76f182142a43a6b65c9d12dd3efd4
• 3f057b371908761ce99846fe561f0c86376ee18ad0124fd8e848d7f2862e8c05
• 43726985501f447b624194119724d9bf9673a6ec4a9b4d4367d8157569f5dc7f
• 456d4a6d6fbdc25b6c9cafde2af81b6023293e564ddd6473e42f8e420f1fcdd5
• 4623e1ce31a8671e59640e83fc545a5f19e167c31cfc6e8d097864c7a4c27859
• 539975f3e33f6b41f3038ed1101633ce5635004bce96ca7764c19a79fb4f83ca
• 5a0f61ab9e096aa16c514f37f60853a708b3eed62dfe8c14643dcc2652141d96
• 61baf3c68654787eab765e7361c07270cac1b7041a07062dff7485aa860fc4b5
• 63f7598a21986a406d2a1ac946184140a80558bc7598bebabfcff82214895d75
• 658a040596a2b67e36bd8af81037fefd039eae1bcf63b99928f3b5125e414019
• 751ac2eb414eba0c3f93245c865f2162e328c461c5c844271ffb299df5d1e4df
• 79c2cfd759cc6d1727c7f7015e40333900bda4571e91d18899b98025c0480b94
• 7f5b069015e694544a2a693ddc7815c82c9ac6ec0d523ae9ed06d77b78965be4
• 82fbb918e0d47f7d9992cd3c5479ee1468d608d1e176f7570994e99ffc66e6b0
• 858f2612c45ad1bb0b986f74274f61224b827912f4e1a80f9121cad40edabacf
• 8ac67c280615873b5aec89d5bd5838d2a23552e7c47511a99b64799d28d659ff
• 8ad48911e8594b3530022ae45fbe12e40438c71cca38d2a7e85a8d3efd220180
• 93cb0db5f5aecff9574b756b557280b61d557724591817013c016a3a68096be5
• See JSON for more IOCs

Coverage

Screenshots of Detection

Win.Trojan.Zeroaccess-6965107-0

Indicators of Compromise

• 07c405ee534570f541b59cdaa0f96ff7504589dd26b9e2c6f71e5b89b70fe77f
• 105a3a1a379be2fc1efe05678726a2ff34183a3f6453af7fe11d3c93b00a06c1
• 1f286fca031ace5bcd5d09af6aa0bbe2e01d709274ac02db69409b24d1605f63
• 2334dabfb999ed340bb820f8db859248c8bda0345c044271effb482e08663397
• 23b236a0c3a4f078b90afb13fb32d0c3f6bdd11b301cad889729699664f2e5e8
• 2a7ec665835825ff43db2b82df1884ee5d481ef371ad4c3f8ce0e4e18bd9a2a4
• 550ad9dda25a0f1130dd0da04ddef0621a1158db98a5c5ebf90113842c2164e8
• 68ec8422d27625d1af4e31d6fccadd07f71cc055761b417d141a1865e58e6886
• a68f8aa154a3c12d066e1876619eeee00034692251e4e1edd23c8c7028e9518d
• a7f5fe66ec05e1672d7ce83e0745c028fb366c3341c8e1a907c99087dab346fc
• b08915d6e08d92a3de5977effd344b6e22b2b0aafce2479a1aadd4842c159ab3
• b7540ca2429a0ea057c84962b1ddb211dc20ac018b593dec8cb2501a74ab11a4
• bdfb9125073845bdc6bebf19a27fa02d248dac1f7fe4c59fd0b677e8a0ec9f65
• c2dc4f333f3ae35f5d40363a69639756e7b4533db364cb20f838543935510d1d
• cdc9f0d84b8813ae03d846bf7596130a85151683e65bae067a7a1f44d066561f
• fc84363a134bd0b2c3686c226773bc9a93e33189b2c606815e909b7d7fff79f7
• feb2afe93c29bba4bf068e198b1e91ae95add4c104430969ae89f2f4202ba65a

Coverage

Screenshots of Detection

Win.Dropper.Emotet-6964837-0

Indicators of Compromise

• 1e04bcdb51abfed7d2093115cbcaec092b5e8840556f172f368c0a62057c7a37
• 20c8e37dd60b38bbc9af1f55478e1d7618131bcc5bf383378a2bf00c6ffc1a08
• 2d7102eb62f9f8c523b7500c5b47eb4cadeff07b2980552e5f8f59aede506eb1
• 42697c161579c4e96b49f91935b12b3ec042ce5bfc5a583e8b44b416eb5fcf8f
• 433ad951f81e55b63f14fafe5c606532dc08343bb803d149867c767953a94a66
• 5550f5e1a7f27b537a1de8c945877755f8a89c28376c12ed2a635a6cc6f375b3
• 7dbcdbf63ed234c18481358441ee78e0c156f3da60bee606c6c52eafa25fe499
• 8196fe92cc4b2a674b7014b4505ba3339e8ad36a004d03d77b125e1f9aec76ad
• 8b2699e4d5ac77bdd3674321b114c05e674f30979b0f032c53a4fcf5a3b11aa5
• bd86fa60126d2c23abd5e75dbd4b6b952550a7ab1c17139ff009bca37729d7d7
• cdc8557f6b22789a9d4e10149f9c60f94f217bcb1f695b239fe7a12a0dffaa67
• d77d9f14025de5483c623673b3f5c4bbe8cdd01c55658c25b62970bf1be6a736
• d9d2d222e053edc845ce56cdc0ff3516f8e962ee226434772609ee8ce6edfc91
• e63d957b42d76bc73d03a937d1e2267e4f92c0d9ac0b678124785ea14ce9b991
• e6c00d963b75e7e5e3f037d54dd3d7099f92dfae0cda82fb5d483e6e8ce8b33b
• f00a7ca48e367919a09a255d040f3321e3a189ecf7533b0233b3299c9f61f207
• f1e2beb854ed706d5837ebb789373b83ff0a658f717173227f02bcb4e40ad1b8
• f88c591028ab0a8084ae15fdeee2afcc87be6980198d9c0ff863e9ac4c5a807f

Coverage

Screenshots of Detection

Win.Trojan.Darkkomet-6964750-0

Indicators of Compromise

• 28b4c182eede85890244ea0678da95e9744cdf175dd8748e257064e6e867824d
• 32f509646e99c7aea9d15d180ec891328fcba9dd156750d370f481dc586d674c
• 548d4d3ee7271c7b57f7b99c0b1348da5d1c94e7acfe1adc47f296a562af47d0
• 725fc28899391ced1970b4caffa22f4b92a636a4a5596c587855f4040f93e557
• a3117c0c2a3d2bbe0bb4bdf2ee37d3bd461c3116ff018277c70aad51498552d5
• a7e82cc0def7a4884816f9a97e85675cc0d1d4d8db8ea0c01f35f26de41b654e
• b1c674e44363aae15e87840db0f5a1123e98228a1c33110b41270318cd2f4ada
• d5f888e61113f8cef35692be3a876caf5ac1bbb6fa7983a28e0a1de0f964cd92
• f78968d304d87b83e759cedde480ba74011e92fd9701c77207bcdc0935735940
• f99d91a32c833a44ff5d8f938251401eae021320777e2e6f217948a50f8af428

Coverage

Screenshots of Detection

Win.Malware.Kryptik-6964485-1

Indicators of Compromise

• 06aa0afbdfa537fa2a213bc400553e62935911ff40b2e899c839109b3aa76343
• 0a8dbca58db6fd04e3b0fcb3ba3a08843676eb43362794b13d2b294b1428a8e5
• 310433c733a765de4ebad4517cc227c0aa326bd496e9a0971a2c5fb2cc080e05
• 516873875312e95e415216eecdbb0fe3799559cd774d68dd10f67b2e413cb646
• 6155690a39ca14c04877424c2292c638910cce74e766d55036e6c3f8133f0c8c
• 70b6964498ad91dc5cf69bca30abec8c65f549e6f11ce47b62cc999bfe167374
• 85d7d87f0fa1cd3a5d405274286f4298ac9d66c6cd17bf90d7245bb2e0bc5b8b
• 94c981cfdc9ec45d961a33c802e24c3c8c50771ed36e66fc5d06e7faaaba602b
• ab44bd641e6fabcb49e6f7febd81073e296b8df9b868cf6cbadcc8515c089355
• e1abb836355f1085113d6e4605b0eb941c965720eea05092993b8180756fb738

Coverage

Screenshots of Detection

Win.Packed.Kovter-6964099-0

Indicators of Compromise

• 967d47c136b9b0572999085bdf88035b47ac413a0fcc643379235a656c7b19bf
• baf12e28c9f22bbc6343d8fd52ec0f9bdbec595887a3bb86ac8276b73a6149f0
• c97d5b490cdb6a003c7fbc4f01d6e96b6eb7daa401fabb91159df441a7c3a414
• d0e6edab6f229bddae3ba675045d31dae31ecfebc5071bcef6fb5bb75d7114bf
• d101f5b175f474b2e8f7768e8ae0492f3732a776367b1df256412d2918edeabb
• d229bf0e951fbb466a7a695021ff001f29b8a14e9236386fa23d64c0292fcabb
• d7bfc27b9cae97fd12fc37aca51e72e11ad55a545d8fc1ef1cf1262b3a75d1cf
• e09390b6cac41111e9573db97340727c493b7d61db4bd5f7be5e298bce1feb61
• e7cf854f13c13b4356b79196b1703033ea820eb9d9c0539202774cfa62f4ddc1
• ea4109825ea5dd469b35237206639f261ab9dbbc9029f6ff5cbe245e19708253
• eeb139134e8f9ae9a06f2b88a5d710aff711ba5ad5f653300a2bf4f874d8cf90
• f26f413104736c1e442bf3fc3d90f7e7ebf37015b8c81c8c8d8a3cb98ca17112
• f644f06fe38ad3643c026e0a2eda3e0fd17b8dc3e248699d824df192455310e5
• f76268c3dff77dddabcec092f5bc236cdacab5d052f5bac4ab3b1be932fe2f1e
• f857b7ea2d8a195080fef9a188eceddd5c35d88bcad8cdc0ad074b937b0b4d71
• fc8fce6392c14f721d61f41f1fdb794bd3abf8c0edbbe84e6b5f0efed38ca9d7

Coverage

Screenshots of Detection

Win.Malware.Python-6964012-0

Indicators of Compromise

• 2d5c9619b85111c8af13ad75bc334b26713839eed3ac96e9b22447039296aa0e
• 30117d30a63aaf64648199e3874762f0a31d1c45f35ff73820d3bb65827dbc89
• 4af89e0f76d112342c2ac7e5cd3696974027a5c771fb4655faa78fefae4774e8
• 5304995ff9b9ca3d6f597fc2eb1e456125eb5c42dc42df234173e47184df71f2
• 568db055c4fb8890fe7f3ef0ef3d32c250ac4d997e94571f84b3463805befedb
• 5795c318c70fd3009a470198ce1ccb6a7d74af59f3758385fe034520d657c45c
• 59a6c6c90be9cd113afafad6261fce0f23decc1c453ffd3f135e028073fde501
• 5f6a3155166e492a8acf391d70b334e985d24dfd43b9ea12f5e47a2d7222ea49
• 6059747fb8a2c5429313d835f610d9c4a6965c5f63719c694ba20533450da3f7
• 605cbd5701cbbc4a36935599525e6d0d5c1a043c9252aa081cb9c2f3724fc8ba
• 613531d0a4eeffaca1e34fc90de6ce2a042dac8983fe8ac30d5868f2d400d4e2
• 619b34db1e2b672ab7709c581a43ecc902b4f36fc817c007cd557b75d7dc67bf
• 64c06234473e62abe6b4dd9dcb8c0df812344f4808fa8d2c594e3117bb22ac8e
• 6503fd5020dc940cb38a647c1d6ee211259e418593d6bdf9db3aeb79621a4a6c
• 6859d6615d5de8f981ee996de57b6f2c838420c2b21cf328b8a258a500e2ebc5
• 6921860fd202f8de479af08511a6b5ddfb9c84654a89020f133243cebf0bee9a
• 693df72f101e68cb4a19a921c89301779552e4215830498bc8b5c7843e35e5e2
• 6a2a3089e6adf58b64a3800b94bc53d0e2b6b05a21aa6127ce57620268b49f08
• 70c258ff7c21f6319d1434480d5ae6f2e111feb864a5e33b81b01f8364247d11
• 70e53a2ffa43d9d4426fc703c04d7d610aa0346c2fb7e37dc234167c613dd515
• 7149016c8e6cdeb9494dea17b743b298d12adbc35c77dcf7bc0a1e12f8ddea2d
• 7246bf9b6fdb3b49ce33ff7b0a3f2bae33eb1e0301db635ccb74608313c719e1
• 763571d4fc7e3d4738941599d41a665bcb859c0180de80ac99765edbe47f93a9
• 7895313b35d27c7d5bc0fca556736f63e800e99feb6dcde910c76c743d4634ac
• 79582a03488d2c8a1a14ce512034f65727e4a921f7420e18078d92bf1dd085ac
• See JSON for more IOCs

Coverage

Screenshots of Detection

Win.Ransomware.Cerber-6963958-0

Indicators of Compromise

• 7019c1e1802915ac18691419d277a94b5e30a11209dd445f234ca14b35f5d720
• 72316d031bea130d9475d57d97f96b05cf11190101b219b106eadbb7ffb41b4a
• 8518d800daf5c94937948b6f1ca696a7e03faa6f86a689e809218f81f697b80e
• 860ee1bc900c05313d12f50f17620c330f642a9dcfce66b8dd8141897bd4ed09
• a8eb934ac833e714578d5d7d2b8fa2388328cb2145e8207553a0f124da942f48
• ac4851b671d4ecf728681c9587bd7d14bc011c682e6957124aba87660882377c
• bccbc893aef7ecee4eebeeb2c386e43abb1deaa78d4f03dc54e8f7f409d73b6f
• c3e5d39b17b60def951d6c0829ed1bf887cc0e71c9d24c9dc14a02d6bdf23c86
• cf557bc47899bdec8b94a0e8b0b00d73390be2c1c404a973b65828e264c26c77
• e2e487d62c6c9ef0a965fbb0d99e0af7752a11738a9ef3e1d9d193862b28e118
• f0e79e62922ddf62d71c4e44aa2e927ad111b4437df9adcf0c28c491b22d633a

Coverage

Screenshots of Detection

Doc.Downloader.Powload-6959926-0

Indicators of Compromise

• 07ad82ee6f552024b89e9569759078672295762694af017f35f64bb7284b93c3
• 1a6641086b78035d6c9ba38c7199aac02d37dafbadf96059a81b6f4c35e49f84
• 1f4a46bf19d090bee1282d5920e1ce502620c0a50cb4d5165d735d5b52e4a79e
• 224d99639dbb488494e23f7fd8a60c75630ffc694a3114a6d4f596da2062fbe0
• 2ade167cc02b318750feb789c0476581e4f2e0864c3a51fd65bd74c25534a74e
• 3606c54dbaba863109929191dfda5771de069a4fdbdc6322ae75c549aeec3ddd
• 394d047267664ca7feaa87df65b83ef559a4a97d7660e855fd84ad39ca15c17f
• 3f832fc27ebcc0391c302aedbc3f8d3dfe7473679d5d9aa0176f9623d4306d68
• 3f90bc319f969145e499fa90a32a81f0fed988320b255b0febc18befca735484
• 404f20fabcaf9c4c086a38eb1cb139e49e2e08d6249ef41b88d7eb2c0e628bbc
• 42981d37b50801d5cdc23d5d9f0a1e0e20f3787e24c4d20f606d2250ce5bf804
• 438757f58f956c0bf3c4d88c3270f25c6bef6cc6c7599d01e2050871e1c7cced
• 49b5e70a242f984eadee49435aac4371ca3cb65b02b2f6fbcbfcbfbd9d985782
• 51d6fab6ccf8fb3460ce156af02cfcbaf6098f74d37e5d323a3d9e2c07e4b8f4
• 567c4f99a489d6e26cdd76b719f290108f558cb49b7f5f7e2d84dc8929f7613b
• 571210656adbfe8cde574bb15f96232169cdfb487f4597ce1a4532c7a0258f46
• 58c44d575aa6041c0d0e87372288f96804c1fa141ee903a67f668e73cb690dec
• 5f401aefe65751c9e09131d50f1a6ea3f86f542552ecab2973a334a360357699
• 61e933a06b4a2af4239c378c84211b2ff1baab4effe6b5bf044ac4f2d3371c32
• 64b75110604d920b41da5dedf56cabebac63da64a209a35cb664ba69764fb8a8
• 68e686c3f2b87d3169766ffe4bba021a8acd7648ca38c6c75be829a864558ecb
• 6a817c04b3ec3fb6f85801ecf4999db95505445ecbc8f741cf2985972f2d6f75
• 6f926261cf70832a6f3332c727eb674da29212109a968a25cab4cb92fced7694
• 72f28f83d17f71068693f8f34ea40d09dc75d111635427f1b58fa9d4cad29558
• 7416ebc5373fd8a3ec9ece1dff46c15699738491d703b47f20ae4de8c59bcef0
• See JSON for more IOCs

Coverage

Screenshots of Detection

Win.Dropper.Qakbot-6962757-0

Indicators of Compromise

• 4737f7e7a483154476a69b4f5a48fb4551ac02ac240a784c4f3377c436dbd203
• 666d680dfc69cb8931cc724a81cdb588d16602788f7d3bd7955803ce224d6f80
• 6c4d27124a279c0f49eb46852ea440fdd482bd8798126bfe0b526361f3702531
• 85ff1bf1196b88d85f7f7092fc8f3905a9ded0e14e06b17475163df47a079e29
• 8c5f802a24045fc230207298aa825e0fca94d7dd7d8e9f06abd59836d0ed373e
• 908889c25ce86b55fc08b790b42ab405a485dc498821249c10d5517c47470e35
• 9258e1004f3ddbf9bc72a4764a77d174b090faf1288afaa2f7b1d16f96fbb1a6
• 99cfbb31846bd275123aa1ab9206e92b71556ea269e8eeceffff3b3dc27385b5
• a4be182a1dc5815e8a9327956310222b714dac52ba4c5aa4ba0f72975c716218
• b274a28e4ad451b106c78e64d917f9da3d1ab46d7e450a3a3908351b25718b3c
• c6f26163d2c2dc499ffdb86d649e95301329db9d908888b909f4190d3d51ca1f
• d7c6d675543ec8fc13cb6e169f7df286f33187ee96a3163252c607aa16e7bbf1
• ecd2fdff63d752ee98eb1e0dd185a1919d2ff72c23c80a7a8c057d4b9f5e9ad5
• f23982a726efd837a3fb23d770ed2e1eba1cf2629b4466b76ef205b52c19e540
• f9d48c419ad4ea015efa8258f323a5242b46da80c1755ff2b551592a3b54d0bd

Coverage

Screenshots of Detection

Exprev

• Madshi injection detected (3477)
  Madshi is a code injection framework that uses process injection to start a new thread if other methods to start a thread within a process fail. This framework is used by a number of security solutions. It is also possible for malware to use this technique.
• Kovter injection detected (2818)
  A process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns.
• PowerShell file-less infection detected (1467)
  A PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families.
• Process hollowing detected (521)
  Process hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead.
• Gamarue malware detected (172)
  Gamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system.
• Atom Bombing code injection technique detected (146)
  A process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well.
• Suspicious PowerShell execution detected (97)
  A PowerShell command has attempted to bypass execution policy to run unsigned or untrusted script content. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.
• Installcore adware detected (69)
  Install core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware.
• Dealply adware detected (40)
  DealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware.
• Excessively long PowerShell command detected (26)
  A PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats.