Security Threat Intelligence Report

September 2020

In this issue
• Trickbot malware targets Linux
• Internet Explorer script-based malware emerges
• Business email compromise attacks bypass MFA
• Zoom phishing campaign harvesting Office 365 credentials
• Agent Tesla RAT adds new features

About this report
Fusing a range of public and proprietary information feeds, including DXC's global network of security operations centers and cyber intelligence services, this report delivers an overview of major incidents, insights into key trends and strategic threat awareness.

This report is a part of DXC Labs | Security, which provides insights and thought leadership to the security industry.

Intelligence cutoff date: August 24, 2020

Message from Mark Hughes
The shift to remote work has seen a considerable uptick in targeting remote access solutions. A new Zoom phishing campaign is harvesting Office 365 credentials, while new business email compromise attacks can bypass multifactor authentication. We must ensure identity and access management are tight, and cyber hygiene is an ongoing focus. We also must continue to educate teams to keep a diligent eye on ongoing phishing schemes and malware.

Mark Hughes
Senior Vice President and General Manager of Security, DXC Technology

Table of contents

Threat Updates
• TrickBot's Anchor malware platform targets Linux devices (Multi-industry, page 3)
• Business email compromise attacks bypass MFA (Multi-industry, page 6)
• Zoom phishing campaign harvesting O365 credentials (Multi-industry, page 7)
• Agent Tesla RAT adds new features (Multi-industry, page 9)

Vulnerability Updates
• Internet Explorer scripting malware emerges (Multi-industry, page 12)

Incidents/breaches
• Carnival Corporation suffers ransomware attack (Travel Industry, page 15)

Nation State and Geopolitical
• U.S. Justice Department seizes cryptocurrency accounts of 3 suspected terrorist groups (Multi-industry, page 16)

Threat Updates

TrickBot's Anchor malware platform targets Linux devices

Discovered by Stage 2 researcher Waylon Grange, TrickBot's Anchor malware is still in the early stages of development. Intel is limited at this time. Updates will be reported as they become available.

TrickBot is a multipurpose Windows malware platform that uses different modules to perform various malicious activities, including information stealing, password stealing, Windows domain infiltration and malware delivery. TrickBot is rented by threat actors who use it to infiltrate a network and harvest anything of value. It is then used to deploy ransomware such as Ryuk and Conti to encrypt the network's devices as a final attack.

Anchor_Linux will configure itself to run every minute using the following crontab entry:

    */1 * * * * root [filename]

Figure 1. Setting up persistence via CRON. Source: Vitali Kremez

Attack vector
According to Stage 2, this malware is often delivered as part of a ZIP file and is a lightweight Linux backdoor. Upon execution it installs itself as a cron job, determines the public IP for the host and then begins to beacon via DNS queries to its C2 server.

Dropper functionality includes:
• The ability to drop other malware on Linux devices and execute it
• An embedded Windows TrickBot executable
• An embedded Linux binary that serves as a new lightweight TrickBot malware
• Code connections to older TrickBot tools

This malware can be used to infect Windows machines on the same network. This is the Windows infection process:
• Anchor_Linux will copy the embedded TrickBot malware to Windows hosts on the same network using SMB and the IPC$ share
• When successfully copied to a Windows device, Anchor_Linux will configure it as a Windows service using:
  – The Service Control Manager Remote protocol
  – The SMB SVCCTL named pipe

Figure 2. Copying a file via SMB. Source: Waylon Grange

Upon startup, the Windows machine will connect to the C2 for instructions.

Sidebar: ATM makers address illegal cash withdrawals
ATM manufacturers Diebold Nixdorf and NCR have fixed a number of software vulnerabilities that have allowed attackers to execute arbitrary code with or without system privileges. Hackers made illegal cash withdrawals by committing deposit forgery and manipulating underlying systems by issuing valid commands to dispense currency.

Linux version
The Linux version allows threat actors to target non-Windows environments with a backdoor. If successful, attackers can pivot to Windows devices on the same network. It gives them an attack vector outside of email phishing for Windows infection. The Linux backdoor has a persistence mechanism, as seen in the cron job. It functions in the UNIX environment and targets devices in the UNIX environment, including:
• Routers
• VPN devices
• NAS devices running on Linux operating systems

IoT devices also require security controls and monitoring to detect Anchor_Linux.

Figure 3. TrickBot's Anchor framework. Source: SentinelOne

Hunting
Anchor_Linux will create a log file at:

    /tmp/anchor.log

There is a high probability that the name of the log file will change as the malware development progresses. If this file exists, a complete audit of the system for the presence of the Anchor_Linux malware should be conducted. It is expected that TrickBot will continue its development to make it a full-featured addition to its Anchor framework.
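The hunting artifacts described in this section (the every-minute root cron entry, the /tmp/anchor.log file and DNS beaconing to the C2 domain listed in the IoCs) can be checked with a script like the one below. This is an added example written for this page, not the report's or Stage 2 Security's code: the crontab text, file paths and dnsmasq-style DNS log lines are constructed, and the high-cardinality subdomain rule generalises the single-domain IoC match to the shape DNS beaconing leaves in resolver logs.

```python
"""Hunting for the Anchor_Linux indicators in the report: the every-minute root cron
job, the /tmp/anchor.log artifact and DNS beaconing to the listed C2 domain.
Added example, not part of the DXC report or Stage 2 Security's tooling. Crontab
text, paths and DNS log lines are constructed; the IoC values are the report's."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

C2_DOMAIN = "biillpi.com"        # report IoC *.biillpi[.]com with the defanging removed
ANCHOR_LOG = "/tmp/anchor.log"   # report IoC; the report expects this name to change
BEACON_THRESHOLD = 20            # assumed: distinct names under one domain before alerting

# System crontab line: minute hour dom month dow user command. "*/1 * * * *" (or the
# equivalent "* * * * *") is the every-minute schedule Anchor_Linux installs.
CRON_RE = re.compile(r"^(?:\*/1|\*)(?:\s+\*){4}\s+(?P<user>\S+)\s+(?P<cmd>\S+)")
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/")

# Assumed dnsmasq-style resolver log: "... query[A] host.example.com from 10.0.0.5".
DNS_RE = re.compile(r"query\[\w+\]\s+(?P<name>[\w.-]+)\s+from\s+(?P<src>\S+)")


@dataclass(frozen=True)
class Finding:
    indicator: str  # which behaviour or IoC matched
    evidence: str   # the line or path that triggered it


def suspicious_cron_entries(crontab_text: str) -> list[Finding]:
    """Flag every-minute root jobs whose binary lives outside the trusted system paths."""
    out = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m and m["user"] == "root" and not m["cmd"].startswith(TRUSTED_PREFIXES):
            out.append(Finding("cron: every-minute root job", line))
    return out


def anchor_log_present(existing_paths: list[str]) -> list[Finding]:
    """Report the anchor.log artifact if it is among the paths observed on the host."""
    return [Finding("file: anchor.log", p) for p in existing_paths if p == ANCHOR_LOG]


def c2_dns_queries(dns_lines: list[str]) -> list[Finding]:
    """Flag queries for the listed C2 domain or any name beneath it."""
    out = []
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        name = m["name"].rstrip(".").lower()
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            out.append(Finding("dns: query to C2 domain", line))
    return out


def dns_beacon_candidates(dns_lines: list[str], threshold: int = BEACON_THRESHOLD) -> list[Finding]:
    """Behavioural generalisation of the IoC match: one host resolving many distinct names
    under a single parent domain is the shape DNS beaconing leaves in resolver logs."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        labels = m["name"].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue                    # bare domain: no subdomain to carry data in
        parent = ".".join(labels[-2:])  # crude registrable-domain guess, no PSL lookup
        seen[(m["src"], parent)].add(".".join(labels))
    return [Finding("dns: high-cardinality subdomains", f"{src} -> *.{parent} ({len(n)} names)")
            for (src, parent), n in sorted(seen.items()) if len(n) >= threshold]


def hunt(crontab_text: str, existing_paths: list[str], dns_lines: list[str]) -> list[Finding]:
    return (suspicious_cron_entries(crontab_text) + anchor_log_present(existing_paths)
            + c2_dns_queries(dns_lines) + dns_beacon_candidates(dns_lines))


# Constructed sample input: one benign every-minute job, one Anchor-style job, a clean DNS
# query and 25 encoded-looking lookups under the C2 domain from a single host.
SAMPLE_CRONTAB = """\
# /etc/crontab (constructed)
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/1 * * * * root /usr/bin/updatedb
*/1 * * * * root /tmp/.x/anchor_l
"""
SAMPLE_PATHS = ["/tmp/anchor.log", "/tmp/.x/anchor_l", "/var/log/syslog"]
SAMPLE_DNS = ["Aug 20 10:00:01 dnsmasq[812]: query[A] www.example.com from 10.0.0.5"] + [
    f"Aug 20 10:{i:02d}:00 dnsmasq[812]: query[A] {i:08x}.c.biillpi.com from 10.0.0.9"
    for i in range(25)
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_CRONTAB, SAMPLE_PATHS, SAMPLE_DNS):
        print(f"{f.indicator:34} {f.evidence}")
```

On a live host the same functions would be fed the contents of /etc/crontab and /etc/cron.d, an os.path.exists() check, and the resolver's query log.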
IoCs (courtesy of Stage 2 Security)

Hashes:
• 55754d178d611f17efe2f17c456cb42469fd40ef999e1058f2bfe44a503d877c
• C721189a2b89cd279e9a033c93b8b5017dc165cba89eff5b8e1b5866195518bc
• 7686a3c039b04e285ae2e83647890ea5e886e1a6631890bbf60b9e5a6ca43d0

Domains:
• *.biillpi[.]com

IPs:
• 23.95.97[.]59

Yara:

    rule anchor_linux_dns
    {
        meta:
            author = "Stage 2 Security"
            description = "Trickbot anchor_linux"
        strings:
            $hdr = {7f 45 4c 46}
            $x1 = {80 74 0? ?? b9}
            $x2 = "anchor_l"
            $x3 = "getaddrinfo"
            $x4 = "IPC$"
            $x5 = {48 ?? 2f 74 6d 70 2f 00 00 00}
            $x6 = "test my ip"
            $x7 = {73 6d 62 32 5f [4-7] 5f 61 73 79 6e 63 20}
            $x8 = "Kernel32.dll"
            $x9 = "libcurl"
            $x10 = "/1001/"
        condition:
            $hdr at 0 and 7 of ($x*)
    }

Impact
Trickbot was first detected in 2016 and has developed its capabilities extensively over the years. Trickbot can disable antivirus systems, propagate throughout a network, perform man-in-the-middle attacks and drop other malware. The latest Trickbot update means the malware has a completely new attack vector targeting Linux and Unix devices. Based on its success with Windows machines, the impact rating to organizations should be considered critical.

TrickBot has been seen in the wild dropping Ryuk and GlobeImposter ransomware. Multiple malware infections greatly complicate the remediation process. It has successfully disabled endpoint antivirus applications, allowing the infection to spread across the network and compromising over a hundred systems.

Note that Trickbot began as a banking trojan and is proficient at harvesting and exfiltrating data from infected systems prior to deploying ransomware, a tactic adopted by most ransomware groups in 2020.

DXC perspective
Trickbot is used by multiple threat actor groups due to its success rate and its ability to propagate throughout the environment and drop other malware. Groups using Trickbot are financially motivated, and successful intrusions will result in the exfiltration of data. Security controls should be tuned to alert on abnormal outbound traffic. It may also deliver disruptive malware such as ransomware and system-wiping malware. The recent addition of this new Trickbot attack vector will require security teams to tune security monitoring tools to detect intrusions as well as hunt for existing network presence from previously undetected intrusions.

Sources: Stage 2 Security, Intezer Labs, SANS

Sidebar: iOS SDK breach surfaces
Researchers discovered malicious functionality within the iOS MintegralAdSDK (aka SourMint), distributed by the Chinese company Mintegral. The malicious functionality enabled ad fraud on hundreds of iOS apps and brought major privacy concerns to consumers. It allows spying on user link-click activity within thousands of iOS apps that use the SDK, tracking requests performed by the app and reporting them back to Mintegral's servers.

Business email compromise attacks bypass MFA

Business email compromise (BEC) campaigns are increasing in frequency, and compromise success rates are up, with reports of email accounts being taken over despite multifactor authentication (MFA) and conditional access. It is not possible to enforce MFA when a user signs into an account using legacy email protocols, including IMAP, SMTP, MAPI and POP. Office 365 licenses provide the ability to configure conditional access policies, which block access from legacy applications. However, attackers are bypassing conditional access controls by obscuring (renaming) the app being used. Credential stuffing campaigns have been seen in the wild using legacy applications in attempts to bypass MFA.
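The three patterns described above (password-only sign-ins over legacy protocols, a renamed app slipping past a name-based conditional access rule, and credential stuffing that ends in a success) can be turned into sign-in log detections like the ones below. This is an added example, not code from the DXC report: the events are constructed, the field names are modelled on Azure AD sign-in log entries, and the application ids and thresholds are assumptions.

```python
"""Detections for the BEC patterns above: basic-auth sign-ins over legacy protocols (where
MFA cannot be enforced), a trusted app name carried by an unknown application id (the
renamed-app dodge of conditional access) and credential stuffing that ends in a success.
Added example, not from the DXC report. Events are constructed; field names are modelled
on Azure AD sign-in log entries, and ids and thresholds are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Legacy protocols the report names. Basic auth over them never sees an MFA prompt, so a
# success here was a password-only login. The strings are assumed clientAppUsed values.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "MAPI Over HTTP"}

# Key the allowlist on the immutable application id: a display name can be renamed by
# whoever registers the app, the id cannot. The ids below are constructed.
KNOWN_APPS = {
    "00000000-0000-0000-0000-00000000aaaa": "Outlook",
    "00000000-0000-0000-0000-00000000bbbb": "Microsoft Teams",
}
STUFFING_MIN_FAILURES = 10  # assumed thresholds for the credential-stuffing rule
STUFFING_MIN_ACCOUNTS = 5


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def legacy_protocol_success(events: list[dict]) -> list[Alert]:
    """Every successful sign-in over a legacy protocol happened without MFA."""
    return [Alert("legacy-protocol-auth", e["userPrincipalName"],
                  f'{e["clientAppUsed"]} from {e["ipAddress"]}')
            for e in events if e["clientAppUsed"] in LEGACY_CLIENTS and e["errorCode"] == 0]


def renamed_app(events: list[dict]) -> list[Alert]:
    """A trusted display name presented by an application id that was never allowlisted."""
    trusted_names = set(KNOWN_APPS.values())
    return [Alert("renamed-app", e["userPrincipalName"],
                  f'"{e["appDisplayName"]}" presented by appId {e["appId"]}')
            for e in events
            if e["appDisplayName"] in trusted_names and e["appId"] not in KNOWN_APPS]


def credential_stuffing(events: list[dict], min_failures: int = STUFFING_MIN_FAILURES,
                        min_accounts: int = STUFFING_MIN_ACCOUNTS) -> list[Alert]:
    """One source IP failing against many distinct accounts and then succeeding on one.
    Events must be in chronological order; only failures seen before the success count."""
    failed_users: dict[str, list[str]] = defaultdict(list)
    alerts = []
    for e in events:
        ip, user = e["ipAddress"], e["userPrincipalName"]
        if e["errorCode"] != 0:
            failed_users[ip].append(user)
            continue
        prior = failed_users[ip]
        if len(prior) >= min_failures and len(set(prior)) >= min_accounts:
            alerts.append(Alert("credential-stuffing-success", user,
                                f"success from {ip} after {len(prior)} failures "
                                f"across {len(set(prior))} accounts"))
    return alerts


def triage(events: list[dict]) -> list[Alert]:
    return legacy_protocol_success(events) + renamed_app(events) + credential_stuffing(events)


# Constructed sample sign-in events. errorCode 0 is a success; 50126 is the Azure AD
# "invalid username or password" code.
def _ev(user, ip, client, app, app_id, code):
    return {"userPrincipalName": user, "ipAddress": ip, "clientAppUsed": client,
            "appDisplayName": app, "appId": app_id, "errorCode": code}


OUTLOOK = "00000000-0000-0000-0000-00000000aaaa"
ROGUE = "11111111-1111-1111-1111-111111111111"
SAMPLE_EVENTS = (
    [_ev("alice@example.com", "203.0.113.10", "Browser", "Outlook", OUTLOOK, 0)]
    # 12 IMAP failures spread over 6 accounts from one address, then one of them succeeds
    + [_ev(f"user{i % 6}@example.com", "198.51.100.7", "IMAP4", "Outlook", OUTLOOK, 50126)
       for i in range(12)]
    + [_ev("user3@example.com", "198.51.100.7", "IMAP4", "Outlook", OUTLOOK, 0)]
    # the "Outlook" display name on an application id that is not the real client's
    + [_ev("bob@example.com", "203.0.113.22", "Mobile Apps and Desktop clients", "Outlook", ROGUE, 0)]
)

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.rule:28} {a.user:22} {a.detail}")
```

The first rule is the one that matters most in practice: if legacy protocols are blocked at the tenant it should never fire, so any hit is either a policy gap or the renamed-app bypass the report describes.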
Impact
The motivation behind BEC attacks is financial, and they can impact organizations at various levels:
• Credential harvesting and data exfiltration
• Financial losses from company fund transfer requests
• GDPR fines associated with PII data being exfiltrated
• Reputational damage resulting from any of the above

DXC perspective
Even the most highly trained and vigilant employee will get fooled by the variety of tactics that threat actors use. Security controls such as secure email gateways (SEGs) should be used to prevent such emails from reaching legitimate users. SEGs