Automated Malware Analysis Report for N.Xlsx

Total pages: 16

File type: PDF, size: 1020 KB

ID: 92618
Sample Name: n.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 12:02:06
Date: 22/11/2018
Version: 24.0.0 Fire Opal

Table of Contents
Analysis Report n.xlsx; Overview (General Information; Detection; Confidence; Classification; Analysis Advice); Mitre Att&ck Matrix; Signature Overview (Networking; Spam, unwanted Advertisements and Ransom Demands; System Summary; Hooking and other Techniques for Hiding and Protection); Behavior Graph; Simulations (Behavior and APIs); Antivirus Detection (Initial Sample; Dropped Files; Unpacked PE Files; Domains; URLs); Yara Overview (Initial Sample; PCAP (Network Traffic); Dropped Files; Memory Dumps; Unpacked PEs); Joe Sandbox View / Context (IPs; Domains; ASN; Dropped Files); Screenshots (Thumbnails); Startup; Created / dropped Files; Domains and IPs (Contacted Domains; URLs from Memory and Binaries; Contacted IPs); Static File Info (General; File Icon); Network Behavior; Code Manipulations; Statistics; System Behavior (Analysis Process: EXCEL.EXE PID: 3284 Parent PID: 3072; General; File Activities; File Deleted; File Written; Registry Activities); Disassembly

Copyright Joe Security LLC 2018

Analysis Report n.xlsx

Overview

General Information
Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 92618
Start date: 22.11.2018
Start time: 12:02:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: n.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus20.rans.winXLSX@1/12@0/0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Simulate clicks; Number of clicks 76; Scroll down; Close Viewer
Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection
Strategy: Threshold; Score: 20; Range: 0 - 100; Reporting: Report FP / FN

Confidence
Strategy: Threshold; Score: 2; Range: 0 - 5; Further Analysis Required?: true

Classification
(Classification chart) Scale: malicious / suspicious / clean. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Analysis Advice
• No malicious behavior found, analyze the document also on other versions of Office / Acrobat
• Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
• Sample might require command line arguments, analyze it with the command line cookbook

Mitre Att&ck Matrix
Initial Access: Valid Accounts
Execution: Windows Remote Management
Persistence: Winlogon Helper DLL
Privilege Escalation: Port Monitors
Defense Evasion: File System Logical Offsets
Credential Access: Credential Dumping
Discovery: System Information Discovery 1
Lateral Movement: Application Deployment Software
Collection: Data from Local System
Exfiltration: Data Compressed
Command and Control: Data Obfuscation

Signature Overview
Networking:
• Found strings which match to known social media urls
• Urls found in memory or binary data
Spam, unwanted Advertisements and Ransom Demands:
• May drop file containing decryption instructions (likely related to ransomware)
System Summary:
• Classification label
• Creates files inside the user directory
• Creates temporary files
• Reads ini files
• Found graphical window changes (likely an installer)
• Document is a ZIP file with path names indicative of goodware
• Checks if Microsoft Office is installed
• Uses new MSVCR Dlls
Hooking and other Techniques for Hiding and Protection:
• Disables application error messages (SetErrorMode)

Behavior Graph
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious
ID: 92618
Sample: n.xlsx
Startdate: 22/11/2018
Architecture: WINDOWS
Score: 20
Graph: EXCEL.EXE (started; the node shows the two counters 40 and 23) with the attached signature "May drop file containing decryption instructions (likely related to ransomware)"

Simulations
Behavior and APIs
Time: 12:02:42; Type: API Interceptor; Description: 3x Sleep call for process: EXCEL.EXE modified

Antivirus Detection
Initial Sample
Source: n.xlsx; Detection: 0%; Scanner: virustotal
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source: Detection, Scanner, Label):
• www.nyxbone.com/malware/brazilianRansom.html: 0% virustotal; 0% Avira URL Cloud, safe
• www.nyxbone.com/malware/RemindMe.html: 1% virustotal; 0% Avira URL Cloud, safe
• bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html: 0% Avira URL Cloud, safe
• www.nyxbone.com/malware/Strictor.html: 0% virustotal; 0% Avira URL Cloud, safe
• www.nyxbone.com/malware/7ev3n-HONE$T.html;: 0% virustotal; 0% Avira URL Cloud, safe
• www.nyxbone.com/malware/CryptoMix.html: 2% virustotal; 0% Avira URL Cloud, safe
• https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate: 0% virustotal; 0% Avira URL Cloud, safe
• nyxbone.com/malware/BlackShades.html: 0% virustotal; 0% Avira URL Cloud, safe
• www.nyxbone.com/malware/koreanRansom.html: 2% virustotal; 0% Avira URL Cloud, safe
• https://reaqta.com/2016/06/raa-ransomware-delivering-pony/: 0% virustotal; 0% Avira URL Cloud, safe
• nyxbone.com/malware/SNSLocker.html: 0% virustotal; 0% Avira URL Cloud, safe

Yara Overview
Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Joe Sandbox View / Context
IPs: No context
Domains: No context
ASN: No context
Dropped Files: No context

Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup
System is w7
EXCEL.EXE (PID: 3284 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 716335EDBB91DA84FC102425BFDA957E)
cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191330272160)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78223
Entropy (8bit): 7.923956211832512
Encrypted: false
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191355909024)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78230
Entropy (8bit): 7.92393574284663
Encrypted: false
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191371431344)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78233
Entropy (8bit): 7.924019259545063
Encrypted: false
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191383849200)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78233
Entropy (8bit): 7.92390093829244
Encrypted: false