一周威胁综述（2 月 2 日至 2 月 9 日）

2018 年 2 月 9 日, 星期五 一周威胁综述 (2 月 2 日至 2 月 9 日 ) 本文概括介绍 Talos 在 2 月 2 日至 2 月 9 日观察到的最常见威胁 与之前的威胁综述一样, 本文不进行深入分析, 而是重点从以下方面总结我们观察到的威胁 : 关键行为特征 感染指标, 以及我们的客户是如何自动得到保护 免受这些威胁的 在此提醒, 本文中介绍的关于以下威胁的信息并不十分详尽, 但所述内容截至发稿日期为止为最新 对以下威胁的检测和防护会根据进一步的威胁或漏洞分析进行更新 如需获取最新信息, 请参阅 Firepower 管理中心 Snort.org 或 ClamAV.net 本周观察到的最常见的威胁主要如下 : Img.Dropper.PhishingLure-6443153-0 Office 宏植入程序这些分发植入程序的 Emotet 使用图像向用户展示指令, 以启用动态内容 Win.Adware.InstallMonster-6443601-0 广告软件 InstallMonster 是一种软件捆绑软件, 它可能在系统上安装不需要的应用, 并向用户显示不需要的广告 Win.Downloader.Adload-6418193-1 下载程序 Adload 是一种持久广告软件, 可反复打开弹出窗口和虚假错误消息 这些弹出窗口将用户定向到广告, 或下载并安装其他不需要的应用 Win.Downloader.DownloaderGuide-6443792-0 下载程序此集群涉及 XmasFred 安装程序, 可下载并执行其他二进制文件 Win.Trojan.Emotet-6444504-0 木马此恶意软件集群涵盖 Emotet 样本和 Tinba 样本 通过经过混淆处理的 VisualBasic 可执行文件, 可植入该恶意软件 Win.Trojan.GenInjector 木马此系列是破坏力极大的恶意软件, 它会向其他进程的地址空间注入代码 此外, 它使用了进程挖空技术来阻碍分析和长期休眠 为了实现持久性, 它设置了自动启动注册表项

Win.Trojan.Zusy-6443152-0 木马此.NET 木马包含一个名为 God.exe 的模块, 它在 AppData 中创建虚假 svchost.exe 进程, 并向 Windows 防火墙的授权应用列表中添加条目 威胁 Img.Dropper.PhishingLure-6443153-0 感染指标 注册表项 N/A 互斥体 MC8D2645C MD57D8F73 Global\I98B68E3C Global\M98B68E3C IP 地址 176[.]223[.]209[.]113 212[.]5[.]159[.]61 域名 www[.]manuelaponomarenco[.]ro 创建的文件和 / 或目录 %WinDir%\SysWOW64\specsystem.exe 文件散列值 182cad030170c3ebb1b5ec28a2174b572845403f0731363291ccf0d16350f891 1aa7436383c71ed5bc878e1e52bf66a017cb6b82b4ee6fbe23b67b11403efadc 1d869439f6a5b2e51a92b579924395478263b897822bd76124639a0d78fe361b 281ae4e896a0fe96ab28bab6a1da4d9a9d36f2b4d4ff88167df990e50735d0f5 290dc3abf2bdb619f6c8d2abf79d12483dc8b0ae420ab5ccfca178baeece5089 2f82036da229db4a9600179aad8e967edb06d1c0bfa2ea8f857bcc781ed30e08 35de4cf3ed429504e8b8695b33f386d2ca84017373af99b76f41d5df69f5f84c 3927f8d5492927df58b6ea3a97197592cb9ce4ef9fc98f5e93952805d6ebbdab 43089883a4e0d5dcb286f4b7bc585bc418a4641a0e3d1c0919215a2112378630 43e7bcef39f88ca7d3b9b67d09f9264c4946e0e12a337c23e043bb8e9f634c2e 46acbdf64873613dceff0d9d5af2169ef6af5b71576a312d3cd2320bc2ca4f34 4c6203f2c7d3590948d783ce0dbf181927a3645b82167fefbad5d34a203112d2 4d31f25c4da2b05fbacc21035e0a2284be60e10ef103d3a1d412234717706550 4e9624a45f3419c398f9fc9c7e8ec2e8472b432382c11c984aeb7860e1297903 54144d97c81096fb6cd6464b12cd1b6c48e5f2b0ce0d8b1f16e34af0153a98cb

5602ba9c52386806f8d723f63265fe94d15303d3112a2c0b6bd7b6319626c32f 66ae2270fff3a22c0e1a65fc4952f735b42b4d03445d5729b3a4e74d9ffe5d49 6755c2d4855a8b5ec2eb9dd9ab20edc55230c9cd12c372080bae52997899cf2e 6cf585b16de1edb9dc313886ddb4b32d617290eef1c9ce1a2ef6160336c1eaad 6e2460dab20fcca216798641dfa821e73b5bccf510df487839f542a198740778 6e4a276dd2d745f57faa6e18ba90e255836ef4976c65cdfd831412b8ae4ab91c 6f9034646e6fcead5342f708031412e3c2efdb4fb0f37bba43133a471d1cb0e0 72d16e5244d6e31f29a0ce765df09b6e9f8cc096a4266458001ce1cff345a398 74b66767a723949e5b0837eb281bad34b6f6132d9b4aef0b3d36651193edd3d7 76c7d0440bee5b4f885592bc4714e5ed3c1ba6677f95702d83cb44a52907437a 7c344293212b1de4798beb0cf70c9bec493460d5befba2eef1ce26a83c04ad2f 853ce320b07e88db313df40a05307921594d83f568ec7cb5981e180d24a7e510 865e660b5d65cfea1cf8d595c281363bd399c0a47b0270dac8bb9b8e7dd9fcf1 86b774067ba5911413c1125626056f32d4e076c0c15aa38e78c606573b3f730e 87dc2f7b36c4423f641516068c94feb3c9a634fbaa9196244cbf03bed8f2c85a 9f84428908f16511529c2589a917e7f53b3568cd7a7832d966cf06333bb26bcb a317da8fffca78122bc24c3c39d4c6af965aa9e1bae00a0705c7cee8c231dc79 a77e40b03e814c6f554929a939839416d80f73228a123ab953be37a1f25780b5 a8c75f9b1e601c4c77b67ddd1bdb28bf9164c4f507b9530fa31861f2c72fb2d7 b62230042f02ecdff4a53e7d3cb77023c1d4bdde332d568cfc2c1001500c314d b6600f389bf52796db5fcba03ef991df5a395a1a70b0f4096445469f9553ecde c412ad121682d33210402955ad330fbd182c5c57155bab2db659c7557d4a417b c462b00bfbd8e3bd79fe54c2bd74850b3a4a6d67b36cf3dc088462910b593b81 cb7ce3342987424ea1303adb8172f0172f4bbead7a348263f67bd84630b01059 d007c2ec4483fcd4dbf67233956b194d3a3a46426f700282ea7b01785a10fc50

防护 检测结果屏幕截图 AMP

ThreatGrid Umbrella 屏幕截图

Win.Adware.InstallMonster-6443601-0 感染指标 注册表项 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURREN TVERSION\INTERNET SETTINGS\ZONEMAP Value: ProxyBypass <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURREN TVERSION\INTERNET SETTINGS\ZONEMAP Value: IntranetName <HKCU>\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2 <HKCU>\Software\Microsoft\Internet Explorer\Main <HKCU>\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 互斥体 N/A IP 地址 200[.]7[.]96[.]22 域名 sciencemiracle[.]top 创建的文件和 / 或目录 %Public%\Desktop\Download Corel Painter...lnk 文件散列值 05827d9b842370ad0172bbc21189956edf6a3aeacabe455c3386fb294c91cbac 02fe9351831a92fc038f546703d9d76a84474cef38c93bdf2fe2f76d3409e932 049fc0a7cece52d6f40d34a5ec7f1e55e1a00b15d78fc831397f050785a92e5a 0b20d5bc9b5f22fde1fd769392a8df02722cb30f12954a18fad2570f6c2fcedf 0d10201d5be9135b7bb1676c30452fac1d82019debcf3170655a0719ba3e0d59 13353b13d483f3096a3c4cc98bbbecdf5f67c86e13d1af3627b9f61b8a37c058 16ee6d3da75a3527ce741fbcbd8424b52826fcd89510a1206d9e30df1e441ff6 16f734eac6b1360142b4f4602aa7543b0af21440e0c6d06f635f6f685b6d951b 1901b7872887beca319f88ded466061762dcce27b82964e0771bdc239d70a04a 1e1f00584ddd324467fd0e2b9f06d1320efdec7253f63833d19d960acc598975 22903e84c8be9c4cef7ec3a7280fa359cced7bb9ee71de74f815a38f07c1fcc4 25750ae1857c77a233d43bad1ca56b7287efb31d568c8788cddfd56e8f161f22

防护 检测结果屏幕截图 AMP

ThreatGrid Umbrella Win.Downloader.Adload-6418193-1 感染指标 注册表项 N/A 互斥体 Global\AmInst Runing_1 IP 地址 198[.]54[.]117[.]200

域名 www[.]quaintspokenracketiest[.]site 创建的文件和 / 或目录 N/A 文件散列值 1f910886460d291aa28ce33dff560b291ee3a9040c1ffe125134d01cb8673bd3 1f9c34ceeb4600837359be13415e95783f4e5f7ea8d3def87ce3b06ec6a047dd 1d5c26af77f30dab347de49c91146a6d2d3b95df5ccd532fc1d8aee0ae63eda8 1474c9ed8ea883047a1f069ad93cfa3516d3a337fbbf93ae9248c17f6646c3ba 10b8bbff557792a03e71fb766b075cc6281976e05694b11bfac31a375863d6d6 0dc1235368b24fed46e7f744c6b9f9c486d3b36a3e6fa1a20d7ec869ac656310 0bbff365a4284eb3ab0932cb80f5d3d35880ec2a0c473daa7a75ac46c091bb3c 150a103d11bbc8638116a30427620db833d926e6bd74fcda12ec90d6e89dfe3d 0b2c3b28e73b96ab473d6e5f4c24c8c427e9639d7efe203faededaf09480c2e6 051826260a52420903d9c17d973a0cc78dc5706140df1af05cdafd9321d2764f 0473d1632bda43d83bc8fdb65d095479a5ef49ad816725b84aa9a7bf75356d42 25b2aeddfe481e574ee14ead95537de4d94b18d3654c8d0866dbe42631aab64c 1eea07045426f602a8ec956cbe99556c8b54c1d51610fe7a6806941a79deed84 19d41761096fdb20dc412af13a00c6ec752ca7bbb8444aa9c546aa0fb5385782 1978e7025d0cff47a798ce59da8e3f5dafe6b9ec39aa46ca1882fdef2a0b61c2 0c00f2e323696cc3f39832b7da538701850d28998610711d8d70594314436399 f854f72ac2f61de681be53b78c6c5050580c19c589104c3efdedc8a4838e6932 ce37d2dc789a535be7af9a44827ebce419f8637a09bb7e352696d474e07786a6 cf5249a37d8c7526cd7daabb01e8df29eaacf7cf93759ac09b48e08db8b26c2a b99011d4fcafe5ed1e022534e5dcc18835fae5a86c873039a1a56617414689ec

防护 检测结果屏幕截图 AMP

ThreatGrid Umbrella Win.Downloader.DownloaderGuide-6443792-0 感染指标 注册表项 N/A 互斥体 DlgCpp IP 地址 N/A 域名 dlg-messages[.]buzzrin[.]de dlg-configs[.]buzzrin[.]de

创建的文件和 / 或目录 %WinDir%\SoftwareDistribution\DataStore\DataStore.edb %WinDir%\WindowsUpdate.log 文件散列值 2713963eb9b15eba3254444d86bdf9fc50c0a44709eb8ee154c476786e9d99c1 3529872d962530a50f47e947ea5c4a367fb7bbc8d6084dde1d8089e3b48b3893 93974e363e38dfa5d11fd227e0de730d62b0967fd640b31e7382903b6ba5f739 59c68020dee3bbb7e0c071db202fff734b858aef4aa0f708054bfeee08577cdb bc0015c6ab7cab17c34b96111a165591b4db5fee01eed778a9ab6d285e51485f 902f1150f83800ac4fc2c28a3e83253f7892c297ca4998955fc66f78336fa69b 466fff17d182237602a6ed4897a0122a61d1b4e4bed73481b41a10fc7d5355da 103ee228b018a8e1e689a03c610fad4ab9d0c4d644facbba745b1b63f5ed40ec ad75bfc96fd6e336be402b250001620706ba1ff4b54f7ddad92a6ec4e760c320 70e6eaccfd29763b4bf117067e0ef378b3720616fc82406a1d8e546d51919fb4 1ae3646b98b09736443aa3d26e5396d7feb510a14d6275a98d010903c660e8e1 3c14d644d76bc09c3243305a01221246e4c30d58b5498a42c6a7248b28f29645 85961d3953f9830946af4fe46e6639dd57e56df6be26689c497a93bbec0543e9 319cbac9d24298431ce6b4451ca1751d05787a39ab298dbbb516c6351bc7e500 f1ea59a7312d82b48c43292466b44b5533dee92b0dd50d618454fe695bfcde05 e0c3b75a1fd23310c6310a96c2a9c1f1d6aafe6a89833aa5eb68f307e1c8a074 9731e93d38a6cd040102243cd9918f9ab63f23c063e51284700b4784325f7a00 8deeb09519b1a398409fcf5e375a6c68f8712a168a98fb41721d1fb3ea8dd8b9 d3c318d3bbf3186e879a6dd125e0828eb480120b231df33e34156d2b9a32aff2 8fef976a246e440dba1e3f45671588253e1f8c46acc10fe5d1873098b9f2bd3a 9c8ea37c3c17728b11477936e0723de25c74ef38d66d5b17832dfca7b1788d76 85739ff86a8c4465f0abe5eb0dd9100f453a15dfe5c1756de34ab40247273d03 14d5afb6e3867b3016925a53c294b87fe2122fbf8650f468c9f5e3e1ca115b16 5cf9b749006d7404e09190d54d76a7f0af758471948ed6d924736dec784689e4 1bf58f0bfb9ae73d0735519717731e2aaf159b975b7ed6442565fdbbb496cd23

防护 检测结果屏幕截图 AMP

ThreatGrid Umbrella 屏幕截图

Win.Trojan.Emotet-6444504-0 感染指标 注册表项 N/A 互斥体 FAFEB955 IP 地址 N/A 域名 N/A 创建的文件和 / 或目录 %WinDir%\setupact.log %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456- A289-439d-8115-601632D005A0 %System32%\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456- A289-439d-8115-601632D005A0 \Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.chk %WinDir%\Tasks\SCHEDLGU.TXT %System32%\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2580483871-590521980-3826313501-500_UserData.bin %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\638784ff-73cd-4f1c-a5cf-845c7e3f97ce %System32%\config\TxR\{016888cc-6c6f-11de-8d1d-001e0bcde3ec}.TxR.blf %AppData%\Microsoft\Protect\S-1-5-21-2580483871-590521980-3826313501-500\Preferred 文件散列值 151b8a37101a060bb97a12c6d076923bbc4706da2763fc0bde43fb2ae5b38e3c 912c1c5303e782d4ef43f65146b80d0efe2d79e5a0f43e06c8cd146125a9e0a6 de3b898b771d6e1abfbd5c4cacf7db4b806ab8048e021eb18d8885108839fe77 c37aaa5702f75169e2ce9de7a9fe109727efb3558d582352c2b97a3cca3564d8 32f60f4ff601a89d6ccfce6cd6af4b19cd606d2d2278b23903e049c429c8e056 53eccf073cb85d00623d1c708cc13fff995ec504fe89dfab59c56a782c18c409 08f3c988473aea98d4ca8ab627cd5e10f075455b5f6a538a13dc53871d29a04c 75430b8cd13f3974be5950f0a84bcf23b31d4199c17e729e804d9dddffbc8b3a 2d21f1034be1e02955c906251b147ec28974e1afff7982a956ac77e951c69642 e45c52c8115e6d396504667f7dfda58c55760eced8847ad4938c77e6128323f8 70580a49df3be66fdb1a0a369f478660ea55bfb16800b1f2976731c4cb9549d8 57ed7d6ee9ae8b07783bd1df207521cf0f3e1365951c29ac04f1afc1d4f3c048

防护 bb2cac71f9c861e2554933876b45fdb7d143aa20ff78a2bb73565ff014d29fd5 01012f164c2570e656ea7c4b99b2b5a7845a77cefcab66b9d65e02da73821894 检测结果屏幕截图 AMP

ThreatGrid Win.Trojan.GenInjector 感染指标 Registry Keys <HKU>\S-1-5-21-2580483871-590521980-3826313501- 500_CLASSES\LOCAL SETTINGS\MUICACHE\3A\52C64B7E Value: LanguageList <HKU>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections <HKLM>\SYSTEM\CONTROLSET001\CONTROL\NETWORK\{4D36E972- E325-11CE-BFC1-08002BE10318}\{9EB90D23-C5F9-4104-85A8-47DD7F6C4070}\CONNECTION Value: PnpInstanceID <HKLM>\ Њ ќ э э В Г Й я <HKLM>\System\CurrentControlSet\Services\Tcpip\Parameters 互斥体 3749282D282E1E80C56CAE5A IP 地址 31[.]31[.]196[.]236

域名 u0417398[.]cp[.]regruhosting[.]ru 创建的文件和 / 或目录 %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\284_appcompat.txt \TEMP\SOA October IN274348.exe %WinDir%\SoftwareDistribution\DataStore\DataStore.edb \EVENTLOG %WinDir%\WindowsUpdate.log %WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb %SystemDrive%\DOCUME~1\ADMINI~1\LOCALS~1\Temp\10B26.dmp 文件散列值 fb237b7fc75cec8180f4d853c44911dc0dbdb705be39c3e6f1f2a523b79ff9d5 d90dc3f22cc7bd92f22bafa9d77b0e373849386eae57606b42239f915357084a e128f7ad54a882d2d269733a956f49e5b1bf2b182781f24f98f058f2d8f48787 021492b2cc3c242851207e402e9ba284ed32350379deac649f38426130b2c01f 2cd6fc2a4572f4b1a39371a8df8c664eabe119608908d441257e72eb203737f4 防护

检测结果屏幕截图 AMP ThreatGrid Umbrella

Win.Trojan.Zusy-6443152-0 感染指标 注册表项 <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURREN TVERSION\RUN Value: svchost <HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5E197F8B-DAA2-BABD-EDBF- DEFDFDFEBEEB} Value: StubPath <HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\VB AND VBA PROGRAM SETTINGS\INSTALL\DATE Value: HFGW2HEVRP <HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLI CIES\EXPLORER\RUN Value: svchost <HKU>\S-1-5-21-2580483871-590521980-3826313501- 500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value: svchost <HKU>\S-1-5-21-2580483871-590521980-3826313501-500\SOFTWARE\VB AND VBA PROGRAM SETTINGS\SRVID\ID Value: HFGW2HEVRP <HKU>\S-1-5-21-2580483871-590521980-3826313501- 500\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5E197F8B-DAA2-BABD-EDBF-DEFDFDFEBEEB} Value: StubPath <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARA METERS\FIREWALLPOLICY\STANDARDPROFILE\AUTHORIZEDAPPLIC ATIONS\LIST Value: C:\Users\Administrator\AppData\Roaming\svchost.exe <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARA METERS\FIREWALLPOLICY\STANDARDPROFILE Value: DoNotAllowExceptions <HKU>\S-1-5-21-2580483871-590521980-3826313501- 500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN Value: internat.exe <HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARA METERS\FIREWALLPOLICY\STANDARDPROFILE Value: DoNotAllowExceptions

互斥体 N/A IP 地址 N/A 域名 runeo[.]no-ip[.]info 创建的文件和 / 或目录 %AppData%\mirc %AppData%\svchost.exe 文件散列值 742d600c5e784c8dd2d54a9a6b74e3b67a20da1a6f9355511ff0c05ba48121c2 0328c4576287299e56877f254ea46a78f902c46fefef26c4bef7f2e9914ab378 07927ef357ebb94200b9ec784db1337f2a2012a9591bcdf2f27387e7992983ac 0e40b1eaf8bb90fbc2401ff200edbf7930957235af98d5c58ae7f1562d3a3d93 191281b087c742f6a99e05356bf0d8fd6e30340754c7b8ead6ae4051a595744e 217fd7e2bb21f0f0023f1c557bf29bd7578ea92159232e20d2d9cf34b6dfe976 219c813aa7aefc3db6d7de37898dfc9cb31a915f0c97d9ffd204b03df6598145 2d928287f5966bd08e8fba8e5682b6f0200ae92c560fd9f5b07eaf3301110417 3d9b06a7e27337026085feb880489db6fdf9d92eff63412385a784977825e165 4a6003e3c1930cd82f5be9f73b6b4554777ab453dd7783fb21cfd94478787ab1 4f318f15e17c6839069c53c5cc9594f50cc805867aa9d04df688daa10c55a28c 6e9516009a6da7c3247f058783b6515d66c11c440bd60394452112a28a815272 961af12739f5f34051d10edeefb90ba81d7509135de72c16fc8afefc28febdaf a45471269d4a0c4e4a2f207b1e69827a075ad171b30c7812e65ba1af15839d1d a7af202e3d506f9f52a3cec09238bc8aa8096611206807e2c3f2b17d7976db96 ad47218986739e0072c91932f1d07a9f5f0ea7c98264978f57d0041f6100551e b067ecbfb6d02654c42fca66e4cf6dffe14a171a42807fd354f9cb7e7cba775b b8dbab7f7429309272e6608b9bae6bdc6ff75f95c130b93c78bb8a9b619a5cb6 b9c2b5cc1df590e197d3df80584a8c077c2d68ef9aaea4888af8598541aec0f2 bc61b85b359f344f7a00eae0d4015889fca2cdb623569fd25133400db2f2015a bdc949c5324235de7179b823d967220b3e92dcaaa21ee98ff452a3c80cd1c2c1 be31db615f5a4aa48517252c57022a2fc9582f7740801e00bd8d7858d89b2bcb d4ff1da63afb7b0008d655bc2387f5f00452e920d6e253f23792f928ff6ac875 e445e0d7f1a46b98400693a28c9ec427450abc8f29df4c145c1d860205dffa57 e88b52ba0a0047a297855ce56115eacc07ea8b34a06900eef9890a577482ea7c

防护 检测结果屏幕截图 AMP

ThreatGrid 发布者 :ALEXANDER CHIU; 发布时间 :0:29 标签 :AMP 防护 威胁综述 THREATGRID UMBRELLA