{ "Event": { "analysis": "2", "date": "2018-07-03", "extends_uuid": "", "info": "Clipboard CryptoCoin Hijacker", "publish_timestamp": "1530625191", "published": true, "threat_level_id": "2", "timestamp": "1530625163", "uuid": "5b3b7b62-5728-4980-937b-40240acd0835", "Orgc": { "name": "Synovus Financial", "uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Megasync.exe/allradio_4.27_portable.exe", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-702c-45b3-831a-024a0acd0835", "value": "9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd" }, { "category": "Payload delivery", "comment": "Clipboard CryptoCoin Hijacker, d3dx11_31.dll", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-c67c-4e90-8a40-024a0acd0835", "value": "48b66dd02a336eb049a784b3fd1beb5312fb8c078b3729d49e92e3e986c98e91" }, { "category": "Payload delivery", "comment": "Logger.exe", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-6d70-4225-b6ad-024a0acd0835", "value": "0cc32e6e6a407b2b69e1d89b3f005eecc54e238104725dcdcc8d3fc09c109bb4" }, { "category": "Payload delivery", "comment": "Injected miner", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-e698-4e7c-86fa-024a0acd0835", "value": "cf8ef10678e63ffd02a5a35c84461d0195e0eed234bf9328eede52f3bef0e5f7" }, { "category": "Payload delivery", "comment": "Hidden Service", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-cbb0-4075-9c70-024a0acd0835", "value": "2e23ab52259e45eaced300811a6d6795db719b029d06b08ca7bac7d86cc289ad" }, { "category": "Payload delivery", "comment": "Satamon.exe", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-2b64-42b1-b364-024a0acd0835", "value": "2c3eae980a88e7bb6a91f2b466856f612f34b8a37fac46bbbb52c0af0e695488" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-5fe0-459b-8a68-024a0acd0835", "value": "ffdc286711557df5f0bfd6a96744e93633d13fe45c02c240d5d6cf7531b21847", "Tag": [ { "colour": "#42933e", "name": "Adware" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-fcec-4230-94ba-024a0acd0835", "value": "20bdef6e68bbec5ddeb7b893a9b4f387adbf2ee304963e905d98116a57334a41", "Tag": [ { "colour": "#42933e", "name": "Adware" } ] }, { "category": "Payload delivery", "comment": "Temp downloader", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-d310-4dcb-be70-024a0acd0835", "value": "acf810c7bb3961fd42f5925fcd4417cb812eb6fdaad00c98830c522d54c7f6eb" }, { "category": "Payload delivery", "comment": "Temp downloader", "deleted": false, "disable_correlation": false, "timestamp": "1530624986", "to_ids": true, "type": "sha256", "uuid": "5b3b7bda-cb08-43c7-a5aa-024a0acd0835", "value": "084d4811c47a5dc36df59bfaf477e1f0bf3a9b3901877de1d1548c3343d1e4d6" }, { "category": "Payload delivery", "comment": "Temp downloader", "deleted": false, "disable_correlation": false, "timestamp": "1530624987", "to_ids": true, "type": "sha256", "uuid": "5b3b7bdb-fe10-4c9d-af40-024a0acd0835", "value": "ea92702d5fe168a57ccf5abbe6b9f5eca25f039e111db4b010183aa6909c38d2" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-c840-40dd-ac6d-28b70acd0835", "value": "HKCU\\Software\\All-Radio" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-f378-43e3-b6f5-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-0998-428e-b04f-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\TimeStamp\t914BE45509E88CBE12C9C147B92F8928" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-1978-4c09-995a-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\CurrentLanguage\tEnglish" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-2764-426d-998b-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\skin name\tCold" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-3294-4b11-92e1-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\color\t0" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-4788-4c49-9e44-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\saturation\t0" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-4ed0-48e1-98be-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\use skin\t1" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-5230-4d33-bb44-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\CurrentServer\thttp://www.radioserver2.com/" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-4e24-4424-bf77-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\ServersCount\t8" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-5e68-475b-bb2f-28b70acd0835", "value": "HKCU\\Software\\All-Radio\\Settings\\resize\t1" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-5ea8-4f33-8ddf-28b70acd0835", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agwpyjho\t\"%USERPROFILE%\\gidulfmf.exe\"" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-7464-428d-bd37-28b70acd0835", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DirectX 11\trundll32 %Temp%\\d3dx11_31.dll,includes_func_runnded" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-93e4-4134-8ab3-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-a6e4-4316-a19e-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Path\t\\Opera scheduled Autoupdate 1427321617" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-b5fc-41d6-b3a7-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Hash\tBINARY SIZE=32 MD5=5520F781167B06815EF8BD54DD186F9C" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-b768-43cb-8995-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Triggers\tBINARY SIZE=352 MD5=83356B89B15EAB067435487A7B92FDBE" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-d9a4-40e4-b86f-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\DynamicInfo\tBINARY SIZE=28 MD5=3068A03846DFF3649992C32FBA75E688" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625013", "to_ids": false, "type": "regkey", "uuid": "5b3b7bf5-fa50-44a7-b755-28b70acd0835", "value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\%WINDIR%\\SysWOW64\\kqgzitry\t0" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1530625146", "to_ids": false, "type": "link", "uuid": "5b3b7c72-4be0-49cf-94eb-28b50acd0835", "value": "https://www.bleepingcomputer.com/news/security/all-radio-427-portable-cant-be-removed-then-your-pc-is-severely-infected/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] } ] } }