XG Firewall

Suggest, discuss, and vote on new ideas for Sophos XG Firewall. The next thing in next-gen.


: www.cert-in.org.in. The alerts on latest malware are published under VIRUS ALERTS section.

JCry ransomware is designed to encrypt data and append filenames with a ".jcry" extension. Once data is encrypted, JCry opens a pop-up window and generates the HTML file, "JCRY_Note.html", then drops a copy in every existing folder. The HTML file delivers a message informing victims about the encryption and ransom demand. This activity was observed in the Information Technology Sector.

*******************************IOC*****************************
Analysis:

Host
IPv4: 172.81.182[.]63
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: IP Watchlist

Host
URL: http://185.163.47[.]134/flashplayer_install.exe
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Delivery
Characterization: URL Watchlist
MD5: C86C75804435EFC380D7FC436E344898

Host
URL: http://76.74.177[.]236/flashplayer_install.exe
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Delivery
Characterization: URL Watchlist
MD5: C86C75804435EFC380D7FC436E344898

Host
FQDN: kpx5wgcda7ezqjty[.]onion
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Actions on Objectives
Characterization: Domain Watchlist

Host
FQDN: weserenawilliams[.]online
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: Domain Watchlist

File
Filename: flashplayer_install.exe
Size: 1782579
MD5: C86C75804435EFC380D7FC436E344898
SHA1: 9AAB879DB9AA96683FEB1BE7F741AFAF7099C665
SHA256: D7E118A3753A132FBEDD262FDF4809A76CE121F758EB6C829D9C5DE1FFAB5A3B
SSDEEP: 49152:GIgXEThdDy39yKPSvXfatTt4opKw28qPtH7zPjuO3NF:GIsQ1KavXit3pn2VzPjuy
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: dec.exe
MD5: 6B4ED5D3FDFEFA2A14635C177EA2C30D
SHA1: 50B8940981D51CEA6BAC3A6849F7DF3008A43ACE
SHA256: F2F4323DF1A065CDE9269B1C801FA912B296E36D08452E038778BA16B05DCBA9
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: enc.exe
MD5: 5B640BE895C03F0D7F4E8AB7A1D82947
SHA1: 3F2B30D3E72DF24632FDF505A194E3027723240F
SHA256: 22488ABDDBD4A61BB32BB7C2883B56E2F97541F85125F8D4C1593F65853A1D48
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

File
Filename: msg.vbs
MD5: EAE8D08312FBBB511EFFA07E71EBF73E
SHA1: F55B9028098BBA49FA87DFA7412B52869CFDFB79
SHA256: AE3E856A3A707E9ED600A988A3855CDB5375DE93C2C54619741225404D2EDAD1
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist

*****************************END***************************

CERT-IN general recommendations:
• Users are advised to disable RDP if it is not in use; if it is required, it should be placed behind the firewall and users should be bound by proper policies while using RDP.
• Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
• Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing, the means by which most ransomware samples successfully reach corporate mailboxes.
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
• Block attachments of the file types exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
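The IOC block above is pasted in the advisory's plain "Type / Key: value" layout with defanged `[.]` notation, and the recommendations end with a list of attachment types to block. The following Python script is an added example, not part of this idea post or of the CERT-In advisory: it parses such a block into records, refangs the network indicators, loads only well-formed hashes (correct length and hex) into a blocklist while quarantining malformed ones, and applies the advisory's extension list to attachment filenames. The sample block is a constructed excerpt copied from the indicators listed above; the record layout it assumes (a type line followed by `Key: value` lines, records separated by blank lines) is the one shown on this page and is an assumption for any other feed.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: an excerpt of the advisory's IOC block, pasted as-is
# (defanged "[.]" notation, one "Sighted" line per indicator).
SAMPLE_IOC_BLOCK = """\
Host
IPv4: 172.81.182[.]63
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: IP Watchlist

Host
URL: http://185.163.47[.]134/flashplayer_install.exe
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Delivery
Characterization: URL Watchlist
MD5: C86C75804435EFC380D7FC436E344898

Host
FQDN: weserenawilliams[.]online
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Command and Control
Characterization: Domain Watchlist

File
Filename: dec.exe
MD5: 6B4ED5D3FDFEFA2A14635C177EA2C30D
SHA256: F2F4323DF1A065CDE9269B1C801FA912B296E36D08452E038778BA16B05DCBA9
Sighted: 2019-03-08 [only single sightings used]
Kill chain Phase: Installation
Characterization: File Hash Watchlist
"""

# Expected hex-digit length per hash algorithm; anything else is not loaded.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Attachment types the CERT-In advisory says to block at the mail gateway.
BLOCKED_EXTENSIONS = frozenset(
    "exe pif tmp url vb vbe scr reg cer pst cmd com bat dll dat hlp hta js wsf".split()
)


def refang(value: str) -> str:
    """Turn defanged notation ("1.2.3[.]4", "hxxp://") back into a usable indicator."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def parse_ioc_block(text: str) -> list[dict]:
    """Split the block into records: a type line ("Host"/"File") then "Key: value" lines."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        record = {"type": lines[0]}
        for line in lines[1:]:
            key, sep, value = line.partition(":")  # first colon only; URLs keep theirs
            if not sep:
                continue  # stray line that is not a key/value pair
            record[key.strip().lower()] = value.strip()
        records.append(record)
    return records


def build_blocklist(records: list[dict]) -> dict[str, set[str]]:
    """Collect refanged network indicators and well-formed hashes, keyed by indicator kind."""
    out: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if "ipv4" in rec:
            out["ip"].add(refang(rec["ipv4"]))
        if "fqdn" in rec:
            out["domain"].add(refang(rec["fqdn"]).lower())
        if "url" in rec:
            out["url"].add(refang(rec["url"]))
        for algo, length in HASH_LENGTHS.items():
            h = rec.get(algo.lower())
            if not h:
                continue
            if len(h) == length and HEX_RE.match(h):
                out[algo.lower()].add(h.lower())
            else:
                out["malformed"].add(f"{algo}:{h}")  # wrong length or non-hex: review by hand
    return dict(out)


def is_blocked_attachment(filename: str) -> bool:
    """Apply the advisory's extension blocklist to the final suffix, case-insensitively."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    blocklist = build_blocklist(parse_ioc_block(SAMPLE_IOC_BLOCK))
    for kind, values in sorted(blocklist.items()):
        print(kind, sorted(values))
    for name in ("Invoice.PDF.exe", "report.pdf"):
        print(name, "blocked" if is_blocked_attachment(name) else "allowed")
```

The `malformed` bucket is the point of the length/hex check: a hash that loses a character in copy-paste (the advisory itself has stray brackets around two MD5 lines) would silently never match anything if loaded as-is, so it is set aside for manual review instead of being pushed to the firewall or endpoint blocklist.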

2 votes

PRASAD BHATTAD shared this idea

0 comments
