
THREAT PREVENTION Report
Mar 24, 2020 12:00 AM - Apr 23, 2020 9:29 AM

General Activity (page 2)

Top Protections

Protection Type | Severity | Logs
DNS Reputation | High | 19.6K
DNS Trap | Critical | 4.6K
Signature | Critical | 76
URL Reputation | Critical | 23
Suspicious Mail | Medium | 17

Top Malware Activities

Malware Action | Logs
DNS query for a C&C site | 10.7K
DNS server resolving a C&C site for a client behind it | 7.8K
Communication with C&C site | 3.2K
Access to site known to contain malware | 1.4K
DNS query for a site known to contain malware | 857
DNS server resolving a site known to contain malware for a client behind it | 221
DNS client query or DNS server resolving a C&C site | 39
Malicious file/exploit download | 28
Spam | 17
Malicious network activity | 9

Active Blades

[Bar chart: logs per active blade (Anti-Bot, Anti-Virus); y-axis 0 to 20K in 2K steps]

Malware Activity

[Time-series chart: daily incidents by severity (Critical, High, Medium, Low); y-axis 0 to 1K; x-axis Tue 24, Tue 31, Tue 7, Tue 14, Tue 21]

Hosts (page 3)

Top Hosts by No. of Incidents

[Bar chart: incidents per host by severity (Critical, High, Medium, Low); x-axis 0 to 5K in 500 steps. Hosts in chart order:]
Host_172.31.1.140 (172.31.1.140)
172.31.25.41
172.31.41.4
PROXY_CSE2 (172.31.1.100)
192.168.6.117
172.31.104.21
172.31.33.77
192.168.6.162
172.31.104.20
android-8ddb640eb1391426.cse.gob.ni (192.168.70.100)

Top Hosts by Severity

Source | Severity | Blade | Protection Name | Protection Type | Action
172.31.33.77 | Critical | Anti-Bot, Anti-Virus | Andromeda.TC.eabbaaabb, Andromeda.TC.iabbaaabb, CnC Server.RS.TC.ferz, CnC Server.RS.TC.fewp, CnC Server.RS.TC.ffac, 122 more Protections | DNS Reputation, DNS Trap | Detect, Prevent
192.168.6.117 | Critical | Anti-Bot, Anti-Virus | Andromeda.TC.eabbaaabb, Andromeda.TC.iabbaaabb, Conficker_A.TC.akskd, Conficker_A.TC.akslr, Conficker_A.TC.aksmd, 1037 more Protections | DNS Reputation, DNS Trap | Detect, Prevent

Malwares (page 4)

Top Malwares by No. of Incidents

[Bar chart: incidents per malware action; x-axis 0 to 6K in 1K steps. Malware actions in chart order:]
DNS query for a C&C site
DNS server resolving a C&C site for a client behind it
Communication with C&C site
DNS query for a site known to contain malware
DNS server resolving a site known to contain malware for a client behind it
Access to site known to contain malware
Malicious file/exploit download
Malicious network activity
DNS client query or DNS server resolving a C&C site
Spam

Top Malwares by No. of Incidents

Malware Action | Protection Name | Source | Logs
DNS query for a C&C site | 6897 Protections | 34 Sources | 10.7K
DNS server resolving a C&C site for a client behind it | 6824 Protections | 2 Sources | 7.8K
Communication with C&C site | 395 Protections | 33 Sources | 3.2K
DNS query for a site known to contain malware | 47 Protections | 39 Sources | 857
DNS server resolving a site known to contain malware for a client behind it | 40 Protections | 2 Sources | 221
Access to site known to contain malware | 39 Protections | 34 Sources | 1.4K
Malicious file/exploit download | 21 Protections | 13 Sources | 28
Malicious network activity | 2 Protections | 2 Sources | 9

Severe Incidents (page 5)

Hosts With Severe Incidents By Blade

Blade | Source | Severity | Protection Type | Protection Name | Malware Action | Logs
Anti-Bot | 192.168.6.117 | Critical | DNS Reputation, DNS Trap | Andromeda.TC.iabbaaabb, Conficker_A.TC.akskd, Conficker_A.TC.akslr, Conficker_A.TC.aksmd, Conficker_A.TC.aksmi, 1034 more Protections | Communication with C&C site, DNS query for a C&C site | 1.4K
Anti-Bot | 172.31.33.77 | Critical | DNS Trap | Andromeda.TC.iabbaaabb, CnC Server.RS.TC.ferz, CnC Server.RS.TC.fewp, CnC Server.RS.TC.ffac, CnC Server.RS.TC.fgea, 96 more Protections | Communication with C&C site | 489
Anti-Bot | 172.31.104.21 | Critical | DNS Trap | Andromeda.TC.iabbaaabb, CnC Server.RS.TC.ferz, CnC Server.RS.TC.fewp, CnC Server.RS.TC.ffac, CnC Server.RS.TC.fgea, 102 more Protections | Communication with C&C site | 457
Anti-Bot | 172.31.104.20 | Critical | DNS Trap | Andromeda.TC.iabbaaabb, CnC Server.RS.TC.ferz, CnC Server.RS.TC.fewp, CnC Server.RS.TC.ffac, CnC Server.RS.TC.fgex, 63 more Protections | Communication with C&C site | 373
Anti-Bot | 172.31.32.38 | Critical | DNS Reputation, DNS Trap | Andromeda.TC.iabbaaabb, Conficker_B.TC.ajvzu, Generic.TC.dtjfpv, Generic.TC.hcpmin, Generic.TC.hcvfeo, 4 more Protections | Communication with C&C site, DNS query for a C&C site | 244
Anti-Bot | 172.31.13.61 | Critical | DNS Reputation, DNS Trap | Andromeda.TC.iabbaaabb, Generic.TC.hcpmin, Generic.TC.hdqghd | Communication with C&C site, DNS query for a C&C site | 140

Severe Incidents (page 6)

Blade | Source | Severity | Protection Type | Protection Name | Malware Action | Logs
Anti-Bot | 192.168.6.162 | Critical | DNS Reputation, DNS Trap | Andromeda.TC.iabbaaabb, Conficker_A.TC.amerg, Conficker_A.TC.ameti, Conficker_A.TC.ameui, Conficker_A.TC.ameur, 112 more Protections | Communication with C&C site, DNS query for a C&C site | 117
Anti-Bot | android-8ddb640eb1391426.cse.gob.ni (192.168.70.100) | Critical | DNS Reputation, DNS Trap | Andromeda.TC.iabbaaabb, Generic.TC.fmsilk, Generic.TC.gjgxnh, Generic.TC.hcpmin, Generic.TC.hcvecx, 7 more Protections | Communication with C&C site, DNS query for a C&C site | 110
Anti-Bot | proofpoint_192.168.17.12 (192.168.17.12) | Critical | DNS Reputation, DNS Trap | Generic.TC.dtjfpv, Generic.TC.ghvwib, Generic.TC.hckpzq, Generic.TC.hcpmin, Generic.TC.hcvecx, 3 more Protections | Communication with C&C site, DNS query for a C&C site | 110
Anti-Bot | 172.31.136.20 | Critical | DNS Trap | Andromeda.TC.iabbaaabb, Conficker_A.TC.akwtu, Conficker_B.TC.ajjab, Conficker_B.TC.ajpef, Conficker_B.TC.ajwbb, 13 more Protections | Communication with C&C site | 53
Anti-Bot Total | 46 Sources | Critical | 4 Protection Types | 6.7K Protections | 4 Actions | 19.7K
Anti-Virus | android-8ddb640eb1391426.cse.gob.ni (192.168.70.100) | Critical | DNS Reputation, DNS Trap, Signature, URL Reputation | Adware.TC.gbbgfaeji, Generic.TC.havmlf, Infecting URL.RS.TC.eihw, Infecting URL.RS.TC.hnbc, Trojan.Win32.Generic.W.cqtbn, 4 more Protections | Access to site known to contain…, DNS query for a site known to c…, Malicious file/exploit download | 36

Severe Incidents (page 7)

Blade | Source | Severity | Protection Type | Protection Name | Malware Action | Logs
Anti-Virus | 192.168.9.52 | Critical | DNS Reputation, DNS Trap, Signature | Autoclicker.android.generic.TC…, Generic_Android.TC.kx, Generic_Android.TC.lc, malicious-URL.TC.aj | Access to site known to contain…, DNS query for a site known to c…, Malicious file/exploit download | 30
Anti-Virus | MCHOW-PC (172.31.4.50) | Critical | DNS Reputation, DNS Trap, Signature | Autoclicker.android.generic.TC…, Generic.TC.dtadxa, Generic.TC.hcpnqg, Trojan.Win32.Zusy.TC.ajge, unknown.TC.oxeav, 1 more Protection | Access to site known to contain…, DNS query for a site known to c…, Malicious file/exploit download | 16
Anti-Virus | UsuarioNuevo-PC (172.31.4.113) | Critical | DNS Reputation, DNS Trap, Signature | not-a-virus:HEUR:Downloader.W…, unknown.TC.oxeav | Access to site known to contain…, DNS query for a site known to c…, Malicious file/exploit download | 7
Anti-Virus | PCComputer.cse.gob.ni_54 (192.168.70.51) | Critical | DNS Reputation, DNS Trap, Signature | PUP.Win32.WebCompanion.TC.…, malicious-URL.TC.aj, unknown.TC.oxeav | Access to site known to contain…, DNS query for a site known to c…, Malicious file/exploit download | 3
Anti-Virus | host_172.31.4.229 (172.31.4.229) | Critical | Signature, URL Reputation | Infecting URL.RS.TC.fsmi, PUP.Win32.WebCompanion.TC.… | Access to site known to contain…, Malicious file/exploit download | 2
Anti-Virus | DESKTOP-K3BVMQN (172.31.4.162) | Critical | Signature | Trojan.Win32.Generic.W.dhdck | Malicious file/exploit download | 1
Anti-Virus | 192.168.70.176 | Critical | Signature | Autoclicker.android.generic.TC.coj | Malicious file/exploit download | 1
Anti-Virus | DESKTOP-6UD7IPG (172.31.4.169) | Critical | Signature | Malicious Binary.TC.ibnagn | Malicious file/exploit download | 1
Anti-Virus | Fabrica4-PC (192.168.6.57) | Critical | Signature | not-a-virus:WebToolbar.Win32.Asparnet.gen.W.rcpbc | Malicious file/exploit download | 1

Severe Incidents (page 8)

Blade | Source | Severity | Protection Type | Protection Name | Malware Action | Logs
Anti-Virus Total | 36 Sources | Critical | 4 Protection Types | 36 Protections | 4 Actions | 672

Malicious Activity (page 9)

Top Malware Activity and Sources by Severity

Malware Action | Source | Severity | Action | Logs
Communication with C&C site | 172.31.33.77 | Critical | Prevent | 841
Communication with C&C site | 172.31.104.21 | Critical | Prevent | 772
Communication with C&C site | 172.31.104.20 | Critical | Prevent | 673
Communication with C&C site | 192.168.6.117 | Critical | Prevent | 370
Communication with C&C site | 172.31.32.38 | Critical | Prevent | 136
Communication with C&C site | Total: 33 Sources | Critical | 2 Actions | 3.2K
Malicious file/exploit download | android-8ddb640eb1391426.cse.gob.ni (192.168.70.100) | Critical | Detect | 5
Malicious file/exploit download | UsuarioNuevo-PC (172.31.4.113) | Critical | Detect, Prevent | 4
Malicious file/exploit download | MCHOW-PC (172.31.4.50) | Critical | Detect, Prevent | 4
Malicious file/exploit download | PCComputer.cse.gob.ni_54 (192.168.70.51) | Critical | Detect | 2
Malicious file/exploit download | host_172.31.4.229 (172.31.4.229) | Critical | Detect | 2
Malicious file/exploit download | Total: 13 Sources | Critical | 2 Actions | 28
Malicious network activity | DESKTOP-LEMMMCB (172.31.4.86) | Critical | Prevent | 7
Malicious network activity | F5_SelfIP_VLAN100 (172.16.100.2) | Critical | Prevent | 2
Malicious network activity | Total: 2 Sources | Critical | 1 Action | 9
DNS query for a C&C site | 172.31.25.41 | High | Detect | 4.3K
DNS query for a C&C site | 172.31.41.4 | High | Detect | 4.1K
DNS query for a C&C site | 192.168.6.117 | High | Detect | 1.0K

Malicious Activity (page 10)

Malware Action | Source | Severity | Action | Logs
DNS query for a C&C site | 172.31.13.61 | High | Detect | 289
DNS query for a C&C site | VIP_Zimbra_MailServer (192.168.17.13) | High | Detect, Prevent | 250
DNS query for a C&C site | Total: 34 Sources | High | 2 Actions | 10.7K
DNS server resolving a C&C site for a client behind it | Host_172.31.1.140 (172.31.1.140) | High | Detect | 5.6K
DNS server resolving a C&C site for a client behind it | PROXY_CSE2 (172.31.1.100) | High | Detect, Prevent | 2.2K
DNS server resolving a C&C site for a client behind it | Total: 2 Sources | High | 2 Actions | 7.8K
Access to site known to contain malware | 172.31.33.77 | High | Prevent | 414
Access to site known to contain malware | 172.31.104.21 | High | Prevent | 373
Access to site known to contain malware | 172.31.104.20 | High | Prevent | 356
Access to site known to contain malware | android-8ddb640eb1391426.cse.gob.ni (192.168.70.100) | High | Detect, Prevent | 58
Access to site known to contain malware | 172.31.136.20 | High | Prevent | 37
Access to site known to contain malware | Total: 34 Sources | High | 2 Actions | 1.4K
DNS query for a site known to contain malware | 172.31.33.77 | High | Detect | 150
DNS query for a site known to contain malware | 172.31.104.20 | High | Detect | 132
DNS query for a site known to contain malware | 172.31.104.21 | High | Detect | 123
DNS query for a site known to contain malware | VIP_Zimbra_MailServer (192.168.17.13) | High | Detect, Prevent | 117
DNS query for a site known to contain malware | android-8ddb640eb1391426.cse.gob.ni (192.168.70.100) | High | Detect | 70
DNS query for a site known to contain malware | Total: 39 Sources | High | 2 Actions | 857

Malicious Activity (page 11)

Malware Action | Source | Severity | Action | Logs
DNS server resolving a site known to contain malware for a client behind it | Host_172.31.1.140 (172.31.1.140) | High | Detect | 162
DNS server resolving a site known to contain malware for a client behind it | PROXY_CSE2 (172.31.1.100) | High | Detect | 59
DNS server resolving a site known to contain malware for a client behind it | Total: 2 Sources | High | 1 Action | 221
DNS client query or DNS server resolving a C&C site | VIP_Zimbra_MailServer (192.168.17.13) | Medium | Prevent | 25
DNS client query or DNS server resolving a C&C site | Host_172.31.1.140 (172.31.1.140) | Medium | Prevent | 7
DNS client query or DNS server resolving a C&C site | PROXY_CSE2 (172.31.1.100) | Medium | Prevent | 7
DNS client query or DNS server resolving a C&C site | Total: 3 Sources | Medium | 1 Action | 39
Spam | proofpoint_192.168.17.12 (192.168.17.12) | Medium | Prevent | 11
Spam | 192.168.70.140 | Medium | Prevent | 6
Spam | Total: 2 Sources | Medium | 1 Action | 17

Countries (page 12)

Top Destination Countries by Protections

Destination Country | Protection Name | Severity | Source | Logs
United States | 5561 Protections | Critical | 227 Sources | 8.4K
Australia | 1130 Protections | High | 3 Sources | 1.4K
Israel | 428 Protections | Critical | 44 Sources | 4.6K
Netherlands | 45 Protections | Critical | 22 Sources | 120
United Kingdom | 39 Protections | Critical | 7 Sources | 65
China | 28 Protections | High | 12 Sources | 245
Sweden | 24 Protections | High | 2 Sources | 24
Canada | 16 Protections | High | 16 Sources | 119
Germany | 5 Protections | Critical | 7 Sources | 47
Russian Federation | 2 Protections | High | 4 Sources | 10
Iran | 1 Protection | Critical | 2 Sources | 26
Brazil | 1 Protection | Medium | 2 Sources | 2
Ukraine | 1 Protection | Critical | 1 Source | 2
Oman | 1 Protection | High | 1 Source | 1
Japan | 1 Protection | Medium | 1 Source | 1
Venezuela | 1 Protection | Medium | 1 Source | 1
Belgium | 1 Protection | Medium | 1 Source | 1
Nicaragua | 0 Protections | Low | 81 Sources | 250
Anonymous Proxy | 0 Protections | Low | 4 Sources | 48
France | 0 Protections | Low | 3 Sources | 4
Argentina | 0 Protections | Low | 1 Source | 4
Singapore | 0 Protections | Low | 1 Source | 1
Portugal | 0 Protections | Low | 1 Source | 1
Costa Rica | 0 Protections | Low | 1 Source | 1

Map (page 13)

Top Countries by No. of Incidents

[World map figure: countries shaded by number of incidents; no data labels survived extraction]
