
Classification: Confidential

Company: everis
Owner: everisSO-CSIRT

SEG00000203
Indicators of Compromise

www.everis.com
Index
1. Indicators of compromise .................................................................................. 3
Compromised website .............................................................................. 3
Malicious file............................................................................................. 4
Lateral movement .................................................................................... 4
Infection ................................................................................................... 4

-2- everisSO-CSIRT
1. Indicators of compromise

The threat phases are:

1. An everis user accesses a compromised website whose source code was modified
   to show a fake browser update and download a file.
2. The file is JavaScript code (JS) which infects the device with command-and-control
   (C2) malware categorized as “EMOTET”. This JavaScript creates additional exe files.
3. Once the attackers control the infected device, they install a PowerShell
   post-exploitation framework called Empire [1]. With the Empire Framework on the
   infected device, the attacker enumerates the network and gets credentials from
   the infected device's cache. As a result, Empire installations are seen on
   different hosts and servers.
4. Attackers distribute a ransomware family called “BitPaymer/IEncrypt” to everis
   devices through the compromised hosts and servers.

Compromised website

A compromised website whose source code was modified to simulate a fake browser
update.

Indicators of Compromise
Type                  Indicator
Compromised website   hxxps://esancendoc[.]esan[.]edu[.]pe/   (URL)

[1] https://github.com/EmpireProject/Empire

Malicious file

The compromised website downloads a JS file, “Chrome.Update.3f61f4.js”. The JS script is a
dropper which downloads “crhome.update.3f61f4.exe”, categorized as EMOTET. An additional
exe file, “d0409052256c6efc85b155f58cc03f70.exe”, is created and executed.

Indicators of Compromise
Chrome.Update.3f61f4.js
  MD5      a9db3444e9c50da5ce6845ccc116255c
  MD5      c1a5725f45e6a35bd82852210e29f941
URL to download the malware
  URL      hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3
EMOTET - crhome.update.3f61f4.exe
  SHA256   628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c
  IP:Port  195.123.213.19:443
EMOTET - d0409052256c6efc85b155f58cc03f70.exe
  SHA256   1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05

Lateral movement

Lateral movement is performed by the attacker through the PowerShell post-exploitation
framework called Empire. Lateral movement was performed through the Sysinternals tool
“psexesvc.exe” (the service binary that PsExec installs on the remote host).

Indicators of Compromise
Empire Framework
  Attacker IP and port   185.92.74.215:443
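One way a defender can look for the lateral-movement pattern described above (the same PsExec service binary appearing on host after host) is to scan Windows System log records for service installs of psexesvc.exe and count the distinct hosts that received one. This is an added example, not part of the everis report: the events are constructed samples shaped like parsed EventID 7045 ("a service was installed in the system") records, the hostnames and timestamps are invented, and only the psexesvc.exe name comes from the report.

```python
"""Flag PsExec service installs across hosts from Windows System log records.

Added example, not part of the everis report. The events below are constructed
samples shaped like parsed EventID 7045 records; hostnames and timestamps are
invented. Only the service binary name psexesvc.exe comes from the report.
"""

# Service binary dropped on the target by Sysinternals PsExec (from the report)
PSEXEC_IMAGE = "psexesvc.exe"


def is_psexec_install(event):
    """True for a 7045 event whose service name or image path is PsExec's.

    Checking the image path as well as the name also catches the service when
    it has been registered under a different name."""
    if event.get("EventID") != 7045:
        return False
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "").lower()
    return name == "psexesvc" or PSEXEC_IMAGE in image


def psexec_installs(events):
    """Return [(TimeCreated, Computer, ServiceName, ImagePath)] for PsExec installs."""
    return [(e["TimeCreated"], e["Computer"], e["ServiceName"], e["ImagePath"])
            for e in events if is_psexec_install(e)]


def psexec_fanout(events, min_hosts=2):
    """Hosts that received a PsExec service, ordered by first sighting.

    Returns the host list only when at least `min_hosts` distinct hosts are
    affected (the fan-out that separates lateral movement from a single admin
    session); otherwise an empty list."""
    first_seen = {}
    for ts, host, _, _ in psexec_installs(events):
        first_seen.setdefault(host, ts)
    hosts = sorted(first_seen, key=first_seen.get)
    return hosts if len(hosts) >= min_hosts else []


# Constructed sample: two hosts get the PsExec service (one under another name),
# plus a benign service install and a non-install service event (7036).
SAMPLE_EVENTS = [
    {"EventID": 7045, "TimeCreated": "T1", "Computer": "WS-015",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "TimeCreated": "T2", "Computer": "SRV-FILE01",
     "ServiceName": "VSS", "ImagePath": "%SystemRoot%\\System32\\vssvc.exe"},
    {"EventID": 7045, "TimeCreated": "T3", "Computer": "SRV-FILE01",
     "ServiceName": "winupdsvc", "ImagePath": "%SystemRoot%\\psexesvc.exe"},
    {"EventID": 7036, "TimeCreated": "T4", "Computer": "WS-015",
     "ServiceName": "PSEXESVC", "ImagePath": ""},
]

if __name__ == "__main__":
    for row in psexec_installs(SAMPLE_EVENTS):
        print("PsExec service install:", row)
    print("fan-out hosts:", psexec_fanout(SAMPLE_EVENTS))
```

On real data the events would come from an EVTX parser or a SIEM export; the functions only need the four fields shown, so any source that yields dictionaries with those keys works.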

Infection

Malware is distributed from compromised assets to affected endpoints.

Indicators of Compromise
BitPaymer/IEncrypt - evrs.exe
  SHA256   bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f
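The file hashes, URLs and IP:port pairs from the Compromised website, Malicious file and Infection sections are most useful when run over proxy, EDR and flow logs. The script below does that: it refangs the defanged URLs, then reports every indicator found in each log line, and it goes one step beyond the report's exact URLs by also flagging any request to the compromised site's hostname, whatever the path. This is an added example, not part of the everis report; the indicators are the report's, while the log lines, hostnames, field names and timestamps are constructed samples.

```python
"""Match the report's file, URL and IP:port indicators against sample log lines.

Added example, not part of the everis report. The indicators are the report's;
the log lines, hostnames, field names and timestamps are constructed samples.
"""
import re
from urllib.parse import urlsplit


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://a[.]b) into a matchable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


# Hash -> file name, as listed in the report (MD5 for the JS, SHA256 for the exes)
IOC_HASHES = {
    "a9db3444e9c50da5ce6845ccc116255c": "Chrome.Update.3f61f4.js",
    "c1a5725f45e6a35bd82852210e29f941": "Chrome.Update.3f61f4.js",
    "628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c": "crhome.update.3f61f4.exe",
    "1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05": "d0409052256c6efc85b155f58cc03f70.exe",
    "bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f": "evrs.exe",
}
IOC_URLS = {refang(u) for u in (
    "hxxps://esancendoc[.]esan[.]edu[.]pe/",
    "hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3",
)}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}   # any path on these hosts is suspicious
IOC_IP_PORTS = {("195.123.213.19", 443), ("185.92.74.215", 443)}
IOC_FILENAMES = {n.lower() for n in IOC_HASHES.values()}

HEX_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{64}\b")   # MD5 or SHA256
URL_RE = re.compile(r"https?://[^\s\"']+")
KV_RE = re.compile(r"(\w+)=(\S+)")                            # key=value fields


def scan_line(line: str):
    """Return [(indicator_type, value)] for every indicator found in one line."""
    hits = []
    low = line.lower()
    for h in HEX_RE.findall(low):
        if h in IOC_HASHES:
            hits.append(("hash", h))
    for u in URL_RE.findall(line):
        host = urlsplit(u).hostname
        if u in IOC_URLS:
            hits.append(("url", u))
        elif host in IOC_HOSTS:
            hits.append(("host", host))
    fields = dict(KV_RE.findall(line))
    dst, dport = fields.get("dst"), fields.get("dport", "")
    if dst and dport.isdigit() and (dst, int(dport)) in IOC_IP_PORTS:
        hits.append(("ip_port", f"{dst}:{dport}"))
    for name in sorted(IOC_FILENAMES):
        if name in low:
            hits.append(("filename", name))
    return hits


def scan_log(lines):
    """Scan many lines; return [(line_number, indicator_type, value), ...]."""
    return [(n, t, v) for n, line in enumerate(lines, 1) for t, v in scan_line(line)]


# Constructed proxy, EDR and flow records in key=value form (not real telemetry)
SAMPLE_LOG = [
    "ts=T1 type=proxy src=10.0.0.15 url=https://esancendoc.esan.edu.pe/index.php status=200",
    "ts=T2 type=proxy src=10.0.0.15 url=https://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3 status=200",
    "ts=T3 type=edr host=WS-015 action=file_create path=C:\\Users\\u1\\Downloads\\Chrome.Update.3f61f4.js md5=a9db3444e9c50da5ce6845ccc116255c",
    "ts=T4 type=edr host=WS-015 action=process_start image=C:\\Users\\u1\\AppData\\Local\\Temp\\crhome.update.3f61f4.exe sha256=628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c",
    "ts=T5 type=flow src=10.0.0.15 dst=195.123.213.19 dport=443 proto=tcp",
    "ts=T6 type=flow src=10.0.0.15 dst=10.0.0.5 dport=53 proto=udp",
    "ts=T7 type=edr host=SRV-DB01 action=file_create path=C:\\Windows\\Temp\\notes.txt md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} {value}")
```

The first sample line shows the hostname match: the report only lists the site's root URL, but a request to any page on the compromised host is worth the same look. Matching is exact for hashes and IP:port pairs, so a miss there means the indicator was not present, not that the match was fuzzy.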
