MAR-10320115-1.v1 - TEARDROP

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Description

This report provides detailed analysis of malicious artifacts associated with a sophisticated supply chain compromise of Solar Winds Orion network management software, identified by the security company FireEye as TEARDROP.



TEARDROP is a loader designed to decrypt and execute an embedded payload on the target system. The payload has been identified as the Cobalt Strike Beacon Implant (Version 4) and provides a remote operator command and control capabilities over a victim system through an encrypted network tunnel. The capabilities include the ability to rapidly exfiltrate data, log keystrokes, take screenshots, and deploy additional payloads.

For a downloadable copy of IOCs, see: MAR-10320115-1.v1.stix.

Submitted Files (2)

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c (1817a5bf9c01035bcf8a975c9f1d94...)

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07 (b820e8a2057112d0ed73bd7995201d...)

Domains (2)

ervsystem.com

infinitysoftwares.com

1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c

Tags

backdoordroppertrojan

Details

Antivirus

YARA Rules

• rule CISA_10320115_01 : TEARDROP trojan backdoor
  
  {
  
     meta:
  
         Author = "CISA Code & Media Analysis"
  
         Incident = "10320115"
  
         Date = "2020-12-31"
  
         Last_Modified = "20201231_1800"
  
         Actor = "n/a"
  
         Category = "Trojan Backdoor"
  
         Family = "TEARDROP"
  
         Description = "Detects variants of TEARDROP malware"
  
         MD5_1 = "f612bce839d855bbff98214a197489f7"
  
         SHA256_1 = "dc20f4e50784533d7d10925e4b056f589cc73c139e97f40c0b7969728a28125c"
  
         MD5_2 = "91e47c7bc9a7809e6b1560e34f2d6d7e"
  
         SHA256_2 = "b37007db21a7f969d2c838f3bbbeb78a7402d66735bb5845ef31df9048cc33f0"
  
         MD5_3 = "91e47c7bc9a7809e6b1560e34f2d6d7e"
  
         SHA256_3 = "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c"    
  
     strings:
  
         $s0 = { 65 23 FB 7F 20 AA EB 0C B8 16 F6 BC 2F 4D D4 C4 39 97 C7 23 9F 3E 5C DE }
  
         $s1 = { 5C E6 06 63 FA DE 44 C0 D4 67 95 28 12 47 C5 B5 EF 24 BC E4 }
  
         $s2 = { 9E 96 BA 1B FB 7F 19 5A 8C 06 AB FA 43 3B F0 83 9E 54 0B 02 }
  
         $s3 = { C2 7E 93 FC 02 B9 C6 DE 2B AF C6 C2 BE 2C 88 02 B4 1D 03 F5 }
  
         $s4 = { 48 B8 53 4F 46 54 57 41 52 45 C7 44 24 60 66 74 5C 43 C6 44 24 66 00 48 89 44 24 50 48 B8 5C 4D 69 63 72 6F 73 6F }
  
         $s5 = { 48 83 F8 FF 48 8D }
  
         $s6 = { 8B 0A 48 83 C2 04 8D 81 FF FE FE FE F7 D1 21 C8 25 80 80 80 80 }
  
         $s7 = { 5B 5E 5F 5D 41 5C 41 }
  
         $s8 = { 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 20 00 53 00 65 00 74 00 75 00 70 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 }
  
         $s9 = { 64 6C 6C 00 4E 65 74 53 65 74 75 70 53 65 72 76 69 63 65 4D 61 69 6E }
  
         $s10 = { 41 31 C0 45 88 04 0A 48 83 C1 01 45 89 C8 41 39 CB 7F }
  
     condition:
  
         ($s0 or $s1 or $s2 or $s3) or ($s4 and $s5 and $s6 and $s7 and $s8 and $s9 and $s10)
  
  }
• rule FireEye_20_00025665_01 : TEARDROP APT dropper
  
  {
  
     meta:
  
         Author = "FireEye"
  
         Date = "2020-12-13"
  
         Last_Modified = "20201213_1916"
  
         Actor = "n/a"
  
         Category = "Hacktool"
  
         Family = "TEARDROP"
  
         Description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
  
         MD5_1 = ""
  
         SHA256_1 = ""
  
     strings:
  
         $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
  
         $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
  
         $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
  
     condition:
  
         all of them
  
  }
• rule FireEye_20_00025665_02 : TEARDROP APT dropper
  
  {
  
     meta:
  
         Author = "FireEye"
  
         Date = "2020-12-13"
  
         Last_Modified = "20201213_1916"
  
         Actor = "n/a"
  
         Category = "Hacktool"
  
         Family = "TEARDROP"
  
         Description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
  
         MD5_1 = ""
  
         SHA256_1 = ""
  
     strings:
  
         $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
  
         $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
  
         $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
  
         $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
  
         $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. The malware attempts to read the first 64-bytes of a file named "festive_computer.jpg" (Figure 1). It does not utilize the data it reads from this file and it will continue executing even if this file is not present on the target system.



After attempting to read the file "festive_computer.jpg," it will decrypt and execute an embedded code buffer using an XOR based stream cipher (Figure 2). Below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:



—Begin Cipher Key—

C27E93FC02B9C6DE2BAFC6C2BE2C8802B41D03F53365B25AEE1A67D0E9525171F5F7149045E5D1F672176CA686C3C7A0D34E5FF1FBCBF6C14C4BEE2867A296DDE199179CB4D4CC93EA4DFB75510AB9F531EDCCA291B74C7FAA9D7156A97F359B6E68D9EA2D77E646654D3533D8A135A1E604FE6A55EE72B4543A7F331B473A9B7D14765D01DF7ACC0370894DE2530F8FDB51066AE70B0D462A15

—End Cipher Key—



The embedded code buffer has been identified as the Cobalt Strike Beacon (version 4) Remote Access Tool (RAT). Displayed below is the embedded Beacon configuration data:



—Begin Cobalt Beacon Configuration Data—

Port                             - 443

SleepTime                 - 7200000

MaxGetSize                - 1399696

Jitter                            - 18

MaxDNS                     - 255

C2Server                     - ervsystem.com/2019/Two-Man-Point-The-Brands/

UserAgent                    - Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 3.5.30729; rv:11.0) like Gecko

HttpPostUri                 - /2019/Users-Case-Documentation-And-Yourselt/

Malleable_C2_Instructions        - Remove 38 bytes from the end

                                Remove 1554 bytes from the beginning

                                Base64 decode

HttpGet_Metadata                 - Referer: https://yahoo.com/

                                Host: ervsystem.com

                                Accept: */*

                                Accept-Language: en-US

                                Accept-Encoding: gzip, deflate

                                Connection: close

                                PHPSESSID=

                                Cookie

HttpPost_Metadata                - Referer: https://yahoo.com/

                                Host: ervsystem.com

                                Accept: */*

                                Accept-Language: en-US

                                Connection: close

                                name="uploaded_1";filename="04373.avi"

Content-Type: text/plain



                                p

SpawnTo                         - b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

PipeName                         -

DNS_Idle                         - 9.9.9.9

DNS_Sleep                        - 0

SSH_Host                         - Not Found

SSH_Port                         - Not Found

SSH_Username                 - Not Found

SSH_Password_Plaintext     - Not Found

SSH_Password_Pubkey         - Not Found

HttpGet_Verb                     - GET

HttpPost_Verb                    - POST

HttpPostChunk                    - 0

Spawnto_x86                     - %windir%\syswow64\msiexec.exe

Spawnto_x64                     - %windir%\sysnative\print.exe

CryptoScheme                     - 0

Proxy_Config                     - Not Found

Proxy_User                     - Not Found

Proxy_Password                 - Not Found

Proxy_Behavior                 - Use IE settings

Watermark                        - 892810033

bStageCleanup                    - True

bCFGCaution                     - False

KillDate                         - 0

bProcInject_StartRWX             - False

bProcInject_UseRWX             - False

bProcInject_MinAllocSize         - 7281

ProcInject_PrependAppend_x86     - b'\x90'

                                Empty

ProcInject_PrependAppend_x64     - b'\x90\x90\x90'

                                Empty

ProcInject_Execute             - ntdll:RtlUserThreadStart

                                CreateThread

                                NtQueueApcThread

                                SetThreadContext

ProcInject_AllocationMethod     - NtMapViewOfSection

bUsesCookies                     - True

HostHeader                     -

—End Cobalt Beacon Configuration Data—

Screenshots

ervsystem.com

Tags

command-and-control

URLs

• ervsystem.com/2019/Two-Man-Point-The-Brands/

Ports

• 443 TCP

Whois

Domain Name: ERVSYSTEM.COM

Registry Domain ID: 2222911627_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.epik.com

Registrar URL: http://www.epik.com

Updated Date: 2020-09-04T23:23:29Z

Creation Date: 2018-02-04T08:45:05Z

Registrar Registration Expiration Date: 2022-02-04T08:45:05Z

Registrar: Epik, Inc.

Registrar IANA ID: 617

Registrar Abuse Contact Email: abuse@epik.com

Registrar Abuse Contact Phone: +1.4253668810

Reseller:

Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited

Registry Registrant ID:

Registrant Name: Privacy Administrator

Registrant Organization: Anonymize, Inc.

Registrant Street: 704 228th Ave NE

Registrant City: Sammamish

Registrant State/Province: WA

Registrant Postal Code: 98074

Registrant Country: US

Registrant Phone: +1.4253668810

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: ervsystem.com@anonymize.com

Registry Admin ID:

Admin Name: Privacy Administrator

Admin Organization: Anonymize, Inc.

Admin Street: 704 228th Ave NE

Admin City: Sammamish

Admin State/Province: WA

Admin Postal Code: 98074

Admin Country: US

Admin Phone: +1.4253668810

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: ervsystem.com@anonymize.com

Registry Tech ID:

Tech Name: Privacy Administrator

Tech Organization: Anonymize, Inc.

Tech Street: 704 228th Ave NE

Tech City: Sammamish

Tech State/Province: WA

Tech Postal Code: 98074

Tech Country: US

Tech Phone: +1.4253668810

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: ervsystem.com@anonymize.com

Name Server: NS3.EPIK.COM

Name Server: NS4.EPIK.COM

DNSSEC: signedDelegation

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships

Description

This domain is the command and control (C2) for the sample "1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c."

b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07

Tags

backdoortrojan

Details

Antivirus

YARA Rules

• rule FireEye_20_00025665_02 : TEARDROP APT dropper
  
  {
  
     meta:
  
         Author = "FireEye"
  
         Date = "2020-12-13"
  
         Last_Modified = "20201213_1916"
  
         Actor = "n/a"
  
         Category = "Hacktool"
  
         Family = "TEARDROP"
  
         Description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
  
         MD5_1 = ""
  
         SHA256_1 = ""
  
     strings:
  
         $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
  
         $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
  
         $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
  
         $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
  
         $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
  
     condition:
  
         (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
  
  }

ssdeep Matches

No matches found.

PE Metadata

PE Sections

Relationships

Description

This file is a malicious 64-bit DLL, identified as a variant of the TEARDROP loader. During runtime, the malicious application decodes and executes an embedded code buffer using an XOR based stream cipher. Displayed below is the key utilized by the cipher algorithm to decrypt the embedded code buffer:



—Begin XOR Cipher Key—

AFAFD51031EE936AFC50B611CDC70E7E62A7BAFCA72B43DB0023915BBBBAC016A5331CB28EE6E3DF0804B24004D219EE7ED24C7B41D9669C21A7AECB1B87927C4ED5A25949404DD2218091F00DD9F874B955D1615534FEF8C5200DFDA816FF4A023CF1D2E679AFCA79A5C5BB4C871ABF34CA641E5F1ACC42864CEE8BF5921A4E0DAC1D18C090D15D0CC79A843D9F763B4D323A34B26216F065705A62B47000BED185E7E2A7DE306DB6C94B5D3C2DA5FF8149AB8A7D13C3E0A3DAC5BEC46A9BD0D9

—End XOR Cipher Key—



The embedded code buffer contains the malicious identified as Cobalt Strike Beacon (version 4) RAT. Displayed below is the embedded Beacon configuration data:



—Begin Cobalt Beacon Configuration Data—

BeaconType                     - HTTPS

Port                             - 443

SleepTime                        - 14400000

MaxGetSize                     - 1049217

Jitter                         - 23

MaxDNS                         - 255

C2Server                         - infinitysoftwares.com,/files/information_055.pdf

UserAgent                        - Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36

HttpPostUri                     - /wp-admin/new_file.php

Malleable_C2_Instructions        - Remove 313 bytes from the end

                                Remove 324 bytes from the beginning

                                XOR mask w/ random key

HttpGet_Metadata                 - Referer: https://twitter.com/

                                Host: infinitysoftwares.com

                                Accept: */*

                                Accept-Language: en-US

                                Accept-Encoding: gzip, deflate

                                Connection: close

                                PHPSESSID=

                                Cookie

HttpPost_Metadata                - Host: infinitysoftwares.com

                                Accept: */*

                                Accept-Language: en-US

                                Connection: close

                                name="uploaded_1";filename="33139.pdf"

Content-Type: text/plain



                                r

SpawnTo                         - b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

PipeName                         -

DNS_Idle                         - 208.67.220.220

DNS_Sleep                        - 0

SSH_Host                         - Not Found

SSH_Port                         - Not Found

SSH_Username                     - Not Found

SSH_Password_Plaintext         - Not Found

SSH_Password_Pubkey             - Not Found

HttpGet_Verb                     - GET

HttpPost_Verb                    - POST

HttpPostChunk                    - 0

Spawnto_x86                     - %windir%\syswow64\print.exe

Spawnto_x64                     - %windir%\sysnative\msiexec.exe

CryptoScheme                     - 0

Proxy_Config                     - Not Found

Proxy_User                     - Not Found

Proxy_Password                 - Not Found

Proxy_Behavior                 - Use IE settings

Watermark                        - 943010104

bStageCleanup                    - True

bCFGCaution                     - False

KillDate                         - 0

bProcInject_StartRWX             - False

bProcInject_UseRWX             - False

bProcInject_MinAllocSize         - 8493

ProcInject_PrependAppend_x86     - b'\x90\x90'

                                Empty

ProcInject_PrependAppend_x64     - b'\x0f\x1f\x00'

                                Empty

ProcInject_Execute             - ntdll:RtlUserThreadStart

                                CreateThread

                                NtQueueApcThread

                                SetThreadContext

ProcInject_AllocationMethod     - NtMapViewOfSection

bUsesCookies                     - True

HostHeader                     -

—End Cobalt Beacon Configuration Data—

Screenshots

infinitysoftwares.com

Tags

command-and-control

URLs

• infinitysoftwares.com/files/information_055.pdf

Ports

• 443 TCP

Whois

Domain Name: infinitysoftwares.com

Registry Domain ID: 2356151174_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.namesilo.com

Registrar URL: https://www.namesilo.com/

Updated Date: 2021-01-01T07:00:00Z

Creation Date: 2019-01-28T07:00:00Z

Registrar Registration Expiration Date: 2021-01-28T07:00:00Z

Registrar: NameSilo, LLC

Registrar IANA ID: 1479

Registrar Abuse Contact Email: abuse@namesilo.com

Registrar Abuse Contact Phone: +1.4805240066

Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited

Registry Registrant ID:

Registrant Name: Domain Administrator

Registrant Organization: See PrivacyGuardian.org

Registrant Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Registrant City: Phoenix

Registrant State/Province: AZ

Registrant Postal Code: 85016

Registrant Country: US

Registrant Phone: +1.3478717726

Registrant Phone Ext:

Registrant Fax:

Registrant Fax Ext:

Registrant Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org

Registry Admin ID:

Admin Name: Domain Administrator

Admin Organization: See PrivacyGuardian.org

Admin Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Admin City: Phoenix

Admin State/Province: AZ

Admin Postal Code: 85016

Admin Country: US

Admin Phone: +1.3478717726

Admin Phone Ext:

Admin Fax:

Admin Fax Ext:

Admin Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org

Registry Tech ID:

Tech Name: Domain Administrator

Tech Organization: See PrivacyGuardian.org

Tech Street: 1928 E. Highland Ave. Ste F104 PMB# 255

Tech City: Phoenix

Tech State/Province: AZ

Tech Postal Code: 85016

Tech Country: US

Tech Phone: +1.3478717726

Tech Phone Ext:

Tech Fax:

Tech Fax Ext:

Tech Email: pw-531dcecd9bbebe6f78f00ff61cc84da6@privacyguardian.org

Name Server: NS1.DNSOWL.COM

Name Server: NS2.DNSOWL.COM

Name Server: NS3.DNSOWL.COM

DNSSEC: unsigned

URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

Relationships

Description

This domain is the C2 for the sample "b820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07."

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
• Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
• Disable unnecessary services on agency workstations and servers.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
• Monitor users' web browsing habits; restrict access to sites with unfavorable content.
• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
• Scan all software downloaded from the Internet prior to executing.
• Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

• 1-888-282-0870
• CISA Central (UNCLASS)
• CISA SIPR (SIPRNET)
• CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.surveymonkey.com/r/G8STDRY

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

• Web: https://malware.us-cert.gov
• E-Mail: submit@malware.us-cert.gov
• FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.