I have a user getting a blocked notice for a Trojan with an outbound to dcone.fcfc.one via Adobe Creative Cloud. It happens once after the user reboots their computer. I have since updated to 4.5.0 to see if that will fix the issue; the user was not in a position to reboot the computer again, but if I am able to follow up with that I will at a later time. I don't know if this is a false positive or not, but it seems to be related to Adobe Creative Cloud and I'm thinking it might just be checking some analytics server or something. Below is an export of the report:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 12/16/21
Protection Event Time: 11:51 AM
Log File: 6ce49e1a-5e90-11ec-b072-c860006e7a01.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48672
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1415)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain: dcone.fcfc.one
IP Address: 63.251.235.76
Port: 80
Type: Outbound
File: C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe


(end)

Ah ok. I did check the domain itself and that came back clean, which is what confused me:

https://www.virustotal.com/gui/url/3b711d6f73f7de5dc3647be9df676bd4be8c466660d93d61c5673c4b759692e2

Is there a way to determine if something is using Creative Cloud to communicate out, or whether Creative Cloud itself is compromised? Or maybe a way to see what the actual request was that it was trying to make?

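One way to work the endpoint side of that question, as an added example that is not from this thread, from Malwarebytes or from Adobe: the PowerShell below checks whether the flagged node.exe still carries a valid publisher signature, looks for a live connection to the reported IP and maps it back to the owning process and command line, checks the local DNS cache for the domain, and, if Sysmon is installed, pulls its Event ID 3 network-connection records for that destination so the once-after-reboot connection is captured even when nobody is watching. The IP, domain and file path are the ones from the report above; the Sysmon section is an assumption (it requires Sysmon with network logging enabled) and is silently skipped when that log does not exist.

```powershell
# Added triage example (not from the original thread). Run in an elevated PowerShell
# on the affected Windows 10 host. Defaults come from the Malwarebytes report above.
param(
    [string]$RemoteIp = '63.251.235.76',
    [string]$Domain   = 'dcone.fcfc.one',
    [string]$Flagged  = 'C:\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe'
)

# 1. Is the flagged binary what it claims to be? A valid Adobe signature argues
#    against a swapped-in node.exe. It does not rule out a legitimate node.exe
#    being fed a malicious script, which is why steps 2 to 4 still matter.
$sig = Get-AuthenticodeSignature -FilePath $Flagged
[pscustomobject]@{
    File      = $Flagged
    SigStatus = $sig.Status
    Signer    = $sig.SignerCertificate.Subject
    SHA256    = (Get-FileHash -Algorithm SHA256 -Path $Flagged).Hash
} | Format-List

# 2. Which process currently owns a connection to the IP? The block fires once
#    after reboot, so this only helps while the connection is alive. -State is
#    deliberately omitted so SYN_SENT and TIME_WAIT entries are included.
Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time       = $_.CreationTime
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            Pid        = $_.OwningProcess
            Image      = $p.Path
            CmdLine    = $ci.CommandLine
        }
    } | Format-Table -AutoSize

# 3. Did the host resolve the domain since boot, and to what? The resolver cache
#    answers this independently of whether the TCP connection is still open.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$Domain*" -or $_.Data -eq $RemoteIp } |
    Select-Object Entry, Data, TimeToLive

# 4. Historical view (assumes Sysmon is installed with network logging enabled).
#    Event ID 3 records every outbound connection with the owning image, PID and
#    user, so a connection made at boot is visible later. $events is $null when
#    the log does not exist, and foreach over $null simply runs zero times.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3
} -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $data = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.DestinationIp -eq $RemoteIp -or $data.DestinationHostname -eq $Domain) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Image       = $data.Image
            Pid         = $data.ProcessId
            User        = $data.User
            Destination = "$($data.DestinationIp):$($data.DestinationPort)"
        }
    }
}
```

Because the report shows port 80, the request itself travels in cleartext: a packet capture on the host filtered to that IP, taken across the reboot, would show the exact HTTP request node.exe made, which answers the "what was the actual request" part without needing the server operator's logs. Step 2 is the least reliable of the four for a once-at-boot event; the DNS cache and Sysmon history are what you would normally lean on.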

Staff

You would have to request that from the server side, as they would be able to do log analysis and more in-depth forensic analysis on the server.

I see that the communicating files have many security vendor detections; they are very recent detections and not just one type of malware, with many different threats reported on VT, including a comment about Cobalt Strike. The link below also shows a "beacon", which is typically used by Cobalt Strike.

https://otx.alienvault.com/indicator/ip/63.251.235.76

