2016-11-04 - FACEBOOK-THEMED MALSPAM: "DENUNCIA DE RACISMO EM SEU PERFIL"

ASSOCIATED FILES:

  • 2016-11-04-traffic-from-facebook-themed-malspam.pcap   (7,508,637 bytes)
  • 2016-11-04-facebook-themed-malspam-1230-UTC.eml   (10,865 bytes)
  • File-Fwd.dll   (4,108,800 bytes)
  • IMG_68794206_0521890.js   (9,587 bytes)
  • IMG_68794206_0521890.zip   (3,238 bytes)

NOTES:

EMAIL

Shown above:  Screenshot of the malspam.
Shown above:  Clicking on one of the links in the malspam (it's a goo.gl URL).
Shown above:  File downloaded from the goo.gl link in the malspam.

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.
Shown above:  Alerts generated by replaying the first pcap with tcpreplay against the Emerging Threats Pro (ETPRO) ruleset, viewed in Sguil on Security Onion.

ASSOCIATED DOMAINS:

FILE HASHES

Zip archive downloaded from any of the goo.gl links in the email:

.js file extracted from the zip archive:

DLL file dropped on the infected Windows host:
Shown above:  Artifacts from the infected host.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.