2016-11-08 - JRAT MALSPAM - SUBJECT: MTCN REG QUERY: OPS189985651

ASSOCIATED FILES:

  • 2016-11-08-malspam-traffic.pcap   (270,266 bytes)
  • 2016-11-08-malspam.eml   (33,476 bytes)
  • Query Reference Slip .zip   (472,416 bytes)
  • Windows6052555107978301025.dll   (46,592 bytes)
  • nSlrfMRSMfa.jAtqpg   (247,119 bytes)
  • pkKDftHgUY.NvMEa   (968,665 bytes)

NOTES:


EMAIL


Shown above:  Screenshot of the email.



Shown above:  Screenshot of some of the message headers.


INFORMATION FROM THE HEADER LINES:


MESSAGE TEXT:

Greetings,

I have tried to reach you by phone but have yet to be successful. Please refer to the attached Query document regarding the attached fraudulent transaction.

View | Download

Head of IT Department
Western Union Money Transfer
wu.compliance@westernunion.com
Corporate Headquarters
P.O. Box 6036. Englewood, CO 80112.
Phone: +1-720-332-1000
Fax: 1-800-325-6000

www.westernunion.com

This information is intended only for the use of the intended addressee(s) and may contain information that is confidential. If you are not the intended recipient, or the employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication or any attachments is strictly prohibited. If you have received this communication in error, please delete this e-mail and any attachments. Thank you.


DOWNLOADED MALWARE


Shown above:  The zip archive downloaded from the link in the email.



Shown above:  Screenshot of one of the extracted .jar files (both are the same, with different names).


TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.



Shown above:  A closer look at the certificate data from the HTTPS/SSL/TLS traffic on port 2889.


ASSOCIATED DOMAINS:


FILE HASHES

DOWNLOADED ZIP ARCHIVE:


THE EXTRACTED .JAR FILE(S):


OTHER ARTIFACTS FROM THE INFECTED WINDOWS HOST:


LIST OF ARTIFACTS ON THE INFECTED HOST:


REGISTRY KEY UPDATED FOR PERSISTENCE:


IMAGES


Shown above:  Hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.



Shown above:  Hits from Snort 2.9.8.3 using the Snort subscription ruleset.



Shown above:  Registry entry for persistence on an infected Windows host.



Shown above:  Some of the artifacts from an infected Windows host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
