2016-11-30 - MALSPAM - SUBJECT: DHL ITALY - INFORMAZIONI RICHIESTE

ASSOCIATED FILES:

NOTES:

THE EMAIL


Shown above:  Screenshot of the email.


Shown above:  Traffic from the email link retrieving a malicious zip archive.


EMAIL HEADER INFO:

LINK FROM THE MESSAGE TEXT:


THE MALICIOUS ZIP ARCHIVE


Shown above:  Screenshot of the email.


ZIP ARCHIVE:

EXTRACTED .JS FILE:


TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.


ASSOCIATED DOMAINS/URLS:



Shown above:  Signature hits from the Emerging Threats and ET Pro rulesets using Sguil on Security Onion.



Shown above:  Signature hits for Ursnif from the Snort subscriber ruleset using Snort 2.9.8.3 on Debian 7.11.


POST-INFECTION FILE HASHES

DOWNLOADED .EXE FILE:

DOWNLOADED .JS FILE:



Shown above:  Entries from the registry of the infected Windows host for persistence.


FINAL NOTES

Once again, here are the associated archives:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
