2017-04-28 - BANKING TROJAN MALSPAM - SUBJECT: UPS TRACKING NUMBER FOR SHIPMENT H6902644376

ASSOCIATED FILES:

  • 2017-04-28-UPS-malspam-traffic.pcap   (599,140 bytes)
  • 2017-04-28-UPS-malspam-100129-UTC.eml   (3,482 bytes)
  • 2017-04-28-UPS-malspam-100140-UTC.eml   (3,531 bytes)
  • H6902644376.js   (3,061 bytes)
  • H6902644376.rar   (1,298 bytes)
  • last.conf   (7,545 bytes)
  • rad7DAC6.tmp.exe   (366,434 bytes)

EMAIL


Shown above:  Screenshot of the email.

EMAIL HEADERS:

Shown above:  Malicious attachment from the malspam is a RAR archive containing a .js downloader.
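The lure pattern described above (a shipping-notification subject whose tracking number is reused as the name of a RAR attachment) can be turned into a small triage check on .eml files. This is an added example, not code from the original post; the tracking-number regex and the sample message are constructed assumptions, and the sample attachment holds only the RAR signature bytes, so it is inert.

```python
"""Triage an .eml for the lure seen in this post: a shipping-notification
subject whose "tracking number" is reused as the name of a RAR attachment."""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature
# Assumed lure format: one letter followed by ten digits, e.g. H6902644376
TRACKING_RE = re.compile(r"\b([A-Z]\d{10})\b")


def triage_eml(raw: bytes) -> dict:
    """Return per-attachment findings and an overall 'suspicious' verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    tracking = TRACKING_RE.search(subject)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        is_rar = data.startswith((RAR4_MAGIC, RAR5_MAGIC))
        # The 2017-04-28 sample named the archive after the subject's tracking number
        reused = tracking is not None and name.rsplit(".", 1)[0] == tracking.group(1)
        findings.append({
            "filename": name,
            "sha256": hashlib.sha256(data).hexdigest(),
            "rar_magic": is_rar,
            "named_after_tracking_number": reused,
        })
    suspicious = any(f["rar_magic"] and f["named_after_tracking_number"] for f in findings)
    return {"subject": subject, "attachments": findings, "suspicious": suspicious}


def build_sample() -> bytes:
    """Constructed test message, not the real malspam: the attachment body is
    only the RAR 4.x magic plus zero padding, so it is inert."""
    msg = EmailMessage()
    msg["Subject"] = "UPS Tracking Number for shipment H6902644376"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Your shipment details are attached.")
    msg.add_attachment(RAR4_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="x-rar-compressed", filename="H6902644376.rar")
    return msg.as_bytes()
```

Run `triage_eml(open("message.eml", "rb").read())` on a real .eml to get the attachment hashes and the verdict; the SHA-256 values can then be compared against the hashes listed for the attachment below.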

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED DOMAINS:

Shown above:  HTTP request by the .js file for a Windows executable.

Shown above:  Certificate data from the post-infection traffic.

Shown above:  IP address check by the infected host.

FILE HASHES

EMAIL ATTACHMENT:

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY UPDATE:

IMAGES


Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

Shown above:  Alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscriber ruleset.

Shown above:  Malware made persistent on the infected Windows host.

Shown above:  Configuration file for the banking Trojan.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.