2017-07-03 - MORE UPS-THEMED MALSPAM PUSHING KOVTER

ASSOCIATED FILES:

  • 2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap   (7,316,883 bytes)
  • 2017-06-30-UPS-themed-Kovter-malspam-1557-UTC.eml   (3,825 bytes)
  • 2017-07-01-UPS-themed-Kovter-malspam-2003-UTC.eml   (3,773 bytes)
  • 2017-07-02-UPS-themed-Kovter-malspam-0930-UTC.eml   (3,702 bytes)
  • 2017-07-03-Kovter-sample-retrieved-by-js-file.exe   (485,261 bytes)
  • UPS-Label-07584276.doc.js   (1,750 bytes)
  • UPS-Label-07584276.zip   (1,442 bytes)
  • UPS-Package-06520201.doc.js   (1,648 bytes)
  • UPS-Package-06520201.zip   (1,439 bytes)
  • UPS-Package-07907895.doc.js   (1,682 bytes)
  • UPS-Package-07907895.zip   (1,448 bytes)

RELATED BLOG POSTS:

OTHER NOTES:


EMAILS

EMAIL HEADERS:


TRAFFIC


Shown above: Traffic from an infection on 2017-07-03 using one of the extracted .js files, filtered in Wireshark.


PARTIAL URLS RECOVERED FROM THE .JS FILES:

POST-INFECTION TRAFFIC:


FILE HASHES

EMAIL ATTACHMENTS:

EXTRACTED .JS FILES:

KOVTER SAMPLE DOWNLOADED BY ONE OF THE .JS FILES:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
