2017-09-15 - AMATEUR HOUR: MORE FAKE MICROSOFT UPDATE MALSPAM WITH .EXE ATTACHMENTS

ASSOCIATED FILES:

  • 2017-09-15-fake-Microsoft-update-traffic.pcap   (36,370 bytes)
  • 2017-09-15-fake-Microsoft-update-tracker.csv   (3,729 bytes)
  • 2017-09-15-fake-Microsoft-update-malspam-example.eml   (38,278 bytes)
  • 2017-09-15-poorly-written-file-downloader.exe   (27,648 bytes)
  • 2017-09-15-poorly-written-follow-up-malware-bitcoin-wallet-stealer.exe   (36,864 bytes)

NOTES:


Shown above:  How some people think, apparently.


EMAILS


Shown above:  Screenshot from the spreadsheet tracker.



Shown above:  Screenshot from an email on 2017-09-15.


EMAILS NOTED:

Read:  Date/time -- Sending IP address -- Sending email address (spoofed) -- Subject line -- attachment name
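A defender's triage check for the kind of message described in this section, added here as an example rather than code from the original post: it parses a constructed .eml that mimics a fake-update lure, lists each attachment, and flags any whose decoded payload starts with the "MZ" executable header, regardless of the declared filename or MIME type. The sender, recipient, subject and attachment bytes are constructed placeholders, not values from the real sample.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample message (not the one from the post): a fake "Microsoft update"
# lure carrying a small executable attachment declared as a generic octet-stream.
def build_sample_eml() -> bytes:
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"        # placeholder spoofed sender
    msg["To"] = "user@example.invalid"             # placeholder recipient
    msg["Subject"] = "Important Microsoft Update"  # placeholder subject line
    msg.set_content("Please run the attached update immediately.")
    # Constructed payload: a PE "MZ" header plus filler stands in for the real .exe
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="Microsoft-Update.exe")
    return msg.as_bytes()

EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def triage_attachments(raw: bytes) -> list[dict]:
    """Return one record per attachment with the reasons it looks suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""   # base64-decoded bytes
        reasons = []
        if name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append("executable file extension")
        if data[:2] == b"MZ":
            # Content check catches renamed executables the extension check misses
            reasons.append("MZ header (Windows executable) regardless of name")
        findings.append({"filename": name, "size": len(data),
                         "content_type": part.get_content_type(),
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings

if __name__ == "__main__":
    for finding in triage_attachments(build_sample_eml()):
        print(finding)
```

Point `triage_attachments()` at the bytes of a real .eml (for example the tracker's attachment column can be cross-checked against the `filename` field) to list which messages carried a native executable.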


TRAFFIC


Shown above:  Attachment from the email has to be run as an administrator, then it will act as a file downloader.



Shown above:  Follow-up malware needs MSWINSCK.OCX and a bitcoin wallet at a specific location on the infected host.


ASSOCIATED URLS:


ASSOCIATED MALWARE

ATTACHED EXE FILE:

FOLLOW-UP MALWARE:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
