2017-10-09 - ADWIND/JRAT MALSPAM - SUBJECT: PAYMENT TT COPY

ASSOCIATED FILES:

  • 2017-10-09-TT-copy-malspam-traffic.pcap   (1,906,937 bytes)
  • 132_6473_3432_NH89_4984.Pdf.jar   (542,676 bytes)
  • 2017-10-09-TT-Copy-malspam-1233-UTC.eml   (3,870 bytes)
  • okPfqKdaTp.AGyqe.jar   (968,702 bytes)

 

NOTES:

 

EMAIL


Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

 


Shown above:  Clicking the link from the email.

 


Shown above:  The downloaded Java archive (.jar) file.

 

TRAFFIC


Shown above:  Traffic from this infection filtered in Wireshark.

 


Shown above:  Alerts on the infection traffic using the Emerging Threats and ETPRO rulesets in Sguil on Security Onion.

 

ASSOCIATED DOMAINS AND URLS:

 

FILE HASHES

DOWNLOADED .JAR FILE:

ADDITIONAL .JAR FILE FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Windows Registry updates (and associated files) on the infected host.
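The post notes registry updates on the infected host but does not list the keys. A check a responder would want is whether an autorun value launches Java with a .jar from a user-writable directory, which is the common jRAT/Adwind persistence pattern. The script below is an added example, not part of this post or of any tool shown in it: it parses `reg query ... /s`-style output and flags Run/RunOnce values that invoke javaw.exe or a .jar. The registry output is constructed for the example; the value name and path are assumptions, and only the jar file name is taken from the post.

```python
import re

# Constructed sample of `reg query HKCU\...\CurrentVersion /s`-style output.
# The value names and paths below are assumptions for this example; only the
# jar file name comes from the post.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Xnqwerty    REG_SZ    "C:\Program Files\Java\jre1.8.0_144\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\okPfqKdaTp.AGyqe.jar"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Cleanup    REG_SZ    C:\Windows\System32\cmd.exe /c del C:\Users\user\AppData\Local\Temp\setup.tmp
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
# reg.exe separates name, type and data with runs of spaces.
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
AUTORUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
JAVA_RE = re.compile(r"(javaw?\.exe|\.jar)\b", re.IGNORECASE)
# Either a quoted path with spaces or a bare token ending in .jar.
JAR_PATH_RE = re.compile(r'"([^"]+\.jar)"|(\S+\.jar)', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\",
    re.IGNORECASE,
)


def find_java_autoruns(reg_output: str) -> list:
    """Return Run/RunOnce values whose command launches Java or a .jar file."""
    findings = []
    current_key = None
    for raw in reg_output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if KEY_RE.match(line):
            current_key = line
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None or not AUTORUN_KEY_RE.search(current_key):
            continue
        name, vtype, data = m.groups()
        if not JAVA_RE.search(data):
            continue
        jar = JAR_PATH_RE.search(data)
        jar_path = (jar.group(1) or jar.group(2)) if jar else None
        findings.append({
            "key": current_key,
            "value_name": name,
            "type": vtype,
            "command": data,
            "jar_path": jar_path,
            # A jar under AppData/Temp/ProgramData is the usual sign of a dropped payload.
            "user_writable_location": bool(jar_path and USER_WRITABLE_RE.search(jar_path)),
        })
    return findings


if __name__ == "__main__":
    for f in find_java_autoruns(SAMPLE_REG_OUTPUT):
        print(f"{f['key']} :: {f['value_name']} -> {f['jar_path']} "
              f"(user-writable={f['user_writable_location']})")
```

Feed it the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion /s` (and the HKLM equivalent) from the host; anything it returns should be cross-checked against the dropped .jar's hash before removal.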

 


Shown above:  Contents of the other .jar archive from the infected Windows host.
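Both the downloaded .jar above and the second .jar recovered from the host are plain zip archives, so the first triage step is static: hash the file, list its entries, read the Main-Class from the manifest, and flag a deceptive double extension like ".Pdf.jar". The following is an added example of that triage, not code from this post; the archive it inspects is a constructed in-memory jar with made-up entry names, and only the downloaded file's name is taken from the post.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample: a minimal in-memory jar with a manifest and one class
# file. Entry names are made up for this example and are not the contents
# of the archives from the post.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\r\nMain-Class: loader.Start\r\nCreated-By: 1.8.0\r\n\r\n",
        )
        # 0xCAFEBABE is the Java class file magic.
        zf.writestr("loader/Start.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
        zf.writestr("loader/config.dat", b"\x00" * 64)
    return buf.getvalue()


# A document extension immediately before .jar is a lure, not a document.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.jar$", re.IGNORECASE)


def triage_jar(filename: str, data: bytes) -> dict:
    """Static triage of a .jar: hash, entry list, manifest Main-Class, deceptive name."""
    result = {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "deceptive_double_extension": bool(DOUBLE_EXT.search(filename)),
        "is_zip": zipfile.is_zipfile(io.BytesIO(data)),
        "entries": [],
        "class_count": 0,
        "main_class": None,
    }
    if not result["is_zip"]:
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["entries"].append(info.filename)
            if info.filename.endswith(".class"):
                result["class_count"] += 1
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("main-class:"):
            result["main_class"] = line.split(":", 1)[1].strip()
    return result


if __name__ == "__main__":
    report = triage_jar("132_6473_3432_NH89_4984.Pdf.jar", build_sample_jar())
    for key in ("filename", "sha256", "size", "deceptive_double_extension",
                "main_class", "class_count"):
        print(f"{key}: {report[key]}")
    for entry in report["entries"]:
        print("  ", entry)
```

Running it on the real samples means replacing `build_sample_jar()` with the bytes read from disk; the Main-Class it reports is the entry point to start with when the archive is unpacked for decompilation.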

 

FINAL NOTES


Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
