2017-10-23 - MALSPAM PUSHES A RAT'S NEST OF MALWARE

ASSOCIATED FILES:

  • 2017-10-23-malspam-traffic.pcap   (8,719,986 bytes)
  • 1.exe   (850,432 bytes)
  • 2.exe   (1,149,440 bytes)
  • 2017-10-23-RAT-malspam-0716-UTC.eml   (454,594 bytes)
  • 3.exe   (1,149,440 bytes)
  • 4.exe   (1,477,120 bytes)
  • 5.exe   (1,509,888 bytes)
  • 6.exe   (1,362,432 bytes)
  • FRTRK.jar   (484,834 bytes)
  • New Order.exe   (879,104 bytes)
  • New Order.zip   (328,818 bytes)
  • rundll.exe   (7,680 bytes)

NOTES:


Shown above:  All you have to do is double-click that innocent-looking executable.

 

EMAIL


Shown above:  Screenshot from the email.

 

EMAIL INFO:

 


Shown above:  Zip attachment and extracted malware.

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

 


Shown above:  Alerts on the infection traffic from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.

 


Shown above:  Some RAT-based alerts on the infection traffic from the Snort subscriber ruleset on Snort 2.9.11.

 

ASSOCIATED DOMAINS:

 

MALWARE

ZIP ATTACHMENT FROM THE EMAIL:

EXTRACTED MALWARE:

MALWARE RETRIEVED FROM INFECTED WINDOWS HOST:

 

IMAGES

Most of the malware I found in the infected user's AppData\Local\Temp directory also copied itself to other locations.  Too many to list here, so I just kept copies from that initial location.


Shown above:  Malware retrieved from the infected user's AppData\Local\Temp directory.

 

Hey, look!  Directories are all open on the server hosting the post-infection malware.

 

 

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.