2017-01-05 - BRAZIL TARGETED MALWARE INFECTION

NOTICE:

NOTES:

ASSOCIATED FILES:

  • 2017-01-05-Brazil-targeted-malware-infection.pcap   (1,728,547 bytes)
  • 2017-01-04-Brazil-malspam-1412-UTC.eml   (3,075 bytes)
  • 2017-01-04-Brazil-malspam-1656-UTC.eml   (3,077 bytes)
  • 2017-01-04-Brazil-malspam-2111-UTC.eml   (3,075 bytes)
  • 2017-01-04-Brazil-malspam-2154-UTC.eml   (3,075 bytes)
  • 2017-01-04-Brazil-malspam-2316-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0250-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0313-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0331-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0342-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0644-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0759-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0852-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-0956-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1049-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1201-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1210-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1218-UTC.eml   (3,074 bytes)
  • 2017-01-05-Brazil-malspam-1358-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1438-UTC.eml   (3,075 bytes)
  • 2017-01-05-Brazil-malspam-1627-UTC.eml   (3,075 bytes)
  • 05012017HLiMHwQ9RfYE4G5KrDQR19Z6O4lHh828377.vbe   (548 bytes)
  • Ionic.Zip.Reduced.dll   (253,440 bytes)
  • JUNGLE-PC.aes   (16 bytes)
  • JUNGLE-PC.zip   (1,087,252 bytes)
  • JUNGLE-PCx.ocx   (440 bytes)
  • SYSJUNGLEPC37.txt   (3,242 bytes)
  • dll.dll.exe   (396,480 bytes)
  • tmpB04B.tmp   (11,548 bytes)
  • wimgwdfh.yim.vbs   (53,223 bytes)

 

EMAILS


Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

 

TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

MALWARE

ARTIFACTS FOUND ON THE INFECTED HOST:

 

SHA256 HASHES FOR THE ARTIFACTS:

 

ADDITIONAL INFO

Here are the links I saw from the emails:

 

Here are the base domains from the above URLs:

 

Those four domains were registered on 2017-01-02 with the following info:

Note:  fsist[.]xyz and jioapnllybzbexyxyyodecgbvuit16[.]xyz are also registered to Soren Laderoute with the same contact data.

 

When I pinged them today, all the above domains appeared to be hosted on 65.181.112[.]240.

 

Click here to return to the main page.