Malware-Traffic-Analysis.net - 2017-10-10 - Lokibot infection from CVE-2017-0199 exploit

2017-10-10 - LOKIBOT INFECTION FROM CVE-2017-0199 EXPLOIT

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-10-10-Lokibot-infection-traffic.pcap (633,297 bytes)

2017-10-10-Lokibot-malspam-1231-UTC.eml (370,939 bytes)

7571BA.exe (675,840 bytes)

REQ. FOR QUOTATION.doc (221,271 bytes)

NOTES:

Malicious spam (malspam) with an attachment.
Attachment is an RTF document with a CVE-2017-0199 exploit, and it's disguised as Word document.
The exploit is designed to infect Windows hosts with Loki Bot malware.

Shown above: Screenshot of the email.

EMAIL HEADERS:

Shown above: Attachment is actually an RTF document with an exploit for CVE-2017-0199.

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: Alerts on the infection traffic using the Emerging Threats and ETPRO rulesets in Sguil on Security Onion.

ASSOCIATED DOMAINS AND URLS:

192.254.235[.]79 port 80 - almahalliah[.]com - GET /images/htajem.hta
192.254.235[.]79 port 80 - almahalliah[.]com - GET /images/jem.exe
194.100.58[.]202 port 80 - www.lasihuolto[.]fi - POST /if/panel/five/fre.php

RTF WITH EXPLOIT FOR CVE-2017-0199:

SHA256 hash: 34a19d2fb7e045bb1c985ed727beff59f169b3021ee67cfc462366a66ce14251
File size: 221,271 bytes
File name: REQ. FOR QUOTATION.doc

FOLLOW-UP MALWARE (LOKIBOT):

SHA256 hash: 54ef1c6df5b3b288366b560f7721f1cc5e556bd2fa3c8b0edee7fdb2fe871ffb
File size: 675,840 bytes
File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe

Click here to return to the main page.