2018-02-21 - MALSPAM - SUBJECT: DHL ITALY - ORDINE

ASSOCIATED FILES:

  • 2018-02-21-malspam-infection-traffic.pcap   (1,206,208 bytes)
  • 012725.js   (24,970 bytes)
  • 2018-02-21-malspam-1737-UTC.eml   (2,919 bytes)
  • conferma_ordine_57427.js   (9,350 bytes)
  • conferma_ordine_57427.zip   (4,916 bytes)
  • pzamd.exe   (376,832 bytes)

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAIL


Shown above:  Screenshot of the email.


EMAIL INFORMATION:



Shown above:  Downloading the zip attachment and extracting the malicious .js file.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  This was somewhat odd.  It happened right after the first HTTP request to delivery1class.download that returned JavaScript.


INFECTION TRAFFIC:


MALWARE

DOWNLOADED ZIP ARCHIVE:

EXTRACTED .JS FILE:

.JS FILE FOUND ON THE INFECTED HOST:

FOLLOW-UP BINARY (URSNIF):


Shown above:  Follow-up malware persistent on the infected host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.