2018-07-13 - MALSPAM USES .IQY FILE TO PUSH FLAWED AMMYY RAT

ASSOCIATED FILES:

  • 2018-07-13-Flawed-Ammyy-malspam-tracker.csv   (1,041 bytes)
  • 2018-07-13-Flawed-Ammyy-malspam-6-email-examples.txt   (25,291 bytes)
  • 2018-07-13-malspam-pushes-Flawed-Ammy-via-iqy-files.pcap   (914,768 bytes)
  • PDF_060975187_13072018.iqy   (33 bytes)
  • winmedia2.exe   (160,256 bytes)
  • wsus.exe   (669,472 bytes)

NOTES:


Shown above:  Flow chart for this activity.
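The lure in this campaign is an .iqy attachment (an Excel Web Query file: plain text whose first line is the query type "WEB", second line the format version, third line the URL Excel fetches, and any further lines optional Key=Value settings). The script below is an added example, not part of the original post or the campaign files: it pulls .iqy attachments out of a raw email, parses them, and lists the reasons the query looks like a lure rather than a report feed. The sample message, URL and trusted-host list are constructed for the example; the real attachment's URL is not reproduced here.

```python
"""Extract and parse Excel Web Query (.iqy) attachments and flag suspicious ones.

Added example. SAMPLE_IQY, TRUSTED_HOSTS and the sample email are constructed
for illustration; they are not the content of PDF_060975187_13072018.iqy.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed .iqy content in the documented layout: type, version, URL, settings.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://example.invalid/1.dat\r\n\r\nSelection=AllTables\r\n"

# Hosts an organisation might legitimately pull web queries from (assumed).
TRUSTED_HOSTS = {"intranet.example.invalid"}


def parse_iqy(data: bytes) -> dict:
    """Return the query type, version, URL and settings of an .iqy file."""
    # .iqy files are ANSI/ASCII text; latin-1 decodes any byte without error.
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines()]
    lines = [ln for ln in lines if ln]  # blank lines carry no meaning
    if len(lines) < 3 or lines[0].upper() != "WEB":
        raise ValueError("not an Excel Web Query (.iqy) file")
    settings = {}
    for ln in lines[3:]:
        key, sep, value = ln.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return {"type": lines[0].upper(), "version": lines[1],
            "url": lines[2], "settings": settings}


def iqy_indicators(parsed: dict, trusted_hosts=TRUSTED_HOSTS) -> list:
    """List reasons the query's URL looks like a malspam lure."""
    url = urlparse(parsed["url"])
    reasons = []
    if url.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {url.scheme!r}")
    host = url.hostname or ""
    if not host:
        reasons.append("URL has no host")
    elif host not in trusted_hosts:
        reasons.append(f"untrusted host {host!r}")
    # A bare IP or odd port is unusual for a legitimate data feed.
    if host.replace(".", "").isdigit():
        reasons.append("URL uses a bare IP address")
    if url.port not in (None, 80, 443):
        reasons.append(f"non-standard port {url.port}")
    # A web query normally returns tabular HTML; a path naming an executable,
    # script or opaque .dat blob is out of place.
    if url.path.lower().endswith((".exe", ".dat", ".scr", ".vbs", ".ps1", ".bat", ".js")):
        reasons.append(f"suspicious path {url.path!r}")
    return reasons


def extract_iqy_attachments(raw_message: bytes) -> list:
    """Return (filename, content) for every .iqy attachment in a raw RFC 822 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".iqy"):
            found.append((name, part.get_payload(decode=True)))
    return found


def build_sample_email() -> bytes:
    """Constructed malspam-style message carrying SAMPLE_IQY as an attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(SAMPLE_IQY, maintype="application", subtype="octet-stream",
                       filename="PDF_000000000_00000000.iqy")
    return bytes(msg)


if __name__ == "__main__":
    for name, content in extract_iqy_attachments(build_sample_email()):
        parsed = parse_iqy(content)
        print(name, "->", parsed["url"])
        for reason in iqy_indicators(parsed):
            print("  !", reason)
```

To run it over a real mailbox export, replace build_sample_email() with the raw bytes of each message; the parser itself is independent of how the attachment was obtained.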


EMAIL


Shown above:  Screenshot from an example of the malspam.


DATA FROM 6 EMAIL EXAMPLES:


ATTACHMENT NAMES:


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


NETWORK TRAFFIC FROM AN INFECTED LAB HOST:



Shown above:  Callback traffic caused by the Flawed Ammyy executable.


FILE HASHES

MALSPAM ATTACHMENTS:

INITIAL EXECUTABLE:

FOLLOW-UP EXECUTABLE:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.