2018-09-21 - MALSPAM WITH PASSWORD-PROTECTED WORD DOCS STILL PUSHING NYMAIM

ASSOCIATED FILES:

NOTES:

Shown above:  My attempt at a flow chart for today's infection.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:

EMAILS

Shown above:  Screenshot from an email for today's infection.

Shown above:  The attached Word document after it's unlocked with the password.

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

TRAFFIC FROM AN INFECTED WINDOWS HOST:

NOTE:

Shown above:  DNS traffic to Google DNS from the infected Windows host.

MALWARE

EXECUTABLES FOUND ON THE INFECTED WINDOWS HOST:

NOTE:

PERSISTENCE MECHANISMS:

FILE HASHES:

PASSWORD-PROTECTED (ENCRYPTED) WORD DOCS ATTACHED TO THE EMAILS:

FILES FROM AN INFECTED WINDOWS HOST (ALL NYMAIM OR NYMAIM-RELATED):

FILES FROM AN EARLIER INFECTION THAT I LOST THE TRAFFIC FOR (ALL NYMAIM OR NYMAIM-RELATED):


IMAGES

Shown above:  Windows registry entries for 2 of the 3 follow-up Nymaim executables on the infected Windows host.

Shown above:  1 of the 3 follow-up Nymaim executables is persistent through a shortcut in the Startup folder from the Windows Start Menu.
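The two persistence locations shown in the images above (Run-type registry entries and a shortcut in the Startup folder) are cheap to audit on a suspect host. The script below is an added example written for this page, not code from malware-traffic-analysis.net; it enumerates the standard Run/RunOnce keys and both Startup folders, resolves each shortcut's target, hashes any executable it can locate so the result can be compared against the file hashes listed on this page, and flags entries whose command points into the user profile or AppData. The "Suspect" flag is a generic heuristic I chose for illustration, not a Nymaim signature, and the registry paths and folder names are the usual Windows locations rather than anything specific to this infection.

```powershell
# Added example (not from the original page): audit common autostart
# locations on a Windows host and surface entries worth a closer look.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Pull a plausible executable path out of a command line so it can be hashed.
function Get-ExecutablePath([string]$command) {
    if ($command -match '^\s*"?([^"]+?\.exe)"?') {
        $candidate = $matches[1]
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Get-FileSha256([string]$path) {
    if (-not $path) { return $null }
    try { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } catch { $null }
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $exe = Get-ExecutablePath ([string]$prop.Value)
            [pscustomobject]@{
                Source   = 'Registry'
                Location = $key
                Name     = $prop.Name
                Command  = [string]$prop.Value
                SHA256   = Get-FileSha256 $exe
            }
        }
    }
}

function Get-StartupShortcuts {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),       # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')  # all-users Startup folder
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source   = 'StartupFolder'
                Location = $_.FullName
                Name     = $_.Name
                Command  = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
                SHA256   = Get-FileSha256 $lnk.TargetPath
            }
        }
    }
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupShortcuts)

# Heuristic: autostart targets living under the user profile or AppData are
# unusual for legitimate software and common for dropped executables.
$profileRegex = [regex]::Escape($env:USERPROFILE)
$entries |
    ForEach-Object {
        $suspect = ($_.Command -match $profileRegex) -or ($_.Command -match '\\AppData\\')
        $_ | Add-Member -NotePropertyName Suspect -NotePropertyValue $suspect -PassThru
    } |
    Sort-Object Suspect -Descending |
    Format-Table Suspect, Source, Name, Command, SHA256 -AutoSize
```

Run it from a normal PowerShell session on the host under review; reading HKLM Run keys and the all-users Startup folder does not require elevation. Entries whose SHA256 matches one of the hashes in the FILE HASHES section above are the ones to pull for further analysis.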

Shown above:  Some randomly named data files were also seen on the infected Windows host.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
