2015-03-18 - UPATRE/DYRE MALSPAM - SUBJECT: FW: CUSTOMER ACCOUNT DOCS

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: "Carrie L. Tolstedt" <Carrie.Tolstedt@wellsfargo.com>
Date: Tuesday, March 17, 2015 at 15:48 UTC
To:
Subject: FW: Customer account docs


[image: Wells Fargo Logo]

We have received the following documents regarding your account, if you would like to confirm the changes please check / view the documents please click here.

[image: Carrie Tolstedt Portrait]

Carrie L. Tolstedt
Carrie.Tolstedt@wellsfargo.com
Senior Executive Vice President
Community Banking
Wells Fargo & Company

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

 

EMAIL HEADERS:

 

LINKS TO THE MALWARE NOTED:

 

INFECTION TRAFFIC

DOWNLOAD OF ZIP FILE FROM HTTPS LINK:

 

RUNNING THE EXTRACTED MALWARE ON A VM:

 

POST-INFECTION UDP STUN TRAFFIC:

 

POST-INFECTION TCP TRAFFIC:

 

SNORT EVENTS FROM THE TRAFFIC

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Talos (Snort) ruleset from Snort 2.9.7.0 on Debian 7:

 

MALWARE FROM INFECTED HOST

 

NOTE: temp15.pdf is a regular PDF document (abour war drones) that opens on the desktop, drawing your attention away from the infection happening behind the scenes.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.