2015-06-09 - MALSPAM CAMPAIGN SENDING CRYPTOWALL 3.0 CONTINUES

PCAP AND MALWARE:

 

NOTES:

 

DETAILS

EMAILS SEEN TODAY:

 

ATTACHMENTS:

 

EXTRACTED FILES FROM THE ATTACHMENTS (ALL HTML):

 

EXTRACTED HTML FILES HAVE IFRAME LINKS TO:

 

CHECKING SOME OF THE ABOVE LINKS GAVE ME 200 OK RESPONSES WITH HTTPS LINKS TO THE FOLLOWING GOOGLE URLS:

 

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM DOCS.GOOGLE.COM LINKS:

File name:  my_resume_pdf.zip
File size:  204.2 KB ( 209136 bytes )
MD5 hash:  29e28ae8cca81d223ef3fd24ca1d3d68
Detection ratio:  13 / 57
First submission:  2015-06-09 19:21:32 UTC
VirusTotal link:  https://www.virustotal.com/en/file/24eb11fd46915d470c3c18e769df28414f160c66c0c9504f59f1f422555af138/analysis/

 

EXTRACTED MALWARE (CRYPTOWALL 3.0):

File name:  my_resume_pdf_id_3551-5411-241.scr
File size:  264.0 KB ( 270336 bytes )
MD5 hash:  7d231a2cebfcadb783377ab17fd2ef2f
Detection ratio:  13 / 57
First submission:  2015-06-09 18:42:54 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e5c2c16ec235c74c2586dee6913089602d26633af6aac9c9790b77029f8f6405/analysis/
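For triage of the two stages described above (a ZIP attachment holding an HTML file whose iframe points off-site, and a second ZIP whose "pdf" is really a .scr executable), here is an added Python helper; it is not part of the original post, and the HTML content, iframe target and file ID in its sample ZIP are constructed stand-ins, not the campaign's real values:

```python
import io
import re
import hashlib
import zipfile
from html.parser import HTMLParser

# Constructed HTML lure of the kind found in the attachments; the real
# iframe targets from the campaign are deliberately not reproduced here.
SAMPLE_HTML = (b'<html><body><iframe src="http://example.invalid/redirect.php" '
               b'width="1" height="1"></iframe></body></html>')

EXEC_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".js")
# Names such as "something_pdf_id_....scr" or "report.pdf.exe" pretend to be documents.
DOC_LOOKALIKE = re.compile(r"_pdf[_.]|\.pdf\.", re.IGNORECASE)

class IframeSrcParser(HTMLParser):
    """Collects the src attribute of every <iframe> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)

def iframe_targets(html_bytes):
    parser = IframeSrcParser()
    parser.feed(html_bytes.decode("utf-8", errors="replace"))
    return parser.srcs

def triage_zip(zip_bytes):
    """Return one dict per ZIP member: name, size, MD5, iframe targets and flags."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            entry = {"name": info.filename, "size": info.file_size,
                     "md5": hashlib.md5(data).hexdigest(), "iframes": [], "flags": []}
            lower = info.filename.lower()
            if lower.endswith((".htm", ".html")):
                entry["iframes"] = iframe_targets(data)
                if entry["iframes"]:
                    entry["flags"].append("html-with-iframe")
            if lower.endswith(EXEC_EXT):
                entry["flags"].append("executable")
                if DOC_LOOKALIKE.search(info.filename):
                    entry["flags"].append("document-lookalike-name")
            report.append(entry)
    return report

def build_sample_zip():
    """Constructed ZIP mimicking both stages: an HTML lure plus a fake-PDF .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_resume.html", SAMPLE_HTML)
        zf.writestr("my_resume_pdf_id_0000-0000-000.scr", b"MZ" + b"\x00" * 62)  # placeholder ID
    return buf.getvalue()
```

Run `triage_zip(open("attachment.zip", "rb").read())` on a real attachment to get the member hashes for VirusTotal lookups and the iframe URLs for blocking or sandboxing.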

 

FINAL NOTES

Once again, here's the PCAP of the traffic and ZIP file of the malware:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
