2015-08-06 - ADWIND MALSPAM EXAMPLES

ASSOCIATED FILES:

 

NOTES:

Since about mid-July 2015, I've noticed an increase of malicious spam (malspam) with Adwind-based malware as .jar (Java archive) attachments.  More info on Adwind (also known as Unrecom) can be found here and here.

I did some digging for the past 10 days and came up with 10 malware samples and several email examples for today's blog entry.

 

DETAILS

Here's what I found for the last 10 days since 2015-07-27 for Adwind malspam:

[ READ: Date/Time received -- Sender -- Subject -- Attachment ]

 

Here's a list of the 10 adwind samples I found, sorted by MD5 hash:

 

TRAFFIC

I infected a Windows 7 host with a sample from this morning: MD5 hash be3e67412e8a0a36d8eb25cf5fbeed64, file name P.O_18003.jar.  Here's what we saw in the traffic:

 

185.17.1.233 is a Russian IP.  The traffic on port 2556 was SSL, and it used a certificate with the following information:

 

POST-INFECTION

The malware created a folder at C:\Users\[username]\nNUekzhcQJ7 with multiple sub-directories and a large number of files.  I've got a complete list in a text file "list-of-other-files.txt" in the archive 2015-08-06-Adwind-infection-additional-artifacts.zip.  About 8 minutes after opening the Adwind .jar file, two files appeared in the C:\Users\[username]\AppData\Loca\Temp (see image below).

 

The svchost.exe file is not inherently malicious.  However, it's original file name is regsvcs.exe, which I don't think is normal.  Also, it shouldn't be showing up in the user's AppData\Local\Temp directory like that.

 

The other file, Random8130785738909442238.exe, appears malicious, but I haven't had time to examine it.

 

File name:  Random8130785738909442238.exe
File size:  340.0 KB ( 348160 bytes )
MD5 hash:  bfe8b5b2c1e7d5c7d871d5b9ec991a4f
SHA256 hash :  2a6015cbc160df29cdce35dc7eef062658303c83de82e0a453b929a2dbc7a736
Detection ratio:  1 / 55
First submission:  2015-08-06 17:08:30 UTC
https://www.virustotal.com/en/file/2a6015cbc160df29cdce35dc7eef062658303c83de82e0a453b929a2dbc7a736/analysis/

 

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.