2016-05-24 - TUESDAY MALSPAM HUNT - "THE HORROR!  THE HORROR!"

ASSOCIATED FILES:

 

NOTES:


Shown above:  He cried in a whisper at some image, at some vision--he cried out twice, a cry that was no more
than a breath: The horror! The horror!

 

  • 1st wave:   .wsf files   -   Subject: Re:
  • 2d wave:   .js files that retrieved Locky sample 1   -   Subject: SAFARI LPO [MAL] [random characters]
  • 3d wave:   .js files that retrieved Locky sample 2   -   Subject: We Have Received Your Payment - Thank You (#[random characters])
  • 4th wave:   Word documents with macros that downloaded Dridex   -   Subject: Account Compromised
  • 5th wave:   .js files that retrieved Locky sample 1   -   Fake HP Scanjet messages
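The wave list above doubles as a triage checklist: a subject pattern plus the file type inside the zip attachment identifies the wave. The script below is an added example (not code from the original page) that applies that checklist to a message without extracting anything to disk. Assumptions beyond the page: the "[random characters]" placeholders in the subjects are treated as a single non-whitespace token, the HP Scanjet wave is matched on the word "Scanjet" anywhere in the subject (the page gives no exact subject text), and .jse/.vbs/.docm are flagged alongside the .wsf/.js/.doc types the page actually observed. The sample messages at the bottom are constructed.

```python
"""Triage helper for the 2016-05-24 malspam waves (added example, not from the page)."""
import io
import re
import zipfile

# Extensions the page observed (.wsf, .js, .doc) plus common siblings (assumption).
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs"}
OFFICE_EXTS = {".doc", ".docm"}

# (wave label, subject pattern, extensions expected inside the zip)
# "[random characters]" from the page is modelled as \S+ (assumption).
WAVES = (
    ("1st wave: .wsf", re.compile(r"^Re:\s*$"), {".wsf"}),
    ("2d wave: .js -> Locky sample 1",
     re.compile(r"^SAFARI LPO \[MAL\] \S+$"), {".js"}),
    ("3d wave: .js -> Locky sample 2",
     re.compile(r"^We Have Received Your Payment - Thank You \(#\S+\)$"), {".js"}),
    ("4th wave: Word macro doc -> Dridex",
     re.compile(r"^Account Compromised$"), OFFICE_EXTS),
    # Page says only "Fake HP Scanjet messages"; keyword match is an assumption.
    ("5th wave: fake HP Scanjet .js -> Locky sample 1",
     re.compile(r"scanjet", re.I), {".js"}),
)


def ext(name):
    """Lower-cased extension of a file name, '' if none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def inner_names(zip_bytes):
    """File names inside a zip attachment, read from memory only."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def triage(subject, attachment_name, attachment_bytes):
    """Return (wave label or None, inner file names) for one message."""
    if ext(attachment_name) == ".zip":
        names = inner_names(attachment_bytes)
    else:
        names = [attachment_name]
    exts = {ext(n) for n in names}
    for label, pattern, wanted in WAVES:
        if pattern.search(subject) and exts & wanted:
            return label, names
    # Unknown subject but a script or Office file in the zip: still worth a look.
    if exts & (SCRIPT_EXTS | OFFICE_EXTS):
        return "unmatched subject, suspicious attachment", names
    return None, names


def make_zip(files):
    """Build an in-memory zip from {name: bytes}; used to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages, one per wave plus a benign one.
    samples = [
        ("Re:", "info.zip", make_zip({"info.wsf": b"<job></job>"})),
        ("SAFARI LPO [MAL] aB3k9", "lpo.zip", make_zip({"lpo.js": b"//"})),
        ("We Have Received Your Payment - Thank You (#Q7zz1)", "receipt.zip",
         make_zip({"receipt.js": b"//"})),
        ("Account Compromised", "notice.zip", make_zip({"notice.doc": b"\xd0\xcf"})),
        ("Scanned from HP Scanjet", "scan.zip", make_zip({"scan_0001.js": b"//"})),
        ("Meeting notes", "notes.zip", make_zip({"notes.pdf": b"%PDF"})),
    ]
    for subject, name, data in samples:
        label, names = triage(subject, name, data)
        print(f"{subject!r:55} {names} -> {label}")
```

The script only identifies the delivery vehicle; whether a .doc actually carries a macro, and what the .js fetches, still has to be confirmed by opening the file in a sandbox or with a tool such as olevba, as the page's own analysis of the Locky and Dridex downloads shows.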

 

EMAILS AND ATTACHMENTS


Shown above:  Data from the .csv spreadsheet on 20 malspam samples from Tuesday 2016-05-24.

 


Shown above:  Data from the .csv spreadsheet on 20 attachments from malspam samples on Tuesday 2016-05-24.

 

TRAFFIC


Shown above:  Example of traffic from zip attachments containing .wsf files.

 

TRAFFIC FROM ZIP ATTACHMENTS CONTAINING .WSF FILES:

 


Shown above:  Example of traffic from zip attachments containing .js files for first sample of Locky.

 

TRAFFIC FROM ZIP ATTACHMENTS CONTAINING .JS FILES SENDING FIRST LOCKY SAMPLE:

POST-INFECTION TRAFFIC FROM THE FIRST LOCKY SAMPLE:

 


Shown above:  Example of traffic from zip attachments containing .js files for second sample of Locky.

 

TRAFFIC FROM ZIP ATTACHMENTS CONTAINING .JS FILES SENDING SECOND LOCKY SAMPLE:

POST-INFECTION TRAFFIC FROM THE SECOND LOCKY SAMPLE:

 


Shown above:  Example of traffic from zip attachments containing the .doc files for Dridex.

 

INITIAL SSL TRAFFIC AFTER ENABLING MACROS ON THE WORD DOCS FROM THE ZIP FILES:

  • countryName = MU
  • localityName = Port Louis
  • organizationName = Beffls Ffjouc SCA
  • commonName = buke223.brcherinliemas.team

ENCRYPTED TRAFFIC OR ATTEMPTED CONNECTIONS FROM THE DRIDEX INFECTIONS:

 

IMAGES


Shown above:  SSL certificate info from one of the Dridex pcaps.

 

ZIP ARCHIVE CONTENTS

 

FINAL NOTES

Once again, here is the associated file:

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
