2016-06-09 - BOLETO MALSPAM

ASSOCIATED FILES:

  • 2016-06-09-boleto-malspam-traffic.pcap   (1,937,154 bytes)
  • 2016-06-08-1432-UTC-boleto-malspam.eml   (4,354 bytes)
  • 2016-06-09-HTTPS-requests-seen-from-the-infected-host.txt   (366 bytes)
  • Gerar_Boleto_472289_COBRACAPI_Maio_Inst_BR.js   (15,397 bytes)
  • Media-Sys.dll   (1,677,824 bytes)

 

NOTES:


Shown above:  A screenshot of the email.

 

TRAFFIC


Shown above:  Traffic filtered in Wireshark (image edited to fit all the information in).


Shown above:  HTTPS URLs associated with this traffic.

 

ASSOCIATED DOMAINS:

 

IMAGES


Shown above:  Clicking on the link from the email.

 


Shown above:  Opening the .js file in a text editor.

 


Shown above:  Callback traffic over TCP port 444, decoded as SSL (Wireshark does not dissect port 444 as SSL/TLS by default; the stream was decoded using "Decode As").
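The same check can be done outside Wireshark: look at the first bytes of each TCP payload, decide whether it is a TLS ClientHello regardless of destination port, and pull the SNI host name out of it so the callback server can be identified even when the session runs on an unusual port like 444. The script below is an added example written for this page; it is not part of the original write-up or its associated files, and the flow records, IP addresses and host names in it are constructed sample input, not taken from the pcap.

```python
"""
Added example: detect TLS ClientHello messages on non-standard TCP ports and
extract the SNI host name. Not part of the original analysis; the sample
flows, addresses and host names below are constructed for illustration.
"""
import struct


def parse_client_hello(payload: bytes):
    """Return {'version': int, 'sni': str|None} if payload starts with a TLS
    ClientHello record, otherwise None. Tolerates truncated or garbage input."""
    # TLS record header: content type (1), record version (2), length (2)
    if len(payload) < 5 + 4:
        return None
    content_type, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != 0x16 or rec_ver & 0xFF00 != 0x0300:
        return None  # not a handshake record with an SSL3/TLS version
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        return None  # handshake record, but not a ClientHello
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        pos = 0
        client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        pos += 32                                   # client random
        sid_len = hello[pos]
        pos += 1 + sid_len                          # session id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                           # cipher suites
        cm_len = hello[pos]
        pos += 1 + cm_len                           # compression methods
        sni = None
        if pos + 2 <= len(hello):                   # extensions are optional
            ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
                pos += 4
                edata = hello[pos:pos + elen]
                pos += elen
                if ext_type == 0x0000:              # server_name extension
                    # list length (2), name type (1), name length (2), name
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"version": client_version, "sni": sni}
    except (struct.error, IndexError):
        return None                                 # truncated or malformed


def build_client_hello(host: str, version: int = 0x0303) -> bytes:
    """Construct a minimal TLS ClientHello carrying an SNI extension.
    Used only to build sample input for this example."""
    name = host.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    exts = struct.pack("!H", len(ext)) + ext
    hello = (struct.pack("!H", version) + b"\x11" * 32   # version + client random
             + b"\x00"                                   # session id length 0
             + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
             + b"\x01\x00"                               # one compression method
             + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


# Constructed sample flows: (src, dst, dst port, first client payload bytes).
SAMPLE_FLOWS = [
    ("10.6.9.101", "203.0.113.25", 444, build_client_hello("update.callback-sample.invalid")),
    ("10.6.9.101", "203.0.113.25", 80, b"GET /callback.php HTTP/1.1\r\nHost: 203.0.113.25\r\n\r\n"),
    ("10.6.9.101", "198.51.100.7", 443, build_client_hello("www.example.org")),
    ("10.6.9.101", "203.0.113.25", 444, b"\x00\x01not-tls-at-all"),
]


def find_tls_on_nonstandard_ports(flows, standard_ports=(443,)):
    """Return (dst, dport, sni) for each flow whose first payload is a TLS
    ClientHello sent to a port not in standard_ports."""
    hits = []
    for _src, dst, dport, payload in flows:
        hello = parse_client_hello(payload)
        if hello is not None and dport not in standard_ports:
            hits.append((dst, dport, hello["sni"]))
    return hits


if __name__ == "__main__":
    for dst, dport, sni in find_tls_on_nonstandard_ports(SAMPLE_FLOWS):
        print(f"TLS ClientHello to {dst}:{dport} SNI={sni}")
```

The parser deliberately keys on the record and handshake bytes rather than the port, which is exactly why a session on port 444 goes unrecognised by default and why a port-based "decode as" rule is needed in Wireshark. In practice the payloads would come from the first client-to-server segment of each TCP stream in the pcap (for example via scapy or pyshark) instead of the constructed list above.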

 


Shown above:  HTTP callback after the previous SSL traffic.

 


Shown above:  Malware found on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
