2016-06-25 - MALSPAM - SUBJ: BOLETO CONDOMINIO EM ABERTO

ASSOCIATED FILES:

  • 2016-06-16-1843-UTC.eml   (1,511 bytes)
  • 2016-06-25-0228-UTC.eml   (1,501 bytes)
  • 2016-06-25-malspam-traffic.pcap   (23,804,255 bytes)
  • 471Aw.bat   (204 bytes)
  • B20062016.js   (5,254 bytes)
  • B24062016.js   (4,395 bytes)
  • BoT.mp3   (1,925,226 bytes)   NOTE: This file is a zip archive.
  • Cad.mp3   (14,854,002 bytes)   NOTE: This file is a zip archive.
  • HOSTNAME-PC.jpg   (97 bytes)   NOTE: This is a text file.
  • X8YZ   (7,506,104 bytes)   NOTE: This file is a zip archive.
  • tNfRz.jpg   (16,204 bytes)
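Three of the files above carry extensions that do not match their contents: BoT.mp3, Cad.mp3 and X8YZ are zip archives, and HOSTNAME-PC.jpg is a text file. The check below is an added example (not a script from this page or its author) showing how to catch that kind of disguise by reading magic bytes instead of trusting the extension, and listing the members of any file that turns out to be a zip. The sample contents and the name legit.jpg are constructed for the demonstration; the other names are taken from the file list, but the bytes stand in for the real files.

```python
import io
import os
import zipfile

# Leading bytes of the container formats relevant to this sample set.
# A non-empty zip starts with the local-file-header signature PK\x03\x04;
# an empty one starts with the end-of-central-directory record PK\x05\x06.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"PK\x05\x06": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"ID3": "mp3",
    b"MZ": "pe",
}

# What each extension claims to be.
CLAIMS = {".zip": "zip", ".jpg": "jpeg", ".jpeg": "jpeg", ".mp3": "mp3", ".exe": "pe"}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, not by its file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    # MP3 without an ID3 tag: an MPEG frame begins with an 11-bit sync of all ones.
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"
    # Plain ASCII text (printable characters plus tab, CR, LF).
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        return "text"
    return "unknown"


def zip_members(data: bytes) -> list[str]:
    """Names stored inside a zip blob; the archive is read from memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_zip(member_name: str, member_bytes: bytes) -> bytes:
    """Build an in-memory zip archive (used only to construct sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed stand-ins for the files on this page; the bytes are not the real samples.
SAMPLES = {
    "BoT.mp3": make_zip("dropped.exe", b"MZ" + b"\x00" * 62),   # zip disguised as .mp3
    "X8YZ": make_zip("payload.dll", b"MZ" + b"\x00" * 62),       # zip with no extension
    "HOSTNAME-PC.jpg": b"HOSTNAME-PC\r\n",                       # text disguised as .jpg
    "legit.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,             # constructed real JPEG header
}


def triage(samples: dict[str, bytes] = SAMPLES) -> dict[str, dict]:
    """Compare the type claimed by each extension with the type found in the bytes.

    A file is flagged suspicious only when its extension claims a type and the
    content is something else; files without a known extension are reported but
    not flagged, since they make no claim to contradict.
    """
    report = {}
    for name, data in samples.items():
        ext = os.path.splitext(name)[1].lower()
        claimed = CLAIMS.get(ext, "none")
        actual = sniff(data)
        report[name] = {
            "claimed": claimed,
            "actual": actual,
            "suspicious": claimed != "none" and claimed != actual,
            "members": zip_members(data) if actual == "zip" else [],
        }
    return report


if __name__ == "__main__":
    for name, info in triage().items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{name:18} claims={info['claimed']:5} actual={info['actual']:7} {flag} {info['members']}")
```

Run it against a directory of dropped files by replacing SAMPLES with the files' bytes; the zip-member listing is what tells you whether a disguised archive is the one that carried the banking payload or just staging data.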


NOTES:


EMAILS


TRAFFIC

TRAFFIC ON 2016-06-16:


TRAFFIC ON 2016-06-26:


ARTIFACTS

SOME ARTIFACTS FROM THE INFECTED HOST ON 2016-06-26:


IMAGES FROM 2016-06-25


Shown above:  An example from this boleto malspam campaign on 2016-06-25.



Shown above:  Looking at the email headers (and body) from the 2016-06-25 example of this malspam.



Shown above:  Following the link from the email and downloading the .js file.



Shown above:  What the .js file from 2016-06-26 looks like.



Shown above:  Traffic from the 2016-06-25 infection filtered in Wireshark.



Shown above:  A popup window from the infected host after double-clicking the .js file.



Shown above:  What happened when I proceeded with the popup window.



Shown above:  The .bat file referenced in the previous image before it deleted itself.



Shown above:  Another file that appeared in the infected user's AppData\Local\Temp directory before it deleted itself.



Shown above:  A closer look at the file C:\Users\[username]\AppData\Local\Temp\X8YZ  (downloaded as filename: Hut.mp3).



Shown above:  Two other zip archives that were downloaded during the 2016-06-25 infection.



Shown above:  Interesting file that appeared at C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Templates\tNfRz.jpg.



Shown above:  One of the directories had different artifacts after rebooting the infected host.


FINAL NOTES

Once again, the associated files are the ones listed at the top of this page.
