2016-09-08 - BRAZILIAN MALSPAM: "PRICE OF THESE PRODUCTS"

ASSOCIATED FILES:

  • 2016-09-08-malspam-traffic.pcap   (9,820,088 bytes)
  • 2016-09-08-1226-UTC-malspam.eml   (1,806 bytes)
  • 7za.exe   (476,672 bytes)
  • Nalywynhol.zip   (9,748,084 bytes)
  • Planilha.zip   (2,374 bytes)
  • Planilha_Oráamento.js   (5,334 bytes)
  • aHeoswCPa8P.zip   (70,934 bytes)
  • c4t0c0y1y4.exe   (4,276,224 bytes)
  • security.dll   (1,181,696 bytes)
  • srrstr.dll   (2,853,888 bytes)
  • t9lil0t5lt4l1.exe   (1,573,888 bytes)
  • tl1lin0.exe   (2,853,888 bytes)

EMAIL INFO

SUBJECT:

TEXT:

IMAGES

Shown above:  Screen shot of the malicious spam (malspam).

Shown above:  Translation of the text.

Shown above:  Some of the email headers.

Shown above:  Downloaded file from link in the email.  NOTE: I saw different files after clicking the same URL.

Shown above:  Traffic from the infected host when downloading the file and running it.

Shown above:  Some of the registry entries that ensure the malware stayed persistent after a reboot.

TRAFFIC

ASSOCIATED DOMAINS AND HTTP REQUESTS:

MALWARE AND ARTIFACTS

ARTIFACTS FOUND ON THE INFECTED HOST:

SHA256 HASHES OF THE DOWNLOADED ZIP AND EXTRACTED .JS FILES:

SHA256 HASHES OF THE ARTIFACTS FROM THE INFECTED HOST:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.