2016-10-06 - PORTUGUESE MALSPAM: PAY YOUR MEU VIVO (MY LIVING) ACCOUNT

ASSOCIATED FILES:

  • 2016-10-06-traffic-from-Portuguese-malspam-attachment.pcap   (7,779,133 bytes)
  • 2016-10-06-1704-UTC-malspam.eml   (3,950 bytes)
  • FaturaVivoPendDDA-05102016.zip   (489,840 bytes)
  • FaturaVivoPendDDA-05102016VER.exe   (813,048 bytes)
  • MeuVivoFatura06102016.html   (1,109 bytes)

 

EMAIL


Shown above:  Email headers showing where the message came from.

 


Shown above:  Screenshot of the email.

 


Shown above:  Google translation of the email.

 

EMAIL TEXT:

Subject: Meu Vivo | Pague Sua Conta - Último Aviso. - 2234555667

Meu Vivo

Prezado Cliente,

Consta em seu CPF um débito referente ao mês de Agosto e Setembro não cobrado em sua fatura.
Para sua comodidade efetuaremos a cobrança via débito automático em sua conta.

Para seu maior conforto, por favor, verifique os detalhes junto ao anexo no e-mail.

Cobranças envolvidas na negociação: Valor Total: 253,64

Atenciosamente,
Central de Relacionamento com o Cliente

 

GOOGLE TRANSLATION:

Subject: My Living | Pay Your Account - Last Warning. - 2234555667

my Living

Dear customer,

Appears on your Social Security a debit for the month of August and September not charged to your bill.
For your convenience we'll charge via direct debit to your account.

For your convenience, please check the details with the attachment in the email.

Charges involved in negotiating: Total value: 253.64

Regards,
Customer Relationship Center

 

FILES


Shown above:  Email attachment (an HTML file).

 


Shown above:  Malware downloaded from the HTML email attachment.

 


TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.

 

HTTP REQUESTS:

ASSOCIATED DOMAINS:

 

IMAGES


Shown above:  Unusual user-agent during post-infection callback.

 


Shown above:  Hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
