2016-10-23 - ADWIND (JRAT) MALSPAM - SUBJ: ** CURRENT BALANCE SAS - XPRESSMONEY **

ASSOCIATED FILES:

  • 2016-10-23-malspam-traffic.pcap   (309,434 bytes)
  • 2016-10-23-malspam.eml   (72,673 bytes)
  • Current_Balcance_October_11_23_06_scan01_jpeg.jar   (260,408 bytes)

NOTES:

Shown above:  Screenshot of the email.

MESSAGE HEADERS:

MESSAGE TEXT:

Greetings,

Current Balance - SAS -XpressMoney

Date: Oct 22, 2016

Kindly download the attached report

Click to view     Click to download

Regards,

Credit control Team
Xpress Money Services Limited | P.O. Box 643996, Dubai, UAE
Tel: +971 4 8186107 | Fax: +971 4 8186000
xm.creditcontrol@xpressmoney.com www.xpressmoney.com
______________________________________________

TRAFFIC


Shown above:  Traffic from the pcap filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

DOWNLOADED .JAR FILE:


Shown above:  The malicious .jar file.

IMAGES


Shown above:  Hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

Shown above:  Registry entry for persistence from an infected host.

FINAL NOTES

Once again, here are the associated files:

  • 2016-10-23-malspam-traffic.pcap   (309,434 bytes)
  • 2016-10-23-malspam.eml   (72,673 bytes)
  • Current_Balcance_October_11_23_06_scan01_jpeg.jar   (260,408 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.