2016-11-28 - BRAZILIAN MALSPAM - SUBJECT: COBRANCA ATUALIZADA

ASSOCIATED FILES:

  • 2016-11-28-Brazilian-malspam-traffic.pcap   (9,466,579 bytes)
  • 2016-11-28-0427-UTC.eml   (7,103 bytes)
  • AN_COBRANCA-.js   (9,903 bytes)
  • rsd1-from-rsdw1.plu.DLL   (5,064,192 bytes)
  • rsd1-from-rsdy1.plu.DAT   (3,113,985 bytes)
  • rsd2-from-rsdw2.plu.DLL   (6,011,904 bytes)
  • rsd2-from-rsdy2.plu.DLL   (3,612,160 bytes)
  • rsd4-from-rsdy4.plu.DLL   (571,904 bytes)

THE EMAIL

Shown above:  Screenshot of the email.

Shown above:  Google translation of the email text.

EMAIL DATA:

THE ATTACHMENT

Shown above:  The attachment, a zip archive named: AN_COBRANCA-13.zip.

Shown above:  The .js file extracted from the zip archive, AN_COBRANCA-.js.

ATTACHMENT AND EXTRACTED .JS FILE:

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

ASSOCIATED URLS:

IMAGES

Shown above:  Archives downloaded from makrpecas.com.br.

Shown above:  A registry key from the infected Windows host.

FILES EXTRACTED FROM ARCHIVES DOWNLOADED BY THE INFECTED HOST:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.