2016-12-19 - PORTUGUESE VOUCHER MALSPAM - SUBJECT: ?

ASSOCIATED FILES:

  • 2016-12-19-traffic-from-Portuguese-malspam.pcap   (1,868,602 bytes)
  • 2016-12-19-image-used-in-the-malspam.jpg   (80,620 bytes)
  • 2016-12-19-malspam-0803-UTC.eml   (2,549 bytes)
  • 2016-12-19-malspam-0938-UTC.eml   (2,632 bytes)
  • Comprovante.vbs   (6,183 bytes)
  • comprovante.zip   (2,454 bytes)
  • form1.dll   (2,180,096 bytes)
  • instal.bat   (64 bytes)

NOTES:


Shown above:  Chain of events for this malicious spam.

 

THE EMAILS


Shown above:  First email seen on Monday 2016-12-19 at 08:03 UTC.

 


Shown above:  Second email seen on Monday 2016-12-19 at 09:38 UTC.

 

EMAIL HEADERS:

Date/time sent:  Monday, 2016-12-19 08:03 UTC
From:  info <info@yardleyproducts.com>
X-Originating-Ip:  13.95.24.51   (Netherlands - Microsoft Corporation)
Authentication-Results:  smtp.mailfrom="www-data@live.com"
Authentication-Results:  smtp.helo="codac09.codac09.a4.internal.cloudapp.net"
Authentication-Results:  dkim=none (message not signed)

Date/time sent:  Monday, 2016-12-19 09:38 UTC
From:  admin <admin@condaleplastics.com>
X-Originating-Ip:  13.81.202.7   (Netherlands - Microsoft Corporation)
Authentication-Results:  smtp.mailfrom="www-data@live.com"
Authentication-Results:  smtp.helo="dect03.dect03.a1.internal.cloudapp.net"
Authentication-Results:  dkim=none (message not signed)
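The two header summaries above share the same tells: a visible From: domain that does not match the envelope sender (smtp.mailfrom is a www-data service account at live.com), a HELO name that is an Azure internal cloudapp.net hostname rather than anything tied to the sender's domain, and no DKIM signature. The following is an added example, not code from the original post, that parses the page's own header summaries (transcribed inline below) and tags those inconsistencies the way a mail gateway rule or a triage script would; the finding names, the "www-data@" and ".internal.cloudapp.net" patterns, and the simplified "Key:  value" format it parses are this example's assumptions.

```python
"""Sender-consistency triage for the two malspam header summaries on the page.

Added example (not from the original post). The header blocks are
transcribed from the page; the checks and finding tags are assumptions
chosen for illustration.
"""
import re

# Transcribed from the page: first email, 2016-12-19 08:03 UTC.
HEADER_BLOCK_0803 = """\
Date/time sent:  Monday, 2016-12-19 08:03 UTC
From:  info <info@yardleyproducts.com>
X-Originating-Ip:  13.95.24.51   (Netherlands - Microsoft Corporation)
Authentication-Results:  smtp.mailfrom="www-data@live.com"
Authentication-Results:  smtp.helo="codac09.codac09.a4.internal.cloudapp.net"
Authentication-Results:  dkim=none (message not signed)
"""

# Transcribed from the page: second email, 2016-12-19 09:38 UTC.
HEADER_BLOCK_0938 = """\
Date/time sent:  Monday, 2016-12-19 09:38 UTC
From:  admin <admin@condaleplastics.com>
X-Originating-Ip:  13.81.202.7   (Netherlands - Microsoft Corporation)
Authentication-Results:  smtp.mailfrom="www-data@live.com"
Authentication-Results:  smtp.helo="dect03.dect03.a1.internal.cloudapp.net"
Authentication-Results:  dkim=none (message not signed)
"""


def parse_headers(block):
    """Parse 'Key:  value' lines into a dict; repeated keys collect into lists."""
    headers = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        headers.setdefault(key.strip(), []).append(value.strip())
    return headers


def auth_results(headers):
    """Flatten Authentication-Results entries into {property: value}."""
    out = {}
    for entry in headers.get("Authentication-Results", []):
        m = re.match(r'([\w.]+)="?([^"\s]+)"?', entry)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def domain_of(address):
    """Return the lowercase domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def triage(block):
    """Return a sorted list of finding tags for one header summary block."""
    headers = parse_headers(block)
    auth = auth_results(headers)
    findings = []
    from_domain = domain_of(headers.get("From", [""])[0])
    mailfrom = auth.get("smtp.mailfrom", "")
    mailfrom_domain = domain_of(mailfrom)
    helo = auth.get("smtp.helo", "").lower()

    # Visible From: domain differs from the envelope sender (MAIL FROM).
    if from_domain and mailfrom_domain and from_domain != mailfrom_domain:
        findings.append("from-mailfrom-mismatch")
    # Envelope sender is a web server's service account (assumed pattern).
    if mailfrom.startswith("www-data@"):
        findings.append("service-account-mailfrom")
    # HELO is a cloud-provider internal hostname unrelated to the From: domain.
    if helo and not helo.endswith(from_domain) and helo.endswith(".internal.cloudapp.net"):
        findings.append("cloud-internal-helo")
    # Message carries no DKIM signature at all.
    if auth.get("dkim") == "none":
        findings.append("dkim-none")
    return sorted(findings)


if __name__ == "__main__":
    for label, block in (("08:03 UTC", HEADER_BLOCK_0803), ("09:38 UTC", HEADER_BLOCK_0938)):
        print(label, triage(block))
```

Both samples produce the same four findings, which is what makes them useful as a gateway rule: none of the checks depends on the spoofed From: domain, only on the relationship between From:, the envelope sender, the HELO name and the DKIM result.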

 

SUBJECT AND MESSAGE TEXT (PORTUGUESE):

Subject:  ?

Oi deu certo a transferencia, consegui nao foi o valor todo mais garanto
que essa semana eu finalizo esse pagamento.
confirma pramim e me manda o
total do restante hoje ainda
mandei R$ 372,00 !!

comprovante Segue em anexo

 

GOOGLE TRANSLATION OF THE MESSAGE TEXT (ENGLISH):

Hi it worked the transfer, I got it was not the whole amount more I guarantee
That this week I finish this payment.
Confirm me and send me the
Total of the rest today
I sent R $ 372,00 !!

Voucher attached

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS AND URLS:

 

FILE HASHES

EXTRACTED .VBS FILE:

MALWARE DLL:

 

IMAGES


Shown above:  First HTTP request by the .vbs file for the malware DLL.

 


Shown above:  Second HTTP request by the .vbs file for the batch file.

 


Shown above:  Malware DLL and the batch file stored on the infected host.

 


Shown above:  Process Explorer showing the malware DLL run with Mixintal as the entry point.

 


Shown above:  Registry entry under HKEY_LOCAL_MACHINE that keeps the malware persistent.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
