2017-01-24 - ONGOING JAPANESE MALSPAM CAMPAIGN SPREADING URSNIF VARIANT

ASSOCIATED FILES:

 

NOTES:

 

EMAILS


Shown above:  Information from the spreadsheet tracker (part 1 of 3).

 


Shown above:  Information from the spreadsheet tracker (part 2 of 3).

 


Shown above:  Information from the spreadsheet tracker (part 3 of 3).

 


Shown above:  Screenshot from one of the emails on 2017-01-24.

 


Shown above:  Google translation for the above email.

 

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject -- Attachment)

 

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

 

SHA256 HASHES FOR THE EXTRACTED .JS FILES:

 

TRAFFIC


Shown above:  Example an infection from malspam on 2017-01-17, filtered in Wireshark.

 


Shown above:  Example an infection from malspam on 2017-01-24, filtered in Wireshark.

 

HTTP REQUESTS BY THE .JS FILES FOR THE URSNIF BINARY:

URSNIF POST-INFECTION TRAFFIC:

 

MALWARE

URSNIF SAMPLES:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.