Malware-Traffic-Analysis.net - 2017-01-24

2017-01-24 - URSNIF INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-01-24-Ursnif-infection-traffic.pcap.zip 552.2 kB (552,233 bytes)
2017-01-24-Ursnif-malspam-tracker.csv.zip 1.7 kB (1,733 bytes)
2017-01-24-Ursnif-emails-and-malware.zip 1.2 MB (1,174,105 bytes)

EMAILS

Shown above: Information from the spreadsheet tracker (part 1 of 3).

Shown above: Information from the spreadsheet tracker (part 2 of 3).

Shown above: Information from the spreadsheet tracker (part 3 of 3).

Shown above: Screenshot from one of the emails on 2017-01-24.

Shown above: Google translation for the above email.

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject -- Attachment)

2017-01-17 01:36 UTC -- <rhwoo@green.ocn[.]ne[.]jp> -- (in Japanese) -- 1'16-1'17.48053966.ZIP
2017-01-19 07:42 UTC -- <fumitaka-takebe@yahoo[.]co[.]jp> -- (in Japanese) -- TC1229619882376.zip
2017-01-19 08:27 UTC -- <rose.78@polka.ocn[.]ne[.]jp> -- (in Japanese) -- ATT20170119.zip
2017-01-19 08:48 UTC -- <kouzou_kawakami@kcn[.]ne[.]jp> -- (in Japanese) -- Pdf81356953481126509016.zip
2017-01-22 23:52 UTC -- <gsurvey@yahoo[.]co[.]jp> -- (in Japanese) -- FullSizeRender.zip
2017-01-23 01:54 UTC -- <knissin.sekkei@yahoo[.]co[.]jp> -- JPG [1/8] -- image1,image2,image3.zip
2017-01-23 01:59 UTC -- <shikokusteel@green.ocn[.]ne[.]jp> -- (in Japanese) -- image1,image2,image3.zip
2017-01-23 04:01 UTC -- <t-shigeta@lagoon.ocn[.]ne[.]jp> -- I -- IMGP3027.ZIP
2017-01-23 04:26 UTC -- <y-seibu@docomo[.]ne[.]jp> -- II -- IMGP4907.ZIP
2017-01-23 04:48 UTC -- <uehonmati@m3.kcn[.]ne[.]jp> -- III -- IMGP8161.ZIP
2017-01-24 07:23 UTC -- <k-oogaito@cello.ocn[.]ne[.]jp> -- (in Japanese) -- 01.17_0198515456907314879PDF.zip
2017-01-24 07:36 UTC -- <qqw49cqd@yahoo[.]co[.]jp> -- (in Japanese) -- 01.17_0344904520348982136PDF.zip
2017-01-24 07:45 UTC -- <antecedentske904@yahoo[.]co[.]jp> -- (in Japanese) -- Doc55107781393986527696.zip
2017-01-24 07:57 UTC -- <sb2@yahoo[.]co[.]jp> -- (in Japanese) -- Doc13034368140546788037.zip
2017-01-24 08:34 UTC -- <toukai-s@ab.auone-net[.]ne[.]jp> -- (in Japanese) -- 1.16_1.17_260663909.zip
2017-01-24 08:40 UTC -- <shoei216@f5.dion[.]ne[.]jp> -- 12 (rest in Japanese) -- 12-787301272485511.zip
2017-01-24 08:40 UTC -- <light@yahoo[.]co[.]jp> -- 12.2016 -- 12-153918903548537.zip
2017-01-24 09:47 UTC -- <shu-setsubi@tra.bbiq[.]ne[.]jp> -- 2017-2016 -- 12-S09600506667041.zip

ATTACHED ZIP ARCHIVES AND EXTRACTED FILES

SHA256 HASHES FOR THE EMAIL ATTACHMENTS:

0f3fe8a92c4a876b7e9967f1fe734d67ee2b3033cf17446326c4f2c36cc12aed - image1,image2,image3.zip (3,575 bytes)
196c2e3a9e82ee95ac76c553c615240fb0ea09a5a4b4f049901d5207bd203e18 - Doc13034368140546788037.zip (40,230 bytes)
196c2e3a9e82ee95ac76c553c615240fb0ea09a5a4b4f049901d5207bd203e18 - Doc55107781393986527696.zip (40,230 bytes)
1a28cdd50d2286f1d0352a787cbf7bb4d8ef22fda09d171c3be08503869f7b70 - 01.17_0198515456907314879PDF.zip (15,312 bytes)
1a28cdd50d2286f1d0352a787cbf7bb4d8ef22fda09d171c3be08503869f7b70 - 01.17_0344904520348982136PDF.zip (15,312 bytes)
392a6560431afeeb1d9715e297bbec9c53492f4ff502111c119ffe1daef67bdf - FullSizeRender.zip (2,184 bytes)
46177e8e486e884bf2b8cc523e888c52cc25342bbfdded4ba89b5af118ea4cf7 - IMGP3027.ZIP (3,388 bytes)
46177e8e486e884bf2b8cc523e888c52cc25342bbfdded4ba89b5af118ea4cf7 - IMGP4907.ZIP (3,388 bytes)
46177e8e486e884bf2b8cc523e888c52cc25342bbfdded4ba89b5af118ea4cf7 - IMGP8161.ZIP (3,388 bytes)
478c9988d17198614da2942ebb7ca0a42244c37ff91cdb3b6c671f233c1917eb - 1.16_1.17_260663909.zip (15,323 bytes)
701f478a1e3f642fd60f490857627888923be41db0c6c864746138c368c8a76d - 12-153918903548537.zip (16,684 bytes)
701f478a1e3f642fd60f490857627888923be41db0c6c864746138c368c8a76d - 12-787301272485511.zip (16,684 bytes)
701f478a1e3f642fd60f490857627888923be41db0c6c864746138c368c8a76d - 12-S09600506667041.zip (16,684 bytes)
9fa26146e2c7444bd83cb2b7c919e7a58ccdab22badee7d85bb538153d5ff84a - Pdf81356953481126509016.zip (13,688 bytes)
a57e772f14acb5bfa3bc25a0457fab059870912f960194fef83fb0e7b04b6f77 - 1'16-1'17.48053966.ZIP (8,994 bytes)
c0232656732e92d7facd1af375a3f070293a4e29e2ceb22b22fbcb204eafde28 - TC1229619882376.zip (13,978 bytes)
e5eed106ec1b682d56deb6457bfbda1acf77fe6216310ee1828d98a8b8e2cd82 - ATT20170119.zip (27,965 bytes)

SHA256 HASHES FOR THE EXTRACTED .JS FILES:

01e4db57d6466fe55a87cf405e7faa78928aec8b838707ca4d6d1e892710d888 - 1'16-1'17.80549021.rtf.js (24,067 bytes)
0548080571b928a73114f62a02cc56f5e494e19da0110e5ca3c65ab6b8102123 - SM9900289278684.doc.js (39,965 bytes)
35b293bc6053170d8e4c8edbdde43916f6144bf790f702292ed19227ca2ac7fc - 12-X32094875000293.XLS.js (40,187 bytes)
4960b51b3a4690b6edd78196e5de823c00d8a0cd3d917b6eaa3ac30a7d69651a - IMGP6119-08900-001.JPEG.js (17,261 bytes)
681af952b1a1b551715873de9ada6b58d7111d3808a1d093fc04546352f4983b - ATT20170119.txt.js (38,599 bytes)
715571c4f549a0875e183ae230b47f0f89bdcb92de634e3abb39a85a485a602e - Doc1099289388728737872.doc.js (40,038 bytes)
7e23df677a570fb87e86a39a1b5c9a5744aef0983cde2dc45ccbea1b2861a764 - image1,image2,image3.pdf.js (11,307 bytes)
8e3a9a4a93e3dcadd27ff1c4e3e3b034b8c467af27384b51a8b1c0b2b4f5c8ce - 1.16_1.17_095643801.TIFF.js (37,512 bytes)
9dd17698ea21624d37b5a56b9512230d984949f5d869429b00ec5fbacff29869 - Pdf9210980298883719991.PDF.js (38,200 bytes)
b610fdbd10b4350a81a35ef7a4cbc2aa8d764739cb0eb87c91e52f0182dc4bcf - II0990113884-00193.pdf.js (42,141 bytes)
decd46caa47ecb8e6c6c56cbce98db4becad3721c077d45e5f8bdb94efb6790f - FullSizeRender.jpg.js (5,101 bytes)
e3d0976d5e9db399121050ac1a9955c0ab87c212107fe00eb39e23f32eb5ff92 - 01.17_0293538409856340968.pdf.js (39,061 bytes)

TRAFFIC

Shown above: Example an infection from malspam on 2017-01-17, filtered in Wireshark.

Shown above: Example an infection from malspam on 2017-01-24, filtered in Wireshark.

HTTP REQUESTS BY THE .JS FILES FOR THE URSNIF BINARY:

luisserranoiraola[.]com - GET /img/esp/tfax.exe
www.seniorenakademie-berlin[.]de - GET /images/open_air.exe
seehasenachter[.]de - GET /styles/outloo.exe
rucnitkani[.]cz - GET /files/onedrvs.exe

URSNIF POST-INFECTION TRAFFIC:

grohotibombivasebut45[.]com - Ursnif callback domain from 2017-01-17 (resolved) and 2017-01-24 (not resolved)
kgnene199meiwww[.]com - Ursnif callback domain from 2017-01-17 (not resolved) and 2017-01-24 (resolved)
iwdiwjdiwjdwdwd198[.]com - Ursnif callback domain from 2017-01-17 (not resolved)

MALWARE

URSNIF SAMPLES:

5feeee23ecd310ed552b56c1992d5e7f6dbf4e656224a9f3073b83770768e994 - Ursnif sample sample from 2017-01-17 (517,566 bytes)
fc51a5f57f82929dbc6be215691121acdc4a34b0c6430fe444cec65299901059 - Ursnif sample sample from 2017-01-23 (595,968 bytes)

Click here to return to the main page.