2017-01-25 - URSNIF INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-01-25-Ursnif-infection-traffic-2-pcaps.zip 9.8 kB (9,806 bytes)
- 2017-01-25-Ursnif-malspam-tracker.csv.zip 0.9 kB (899 bytes)
- 2017-01-25-Ursnif-emails-and-malware.zip 919.4 kB (919,413 bytes)
NOTES:
- This Ursnif infection is from an ongoing campaign of Japanese language malspam.
EMAILS
[Images: information from the spreadsheet tracker, parts 1 and 2 of 2]
EMAILS GATHERED:
(Read: Date/Time -- Sending address (spoofed) -- Subject -- Attachment)
- 2017-01-25 07:27 UTC -- hm-japan@yacht.ocn[.]ne[.]jp -- (Japanese characters) -- _01994-1_000003.zip
- 2017-01-25 07:29 UTC -- yokose@oregano.ocn[.]ne[.]jp -- (Japanese characters) -- _01283-1_000052.zip
- 2017-01-25 07:34 UTC -- yumiko.suzuki@mountain.ocn[.]ne[.]jp -- (Japanese characters) -- _05247-1_000055.zip
- 2017-01-25 07:37 UTC -- kamui-auto-syowa@true.ocn[.]ne[.]jp -- (Japanese characters) -- _02301-1_000068.zip
- 2017-01-25 08:14 UTC -- inagaki@themis.ocn[.]ne[.]jp -- Fwd: -- image-001-650435.zip
- 2017-01-25 08:23 UTC -- bsn-to61146@leto.eonet[.]ne[.]jp -- Fwd: -- image-001-044125.zip
- 2017-01-25 08:53 UTC -- kazuki-gotoh@ab.auone-net[.]jp -- Re: -- image-001-901360.zip
- 2017-01-25 09:12 UTC -- kanagawa-asahi@yahoo[.]co[.]jp -- Fwd: -- (20170124-056749-9665660.xls).zip
- 2017-01-25 09:12 UTC -- tanaka-nenkin@iris.eonet[.]ne[.]jp -- (none) -- (20170124-105041-4586695.xls).zip
- 2017-01-25 09:17 UTC -- m.kimura-nanbu@mountain.ocn[.]ne[.]jp -- FW: -- (20170124-057112-5145173.xls).zip
ATTACHED ZIP ARCHIVES AND EXTRACTED FILES
SHA256 HASHES FOR THE EMAIL ATTACHMENTS:
- cf5005b5c192654a1bf69ab1f836891467188fca10be5649cfdb49140d9ca3f9 - (20170124-056749-9665660.xls).zip (15,550 bytes)
- cf5005b5c192654a1bf69ab1f836891467188fca10be5649cfdb49140d9ca3f9 - (20170124-057112-5145173.xls).zip (15,550 bytes)
- cf5005b5c192654a1bf69ab1f836891467188fca10be5649cfdb49140d9ca3f9 - (20170124-105041-4586695.xls).zip (15,550 bytes)
- 5eec3c0beb90062001b43a94c0fb13e03af25ede595b0a0f6b678ed5b9e6738f - _01283-1_000052.zip (13,791 bytes)
- 5eec3c0beb90062001b43a94c0fb13e03af25ede595b0a0f6b678ed5b9e6738f - _01994-1_000003.zip (13,791 bytes)
- 5eec3c0beb90062001b43a94c0fb13e03af25ede595b0a0f6b678ed5b9e6738f - _02301-1_000068.zip (13,791 bytes)
- 5eec3c0beb90062001b43a94c0fb13e03af25ede595b0a0f6b678ed5b9e6738f - _05247-1_000055.zip (13,791 bytes)
- 4c9a9f1980cb3169c7fa7c7d96a1419d980d4ece783994c686a3f3149be80047 - image-001-044125.zip (16,043 bytes)
- 4c9a9f1980cb3169c7fa7c7d96a1419d980d4ece783994c686a3f3149be80047 - image-001-650435.zip (16,043 bytes)
- 4c9a9f1980cb3169c7fa7c7d96a1419d980d4ece783994c686a3f3149be80047 - image-001-901360.zip (16,043 bytes)
SHA256 HASHES FOR THE EXTRACTED .WSF FILES:
- 183729d2832ffeb4ba02a98d64d2d95de686ac45308578665b1fef1cd02414c3 - (20170124-899021-0986655).xls.wsf (40,225 bytes)
- 1c4c3a2fac463f85b9c6a8f31ac7a0fea5e99248e01760a25bc4706f54d41fa8 - _09388-1_000017.wsf (37,643 bytes)
- f160ef635d308034ed53e22eb5605fa5bdfb43b5a0d0764fac38efbee1f47437 - image-001-904563.jpeg.wsf (43,934 bytes)
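The three attachment hashes above show the pattern of this campaign: each lure is a zip containing a single .wsf script, the same script is mailed under several different zip names, and the script name carries a decoy document or image extension in front of .wsf. The triage routine below is an added example (not code from this page): it opens zip attachments in memory, hashes each member, flags Windows Script Host file types and the ".xls.wsf"/".jpeg.wsf" double-extension trick, and groups renamed copies of the same script by its SHA256. The zip contents are constructed stand-ins; only the member file names are taken from the page, the script body is a harmless placeholder.

```python
import hashlib
import io
import zipfile
from collections import defaultdict

# File types Windows Script Host runs on double-click. A member named
# "something.xls.wsf" is a script, whatever the decoy extension says.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".wsh", ".hta"}
DECOY_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "jpeg", "jpg", "png"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_member(name: str) -> str:
    """'script' for a WSH-executable member, 'double-ext' when the script
    name is disguised with a document/image extension, else 'other'."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return "other"
    if "." + parts[-1] not in SCRIPT_EXTS:
        return "other"
    # e.g. "(20170124-899021-0986655).xls.wsf" -> inner extension "xls"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-ext"
    return "script"


def triage_attachment(zip_bytes: bytes) -> dict:
    """Hash the archive and every member, and classify each member."""
    z = zipfile.ZipFile(io.BytesIO(zip_bytes))
    members = []
    for info in z.infolist():
        data = z.read(info)
        members.append({
            "name": info.filename,
            "size": len(data),
            "sha256": sha256_bytes(data),
            "kind": classify_member(info.filename),
        })
    return {
        "zip_sha256": sha256_bytes(zip_bytes),
        "members": members,
        "suspicious": any(m["kind"] != "other" for m in members),
    }


def dedupe_by_member_hash(samples: dict) -> dict:
    """Map SHA256 of each extracted member to the zip names that carried it,
    collapsing renamed copies of one lure into a single entry."""
    groups = defaultdict(list)
    for zip_name, data in samples.items():
        for m in triage_attachment(data)["members"]:
            groups[m["sha256"]].append(zip_name)
    return dict(groups)


def build_zip(member_name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(member_name, content)
    return buf.getvalue()


# Constructed stand-ins: member names from the campaign, placeholder body.
FAKE_WSF = b'<job><script language="JScript">WScript.Echo("x");</script></job>'
SAMPLES = {
    "(20170124-056749-9665660.xls).zip": build_zip("(20170124-899021-0986655).xls.wsf", FAKE_WSF),
    "(20170124-057112-5145173.xls).zip": build_zip("(20170124-899021-0986655).xls.wsf", FAKE_WSF),
    "image-001-044125.zip": build_zip("image-001-904563.jpeg.wsf", FAKE_WSF),
    "benign-invoice.zip": build_zip("invoice.xls", b"not a script"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage_attachment(data)
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", [m["kind"] for m in r["members"]])
    for h, zips in dedupe_by_member_hash(SAMPLES).items():
        print(h[:16], len(zips), "copies")
```

Grouping on the member hash rather than the zip hash is deliberate: a sender that re-zips the same script gets a different archive hash each time, but the script inside is what actually runs, so that is the value to pivot on.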
TRAFFIC
HTTP REQUESTS BY THE .WSF FILES FOR THE URSNIF BINARY:
- 81.169.145[.]165 port 80 www.cp4[.]de - GET /cp4/2401.exe
- NOTE: The HTTP request above returns a 301 redirect to the same URL over HTTPS.
URSNIF POST-INFECTION TRAFFIC:
- 188.0.104[.]83 port 80 - kgnene199meiwww[.]com - Ursnif callback traffic
- 93.79.40[.]11 port 80 - kgnene199meiwww[.]com - Ursnif callback traffic
- DNS query for iwdiwjdiwjdwdwd198[.]com - DNS response: Server failure
- DNS query for grohotibombivasebut45[.]com - DNS response: Server failure
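The traffic indicators above (download host, callback domain and the two IPs it resolved to, and two domains that only produced SERVFAIL responses) are the items a defender would sweep logs for. The matcher below is an added example, not code from this page: it refangs the "[.]" notation, then runs the indicator set over constructed proxy and DNS log lines in a simplified whitespace-separated format (assumed here; adjust the regexes for a real proxy or resolver log). Domains are flagged on the DNS query alone, whatever the response code, because a client asking for a C2 name that happens to be unresolvable is still an infected client.

```python
import re
from typing import List, NamedTuple


def refang(indicator: str) -> str:
    """Turn the page's defanged notation (x[.]y) back into a usable value."""
    return indicator.replace("[.]", ".")


# Indicators from this page, refanged. Kept as plain sets so the same
# matcher can be reused with another campaign's list.
IOC_HOSTS = {refang(h) for h in [
    "www.cp4[.]de", "kgnene199meiwww[.]com",
    "iwdiwjdiwjdwdwd198[.]com", "grohotibombivasebut45[.]com",
]}
IOC_IPS = {refang(i) for i in ["81.169.145[.]165", "188.0.104[.]83", "93.79.40[.]11"]}
IOC_URL_PATHS = {"/cp4/2401.exe"}


class Hit(NamedTuple):
    line_no: int
    reason: str
    value: str


# Assumed log layouts for this example:
#   proxy: "<ts> <client_ip> <dst_ip> <host> <method> <path>"
#   dns:   "<ts> <client_ip> <qname> <rcode>"
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DNS_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, dst_ip, host, _method, path = m.groups()
        host = host.lower().rstrip(".")
        if host in IOC_HOSTS:
            hits.append(Hit(n, "ioc-host", host))
        elif dst_ip in IOC_IPS:
            # Catches direct-to-IP traffic, or a host name rotated off the list
            # while the server behind it stayed the same.
            hits.append(Hit(n, "ioc-ip", dst_ip))
        if path in IOC_URL_PATHS:
            hits.append(Hit(n, "ioc-path", path))
    return hits


def scan_dns_log(lines: List[str]) -> List[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, qname, rcode = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in IOC_HOSTS:
            # Flag on the query, not the answer: SERVFAIL/NXDOMAIN still means
            # something on the client wanted to reach this name.
            hits.append(Hit(n, "ioc-dns-" + rcode, qname))
    return hits


# Constructed sample log lines (client IP, timestamps and paths other than
# the download URL are made up for this example).
PROXY_LOG = [
    "2017-01-25T09:20:01Z 10.0.0.12 81.169.145.165 www.cp4.de GET /cp4/2401.exe",
    "2017-01-25T09:20:03Z 10.0.0.12 93.184.216.34 example.com GET /",
    "2017-01-25T09:21:10Z 10.0.0.12 188.0.104.83 kgnene199meiwww.com POST /",
]
DNS_LOG = [
    "2017-01-25T09:21:30Z 10.0.0.12 iwdiwjdiwjdwdwd198.com SERVFAIL",
    "2017-01-25T09:21:31Z 10.0.0.12 example.com NOERROR",
]

if __name__ == "__main__":
    for h in scan_proxy_log(PROXY_LOG) + scan_dns_log(DNS_LOG):
        print(h)
```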
MALWARE
URSNIF SAMPLE:
- f220a966aaffb0bab4956c35d392564993e310211c3b7b9e9834910258dea3da - Ursnif sample from 2017-01-25 (664,576 bytes)