2017-02-20 - MALSPAM - SUBJECT: RADAR PHOTO PROOF 57628324

ASSOCIATED FILES:

  • 2017-02-20-malspam-traffic.pcap   (1,080,088 bytes)
  • 2017-02-20-malspam-1738-UTC.eml   (31,259 bytes)
  • Camera radar notification.js   (954 bytes)
  • Cameraradarnotification.zip   (767 bytes)
  • System and Security.exe   (352,768 bytes)
  • upd9abc1cf3.exe   (215,503 bytes)

NOTES:


Shown above:  Flowchart for this infection traffic.

 

EMAIL


Shown above:  Screenshot from the email.

 

EMAIL HEADERS:

 

EMAIL MESSAGE:

Reason: negligent driving
Camera radar.

Hello
You’ve been issued with a driver’s violation:

The fee shall be accredited within the statutory period of up to 25.02.2017. This is an automated message, please do not reply.

Case No: 05776
Date of infringement: 18/02/2017
Amount due: 22.25 CAD

Please read notification [Link to: ideasprototyped.com/Cameraradarnotification.zip]

 

DOWNLOADED FILE:


Shown above:  Zip archive downloaded from link in the email.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

ZIP ARCHIVE FROM LINK IN THE EMAIL:

 

EXTRACTED .JS FILE:

 

MALWARE DOWNLOADED BY .JS FILE:

 

FOLLOW-UP MALWARE NOTED:

 

IMAGES


Shown above:  Alerts on the post-infection traffic from the ETPRO rulesets using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.