2017-04-03 - DHL INVOICE MALSPAM/PHOTO MALSPAM - VARIOUS SUBJECT LINES

ASSOCIATED FILES:

  • 2017-04-03-DHL-malspam-traffic.pcap   (10,643,014 bytes)
  • 2017-04-03-fake-DHL-malspam-0928-UTC.eml   (22,764 bytes)
  • 2017-04-03-fake-DHL-malspam-1117-UTC.eml   (22,746 bytes)
  • 2017-04-03-fake-DHL-malspam-1220-UTC.eml   (22,812 bytes)
  • 2017-04-03-fake-image-malspam-1357-UTC.eml   (22,126 bytes)
  • 2017-04-03-fake-image-malspam-1546-UTC.eml   (22,646 bytes)
  • 2017-04-03-fake-image-malspam-1646-UTC.eml   (22,391 bytes)
  • 33521.exe   (353,965 bytes)
  • 462137.exe   (295,936 bytes)
  • Balt.dll   (49,152 bytes)
  • Commercial_CVS_inv.03.04.2017.cvs.js   (25,273 bytes)
  • Commercial_CVS_inv.03.04.2017.zip   (15,870 bytes)
  • img-20170403-0014,jpeg.zip   (15,446 bytes)
  • img-20170403-0054.jpeg.js   (24,464 bytes)

 

NOTES:

 

EMAIL


Shown above:  Screen shot of an email from the first wave.

 


Shown above:  Screen shot of an email from the second wave.

 

EMAIL HEADERS - FIRST WAVE:

 

EMAIL HEADERS - SECOND WAVE:

 


Shown above:  Attachment taken from the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

 

FILE HASHES

EMAIL ATTACHMENTS:

EXTRACTED JS FILES:

FILES RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) rulesets using Sguil on Security Onion.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
