2017-04-05 - CERBER/KOVTER MALSPAM - SUBJECT: DELIVERY NOTIFICATION

ASSOCIATED FILES:

  • 2017-04-05-Cerber-Kovter-malspam-traffic.pcap   (1,277,728 bytes)
  • 2017-04-05-Cerber-Kovter-malspam.eml   (4,424 bytes)
  • 4503.tmp   (344 bytes)
  • 6fee.fe612   (15,984 bytes)
  • 84e9.tmp   (130 bytes)
  • FedEx-Package-ID-ETUV9Y4U.doc.js   (1,218 bytes)
  • FedEx-Package-ID-ETUV9Y4U.zip   (1,083 bytes)
  • _READ_THI$_FILE_JIUG_.jpeg   (462,645 bytes)
  • _READ_THI$_FILE_JSDUA_.txt   (1,337 bytes)
  • _READ_THI$_FILE_O070JFHE_.hta   (77,047 bytes)
  • a.doc   (8,589 bytes)
  • a1.exe   (273,065 bytes)
  • a2.exe   (363,983 bytes)
  • c65e.bat   (61 bytes)

NOTES:


Shown above:  Cerber now showing some bling.

 

EMAIL


Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

 


Shown above:  Attachment taken from the malspam.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC CAUSED BY THE .JS FILE:

OTHER DOMAINS FROM THE .JS FILE:

CERBER POST-INFECTION HTTP TRAFFIC:

CERBER POST-INFECTION UDP TRAFFIC:

KOVTER POST-INFECTION HTTP TRAFFIC:

KOVTER POST-INFECTION HTTPS/SSL/TLS TRAFFIC:
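The subsections above separate the traffic by stage: what the .js downloader fetched, then Cerber's HTTP and UDP check-ins, then Kovter's HTTP and TLS. The following is an added triage example, not code from the original post: a dependency-free reader for the classic libpcap format that splits a capture into HTTP request lines (with the Host header) and UDP destination counts grouped by /24 and port, which is the quickest way to tell a single download apart from a UDP spray when Wireshark is not at hand. The capture it parses is constructed inline; the victim address, server address, hostname and UDP port are made up for the example and are not taken from the original capture. It handles classic pcap only (both byte orders); pcapng and nanosecond captures are rejected explicitly.

```python
import struct
from collections import Counter

# Constructed stand-in for 2017-04-05-Cerber-Kovter-malspam-traffic.pcap.
# Assumption: addresses, hostname and ports below are invented for the example.
PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def ip_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Ethernet II + IPv4 header (no options, checksum left zero) around an L4 payload."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4


def tcp_segment(sport: int, dport: int, data: bytes) -> bytes:
    """TCP header with PSH|ACK and a 20-byte data offset (no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_pcap(frames) -> bytes:
    """Write frames into a classic little-endian pcap (magic 0xA1B2C3D4, Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1491350400 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def build_sample_pcap() -> bytes:
    """Constructed traffic: one HTTP download, then UDP to ten hosts in one /24."""
    victim = "10.4.5.101"
    frames = [ip_frame(victim, "203.0.113.10", 6, tcp_segment(
        49152, 80, b"GET /a1.exe HTTP/1.1\r\nHost: download.example\r\n\r\n"))]
    for host in range(1, 11):
        frames.append(ip_frame(victim, f"198.51.100.{host}", 17,
                               udp_datagram(49153, 16471, b"hi")))
    return build_pcap(frames)


def iter_frames(data: bytes):
    """Yield each captured frame; accept both byte orders of the classic format."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond variants not handled)")
    if struct.unpack_from(e + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize(data: bytes) -> dict:
    """HTTP request lines (TCP) and UDP destination counts keyed by /24 and port."""
    http, udp = [], Counter()
    for frame in iter_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            dport = struct.unpack_from("!H", l4, 2)[0]
            payload = l4[(l4[12] >> 4) * 4:]
            if payload.startswith(HTTP_METHODS):
                headers = payload.split(b"\r\n")
                host = next((h[6:].decode("latin-1") for h in headers
                             if h.lower().startswith(b"host: ")), "")
                http.append((dst, dport, host, headers[0].decode("latin-1")))
        elif proto == 17 and len(l4) >= 8:
            dport = struct.unpack_from("!H", l4, 2)[0]
            udp[(dst.rsplit(".", 1)[0] + ".0/24", dport)] += 1
    return {"http": http, "udp": udp}


if __name__ == "__main__":
    result = summarize(build_sample_pcap())
    for entry in result["http"]:
        print("HTTP", *entry)
    for (net, port), count in sorted(result["udp"].items()):
        print("UDP ", net, port, count)
```

Run it against a real capture by replacing `build_sample_pcap()` with the bytes of the .pcap file; a high count for a single (/24, port) key from one internal host is the pattern to look at first under the UDP heading, while the HTTP list is what you compare against the download and post-infection URLs in the sections above.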

 

FILE HASHES

ZIP ATTACHMENT FROM THE EMAIL:

.JS FILE EXTRACTED FROM THE ZIP ATTACHMENT:

CERBER AND KOVTER BINARIES:
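The attachment shown earlier and the hash subsections above are the first triage step for a malspam sample: get the ZIP out of the message, hash it and its contents, and record the lure filename. The following added example, not code from the original post, does exactly that with the standard library and never opens or evaluates the script. The message it parses is constructed inline around a harmless placeholder .js; the sender and recipient addresses and the body text are assumptions, and only the attachment filenames match the files listed at the top of this page.

```python
import email
import email.policy
import hashlib
import io
import zipfile
from email.message import EmailMessage

# Constructed stand-in for 2017-04-05-Cerber-Kovter-malspam.eml: a harmless
# placeholder script, not the real downloader. Addresses are assumptions.
SAMPLE_JS = b"// placeholder: not the real downloader\nvar delivered = false;\n"
ZIP_NAME = "FedEx-Package-ID-ETUV9Y4U.zip"
JS_NAME = "FedEx-Package-ID-ETUV9Y4U.doc.js"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Assemble a 'Delivery Notification' message with the ZIP attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(JS_NAME, SAMPLE_JS)
    msg = EmailMessage()
    msg["From"] = "notification@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Delivery Notification"
    msg.set_content("Your package could not be delivered. Details attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ZIP_NAME)
    return msg.as_bytes()


def is_double_extension_script(name: str) -> bool:
    """'.doc.js' style lure: Explorer hides the final extension by default."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in {"js", "jse", "wsf", "vbs"}


def triage_eml(raw: bytes) -> dict:
    """Hash every attachment and, for ZIPs, every member; nothing is executed."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {"subject": str(msg["Subject"]), "attachments": []}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        entry = {"filename": part.get_filename(), "size": len(payload),
                 "sha256": sha256(payload), "members": []}
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    data = zf.read(info)  # bytes only; the script is never evaluated
                    entry["members"].append({
                        "filename": info.filename,
                        "size": len(data),
                        "sha256": sha256(data),
                        "double_extension": is_double_extension_script(info.filename),
                    })
        report["attachments"].append(entry)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage_eml(build_sample_eml()), indent=2))
```

To use it on the real sample, pass the bytes of the .eml to `triage_eml()`; the member hashes are what you compare against the .js hash recorded above, and the ZIP should be opened only in a throwaway analysis VM if you intend to detonate the script.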

 

ARTIFACTS FOUND ON THE INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
