2017-05-26 - MALSPAM - SUBJECT: DHL TRACKING NUMBER FOR SHIPMENT 97 93745 186

ASSOCIATED FILES:

  • 2017-05-26-DHS-malspam-traffic.pcap   (1,495,969 bytes)
  • 2017-05-25-DHL-malspam-024959-UTC.eml   (1,255 bytes)
  • 2017-05-25-DHL-malspam-225407-UTC.eml   (1,237 bytes)
  • 34cf4593-e97c-459b-b49d-bf21da142526.exe   (284,514 bytes)
  • invoice-0063827410370260857-000001870346531780753154078347.pdf.js   (21,338 bytes)
  • invoice-0063827410370260857-000001870346531780753154078347.zip   (5,985 bytes)
  • jebfc.exe   (272,226 bytes)

NOTES:


EMAIL


Shown above:  Screen shot of the email.


EMAIL HEADERS:



Shown above:  Link from the email goes to a fake DHL page that sends a zip archive.



Shown above:  Zip archive from the fake DHL page contains a .js downloader.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.


ASSOCIATED DOMAINS:



Shown above:  Fake DHL site sending the malicious zip archive.



Shown above:  HTTP request by the extracted .js file for a Windows executable.



Shown above:  Certificate data from the post-infection traffic.



Shown above:  IP address check by the infected host.


FILE HASHES

ZIP ARCHIVE SENT BY FAKE DHL SITE:

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

WINDOWS REGISTRY UPDATE:


IMAGES


Shown above:  Malware made persistent on the infected Windows host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
