2017-06-07 - LOKI BOT MALSPAM - SUBJECT: RE:PURCHASE REQUEST

ASSOCIATED FILES:

  • 2017-06-07-Loki-Bot-malspam-traffic.pcap   (146,597 bytes)
  • 2017-06-07-Loki-Bot-malspam-1249-UTC.eml   (17,271 bytes)
  • 2017-06-07-https-paste.ee-r-CBooD-0.txt   (169,911 bytes)
  • 7571BA.exe   (20,992 bytes)
  • Schedule_order.doc   (14,286 bytes)
  • Schedule_order.r03   (11,487 bytes)
  • price_inv_2364723.vbs   (593 bytes)
EMAILS


Shown above:  Screen shot from the email.
EMAIL HEADERS:

Shown above:  Malicious Word document in RAR archive from the malspam.

Shown above:  Contents of the embedded .js file from the Word document.

Shown above:  HTTPS request generated by the embedded .js file.
TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.
ASSOCIATED DOMAINS:
FILE HASHES

RAR ARCHIVE FROM THE EMAIL:

MALICIOUS WORD DOCUMENT EXTRACTED FROM THE RAR ARCHIVE:

SUSPICIOUS FILE NOTED ON THE INFECTED HOST:


Shown above:  Updated Windows registry begs the question, "Why would a legitimate file be used in this manner?"
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.