2017-06-08 - PORTUGUESE MALSPAM - NOTIFICACAO IPTU

ASSOCIATED FILES:

  • 2017-06-08-Portuguese-malspam-traffic.pcap   (9,261,121 bytes)
  • 2017-06-07-Portuguese-malspam-1740-UTC.eml   (2,148 bytes)
  • 63466336034690346.etwe   (9,660,419 bytes)
  • Iptu-_-2017.zip   (1,126,288 bytes)

EMAILS


Shown above:  Screen shot from one of the emails.


EMAIL HEADERS:


INITIAL MALWARE


Shown above:  Clicking link from the email redirects to a Dropbox URL for a zip archive.



Shown above:  Contents of the zip archive.


TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  Some of the post-infection traffic.


ASSOCIATED DOMAINS AND URLS:


FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

FILE EXTRACTED FROM THE ZIP ARCHIVE:

MALWARE RETRIEVED FROM THE INFECTED HOST:


Shown above:  Zip archive downloaded during the infection.



Shown above:  Files noted on the infected host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.