2017-09-06 - JAPANESE MALSPAM PUSHING URSNIF

ASSOCIATED FILES:

  • 2017-09-06-Japanese-malspam-pushing-Ursnif-traffic.pcap   (4,073,396 bytes)
  • 2017-09-06-Japanese-Ursnif-spreadsheet-macro.txt   (3,241 bytes)
  • 2017-09-06-Japanese-malspam-attachment.xls   (51,712 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0700-UTC.eml   (72,052 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0707-UTC.eml   (71,931 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0709-UTC.eml   (72,040 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0711-UTC.eml   (71,970 bytes)
  • 2017-09-06-followup-Ursnif-binary.exe   (562,688 bytes)


RELATED TWEET:


EMAILS


Shown above:  Screenshot from one of the emails.


EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject)



Shown above:  One of the Excel spreadsheets.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.



Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.


ASSOCIATED DOMAINS:


FILE HASHES

EMAIL ATTACHMENT:

FOLLOW-UP URSNIF MALWARE:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
