2017-10-03 - BRAZIL MALSPAM - SUBJ: FOTOS ENVIADAS VIA WHATSAPP MESSENGER WEB 03/10/2017 12:26:50 (Portuguese: "Photos sent via WhatsApp Messenger Web")

ASSOCIATED FILES:

  • 2017-10-03-Brazil-malspam-traffic.pcap   (2,200,771 bytes)
  • 2017-10-03-Brazil-malspam-1527-UTC.eml   (10,696 bytes)
  • Image05.zip   (619,728 bytes)
  • Fot0002.exe   (1,494,016 bytes)
  • 01.zip   (1,595,257 bytes)
  • CRYPTUI.dll   (3,176,960 bytes)
  • Yjnqqk.exe   (32,856 bytes)


EMAIL

EMAIL INFORMATION:

Shown above:  Screenshot from the email.

Shown above:  Malicious zip archive from link in the malspam.

Shown above:  Extracted malware from the downloaded zip archive.


TRAFFIC

Shown above:  Infection traffic filtered in Wireshark (image edited to show HTTPS URLs).
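The filtered Wireshark view above shows the HTTP requests and the HTTPS server names from the capture. As an added example (not part of the original post and not the analyst's own tooling), the standard-library Python script below pulls the same two things out of a classic pcap file: HTTP request URLs rebuilt from the request line plus Host header, and HTTPS server names read from the SNI extension of each TLS ClientHello. The embedded sample capture is constructed for the example; its host names (zip-host.example, followup.example) and IP addresses are placeholders, not the domains or addresses from this infection. Only the Image05.zip file name comes from the page.

```python
"""Extract HTTP request URLs and TLS SNI names from a classic pcap (stdlib only).
Added example. The sample capture, host names and IPs below are constructed
placeholders, not data from the 2017-10-03 Brazil malspam pcap."""
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_frames(pcap):
    """Yield the captured bytes of each packet in a classic (non-pcapng) pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_len = int.from_bytes(frame[16:18], "big")
    tcp = 14 + ihl
    if len(frame) < tcp + 20:
        return None
    data_off = (frame[tcp + 12] >> 4) * 4
    dport = int.from_bytes(frame[tcp + 2:tcp + 4], "big")
    return socket.inet_ntoa(frame[30:34]), dport, frame[tcp + data_off:14 + ip_len]


def http_request_url(payload):
    """Rebuild http://host/path from a request that starts a TCP segment."""
    if not payload.startswith(HTTP_METHODS):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ")
    if len(parts) < 2:
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return "http://" + value.strip() + parts[1]
    return None


def tls_sni_url(payload):
    """Rebuild https://name/ from the server_name extension of a TLS ClientHello."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        i = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
        i += 1 + payload[i]                              # session id
        i += 2 + int.from_bytes(payload[i:i + 2], "big")  # cipher suites
        i += 1 + payload[i]                              # compression methods
        end = i + 2 + int.from_bytes(payload[i:i + 2], "big")
        i += 2
        while i + 4 <= min(end, len(payload)):
            etype = int.from_bytes(payload[i:i + 2], "big")
            elen = int.from_bytes(payload[i + 2:i + 4], "big")
            i += 4
            if etype == 0:                               # server_name extension
                j = i + 2                                # skip server_name_list length
                while j + 3 <= i + elen:
                    ntype, nlen = payload[j], int.from_bytes(payload[j + 1:j + 3], "big")
                    j += 3
                    if ntype == 0:                       # host_name
                        return "https://" + payload[j:j + nlen].decode("ascii", "replace") + "/"
                    j += nlen
            i += elen
    except IndexError:
        pass
    return None


def extract_urls(pcap):
    """List (dst_ip, dst_port, url) for every HTTP request and TLS ClientHello seen."""
    found = []
    for frame in iter_frames(pcap):
        hit = tcp_payload(frame)
        if hit is None:
            continue
        dst_ip, dport, payload = hit
        url = http_request_url(payload) or tls_sni_url(payload)
        if url:
            found.append((dst_ip, dport, url))
    return found


# --- constructed sample capture (placeholder hosts/IPs, not the real pcap) ---
def _frame(dst_ip, dport, payload):
    """Ethernet/IPv4/TCP frame; MACs and checksums are zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _client_hello(name):
    """Minimal TLS 1.2 ClientHello with one cipher suite and one SNI entry."""
    sni = b"\x00" + struct.pack("!H", len(name)) + name.encode()
    ext = b"\x00\x00" + struct.pack("!H", len(sni) + 2) + struct.pack("!H", len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_pcap():
    """Three frames: a zip download over HTTP, a TLS ClientHello, and non-HTTP noise."""
    frames = [
        _frame("198.51.100.10", 80, b"GET /Image05.zip HTTP/1.1\r\nHost: zip-host.example\r\n\r\n"),
        _frame("198.51.100.20", 443, _client_hello("followup.example")),
        _frame("198.51.100.30", 80, b"\x00\x00not http"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1507040000 + n, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for dst_ip, dport, url in extract_urls(sample_pcap()):
        print(f"{dst_ip}:{dport}  {url}")
```

To run it against the real capture, pass the file contents to `extract_urls(open("2017-10-03-Brazil-malspam-traffic.pcap", "rb").read())`. The script only looks at the first TCP segment of each request, so a request split across segments, a capture saved as pcapng, or non-Ethernet link types will need Wireshark or tshark with stream reassembly instead.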


ASSOCIATED DOMAINS:


FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

EXTRACTED MALWARE FROM ZIP ARCHIVE:

FOLLOW-UP MALWARE (1 OF 3):

FOLLOW-UP MALWARE (2 OF 3):

FOLLOW-UP MALWARE (3 OF 3):


IMAGES

Shown above:  Malware persistent on the infected host.


FINAL NOTES

Once again, here are the associated files:

  • 2017-10-03-Brazil-malspam-traffic.pcap   (2,200,771 bytes)
  • 2017-10-03-Brazil-malspam-1527-UTC.eml   (10,696 bytes)
  • Image05.zip   (619,728 bytes)
  • Fot0002.exe   (1,494,016 bytes)
  • 01.zip   (1,595,257 bytes)
  • CRYPTUI.dll   (3,176,960 bytes)
  • Yjnqqk.exe   (32,856 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.