2017-10-23 - BRAZIL MALSPAM PUSHES BANLOAD

ASSOCIATED FILES:

  • 2017-10-23-Brazil-malspam-traffic-example.pcap   (12,729,380 bytes)
  • 2017-10-23-Brazil-malspam-1513-UTC.txt   (2,194 bytes)
  • ORCAMEN00017ODB23102017414478005410000048705-1st-run.zip   (1,263,870 bytes)
  • ORCAMEN00017ODB23102017414478005410000048705-2nd-run.zip   (1,189,284 bytes)
  • log.txt   (96 bytes)
  • ta21352362.668   (11,494,246 bytes)
  • COMOMVIEW0.dat   (15 bytes)
  • COMOMVIEW0.exe   (348,273,152 bytes)

 

EMAIL


Shown above:  Screenshot from the email.

 

EMAIL INFO:

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

 


Shown above:  Infection traffic filtered in Fiddler.

 

URLS FROM THE INFECTION TRAFFIC - 1ST DOWNLOADED FILE:

 

POST-INFECTION TRAFFIC FROM THE 2ND DOWNLOADED FILE:

 

MALWARE

DOWNLOADED MALWARE:

 

POST-INFECTION MALWARE:

 

IMAGES


Shown above:  Clicking on one of the email links.

 


Shown above:  1st downloaded file.

 


Shown above:  2nd downloaded file, retrieved from the same email links an hour or so later.

 


Shown above:  Post-infection artifacts (some items deleted after the initial infection).

 

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
