2017-12-13 - EMAIL ATTACHMENT EXPLOITS CVE-2017-11882 TO SPREAD LOKI BOT

ASSOCIATED FILES:

  • 2017-12-12-tracker-for-malspam-using-CVE-2017-11882.csv   (993 bytes)
  • 2017-12-12-malspam-using-CVE-2017-11882-1359-UTC.eml   (57,498 bytes)
  • 2017-12-12-malspam-using-CVE-2017-11882-1400-UTC.eml   (57,498 bytes)
  • 2017-12-12-malspam-using-CVE-2017-11882-1402-UTC.eml   (57,498 bytes)
  • 2017-12-12-malspam-using-CVE-2017-11882-1404-UTC.eml   (57,497 bytes)
  • 2017-12-12-malspam-using-CVE-2017-11882-1416-UTC.eml   (57,498 bytes)
  • 2017-12-13-malspam-using-CVE-2017-11882-traffic.pcap   (926,390 bytes)
  • 7571BA.exe   (286,720 bytes)
  • Order From Dekkogroup Canada.doc   (40,229 bytes)
  • em.exe   (385,024 bytes)
  • hp.exe   (438,272 bytes)
  • ki.exe   (442,368 bytes)
  • lj.exe   (434,176 bytes)

NOTES:

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 


Shown above:  Email headers from one of the emails.

 

EMAIL INFORMATION:

 


Shown above:  RTF attachment from one of the emails.

 

TRAFFIC


Shown above:  SMB traffic from the infected Windows host filtered in Wireshark.

 


Shown above:  HTTP traffic from the infected Windows host filtered in Wireshark.

 

ASSOCIATED TRAFFIC:

 

FILE HASHES

MALWARE RETRIEVED FROM THE INFECTED WINDOWS HOST:

 


IMAGES


Shown above:  Loki Bot malware persistent on the infected host.

 


Shown above:  Connecting to \\185.45.192.7\s as a shared drive on a Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
