2018-01-02 - WHATSAPP-THEMED MALSPAM TAGETING BRAZIL (AGAIN)

ASSOCIATED FILES:

  • 2018-01-02-whatsapp-malspam-traffic.pcap   (15,560,361 bytes)
  • 2018-01-02-whatsapp-malspam-traffic.pcap   (15,560,361 bytes)
  • 2018-01-02-whatsapp-malspam-1443-UTC.eml   (3,581 bytes)
  • 124412.dat   (6,499,839 bytes)
  • 125412.dat   (5,440,967 bytes)
  • DISNEY0201.exe   (201,679,672 bytes)
  • DISNEY020118.exe   (202,065,232 bytes)
  • usernameHOSTNAME-PC0.txt   (3,364 bytes)
  • usernameHOSTNAME-PC1.txt   (3,360 bytes)
  • vIDEO.Nat.25.12.2017.exe   (3,490,816 bytes)

NOTES:


Shown above:  Flowchart for today's infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

EMAIL


Shown above:  Screenshot of the email.

 

HEADER INFORMATION:

 

MESSAGE TEXT:

Número do Controle: 950637668 Prezado Usuário: [recipient's email address]

WhatsApp com você. Para visualizá-lo, clique no link abaixo.

Video.Wav.25.12.2017.AM:03.30

*****   Enviado via IPhone X   *****

 


Shown above:  Downloading malware from link in the email.

 


Shown above:  Saw this pop-up message, but the malware still infected my lab host..

 

TRAFFIC


Shown above:  HTTP traffic from the infection filtered in Wireshark.

 


Shown above:  HTTPS URLs noted in Fiddler web debugger.

 

ASSOCIATED DOMAINS:

 

MALWARE

MALWARE DOWNLOADED FROM LINK IN EMAIL:

FOLLOW-UP ZIP ARCHIVE (1 OF 2):

EXTRACTED EXECUTABLE (1 OF 2):

FOLLOW-UP ZIP ARCHIVE (2 OF 2):

EXTRACTED EXECUTABLE (2 OF 2):

 

IMAGES


Shown above:  Follow-up download for a zip archive with malware for the infection.

 


Shown above:  Contents of the zip archive and where it was dropped for persistence.

 


Shown above:  Two zip archives were retrieved by the initial installer, and the extracted EXE files were made persistent through scheduled tasks.

 


Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.

 


Shown above:  Some alerts on the infection traffic from the Snort subscriber ruleset when reading the pcap with Snort 2.9.11.

 


Shown above:  Post-infection callback from the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.