2018-01-03 - URSNIF OR NOT? INFECTION TRAFFIC FROM A MALSPAM WORD DOC

ASSOCIATED FILES:

  • 2018-01-03-malspam-infection-traffic.pcap   (258,533 bytes)
  • 2018-01-02-malspam-2300-UTC.txt   (75,797 bytes)
  • 2018-01-02-malspam-attachment-Invoice_INV-6183092.doc   (53,760 bytes)
  • 2018-01-03-dutox.exe   (115,200 bytes)
  • 2018-01-03-uvcmarm.bat.txt   (332 bytes)

NOTES:

2018-01-04 UPDATE:


Shown above:  Thanks, Jack!


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:


EMAIL


Shown above:  Screenshot of the email.


EMAIL INFORMATION:



Shown above:  Attached Word document from the email with malicious macro.


TRAFFIC


Shown above:  Initial infection traffic filtered in Wireshark.


ASSOCIATED TRAFFIC:


MALWARE

WORD DOCUMENT FROM THE MALSPAM:

EXECUTABLE RETRIEVED AFTER ENABLING THE WORD DOCUMENT MACROS:


IMAGES


Shown above:  HTTP request and response for the malicious executable.
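The screenshot above shows the HTTP exchange that delivered the executable. As an added example (not code from the original post or its author), the Python script below carves the body out of a raw HTTP response as you would after "Follow TCP Stream" or a tshark export, checks whether it is a Windows PE regardless of what the server claims in Content-Type, and hashes it for lookup. The three responses are constructed stand-ins built inline, not bytes from the pcap; the fake PE body is only a DOS header and a PE signature, which is enough to exercise the check.

```python
"""Carve an HTTP response body and decide whether it is a Windows PE file.

Added example for this page, not code from the original post or its author.
Every HTTP response below is constructed test data, not traffic from the pcap.
"""
import hashlib
import struct

# Constructed 88-byte fake PE body: a 64-byte DOS header whose e_lfanew field
# (offset 0x3C) points at a "PE\0\0" signature at offset 0x40, then padding.
FAKE_PE_BODY = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                + b"PE\x00\x00" + b"\x00" * 20)

# Constructed 16-byte GIF body (header plus trailer), used as a non-PE control.
FAKE_GIF_BODY = b"GIF89a" + b"\x00" * 9 + b";"


def build_response(content_type: bytes, body: bytes) -> bytes:
    """Assemble a minimal HTTP/1.1 response around `body` (constructed data)."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Server: nginx\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


# Three samples: an honest octet-stream, the same PE served with a lying
# image/gif Content-Type (a common trick), and a genuine (fake) GIF.
RESPONSE_OCTET = build_response(b"application/octet-stream", FAKE_PE_BODY)
RESPONSE_MIME_LIE = build_response(b"image/gif", FAKE_PE_BODY)
RESPONSE_GIF = build_response(b"image/gif", FAKE_GIF_BODY)


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased. The body is truncated to Content-Length
    when that header is present, so trailing bytes from a reassembled
    stream (keep-alive follow-ups, junk) are not hashed as part of the file.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return status_code, headers, body


def looks_like_pe(body: bytes) -> bool:
    """True if `body` has a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'.

    Checking the signature through e_lfanew, not just the first two bytes,
    avoids flagging every blob that happens to start with "MZ".
    """
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve(raw: bytes) -> dict:
    """Summarise one response: status, declared type, size, PE verdict, SHA-256."""
    status, headers, body = parse_http_response(raw)
    return {
        "status": status,
        "content_type": headers.get("content-type", ""),
        "size": len(body),
        "is_pe": looks_like_pe(body),
        "sha256": hashlib.sha256(body).hexdigest(),
    }


if __name__ == "__main__":
    for name, raw in [("octet-stream", RESPONSE_OCTET),
                      ("mime-lie", RESPONSE_MIME_LIE),
                      ("gif", RESPONSE_GIF)]:
        print(name, carve(raw))
```

The verdict comes from the file's own structure, so the "image/gif" response carrying a PE is still caught, and the SHA-256 is computed over the carved body only, which is the value you would compare against the hash of the dropped file on the host.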



Shown above:  Post-infection SSL/TLS traffic.



Shown above:  Alerts from Sguil in Security Onion using Suricata and the EmergingThreats Pro (ETPRO) ruleset.



Shown above:  Malicious executable and associated batch file on the infected host.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
