2018-03-30 - MALSPAM PUSHING URSNIF THROUGH BATCH FILES

ASSOCIATED FILES:


NOTES:


WEB TRAFFIC BLOCK LIST

The indicators listed on this page are not a block list. If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAILS

EMAIL INFO:


Shown above: Screenshot from one of the emails.


Shown above: Extracting a batch file from one of the email attachments.


SHA256 HASHES FOR EMAIL ATTACHMENTS (ZIP FILES):

SHA256 HASHES FOR EXTRACTED BATCH FILES:



Shown above: Beginning portion from one of the batch files (requests the decoy PDF document).


Shown above: After several line feeds/carriage returns, the malicious script starts at the end of the batch file.


Shown above: Here's what it looks like when run on a Windows 7 host.
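The captions above describe a batch file whose visible top requests a decoy PDF while the real script is pushed out of view behind a long run of empty lines. The following is an added example, not from this page or its author, of a simple triage check for that layout: it looks for a long run of blank lines that is followed by more script. The sample batch text, the URL and the trailing command are constructed placeholders, not indicators from this page.

```python
# Constructed sample modelled on the page's description: decoy request at
# the top, a long run of CR/LF, then script at the very end. Placeholders only.
SAMPLE_BAT = (
    "@echo off\r\n"
    "start \"\" \"https://example.invalid/decoy.pdf\"\r\n"
    + "\r\n" * 400
    + "echo placeholder for the script that follows the padding\r\n"
)


def find_hidden_tail(text, min_blank_lines=20):
    """Return (blank_line_count, trailing_script_lines) when the file contains
    a run of at least `min_blank_lines` empty lines that is followed by more
    script, otherwise None. Trailing whitespace at end of file is ignored,
    since it hides nothing."""
    lines = text.splitlines()
    best_start, best_len = None, 0     # longest blank run followed by content
    run_start, run_len = None, 0       # blank run currently being measured
    for i, line in enumerate(lines):
        if line.strip() == "":
            if run_start is None:
                run_start = i
            run_len += 1
        else:
            # A non-blank line ends the run, so only runs followed by
            # content can become the best candidate.
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_start, run_len = None, 0
    if best_start is None or best_len < min_blank_lines:
        return None
    tail = [l for l in lines[best_start + best_len:] if l.strip()]
    return (best_len, tail) if tail else None


def triage(text):
    """Human-readable verdict for a batch file's text."""
    hit = find_hidden_tail(text)
    if hit is None:
        return "no padded tail found"
    count, tail = hit
    return "suspicious: %d blank lines hide %d trailing script line(s)" % (count, len(tail))


if __name__ == "__main__":
    print(triage(SAMPLE_BAT))
```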


TRAFFIC


Shown above: Traffic from an infection, filtered in Wireshark.


Shown above: Traffic from another infection several hours later, filtered in Wireshark.


DECOY PDF FILES (NOT MALICIOUS):

REQUESTS FOR BASE64 STRING FOR FOLLOW-UP MALWARE:

POST-INFECTION CONNECTIVITY CHECK (2018-03-29):

POST-INFECTION CALLBACK TRAFFIC (2018-03-29):

POST-INFECTION CALLBACK TRAFFIC (2018-03-30):


FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:


IMAGES


Shown above: Malware persistence on an infected Windows host.


Shown above: Scheduled task to periodically update the malware.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
