2018-06-04 - MORE MALSPAM PUSHING PASSWORD-PROTECTED WORD DOCS

ASSOCIATED FILES:

 

NOTES:

  • Tue 2018-05-29 - 146 files
  • Wed 2018-05-30 - 9 files
  • Thu 2018-05-31 - 116 files
  • Fri 2018-06-01 - 181 files
  • Sat 2018-06-02 - 311 files
  • Sun 2018-06-03 - 43 files
  • Mon 2018-06-04 - 69 files and counting

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domain and URLs:

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 

EMAIL EXAMPLES:

(READ: Date/Time -- Sending Address -- Subject -- Attachment name)

 

EXAMPLE OF THE EMAIL HEADERS:

Received: from mail13.tiranbro.com ([46.161.42.11]) by [removed] for [removed];
        Tue, 29 May 2018 16:03:43 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=default; d=tiranbro.com;
 h=From:Content-Type:Mime-Version:Subject:Message-Id:Date:To;[removed];
 bh=O/4z7dolnI/WI7L58+Bs3MGxZoU=;
 b=KpjNi3cYWiDW07Ohi/xN9ZMJA4bMTBbAgbWHVxExnRYY6JudM+/Ez1+2OZ34FmcHfV5ToRXsqEBe
   5LHf2BsyAgAOble+AdM4Q87Kp+FBxivYcmiNrJ2is9vc3eT/nYKrSlJeB/wdb0fcDBKTCG1tEGFp
   d1VuCRpbMVhPo6tunQk=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=default; d=tiranbro.com;
 b=OCcl37RY0KZhmSHfjP7N2bmhO4OrK/NQPhqhKHFUesWCsKY80769NgeBEG1OYv0lzVn50Fr3lYx7
   iAODzQXYpVNSmu6g9Quyz5NQo+4IC1qZkbZpmZjZPtSDTAc5YZMp/WJ4Vl+p4Od5UF5BkfoRH68k
   WUWyvzzWzn+OxKxbrBE=;
From: Ofelia Santa =?UTF-8?B?wqA=?= <bfcc@d6a43992.com>
Content-Type: multipart/mixed;
 boundary="Apple-Mail-AC4D618F-85BE-43E7-00C6-A3D8FC517F37"
Mime-Version: 1.0 (1.0)
Subject: About a position.
Message-Id: <0749aa26e943021016158642e6e28bb2@d6a43992.com>
Date: Tue, 29 May 2018 18:02:10 +0200
To: [removed]

 


Shown above:  Malicious Word document downloaded from link in the malspam.

 


Shown above:  Attached Word document after entering the password 123123.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  DNS Traffic that shows DNS queries for carder.bit to some outside DNS server.

 

HTTP TRAFFIC FROM AN INFECTED LAB HOST:

 

DNS TRAFFIC FROM AN INFECTED LAB HOST:

 

INFORMATION FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

SHA256 HASHES FOR ATTACHMENTS:

 

INFORMATION FOR GANDCRAB RANSOMWARE BINARY:

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  GandCrab decryptor (1 of 2).

 


Shown above:  GandCrab decryptor (2 of 2).

 


Shown above:  GandCrab decryptor showing Dash method of payment.

 


Shown above:  GandCrab decryptor showing Bitcoin method of payment.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.