2016-04-05 - TESLACRYPT MALSPAM - SUBJ: ACTUAL STATUS ON YOUR BALANCE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-04-05-TeslaCrypt-from-malspam-traffic.pcap.zip  1.0 MB (1,027,546 bytes)
• ZIP archive of the emails and malware:  2016-04-05-TeslaCrypt-malspam-emails-and-malware.zip  327.0 kB (327,028 bytes)

 

NOTES:

• Today I saw malicious spam (malspam) with .js-based attachments deliver TeslaCrypt similar to waves of malspam already reported, such as:

• https://myonlinesecurity.co.uk/actual-status-on-your-balance-49166-js-malware-leads-to-teslacrypt-ransomware/
• https://techhelplist.com/spam-list/1065-incoming-transaction-declined-id-malware
• http://blog.dynamoo.com/2016/03/malware-spam-additional-information.html

 

EMAILS

EMAIL EXAMPLES:

• From: Rosanna Aguiar -- Subj: Actual Status on Your Balance 27003
• From: Morton Seal -- Subj: Actual Status on Your Balance 93990
• From: Benetta Guillory -- Subj: Actual Status on Your Balance 88860
• From: Leigh Mcclung -- Subj: Actual Status on Your Balance 94249
• From: Kelvin Corl -- Subj: Actual Status on Your Balance 97835

 

ATTACHMENTS:

• Attachment name: bill_invoices_427897.zip -- MD5 hash: 75db7be6455f400b2e61b515a83b2714
• Attachment name: copy_greg_589120.zip -- MD5 hash: c961ce40b1a6e0c560ed2733c4540130
• Attachment name: cassie_copy_500450.zip -- MD5 hash: 5b76de1afb1fe48859aac03442d8603c
• Attachment name: copy_m8r-o0m7rg_613733.zip -- MD5 hash: 5a9051d0064bbdf68d4cef0e444ac753
• Attachment name: bam_copy_474035.zip -- MD5 hash: a805af25e93bb25625e3eb473d7d2c88

 

EXTRACTED .JS FILES:

• Extracted file name: report_qvThfu.js -- MD5 hash: 11df3084f0438d8ca6bda38c13b70a38
• Extracted file name: report_xfGUmj.js -- MD5 hash: 1086fd107f8137f5e2103208352ee16a
• Extracted file name: transaction_yoReNp.js -- MD5 hash: 3b1b73508474bd1cf8166343ce48d201
• Extracted file name: document_rCDXCI.js -- MD5 hash: 02a7f25a7b295bdefdf404a3c85e7215
• Extracted file name: doc_iMXGLN.js -- MD5 hash: d067919f1b9e8db0d916a44ab6959faa

 

TRAFFIC

Shown above:  Pcap for this blog entry's traffic filtered in Wireshark.

 

NOTE: I ran each of the extracted .js files on a host in my lab.  Notice the 3 different IP addresses for marvellrulesqq.com.

ASSOCIATED DOMAINS:

• 54.212.162.6 port 80 - marvellrulesqq.com - GET /70.exe?1
• 104.161.60.151 port 80 - marvellrulesqq.com - GET /70.exe?1
• 185.118.142.154 port 80 - marvellrulesqq.com - GET /70.exe?1
• 23.229.239.227 port 80 - addagapublicschool.com - POST /binfile.php
• 194.228.3.204 port 80 - helpdesk.keldon.info - POST /plugins/editors/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/binfile.php

 

MALWARE

CONTENTS OF TODAY'S EMAIL AND MALWARE ARCHIVE:

• 2016-04-05-TeslaCrypt-decrypt-insructions.html
• 2016-04-05-TeslaCrypt-decrypt-insructions.png
• 2016-04-05-TeslaCrypt-decrypt-insructions.txt

• 2016-04-05-TeslaCrypt-from-malspam.exe   (Virus Total link)   (Malwr link)

• 2016-04-05-malspam-example-01.eml
• 2016-04-05-malspam-example-02.eml
• 2016-04-05-malspam-example-03.eml
• 2016-04-05-malspam-example-04.eml
• 2016-04-05-malspam-example-05.eml

• bam_copy_474035.zip
• bill_invoices_427897.zip
• cassie_copy_500450.zip
• copy_greg_589120.zip
• copy_m8r-o0m7rg_613733.zip

• doc_iMXGLN.js
• document_rCDXCI.js
• report_qvThfu.js
• report_xfGUmj.js
• transaction_yoReNp.js

 

IMAGES

Shown above:  An example of the Windows desktop infected with malware from this malspam.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-04-05-TeslaCrypt-from-malspam-traffic.pcap.zip  1.0 MB (1,027,546 bytes)
• ZIP archive of the emails and malware:  2016-04-05-TeslaCrypt-malspam-emails-and-malware.zip  327.0 kB (327,028 bytes)

The ZIP files are password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.