2016-05-10 - TUESDAY MALSPAM HUNT - CERBER, LOCKY, AND PORTUGUESE MALSPAM

ASSOCIATED FILES:

• ZIP archive with the data:  2016-05-10-malspam-data.zip   7.3 MB (7,290,169 bytes)

 

EMAILS AND ATTACHMENTS

Shown above:  Data from the .csv spreadsheet on 8 emails from today's malspam.

 

Shown above:  Data from the .csv spreadsheet on 8 attachments from today's malspam.

 

Shown above:  Locky malspam example 1 of 2.

 

Shown above:  Locky malspam example 2 of 2.

 

Shown above:  Cerber malspam example.

 

Shown above:  Portuguese malspam example.

 

TRAFFIC

Shown above:  Traffic from executing one of the extracted .hta files, filtered in Wireshark.

 

ASSOCIATED DOMAINS:

HTTP REQUESTS FOR LOCKY FROM ONE OF THE .HTA FILES:

• 87.106.53.6 port 80 - airconditioning-outlet.co.uk - GET /ad.exe
• 46.30.212.102 port 80 - anustyle.co.uk - GET /ad.exe
• 179.107.83.250 port 80 - atlfitness.com.br - GET /ad.exe
• 160.153.33.104 port 80 - aw-store.com - GET /ad.exe
• 54.241.22.111 port 80 - bedbugsurvivalguide.com - GET /ad.exe
• 139.162.58.95 port 80 - bellenuits.com - GET /ad.exe
• 192.117.12.154 port 80 - buyemergencylight.com - GET /ad.exe
• 52.6.107.10 port 80 - casarenodirect.com - GET /ad.exe
• 200.98.197.36 port 80 - cenasuniformes.com.br - GET /ad.exe
• 184.164.156.210 port 80 - clearancezone.com.au - GET /ad.exe
• 52.65.92.194 port 80 - coating-supplies.com.au - GET /ad.exe
• 103.16.128.166 port 80 - davidjubermann.com - GET /ad.exe
• 50.62.168.5 port 80 - demarcojewels.com - GET /ad.exe
• 192.249.113.43 port 80 - elitesup.com - GET /ad.exe
• 66.147.244.66 port 80 - fashionpoppers.com - GET /ad.exe
• 50.63.119.14 port 80 - getdattee.com - GET /ad.exe
• 103.38.10.109 port 80 - gmdengineering.com.au - GET /ad.exe
• 188.40.28.173 port 80 - homesdreams.com - GET /ad.exe
• 192.249.113.43 port 80 - lcdistributing.com - GET /ad.exe
• 69.162.104.130 port 80 - lcdonline.com.br - GET /ad.exe
• 119.59.120.32 port 80 - liftmaxthailand.com - GET /ad.exe
• 23.229.242.166 port 80 - lyintl.com - GET /ad.exe
• 186.202.153.10 port 80 - magnumautomotivo.com.br - GET /ad.exe
• 50.62.227.32 port 80 - mailboxesflorida.com - GET /ad.exe
• 23.235.196.128 port 80 - melodyderm.com - GET /ad.exe
• 186.202.153.108 port 80 - merlindistribuidora.com.br - GET /ad.exe
• 52.64.39.102 port 80 - metersdirect.com.au - GET /ad.exe
• 162.213.193.150 port 80 - mikronjoalheria.com.br - GET /ad.exe
• 23.235.220.84 port 80 - millersportsaspen.com - GET /ad.exe
• 109.228.9.247 port 80 - mosaicworld.co.uk - GET /ad.exe
• 185.66.171.8 port 80 - myfashionfavourites.com - GET /ad.exe
• 95.142.152.194 port 80 - new-exhibitions.heckfordclients.co.uk - GET /ad.exe
• 67.20.76.133 port 80 - outletsmarcas.com - GET /ad.exe
• 160.153.50.192 port 80 - pgkdistribution.co.uk - GET /ad.exe
• 192.186.229.215 port 80 - pittora.com - GET /ad.exe
• 185.92.247.46 port 80 - ribastiendaonline.com - GET /ad.exe
• 67.20.84.126 port 80 - seatsshop.com - GET /ad.exe
• 74.220.207.142 port 80 - shoesmackers.com - GET /ad.exe
• 177.12.173.166 port 80 - shopnutri.com.br - GET /ad.exe
• 142.4.49.157 port 80 - shoppingsin.com - GET /ad.exe
• 213.186.33.171 port 80 - sky-hero.com - GET /ad.exe
• 67.231.106.60 port 80 - store.pinkupcape.com - GET /ad.exe
• 186.202.126.233 port 80 - videale.com.br - GET /ad.exe
• 136.243.204.62 port 80 - vizyt-shop.com - GET /ad.exe
• 177.12.173.214 port 80 - volparts.com.br - GET /ad.exe
• 166.62.10.30 port 80 - warehousestudiochicago.com - GET /ad.exe
• 46.166.163.195 port 80 - wholesalejaipurkurti.com - GET /ad.exe
• 82.165.151.207 port 80 - zanvair.co.uk - GET /ad.exe

HTTP REQUESTS FOR LOCKY FROM THE .JS FILES:

• 46.235.10.71 port 80 - renklitatlar.com - GET /y78fj34f3
• 108.174.196.88 port 80 - www.designzer.com - GET /y78fj34f3

POST-INFECTION CALLBACK FROM THE LOCKY INFECTIONS:

• 185.82.202.170 port 80 - 185.82.202.170 - POST /userinfo.php

HTTP REQUEST FOR CERBER FROM THE .DOT FILE:

• 188.165.242.106 port 80 - pompe-distribution.com - GET /h.jpg?BkKSelC1CS=45

HTTP REQUESTS FROM THE PORTUGUESE MALSPAM:

• 52.39.113.52 port 80 - www.entregasrapidasweb.com.br - GET /consultas.php   [link from the email]
• 169.57.253.213 port 80 - 169.57.253.213 - GET /iss/amoresexo.zip   [caused by executing the downloaded .js file]

 

ZIP ARCHIVE CONTENTS

• 2016-05-10-Cerber-malspam-traffic.pcap   (440,078 bytes)
• 2016-05-10-Locky-malspam-traffic-1-of-2.pcap   (7,341,712 bytes)
• 2016-05-10-Locky-malspam-traffic-2-of-2.pcap   (225,956 bytes)
• 2016-05-10-malspam-data.csv   (1,603 bytes)
• 2016-05-10-portuguese-malspam-traffic.pcap   (1,704,304 bytes)

• artifacts-from-infected-hosts / 2016-05-10-Cerber-sample.exe   (411,648 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Cerber_# DECRYPT MY FILES #.html   (12,579 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Cerber_# DECRYPT MY FILES #.txt   (11,247 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Cerber_# DECRYPT MY FILES #.vbs   (204 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Locky-sample-1-of-2.exe   (470,528 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Locky-sample-2-of-3.exe   (110,531 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Locky_HELP_instructions.bmp   (3,436,338 bytes)
• artifacts-from-infected-hosts / 2016-05-10-Locky_HELP_instructions.html   (1,780 bytes)
• artifacts-from-infected-hosts / 2016-05-10-boleto-malspam-artifact-from-infected-host.dll   (324,608 bytes)

• attachments / 181j28.3797-x.dot   (224,085 bytes)
• attachments / benny_invoices_291339.zip   (12,893 bytes)
• attachments / copy_ronald_847561.zip   (12,831 bytes)
• attachments / scan-1-of-3.zip   (5,341 bytes)
• attachments / scan-2-of-3.zip   (5,390 bytes)
• attachments / scan-3-of-3.zip   (5,342 bytes)
• attachments / susan_copy_193610.zip   (12,893 bytes)

• extracted-or-downloaded-files / 00003104530364.js   (15,237 bytes)
• extracted-or-downloaded-files / 00004009530388.js   (15,178 bytes)
• extracted-or-downloaded-files / 00004304662954.js   (15,169 bytes)
• extracted-or-downloaded-files / NF09348548421873901.vbs   (10,452 bytes)
• extracted-or-downloaded-files / confirm_nqu9L5i290.hta   (24,625 bytes)
• extracted-or-downloaded-files / document_pzHSAwQn56.hta   (24,602 bytes)

• malspam / 2016-05-10-0909-UTC.eml   (19,195 bytes)
• malspam / 2016-05-10-0914-UTC.eml   (19,287 bytes)
• malspam / 2016-05-10-0923-UTC.eml   (19,295 bytes)
• malspam / 2016-05-10-0932-UTC.eml   (8,682 bytes)
• malspam / 2016-05-10-0934-UTC.eml   (8,743 bytes)
• malspam / 2016-05-10-0949-UTC.eml   (8,719 bytes)
• malspam / 2016-05-10-1331-UTC.eml   (304,048 bytes)
• malspam / 2016-05-10-1402-UTC.eml   (1,475 bytes)

 

FINAL NOTES

Once again, here is the associated file:

• ZIP archive with the data:  2016-05-10-malspam-data.zip   7.3 MB (7,290,169 bytes)

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.