2016-06-09 - BOLETO MALSPAM
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-06-09-boleto-malspam-traffic.pcap.zip 1.8 MB (1,784,929 bytes)
- 2016-06-09-boleto-malspam-traffic.pcap (1,937,154 bytes)
- ZIP archive of the malspam/malware/etc: 2016-06-09-boleto-malspam-and-malware.zip 1.7 MB (1,658,062 bytes)
- 2016-06-08-1432-UTC-boleto-malspam.eml (4,354 bytes)
- 2016-06-09-HTTPS-requests-seen-from-the-infected-host.txt (366 bytes)
- Gerar_Boleto_472289_COBRACAPI_Maio_Inst_BR.js (15,397 bytes)
- Media-Sys.dll (1,677,824 bytes)
NOTES:
- Like my previous post today, I found more malicious spam (malspam) after searching for material on an ISC diary I wrote for Wednesday, 2016-06-09.
Shown above: A screenshot of the email.
TRAFFIC
Shown above: Traffic filtered in Wireshark (image edited to fit all the information in).
Shown above: HTTPS URLs associated with this traffic.
ASSOCIATED DOMAINS:
- 104.27.183.85 port 443 - dahamarli.xyz - SSL traffic for downloading the follow-up malware.
- 200.98.161.148 port 444 - c.fihajaut.xyz - SSL traffic (possible callback traffic).
- 104.27.183.85 port 80 - dahamarli.xyz - HTTP traffic (possible callback traffic).
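The indicators above can be turned into a simple check over connection logs. The following Python is an added example, not part of the original post: it matches the post's IPs and domains against constructed Zeek-style conn.log lines (tab-separated ts, orig_h, resp_h, resp_p, service, SNI; every value other than the indicators is made up) and also flags SSL seen on a port other than the ones where it is expected, which is what makes the TCP 444 callback stand out.

```python
# Added example (not from the original post): match the post's indicators against
# constructed Zeek-style conn.log lines and flag SSL on a non-standard port.

# Indicators taken from the post above.
IOC_HOSTS = {"104.27.183.85", "200.98.161.148"}
IOC_DOMAINS = {"dahamarli.xyz", "c.fihajaut.xyz"}
# Ports on which SSL/TLS is expected; anything else (like TCP 444 here) is suspicious.
EXPECTED_SSL_PORTS = {443, 8443}

# Constructed sample log lines (tab-separated: ts, orig_h, resp_h, resp_p, service, sni).
# Timestamps and the internal/benign addresses are made up; the indicators are from the post.
SAMPLE_LOG = """\
1465464000.1\t192.168.1.50\t93.184.216.34\t443\tssl\texample.com
1465464001.2\t192.168.1.50\t104.27.183.85\t443\tssl\tdahamarli.xyz
1465464005.7\t192.168.1.50\t200.98.161.148\t444\tssl\tc.fihajaut.xyz
1465464009.3\t192.168.1.50\t104.27.183.85\t80\thttp\tdahamarli.xyz
1465464012.0\t192.168.1.50\t192.168.1.1\t53\tdns\t-
"""

def classify(line):
    """Return the reasons one log line looks suspicious (empty list if clean)."""
    ts, orig_h, resp_h, resp_p, service, sni = line.rstrip("\n").split("\t")
    port = int(resp_p)
    reasons = []
    if resp_h in IOC_HOSTS:
        reasons.append(f"known bad IP {resp_h}")
    if sni in IOC_DOMAINS:
        reasons.append(f"known bad domain {sni}")
    if service == "ssl" and port not in EXPECTED_SSL_PORTS:
        reasons.append(f"ssl on non-standard port {port}")
    return reasons

def scan(log_text):
    """Run classify() over every line; return {(resp_h, port): reasons} for hits only."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        reasons = classify(line)
        if reasons:
            hits[(fields[2], int(fields[3]))] = reasons
    return hits

if __name__ == "__main__":
    for (host, port), reasons in scan(SAMPLE_LOG).items():
        print(f"{host}:{port} -> " + "; ".join(reasons))
```

The non-standard-port rule is a heuristic and will also fire on legitimate services that run TLS on unusual ports, so it is best paired with the indicator match rather than used on its own.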
IMAGES
Shown above: Clicking on the link from the email.
Shown above: Opening the .js file in a text editor.
Shown above: Callback traffic over TCP port 444 (decoded as SSL).
Shown above: HTTP callback after the previous SSL traffic.
Shown above: Malware found on the infected host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-06-09-boleto-malspam-traffic.pcap.zip 1.8 MB (1,784,929 bytes)
- ZIP archive of the malspam/malware/etc: 2016-06-09-boleto-malspam-and-malware.zip 1.7 MB (1,658,062 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.