2016-10-23 - ADWIND (JRAT) MALSPAM - SUBJ: ** CURRENT BALANCE SAS - XPRESSMONEY **
ASSOCIATED FILES:
- ZIP archive of the pcap: 2016-10-23-malspam-traffic.pcap.zip 280.1 kB (280,083 bytes)
- 2016-10-23-malspam-traffic.pcap (309,434 bytes)
- ZIP archive of the malware: 2016-10-23-malspam-and-downloaded-malware.zip 311.8 kB (311,808 bytes)
- 2016-10-23-malspam.eml (72,673 bytes)
- Current_Balcance_October_11_23_06_scan01_jpeg.jar (260,408 bytes)
NOTES:
- Documenting a malicious email I received with a link to Adwind (jRAT) malware.
Shown above: Screenshot of the email.
MESSAGE HEADERS:
- Mail server: 199.217.115.24 - falcon966.dedicatedpanel.com
- Message-ID header: <20161023085323.94FBEB81025E5C3B@xpressmoney.com>
- Date/time: Sunday, 2016-10-23 15:53 UTC
- From: <xm.creditcontrol@xpressmoney.com>
- To: <admin@malware-traffic-analysis.net>
- Subject: ** Current Balance SAS - XpressMoney **
MESSAGE TEXT:
Greetings,
Current Balance - SAS -XpressMoney
Date : Oct 22, 2016
Kindly download the attached report
Click to view Click to download
Regards,
Credit control Team
Xpress Money Services Limited | P.O. Box 643996, Dubai, UAE
Tel: +971 4 8186107 | Fax: +971 4 8186000
xm.creditcontrol@xpressmoney.com www.xpressmoney.com
______________________________________________
TRAFFIC
Shown above: Traffic from the pcap filtered in Wireshark.
ASSOCIATED DOMAINS:
- 91.194.84.69 port 80 - nimdizayn.com - GET /Current_Balcance_October_11_23_06_scan01_jpeg.jar - Download link from malspam
- 158.69.56.128 port 4040 - boscpakloka.myvnc.com - Adwind (jRAT) callback (assylias.Inc SSL cert)
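As an added example (not part of the original post), a small Python script that flags the download link and the callback endpoint listed above in Zeek-style http.log and conn.log lines; the log lines are constructed, and the generic "any .jar fetched over plain HTTP" check goes beyond this specific sample.

```python
"""Match the indicators from this writeup against Zeek-style logs."""

# Indicators taken from the writeup (download link and Adwind callback)
JAR_HOST = "nimdizayn.com"
JAR_URI = "/Current_Balcance_October_11_23_06_scan01_jpeg.jar"
C2_ENDPOINT = ("158.69.56.128", 4040)   # boscpakloka.myvnc.com resolved here

# Constructed sample lines (not taken from the pcap), tab-separated:
#   http.log fields: ts, src, dst, dport, host, uri
#   conn.log fields: ts, src, dst, dport, proto
HTTP_LOG = [
    "1477237980.1\t10.0.0.5\t91.194.84.69\t80\tnimdizayn.com\t" + JAR_URI,
    "1477237985.4\t10.0.0.7\t203.0.113.10\t80\texample.org\t/files/update.jar",
    "1477237990.2\t10.0.0.9\t203.0.113.20\t80\texample.com\t/index.html",
]
CONN_LOG = [
    "1477238010.0\t10.0.0.5\t158.69.56.128\t4040\ttcp",
    "1477238011.0\t10.0.0.9\t203.0.113.20\t80\ttcp",
]


def scan_http(lines):
    """Return (src, reason) for the known malicious .jar download, plus
    any other .jar fetched over plain HTTP, which is worth a look."""
    hits = []
    for line in lines:
        _ts, src, _dst, _dport, host, uri = line.split("\t")
        if host == JAR_HOST and uri == JAR_URI:
            hits.append((src, "known Adwind jar download from " + host))
        elif uri.lower().endswith(".jar"):
            hits.append((src, "unlisted .jar download from " + host))
    return hits


def scan_conn(lines):
    """Return (src, reason) for connections to the callback endpoint;
    matching on ip:port does not depend on seeing the dynamic-DNS name."""
    hits = []
    for line in lines:
        _ts, src, dst, dport, _proto = line.split("\t")
        if (dst, int(dport)) == C2_ENDPOINT:
            hits.append((src, f"Adwind callback to {dst}:{dport}"))
    return hits


def infected_hosts(http_lines, conn_lines):
    """Hosts that both fetched a .jar and called back: highest confidence."""
    fetched = {src for src, _ in scan_http(http_lines)}
    called = {src for src, _ in scan_conn(conn_lines)}
    return sorted(fetched & called)


if __name__ == "__main__":
    print(scan_http(HTTP_LOG), scan_conn(CONN_LOG), infected_hosts(HTTP_LOG, CONN_LOG))
```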
FILE HASHES
DOWNLOADED .JAR FILE:
- SHA256 hash: 1487e0e9b31e3d23c1908131d5860f040bc2d454508283bd6b44e17c574e997e
- File name: Current_Balcance_October_11_23_06_scan01_jpeg.jar (260,408 bytes)
Shown above: The malicious .jar file.
IMAGES
Shown above: Hits from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
Shown above: Registry entry for persistence from an infected host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2016-10-23-malspam-traffic.pcap.zip 280.1 kB (280,083 bytes)
- ZIP archive of the malware: 2016-10-23-malspam-and-downloaded-malware.zip 311.8 kB (311,808 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.