2016-10-31 - INFECTION TRAFFIC FROM EMAIL LINK
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-10-31-infection-traffic-from-email-link.pcap.zip 1.4 MB (1,411,395 bytes)
- 2016-10-31-malspam-traffic.pcap (1,500,452 bytes)
- 2016-10-31-email-and-files-from-an-infection.zip 189.0 kB (188,982 bytes)
- 2016-10-31-email-spoofing-Facebook-2106-UTC.eml (10,784 bytes)
- IMG_68794206_0521892.zip (7,082 bytes)
- IMG_68794206_0521896.js (35,416 bytes)
- [username]wz.gif (175,616 bytes)
- r1.log (53 bytes)
- sdaniurh77fhrhybss.ini (53 bytes)
Shown above: Screenshot of the email.
Shown above: Headers from the email.
Shown above: File downloaded from the goo[.]gl link in the email.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 216.58.195[.]238 port 80 - goo[.]gl - GET /OW2yn4
- 54.187.182[.]17 port 80 - ec2-54-187-182-17.us-west-2.compute.amazonaws[.]com - GET /v2/
- port 443 - www.4shared[.]com - GET /web/directDownload/oIrgFky1ce/h2n33y.fb1cd83ea3102487c881f12ec008cb5f (HTTPS/SSL/TLS)
- port 443 - dc619.4shared[.]com - GET /download/oIrgFky1ce/IMG_68794206_0521892.zip?[long string of characters]
- 216.244.86[.]88 port 443 - abydjeukoqkougrdf.migrate02.mylftv[.]com - Post-infection HTTPS/SSL/TLS traffic
FILE HASHES
ZIP archive downloaded from goo[.]gl link in email:
- SHA256 hash: c9c04d4e45eebb92a9ea502dcd47089561d4090ab5820a6b469db195bef709e5
- File name: IMG_68794206_0521892.zip (7,082 bytes)
JS file extracted from the downloaded ZIP archive:
- SHA256 hash: 0c121f0099dd0bd70397263e56015378d9456b3d71a47537bc6ad19b3a61dd7c
- File name: IMG_68794206_0521896.js (35,416 bytes)
DLL file dropped in the C:\ProgramData\[username]\ directory:
- SHA256 hash: b4b0402b6bbe1cb82d56dd34aefc990c7b655f89054837d97363add0b721f735
- File name: [username]wz.gif (175,616 bytes)
IMAGES
Shown above: Artifacts from the infected host.