2016-10-31 - FACEBOOK-THEMED MALSPAM: "DENUNCIA DE RACISMO EM SEU PERFIL"

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-10-31-malspam-traffic.pcap.zip   1.4 MB (1,411,359 bytes)

• 2016-10-31-malspam-traffic.pcap   (1,500,452 bytes)

• ZIP archive of the malware:  2016-10-31-malspam-artifacts.zip   188 kB (188,192 bytes)

• 2016-10-31-2106-UTC-malspam.eml   (10,784 bytes)
• IMG_68794206_0521892.zip   (7,082 bytes)
• IMG_68794206_0521896.js   (35,416 bytes)
• [username]wz.gif   (1,75,616 bytes)
• r1.log   (53 bytes)
• sdaniurh77fhrhybss.ini   (53 bytes)

 

EMAIL

Shown above:  Screenshot of the malspam.

 

Shown above:  Headers from the malspam.

 

Shown above:  File downloaded from the goo.gl link in the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 216.58.195.238 port 80 - goo.gl - GET /OW2yn4
• 54.187.182.17 port 80 - ec2-54-187-182-17.us-west-2.compute.amazonaws.com - GET /v2/
• 199.101.134.236 port 443 - www.4shared.com - GET /web/directDownload/oIrgFky1ce/h2n33y.fb1cd83ea3102487c881f12ec008cb5f (HTTPS/SSL/TLS)
• 204.155.149.88 port 80 - dc619.4shared.com - GET /download/oIrgFky1ce/IMG_68794206_0521892.zip?[long string of characters]
• 216.244.86.88 port 443 - abydjeukoqkougrdf.migrate02.mylftv.com - Post-infection HTTPS/SSL/TLS traffic

 

FILE HASHES

ZIP archive downloaded from goo.gl link in email:

• SHA256 hash:  c9c04d4e45eebb92a9ea502dcd47089561d4090ab5820a6b469db195bef709e5
  File name:  IMG_68794206_0521892.zip   (7,082 bytes)

JS file extracted from the downloaded ZIP archive:

• SHA256 hash:  0c121f0099dd0bd70397263e56015378d9456b3d71a47537bc6ad19b3a61dd7c
  File name:  IMG_68794206_0521896.js   (35,416 bytes)

DLL file dropped in the ProgramData\[username] directory:

• SHA256 hash:  b4b0402b6bbe1cb82d56dd34aefc990c7b655f89054837d97363add0b721f735
  File name:  [username]wz.gif   (1,75,616 bytes)

 

IMAGES

Shown above:  Artifacts from the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2016-10-31-malspam-traffic.pcap.zip   1.4 MB (1,411,359 bytes)
• ZIP archive of the malware:  2016-10-31-malspam-artifacts.zip   188 kB (188,192 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.