2017-03-13 KOVTER/LOCKY MALSPAM - SUBJECT: STATUS OF YOUR UPS DELIVERY
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-03-13-Kovter-Locky-malspam-traffic.pcap.zip 792 kB (791,930 bytes)
- ZIP archive of the emails and malware: 2017-03-13-Kovter-Locky-malspam-artifacts.zip 632 kB (632,203 bytes)
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date: Monday, 2017-03-13 01:38:20 UTC
- Subject: Status of your UPS delivery ID:03667517
- From: koala@gator3121.hostgator.com
- Message-Id: <E1cnEwG-000EAG-DV@gator3121.hostgator.com>
- Received: from [192.185.146.210:31174] helo=gateway33.websitewelcome.com
Shown above: Attached zip archive from the email.
Shown above: Extracted .js file from the zip archive.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 50.62.238.1 port 80 - bv.truecompassdesigns.net - GET /counter/?[long string of characters]
- 173.201.141.128 port 80 - doctors.live - GET /counter/?1
- 173.201.141.128 port 80 - doctors.live - GET /counter/?2
- 77.73.66.227 port 80 - 77.73.66.227 - POST /checkupdate
- 185.117.72.90 port 80 - 185.117.72.90 - POST /upload.php
- 163.47.17.13 port 443 - strong.fenn.net.au - HTTPS/SSL/TLS traffic
- 163.47.17.13 port 80 - 163.47.17.13 - POST /
- 91.203.146.102 port 80 - 91.203.146.102 - POST /
- 223.7.167.219 port 80 - 223.7.167.219 - POST /
- 50.117.67.242 port 80 - 50.117.67.242 - POST /
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.
FILE HASHES
ATTACHMENT:
- SHA256 hash: 927d6da867594787e1a279d40fcd7e6867affd78b3c8b0fa23e71fa4ed3a4129
File description: Email attachment, file name: UPS-Label-03667517.zip
- SHA256 hash: 6543022758dae11efbe8565b4ae8aa9ad4125fe3f68c60e70a5d07236c262e7f
File description: Extracted .js file, file name: UPS-Label-03667517.doc.js
DOWNLOADED MALWARE:
- SHA256 hash: 85f2b584251421b7ff98b80739bbacb1ace3fd48b2f1e039733de9c06fd733b6
File description: Locky ransomware
- SHA256 hash: 895da1da5880dbaaaf3631c6fd0f84ffa5307fccb3b5f4611a9e0c413f7d1029
File description: Kovter malware
Artifacts from the infected host:
- C:\Users\[Username]\AppData\Local\20fe5\c2556.bat
- C:\Users\[Username]\AppData\Local\20fe5\32c39.733a25
- C:\Users\[Username]\AppData\Local\Temp\a.doc
- C:\Users\[Username]\AppData\Local\Temp\a1.exe
- C:\Users\[Username]\AppData\Local\Temp\a2.exe
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-03-13-Kovter-Locky-malspam-traffic.pcap.zip 792 kB (791,930 bytes)
- ZIP archive of the emails and malware: 2017-03-13-Kovter-Locky-malspam-artifacts.zip 632 kB (632,203 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.