2017-05-26 - MALSPAM - SUBJECT: DHL TRACKING NUMBER FOR SHIPMENT 97 93745 186
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-26-DHL-malspam-traffic.pcap.zip 933 kB (932,556 bytes)
- 2017-05-26-DHL-malspam-traffic.pcap (1,495,969 bytes)
- ZIP archive of the malware: 2017-05-26-DHL-malspam-and-artifacts.zip 424 kB (424,382 bytes)
- 2017-05-25-DHL-malspam-024959-UTC.eml (1,255 bytes)
- 2017-05-25-DHL-malspam-225407-UTC.eml (1,237 bytes)
- 34cf4593-e97c-459b-b49d-bf21da142526.exe (284,514 bytes)
- invoice-0063827410370260857-000001870346531780753154078347.pdf.js (21,338 bytes)
- invoice-0063827410370260857-000001870346531780753154078347.zip (5,985 bytes)
- jebfc.exe (272,226 bytes)
NOTES:
- Thanks to @mesa_matt, who recently identified this as Corebot.
- I previously saw similar malspam pushing the same type of malware (without the fake DHL site) on 2017-04-28.
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date/Time: Thursday 2017-05-25 at 22:49 UTC
- From: (spoofed) "DHL Corporation" <dhl@bulletproofmedia.biz>
- Subject: DHL Tracking Number for shipment 97 93745 186
- Date/Time: Thursday 2017-05-25 at 22:54 UTC
- From: (spoofed) "DHL Corporation" <dhl@digialbums.net>
- Subject: DHL Tracking Number for shipment 97 93745 186
Shown above: Link from the email goes to a fake DHL page that sends a zip archive.
Shown above: Zip archive from the fake DHL page contains a .js downloader.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 89.223.26.202 port 80 - dhldeliverymailservice.com - GET /documentdir/9793745186 [URL for fake DHL page]
- 89.223.26.202 port 80 - dhldeliverymailservice.com - GET /content2/9793745186 [returned zip archive]
- 89.223.26.202 port 80 - dhldeliverymailservice.com - GET /s2000350/iso/ [returned follow-up EXE]
- 89.223.31.232 port 443 - 89.223.31.232 - Post-infection HTTPS/SSL/TLS traffic
- 107.20.224.87 port 80 - httpbin.org - GET /ip
Shown above: Fake DHL site sending the malicious zip archive.
Shown above: HTTP request by the extracted .js file for a Windows executable.
Shown above: Certificate data from the post-infection traffic.
Shown above: IP address check by the infected host.
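Added example (not from the original page): a small triage script that runs the network indicators listed above against web-proxy log lines. The log lines are constructed for this example and do not come from the pcap; the line format, field order and scoring weights are assumptions. The httpbin.org/ip lookup is scored as a weak signal only, because legitimate software makes the same request; the attacker-controlled host and its three URIs are the strong indicators.

```python
import re
from urllib.parse import urlsplit

# Network indicators copied from the ASSOCIATED DOMAINS list above.
IOC_HOSTS = {"dhldeliverymailservice.com"}
IOC_IPS = {"89.223.26.202", "89.223.31.232"}
IOC_PATHS = {"/documentdir/9793745186", "/content2/9793745186", "/s2000350/iso/"}
# httpbin.org/ip is a legitimate service that plenty of benign software uses,
# so on its own it only adds a weak signal.
WEAK_PAIRS = {("httpbin.org", "/ip")}

# Constructed proxy-log sample for this example (not taken from the page's pcap).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2017-05-26T00:12:03Z 10.0.0.15 GET http://dhldeliverymailservice.com/documentdir/9793745186 200
2017-05-26T00:12:09Z 10.0.0.15 GET http://dhldeliverymailservice.com/content2/9793745186 200
2017-05-26T00:13:41Z 10.0.0.15 GET http://dhldeliverymailservice.com/s2000350/iso/ 200
2017-05-26T00:13:55Z 10.0.0.15 GET http://httpbin.org/ip 200
2017-05-26T00:14:02Z 10.0.0.22 GET http://www.dhl.com/en/express/tracking.html 200
2017-05-26T00:14:30Z 10.0.0.22 GET http://httpbin.org/ip 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def score_line(line):
    """Score one log line. Returns (client_ip, score, reasons) or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path
    score, reasons = 0, []
    if host in IOC_HOSTS or host in IOC_IPS:
        score += 10
        reasons.append("contact with IOC host " + host)
    if host in IOC_HOSTS and path in IOC_PATHS:
        score += 5
        reasons.append("IOC URI " + path)
    if (host, path) in WEAK_PAIRS:
        score += 1
        reasons.append("external IP check via httpbin.org/ip")
    return client, score, reasons


def triage(log_text):
    """Aggregate scores per client IP across all parsable lines."""
    per_client = {}
    for line in log_text.splitlines():
        result = score_line(line)
        if result is None:
            continue
        client, score, reasons = result
        entry = per_client.setdefault(client, {"score": 0, "reasons": []})
        entry["score"] += score
        entry["reasons"].extend(reasons)
    return per_client


def flagged_clients(log_text, threshold=10):
    """Clients whose aggregate score reaches the threshold (one strong IOC hit is enough)."""
    return sorted(c for c, e in triage(log_text).items() if e["score"] >= threshold)


if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE_LOG).items()):
        print(client, entry["score"], "; ".join(entry["reasons"]))
```

With the sample above, 10.0.0.15 is flagged on the first request to dhldeliverymailservice.com, while 10.0.0.22 (a legitimate DHL visit plus the same httpbin.org/ip lookup) stays below the threshold. Swap SAMPLE_LOG for real proxy output and adjust LINE_RE to match its field order.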
FILE HASHES
ZIP ARCHIVE SENT BY FAKE DHL SITE:
- SHA256 hash: 387eeb5f35fc2b61d0c94c638f3eae78637441def39e77c81bf09d2653abe9d5
File name: invoice-0063827410370260857-000001870346531780753154078347.zip
File size: 5,985 bytes
File description: Malicious zip archive
- SHA256 hash: 7ad1e498d4a11d4dc221064525dd50b370a05e8dcfb481da4edf9a353e9322e5
File name: invoice-0063827410370260857-000001870346531780753154078347.pdf.js
File size: 21,338 bytes
File description: Extracted .js file
ARTIFACTS FROM THE INFECTED WINDOWS HOST:
- SHA256 hash: 3c74fe8c148812a0b5606aa19a81c98f30ec761f12924115ed8e02eb2f2e3213
File location: C:\Users\[username]\AppData\Local\Temp\jebfc.exe
File size: 272,226 bytes
File description: Executable downloaded by the extracted .js file
- SHA256 hash: 921e596509aeddde19888e76fa9b08df248950c8cb479920f5252b10aa25d0ae
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\66372fd0-8d07-4cab-9690-54a63e36d082\34cf4593-e97c-459b-b49d-bf21da142526.exe
File size: 284,514 bytes
File description: Malware made persistent on the infected host
WINDOWS REGISTRY UPDATE:
- Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: bba00065-1351-41f5-b7a5-6d148cabed17
Value type: REG_SZ
Value data: rundll32 shell32.dll,ShellExec_RunDLL "C:\Users\[username]\AppData\Local\Microsoft\Windows\66372fd0-8d07-4cab-9690-54a63e36d082\34cf4593-e97c-459b-b49d-bf21da142526.exe"
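Added example (not from the original page): a check for the persistence pattern recorded above, where a Run value with a GUID name launches a GUID-named executable in a GUID-named directory under AppData\Local\Microsoft\Windows through rundll32 shell32.dll,ShellExec_RunDLL. The Run-key export is constructed for this example (the user name "alice" and the two benign entries are hypothetical); the scoring weights and threshold are assumptions. On Windows the script reads the live HKCU Run key with the standard-library winreg module, elsewhere it falls back to the sample.

```python
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
# The indirection used by the Run value above: rundll32 shell32.dll,ShellExec_RunDLL "<target>"
SHELLEXEC_RE = re.compile(
    r'rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL\s+"?([^"]+?)"?\s*$', re.I)
# Dropped binary location: %LOCALAPPDATA%\Microsoft\Windows\<GUID>\<GUID>.exe
DROP_PATH_RE = re.compile(
    r"\\AppData\\Local\\Microsoft\\Windows\\([0-9a-f-]{36})\\([0-9a-f-]{36})\.exe$", re.I)

# Constructed Run-key export for this example as (value name, type, data).
# The first entry mirrors the page's artifact with a hypothetical user name;
# the other two are benign-looking entries that each share one feature with it.
SAMPLE_RUN_VALUES = [
    ("bba00065-1351-41f5-b7a5-6d148cabed17", "REG_SZ",
     r'rundll32 shell32.dll,ShellExec_RunDLL "C:\Users\alice\AppData\Local\Microsoft\Windows'
     r'\66372fd0-8d07-4cab-9690-54a63e36d082\34cf4593-e97c-459b-b49d-bf21da142526.exe"'),
    ("OneDrive", "REG_SZ",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", "REG_SZ",
     r'rundll32 shell32.dll,ShellExec_RunDLL "C:\Program Files\Vendor\update.exe"'),
]


def analyze_run_value(name, _vtype, data):
    """Score one Run value. Returns (score, reasons, launched_target)."""
    score, reasons, target = 0, [], data.strip()
    if GUID_RE.match(name):
        score += 2
        reasons.append("GUID-only value name")
    m = SHELLEXEC_RE.search(data)
    if m:
        score += 3
        reasons.append("launched through shell32.dll,ShellExec_RunDLL")
        target = m.group(1)
    if DROP_PATH_RE.search(target):
        score += 3
        reasons.append("GUID-named exe in a GUID directory under AppData\\Local\\Microsoft\\Windows")
    return score, reasons, target


def find_suspicious(values, threshold=5):
    """Return [(name, score, reasons, target)] for values at or above the threshold."""
    hits = []
    for name, vtype, data in values:
        score, reasons, target = analyze_run_value(name, vtype, data)
        if score >= threshold:
            hits.append((name, score, reasons, target))
    return hits


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:
                break
            values.append((name, "REG_SZ" if vtype == winreg.REG_SZ else str(vtype), str(data)))
            index += 1
    return values


if __name__ == "__main__":
    for name, score, reasons, target in find_suspicious(read_hkcu_run() or SAMPLE_RUN_VALUES):
        print(name, score, target, "; ".join(reasons))
```

The ShellExec_RunDLL indirection on its own is not proof of anything (the hypothetical "Updater" entry scores 3 and is not flagged); it is the combination with the GUID naming and the drop directory that makes this entry stand out. Hashing the launched target and comparing it with the SHA256 values in the FILE HASHES section above confirms a hit.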
IMAGES
Shown above: Malware made persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-26-DHL-malspam-traffic.pcap.zip 933 kB (932,556 bytes)
- ZIP archive of the malware: 2017-05-26-DHL-malspam-and-artifacts.zip 424 kB (424,382 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.