2017-06-07 - LOKI BOT MALSPAM - SUBJECT: RE:PURCHASE REQUEST

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-07-Loki-Bot-malspam-traffic.pcap.zip   132 kB (132,273 bytes)

• 2017-06-07-Loki-Bot-malspam-traffic.pcap   (146,597 bytes)

• ZIP archive of the malware:  2017-06-07-Loki-Bot-malspam-and-artifacts.zip   169 kB (169,064 bytes)

• 2017-06-07-Loki-Bot-malspam-1249-UTC.eml   (17,271 bytes)
• 2017-06-07-https-paste.ee-r-CBooD-0.txt   (169,911 bytes)
• 7571BA.exe   (20,992 bytes)
• Schedule_order.doc   (14,286 bytes)
• Schedule_order.r03   (11,487 bytes)
• price_inv_2364723.vbs   (593 bytes)

 

EMAILS

Shown above:  Screen shot from the email.

 

EMAIL HEADERS:

• Date:  Wednesday 2017-06-07 at 12:49 UTC
• From:  "Besmido Lliladhar" <spurchasing@besmindo.com>
• Subject:  Re:Purchase request
• Attachment:  Schedule_order.r03   [RAR archive]

 

Shown above:  Malicious Word document in RAR archive from the malspam.

 

Shown above:  Contents of the embedded .js file from the Word document.

 

Shown above:  HTTPS request generated by the embedded .js file.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

• paste.ee - GET /r/CBooD/0   [HTTPS over port 443]
• 111.90.139.246 - deniumwears.xyz - POST /bolt/bolt.php

 

FILE HASHES

RAR ARCHIVE FROM THE EMAIL:

• SHA256 hash:  2bebe4a5acb9940a295a167aff62e81e9c11b55051450e1f8e979ff63d964071
  File name:  Schedule_order.r03
  File size:  11,487 bytes

MALICIOUS WORD DOCUMENT EXTRACTED FROM THE RAR ARCHIVE:

• SHA256 hash:  326030d71dfb77f98d37eea3498d7dadd76c5ab59bd5fe279298c184ac3e08fa
  File name:  Schedule_order.doc
  File size:  14,286 bytes

SUSPICIOUS FILE NOTED ON THE INFECTED HOST:

• SHA256 hash:  121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  File location:  C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
  File size:  20,992 bytes
  File description:  Appears to be a legitimate Microsoft file named svchost.exe

Shown above:  Updated Windows registry begs the question, "Why would a legitimate file be used in this manner?"

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-07-Loki-Bot-malspam-traffic.pcap.zip   132 kB (132,273 bytes)
• ZIP archive of the malware:  2017-06-07-Loki-Bot-malspam-and-artifacts.zip   169 kB (169,064 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.