2017-06-07 - LOKI BOT MALSPAM - SUBJECT: RE:PURCHASE REQUEST
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-07-Loki-Bot-malspam-traffic.pcap.zip 132 kB (132,273 bytes)
- 2017-06-07-Loki-Bot-malspam-traffic.pcap (146,597 bytes)
- ZIP archive of the malware: 2017-06-07-Loki-Bot-malspam-and-artifacts.zip 169 kB (169,064 bytes)
- 2017-06-07-Loki-Bot-malspam-1249-UTC.eml (17,271 bytes)
- 2017-06-07-https-paste.ee-r-CBooD-0.txt (169,911 bytes)
- 7571BA.exe (20,992 bytes)
- Schedule_order.doc (14,286 bytes)
- Schedule_order.r03 (11,487 bytes)
- price_inv_2364723.vbs (593 bytes)
EMAILS
Shown above: Screen shot from the email.
EMAIL HEADERS:
- Date: Wednesday 2017-06-07 at 12:49 UTC
- From: "Besmido Lliladhar" <spurchasing@besmindo.com>
- Subject: Re:Purchase request
- Attachment: Schedule_order.r03 [RAR archive]
Shown above: Malicious Word document in RAR archive from the malspam.
Shown above: Contents of the embedded .js file from the Word document.
Shown above: HTTPS request generated by the embedded .js file.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.
ASSOCIATED DOMAINS:
- paste.ee - GET /r/CBooD/0 [HTTPS over port 443]
- 111.90.139.246 - deniumwears.xyz - POST /bolt/bolt.php
FILE HASHES
RAR ARCHIVE FROM THE EMAIL:
- SHA256 hash: 2bebe4a5acb9940a295a167aff62e81e9c11b55051450e1f8e979ff63d964071
- File name: Schedule_order.r03
- File size: 11,487 bytes
MALICIOUS WORD DOCUMENT EXTRACTED FROM THE RAR ARCHIVE:
- SHA256 hash: 326030d71dfb77f98d37eea3498d7dadd76c5ab59bd5fe279298c184ac3e08fa
- File name: Schedule_order.doc
- File size: 14,286 bytes
SUSPICIOUS FILE NOTED ON THE INFECTED HOST:
- SHA256 hash: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
- File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
- File size: 20,992 bytes
- File description: Appears to be a legitimate Microsoft file named svchost.exe
Shown above: Updated Windows registry begs the question, "Why would a legitimate file be used in this manner?"
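As an added example (not part of this report), a small Python hunt script that applies the traffic indicators from the ASSOCIATED DOMAINS section and the SHA256 values above to constructed proxy-log lines; the log format (timestamp, client IP, method, host, URI) and the sample lines are assumptions, and paste.ee hits are rated low confidence because it is a legitimate paste service.

```python
import hashlib
from typing import Dict, List

# Indicators copied from the report above (host, IP, URI path, SHA256).
HIGH_CONFIDENCE_HOSTS = {"deniumwears.xyz", "111.90.139.246"}
HIGH_CONFIDENCE_PATHS = {"/bolt/bolt.php"}
# paste.ee is a legitimate service: only the exact path from the report is meaningful.
LOW_CONFIDENCE_PATHS = {"/r/CBooD/0"}
KNOWN_SHA256 = {
    "2bebe4a5acb9940a295a167aff62e81e9c11b55051450e1f8e979ff63d964071": "Schedule_order.r03",
    "326030d71dfb77f98d37eea3498d7dadd76c5ab59bd5fe279298c184ac3e08fa": "Schedule_order.doc",
    "121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2": "7571BA.exe",
}

# Constructed sample log (assumed format: timestamp client_ip method host uri).
SAMPLE_LOG = """\
2017-06-07T12:51:02Z 192.168.1.10 GET paste.ee /r/CBooD/0
2017-06-07T12:51:40Z 192.168.1.10 POST deniumwears.xyz /bolt/bolt.php
2017-06-07T12:52:00Z 192.168.1.10 GET www.example.com /index.html
2017-06-07T12:53:11Z 192.168.1.11 GET paste.ee /r/abc123/0
2017-06-07T12:54:05Z 192.168.1.10 POST 111.90.139.246 /bolt/bolt.php
"""


def scan_http_log(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches a report indicator."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the hunt
        ts, client, method, host, uri = fields
        path = uri.split("?", 1)[0]  # ignore query strings when matching paths
        if host in HIGH_CONFIDENCE_HOSTS or path in HIGH_CONFIDENCE_PATHS:
            conf = "high"
        elif path in LOW_CONFIDENCE_PATHS:
            conf = "low"
        else:
            continue
        findings.append({"ts": ts, "client": client, "method": method,
                         "host": host, "path": path, "confidence": conf})
    return findings


def lookup_sha256(data: bytes) -> str:
    """Hash file bytes; return the report's file name on a match, else ''."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest(), "")


if __name__ == "__main__":
    for f in scan_http_log(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['ts']} {f['client']} {f['method']} {f['host']}{f['path']}")
```

The low-confidence paste.ee hit only becomes interesting when the same client also produces a high-confidence match, as it does here for 192.168.1.10.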
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-07-Loki-Bot-malspam-traffic.pcap.zip 132 kB (132,273 bytes)
- ZIP archive of the malware: 2017-06-07-Loki-Bot-malspam-and-artifacts.zip 169 kB (169,064 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.