2017-06-12 - MALSPAM - SUBJECT: CONFIRMATION REQUIRED
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-06-12-payment-malspam-traffic.pcap.zip 600 kB (600,090 bytes)
- 2017-06-12-payment-malspam-traffic.pcap (712,789 bytes)
- ZIP archive of the malware: 2017-06-12-payment-malspam-and-artifacts.zip 904 kB (903,735 bytes)
- 2017-06-12-payment-malspam.eml (253,322 bytes)
- Payment2017.doc (180,224 bytes)
- javs.exe (661,480 bytes)
EMAILS
Shown above: Screen shot from the email.
EMAIL HEADERS:
- Date: Monday 2017-06-12 at 07:43 UTC
- From: Customer Service Pixel <cspixel@lyto.mobi>
- Subject: Confirmation Required
- Attachment: Payment2017.doc
Shown above: Malicious Word document from the malspam.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 192.185.41.237 port 80 - weekendnerd.com - GET /supredo.exe [HTTP request for malware binary after enabling macros on the Word document]
- whatismyipaddress.com - Post-infection location check
- port 587 - smtp.mail.com - Email sent from the infected host via SMTP TLS (encrypted)
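Added example (not part of the original write-up): a small Python correlation that flags a host whose logs show all three stages described above in order, an HTTP download of an .exe, a whatismyipaddress.com check, then outbound SMTP submission on port 587. The log lines and hostnames (ws-12, ws-07, ws-03) are constructed for the example, not taken from the pcap, and the log format is an assumption.

```python
"""Correlate the three-stage infection pattern from this malspam sample over constructed logs."""
from collections import defaultdict

# Constructed sample log lines (not from the page's pcap). Fields:
# timestamp, src_host, dst_port, dst_host, detail
SAMPLE_LOG = """\
2017-06-12T07:50:01Z ws-12 80 weekendnerd.com GET /supredo.exe
2017-06-12T07:50:09Z ws-12 80 whatismyipaddress.com GET /
2017-06-12T07:50:15Z ws-12 587 smtp.mail.com TLS
2017-06-12T07:51:00Z ws-07 80 whatismyipaddress.com GET /
2017-06-12T07:52:00Z ws-03 443 update.example.test GET /patch.exe
2017-06-12T07:53:00Z ws-03 587 smtp.example.test TLS
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, host, port, dst, *rest = line.split()
    return {"ts": ts, "host": host, "port": int(port), "dst": dst, "detail": " ".join(rest)}

def stage_of(ev):
    """Map one event to an infection-chain stage, or None if it matches none."""
    if ev["detail"].startswith("GET ") and ev["detail"].lower().endswith(".exe"):
        return "exe_download"          # binary fetched after macros are enabled
    if ev["dst"] == "whatismyipaddress.com":
        return "location_check"        # post-infection location check
    if ev["port"] == 587:
        return "smtp_submission"       # data sent out via SMTP TLS
    return None

def find_infected_hosts(log_text):
    """Return hosts whose events contain all three stages in chain order."""
    order = ["exe_download", "location_check", "smtp_submission"]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].append(stage)
    flagged = []
    for host, stages in seen.items():
        idx = 0
        for stage in stages:
            if stage == order[idx]:
                idx += 1
                if idx == len(order):
                    flagged.append(host)
                    break
    return sorted(flagged)

if __name__ == "__main__":
    print(find_infected_hosts(SAMPLE_LOG))  # ['ws-12']
```

A host that shows only one or two stages (ws-07, ws-03) is not flagged, which keeps the rule from firing on ordinary .exe downloads or legitimate mail clients alone.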
FILE HASHES
WORD DOCUMENT FROM THE EMAIL:
- SHA256 hash: 1ad96e21f18c6c337e75d05d632ea020e409921784249a919f945056d30b1e0c
- File size: 180,224 bytes
- File name: Payment2017.doc
FOLLOW-UP MALWARE (PREDATOR PAIN):
- SHA256 hash: f5f915bab2da6d58e9c07823cd89594f631425a041cd2e642b5f1a64ca23203e
- File size: 661,480 bytes
- HTTP request: weekendnerd.com/supredo.exe
- Location on the infected Windows host: C:\Users\[username]\AppData\Roaming\Cpudlls.exe
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-06-12-payment-malspam-traffic.pcap.zip 600 kB (600,090 bytes)
- ZIP archive of the malware: 2017-06-12-payment-malspam-and-artifacts.zip 904 kB (903,735 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.