2017-06-12 - MALSPAM - SUBJECT: CONFIRMATION REQUIRED

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-06-12-payment-malspam-traffic.pcap.zip   600 kB (600,090 bytes)

• 2017-06-12-payment-malspam-traffic.pcap   (712,789 bytes)

• ZIP archive of the malware:  2017-06-12-payment-malspam-and-artifacts.zip   904 kB (903,735 bytes)

• 2017-06-12-payment-malspam.eml   (253,322 bytes)
• Payment2017.doc   (180,224 bytes)
• javs.exe   (661,480 bytes)

 

EMAILS

Shown above:  Screen shot from the email.

 

EMAIL HEADERS:

• Date:  Monday 2017-06-12 at 07:43 UTC
• From:  Customer Service Pixel <cspixel@lyto.mobi>
• Subject:  Confirmation Required
• Attachment:  Payment2017.doc

 

Shown above:  Malicious Word document from the malspam.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 192.185.41.237 port 80 - weekendnerd.com - GET /supredo.exe     [HTTP request for malware binary after enabling macros on the Word document]
• whatismyipaddress.com - Post-infection location check
• port 587 - smtp.mail.com - Email sent from the infected host via SMTP TLS (encrypted)

 

FILE HASHES

WORD DOCUMENT FROM THE EMAIL:

• SHA256 hash:  1ad96e21f18c6c337e75d05d632ea020e409921784249a919f945056d30b1e0c
  File size:  180,224 bytes
  File name:  Payment2017.doc

FOLLOW-UP MALWARE (PREDATOR PAIN):

• SHA256 hash:  f5f915bab2da6d58e9c07823cd89594f631425a041cd2e642b5f1a64ca23203e
  File size:  661,480 bytes
  HTTP request:  weekendnerd.com/supredo.exe
  Location on the infected Windows host:  C:\Users\[username]\AppData\Roaming\Cpudlls.exe

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-06-12-payment-malspam-traffic.pcap.zip   600 kB (600,090 bytes)
• ZIP archive of the malware:  2017-06-12-payment-malspam-and-artifacts.zip   904 kB (903,735 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.