Malware-Traffic-Analysis.net - 2017-06-14

2017-06-14 - TRICKBOT INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

TWEETS ABOUT TODAY'S #TRICKBOT ACTIVITY:

OTHER NOTES:

The first wave used PDF attachments with embedded .xlsm spreadsheets containing macros.
Emails from the next wave had no subject, no message text, and ZIP attachments containing EXE files that had already been used the previous week.
This blog post does not provide any copies of the emails or Trickbot malware from the second wave, since it is old malware.

Shown above: An example of the emails.

8 EXAMPLES FROM THE FIRST WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .XLSM FILE

2017-06-14 09:19:20 UTC -- "Kris" <Kris.waterton@ncacademy[.]co[.]uk> -- Emailing: 75064761 -- 75064761.PDF -- 0000850979953.xlsm
2017-06-14 09:23:49 UTC -- "Stacie" <Stacie.hastings@andyrh.globalnet[.]co[.]uk> -- Emailing: 364358435 -- 364358435.PDF -- 0000255379449.xlsm
2017-06-14 09:24:08 UTC -- "Wilfredo" <Wilfredo.burns@caterpillarparties[.]co[.]uk> -- Emailing: 855177611 -- 855177611.PDF -- 0000821029184.xlsm
2017-06-14 09:25:06 UTC -- "Ora" <Ora.battle@macrosave[.]co[.]uk> -- Emailing: 010516440 -- 010516440.PDF -- 0000370369406.xlsm
2017-06-14 10:10:08 UTC -- "Seymour" <Seymour.grundy@g0slh.worldonline[.]co[.]uk> -- Emailing: 03049302 -- 03049302.PDF -- 0000896782173.xlsm
2017-06-14 10:11:14 UTC -- "Antony" <Antony.morley@leighcommunitytrust[.]co[.]uk> -- Emailing: 512339633 -- 512339633.PDF -- 0000806624686.xlsm
2017-06-14 10:12:25 UTC -- "Derick" <Derick.holloway@hutsby[.]co[.]uk> -- Emailing: 93122911 -- 93122911.PDF -- 000020640652.xlsm
2017-06-14 10:13:37 UTC -- "Ophelia" <Ophelia.cowie@conundra[.]co[.]uk> -- Emailing: 897791635 -- 897791635.PDF -- 0000145510097.xlsm

4 EXAMPLES FROM THE NEXT WAVE:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (ZIP) -- EXTRACTED .EXE FILE

2017-06-14 12:25:35 UTC -- Susie <Susie@katheteriseren[.]nl> -- [no subject] -- img_1903.zip -- IMG_4892.exe
2017-06-14 12:47:16 UTC -- Pamela <Pamela@d-amelia[.]com> -- [no subject] -- img_3246.zip -- IMG_4892.exe
2017-06-14 13:14:03 UTC -- Etta <Etta@nodejobs[.]com> -- [no subject] -- img_5603.zip -- IMG_4892.exe
2017-06-14 13:33:52 UTC -- Rosalie <Rosalie@CMETravelResources[.]com> -- [no subject] -- img_8872.zip -- IMG_4892.exe

Shown above: An example of the PDF files attached to the malspam.

Shown above: An example of the embedded Excel spreadsheets seen when opening the PDF files.

SHA256 HASHES FOR THE PDF ATTACHMENTS:

0b0aeccdb275ad0477836d7ea9ba827af765dcba67a48742e871fae1c9043f9e - 512339633.PDF
443765dd952be1dca6b33ca8f1914b25b243f4f44f3fb6173e77fd225dd5126e - 897791635.PDF
58d3013f2712d5f20403441a270edf46a94b7e47e16d6859bd3cdd16954e3219 - 93122911.PDF
59a758567b264d674ce0dd0aa9b3d70218bd3740b68d65428695c1e55f7d4205 - 03049302.PDF
7d9dc623befec47ad98e760109dcc16a26a3b8eba2d8455e5a163699e0ca1ce2 - 75064761.PDF
d6fd3a6396d96cd3932c0c2e20878175612e95ab9933f17fd95fc80cbd40b7c6 - 010516440.PDF
d7d7a0c220a5877cf21712a0e672d277d092ccf22f9a9df55161aa245615d7a8 - 855177611.PDF
e7890a3765ba8900fb75243845477575b27d5d2fb738b2dea91ed413aa86b221 - 364358435.PDF

SHA256 HASHES FOR THE EXTRACTED .XLSM FILES:

04fda74df457a0f5bc311823d0ba80f4a1742a2722ff19617a67b672e33b6927 - 0000255379449.xlsm
314d13fdb3ebc1836b39c7cbcbb2106f9023040d99d72f353a3bfcd2dcac83f0 - 000020640652.xlsm
38650bc9607386a1e54b63c6d5a18f65da184cb93586803347f82b563d163a71 - 0000370369406.xlsm
4ebe0627e66c6c3f02f599fdbcc00418cb7add2205157383ed7177859142cd3e - 0000145510097.xlsm
4f9d90fc3ba8bfe49bdcbf6b5c444c6801d9f9514d1e0490ba1b2bac26fcac2d - 0000850979953.xlsm
6413b501d3b464b94f896e9dd34458b8e2a7bb95703c4915aae660ec619a0661 - 0000821029184.xlsm
abc4555ad061e1aaefb96c57c68089f59e524ca14d2e762588c83dc38c278ebb - 0000896782173.xlsm
b8e4524202afd14538bda968f45b15a1e06b056972068b3c0b0865794426ea6e - 0000806624686.xlsm

MALWARE RETRIEVED FROM INFECTED HOST:

SHA256 hash: 1ee95d04939a30d43c45b0a26eb175cb87c862690078645336e9e437cc668452
File size: 342,016 bytes
File location: C:\Users\[uysername]\AppData\Local\Temp\fungedsp8.exe
File description: Windows EXE for Trickbot

URLS FROM THE EXCEL MACROS FILES TO DOWNLOAD TRICKBOT:

TRICKBOT POST-INFECTION TRAFFIC:

port 80 - wtfismyip[.]com - GET /text - IP address check
186.103.161[.]204 port 443 - encrypted post-infection traffic
195.69.196[.]77 port 447 - encrypted post-infection traffic
94.140.121[.]174 port 443 - attempted TCP connections, but no response from the server

Shown above: Traffic from the infection filtered in Wireshark.

Shown above: Certificate data from traffic to 186.103.161[.]204 port 443.

Shown above: Certificate data from traffic to 195.69.196[.]77 port 447.

Shown above: Malware copies itself and does a ROT1 on the filename (minus the .exe file extension).

Click here to return to the main page.