2017-06-16 - BOLETO MALSPAM
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-06-16-Boleto-malspam-pcaps.zip 3.4 MB (3,392,840 bytes)
- 2017-06-16-Boleto-malspam-link-from-PDF-attachment.pcap (19,376 bytes)
- 2017-06-16-Boleto-malspam-link-from-email-full-infection.pcap (3,974,698 bytes)
- Zip archive of the email, artifacts, and the associated CSV spreadsheet: 2017-06-16-Boleto-malspam-email-artifacts-etc.zip 4.9 MB (4,894,142 bytes)
- 16062017329800998812303133716062017.pdf (46,862 bytes)
- 1606201732980099881230313371606201722085.vbs (2,724 bytes)
- 2017-06-16-0830-UTC-Boleto-malspam.eml (65,354 bytes)
- 2017-06-16-Boleto-malspam-artifacts-information.csv (1,820 bytes)
- Ionic.Zip.Reduced.dll (253,440 bytes)
- JAGGER-PC.aes (16 bytes)
- JAGGER-PC.zip (3,281,415 bytes)
- JAGGER-PCx.ocx (384 bytes)
- SYSJAGGERPC53.xml (3,366 bytes)
- c.cer (905 bytes)
- crov.exe (1,690,096 bytes)
- dll.dll.exe (396,480 bytes)
- dzfftfff.0li.vbs (114 bytes)
- eddfxv0i.ptn.vbs (130 bytes)
- ps.exe (452,608 bytes)
NOTES:
- It's been a while since I last documented this campaign back in January 2017 (link) and September 2016 before that (link).
- Unlike the emails I saw last year, there's now a PDF attachment included.
- The PDF attachment has a different link than the email, but they both redirect to the same bit.ly URL to send the same malware.
- Most of the artifacts found on the infected host are not inherently malicious. It's just the way they're being used.
Shown above: Screenshot of the email.
EMAIL HEADERS:
- Sending mail server: gruporecovery.ltda
- From: Boleto MICK <sender@gruporecovery.ltda>
- Subject: Envio de Boleto - URGENTE - RECOVERY
- Message-ID: <20170616090038.A45276667E@gruporecovery.ltda>
- Date: Fri, 16 Jun 2017 08:30:50 UTC
- Attachment name: 16062017329800998812303133716062017.pdf
- Link from the message: 5W9u7NP1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l.top/3LSVdZ.php?3LSVdZ=5W9u7NP1MICK
ATTACHMENT
Shown above: PDF attachment has a different link than the email.
Shown above: However, it redirects to the same bit.ly and gfonseca.sslblindado.com URLs as the link from the email.
Shown above: The downloaded VBS file.
TRAFFIC
Shown above: Traffic from link in the PDF file, filtered in Wireshark (stopped after grabbing the .vbs file).
Shown above: Traffic from link in the email message text, filtered in Wireshark (full infection).
ASSOCIATED DOMAINS:
- 65.181.127.152 port 80 - 5w9u7np1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l.top - GET /3LSVdZ.php?3LSVdZ=5W9u7NP1MICK - link from email
- 65.181.127.152 port 80 - view.4tqgbgond2m7tbeo73jlvcd0vfkao7qm.pw - GET /16062017329800998812303133716062017.pdf - link from PDF attchment
- bit.ly - GET /2rxQGdd [HTTPS] - redirects to gfonseca.sslblindado.com URL
- gfonseca.sslblindado.com - GET /mx/controls/sender/ [HTTPS] - returns VBS file
- 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/x
- 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/aw7.tiff
- 65.181.112.252 port 80 - www.petr4.in - GET /avs/index.php?[string of characters]
- 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/W7.zip
- 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/dll.dll
- 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/dll.dll.exe
- 65.181.112.252 port 80 - www.petr4.in - GET /avs/logs/index.php?[string of characters]
- 65.181.112.252 port 80 - www.petr4.in - GET /boaideia/index.php?[string of characters]
- 54.232.207.222 port 443 - ssl.suzukiburgman.top - unencrypted IRC traffic
- 158.69.99.214 port 80 - log.suzukiburgman.top - POST /mestre/admin/x.php
- 158.69.99.214 port 80 - log.suzukiburgman.top - POST /mestre/campaign/index.php?ACAO=PUSH
- imestre.suzukiburgman.top - Response 65.181.112.252 - no follow-up TCP traffic using this domain name
- 169.57.146.90 port 7094 - Attempted TCP connections but no response from the server
MALWARE
PDF ATTACHMENT:
- SHA256 hash: 4339c20a1a68871f7927fdc4628675da08018a8c6d9f57a02c56410aeb593d91
File size: 46n862 bytes
File name: 16062017329800998812303133716062017.pdf
DOWNLOADED VBS FILE:
- SHA256 hash: 2c96b9df6c0a4974f021ac5d8a4ffc9a5224220eaf9aa8d98cdb1d8eb60ad777
File size: 2,724 bytes
File name: 1606201732980099881230313371606201722085.vbs
IMAGES
Shown above: Unecrypted IRC traffic noted on ssl.suzukiburgman.top (54.232.207.222 port 443).
Shown above: Attempted TCP connections on 169.57.146.90 port 7094, but no response from the server.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2017-06-16-Boleto-malspam-pcaps.zip 3.4 MB (3,392,840 bytes)
- Zip archive of the email, artifacts, and the associated CSV spreadsheet: 2017-06-16-Boleto-malspam-email-artifacts-etc.zip 4.9 MB (4,894,142 bytes)
Zip files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.