2017-06-16 - BOLETO MALSPAM

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-06-16-Boleto-malspam-pcaps.zip   3.4 MB (3,392,840 bytes)

• 2017-06-16-Boleto-malspam-link-from-PDF-attachment.pcap   (19,376 bytes)
• 2017-06-16-Boleto-malspam-link-from-email-full-infection.pcap   (3,974,698 bytes)

• Zip archive of the email, artifacts, and the associated CSV spreadsheet:  2017-06-16-Boleto-malspam-email-artifacts-etc.zip   4.9 MB (4,894,142 bytes)

• 16062017329800998812303133716062017.pdf   (46,862 bytes)
• 1606201732980099881230313371606201722085.vbs   (2,724 bytes)
• 2017-06-16-0830-UTC-Boleto-malspam.eml   (65,354 bytes)
• 2017-06-16-Boleto-malspam-artifacts-information.csv   (1,820 bytes)
• Ionic.Zip.Reduced.dll   (253,440 bytes)
• JAGGER-PC.aes   (16 bytes)
• JAGGER-PC.zip   (3,281,415 bytes)
• JAGGER-PCx.ocx   (384 bytes)
• SYSJAGGERPC53.xml   (3,366 bytes)
• c.cer   (905 bytes)
• crov.exe   (1,690,096 bytes)
• dll.dll.exe   (396,480 bytes)
• dzfftfff.0li.vbs   (114 bytes)
• eddfxv0i.ptn.vbs   (130 bytes)
• ps.exe   (452,608 bytes)

NOTES:

• It's been a while since I last documented this campaign back in January 2017 (link) and September 2016 before that (link).
• Unlike the emails I saw last year, there's now a PDF attachment included.
• The PDF attachment has a different link than the email, but they both redirect to the same bit.ly URL to send the same malware.
• Most of the artifacts found on the infected host are not inherently malicious.  It's just the way they're being used.

 

EMAIL

Shown above:  Screenshot of the email.

 

EMAIL HEADERS:

• Sending mail server:  gruporecovery.ltda
• From:  Boleto MICK <sender@gruporecovery.ltda>
• Subject:  Envio de Boleto - URGENTE - RECOVERY
• Message-ID:  <20170616090038.A45276667E@gruporecovery.ltda>
• Date: Fri, 16 Jun 2017 08:30:50 UTC
• Attachment name:  16062017329800998812303133716062017.pdf
• Link from the message:  5W9u7NP1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l.top/3LSVdZ.php?3LSVdZ=5W9u7NP1MICK

 

ATTACHMENT

Shown above:  PDF attachment has a different link than the email.

 

Shown above:  However, it redirects to the same bit.ly and gfonseca.sslblindado.com URLs as the link from the email.

 

Shown above:  The downloaded VBS file.

 

TRAFFIC

Shown above:  Traffic from link in the PDF file, filtered in Wireshark (stopped after grabbing the .vbs file).

 

Shown above:  Traffic from link in the email message text, filtered in Wireshark (full infection).

 

ASSOCIATED DOMAINS:

• 65.181.127.152 port 80 - 5w9u7np1.i7o8e15brw3eed5jabzl9hu3zuxx1o8l.top - GET /3LSVdZ.php?3LSVdZ=5W9u7NP1MICK - link from email
• 65.181.127.152 port 80 - view.4tqgbgond2m7tbeo73jlvcd0vfkao7qm.pw - GET /16062017329800998812303133716062017.pdf - link from PDF attchment

• bit.ly - GET /2rxQGdd   [HTTPS] - redirects to gfonseca.sslblindado.com URL
• gfonseca.sslblindado.com - GET /mx/controls/sender/   [HTTPS] - returns VBS file

• 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/x
• 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/aw7.tiff
• 65.181.112.252 port 80 - www.petr4.in - GET /avs/index.php?[string of characters]
• 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/W7.zip
• 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/dll.dll
• 65.181.122.158 port 80 - 65.181.122.158 - GET /goodidea53/dll.dll.exe
• 65.181.112.252 port 80 - www.petr4.in - GET /avs/logs/index.php?[string of characters]
• 65.181.112.252 port 80 - www.petr4.in - GET /boaideia/index.php?[string of characters]
• 54.232.207.222 port 443 - ssl.suzukiburgman.top - unencrypted IRC traffic
• 158.69.99.214 port 80 - log.suzukiburgman.top - POST /mestre/admin/x.php
• 158.69.99.214 port 80 - log.suzukiburgman.top - POST /mestre/campaign/index.php?ACAO=PUSH

• imestre.suzukiburgman.top - Response 65.181.112.252 - no follow-up TCP traffic using this domain name
• 169.57.146.90 port 7094 - Attempted TCP connections but no response from the server

 

MALWARE

PDF ATTACHMENT:

• SHA256 hash:  4339c20a1a68871f7927fdc4628675da08018a8c6d9f57a02c56410aeb593d91
  File size:  46n862 bytes
  File name:  16062017329800998812303133716062017.pdf

DOWNLOADED VBS FILE:

• SHA256 hash:  2c96b9df6c0a4974f021ac5d8a4ffc9a5224220eaf9aa8d98cdb1d8eb60ad777
  File size:  2,724 bytes
  File name:  1606201732980099881230313371606201722085.vbs

 

IMAGES

Shown above:  Unecrypted IRC traffic noted on ssl.suzukiburgman.top (54.232.207.222 port 443).

 

Shown above:  Attempted TCP connections on 169.57.146.90 port 7094, but no response from the server.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-06-16-Boleto-malspam-pcaps.zip   3.4 MB (3,392,840 bytes)
• Zip archive of the email, artifacts, and the associated CSV spreadsheet:  2017-06-16-Boleto-malspam-email-artifacts-etc.zip   4.9 MB (4,894,142 bytes)

Zip files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.