2017-06-29 - KOVTER INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-06-28-Kovter-infection-traffic.pcap   (8,271,730 bytes)
  • 2017-06-29-Kovter-infection-traffic.pcap   (4,082,112 bytes)
  • 2017-06-28-UPS-malspam-0038-UTC.eml   (3,852 bytes)
  • 2017-06-28-UPS-malspam-2221-UTC.eml   (3,497 bytes)
  • 2017-06-28-Kovter-sample.exe   (503,434 bytes)
  • 2017-06-29-Kovter-sample.exe   (476,867 bytes)
  • UPS-Delivery-5874287.doc.js   (1,681 bytes)
  • UPS-Delivery-5874287.zip   (1,448 bytes)
  • UPS-Parcel-ID-8772984.doc.js   (1,671 bytes)
  • UPS-Parcel-ID-8772984.zip   (1,450 bytes)

 

EMAILS


Shown above:  Screenshot of one of the emails (1 of 2).

 


Shown above:  Screenshot of one of the emails (2 of 2).

 

EMAIL HEADERS:

 


Shown above:  Example of a .js file extracted from one of the attached zip archives.  Note the .doc.js double extension: on a Windows host that hides known file extensions, the attachment displays as a .doc file.

 

TRAFFIC


Shown above:  Traffic from the infection on 2017-06-28 filtered in Wireshark.

 


Shown above:  Traffic from the infection on 2017-06-29 filtered in Wireshark.

 

PARTIAL URLS RECOVERED FROM THE .JS FILES:

POST-INFECTION TRAFFIC:


Shown above:  Post-infection traffic is similar to what we've seen before with Kovter.

 

FILE HASHES

SHA256 HASHES FOR THE ASSOCIATED MALWARE:
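The two triage steps above (recovering partial URLs from the .js droppers and hashing the associated files) can be scripted so the attachments are never executed.  The following is an added example and not code from the original page: it builds a constructed zip in memory that imitates a UPS-themed .doc.js attachment, extracts the script, reassembles URLs that the script splits across string literals, and reports SHA256 hashes.  The script body, hostnames (example-a.invalid, example-b.invalid) and member name are constructed stand-ins, not the real samples.

```python
"""Triage helper for a Kovter-style malspam sample set.
Added example, not from the original page; all inputs below are constructed."""
import hashlib
import io
import re
import zipfile

# Constructed stand-in for an obfuscated .doc.js dropper. It only imitates the
# string-splitting pattern; the hostnames and paths are hypothetical.
FAKE_JS = r'''
var a = "ht" + "tp://" + "example-a.invalid" + "/cou" + "nter/?a=1";
var b = 'http://' + 'example-b.invalid' + '/upd.php';
var w = new ActiveXObject("WScript.Shell");
'''


def build_sample_zip(js_name="sample.doc.js", js=FAKE_JS):
    """Return the bytes of a zip holding one .js member (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(js_name, js)
    return buf.getvalue()


def extract_js(zip_bytes):
    """Yield (name, content) for every .js member without executing it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".js"):
                yield info.filename, zf.read(info)


# Double- or single-quoted JS string literal, honouring backslash escapes.
STRING_LITERAL = re.compile(r"\"((?:[^\"\\]|\\.)*)\"|'((?:[^'\\]|\\.)*)'")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def joined_literal_lines(js_text):
    """For each source line, concatenate its string literals in order.
    Droppers often split a URL across literals joined with '+'; joining
    per line puts the fragments back together in reading order."""
    out = []
    for line in js_text.splitlines():
        parts = [m.group(1) if m.group(1) is not None else m.group(2)
                 for m in STRING_LITERAL.finditer(line)]
        if parts:
            out.append("".join(parts))
    return out


def recover_urls(js_text):
    """Return URLs found either verbatim or reassembled from split literals."""
    found = []
    for candidate in joined_literal_lines(js_text) + [js_text]:
        for m in URL_RE.finditer(candidate):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(zip_bytes):
    """Hash the archive and each extracted script, and list recovered URLs."""
    report = {"zip_sha256": sha256_hex(zip_bytes), "scripts": []}
    for name, data in extract_js(zip_bytes):
        report["scripts"].append({
            "name": name,
            "sha256": sha256_hex(data),
            "urls": recover_urls(data.decode("utf-8", errors="replace")),
        })
    return report


if __name__ == "__main__":
    result = triage(build_sample_zip())
    print("zip sha256:", result["zip_sha256"])
    for script in result["scripts"]:
        print(script["name"], script["sha256"])
        for url in script["urls"]:
            print("  ", url)
```

To run this against the real attachments, pass the bytes of each zip to triage() instead of build_sample_zip(); the per-line joining is a heuristic, so a dropper that assembles its URL across several lines or through decoding routines will still need manual review of the literals it prints.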

 

IMAGES


Shown above:  An example of post-infection artifacts noted on the infected hosts.

 


Shown above:  Other artifacts consistent with a Kovter infection.

 


Shown above:  As with other Kovter infections, the associated Windows registry key cannot be viewed.

 


Shown above:  An error I got each time shortly after the infection.

 
