Malware-Traffic-Analysis.net - 2017-06-29 - Kovter malspam

2017-06-29 - KOVTER MALSPAM - UPS DELIVERY THEME

ASSOCIATED FILES:

Zip archive of the pcap: 2017-06-29-Kovter-malspam-traffic.pcap.zip 7.6 MB (7,633,996 bytes)

2017-06-28-UPS-themed-Kovter-malspam-traffic.pcap (8,271,730 bytes)

2017-06-29-UPS-themed-Kovter-malspam-traffic.pcap (4,082,112 bytes)

Zip archive of the emails and malware: 2017-06-29-Kovter-malspam-and-artifacts.zip 705 kB (705,282 bytes)

2017-06-28-UPS-malspam-0038-UTC.eml (3,852 bytes)

2017-06-28-UPS-malspam-2221-UTC.eml (3,497 bytes)

2017-06-28-Kovter-sample.exe (503,434 bytes)

2017-06-29-Kovter-sample.exe (476,867 bytes)

UPS-Delivery-5874287.doc.js (1,681 bytes)

UPS-Delivery-5874287.zip (1,448 bytes)

UPS-Parcel-ID-8772984.doc.js (1,671 bytes)

UPS-Parcel-ID-8772984.zip (1,450 bytes)

EMAILS

Shown above: Screenshot from an emails (1 of 2).

Shown above: Screenshot from an emails (2 of 2).

EMAIL HEADERS:

Date: Wednesday 2017-06-28 as 00:38 UTC
From: bappidgreat@server003.webhosting24x7.net
Subject: Delivery Notification, ID 5874287
Attachment: UPS-Delivery-5874287.zip

Date: Wednesday 2017-06-28 as 22:21 UTC
From: maligin@bitrix272.timeweb.ru
Subject: Problems with item delivery, n.8772984
Attachment: UPS-Parcel-ID-8772984.zip

Shown above: Example of an extracted .js file from the attached zip archives.

TRAFFIC

Shown above: Traffic from the infection on 2017-06-28 filtered in Wireshark.

Shown above: Traffic from the infection on 2017-06-29 filtered in Wireshark.

PARTIAL URLS RECOVERED FROM THE .JS FILES:

amis-spb.ru - GET /counter [followed by long string of characters]
artdecorfashion.com - GET /counter [followed by long string of characters]
desinano.com.ar - GET /counter [followed by long string of characters]
elita5.md - GET /counter [followed by long string of characters]
goldwingclub.ru - GET /counter [followed by long string of characters]
modx.mbalet.ru - GET /counter [followed by long string of characters]
natiwa.com - GET /counter [followed by long string of characters]
perdasbasalti.it - GET /counter [followed by long string of characters]
resedaplumbing.com - GET /counter [followed by long string of characters]

POST-INFECTION TRAFFIC:

Various IP addresses and over TCP ports 80, 443, and 8080.

Shown above: Post-infeciton traffic is similar to what we've seen before with Kovter.

FILE HASHES

SHA256 HASHES FOR THE ASSOCIATED MALWARE:

f24ea3eaf788302a4af13a63cd44624edabb86d2c8b96482b0c7422fb982bb2d - UPS-Delivery-5874287.zip [email attachment]
708dbe2ac4d71502e59984aba525ae7cf2401308b9017c347d734a8e9fcc95ec - UPS-Delivery-5874287.doc.js [extracted .js file]
45489e63844a6ac3e72f2a4ba1799d99558908b3c9eea398c81a98c93af94f43 - 2017-06-28-Kovter-sample.exe [follow-up malware]

28f36adc74fd31724c24702223073efea14f9759f43b99a395df933cfe4fe9da - UPS-Parcel-ID-8772984.zip [email attachment]
76bbeb10f02697952612a83b991570070b7c1598abef3383b7f2182b9072e0da - UPS-Parcel-ID-8772984.doc.js [extracted .js file]
26b1f1df386879044711fd6aeba55d6de8590409cd47d09f2b06211199bf00f2 - 2017-06-29-Kovter-sample.exe [follow-up malware]

IMAGES

Shown above: An example of post-infection artifacts noted on the infected hosts.

Shown above: Other artifacts consistent with a Kovter infection.

Shown above: As with other Kovter infections, the associated Windows registry key cannot be viewed.

FINAL NOTES

Shown above: An error I got each time shortly after the infection.

Once again, here are the associated files:

Zip archive of the pcap: 2017-06-29-Kovter-malspam-traffic.pcap.zip 7.6 MB (7,633,996 bytes)
Zip archive of the emails and malware: 2017-06-29-Kovter-malspam-and-artifacts.zip 705 kB (705,282 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.