2017-07-03 - MORE UPS-THEMED MALSPAM PUSHING KOVTER

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap.zip   3.4 MB (3,371,870 bytes)

• 2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap   (7,316,883 bytes)

• Zip archive of the emails and malware:  2017-07-03-UPS-themed-Kovter-malspam-and-artifacts.zip   359 kB (359,318 bytes)

• 2017-06-30-UPS-themed-Kovter-malspam-1557-UTC.eml   (3,825 bytes)
• 2017-07-01-UPS-themed-Kovter-malspam-2003-UTC.eml   (3,773 bytes)
• 2017-07-02-UPS-themed-Kovter-malspam-0930-UTC.eml   (3,702 bytes)
• 2017-07-03-Kovter-sample-retrieved-by-js-file.exe   (485,261 bytes)
• UPS-Label-07584276.doc.js   (1,750 bytes)
• UPS-Label-07584276.zip   (1,442 bytes)
• UPS-Package-06520201.doc.js   (1,648 bytes)
• UPS-Package-06520201.zip   (1,439 bytes)
• UPS-Package-07907895.doc.js   (1,682 bytes)
• UPS-Package-07907895.zip   (1,448 bytes)

RELATED BLOG POSTS:

• My Online Security - updated 2017-07-02: return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload   (link)
• malware-traffic-analysis.net (this blog) - 2017-06-29: Kovter malspam - UPS delivery theme   (link)

OTHERS NOTES:

• @dvk01uk (who runs My Online Security) has been seeing more stuff than I'm reporting here, like Nemucod ransomware with the Kovter.  See the above link for details.
• Post-infection characteristics from my infected lab host are pretty much the same as I saw last time (see my link above).

 

EMAILS

EMAIL HEADERS:

• Date:  Friday 2017-06-30 at 15:57 UTC
• From:  networkc@server.srv2eua.com.br
• Subject:  Courier was not able to deliver your parcel (ID07907895, UPS)
• Attachment:  UPS-Package-07907895.zip

• Date:  Saturday 2017-07-01 at 20:03 UTC
• From:  anonymous@hosting-fabrika.ru
• Subject:  Please recheck your delivery address (UPS parcel 06520201)
• Attachment:  UPS-Package-06520201.zip

• Date:  Sunday 2017-07-02 at 09:30 UTC
• From:  webmaster@std-simbirsk.ru
• Subject:  Parcel ID07584276 delivery problems, please review
• Attachment:  UPS-Label-07584276.zip

 

TRAFFIC

Shown above:  Traffic from an infection on 2017-07-03 using one of the extracted .js files, filtered in Wireshark.

 

PARTIAL URLS RECOVERED FROM THE .JS FILES:

• artdecorfashion.com - GET /counter [followed by long string of characters]
• csasesores.com.ar - GET /counter [followed by long string of characters]
• desinano.com.ar - GET /counter [followed by long string of characters]
• elita5.md - GET /counter [followed by long string of characters]
• goldwingclub.ru - GET /counter [followed by long string of characters]
• natiwa.com - GET /counter [followed by long string of characters]
• resedaplumbing.com - GET /counter [followed by long string of characters]
• singley-construction.com - GET /counter [followed by long string of characters]
• uploadmiller.miller-media.at - GET /counter [followed by long string of characters]
• vademecsa.com.ar - GET /counter [followed by long string of characters]
• vindexsa.com.ar - GET /counter [followed by long string of characters]
• winnicemoldawii.pl - GET /counter [followed by long string of characters]
• www.gloszp.pl - GET /counter [followed by long string of characters]

POST-INFECTION TRAFFIC:

• Various IP addresses and over TCP ports 80, 443, and 8080.

 

FILE HASHES

EMAIL ATTACHMENTS:

• SHA256 hash:  de65e744295133f3c5c606d84947ce934a7562a941e29e83b675bbb66d78e7de
  File name:  UPS-Package-07907895.zip

• SHA256 hash:  714609929d73714ce1a45a2c17ecaf4ce94275d635858cbaea5e562e850a2a86
  File name:  UPS-Package-06520201.zip

• SHA256 hash:  ac34b856837a8462952f8f3dcda6aead4e9333be653ae76dd08a69517c533927
  File name:  UPS-Label-07584276.zip (corrupt zip archive)

EXTRACTED .JS FILES:

• SHA256 hash:  f577049733d77cf4abf99374741804257821c20d34f0f2986a83e1815512505f
  File name:  UPS-Package-07907895.doc.js

• SHA256 hash:  2d8a7a9265096a443a70ad640491d9e7063a76969e0ec7b1aec2ad8ecd4c288a
  File name:  UPS-Package-06520201.doc.js

• SHA256 hash:  f645bed551d4188e84d5ced3239e033cc8869f754081c108de6481c32b962620
  File name:  UPS-Label-07584276.doc.js

KOVTER SAMPLE DOWNLOADED BY ONE OF THE .JS FILES:

• SHA256 hash:  5addc5c129282e9705b65b7156134e1c752a9ed2379a75471795c5c95e2a2110
  File description:  Kovter sample retrieved by one of the .js files on 2017-07-03

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap.zip   3.4 MB (3,371,870 bytes)
• Zip archive of the emails and malware:  2017-07-03-UPS-themed-Kovter-malspam-and-artifacts.zip   359 kB (359,318 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.