2017-07-03 - MORE UPS-THEMED MALSPAM PUSHING KOVTER
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap.zip 3.4 MB (3,371,870 bytes)
- 2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap (7,316,883 bytes)
- Zip archive of the emails and malware: 2017-07-03-UPS-themed-Kovter-malspam-and-artifacts.zip 359 kB (359,318 bytes)
- 2017-06-30-UPS-themed-Kovter-malspam-1557-UTC.eml (3,825 bytes)
- 2017-07-01-UPS-themed-Kovter-malspam-2003-UTC.eml (3,773 bytes)
- 2017-07-02-UPS-themed-Kovter-malspam-0930-UTC.eml (3,702 bytes)
- 2017-07-03-Kovter-sample-retrieved-by-js-file.exe (485,261 bytes)
- UPS-Label-07584276.doc.js (1,750 bytes)
- UPS-Label-07584276.zip (1,442 bytes)
- UPS-Package-06520201.doc.js (1,648 bytes)
- UPS-Package-06520201.zip (1,439 bytes)
- UPS-Package-07907895.doc.js (1,682 bytes)
- UPS-Package-07907895.zip (1,448 bytes)
RELATED BLOG POSTS:
- My Online Security - updated 2017-07-02: return of fake UPS cannot deliver malspam with an updated nemucod ransomware and Kovter payload (link)
- malware-traffic-analysis.net (this blog) - 2017-06-29: Kovter malspam - UPS delivery theme (link)
OTHERS NOTES:
- @dvk01uk (who runs My Online Security) has been seeing more stuff than I'm reporting here, like Nemucod ransomware with the Kovter. See the above link for details.
- Post-infection characteristics from my infected lab host are pretty much the same as I saw last time (see my link above).
EMAILS
EMAIL HEADERS:
- Date: Friday 2017-06-30 at 15:57 UTC
- From: networkc@server.srv2eua.com.br
- Subject: Courier was not able to deliver your parcel (ID07907895, UPS)
- Attachment: UPS-Package-07907895.zip
- Date: Saturday 2017-07-01 at 20:03 UTC
- From: anonymous@hosting-fabrika.ru
- Subject: Please recheck your delivery address (UPS parcel 06520201)
- Attachment: UPS-Package-06520201.zip
- Date: Sunday 2017-07-02 at 09:30 UTC
- From: webmaster@std-simbirsk.ru
- Subject: Parcel ID07584276 delivery problems, please review
- Attachment: UPS-Label-07584276.zip
TRAFFIC
Shown above: Traffic from an infection on 2017-07-03 using one of the extracted .js files, filtered in Wireshark.
PARTIAL URLS RECOVERED FROM THE .JS FILES:
- artdecorfashion.com - GET /counter [followed by long string of characters]
- csasesores.com.ar - GET /counter [followed by long string of characters]
- desinano.com.ar - GET /counter [followed by long string of characters]
- elita5.md - GET /counter [followed by long string of characters]
- goldwingclub.ru - GET /counter [followed by long string of characters]
- natiwa.com - GET /counter [followed by long string of characters]
- resedaplumbing.com - GET /counter [followed by long string of characters]
- singley-construction.com - GET /counter [followed by long string of characters]
- uploadmiller.miller-media.at - GET /counter [followed by long string of characters]
- vademecsa.com.ar - GET /counter [followed by long string of characters]
- vindexsa.com.ar - GET /counter [followed by long string of characters]
- winnicemoldawii.pl - GET /counter [followed by long string of characters]
- www.gloszp.pl - GET /counter [followed by long string of characters]
POST-INFECTION TRAFFIC:
- Various IP addresses and over TCP ports 80, 443, and 8080.
FILE HASHES
EMAIL ATTACHMENTS:
- SHA256 hash: de65e744295133f3c5c606d84947ce934a7562a941e29e83b675bbb66d78e7de
File name: UPS-Package-07907895.zip
- SHA256 hash: 714609929d73714ce1a45a2c17ecaf4ce94275d635858cbaea5e562e850a2a86
File name: UPS-Package-06520201.zip
- SHA256 hash: ac34b856837a8462952f8f3dcda6aead4e9333be653ae76dd08a69517c533927
File name: UPS-Label-07584276.zip (corrupt zip archive)
EXTRACTED .JS FILES:
- SHA256 hash: f577049733d77cf4abf99374741804257821c20d34f0f2986a83e1815512505f
File name: UPS-Package-07907895.doc.js
- SHA256 hash: 2d8a7a9265096a443a70ad640491d9e7063a76969e0ec7b1aec2ad8ecd4c288a
File name: UPS-Package-06520201.doc.js
- SHA256 hash: f645bed551d4188e84d5ced3239e033cc8869f754081c108de6481c32b962620
File name: UPS-Label-07584276.doc.js
KOVTER SAMPLE DOWNLOADED BY ONE OF THE .JS FILES:
- SHA256 hash: 5addc5c129282e9705b65b7156134e1c752a9ed2379a75471795c5c95e2a2110
File description: Kovter sample retrieved by one of the .js files on 2017-07-03
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-07-03-UPS-themed-Kovter-malspam-traffic.pcap.zip 3.4 MB (3,371,870 bytes)
- Zip archive of the emails and malware: 2017-07-03-UPS-themed-Kovter-malspam-and-artifacts.zip 359 kB (359,318 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.