2017-07-05 - MALWARE INFECTION FROM JAPANESE MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-07-05-malware-infection-from-Japanese-malspam.pcap.zip 207 kB (207,244 bytes)
- 2017-07-05-malware-infection-from-Japanese-malspam.pcap (315,863 bytes)
- 2017-07-05-Japanese-emails-and-malware.zip 413.4 kB (413,472 bytes)
- 2017-07-05-Japanese-malspam-0612-UTC.eml (108,941 bytes)
- 2017-07-05-Japanese-malspam-0622-UTC.eml (109,035 bytes)
- 2017-07-05-Japanese-malspam-0633-UTC.eml (108,996 bytes)
- 2017-07-05-Japanese-malspam-0654-UTC.eml (108,945 bytes)
- 2017-07-05-Japanese-malspam-0657-UTC.eml (109,054 bytes)
- 2017-07-05-Japanese-malspam-0722-UTC.eml (108,955 bytes)
- 2017-07-05-Japanese-malspam-0728-UTC.eml (108,908 bytes)
- 29459.exe (202,240 bytes)
- 7428086_2017.xls (79,872 bytes)
RELATED TWEET:
- From @tmmalanalyst - Jul-05,2017(JST) evening. MalSpam attached xls. XLS open download malware. It's considered to be #URLZone? #Bebloh? (VT link) - (link to tweet)
EMAILS
Shown above: Screenshot from one of the emails.
EMAILS GATHERED:
(Read: Date/Time -- Sending address (spoofed) -- Subject -- Attachment name)
- 2017-07-05 06:12 UTC -- cr045@ybb[.]ne[.]jp -- ご請求額 -- 0017857_2017.xls
- 2017-07-05 06:33 UTC -- okaere3@f2.dion[.]ne[.]jp -- ご請求額 -- 1794411_2017.xls
- 2017-07-05 06:54 UTC -- h_sakamoto@sepia.ocn[.]ne[.]jp -- ご請求額 -- 7038863_2017.xls
- 2017-07-05 06:57 UTC -- nakamura-masahiko@kbh.biglobe[.]ne[.]jp -- ご請求額 -- 1159287_2017.xls
- 2017-07-05 07:22 UTC -- ayanoshiotani@kfa.biglobe[.]ne[.]jp -- ご請求額 -- 5174352_2017.xls
- 2017-07-05 07:28 UTC -- m.yonezaki@live[.]jp -- ご請求額 -- 0266544_2017.xls
Shown above: One of the Excel spreadsheets.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
POST-INFECTION TRAFFIC:
- 91.239.200[.]176 port 80 - liomericka504[.]cz - GET /tr.exe - URL to retrieve follow-up binary after enabling macros in .xls file
- 46.183.166[.]84 port 80 - bifoop[.]com - GET /oko.exe - alternate URL to retrieve follow-up binary
- www.google[.]com - post-infection connectivity check
- 185.22.174[.]149 port 443 - centler[.]at - HTTPS/SSL/TLS post-infection traffic
FILE HASHES
EMAIL ATTACHMENT:
- SHA256 hash: a2602b9c94a2bdbcac75b95d4430d4cda3a79986c016ac2ef2211afb00420f24
File name: 1234567_2017.xls [7 random digits before _2017.xls]
File size: 79,872 bytes
FOLLOW-UP MALWARE:
- SHA256 hash: a7d74a1baab262eb697cd8b8c812a459b6e4265f73fa74f4c657e8d4482db7f8
File location: C:\Users\[username]\Roaming\29459.exe [random digits before .exe]
File size: 202,240 bytes
Shown above: Binary downloaded by .xls attachment.
Click here to return to the main page.