2017-09-06 - URSNIF INFECTION FROM JAPANESE MALSPAM

NOTICE:

ASSOCIATED FILES:

  • 2017-09-06-Ursnif-infection-traffic.pcap   (4,073,396 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0700-UTC.eml   (72,052 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0707-UTC.eml   (71,931 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0709-UTC.eml   (72,040 bytes)
  • 2017-09-06-Japanese-malspam-for-Ursnif-0711-UTC.eml   (71,970 bytes)
  • 2017-09-06-malicious-spreadsheet-macro.txt   (3,241 bytes)
  • 2017-09-06-malicious-spreadsheet.xls   (51,712 bytes)
  • 2017-09-06-Ursnif.exe   (562,688 bytes)

RELATED TWEET:

EMAILS


Shown above:  Screenshot from one of the emails.

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject)

Shown above:  One of the Excel spreadsheets.

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

ASSOCIATED DOMAINS:

FILE HASHES

EMAIL ATTACHMENT:

FOLLOW-UP URSNIF MALWARE:
