2017-09-06 - JAPANESE MALSPAM PUSHING URSNIF

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-09-06-Japanese-malspam-pushing-Ursnif-traffic.pcap.zip   3.8 MB (3,781,666 bytes)

• 2017-09-06-Japanese-malspam-pushing-Ursnif-traffic.pcap   (4,073,396 bytes)

• Zip archive of the malware:  2017-09-06-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip   580 kB (580,265 bytes)

• 2017-09-06-Japanese-Ursnif-spreadsheet-macro.txt   (3,241 bytes)
• 2017-09-06-Japanese-malspam-attachment.xls   (51,712 bytes)
• 2017-09-06-Japanese-malspam-for-Ursnif-0700-UTC.eml   (72,052 bytes)
• 2017-09-06-Japanese-malspam-for-Ursnif-0707-UTC.eml   (71,931 bytes)
• 2017-09-06-Japanese-malspam-for-Ursnif-0709-UTC.eml   (72,040 bytes)
• 2017-09-06-Japanese-malspam-for-Ursnif-0711-UTC.eml   (71,970 bytes)
• 2017-09-06-followup-Ursnif-binary.exe   (562,688 bytes)

 

RELATED TWEET:

• From @tmmalanalyst - Sep-06,2017(JST). Japanese MalSpam attached xls. Macro enabled infects #Ursnif #Malware. Leads xls file VT: (VT link) - (link to tweet)

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAILS GATHERED:

(Read: Date/Time -- Sending address (spoofed) -- Subject)

• 2017-09-06 07:00 UTC -- mina-a-yu.yoshi2t@jupiter.jcom.co.jp -- 399104 【公共料金請求書データ送付の件】
• 2017-09-06 07:07 UTC -- nckei4@ksf.biglobe.ne.jp -- 090646 【公共料金請求書データ送付の件】
• 2017-09-06 07:09 UTC -- yamada.masuo@green.ocn.ne.jp -- 018648 【公共料金請求書データ送付の件】
• 2017-09-06 07:11 UTC -- ntakuya.nakauchi@lagoon.ocn.ne.jp -- 428247 【公共料金請求書データ送付の件】

 

Shown above:  One of the Excel spreadsheets.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

• 185.115.140.143 port 80 - berurn.com - GET /videos.exe
• 188.190.7.128 port 80 - analyticstat.online - GET /t32.bin
• curlmyip.net - GET /
• 149.202.132.130 port 80 - sl.nortup.com - GET /images/[long string of characters].jpeg
• 149.202.132.130 port 80 - sl.nortup.com - GET /images/[long string of characters].gif
• Various IP addresses, various ports - various domains - Tor traffic

 

FILE HASHES

EMAIL ATTACHMENT:

• SHA256 hash:  3f415553b7b22919c75f733c3403aa6f4396d8d62d1178e9b3a4ba54ac53300e
  File size:  51,712 bytes
  File name:  支払伝票（2017.09.05).xls

FOLLOW-UP URSNIF MALWARE:

• SHA256 hash:  46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61
  File size:  562,688 bytes
  File location:  C:\Users\[username]\AppData\Roaming\11565.exe
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-09-06-Japanese-malspam-pushing-Ursnif-traffic.pcap.zip   3.8 MB (3,781,666 bytes)
• Zip archive of the malware:  2017-09-06-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip   580 kB (580,265 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.