2017-09-06 - URSNIF INFECTION FROM JAPANESE MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-06-Ursnif-infection-traffic.pcap.zip 3.8 MB (3,781,666 bytes)
- 2017-09-06-Ursnif-infection-traffic.pcap (4,073,396 bytes)
- 2017-09-06-Japanese-malspam-for-Ursnif-4-examples.zip 580 kB (580,265 bytes)
- 2017-09-06-Japanese-malspam-for-Ursnif-0700-UTC.eml (72,052 bytes)
- 2017-09-06-Japanese-malspam-for-Ursnif-0707-UTC.eml (71,931 bytes)
- 2017-09-06-Japanese-malspam-for-Ursnif-0709-UTC.eml (72,040 bytes)
- 2017-09-06-Japanese-malspam-for-Ursnif-0711-UTC.eml (71,970 bytes)
- 2017-09-06-malware-from-Ursnif-infection.zip 580 kB (580,265 bytes)
- 2017-09-06-malicious-spreadsheet-macro.txt (3,241 bytes)
- 2017-09-06-malicious-spreadsheet.xls (51,712 bytes)
- 2017-09-06-Ursnif.exe (562,688 bytes)
RELATED TWEET:
- From @tmmalanalyst: Sep-06,2017(JST). Japanese MalSpam attached xls. Macro enabled infects #Ursnif #Malware. Leads xls file VT: (VT link) - (link to tweet)
EMAILS
Shown above: Screenshot from one of the emails.
EMAILS GATHERED:
(Read: Date/Time -- Sending address (spoofed) -- Subject)
- 2017-09-06 07:00 UTC -- mina-a-yu.yoshi2t@jupiter.jcom[.]co[.]jp -- 399104 【公共料金請求書データ送付の件】
- 2017-09-06 07:07 UTC -- nckei4@ksf.biglobe[.]ne[.]jp -- 090646 【公共料金請求書データ送付の件】
- 2017-09-06 07:09 UTC -- yamada.masuo@green.ocn[.]ne[.]jp -- 018648 【公共料金請求書データ送付の件】
- 2017-09-06 07:11 UTC -- ntakuya.nakauchi@lagoon.ocn[.]ne[.]jp -- 428247 【公共料金請求書データ送付の件】
Shown above: One of the Excel spreadsheets.
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
Shown above: Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.
ASSOCIATED DOMAINS:
- 185.115.140[.]143 port 80 - berurn[.]com - GET /videos.exe
- 188.190.7[.]128 port 80 - analyticstat[.]online - GET /t32.bin
- curlmyip[.]net - GET /
- 149.202.132[.]130 port 80 - sl.nortup[.]com - GET /images/[long string of characters].jpeg
- 149.202.132[.]130 port 80 - sl.nortup[.]com - GET /images/[long string of characters].gif
- Various IP addresses, various ports - various domains - Tor traffic
FILE HASHES
EMAIL ATTACHMENT:
- SHA256 hash: 3f415553b7b22919c75f733c3403aa6f4396d8d62d1178e9b3a4ba54ac53300e
File size: 51,712 bytes
File name: 支払伝票 (2017.09.05).xls
FOLLOW-UP URSNIF MALWARE:
- SHA256 hash: 46da8289c027a187b14826f3648d61c187398ad170ef60ec3311b5dae3b52d61
File size: 562,688 bytes
File location: C:\Users\[username]\AppData\Roaming\11565.exe
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Aecaider\avicbrkr.exe
Click here to return to the main page.