2017-09-14 - FAKE MICROSOFT UPDATE MALSPAM WITH .EXE ATTACHMENTS
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-09-14-fake-Microsoft-update-traffic-pcaps.zip 76 kB (76,261 bytes)
- 2017-09-14-traffic-from-1st-sample.pcap (1,445 bytes)
- 2017-09-14-traffic-from-3rd-sample.pcap (82,799 bytes)
- Zip archive of the spreadsheet tracker: 2017-09-14-fake-Microsoft-update-tracker.csv.zip 1.5 kB (1,506 bytes)
- 2017-09-14-fake-Microsoft-update-tracker.csv (5,256 bytes)
- Zip archive of the emails and malware: 2017-09-14-fake-Microsoft-update-emails-and-malware.zip 120 kB (120,385 bytes)
- 2017-09-14-1st-sample.exe (36,864 bytes)
- 2017-09-14-2nd-sample.exe (41,472 bytes)
- 2017-09-14-3rd-sample.exe (27,648 bytes)
- 2017-09-14-follow-up-malware-from-3rd-sample.exe (75,264 bytes)
- Fake-Microsoft-emails-on-2017-09-11-thru-09-13.txt (27,613 bytes)
NOTES:
- Who sends .exe attachments with malspam any more?
- The person who wrote this malware seems inexperienced (the malware is a bit buggy).
- The 1st sample required MSWINSCK.OCX which is an older file from pre-WindowsXP days.
- The 1st sample also crashed if it didn't find a bitcoin wallet file named wallet.dat, so I had to create a fake one. (See traffic images below for details.)
- I was unable to generate any network traffic from the 2nd sample.
- Follow-up malware downloaded by the 3rd sample crashed.
- So far, this is not a very effective campaign.
EMAILS
Shown above: Screenshot from the spreadsheet tracker.
Shown above: Screenshot from an email on 2017-09-13.
EMAILS NOTED:
- READ: Date/time -- Subject line -- attachment name
- 2017-09-10 10:42 UTC -- Subject: Important Microsoft Update 2017. Install it now -- Attachment: Microsoft_Update2017.exe
- 2017-09-11 15:23 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 2gs07a1.exe
- 2017-09-11 16:03 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: tqyty.exe
- 2017-09-11 18:35 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: s74qjb.exe
- 2017-09-11 22:32 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: whxj6e.exe
- 2017-09-12 03:10 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: v8jeft2.exe
- 2017-09-12 07:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: sixmiz1.exe
- 2017-09-12 07:45 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 7h3k251.exe
- 2017-09-12 13:24 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: dv4r691r.exe
- 2017-09-12 13:30 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: ap5h5v.exe
- 2017-09-12 13:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 3is5wv2.exe
- 2017-09-12 13:45 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: wd1ls729.exe
- 2017-09-12 18:44 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 70n2mx3d.exe
- 2017-09-12 21:32 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: cv2yn52z.exe
- 2017-09-13 16:45 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 3aum4j3.exe
- 2017-09-13 17:06 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 97ai7q1.exe
- 2017-09-13 18:43 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: mwe8jb2s.exe
- 2017-09-13 18:45 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 0x8sn.exe
- 2017-09-13 18:46 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: vzgtw.exe
- 2017-09-13 18:47 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: hcb1kt6j.exe
- 2017-09-13 18:57 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: bcc3d21w.exe
- 2017-09-13 19:00 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: ql1pix2w.exe
- 2017-09-13 21:00 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 9qel8cf.exe
- 2017-09-13 21:03 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 5cypsk1.exe
- 2017-09-13 21:07 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: k6tet82.exe
- 2017-09-13 21:10 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: zclt52.exe
- 2017-09-13 21:15 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: sxuhop.exe
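The tracker lines above follow one fixed "date -- Subject -- Attachment" shape, which makes them easy to triage mechanically. The script below is an added example (not part of the original page or its tracker) that parses lines in that format, flags any message carrying a directly executable attachment or a "Microsoft Update" lure subject, and counts the subject-line waves; the three tracker lines are copied from the list above and the benign invoice line is constructed.

```python
import os
import re
from collections import Counter

# Tracker line format used on this page:
#   "2017-09-13 16:45 UTC -- Subject: <text> -- Attachment: <file>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) UTC"
    r" -- Subject: (?P<subject>.+?)"
    r" -- Attachment: (?P<attachment>\S+)$"
)

# Directly executable attachment types a mail gateway should quarantine outright.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Lure phrase shared by every subject line in this campaign (matched case-insensitively).
LURE_PHRASES = ("microsoft update",)

def parse_tracker_line(line):
    """Return a dict for one tracker line, or None if the line is not in that format."""
    m = LINE_RE.match(line.strip().lstrip("- "))
    if not m:
        return None
    rec = m.groupdict()
    ext = os.path.splitext(rec["attachment"])[1].lower()
    rec["executable"] = ext in EXECUTABLE_EXTS
    rec["lure"] = any(p in rec["subject"].lower() for p in LURE_PHRASES)
    rec["suspicious"] = rec["executable"] or rec["lure"]
    return rec

def triage(lines):
    """Parse all lines; return (suspicious records, count of messages per subject line)."""
    records = [r for r in map(parse_tracker_line, lines) if r]
    suspicious = [r for r in records if r["suspicious"]]
    waves = Counter(r["subject"] for r in suspicious)
    return suspicious, waves

# Constructed sample: three lines from the tracker above plus one benign line.
SAMPLE_LINES = [
    "- 2017-09-10 10:42 UTC -- Subject: Important Microsoft Update 2017. Install it now -- Attachment: Microsoft_Update2017.exe",
    "- 2017-09-11 15:23 UTC -- Subject: Free Microsoft Update for Windows 7/8/10. -- Attachment: 2gs07a1.exe",
    "- 2017-09-13 16:45 UTC -- Subject: Install The Microsoft Update before its too late! -- Attachment: 3aum4j3.exe",
    "- 2017-09-13 09:00 UTC -- Subject: Q3 invoice -- Attachment: invoice.pdf",  # constructed benign line
]

if __name__ == "__main__":
    flagged, waves = triage(SAMPLE_LINES)
    for r in flagged:
        print(r["ts"], r["attachment"], r["subject"])
    print(dict(waves))
```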
TRAFFIC
Shown above: Traffic from the 1st example of the malspam attachments.
Shown above: Traffic from the 3rd example of the malspam attachments.
ASSOCIATED URLS:
- hxxp://80.208.230.159/bitcoin.php? (caused by the 1st sample)
- hxxp://80.208.230.159/windowsupdate.exe (caused by the 3rd sample)
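Both URLs sit on the same host, and the path alone is a weak indicator (any number of legitimate servers serve a file called windowsupdate.exe), so a proxy-log check should key on host plus path. The script below is an added example (not from the original page) that scans constructed proxy log lines in an assumed "timestamp client method url status" shape, reports hits on the campaign host, and labels the two known paths with the sample stage they belong to.

```python
import re
from urllib.parse import urlsplit

# Network indicators from this page (hxxp defanged back to http for matching).
IOC_HOST = "80.208.230.159"
IOC_PATHS = {
    "/bitcoin.php": "1st sample: wallet stealer check-in",
    "/windowsupdate.exe": "3rd sample: follow-up malware download",
}

# Assumed proxy log shape (constructed for this example, not a real product format):
#   "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def classify_url(url):
    """Return a description if url hits the campaign host, else None.

    A matching path on any other host is deliberately not a hit.
    """
    parts = urlsplit(url)
    if parts.hostname != IOC_HOST:
        return None
    return IOC_PATHS.get(parts.path, "unknown path on campaign host")

def scan_proxy_log(lines):
    """Return one dict per log line whose URL points at the campaign host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line, skip rather than crash
        reason = classify_url(m["url"])
        if reason:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "reason": reason})
    return hits

# Constructed sample log: two true hits, one decoy path on another host, one unknown path.
SAMPLE_LOG = [
    "2017-09-14T10:01:02Z 10.0.0.15 GET http://80.208.230.159/bitcoin.php? 200",
    "2017-09-14T10:03:44Z 10.0.0.22 GET http://80.208.230.159/windowsupdate.exe 200",
    "2017-09-14T10:04:10Z 10.0.0.22 GET http://example.invalid/windowsupdate.exe 404",
    "2017-09-14T10:05:00Z 10.0.0.9 GET http://80.208.230.159/other.php 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "->", hit["reason"])
```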
ASSOCIATED MALWARE
ATTACHED EXE FILE, 1ST SAMPLE:
- SHA256 hash: f7c1a5f0d4aff56c06906325d318c25be2bde84b3762d30133c05c9ae2ecb125
File size: 36,864 bytes
File description: Bitcoin wallet stealer
ATTACHED EXE FILE, 2ND SAMPLE:
- SHA256 hash: 5c5c242d06914c6a4b991bca68d0007edffa5322f7b9c08803cec82515d7fc35
File size: 41,472 bytes
File description: Unknown malware (could not generate any traffic from this one)
ATTACHED EXE FILE, 3RD SAMPLE:
- SHA256 hash: ae84ec7474428a2abbb09a927e2702f8ee4dea3b46b4218dde9528e5737764b6
File size: 27,648 bytes
File description: File downloader
FOLLOW-UP MALWARE:
- SHA256 hash: 3c2843e28d1f28cb643627417a8902771f24ffbb23e22ae73c2761a5710e6286
File size: 75,264 bytes
File location: hxxp://80.208.230.159/windowsupdate.exe
File location: C:\Users\[username]\AppData\Local\Temp\bSgKeKuKlIvOvU.exe
File description: Follow-up malware downloaded by 3rd sample
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2017-09-14-fake-Microsoft-update-traffic-pcaps.zip 76 kB (76,261 bytes)
- Zip archive of the spreadsheet tracker: 2017-09-14-fake-Microsoft-update-tracker.csv.zip 1.5 kB (1,506 bytes)
- Zip archive of the emails and malware: 2017-09-14-fake-Microsoft-update-emails-and-malware.zip 120 kB (120,385 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.