2017-09-14 - FAKE MICROSOFT UPDATE MALSPAM WITH .EXE ATTACHMENTS

ASSOCIATED FILES:

• Zip archive of the pcaps:  2017-09-14-fake-Microsoft-update-traffic-pcaps.zip   76 kB (76,261 bytes)

• 2017-09-14-traffic-from-1st-sample.pcap   (1,445 bytes)
• 2017-09-14-traffic-from-3rd-sample.pcap   (82,799 bytes)

• Zip archive of the spreadsheet racker:  2017-09-14-fake-Microsoft-update-tracker.csv.zip   1.5 kB (1,506 bytes)

• 2017-09-14-fake-Microsoft-update-tracker.csv   (5,256 bytes)

• Zip archive of the emails and malware:  2017-09-14-fake-Microsoft-update-emails-and-malware.zip   120 kB (120,385 bytes)

• 2017-09-14-1st-sample.exe   (36,864 bytes)
• 2017-09-14-2nd-sample.exe   (41,472 bytes)
• 2017-09-14-3rd-sample.exe   (27,648 bytes)
• 2017-09-14-follow-up-malware-from-3rd-sample.exe   (75,264 bytes)
• Fake-Microsoft-emails-on-2017-09-11-thru-09-13.txt   (27,613 bytes)

NOTES:

• Who sends .exe attachments with malspam any more?
• The person who wrote this malware seems inexperienced (the malware is a bit buggy).
• The 1st sample required MSWINSCK.OCX which is an older file from pre-WindowsXP days.
• The 1st sample also crashed if it didn't find a bitcoin wallet file named wallet.dat, so I had to create a fake one.  (See traffic images below for details.)
• I was unable to generate any network traffic from the 2nd sample.
• Follow-up malware downloaded by the 3rd sample crashed.
• So far, this is not a very effective campaign.

 

EMAILS

Shown above:  Screenshot from the spreadsheet tracker.

 

Shown above:  Screenshot from an email on 2017-09-13.

 

EMAILS NOTED:

• READ: Date/time -- Subject line -- attachment name

• 2017-09-10 10:42 UTC   --   Subject: Important Microsoft Update 2017. Install it now   --   Attachment: Microsoft_Update2017.exe
• 2017-09-11 15:23 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: 2gs07a1.exe
• 2017-09-11 16:03 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: tqyty.exe
• 2017-09-11 18:35 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: s74qjb.exe
• 2017-09-11 22:32 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: whxj6e.exe
• 2017-09-12 03:10 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: v8jeft2.exe
• 2017-09-12 07:44 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: sixmiz1.exe
• 2017-09-12 07:45 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: 7h3k251.exe
• 2017-09-12 13:24 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: dv4r691r.exe
• 2017-09-12 13:30 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: ap5h5v.exe
• 2017-09-12 13:44 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: 3is5wv2.exe
• 2017-09-12 13:45 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: wd1ls729.exe
• 2017-09-12 18:44 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: 70n2mx3d.exe
• 2017-09-12 21:32 UTC   --   Subject: Free Microsoft Update for Windows 7/8/10.   --   Attachment: cv2yn52z.exe
• 2017-09-13 16:45 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: 3aum4j3.exe
• 2017-09-13 17:06 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: 97ai7q1.exe
• 2017-09-13 18:43 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: mwe8jb2s.exe
• 2017-09-13 18:45 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: 0x8sn.exe
• 2017-09-13 18:46 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: vzgtw.exe
• 2017-09-13 18:47 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: hcb1kt6j.exe
• 2017-09-13 18:57 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: bcc3d21w.exe
• 2017-09-13 19:00 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: ql1pix2w.exe
• 2017-09-13 21:00 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: 9qel8cf.exe
• 2017-09-13 21:03 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: 5cypsk1.exe
• 2017-09-13 21:07 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: k6tet82.exe
• 2017-09-13 21:10 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: zclt52.exe
• 2017-09-13 21:15 UTC   --   Subject: Install The Microsoft Update before its too late!   --   Attachment: sxuhop.exe

 

TRAFFIC

Shown above:  Traffic from the 1st example of the malspam attachments.

 

Shown above:  Traffic from the 3rd example of the malspam attachments.

 

ASSOCIATED URLS:

• hxxp://80.208.230.159/bitcoin.php?   (caused by the 1st sample)
• hxxp://80.208.230.159/windowsupdate.exe   (caused by the 3rd sample)

 

ASSOCIATED MALWARE

ATTACHED EXE FILE, 1ST SAMPLE:

• SHA256 hash:  f7c1a5f0d4aff56c06906325d318c25be2bde84b3762d30133c05c9ae2ecb125
  File size:  36,864 bytes
  File description:  Bitcoin wallet stealer

ATTACHED EXE FILE, 2ND SAMPLE:

• SHA256 hash:  5c5c242d06914c6a4b991bca68d0007edffa5322f7b9c08803cec82515d7fc35
  File size:  41,472 bytes
  File description:  Unknown malware (could not generate any traffic from this one)

ATTACHED EXE FILE, 3RD SAMPLE:

• SHA256 hash:  ae84ec7474428a2abbb09a927e2702f8ee4dea3b46b4218dde9528e5737764b6
  File size:  27,648 bytes
  File description:  File downloader

FOLLOW-UP MALWARE:

• SHA256 hash:  3c2843e28d1f28cb643627417a8902771f24ffbb23e22ae73c2761a5710e6286
  File size:  75,264 bytes
  File location:  hxxp://80.208.230.159/windowsupdate.exe
  File location:  C:\Users\[username]\AppData\Local\Temp\bSgKeKuKlIvOvU.exe
  File description:  Follow-up malware downloaded by 3rd sample

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcaps:  2017-09-14-fake-Microsoft-update-traffic-pcaps.zip   76 kB (76,261 bytes)
• Zip archive of the spreadsheet racker:  2017-09-14-fake-Microsoft-update-tracker.csv.zip   1.5 kB (1,506 bytes)
• Zip archive of the emails and malware:  2017-09-14-fake-Microsoft-update-emails-and-malware.zip   120 kB (120,385 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.