2017-10-03 - BRAZIL MALSPAM - SUBJ: FOTOS ENVIADAS VIA WHATSAPP MESSENGER WEB 03/10/2017 12:26:50
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-10-03-Brazil-malspam-traffic.pcap.zip 2.1 MB (2,086,437 bytes)
    - 2017-10-03-Brazil-malspam-traffic.pcap (2,200,771 bytes)
- Zip archive of the email and malware: 2017-10-03-Brazil-malspam-email-and-artifacts.zip 4.4 MB (4,433,976 bytes)
    - 2017-10-03-Brazil-malspam-1527-UTC.eml (10,696 bytes)
    - Image05.zip (619,728 bytes)
    - Fot0002.exe (1,494,016 bytes)
    - 01.zip (1,595,257 bytes)
    - CRYPTUI.dll (3,176,960 bytes)
    - Yjnqqk.exe (32,856 bytes)
EMAIL INFORMATION:
- Date/Time: Tuesday, 2017-10-03 at 15:26 UTC
- From: [spoofed as recipient's email address]
- Subject: Fotos Enviadas via WhatsApp Messenger WEB 03/10/2017 12:26:50
- Link in the email: hxxps://storage.googleapis.com/whatsap/web.html
Shown above: Screenshot from the email.
Shown above: Malicious zip archive from link in the malspam.
Shown above: Extracted malware from the downloaded zip archive.
TRAFFIC
Shown above: Infection traffic filtered in Wireshark (image edited to show HTTPS URLs).
ASSOCIATED DOMAINS:
- 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsap/web.html
- 165.227.157.104 port 80 - web.smswhats.cf - GET /Abrir/index.php
- 165.227.157.104 port 80 - web.smswhats.cf - GET /Baixar/
- 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsfoto/Image05.zip?cli=WhatsApp&/kEIPvLMiLI/SPrE7HawNj.php
- 104.236.154.156 port 80 - 104.236.154.156 - GET /ssl/01.zip
- 165.227.14.21 port 80 - sx.xcl13nt3s.cc - POST /c1y8t4a0/notify.php
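The traffic list above is the part of this write-up most defenders will want to turn into a detection. The following Python is an added example (not code from this site or from the pcap) that parses the entries in the exact format used above into structured indicators and runs them over a few constructed proxy log lines. One point it encodes: storage.googleapis.com is shared hosting, so a host-only match there would flag legitimate traffic; for that host the full request path is required, while the dedicated infrastructure (web.smswhats.cf, 104.236.154.156, sx.xcl13nt3s.cc) is flagged on host alone. The log format and the sample log lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Traffic entries copied verbatim from the ASSOCIATED DOMAINS list on this page.
TRAFFIC_ENTRIES = """
- 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsap/web.html
- 165.227.157.104 port 80 - web.smswhats.cf - GET /Abrir/index.php
- 165.227.157.104 port 80 - web.smswhats.cf - GET /Baixar/
- 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsfoto/Image05.zip?cli=WhatsApp&/kEIPvLMiLI/SPrE7HawNj.php
- 104.236.154.156 port 80 - 104.236.154.156 - GET /ssl/01.zip
- 165.227.14.21 port 80 - sx.xcl13nt3s.cc - POST /c1y8t4a0/notify.php
"""

# Hosts that are shared infrastructure: match only on the full path, never on host alone.
SHARED_HOSTS = {"storage.googleapis.com"}

# One line of the page's traffic list: "- <ip> port <n> [(PROTO)] - <host> - <METHOD> <path>"
ENTRY_RE = re.compile(
    r"^-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+port\s+(?P<port>\d+)"
    r"(?:\s+\((?P<proto>[A-Z]+)\))?\s+-\s+(?P<host>\S+)\s+-\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s*$"
)


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    proto: str
    host: str
    method: str
    path: str


def parse_indicators(text):
    """Parse traffic-list lines into Indicator objects; lines that don't fit are skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(Indicator(m["ip"], int(m["port"]), m["proto"] or "HTTP",
                                   m["host"], m["method"], m["path"]))
    return found


# Constructed proxy log (assumed format: "time client METHOD host path"); not from the pcap.
SAMPLE_PROXY_LOG = """\
2017-10-03T15:27:02Z 10.0.0.15 GET storage.googleapis.com /whatsap/web.html
2017-10-03T15:27:03Z 10.0.0.15 GET www.example.com /index.html
2017-10-03T15:27:05Z 10.0.0.15 GET web.smswhats.cf /Abrir/index.php
2017-10-03T15:27:09Z 10.0.0.22 GET storage.googleapis.com /some-other-bucket/file.bin
2017-10-03T15:27:11Z 10.0.0.15 GET web.smswhats.cf /Baixar/favicon.ico
2017-10-03T15:28:41Z 10.0.0.15 POST sx.xcl13nt3s.cc /c1y8t4a0/notify.php
"""


def match_proxy_log(log_text, indicators, shared_hosts=SHARED_HOSTS):
    """Return (timestamp, client, host, level) for each request that matches an indicator.
    level is "exact" for a host+method+path match and "host" for a request to dedicated
    attacker infrastructure whose path is not in the list. Shared hosts never match on host alone."""
    exact = {(i.host, i.method, i.path) for i in indicators}
    dedicated = {i.host for i in indicators if i.host not in shared_hosts}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, host, path = parts
        if (host, method, path) in exact:
            hits.append((ts, client, host, "exact"))
        elif host in dedicated:
            hits.append((ts, client, host, "host"))
    return hits


if __name__ == "__main__":
    inds = parse_indicators(TRAFFIC_ENTRIES)
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, inds):
        print(*hit)
```

Run as-is it reports four of the six sample requests: the three exact chain URLs and the extra request to web.smswhats.cf, while the unrelated storage.googleapis.com bucket and www.example.com are left alone. When feeding real proxy data, keep the query string intact before comparing; the Image05.zip request above only differs from legitimate bucket traffic by its path.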
FILE HASHES
ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:
- SHA256 hash: e2215de00191f2a784d2000ab3978beed5e99f34f5b900fbf8fbcc6018a6b67c
File name: Image05.zip
File size: 619,728 bytes
EXTRACTED MALWARE FROM ZIP ARCHIVE:
- SHA256 hash: 57d411028a4859ec1cb3a2a198127382e479256a582f498215550318ae5f2d77
File name: Fot0002.exe
File size: 1,494,016 bytes
FOLLOW-UP MALWARE (1 OF 3):
- SHA256 hash: 19108623284d27fdc06c6165f9b8994d38f6a1823d8fa57f3e6622bf22ec5798
File location: hxxp://104.236.154.156/ssl/01.zip
File size: 1,595,257 bytes
File description: Malware archive downloaded from 104.236.154.156 by the initial malware
FOLLOW-UP MALWARE (2 OF 3):
- SHA256 hash: 8aba2557feffc7ef42e38d4fcd01ac89e01037e05056e4d1e0037478fadcc4b1
File location: C:\Users\[username]\AppData\Roaming\zJoeWmKgyp\CRYPTUI.dll
File size: 3,176,960 bytes
File description: DLL from follow-up malware archive
FOLLOW-UP MALWARE (3 OF 3):
- SHA256 hash: f38a0519768ac094b635e4b4b6fbc836a04d87b1944f57499bd02404bfe670d9
File location: C:\Users\[username]\AppData\Roaming\zJoeWmKgyp\Yjnqqk.exe
File size: 32,856 bytes
File description: EXE from follow-up malware archive - not inherently malicious, only loads/runs CRYPTUI.dll
IMAGES
Shown above: Malware persistent on the infected host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-10-03-Brazil-malspam-traffic.pcap.zip 2.1 MB (2,086,437 bytes)
- Zip archive of the email and malware: 2017-10-03-Brazil-malspam-email-and-artifacts.zip 4.4 MB (4,433,976 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.