2017-10-03 - BRAZIL MALSPAM - SUBJ: FOTOS ENVIADAS VIA WHATSAPP MESSENGER WEB 03/10/2017 12:26:50

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-10-03-Brazil-malspam-traffic.pcap.zip   2.1 MB (2,086,437 bytes)

• 2017-10-03-Brazil-malspam-traffic.pcap   (2,200,771 bytes)

• Zip archive of the email and malware:  2017-10-03-Brazil-malspam-email-and-artifacts.zip   4.4 MB (4,433,976 bytes)

• 2017-10-03-Brazil-malspam-1527-UTC.eml   (10,696 bytes)
• Image05.zip   (619,728 bytes)
• Fot0002.exe   (1,494,016 bytes)
• 01.zip   (1,595,257 bytes)
• CRYPTUI.dll   (3,176,960 bytes)
• Yjnqqk.exe   (32,856 bytes)

 

EMAIL

EMAIL INFORMATION:

• Date/Time:  Tuesday, 2017-10-03 at 15:26 UTC
• From:  [spoofed as recipient's email address]
• Subject:  Fotos Enviadas via WhatsApp Messenger WEB 03/10/2017 12:26:50
• Link in the email:  hxxps://storage.googleapis.com/whatsap/web.html

 

Shown above:  Screenshot from the email.

 

Shown above:  Malicious zip archive from link in the malspam.

 

Shown above:  Extracted malware from the downloaded zip archive.

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark (image edited to show HTTPS URLs).

 

ASSOCIATED DOMAINS:

• 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsap/web.html
• 165.227.157.104 port 80 - web.smswhats.cf - GET /Abrir/index.php
• 165.227.157.104 port 80 - web.smswhats.cf - GET /Baixar/
• 216.58.194.176 port 443 (HTTPS) - storage.googleapis.com - GET /whatsfoto/Image05.zip?cli=WhatsApp&/kEIPvLMiLI/SPrE7HawNj.php
• 104.236.154.156 port 80 - 104.236.154.156 - GET /ssl/01.zip
• 165.227.14.21 port 80 - sx.xcl13nt3s.cc - POST /c1y8t4a0/notify.php

 

FILE HASHES

ZIP ARCHIVE AFTER CLICKING LINK FROM THE EMAIL:

• SHA256 hash:  e2215de00191f2a784d2000ab3978beed5e99f34f5b900fbf8fbcc6018a6b67c
  File name:  Image05.zip
  File size:  619,728 bytes

EXTRACTED MALWARE FROM ZIP ARCHIVE:

• SHA256 hash:  57d411028a4859ec1cb3a2a198127382e479256a582f498215550318ae5f2d77
  File name:  Fot0002.exe
  File size:  1,494,016 bytes

FOLLOW-UP MALWARE (1 OF 3):

• SHA256 hash:  19108623284d27fdc06c6165f9b8994d38f6a1823d8fa57f3e6622bf22ec5798
  File location:  hxxp://104.236.154.156/ssl/01.zip
  File size:  1,595,257 bytes
  File description:  Malware archive downloaded from 104.236.154.156 by the initial malware

FOLLOW-UP MALWARE (2 OF 3):

• SHA256 hash:  8aba2557feffc7ef42e38d4fcd01ac89e01037e05056e4d1e0037478fadcc4b1
  File location:  C:\Users\[username]\AppData\Roaming\zJoeWmKgyp\CRYPTUI.dll
  File size:  3,176,960 bytes
  File description:  DLL from follow-up malware archive

FOLLOW-UP MALWARE (3 OF 3):

• SHA256 hash:  f38a0519768ac094b635e4b4b6fbc836a04d87b1944f57499bd02404bfe670d9
  File location:  C:\Users\[username]\AppData\Roaming\zJoeWmKgyp\Yjnqqk.exe
  File size:  32,856 bytes
  File description:  EXE from follow-up malware archive - not inherently malicious, only loads/runs CRYPTUI.dll

 

IMAGES

Shown above:  Malware persistent on the infected host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-10-03-Brazil-malspam-traffic.pcap.zip   2.1 MB (2,086,437 bytes)
• Zip archive of the email and malware:  2017-10-03-Brazil-malspam-email-and-artifacts.zip   4.4 MB (4,433,976 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.