2017-10-03 - JAPANESE MALSPAM PUSHING URSNIF
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-10-03-Japanese-malspam-pushing-Ursnif.pcap.zip 398 kB (398,210 bytes)
- 2017-10-03-Japanese-malspam-pushing-Ursnif.pcap (550,394 bytes)
- Zip archive of the malware: 2017-10-03-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip 574 kB (574,310 bytes)
- 2017-10-03-Excel-spreadsheet-from-1st-wave-pushing-Ursnif.xls (45,568 bytes)
- 2017-10-03-Excel-spreadsheet-from-2nd-wave-pushing-Ursnif.xls (71,680 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0813-UTC.eml (63,890 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0815-UTC.eml (63,980 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0818-UTC.eml (64,049 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0923-UTC.eml (1,748 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0926-UTC.eml (1,693 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0930-UTC.eml (98,935 bytes)
- 2017-10-03-Japanese-malspam-for-Ursnif-0939-UTC.eml (98,822 bytes)
- 2017-10-03-Ursnif-binary-from-nonudoka.top.exe (483,328 bytes)
NOTES:
- From @tmmalanalyst - Oct-03,2017(JST). Japanese MalSpam attached XLS. Macro enabled infects #Ursnif #Malware. Leads file VT: (VT link) - (link to tweet)
- I saw this much later than @tmmalanalyst, when the domain for post-infection traffic was already off-line.
- Post-infection traffic in my pcap consists of DNS queries and TCP SYN packets to the server that were unanswered.
EMAILS
Shown above: Screenshot from one of the emails (1st wave).
Shown above: Screenshot from one of the emails (2nd wave).
INFORMATION FROM EMAILS GATHERED:
- Date/Time: Tuesday 2017-10-03 as early as 08:13 UTC through at least 09:39 UTC
- From: apoa-shop@r9.dion.ne.jp
- From: hasegawa_akira@ace.ocn.ne.jp
- From: ikuo-nagasaki@jupiter.jcom.co.jp
- From: resets@docomo.ne.jp
- From: sato.takashi@dc5.so-net.ne.jp
- From: seikatsuhogo@kbh.biglobe.ne.jp
- From: zbn16605@f5.dion.ne.jp
- Subject: 8月度請求書の件[0430]
- Subject: 8月度請求書の件[4325]
- Subject: 8月度請求書の件[4737]
- Subject: 249647 【公共料金請求書データ送付の件】
- Subject: 279505 【公共料金請求書データ送付の件】
- Subject: 436329 【公共料金請求書データ送付の件】
- Subject: 607225 【公共料金請求書データ送付の件】
- Attachment name: KC_仮返品通知書.xls
- Attachment name: 3V_仮返品通知書.xls
- Attachment name: SJ_仮返品通知書.xls
- Attachment name: 03_10_1452.xls
- Attachment name: 03_10_1765.xls
- Attachment name: 03_10_2200.xls
- Attachment name: 03_10_2783.xls
Shown above: One of the Excel spreadsheets (1st wave).
Shown above: One of the Excel spreadsheets (2nd wave).
TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark (only DNS queryies and SYN packets for post-infection activity).
Shown above: Screenshot of Fiddler capture when @tmmalanalyst checked it out earlier (link to tweet).
ASSOCIATED DOMAINS:
- 49.51.34.128 port 80 - nonudoka.top - GET /index [generated by Excel spreadsheet from the 1st wave]
- 49.51.34.128 port 80 - nonudoka.top - GET /sego [generated by Excel spreadsheet from the 2nd wave]
- 49.51.34.128 port 80 - nonudoka.top - GET /sato [seen by @tmmalanalyst earlier]
POST-INFECTION TRAFFIC:
- 37.130.230.117 port 80 - de.tempestbytori.com - GET /images/[long string].[image-based file extension]
- 37.130.230.117 port 80 - de.tempestbytori.com - POST /images/[long string].[image-based file extension]
FILE HASHES
EMAIL ATTACHMENT - 1ST WAVE:
- SHA256 hash: f6e22dc206adda972b4b92ccd7461cf8a269cc991bbde8890aa3a348f667c22e
File size: 45,568 bytes
File name: [2 random English letters]_仮返品通知書.xls
EMAIL ATTACHMENT - 2ND WAVE:
- SHA256 hash: d9cf40c30220b575e8a3a5c31e95a37dc5439474663f4d5bf3271c8adaa9489b
File size: 71,680 bytes
File name: 03_10_[4-digit number].xls
FOLLOW-UP MALWARE - URSNIF:
- SHA256 hash: 16f6b86ef2e83aa4acefe9a46af19ead99887f845f3c79987c3d039354e657c4
File size: 562,688 bytes
File location: C:\Users\[username]\AppData\Roaming\Microsoft\Adsnserv\authpisp.exe
Shown above: Malware persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-10-03-Japanese-malspam-pushing-Ursnif.pcap.zip 398 kB (398,210 bytes)
- Zip archive of the malware: 2017-10-03-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip 574 kB (574,310 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.