2017-10-03 - JAPANESE MALSPAM PUSHING URSNIF

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-10-03-Japanese-malspam-pushing-Ursnif.pcap.zip   398 kB (398,210 bytes)

• 2017-10-03-Japanese-malspam-pushing-Ursnif.pcap   (550,394 bytes)

• Zip archive of the malware:  2017-10-03-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip   574 kB (574,310 bytes)

• 2017-10-03-Excel-spreadsheet-from-1st-wave-pushing-Ursnif.xls   (45,568 bytes)
• 2017-10-03-Excel-spreadsheet-from-2nd-wave-pushing-Ursnif.xls   (71,680 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0813-UTC.eml   (63,890 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0815-UTC.eml   (63,980 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0818-UTC.eml   (64,049 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0923-UTC.eml   (1,748 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0926-UTC.eml   (1,693 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0930-UTC.eml   (98,935 bytes)
• 2017-10-03-Japanese-malspam-for-Ursnif-0939-UTC.eml   (98,822 bytes)
• 2017-10-03-Ursnif-binary-from-nonudoka.top.exe   (483,328 bytes)

 

NOTES:

• From @tmmalanalyst - Oct-03,2017(JST). Japanese MalSpam attached XLS. Macro enabled infects #Ursnif #Malware. Leads file VT: (VT link) - (link to tweet)
• I saw this much later than @tmmalanalyst, when the domain for post-infection traffic was already off-line.
• Post-infection traffic in my pcap consists of DNS queries and TCP SYN packets to the server that were unanswered.

 

EMAILS

Shown above:  Screenshot from one of the emails (1st wave).

 

Shown above:  Screenshot from one of the emails (2nd wave).

 

INFORMATION FROM EMAILS GATHERED:

• Date/Time:  Tuesday 2017-10-03 as early as 08:13 UTC through at least 09:39 UTC

• From:  apoa-shop@r9.dion.ne.jp
• From:  hasegawa_akira@ace.ocn.ne.jp
• From:  ikuo-nagasaki@jupiter.jcom.co.jp
• From:  resets@docomo.ne.jp
• From:  sato.takashi@dc5.so-net.ne.jp
• From:  seikatsuhogo@kbh.biglobe.ne.jp
• From:  zbn16605@f5.dion.ne.jp

• Subject:  8月度請求書の件[0430]
• Subject:  8月度請求書の件[4325]
• Subject:  8月度請求書の件[4737]
• Subject:  249647 【公共料金請求書データ送付の件】
• Subject:  279505 【公共料金請求書データ送付の件】
• Subject:  436329 【公共料金請求書データ送付の件】
• Subject:  607225 【公共料金請求書データ送付の件】

• Attachment name:  KC_仮返品通知書.xls
• Attachment name:  3V_仮返品通知書.xls
• Attachment name:  SJ_仮返品通知書.xls
• Attachment name:  03_10_1452.xls
• Attachment name:  03_10_1765.xls
• Attachment name:  03_10_2200.xls
• Attachment name:  03_10_2783.xls

 

Shown above:  One of the Excel spreadsheets (1st wave).

 

Shown above:  One of the Excel spreadsheets (2nd wave).

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark (only DNS queryies and SYN packets for post-infection activity).

 

Shown above:  Screenshot of Fiddler capture when @tmmalanalyst checked it out earlier (link to tweet).

 

ASSOCIATED DOMAINS:

• 49.51.34.128 port 80 - nonudoka.top - GET /index   [generated by Excel spreadsheet from the 1st wave]
• 49.51.34.128 port 80 - nonudoka.top - GET /sego   [generated by Excel spreadsheet from the 2nd wave]
• 49.51.34.128 port 80 - nonudoka.top - GET /sato   [seen by @tmmalanalyst earlier]

POST-INFECTION TRAFFIC:

• 37.130.230.117 port 80 - de.tempestbytori.com - GET /images/[long string].[image-based file extension]
• 37.130.230.117 port 80 - de.tempestbytori.com - POST /images/[long string].[image-based file extension]

 

FILE HASHES

EMAIL ATTACHMENT - 1ST WAVE:

• SHA256 hash:  f6e22dc206adda972b4b92ccd7461cf8a269cc991bbde8890aa3a348f667c22e
  File size:  45,568 bytes
  File name:  [2 random English letters]_仮返品通知書.xls

EMAIL ATTACHMENT - 2ND WAVE:

• SHA256 hash:  d9cf40c30220b575e8a3a5c31e95a37dc5439474663f4d5bf3271c8adaa9489b
  File size:  71,680 bytes
  File name:  03_10_[4-digit number].xls

FOLLOW-UP MALWARE - URSNIF:

• SHA256 hash:  16f6b86ef2e83aa4acefe9a46af19ead99887f845f3c79987c3d039354e657c4
  File size:  562,688 bytes
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\Adsnserv\authpisp.exe

Shown above:  Malware persistent on the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-10-03-Japanese-malspam-pushing-Ursnif.pcap.zip   398 kB (398,210 bytes)
• Zip archive of the malware:  2017-10-03-Japanese-malspam-pushing-Ursnif-malware-and-artifacts.zip   574 kB (574,310 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.