2017-10-10 - MALSPAM USING CVE-2017-0199 TO PUSH LOKI BOT
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-10-10-Loki-bot-malspam-traffic.pcap.zip 350 kB (350,219 bytes)
- 2017-10-10-Loki-bot-malspam-traffic.pcap (633,297 bytes)
- Zip archive of the email and some associated artifacts: 2017-10-10-Loki-bot-malspam-and-artifacts.zip 589 kB (588,789 bytes)
- 2017-10-10-Loki-bot-malspam-1231-UTC.eml (370,939 bytes)
- 7571BA.exe (675,840 bytes)
- REQ. FOR QUOTATION.doc (221,271 bytes)
NOTES:
- Malicious spam (malspam) with an attachment.
- Attachment is an RTF document with a CVE-2017-0199 exploit, and it is disguised as a Word document.
- The exploit is designed to infect Windows hosts with Loki Bot malware.
Shown above: Screenshot of the email.
EMAIL HEADERS:
- Date: Tuesday, 2017-10-10 12:31 UTC
- Message-ID: <EF155C1DF6220F8C50551CA55107798F@bxgcorp.com>
- Subject: News about your order2105586505244
- From: "Ozean" <brenda.hodges@bxgcorp.com>
- Reply-To: "Ozean" <anjali@xcelcorp.com>
- Attachment name: REQ. FOR QUOTATION.doc
Shown above: Attachment is actually an RTF file with an exploit for CVE-2017-0199.
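A triage check for the trick noted above (a file named .doc that is really RTF carrying CVE-2017-0199 control words), written as an added example for this page, not code from the original post. It compares the file's leading bytes against what the extension claims and looks for the RTF control words commonly seen in CVE-2017-0199 (OLE2Link) samples; the sample bytes below are constructed, not the real attachment.

```python
# Leading bytes of the container formats a ".doc" attachment might actually be.
MAGICS = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-cfb",  # legacy binary Word .doc
    b"PK\x03\x04": "ooxml-zip",                        # .docx and other OOXML
    b"{\\rt": "rtf",                                   # RTF; exploit docs often abbreviate {\rtf1
}

# Extension each container is expected to carry when the file is what it claims to be.
EXPECTED = {"doc": "ole-cfb", "docx": "ooxml-zip", "rtf": "rtf"}

# RTF control words associated with CVE-2017-0199 samples. \objdata also appears in
# benign RTF with embedded objects, so it only counts alongside the other signals.
RTF_INDICATORS = [b"\\objupdate", b"\\objautlink", b"\\objdata"]


def detect_container(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def triage_attachment(name: str, data: bytes) -> dict:
    """Flag a document whose content does not match its extension and, for RTF,
    carries the control words used by CVE-2017-0199 exploit documents."""
    container = detect_container(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and container != expected
    hits = [w.decode() for w in RTF_INDICATORS if w in data]
    return {
        "container": container,
        "extension_mismatch": mismatch,
        "rtf_indicators": hits,
        # Mismatched extension + RTF + update/autolink control words: treat as exploit doc.
        "suspicious": mismatch and container == "rtf" and b"\\objupdate" in data,
    }


# Constructed sample: an RTF skeleton with the CVE-2017-0199 control words,
# delivered under a .doc name like the attachment described on this page.
SAMPLE_RTF_AS_DOC = (
    b"{\\rtf1{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 00}}}"
)

if __name__ == "__main__":
    print(triage_attachment("REQ. FOR QUOTATION.doc", SAMPLE_RTF_AS_DOC))
```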
TRAFFIC:
Shown above: Traffic from this infection filtered in Wireshark.
Shown above: Alerts on the infection traffic using the Emerging Threats and ETPRO rulesets in Sguil on Security Onion.
ASSOCIATED DOMAINS AND URLS:
- 192.254.235.79 port 80 - almahalliah.com - GET /images/htajem.hta
- 192.254.235.79 port 80 - almahalliah.com - GET /images/jem.exe
- 194.100.58.202 port 80 - www.lasihuolto.fi - POST /if/panel/five/fre.php
FILE HASHES:
RTF WITH EXPLOIT FOR CVE-2017-0199:
- SHA256 hash: 34a19d2fb7e045bb1c985ed727beff59f169b3021ee67cfc462366a66ce14251
- File size: 221,271 bytes
- File name: REQ. FOR QUOTATION.doc
FOLLOW-UP MALWARE (LOKI-BOT):
- SHA256 hash: 54ef1c6df5b3b288366b560f7721f1cc5e556bd2fa3c8b0edee7fdb2fe871ffb
- File size: 675,840 bytes
- File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe
FINAL NOTES:
Once again, here are the associated files:
- Zip archive of the pcap: 2017-10-10-Loki-bot-malspam-traffic.pcap.zip 350 kB (350,219 bytes)
- Zip archive of the email and some associated artifacts: 2017-10-10-Loki-bot-malspam-and-artifacts.zip 589 kB (588,789 bytes)
Zip files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.