Malware-Traffic-Analysis.net - 2017-10-10 - Malspam using CVE-2017-0199 to push Loki Bot

2017-10-10 - MALSPAM USING CVE-2017-0199 TO PUSH LOKI BOT

ASSOCIATED FILES:

Zip archive of the pcap: 2017-10-10-Loki-bot-malspam-traffic.pcap.zip 350 kB (350,219 bytes)

2017-10-10-Loki-bot-malspam-traffic.pcap (633,297 bytes)

Zip archive of the email and some associated artifacts: 2017-10-10-Loki-bot-malspam-and-artifacts.zip 589 kB (588,789 bytes)

2017-10-10-Loki-bot-malspam-1231-UTC.eml (370,939 bytes)

7571BA.exe (675,840 bytes)

REQ. FOR QUOTATION.doc (221,271 bytes)

NOTES:

Malicious spam (malspam) with an attachment.
Attachment is an RTF document with a CVE-2017-0199 exploit, and it's disguised as Word document.
The exploit is designed to infect Windows hosts with Loki Bot malware.

Shown above: Screenshot of the email.

EMAIL HEADERS:

Shown above: Attachment is actually an RTF file with an exploit for CVE-2017-0199.

Shown above: Traffic from this infection filtered in Wireshark.

Shown above: Alerts on the infection traffic using the Emerging Threats and ETPRO rulesets in Sguil on Security Onion.

ASSOCIATED DOMAINS AND URLS:

RTF WITH EXPLOIT FOR CVE-2017-0199:

SHA256 hash: 34a19d2fb7e045bb1c985ed727beff59f169b3021ee67cfc462366a66ce14251
File size: 221,271 bytes
File name: REQ. FOR QUOTATION.doc

FOLLOW-UP MALWARE (LOKI-BOT):

SHA256 hash: 54ef1c6df5b3b288366b560f7721f1cc5e556bd2fa3c8b0edee7fdb2fe871ffb
File size: 675,840 bytes
File location: C:\Users\[username]\AppData\Roaming\C72387\7571BA.exe

Once again, here are the associated files:

Zip archive of the pcap: 2017-10-10-Loki-bot-malspam-traffic.pcap.zip 350 kB (350,219 bytes)
Zip archive of the email and some associated artifacts: 2017-10-10-Loki-bot-malspam-and-artifacts.zip 589 kB (588,789 bytes)

Zip files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.