2017-10-11 - WHATSAPP-THEMED BRAZIL MALSPAM PUSHES BANLOAD MALWARE
ASSOCIATED FILES:
- Zip archive of the pcaps: 2017-10-11-Brazil-WhatsApp-malspam-traffic.pcap.zip 6.8 MB (6,830,092 bytes)
- 2017-10-11-WhatsApp-malspam-1st-run.pcap (3,528,066 bytes)
- 2017-10-11-WhatsApp-malspam-2nd-run.pcap (3,647,909 bytes)
- Zip archive of the email and malware: 2017-10-11-Brazil-WhatsApp-malspam-and-artifacts.zip 2.3 MB (2,347,664 bytes)
- 01.zip (1,586,625 bytes)
- 2017-10-11-WhatsApp-malspam-0501-UTC.eml (5,364 bytes)
- 2017-10-11-WhatsApp-malspam-1216-UTC.eml (17,682 bytes)
- WhatsAppImage2017-10-11at17.59.08.exe (1,816,064 bytes)
NOTES:
- Banload is a generic term given to downloaders that install banking Trojans. I most often see Banload associated with Brazil-based malspam.
- This post is very similar to malspam I documented earlier this month on 2017-10-03.
EMAIL INFORMATION:
Shown above: Screenshot from the 1st email.
Shown above: Screenshot from the 2nd email.
1ST EMAIL:
- Date: Wednesday, 2017-10-11 05:01 UTC
- From: [spoofed as recipient's email address]
- Subject: Recebemos varias Denuncias que seu WhatsApp esta postando Videos que estao Violando 11/10/2017 07:01:17
- Received: from web19.webwhats.ga ([80.211.135.104])
- X-PHP-Originating-Script: 0:cofjopovdstjveopxdwd.php
- Message-ID: <20171011050117.CAB1D8C4AF@web19.webwhats.ga>
- Link in the email: hxxps://storage.googleapis.com/improprio/Whatsapp.html
2ND EMAIL:
- Date: Wednesday, 2017-10-11 12:16 UTC
- From: [spoofed as recipient's email address]
- Subject: (WhatsApp Messenger) Voce acabou de receber uma mensagem WhatsApp Messenger 11/10/2017 02:16:19
- Received: from web5.mensagemwebwhatsapp.ml ([195.181.216.53])
- X-PHP-Originating-Script: 0:cofjopovdstjveopxdwd.php
- Message-ID: <20171011121619.5821B85399@web5.mensagemwebwhatsapp.ml>
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem1.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem2.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem3.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem4.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem5.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem6.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem7.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem8.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem9.jpeg
- Link in the email: hxxps://storage.googleapis.comujdeolsaxs/app.html?.imagem10.jpeg
Shown above: Clicking on an email link returns an EXE file (file extension showed as .php when I used Internet Explorer).
Shown above: Downloaded EXE (same file downloaded from both emails).
TRAFFIC
Shown above: Infection traffic filtered in Wireshark (1st run from link in 1st email).
Shown above: Infection traffic filtered in Wireshark (2nd run from link in 2nd email).
1ST RUN:
- port 443 (HTTPS) - storage.googleapis.com - GET /improprio/Whatsapp.html
- 159.203.99.120 port 80 - web.webmybookwhatspp.ml - GET /Improprio/
- port 443 (HTTPS) - storage.googleapis.com - GET /mywebs/WhatsAppImage2017-10-11at17.59.08.exe?cli=WhatsApp&/[random string]/[random string].php
- 192.241.205.43 port 80 - 192.241.205.43 - GET /update/01.zip/
- 174.138.34.248 port 80 - 174.138.34.248 - POST /f9t7w3q1/point.php
2ND RUN:
- port 443 (HTTPS) - storage.googleapis.com - GET /ujdeolsaxs/app.html
- 159.203.99.120 port 80 - webfotos.webmybookwhatspp.ml - GET /download/
- port 443 (HTTPS) - storage.googleapis.com - GET /mywebs/WhatsAppImage2017-10-11at17.59.08.exe?cli=WhatsApp&/[random string]/[random string].php
- 192.241.205.43 port 80 - 192.241.205.43 - GET /update/01.zip
- 174.138.34.248 port 80 - 174.138.34.248 - POST /f9t7w3q1/point.php
MALWARE
EXE DOWNLOADED CLICKING A LINK FROM THE EMAILS:
- SHA256 hash: ff536f061ad0348ffd4baa704ce14912d5a65a531575a60b4591aa6f3172c1a3
File name: WhatsAppImage2017-10-11at17.59.08.exe
File size: 1,816,064 bytes
FOLLOW-UP MALWARE (ZIP ARCHIVE) DOWNLOADED BY THE ABOVE FILE:
- SHA256 hash: a9d6bd61517aa2eb4b535d32ef04c0ee7c5254172837dd95ae0a63106497154c
File name: hxxp://192.241.205.43/update/01.zip
File size: 1,586,625 bytes
MALWARE RETRIEVED FROM INFECTED WINDOWS HOST (1 OF 2):
- SHA256 hash: b1151d1cc7d90149bafd5d8f099fe21c23f88a9dc4fbd56d9cda959e4858eb80
File location: C:\Users\[username]\AppData\Roaming\[random characters]\jli.dll
File size: 3,177,984 bytes
File description: Malicious DLL file (Banload) from the downloaded malware archive.
MALWARE RETRIEVED FROM INFECTED WINDOWS HOST (2 OF 2):
- SHA256 hash: 7cc34a5423bd3fc9fa63d20ebece4103e22e4360df5b9caa2b461069dac77f4d
File location: C:\Users\[username]\AppData\Roaming\[random characters]\[random characters].exe
File size: 15,936 bytes
File description: EXE from the downloaded malware archive, loads the above DLL (jli.dll).
WINDOWS REGISTRY UPDATE:
- Key name: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Value name: [random characters].exe
- Value type: REG_SZ
- Value data: C:\Users\[username]\AppData\Roaming\[random characters]\[random characters].exe
Shown above: Malware persistent on the infected Windows host.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcaps: 2017-10-11-Brazil-WhatsApp-malspam-traffic.pcap.zip 6.8 MB (6,830,092 bytes)
- Zip archive of the email and malware: 2017-10-11-Brazil-WhatsApp-malspam-and-artifacts.zip 2.3 MB (2,347,664 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.