2017-11-03 - NYMAIM INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-03-Nymaim-infection-traffic.pcap.zip   597.6 kB (597,574 bytes)

• 2017-11-03-Nymaim-infection-traffic.pcap   (803,489 bytes)

• 2017-11-03-Nymaim-malware.zip   662.8 kB (662,818 bytes)

• Invoice.doc   (95,744 bytes)
• 1.exe   (715,264 bytes)

• 2017-11-03-Nymaim-malspam-example.eml.zip   2.2 kB (2,150 bytes)

• 2017-11-03-Nymaim-malspam-example.eml   (4,992 bytes)

• 2017-11-03-Nymaim-notes.txt.zip   1.4 kB (1,433 bytes)

• 2017-11-03-Nymaim-notes.txt   (2,830 bytes)

 

NOTES:

• See "2017-11-03-Nymaim-notes.txt" for domains, IP addresses, file hashes, and other indicators.
• The malspam sample was provided by individuals best described as "miscreant punchers."  Thanks for the info!  You know who you are.

 

IMAGES

Shown above:  Screenshot from the email.

 

Shown above:  Infection traffic in Wireshark.

 

Shown above:  Alerts on the infection traffic from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.

 

Click here to return to the main page.