2017-11-15 - BRAZIL MALSPAM PUSHES BANLOAD MALWARE
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-11-15-Brazil-malspam-pushes-Banload.pcap.zip 9.5 MB (9,493,139 bytes)
- 2017-11-15-Brazil-malspam-pushes-Banload.pcap (10,065,400 bytes)
- Zip archive of the malware: 2017-11-15-Brazil-malspam-and-artifacts.zip 20.6 MB (20,619,360 bytes)
- 2017-11-15-Banload-malspam-1415-UTC.eml (1,571 bytes)
- BrofWorks0.dat (15 bytes)
- BrofWorks0.exe (373,434,880 bytes)
- SYS547474548446832 (9,977,886 bytes)
- whatsapp_Foto_safada_as_completo.exe (3,355,648 bytes)
- whatsapp_Foto_safada_as_completo.zip (1,547,986 bytes)
Shown above: Screenshot from the email.
EMAIL INFO:
- Date: Wednesday, 2017-11-15 14:13 UTC
- From: [spoofed as recipient's address]
- Subject: Conseguei as fotos olha ai
TRAFFIC
Shown above: Infection traffic filtered in Wireshark.
URLS FROM THE INFECTION TRAFFIC:
- 34.201.65.110 port 80 - 34.201.65.110 - GET /fofocaonline
- 34.201.65.110 port 80 - 34.201.65.110 - GET /fofocaonline/
- port 80 - bit.ly - GET /2AOc3Ia
- port 443 (HTTPS) - cdn.fbsbx.com - GET /v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip?oh=1513a4fa6cc7096daa4c605f108c7106&oe=5A0E470B&dl=1
- 104.31.69.18 port 443 (HTTPS) - www.cabanadosol.net - GET /venhanovembrocomgosto/BrofWorksshoppingsys0.zip
- 177.53.141.29 port 80 - 177.53.141.29 - GET /GeneralMaximus/notify.php?MD=[infected host information]
- www.google.com.br - GET /
- www.horariodebrasilia.org - GET /
MALWARE
DOWNLOADED MALWARE:
- SHA256 hash: 45529a3aebac3aaa519c92dde2ae9a70de3d3de4d5b21204c465427e3c6e7c62
File size: 1,547,986 bytes
File name: whatsapp_Foto_safada_as_completo.zip
File location: hxxps://cdn.fbsbx.com/v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip?oh=1513a4fa6cc7096daa4c605f108c7106&oe=5A0E470B&dl=1
File description: Zip archive downloaded after clicking link from the email
- SHA256 hash: 5475fe85291d663c8de1f8de19da62733dcb80c48cff8add876712689f20c17b
File size: 3,355,648 bytes
File name: whatsapp_Foto_safada_as_completo.exe
File description: Extracted executable from the downloaded zip archive
POST-INFECTION MALWARE:
- SHA256 hash: 66374d950956df8795c9bce2e7a80117428d67ef1cc5228311dd849aa609d22c
File size: 9,977,886 bytes
File location: C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\SYS547474548446832
File location: hxxps://www.cabanadosol.net/venhanovembrocomgosto/BrofWorksshoppingsys0.zip
File description: Follow-up zip archive after running the extracted executable
- SHA256 hash: 1bb4d573b1808e8094d379b108ca90d6e0a9a8a0fc0e2fe91a5ee94d701cbed0
File size: 15 bytes
File location: C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\BrofWorks0.dat
File description: Text file from the follow-up zip archive
- SHA256 hash: 2b9d656a704e6ee197143d0577eaa48e131d26b69acca2cd49e418b6bfa825a4
File size: 373,434,880 bytes
File location: C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\BrofWorks0.exe
File description: Executable from the follow-up zip archive
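The URL list under TRAFFIC and the hashes under MALWARE are the indicators a defender would want to sweep for. The script below is an added example, not code from this page or its author: it loads those indicators, scans a small set of constructed proxy log lines (the log format is an assumption), separates hosts that merely downloaded the zip from hosts that reached the post-infection notify.php check-in, and checks a constructed file inventory against the SHA256 hashes. Shared services on the page (bit.ly, cdn.fbsbx.com) are matched on their full paths rather than by host, and www.google.com.br / www.horariodebrasilia.org are left out as general-purpose sites that would flag normal traffic.

```python
import re
from typing import Dict, List, Optional, Set

# Network indicators taken from this page's "URLs from the infection traffic".
# Each entry matches on host plus a path prefix. bit.ly and cdn.fbsbx.com are
# shared, legitimate services, so they are matched on the full path rather than
# the host alone to avoid flagging normal traffic. www.google.com.br and
# www.horariodebrasilia.org also appear in the pcap but are general-purpose
# sites and are deliberately not used as indicators here.
NETWORK_IOCS = [
    {"host": "34.201.65.110", "path_prefix": "/fofocaonline", "stage": "initial redirect"},
    {"host": "bit.ly", "path_prefix": "/2AOc3Ia", "stage": "shortener hop"},
    {"host": "cdn.fbsbx.com",
     "path_prefix": "/v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip",
     "stage": "initial zip download"},
    {"host": "www.cabanadosol.net",
     "path_prefix": "/venhanovembrocomgosto/BrofWorksshoppingsys0.zip",
     "stage": "follow-up zip download"},
    {"host": "177.53.141.29", "path_prefix": "/GeneralMaximus/notify.php?MD=",
     "stage": "post-infection check-in"},
]

# SHA256 hashes taken from this page, keyed to the file name given for each.
FILE_HASH_IOCS = {
    "45529a3aebac3aaa519c92dde2ae9a70de3d3de4d5b21204c465427e3c6e7c62": "whatsapp_Foto_safada_as_completo.zip",
    "5475fe85291d663c8de1f8de19da62733dcb80c48cff8add876712689f20c17b": "whatsapp_Foto_safada_as_completo.exe",
    "66374d950956df8795c9bce2e7a80117428d67ef1cc5228311dd849aa609d22c": "SYS547474548446832",
    "1bb4d573b1808e8094d379b108ca90d6e0a9a8a0fc0e2fe91a5ee94d701cbed0": "BrofWorks0.dat",
    "2b9d656a704e6ee197143d0577eaa48e131d26b69acca2cd49e418b6bfa825a4": "BrofWorks0.exe",
}

# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <host> <method> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: one infected client (10.0.0.5) walking the full chain,
# plus a second client (10.0.0.7) using the same shared services for unrelated content.
SAMPLE_PROXY_LOG = """\
2017-11-15T14:20:01Z 10.0.0.5 34.201.65.110 GET /fofocaonline 301
2017-11-15T14:20:02Z 10.0.0.5 34.201.65.110 GET /fofocaonline/ 302
2017-11-15T14:20:03Z 10.0.0.5 bit.ly GET /2AOc3Ia 301
2017-11-15T14:20:04Z 10.0.0.5 cdn.fbsbx.com GET /v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip?oh=1513a4fa6cc7096daa4c605f108c7106&oe=5A0E470B&dl=1 200
2017-11-15T14:21:10Z 10.0.0.5 www.cabanadosol.net GET /venhanovembrocomgosto/BrofWorksshoppingsys0.zip 200
2017-11-15T14:22:00Z 10.0.0.5 177.53.141.29 GET /GeneralMaximus/notify.php?MD=PLACEHOLDER-HOST-INFO 200
2017-11-15T14:22:05Z 10.0.0.5 www.google.com.br GET / 200
2017-11-15T14:22:06Z 10.0.0.5 www.horariodebrasilia.org GET / 200
2017-11-15T14:25:00Z 10.0.0.7 bit.ly GET /someOtherLink 301
2017-11-15T14:26:00Z 10.0.0.7 cdn.fbsbx.com GET /v/t59.2708-21/unrelated_file.zip 200
"""


def match_proxy_line(line: str) -> Optional[dict]:
    """Return a hit dict if the log line matches a network indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path")
    for ioc in NETWORK_IOCS:
        if host == ioc["host"] and path.startswith(ioc["path_prefix"]):
            return {"ts": m.group("ts"), "client": m.group("client"), "host": host, "stage": ioc["stage"]}
    return None


def scan_proxy_log(text: str) -> List[dict]:
    """Scan every line of a proxy log and return the indicator hits in order."""
    return [hit for hit in (match_proxy_line(line) for line in text.splitlines()) if hit]


def clients_with_checkin(hits: List[dict]) -> Set[str]:
    """Clients that reached the notify.php check-in: the malware ran, not merely downloaded."""
    return {h["client"] for h in hits if h["stage"] == "post-infection check-in"}


def match_hashes(inventory: Dict[str, str]) -> List[dict]:
    """inventory maps a local file path to its SHA256 hex digest; returns known-bad matches."""
    return [{"path": p, "known_as": FILE_HASH_IOCS[h.lower()]}
            for p, h in inventory.items() if h.lower() in FILE_HASH_IOCS]


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['ts']} {h['client']} {h['host']} -> {h['stage']}")
    print("clients that checked in:", sorted(clients_with_checkin(hits)))
```

The stage labels matter more than the raw hit count: a client that only appears at the "initial zip download" stage received the bait but may not have run it, while a hit on the notify.php check-in (which carries infected-host information in the MD parameter) means the executable ran and the host should be isolated and have its %AppData%\Roaming\GENRSEAMARALTG directory and Start Menu shortcut examined.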
IMAGES
Shown above: Clicking a link in the email returns the initial zip archive.
Shown above: The downloaded zip archive contains malware.
Shown above: Some artifacts seen during this infection.
Shown above: Shortcut added to the Start Menu to create a persistent infection.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-11-15-Brazil-malspam-pushes-Banload.pcap.zip 9.5 MB (9,493,139 bytes)
- Zip archive of the malware: 2017-11-15-Brazil-malspam-and-artifacts.zip 20.6 MB (20,619,360 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.