2017-12-11 - AUTOIT MALSPAM - SUBJECT: NFE - FISCAL

ASSOCIATED FILES:

• Zip archive of the 2 emails:  2017-12-11-two-fake-NF-e-malspam-NF-e-mails.zip   2.0 kB (1,973 bytes)
• Zip archive of the pcap:  2017-12-11-fake-NF-e-malspam-traffic.pcap.zip   7.8 MB (7,779,224 bytes)
• Saz archive of the Fiddler capture:  2017-12-11-fake-NF-e-malspam-traffic.saz   9.0 MB (9,044,549 bytes)
• Zip archive of the malware and artifacts:  2017-12-11-fake-NF-e-malware-and-artifacts.zip   18 MB (18,043,683 bytes)

NOTES:

• AutoIT script-based Windows executables in post-infection artifacts show don't appear to be inherently malicious.
• When these AutoIT executables load the appropriate data, that represents malicious activity.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

• hxxps://www.nfsefiscal.com/download/
• hxxps://www.dropbox.com/s/nvai6b1cw47hydr/NIF-NotaFiscalOnline.zip?dl=1
• hxxps://dl.dropboxusercontent.com/content_link/mH9Irb9YVe3LrBaTBl4RBu4VamLwGv8Jq4aLDrrqmFvbilQgP37FLVzRMFkMRO3O/file?dl=1
• hxxps://cl.ly/280t1k29462z/Fly.exim
• hxxps://my.cl.ly/content/280t1k29462z
• hxxps://d1ax1i5f2y3x71.cloudfront.net/items/313c0F2Q072I2r3V3Q0d/Fly.exim
• hxxps://cl.ly/2R231C0X3w0Q/But.exim
• hxxps://my.cl.ly/content/2R231C0X3w0Q
• hxxps://d26dzxoao6i3hh.cloudfront.net/items/2m2v0U2r1B3Q3C1B2L3p/But.exim

 

EMAILS

Shown above:  Screenshot from one of the emails.

 

EMAIL INFO:

• Received: from a18.fctspnotas.com ([80.211.151.103])
• Date: Monday, 2017-12-11 14:04 UTC
• From: NFe - FISCAL <administrativo@nfsefiscal.com>
• Subject: NFe - FISCAL
• Link in the message: hxxps://www.nfsefiscal.com/download/

• Received: from a16.fctspnotas.com ([80.211.224.212])
• Date: Monday, 2017-12-11 16:01 UTC
• From: NFe - FISCAL <administrativo@nfsefiscal.com>
• Subject: NFe - FISCAL
• Link in the message: hxxps://www.nfsefiscal.com/download/

 

Shown above:  Clicking on link from the email.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Traffic from the infection as seen in Fiddler.

 

INITIAL FILE DOWNLOAD:

• hxxps://www.nfsefiscal.com/download/
• hxxps://www.dropbox.com/s/nvai6b1cw47hydr/NIF-NotaFiscalOnline.zip?dl=1
• hxxps://dl.dropboxusercontent.com/content_link/mH9Irb9YVe3LrBaTBl4RBu4VamLwGv8Jq4aLDrrqmFvbilQgP37FLVzRMFkMRO3O/file?dl=1

POST-INFECTION TRAFFIC:

• hxxps://cl.ly/280t1k29462z/Fly.exim
• hxxps://my.cl.ly/content/280t1k29462z
• hxxps://d1ax1i5f2y3x71.cloudfront.net/items/313c0F2Q072I2r3V3Q0d/Fly.exim
• hxxp://35.196.225.252/index.php
• hxxp://35.196.225.252/favicon.ico
• hxxps://cl.ly/2R231C0X3w0Q/But.exim
• hxxps://my.cl.ly/content/2R231C0X3w0Q
• hxxps://d26dzxoao6i3hh.cloudfront.net/items/2m2v0U2r1B3Q3C1B2L3p/But.exim

 

MALWARE AND ARTIFACTS

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\BrowserHandler.exe
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\12109-6763-31200.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\16232-1808-17613.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\16722-4121-4114.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\17574-6916-29968.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\18318-25711-19612.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\19564-13882-27968.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\20758-24661-8579.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\226-17243-23413.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\23289-17656-2018.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\23293-203-11711.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\26301-20336-3040.dat (data)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\28412-20609-12801.dat (data used by BrowserHandler.exe)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\29162-13071-32370.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\29190-24662-13950.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\30277-9359-17535.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\30604-15555-6388.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\3116-4188-2833.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\31945-852-31182.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\3589-28556-10725.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\5894-29496-20771.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\5895-17798-5702.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\617-24279-18143.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\AuthorizedEvent\83-16089-32015.dat (small PNG image)
• C:\Users\[username]\AppData\Roaming\HelperAgent\HelperAgent.exe
• C:\Users\[username]\AppData\Roaming\HelperAgent\26230-29891-15867.sql (data used by HelperAgent.exe)
• C:\Users\[username]\AppData\Roaming\HelperAgent\3816-22684-29724.sql (data)
• C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HelperAgent.lnk
• C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PSafe Digital Security.lnk

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

• SHA256 hash: bd46ceadcf6d3611b610d8b07f53f4018ab4a1b0fb796c4379b6afb581fe48ac
• File size: 558,594 bytes
• File name: NIF-NotaFiscalOnline.zip
• File description: Downloaded zip archive from link in the email.

• SHA256 hash: e47b5a3f665432fd496b5d3de0e7ff2feb1622034e0d3655078fd6c634c03caf
• File size: 985,600 bytes
• File name: NIF-NotaFiscalOnline.exe
• File description: Windows executable extracted from downloaded zip archive.

• SHA256 hash: 458e1348cf761259611e1f0aa9f1d8cfe20cd3f1a30c32bf8738ffaff1f106f5
• File size: 7,206,764 bytes
• File name: Fly.exim
• File description: Follow-up download, password-protected Zip archive.

• SHA256 hash: 9875b4ed399994f0f3e35abd6b63960b86ef672c87033b7d0848c478cbf95907
• File size: 1,254,959 bytes
• File name: But.exim
• File description: Follow-up download, password-protected Zip archive.

• SHA256 hash: 8498900e57a490404e7ec4d8159bee29aed5852ae88bd484141780eaadb727bb
• File size: 937,776 bytes
• File location: C:\Users\[username]\AppData\Roaming\AuthorizedEvent\BrowserHandler.exe
• File description: AutoIT alware persistent on the infected Windows host.
• NOTE: This is an AutoIT file that's probably not inherently malicious, but for what it's loading.

• SHA256 hash: d1c0e922f1413bc575bc651dd7aafb6f9b26e2f226fbc0e36b7fbe4f95027546
• File size: 462,128 bytes
• File location: C:\Users\[username]\AppData\Roaming\HelperAgent\HelperAgent.exe
• File description: AutoIT alware persistent on the infected Windows host.
• NOTE: This is an AutoIT file that's probably not inherently malicious, but for what it's loading.

 

IMAGES

Shown above:  Two shortcut files in the Start Menu's Startup folder for infection persistence.

 

Shown above:  The first shortcut file.

 

Shown above:  The second shortcut file.

 

Shown above:  Directories and files from the infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the 2 emails:  2017-12-11-two-fake-NF-e-malspam-NF-e-mails.zip   2.0 kB (1,973 bytes)
• Zip archive of the pcap:  2017-12-11-fake-NF-e-malspam-traffic.pcap.zip   7.8 MB (7,779,224 bytes)
• Saz archive of the Fiddler capture:  2017-12-11-fake-NF-e-malspam-traffic.saz   9.0 MB (9,044,549 bytes)
• Zip archive of the malware and artifacts:  2017-12-11-fake-NF-e-malware-and-artifacts.zip   18 MB (18,043,683 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.