2018-11-23 - QUICK POST: EMOTET INFECTION WITH GOOTKIT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2018-11-23-Emotet-infection-with-Gootkit.pcap.zip   6.1 MB (6,050,723 bytes)

• 2018-11-23-Emotet-infection-with-Gootkit.pcap   (6,681,966 bytes)

• 2018-11-23-Emotet-with-Gootkit-malware-and-artifacts.zip   387 kB (387,161 bytes)

• 2018-11-23-downloaded-Word-doc-with-macro-for-Emotet.doc   (97,024 bytes)
• 2018-11-23-Emotet-malware-binary.exe   (135,168 bytes)
• 2018-11-23-Gootkit-retrieved-by-Emotet-infected-host.exe   (2,283,008 bytes)
• 2018-11-23-Gootkit.inf.txt   (224 bytes)

NOTES:

• @xorsthingsv2, @James_inthe_box, @avman1995, and @nazywam identified the follow-up malware during this Twitter discussion after I caught a sample yesterday.
• I'm seeing a lot of new Word docs, but no new XML docs recently used by Emotet.
• I stopped seeing those XML docs as of Wednesday 2018-11-21, so the timeframe I saw the XML docs was from Friday 2018-11-16 through Tuesday 2018-11-20.

 

Shown above:  Flow chart for recent Ursnif malspam infections I've seen.

 

IMAGES

Shown above:  Traffic from today's infection filtered in Wireshark.

 

Shown above:  Certificate data from the Gootkit post-infection traffic.

 

Shown above:  More certificate data from the Gootkit post-infection traffic.

 

Click here to return to the main page.