2019-01-21 - EMOTET INFECTION WITH GOOTKIT

NOTICE:

ASSOCIATED FILES:

  • 2019-01-21-Emotet-infection-with-Gootkit.pcap   (7,595,455 bytes)
  • 2019-01-21-Emotet-EXE-retreived-by-Word-macro.exe   (159,744 bytes)
  • 2019-01-21-Gootkit-retrieved-by-Emotet-infected-host.exe   (299,520 bytes)
  • 2019-01-21-INF-file-for-Gootkit.txt   (305 bytes)
  • 2019-01-21-downloaded-Word-doc-with-macro-for-Emotet.doc   (265,289 bytes)

NOTES:

Shown above: Flow chart for today's Emotet malspam infection.

WEB TRAFFIC BLOCK LIST

Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domains:

DOWNLOADED WORD DOC


Shown above: Downloaded Word doc with macro for Emotet.

TRAFFIC


Shown above: Traffic from an infection filtered in Wireshark.

DOWNLOAD OF INITIAL WORD DOCUMENT:

TRAFFIC TO RETRIEVE EMOTET EXE CAUSED BY WORD MACRO:

EMOTET POST-INFECTION TRAFFIC:

GOOTKIT POST-INFECTION TRAFFIC:

MALWARE

INITIAL WORD DOC:

EMOTET BINARIES:
