2017-03-14 KOVTER INFECTION WITH NEMUCOD RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-03-14-Kovter-infection-with-Nemucod-ransomware-infection.pcap.zip   1.2 MB (1,215,216 bytes)
• 2017-03-14-email-example-and-Kovter-malware-and-Nemucod-ransomware.zip   341.1 kB (341,050 bytes)

 

NOTES:

Today's infection didn't include Locky rasomware with the Kovter malware.  Instead, I saw Nemucod ransomware with the Kovter infection for the Windows host I tested.

Shown above:  Desktop of the infected Windows host.

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date:  Tuesday, 2017-03-14 14:57 UTC
• Subject:  Status of your UPS delivery ID:01588569
• From:  therapyprofits@host.rxjkj[.]com
• Message-Id:  <E1cnnt8-000BTJ-Rn@host.rxjkj[.]com>
• Received:  from [67.225.133.251:49419] helo=host.rxjkj[.]com

 

Shown above:  Attached zip archive from the email.

 

Shown above:  Extracted .js file from the zip archive.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTION:

• 50.63.32[.]1 port 80 - bessondesign[.]com - GET /counter/?000000151qYt[long string]_ERoiE
• 72.167.3[.]1 port 80 - stihocom[.]com - GET /counter/?000000151qYt[long string]_ERoi2
• 72.167.3[.]1 port 80 - stihocom[.]com - GET /counter/?000000151qYt[long string]_ERoi3
• 72.167.3[.]1 port 80 - stihocom[.]com - GET /counter/?000000151qYt[long string]_ERoi4
• 72.167.3[.]1 port 80 - stihocom[.]com - GET /counter/?000000151qYt[long string]_ERoi5
• 185.117.72[.]90 port 80 - 185.117.72[.]90 - POST /upload2.php
• 204.115.119[.]159 port 80 - 204.115.119[.]159 - POST /
• 203.255.83[.]72 port 80 - 203.255.83[.]72 - POST /
• 104.27.192[.]49 port 80 - 104.27.192[.]49 - POST /
• Various IP addresses port 443 and port 8080 - HTTPS/SSL/TLS post-infection traffic

• kanhona[.]com - GET /counter/?000000151qYt[long string] - Another URL from the extracted .js file
• stihocom[.]com - GET /counter/?000000151qYt[long string] - Another URL from the extracted .js file
• milwaukeewings[.]com - GET /counter/?000000151qYt[long string] - Another URL from the extracted .js file
• aao.hawaiiconvention[.]com - GET /counter/?000000151qYt[long string] - Another URL from the extracted .js file

 

Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil on Security Onion.

 

FILE HASHES

SOME FILES FROM THE ZIP ARCHIVE:

• e0146815fdcda65410c9d9d13982a233b2e8b0db7d8f8f490d93e1de9b0b6928 - 2017-03-14-javascript-returned-from-bessondesign_com.txt
• 938d580848ff68493858af25e5769fc63c4e410d6dbceae5524d082019d438ff - 2765b.png (.exe file, Kovter)
• a697377b3d12be8561795bdb9b63f0277194cbfa0d2ae8e70c0b8ab0f50b023a - UPS-Label-01588569.doc.js
• 0d968cf281024044ce2d36f9f983d0bdca8411144a04dbf4e74a46e75d8798e8 - UPS-Label-01588569.zip
• 3c9dd68870563d9d8c0be97ca378ad02aa147b3b5dea54730c78f93782508b20 - a.doc
• fe705ebadce6ad84624fded141abf645265f6b7989a3913f4b6d73ed1b07ab58 - cdd59eca86.png (.txt file, looks like script related to Nemucod ransomware)

Artifacts on the infected host:

• C:\Users\[Username]\AppData\Local\254e\b329.bat
• C:\Users\[Username]\AppData\Local\254e\2ce1.65341
• C:\Users\[Username]\AppData\Local\Temp\a.doc
• C:\Users\[Username]\AppData\Local\Temp\a.txt   (Nemucod ransomware decryption instructions)
• C:\Users\[Username]\AppData\Local\Temp\a1.exe
• C:\Users\[Username]\AppData\Local\Temp\a2.exe

 

Click here to return to the main page.