2017-05-03 - UNIDENTIFIED MALWARE FROM WHATSAPP-THEMED MALSPAM
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-05-03-WhatsApp-themed-emails-and-unidentified-malware-sample.zip 438.9 kB (438,875 bytes)
- 2017-05-03-WhatsApp-themed-malspam-1338-UTC.eml (3,039 bytes)
- 2017-05-03-WhatsApp-themed-malspam-1608-UTC.eml (3,337 bytes)
- Voicemail.js (15,972 bytes)
- Voicemail.zip (6,324 bytes)
- klo5.exe (1,042,432 bytes)
Shown above: Screen shot from one of the emails.
EMAIL HEADERS:
- Date/Time: Wednesday 2017-05-03, as early as 12:38 UTC through at least 16:08 UTC
- From: (spoofed) "WhatsApp" <no-reply@acctalerts[.]com>
- Subject: Missed voice message
Shown above: Header lines from one of the emails.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: TCP stream of the URL from the email using HTTP instead of HTTPS.
ASSOCIATED DOMAINS:
- 198.252.106[.]149 port 443 - muabantiengame[.]com - GET /wp-content/themes/ddd/voice.html?kjdfhjjdfjdfhjdfifdhijhkfdhfdjbjfdnfbnaiewiuweewnwebmnwenbewbewbewbnwejbwejewjhwejewjewjhewjhewhewjhewhjjehewhjhjewhjewhjwehjewhjwejhwehjwehjhjwehjejhewjhewjhehjewjewjhewjhewjh [HTTPS download for zip file]
- 188.226.145[.]50 port 443 - www.security-support[.]tech - GET /hcamp1.gif [HTTPS download for follow-up EXE]
FILE HASHES
ZIP ARCHIVE DOWNLOADED FROM LINK IN THE EMAIL:
- SHA256 hash: 01ecf50b51f0d8d9d9b28c5ad4628dbfbf4fe2cb4c04c5bbef54834d7fee27dd
- File name: Voicemail.zip
- File size: 6,324 bytes
.JS FILE EXTRACTED FROM THE ZIP ARCHIVE:
- SHA256 hash: 22e47af467e655c0b9a636f37852277a042bdb8286f47ad4abaf6dde3cfc09ec
- File name: Voicemail.js
- File size: 15,972 bytes
FOLLOW-UP .EXE DOWNLOADED BY THE .JS FILE:
- SHA256 hash: 87296f9c51aefc66a2289a488ad968f430aedd52f55039ad514bf568624f9b56
- File location: C:\Users\[username]\klo5.exe
- File size: 1,042,432 bytes
IMAGES
Shown above: Downloading the zip archive from the email link.
Shown above: The extracted .js file from the zip archive.
Shown above: Follow-up executable crashing (on Windows 7 virtual machine or Windows 7 physical host).