2017-11-15 - BANLOAD INFECTION FROM BRAZIL MALSPAM

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-11-15-Banload-infection.pcap.zip   9.5 MB (9,493,115 bytes)

• 2017-11-15-Banload-infection.pcap   (10,065,400 bytes)

• 2017-11-15-Banload-email-and-malware.zip   20.6 MB (20,620,006 bytes)

• 2017-11-15-Banload-malspam-1415-UTC.eml   (1,571 bytes)
• BrofWorks0.dat   (15 bytes)
• BrofWorks0.exe   (373,434,880 bytes)
• SYS547474548446832   (9,977,886 bytes)
• whatsapp_Foto_safada_as_completo.exe   (3,355,648 bytes)
• whatsapp_Foto_safada_as_completo.zip   (1,547,986 bytes)

 

EMAIL

Shown above:  Screenshot from the email.

 

EMAIL INFO:

• Date:  Wednesday, 2017-11-15 14:13 UTC
• From:  [spoofed as recipient's address]
• Subject:  Conseguei as fotos olha ai

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

URLS FROM THE INFECTION TRAFFIC:

• 34.201.65[.]110 port 80 - 34.201.65[.]110 - GET /fofocaonline
• 34.201.65[.]110 port 80 - 34.201.65[.]110 - GET /fofocaonline/
• port 80 - bit[.]ly - GET /2AOc3Ia
• port 443 (HTTPS) - cdn.fbsbx[.]com - GET /v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip?oh=
  1513a4fa6cc7096daa4c605f108c7106&oe=5A0E470B&dl=1
• 104.31.69[.]18 port 443 (HTTPS) - www.cabanadosol[.]net - GET /venhanovembrocomgosto/BrofWorksshoppingsys0.zip
• 177.53.141[.]29 port 80 - 177.53.141[.]29 - GET /GeneralMaximus/notify.php?MD=[infected host information]
• www.google[.]com[.]br - GET /
• www.horariodebrasilia[.]org - GET /

 

MALWARE

DOWNLOADED MALWARE:

• SHA256 hash:  45529a3aebac3aaa519c92dde2ae9a70de3d3de4d5b21204c465427e3c6e7c62
  File size:  1,547,986 bytes
  File name:  whatsapp_Foto_safada_as_completo.zip
  File location:  hxxps[:]//cdn.fbsbx[.]com/v/t59.2708-21/23419082_867269373447104_1320564789818163200_n.zip/whatsapp_Foto_safada_as_completo.zip?oh=
  1513a4fa6cc7096daa4c605f108c7106&oe=5A0E470B&dl=1
  File description:  Zip archive downloaded after clicking link from the email

• SHA256 hash:   5475fe85291d663c8de1f8de19da62733dcb80c48cff8add876712689f20c17b
  File size:   3,355,648 bytes
  File name:   whatsapp_Foto_safada_as_completo.exe
  File description:   Extracted executable from downloaded zip archive

 

POST-INFECTION MALWARE:

• SHA256 hash:  66374d950956df8795c9bce2e7a80117428d67ef1cc5228311dd849aa609d22c
  File size:  9,977,886 bytes
  File location:  C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\SYS547474548446832
  File location:  hxxps[:]//www.cabanadosol[.]net/venhanovembrocomgosto/BrofWorksshoppingsys0.zip
  File description:  Follow-up zip archive retrieved after running the extracted executable

• SHA256 hash:  1bb4d573b1808e8094d379b108ca90d6e0a9a8a0fc0e2fe91a5ee94d701cbed0
  File size:  15 bytes
  File location:  C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\BrofWorks0.dat
  File description:  Text file from the follow-up zip archive

• SHA256 hash:  2b9d656a704e6ee197143d0577eaa48e131d26b69acca2cd49e418b6bfa825a4
  File size:  373,434,880 bytes
  File location:  C:\Users\[username]\AppData\Roaming\GENRSEAMARALTG\BrofWorks0.exe
  File description:  Executable from the follow-up zip archive

 

IMAGES

Shown above:  Clicking a link in the email returns the initial zip archive.

 

Shown above:  The downloaded zip archive contains malware.

 

Shown above:  Some artifacts seen during this infection.

 

Shown above:  Shortcut added to the Start Menu's Startup folder to create a persistent infection.

 

Click here to return to the main page.