2018-05-29 - DHL-THEMED MALSPAM WITH LINKS TO .JS FILE DOWNLOADER

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the spreadsheet tracker:  2018-05-29-DHL-themed-malspam-spreadsheet-tracker.csv.zip   1.2 kB (1,161 bytes)

• 2018-05-29-DHL-themed-malspam-spreadsheet-tracker.csv   (2,186 bytes)

• Zip archive of 10 email examples:  2018-05-29-DHL-themed-malspam-10-email-examples.zip   248 kB (248,447 bytes)

• 2018-05-28-DHL-themed-malspam-0508-UTC.eml   (190,207 bytes)
• 2018-05-28-DHL-themed-malspam-1739-UTC.eml   (189,925 bytes)
• 2018-05-28-DHL-themed-malspam-2038-UTC.eml   (190,060 bytes)
• 2018-05-28-DHL-themed-malspam-2109-UTC.eml   (68,446 bytes)
• 2018-05-28-DHL-themed-malspam-2208-UTC.eml   (189,957 bytes)
• 2018-05-28-DHL-themed-malspam-2211-UTC.eml   (190,113 bytes)
• 2018-05-28-DHL-themed-malspam-2216-UTC.eml   (190,137 bytes)
• 2018-05-28-DHL-themed-malspam-2251-UTC.eml   (190,321 bytes)
• 2018-05-28-DHL-themed-malspam-2336-UTC.eml   (190,365 bytes)
• 2018-05-29-DHL-themed-malspam-0146-UTC.eml   (190,225 bytes)

• Zip archive of the infection traffic:  2018-05-29-DHL-themed-malspam-infection-traffic.pcap.zip   3.5 MB (3,521,632 bytes)

• 2018-05-29-DHL-themed-malspam-infection-traffic.pcap   (5,847,764 bytes)

• Zip archive of the malware:  2018-05-29-malware-from-DHL-themed-malspam-infection.zip   554 kB (554,413 bytes)

• DHL-Express-Customer-Invoice.js   (17,004 bytes)
• TempRNi25.eXe   (228,352 bytes)
• hero.exe   (598,016 bytes)

 

NOTES:

• I left the recipents in the To: line in the sanitized email examples, because every recipient I saw this malspam from was BCC-ed.

Shown above:  My attempt at a flowchart for today's infection traffic.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• cityofdifferentips[.]gq
• winterforcing[.]info
• wolahedbune[.]com
• hxxp[:]//37.48.125[.]107/hero.exe
• hxxp[:]//www.abhinish[.]com/wp-content/plugins/js_composer/assets/lib/prettyphoto/images/g_frugality_patholytic.html
• hxxp[:]//www.applauce[.]no/modules/mod_ariimageslidersa/w_aureous_vertically.html
• hxxp[:]//www.bizplace[.]co[.]uk/ghhgtr65d/f_balaenoid_Jordanian.html
• hxxp[:]//www.brigittenyc[.]com/P_neurocardiac_crippledom.html
• hxxp[:]//www.dannemking[.]com.au/loggers/F_strong_corollated.html
• hxxp[:]//www.dilsedilli[.]com/wp-content/plugins/unyson/framework/includes/container-types/box/Q_disprepare_rime.html
• hxxp[:]//www.maratonianos[.]es/d_urushi_naphthalenoid.html
• hxxp[:]//www.rentcar[.]pl//blog/wp-content/uploads/2018/05/p_Petrinist_vacuefy.html
• hxxp[:]//www.rgriggsphoto[.]com/i_unpitying_skibby.html
• hxxp[:]//www.tinkhuyenmai99[.]com/wp-content/uploads/p_overstately_monodromic.html

 

EMAILS

10 EMAIL EXAMPLES:

(Read: date/time - received from -- sending address -- subject)

• 2018-05-28 05:08 UTC -- nh502-vm11.bullet.mail.kks.yahoo[.]co[.]jp ([183.79.56[.]156]) -- DHL <godricgryffindor0731@yahoo[.]co[.]jp> -- Your Invoice Number #113634
• 2018-05-28 17:39 UTC -- nh605-vm3.bullet.mail.ssk.yahoo[.]co[.]jp ([182.22.90[.]76]) -- DHL Post <okatsu12000@yahoo[.]co[.]jp> -- Your Invoice Number #75935
• 2018-05-28 20:38 UTC -- nh602-vm14.bullet.mail.ssk.yahoo[.]co[.]jp ([182.22.90[.]39]) -- DHL Post <hamanakahideo@yahoo[.]co[.]jp> -- Invoice Number #90617
• 2018-05-28 21:09 UTC -- nh504-vm4.bullet.mail.kks.yahoo[.]co[.]jp ([183.79.57[.]90]) -- DHL <kakasipower@yahoo[.]co[.]jp> -- Invoice Number #187256
• 2018-05-28 22:08 UTC -- nh602-vm6.bullet.mail.ssk.yahoo[.]co[.]jp ([182.22.90[.]31]) -- DHL Post <kouji06302000@yahoo[.]co[.]jp> -- Your Invoice Number #193333
• 2018-05-28 22:11 UTC -- nh501.bullet.mail.kks.yahoo[.]co[.]jp ([183.79.56[.]130]) -- DHL Express <kapel0505@yahoo[.]co[.]jp> -- Your Invoice Number #223306
• 2018-05-28 22:16 UTC -- nh504-vm7.bullet.mail.kks.yahoo[.]co[.]jp ([183.79.57[.]93]) -- DHL <srbwg315@yahoo[.]co[.]jp> -- Invoice Number #54281
• 2018-05-28 22:51 UTC -- nh602-vm12.bullet.mail.ssk.yahoo[.]co[.]jp ([182.22.90[.]37]) -- DHL <hirobottle@yahoo[.]co[.]jp> -- Invoice Number #110779
• 2018-05-28 23:36 UTC -- nh604-vm12.bullet.mail.ssk.yahoo[.]co[.]jp ([182.22.90[.]69]) -- DHL <mikixshiki@yahoo[.]co[.]jp> -- Invoice Number #120405
• 2018-05-29 01:46 UTC -- nh505-vm12.bullet.mail.kks.yahoo[.]co[.]jp ([183.79.57[.]114]) -- DHL <kekosugi00@yahoo[.]co[.]jp> -- Your Invoice Number #95575

 

Shown above:  Screen shot from one of the emails.

 

Shown above:  Following a link from one of the emails resulted in some redirects and a downloaded .js file.

 

Shown above:  The downloaded .js file.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

 

URLS FROM THE EMAILS:

• hxxp[:]//www.abhinish[.]com/wp-content/plugins/js_composer/assets/lib/prettyphoto/images/g_frugality_patholytic.html
• hxxp[:]//www.applauce[.]no/modules/mod_ariimageslidersa/w_aureous_vertically.html
• hxxp[:]//www.bizplace[.]co[.]uk/ghhgtr65d/f_balaenoid_Jordanian.html
• hxxp[:]//www.brigittenyc[.]com/P_neurocardiac_crippledom.html
• hxxp[:]//www.dannemking[.]com[.]au/loggers/F_strong_corollated.html
• hxxp[:]//www.dilsedilli[.]com/wp-content/plugins/unyson/framework/includes/container-types/box/Q_disprepare_rime.html
• hxxp[:]//www.maratonianos[.]es/d_urushi_naphthalenoid.html
• hxxp[:]//www.rentcar[.]pl//blog/wp-content/uploads/2018/05/p_Petrinist_vacuefy.html
• hxxp[:]//www.rgriggsphoto[.]com/i_unpitying_skibby.html
• hxxp[:]//www.tinkhuyenmai99[.]com/wp-content/uploads/p_overstately_monodromic.html

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 185.18.199[.]251 port 80 - maratonianos[.]es - GET /d_urushi_naphthalenoid.html
• 111.118.215[.]40 port 80 - winterforcing[.]info - GET /klein/index.html
• 46.30.42[.]66 port 443 - cityofdifferentips[.]gq - GET /XUUXbQkOx.js (HTTPS)
• 46.30.42[.]66 port 443 - cityofdifferentips[.]gq - GET /js.php (HTTPS)
• 111.118.215[.]40 port 80 - winterforcing[.]info - GET /get/new/get.php (returned .js file)
• 111.118.215[.]40 port 80 - winterforcing[.]info - GET /get/get.php?yDokni (returned 1st executable)
• 185.224.249[.]152 port 80 - wolahedbune[.]com - POST /kryaka/index.php
• 37.48.125[.]107 port 80 - 37.48.125[.]107 - GET /hero.exe (returned 2nd executable)
• 37.48.125[.]114 port 98 - Encrypted or encoded traffic, possibly caused by 2nd executable

 

FILE HASHES

DOWNLOADED .JS FILE:

• SHA256 hash:  7521284ee6f9b45f5efe44cf7c449a3ed6fc86d71018fc071cd5c93f98bbafb8
  File size:  17,004 bytes
  File name:  DHL-Express-Customer-Invoice.js

1ST MALWARE EXECUTABLE:

• SHA256 hash:  cca8206696979428e9f4fec0153e2623a95a7ff206f6c68ce262a1dc59d0579c
  File size:  228,352 bytes
  File location:  C:\Users\[username]\AppData\Local\TempRNi25.eXe

2ND MALWARE EXECUTABLE PERSISTENT ON THE INFECTED WINDOWS HOST:

• SHA256 hash:  a8d9739b395df4ceaf14bb51c962368008bd24d00cf98456fdbcd7f58e959a5e
  File size:  598,016 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\hero.exe
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeServices.exe

 

Click here to return to the main page.