# 2017-04-03 - DHL INVOICE MALSPAM/PHOTO MALSPAM - VARIOUS SUBJECT LINES **malware-traffic-analysis.net/2017/04/03/index2.html** ASSOCIATED FILES: ZIP archive of the pcap: [2017-04-03-DHL-malspam-traffic.pcap.zip 9.2 MB](http://malware-traffic-analysis.net/2017/04/03/2017-04-03-DHL-malspam-traffic.pcap.zip) (9,156,384 bytes) 2017-04-03-DHL-malspam-traffic.pcap (10,643,014 bytes) ZIP archive of the malware: [2017-04-03-DHL-and-image-malspam-and-artifacts.zip](http://malware-traffic-analysis.net/2017/04/03/2017-04-03-DHL-and-image-malspam-and-artifacts.zip) 694 kB (684,209 bytes) 2017-04-03-fake-DHL-malspam-0928-UTC.eml (22,764 bytes) 2017-04-03-fake-DHL-malspam-1117-UTC.eml (22,746 bytes) 2017-04-03-fake-DHL-malspam-1220-UTC.eml (22,812 bytes) 2017-04-03-fake-image-malspam-1357-UTC.eml (22,126 bytes) 2017-04-03-fake-image-malspam-1546-UTC.eml (22,646 bytes) 2017-04-03-fake-image-malspam-1646-UTC.eml (22,391 bytes) 33521.exe (353,965 bytes) 462137.exe (295,936 bytes) Balt.dll (49,152 bytes) Commercial_CVS_inv.03.04.2017.cvs.js (25,273 bytes) Commercial_CVS_inv.03.04.2017.zip (15,870 bytes) img-20170403-0014,jpeg.zip (15,446 bytes) img-20170403-0054.jpeg.js (24,464 bytes) NOTES: Saw two waves of malspam with zip attachments containing .js files that generated the same infection traffic. Post-infection traffic generated alerts for Ursnif and Pushdo. Also reported at: https://myonlinesecurity.co.uk/spoofed-dhl-shipment-notificationdelivers-unknown-malware/ ## EMAIL ----- _Shown above: Screen shot of an email from the first wave._ _Shown above: Screen shot of an email from the second wave._ EMAIL HEADERS - FIRST WAVE: Date: Monday 2017-04-03 at 09:27 UTC From: Subject: commercial invoice - customer 4364201038 102642523877 Attachment name: Commercial_CVS_inv.03.04.2017.zip Extracted file name: Commercial_CVS_inv.03.04.2017.cvs.js Date: Monday 2017-04-03 at 11:17 UTC From: Subject: NOTICE CUSTOMS CHARGES 0094793224 767285436700 Attachment name: Commercial_CVS_inv.03.04.2017.zip Extracted file name: Commercial_CVS_inv.03.04.2017.cvs.js Date: Monday 2017-04-03 at 12:20 UTC From: Subject: Dhl Commercial Invoices 6807164709 856884589470 ----- Attachment name: Commercial_CVS_inv.03.04.2017.zip Extracted file name: Commercial_CVS_inv.03.04.2017.cvs.js EMAIL HEADERS - SECOND WAVE: Date: Monday 2017-04-03 at 13:57 UTC From: marco.desiderio@cogug.com Subject: photo 08 Attachment name: img-20170403-0089,jpeg.zip Extracted file name: img-20170403-0054.jpeg.js Date: Monday 2017-04-03 at 15:46 UTC From: direzione@nyloq.com Subject: img_2550 Attachment name: img-20170403-0014,jpeg.zip Extracted file name: img-20170403-0054.jpeg.js Date: Monday 2017-04-03 at 16:46 UTC From: marzia.berghella@yahoo.com.hk Subject: photo 2DNXAY Attachment name: img-20170403-0015,jpeg.zip Extracted file name: img-20170403-0054.jpeg.js _Shown above: Attachment taken from the malspam._ ----- ## TRAFFIC _Shown above: Traffic from the infection filtered in Wireshark._ ASSOCIATED DOMAINS: 178.136.218.52 port 80 - sillo.net - GET /1002.exe 31.135.125.26 port 80 - monsteradds.at - GET /x64.bin -- [Ursnif module download] 52.52.2.146 port 80 - constitution.org - GET /usdeclar.txt -- [Gozi/Ursnif/Papras _connectivity check]_ 5.248.126.219 port 80 - sillo.net - GET /30.bin -- [Zbot Generic URI/header struct _.bin]_ Various IP addresses on port TCP 80 - various domains - POST / -- [Pushdo.s _checkin]_ Various IP addresses on various TCP ports - various domains - Tor traffic Various IP addresses on various ports - attempted TCP connections and non-Tor traffic ## FILE HASHES ----- EMAIL ATTACHMENTS: SHA256 hash: 1b402c3ccfe5380425023022614abc4af53369536bda9c70b3074e50484bb340 File name: Commercial_CVS_inv.03.04.2017.zip SHA256 hash: ef3bbbace6eeaf06c2101612d45d694f734b6759ec89b83db0e3d07ea5c49f57 File name: img-20170403-0014,jpeg.zip File name: img-20170403-0015,jpeg.zip File name: img-20170403-0089,jpeg.zip EXTRACTED JS FILES: SHA256 hash: faad4f8730db9825cfc5fd29f105a16849c83e61e836d68b2e3eff55fe0f1ec5 File name: Commercial_CVS_inv.03.04.2017.cvs.js SHA256 hash: a62712ff422477b15e512d3d83285d61c760c468e8f8bae26a7e5f0174e57db9 File name: img-20170403-0054.jpeg.js FILES RETRIEVED FROM THE INFECTED HOST: SHA256 hash: 94380803ac48bec2ca431f968240f4444fdc3a30bd04dbc62bf099bf0ece01f8 File location:  C:\Users\[username]\AppData\Local\Temp\33521.exe File location:  C:\Users\ [username]\AppData\Roaming\Microsoft\Cmcfspex\admpptsp.exe SHA256 hash: d26161bc381625ade7fb51db987f2e69c244acc642911948b1507860e90fd3f9 File location:  C:\Users\[username]\AppData\Local\Temp\462137.exe File location:  C:\Users\[username]\bsebegfabe.exe SHA256 hash: 7b1bcab8e3aa932c6ebac8df67d0797b0c8aaa3a7870408085341500687720a6 File location:  C:\Users\[username]\AppData\Local\Temp\Balt.dll ## IMAGES ----- _[Shown above: Some alerts on the traffic from the Emerging Threats Pro (ETPRO) rulesets](http://docs.emergingthreats.net/bin/view/Main/WebSearch)_ _[using Sguil on Security Onion.](https://securityonion.net/)_ ## FINAL NOTES Once again, here are the associated files: ZIP archive of the pcap: [2017-04-03-DHL-malspam-traffic.pcap.zip 9.2 MB](http://malware-traffic-analysis.net/2017/04/03/2017-04-03-DHL-malspam-traffic.pcap.zip) (9,156,384 bytes) ZIP archive of the malware: [2017-04-03-DHL-and-image-malspam-and-artifacts.zip](http://malware-traffic-analysis.net/2017/04/03/2017-04-03-DHL-and-image-malspam-and-artifacts.zip) 694 kB (684,209 bytes) ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website. [Click here to return to the main page.](http://malware-traffic-analysis.net/index.html) -----