Malware-Traffic-Analysis.net - 2017-04-03 - Ursnif and Pushdo infection
http://malware-traffic-analysis.net/2017/04/03/index2.html
Archived: 2026-04-05 17:48:16 UTC

NOTICE: The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-03-Ursnif-and-Pushdo-infection.pcap.zip   9.2 MB (9,156,400 bytes)
    2017-04-03-Ursnif-and-Pushdo-infection.pcap   (10,643,014 bytes)

2017-04-03-Ursnif-and-Pushdo-emails-and-malware.zip   685.7 kB (685,705 bytes)
    2017-04-03-DHL-themed-malspam-0928-UTC.eml   (22,764 bytes)
    2017-04-03-DHL-themed-malspam-1117-UTC.eml   (22,746 bytes)
    2017-04-03-DHL-themed-malspam-1220-UTC.eml   (22,812 bytes)
    2017-04-03-image-themed-malspam-1357-UTC.eml   (22,126 bytes)
    2017-04-03-image-themed-malspam-1546-UTC.eml   (22,646 bytes)
    2017-04-03-image-themed-malspam-1646-UTC.eml   (22,391 bytes)
    33521.exe   (353,965 bytes)
    462137.exe   (295,936 bytes)
    Balt.dll   (49,152 bytes)
    Commercial_CVS_inv.03.04.2017.cvs.js   (25,273 bytes)
    Commercial_CVS_inv.03.04.2017.zip   (15,870 bytes)
    img-20170403-0014,jpeg.zip   (15,446 bytes)
    img-20170403-0054.jpeg.js   (24,464 bytes)

NOTES:

Two waves of malspam, each carrying a zip attachment that contained a .js file, generated the same infection traffic. Post-infection traffic generated alerts for Ursnif and Pushdo.

EMAIL

Shown above:  Screen shot of an email from the first wave.

Shown above:  Screen shot of an email from the second wave.
EMAIL HEADERS - FIRST WAVE:

Date:  Monday 2017-04-03 at 09:27 UTC
From:  
Subject:  commercial invoice - customer 4364201038 102642523877
Attachment name:  Commercial_CVS_inv.03.04.2017.zip
Extracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js

Date:  Monday 2017-04-03 at 11:17 UTC
From:  
Subject:  NOTICE CUSTOMS CHARGES 0094793224 767285436700
Attachment name:  Commercial_CVS_inv.03.04.2017.zip
Extracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js

Date:  Monday 2017-04-03 at 12:20 UTC
From:  
Subject:  Dhl Commercial Invoices 6807164709 856884589470
Attachment name:  Commercial_CVS_inv.03.04.2017.zip
Extracted file name:  Commercial_CVS_inv.03.04.2017.cvs.js

EMAIL HEADERS - SECOND WAVE:

Date:  Monday 2017-04-03 at 13:57 UTC
From:  marco.desiderio@cogug[.]com
Subject:  photo 08
Attachment name:  img-20170403-0089,jpeg.zip
Extracted file name:  img-20170403-0054.jpeg.js

Date:  Monday 2017-04-03 at 15:46 UTC
From:  direzione@nyloq[.]com
Subject:  img_2550
Attachment name:  img-20170403-0014,jpeg.zip
Extracted file name:  img-20170403-0054.jpeg.js

Date:  Monday 2017-04-03 at 16:46 UTC
From:  marzia.berghella@yahoo[.]com[.]hk
Subject:  photo 2DNXAY
Attachment name:  img-20170403-0015,jpeg.zip
Extracted file name:  img-20170403-0054.jpeg.js

Shown above:  Attachment taken from the malspam.

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.
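Both waves delivered the same thing: a zip attachment whose only member is a .js file hiding behind a document or image extension (.cvs.js in the first wave, .jpeg.js in the second). The following Python script is an added example, not code from malware-traffic-analysis.net. It parses an .eml, opens each zip attachment in memory, hashes the archive and its members, and flags members whose final extension is a Windows script type with a lure extension in front of it. The message it builds for itself is constructed (the sender address is an assumption, since the first-wave headers above show none) and its zip contains an inert placeholder rather than the real downloader; the script and lure extension lists are also assumptions to adjust for your environment.

```python
"""Triage a malspam .eml for the delivery pattern seen in both waves: a zip
attachment whose member is a .js file behind a document or image extension.
Added example, not code from malware-traffic-analysis.net; the sample message
is constructed and its zip holds an inert placeholder, not the real downloader."""
import base64
import email
import hashlib
import io
import zipfile
from email import policy

# Windows Script Host / HTML Application extensions that run on double-click
# (assumed list; extend for your environment).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta"}
# Tokens placed in front of the script extension to make it look harmless.
# "cvs" is included because the first wave used it instead of "csv".
LURE_EXTENSIONS = {"csv", "cvs", "jpeg", "jpg", "png", "gif", "pdf", "doc",
                   "docx", "xls", "xlsx", "txt"}


def build_sample_eml(attachment_name, member_name):
    """Constructed message with first-wave style headers (the From: address is
    assumed; the page does not show one). The zip member is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// inert placeholder, not the real downloader\n")
    zip_b64 = base64.encodebytes(buf.getvalue()).decode()
    return (
        "From: sender@example.invalid\r\n"
        "To: victim@example.invalid\r\n"
        "Subject: commercial invoice - customer 4364201038 102642523877\r\n"
        "Date: Mon, 03 Apr 2017 09:27:00 +0000\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nPlease see attached.\r\n"
        "--b1\r\nContent-Type: application/zip\r\n"
        f'Content-Disposition: attachment; filename="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + zip_b64 + "--b1--\r\n"
    ).encode()


def classify_member(name):
    """Split a zip member name on dots and decide whether it is a script and
    whether a lure extension sits directly in front of the script extension."""
    tokens = name.lower().split(".")
    final = tokens[-1] if len(tokens) > 1 else ""
    is_script = final in SCRIPT_EXTENSIONS
    double_ext = is_script and len(tokens) > 2 and tokens[-2] in LURE_EXTENSIONS
    return {"name": name, "is_script": is_script, "double_extension": double_ext}


def triage_eml(raw):
    """Return one finding per attachment: its SHA256 and, for zip attachments,
    the SHA256 and classification of every member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        if not data:
            continue
        finding = {"attachment": part.get_filename() or "",
                   "sha256": hashlib.sha256(data).hexdigest(),
                   "members": []}
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = classify_member(info.filename)
                    member["sha256"] = hashlib.sha256(zf.read(info)).hexdigest()
                    finding["members"].append(member)
        except zipfile.BadZipFile:
            finding["error"] = "attachment is not a zip archive"
        # Any script inside a mailed zip is worth a detonation or a block.
        finding["suspicious"] = any(m["is_script"] for m in finding["members"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    raw = build_sample_eml("Commercial_CVS_inv.03.04.2017.zip",
                           "Commercial_CVS_inv.03.04.2017.cvs.js")
    for f in triage_eml(raw):
        print(f["attachment"], f["sha256"][:16], "SUSPICIOUS" if f["suspicious"] else "ok")
        for m in f["members"]:
            print("   ", m["name"], m["sha256"][:16],
                  "script" if m["is_script"] else "", "double-ext" if m["double_extension"] else "")
```

Run it against the real .eml files from the archive above and the member hashes it prints should match the EXTRACTED JS FILES hashes listed further down; a mismatch means the attachment differs from the one analyzed here.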
ASSOCIATED DOMAINS:

178.136.218[.]52 port 80 - sillo[.]net - GET /1002.exe
31.135.125[.]26 port 80 - monsteradds[.]at - GET /x64.bin   --   [Ursnif module download]
52.52.2[.]146 port 80 - constitution[.]org - GET /usdeclar.txt   --   [Gozi/Ursnif/Papras connectivity check]
5.248.126[.]219 port 80 - sillo[.]net - GET /30.bin   --   [Zbot Generic URI/header struct .bin]
Various IP addresses on TCP port 80 - various domains - POST /   --   [Pushdo.s checkin]
Various IP addresses on various TCP ports - various domains - Tor traffic
Various IP addresses on various ports - attempted TCP connections and non-Tor traffic

FILE HASHES

EMAIL ATTACHMENTS:

SHA256 hash:  1b402c3ccfe5380425023022614abc4af53369536bda9c70b3074e50484bb340
File name:  Commercial_CVS_inv.03.04.2017.zip

SHA256 hash:  ef3bbbace6eeaf06c2101612d45d694f734b6759ec89b83db0e3d07ea5c49f57
File name:  img-20170403-0014,jpeg.zip
File name:  img-20170403-0015,jpeg.zip
File name:  img-20170403-0089,jpeg.zip
(The three second-wave attachments share one hash, so they are the same archive sent under three names.)

EXTRACTED JS FILES:

SHA256 hash:  faad4f8730db9825cfc5fd29f105a16849c83e61e836d68b2e3eff55fe0f1ec5
File name:  Commercial_CVS_inv.03.04.2017.cvs.js

SHA256 hash:  a62712ff422477b15e512d3d83285d61c760c468e8f8bae26a7e5f0174e57db9
File name:  img-20170403-0054.jpeg.js

FILES RETRIEVED FROM THE INFECTED HOST:

SHA256 hash:  94380803ac48bec2ca431f968240f4444fdc3a30bd04dbc62bf099bf0ece01f8
File location:  C:\Users\[username]\AppData\Local\Temp\33521.exe
File location:  C:\Users\[username]\AppData\Roaming\Microsoft\Cmcfspex\admpptsp.exe

SHA256 hash:  d26161bc381625ade7fb51db987f2e69c244acc642911948b1507860e90fd3f9
File location:  C:\Users\[username]\AppData\Local\Temp\462137.exe
File location:  C:\Users\[username]\bsebegfabe.exe

SHA256 hash:  7b1bcab8e3aa932c6ebac8df67d0797b0c8aaa3a7870408085341500687720a6
File location:  C:\Users\[username]\AppData\Local\Temp\Balt.dll

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) rulesets using Sguil on Security Onion.

Source: http://malware-traffic-analysis.net/2017/04/03/index2.html
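The ASSOCIATED DOMAINS list above is exactly what a proxy or Zeek http.log search needs. The Python script below is an added example, not from the original page: it matches the request-level indicators (host, method, URI, and the resolved IPs) against a simplified Zeek-style HTTP log, and separately applies a heuristic of my own for the "POST / to various domains" Pushdo check-in line, namely one client sending POST / to many distinct hosts within a short window. The tab-separated log format, the client addresses and the RFC 5737 test addresses in the sample are constructed; the IOC hosts, IPs and URIs are taken from the list above.

```python
"""Match the HTTP indicators from the ASSOCIATED DOMAINS list against HTTP log
records. Added example, not code from malware-traffic-analysis.net. The log is
a simplified Zeek-style http.log (tab-separated ts, orig_h, resp_h, resp_p,
method, host, uri) and the sample lines are constructed."""
from collections import defaultdict

# Request-level indicators copied from the page (defanging brackets removed).
IOC_REQUESTS = {
    ("sillo.net", "GET", "/1002.exe"): "EXE download from sillo.net",
    ("monsteradds.at", "GET", "/x64.bin"): "Ursnif module download",
    # constitution.org is a legitimate site; on its own this request is weak
    # evidence and should be weighted lower than the other three.
    ("constitution.org", "GET", "/usdeclar.txt"): "Gozi/Ursnif/Papras connectivity check",
    ("sillo.net", "GET", "/30.bin"): "Zbot generic URI/header struct .bin",
}
IOC_IPS = {"178.136.218.52", "31.135.125.26", "52.52.2.146", "5.248.126.219"}

# Constructed sample log: one infected client (10.4.3.101) walking through the
# indicators above and then check-ins to five hosts, plus a clean client.
SAMPLE_LOG = """\
#fields\tts\torig_h\tresp_h\tresp_p\tmethod\thost\turi
1491213600.0\t10.4.3.101\t178.136.218.52\t80\tGET\tsillo.net\t/1002.exe
1491213612.5\t10.4.3.101\t31.135.125.26\t80\tGET\tmonsteradds.at\t/x64.bin
1491213620.1\t10.4.3.101\t52.52.2.146\t80\tGET\tconstitution.org\t/usdeclar.txt
1491213640.7\t10.4.3.101\t5.248.126.219\t80\tGET\tsillo.net\t/30.bin
1491213701.0\t10.4.3.101\t198.51.100.10\t80\tPOST\talpha.example\t/
1491213702.0\t10.4.3.101\t198.51.100.11\t80\tPOST\tbeta.example\t/
1491213703.0\t10.4.3.101\t198.51.100.12\t80\tPOST\tgamma.example\t/
1491213704.0\t10.4.3.101\t198.51.100.13\t80\tPOST\tdelta.example\t/
1491213705.0\t10.4.3.101\t198.51.100.14\t80\tPOST\tepsilon.example\t/
1491213900.0\t10.4.3.102\t203.0.113.5\t80\tGET\twww.example.com\t/index.html
1491214000.0\t10.4.3.102\t203.0.113.6\t80\tPOST\tlogin.example.com\t/
"""


def parse_http_log(text):
    """Parse the tab-separated log into dicts, skipping '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, method, host, uri = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                        "resp_p": int(resp_p), "method": method.upper(),
                        "host": host.lower(), "uri": uri})
    return records


def match_ioc_requests(records):
    """Exact host/method/URI matches first; fall back to the known-bad IPs so a
    request with a different Host header to the same server is still caught."""
    hits = []
    for r in records:
        key = (r["host"], r["method"], r["uri"])
        if key in IOC_REQUESTS:
            hits.append((r["orig_h"], r["host"], r["uri"], IOC_REQUESTS[key]))
        elif r["resp_h"] in IOC_IPS:
            hits.append((r["orig_h"], r["host"], r["uri"],
                         "request to known-bad IP " + r["resp_h"]))
    return hits


def find_pushdo_style_checkins(records, min_hosts=5, window_s=300):
    """Heuristic (my assumption, not a signature from the page): flag a client
    that sends POST / to at least min_hosts distinct hosts within window_s."""
    by_client = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["uri"] == "/":
            by_client[r["orig_h"]].append((r["ts"], r["host"]))
    suspects = {}
    for client, posts in by_client.items():
        posts.sort()
        for i, (t0, _) in enumerate(posts):
            hosts = {h for t, h in posts[i:] if t - t0 <= window_s}
            if len(hosts) >= min_hosts:
                suspects[client] = sorted(hosts)
                break
    return suspects


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_LOG)
    for hit in match_ioc_requests(recs):
        print("IOC hit:", hit)
    for client, hosts in find_pushdo_style_checkins(recs).items():
        print("Pushdo-style POST / fan-out from", client, "to", hosts)
```

Tune min_hosts and window_s against your own baseline before alerting on the fan-out heuristic: ad networks and some CDN health checks also produce bursts of POST / to many hosts, which is why the exact-match indicators above should carry more weight than the heuristic alone.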