2017-05-03 – WHATSAPP MALSPAM – SUBJECT: MISSED VOICE MESSAGE

ASSOCIATED FILES:

  • ZIP archive of the email and malware:  2017-05-03-whatsapp-malspam-and-malware.zip   438 kB (437,927 bytes)

EMAIL

Shown above:  Screen shot from one of the emails.

EMAIL HEADERS:

  • Date/Time:  Wednesday 2017-05-03, as early as 12:38 UTC through at least 16:08 UTC
  • From:  (spoofed) “WhatsApp” <no-reply@acctalerts.com>
  • Subject:  Missed voice message

Shown above:  Header lines from one of the emails.

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

Shown above:  TCP stream of the URL from the email using HTTP instead of HTTPS.

ASSOCIATED DOMAINS:

  • 198.252.106.149 port 443 – muabantiengame.com – GET /wp-content/themes/ddd/voice.html?kjdfhjjdfjdfhjdfifdhijhkfdhfdjbjfdnfbnaiewiuweewnwebmn wenbewbewbewbnwejbwejewjhwejewjewjhewjhewhewjhewhjjehewhjhjewhjewhjwehjewhjwejhwehjwehjhjwehjejhewjhewjhehjewjewjhewjhewjh   [HTTPS download for zip file]
  • 188.226.145.50 port 443 – www.security-support.tech – GET /hcamp1.gif   [HTTPS download for follow-up EXE]

FILE HASHES

ZIP ARCHIVE DOWNLOADED FROM LINK IN THE EMAIL:

  • SHA256 hash:  01ecf50b51f0d8d9d9b28c5ad4628dbfbf4fe2cb4c04c5bbef54834d7fee27dd
    File name:  Voicemail.zip
    File size:  6,324 bytes

.JS FILE EXTRACTED FROM THE ZIP ARCHIVE:

  • SHA256 hash:  22e47af467e655c0b9a636f37852277a042bdb8286f47ad4abaf6dde3cfc09ec
    File name:  Voicemail.js
    File size:  15,972 bytes

FOLLOW-UP .EXE DOWNLOADED BY THE .JS FILE:

  • SHA256 hash:  87296f9c51aefc66a2289a488ad968f430aedd52f55039ad514bf568624f9b56
    File location:  C:\Users\[username]\klo5.exe
    File size:  1,042,432 bytes
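The domains, IPs, URIs and hashes listed under ASSOCIATED DOMAINS and FILE HASHES are the indicators a responder would sweep for. The script below is an added triage helper, not code from the original post or from the malware: it matches those indicators against proxy-style log lines and hashes the members of a zip archive, flagging script extensions (a .js arriving as a "voicemail") and any hash that matches the list. The log line format, the sample log lines and the in-memory stand-in for Voicemail.zip are all constructed for the demo; only the indicator values come from this page.

```python
"""Added triage helper (not part of the original post): sweep log lines and
zip contents for the IOCs listed on this page.  The log format, the demo log
lines and the demo zip are constructed; the IOC values are from the page."""
import hashlib
import io
import re
import zipfile

# IOCs from the page: domains, IPs, URI paths and SHA256 hashes.
IOC_DOMAINS = {"muabantiengame.com", "www.security-support.tech"}
IOC_IPS = {"198.252.106.149", "188.226.145.50"}
IOC_URI_PREFIXES = ("/wp-content/themes/ddd/voice.html", "/hcamp1.gif")
IOC_SHA256 = {
    "01ecf50b51f0d8d9d9b28c5ad4628dbfbf4fe2cb4c04c5bbef54834d7fee27dd": "Voicemail.zip",
    "22e47af467e655c0b9a636f37852277a042bdb8286f47ad4abaf6dde3cfc09ec": "Voicemail.js",
    "87296f9c51aefc66a2289a488ad968f430aedd52f55039ad514bf568624f9b56": "klo5.exe",
}
# Windows script-host extensions that should never arrive as a "voice message".
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# Assumed (hypothetical) log layout: "<ts> <src_ip> <dst_ip>:<port> <host> <method> <uri>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)$"
)


def match_log_line(line):
    """Return the reasons a log line matches the page's IOCs (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    host = m["host"].lower()
    if host in IOC_DOMAINS:
        reasons.append("domain:" + host)
    if m["dst"] in IOC_IPS:
        reasons.append("ip:" + m["dst"])
    path, _, query = m["uri"].partition("?")
    if path.startswith(IOC_URI_PREFIXES):
        reasons.append("uri:" + path)
    # The voice.html request on this page carries a long junk query string; flag that shape too.
    if len(query) > 100:
        reasons.append("long-query")
    return reasons


def sha256_hex(data):
    """Hex SHA256 of a byte string, the same form as the hashes listed above."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes, password=None):
    """Hash every file in a zip and flag script extensions and known-bad hashes.

    password: bytes or None; pass the archive password for a protected sample."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=password)
            digest = sha256_hex(data)
            results.append({
                "name": info.filename,
                "size": len(data),
                "sha256": digest,
                "known_as": IOC_SHA256.get(digest),          # None unless it is a listed hash
                "script_ext": info.filename.lower().endswith(SCRIPT_EXTS),
            })
    return results


def build_demo_zip():
    """Constructed stand-in for Voicemail.zip: a harmless .js that only echoes a string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Voicemail.js", "WScript.Echo('demo only');\n")
    return buf.getvalue()


# Constructed log lines: the two requests from this page plus one benign request.
DEMO_LOG = [
    "2017-05-03T12:40:01Z 10.0.0.5 198.252.106.149:443 muabantiengame.com GET "
    "/wp-content/themes/ddd/voice.html?" + "k" * 150,
    "2017-05-03T12:40:09Z 10.0.0.5 188.226.145.50:443 www.security-support.tech GET /hcamp1.gif",
    "2017-05-03T12:41:00Z 10.0.0.5 93.184.216.34:443 www.example.com GET /index.html",
]

if __name__ == "__main__":
    for line in DEMO_LOG:
        print(match_log_line(line) or "clean", "<-", line[:70])
    for entry in triage_zip(build_demo_zip()):
        print(entry)
```

Hashes and hostnames are exact-match indicators and will not survive the next campaign; the extension check and the long-junk-query check are the parts worth keeping as generic detections for this kind of "missed voice message" lure.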

IMAGES

Shown above:  Downloading the zip archive from the email link.

Shown above:  The extracted .js file from the zip archive.

Shown above:  Follow-up executable crashing (on Windows 7 virtual machine or Windows 7 physical host).

FINAL NOTES

Once again, here are the associated files:

  • ZIP archive of the email and malware:  2017-05-03-whatsapp-malspam-and-malware.zip   438 kB (437,927 bytes)

ZIP files are password-protected with the standard password.  If you don’t know it, look at the “about” page of this website.
