Malicious Word Doc sends Nymaim and SSL data Exfiltration

NOTES:
The infection traffic below fits the pattern of Nymaim. I have not seen post-infection traffic via HTTPS, UDP and TCP associated with Nymaim before. It is apparent that data is being exfiltrated, therefore I have provided all the IP addresses and domains for further analysis.


ASSOCIATED DOMAINS:

  • 46.249.54.179 – traptractors.eu – GET /system/logs/office.exe – Nymaim DOWNLOAD
  • 23.74.8.192 – z1.zedo.com – GET /robots.txt – POST INFECTION TRAFFIC
  • 45.32.152.165 – HTTPS PORT 443 – mediapartnersallowallow.pw – POST INFECTION TRAFFIC [ENCRYPTED]
  • 185.94.164.51 – UDP PORT 9293 – POST INFECTION TRAFFIC
  • 165.228.19.146 – UDP PORT 40287 – POST INFECTION TRAFFIC
  • 58.96.85.56 – UDP PORT 37320 – POST INFECTION TRAFFIC
  • 203.206.169.213 – TCP PORT 1099 – POST INFECTION TRAFFIC
  • 202.173.190.235 – TCP PORT 1099 – POST INFECTION TRAFFIC
  • 203.45.224.128 – UDP PORT 47116 – POST INFECTION TRAFFIC
  • 14.2.30.5 – UDP PORT 4514 – POST INFECTION TRAFFIC
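The list above is most useful to a defender as a lookup set. The following Python is an added example (not part of the original post) that transcribes the indicators exactly as listed above and scans connection/HTTP log records for them, ranking hits by how specific the match is: the exact office.exe download request first, then a proto/IP/port triple the page gives, then a bare IP or hostname. The log format (tab-separated ts, src_ip, src_port, dst_ip, dst_port, proto, host, uri) and the sample lines are constructed for the example; only the indicators come from the page.

```python
"""Scan constructed connection/HTTP log lines for the Nymaim indicators listed on this page."""
import csv
import io
from typing import Dict, List, Optional

# --- Indicators transcribed from the ASSOCIATED DOMAINS list above (page data, not invented) ---
IOC_DOWNLOAD_HOST = "traptractors.eu"
IOC_DOWNLOAD_PATH = "/system/logs/office.exe"

IOC_DOMAINS: Dict[str, str] = {
    "traptractors.eu": "Nymaim download host",
    "z1.zedo.com": "post-infection HTTP (GET /robots.txt)",
    "mediapartnersallowallow.pw": "post-infection HTTPS (encrypted)",
}

# Destination IPs from the list, matched on any destination port.
IOC_IPS: Dict[str, str] = {
    "46.249.54.179": "Nymaim download host (traptractors.eu)",
    "23.74.8.192": "post-infection HTTP (z1.zedo.com)",
    "45.32.152.165": "post-infection HTTPS (mediapartnersallowallow.pw)",
    "185.94.164.51": "post-infection UDP",
    "165.228.19.146": "post-infection UDP",
    "58.96.85.56": "post-infection UDP",
    "203.206.169.213": "post-infection TCP",
    "202.173.190.235": "post-infection TCP",
    "203.45.224.128": "post-infection UDP",
    "14.2.30.5": "post-infection UDP",
}

# (proto, dst_ip, dst_port) triples where the page states the port explicitly.
IOC_ENDPOINTS = {
    ("tcp", "45.32.152.165", 443),
    ("udp", "185.94.164.51", 9293),
    ("udp", "165.228.19.146", 40287),
    ("udp", "58.96.85.56", 37320),
    ("tcp", "203.206.169.213", 1099),
    ("tcp", "202.173.190.235", 1099),
    ("udp", "203.45.224.128", 47116),
    ("udp", "14.2.30.5", 4514),
}

# Constructed log layout for this example (assumption, not a real sensor format).
COLUMNS = ["ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "host", "uri"]

# Constructed sample records: five that should hit, two benign ones that should not.
SAMPLE_LOG = (
    "1456789000.1\t10.0.0.15\t49152\t46.249.54.179\t80\ttcp\ttraptractors.eu\t/system/logs/office.exe\n"
    "1456789005.7\t10.0.0.15\t49153\t23.74.8.192\t80\ttcp\tz1.zedo.com\t/robots.txt\n"
    "1456789010.2\t10.0.0.15\t49154\t45.32.152.165\t443\ttcp\t-\t-\n"
    "1456789012.9\t10.0.0.15\t51000\t185.94.164.51\t9293\tudp\t-\t-\n"
    "1456789013.4\t10.0.0.15\t51001\t203.206.169.213\t1099\ttcp\t-\t-\n"
    "1456789020.0\t10.0.0.15\t49155\t93.184.216.34\t443\ttcp\texample.com\t/\n"
    "1456789021.0\t10.0.0.15\t51002\t8.8.8.8\t53\tudp\t-\t-\n"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated records into dicts keyed by COLUMNS, skipping blank/comment lines."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=COLUMNS, delimiter="\t")
    return [row for row in reader if row["ts"] and not row["ts"].startswith("#")]


def match_record(rec: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a hit dict for a record that touches an indicator, or None. Most specific match wins."""
    proto = rec["proto"].lower()
    dst_ip = rec["dst_ip"]
    host = (rec.get("host") or "-").lower()
    uri = rec.get("uri") or "-"
    try:
        dst_port = int(rec["dst_port"])
    except (TypeError, ValueError):
        dst_port = -1

    def hit(stage: str, ioc: str, match: str) -> Dict[str, str]:
        return {"ts": rec["ts"], "dst": f"{dst_ip}:{dst_port}/{proto}",
                "stage": stage, "ioc": ioc, "match": match}

    # Initial payload fetch: hostname and exact path from the page.
    if host == IOC_DOWNLOAD_HOST and uri == IOC_DOWNLOAD_PATH:
        return hit("download", f"GET {IOC_DOWNLOAD_HOST}{IOC_DOWNLOAD_PATH}", "host+uri")
    # Post-infection endpoints where the page states proto and port.
    if (proto, dst_ip, dst_port) in IOC_ENDPOINTS:
        return hit("c2_exfil", IOC_IPS[dst_ip], "ip+port")
    # Weaker evidence: destination IP or hostname alone.
    if dst_ip in IOC_IPS:
        return hit("c2_exfil", IOC_IPS[dst_ip], "ip")
    if host in IOC_DOMAINS:
        return hit("c2_exfil", IOC_DOMAINS[host], "domain")
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run match_record over every parsed record and return the hits in log order."""
    return [h for h in (match_record(r) for r in parse_log(text)) if h]


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per stage so an analyst can see download vs. post-infection activity at a glance."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["stage"]] = counts.get(h["stage"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]}  {h["dst"]:<28} {h["stage"]:<9} [{h["match"]}] {h["ioc"]}')
    print(summarize(scan_log(SAMPLE_LOG)))
```

The ordering of the checks matters in practice: a bare IP hit on 23.74.8.192 (a zedo.com ad-network address) is much weaker evidence than a UDP connection to 185.94.164.51:9293, so the `match` field tells the analyst how much weight to give each line before pivoting to the host.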


IMAGES and DETAILS:

Shown above: Malicious Word document attempting to get the user to click Enable Content [MACROS]


Shown above: Nymaim download from traptractors.eu “office.exe”


Shown above: Using msconfig shows the Nymaim start-up location


Shown above: Post infection traffic “Nothing to see here”


Shown above: Post infection data exfiltration via HTTPS


MALICIOUS DOC AND PAYLOAD: