Smokeloader 2017-09-20 MalSpam

Sender: sale@customercare.sap – [SPOOFED EMAIL ADDRESS]
Subject: SAP PAYMENT PAST DUE-

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-09-21-Smokeloader-pcap.zip


Shown above: Email with link to Macro Word Document to begin infection chain


Shown above: Macro Word Document leading to the download and installation of Smokeloader


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • hatnhuagiare.com/index.html.php?id=[Base64 email address of recipient] – Link to MalDoc
  • vinaes.com.vn – GET /cr2mgmts.exe – Smokeloader download
  • 52.11.24.162 – czancovene.top – Post infection C2
  • 52.11.24.162 – framyerisa.top – Post infection C2
  • niellypote.top – Unresolved DNS query
  • hoarpstise.top – Unresolved DNS query
  • rhautarama.top – Unresolved DNS query
  • scetregano.top – Unresolved DNS query

UPDATED DNS QUERIES [2017-10-09]

  • loanseciti.top – Unresolved DNS query
  • jouilarise.top – Unresolved DNS query
  • spignigede.top – Unresolved DNS query
  • a9c384669e98.net – Unresolved DNS query
  • a9c384669e47.com – Unresolved DNS query
  • a9c384669e10.net – Unresolved DNS query

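Added example (not code from the post): a small Python triage routine that maps constructed proxy and DNS log lines onto the indicators listed above and recovers the targeted recipient from the base64 `id` parameter of the maldoc link. The `proto client host path-or-rcode` log format, the client IP and the mailbox are assumed sample values.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Indicators as listed in this post; SAMPLE_LOG below is constructed, not from the pcap.
MALDOC_HOST = "hatnhuagiare.com"
PAYLOAD = ("vinaes.com.vn", "/cr2mgmts.exe")
C2_DOMAINS = {"czancovene.top", "framyerisa.top"}
UNRESOLVED = {"niellypote.top", "hoarpstise.top", "rhautarama.top", "scetregano.top",
              "loanseciti.top", "jouilarise.top", "spignigede.top",
              "a9c384669e98.net", "a9c384669e47.com", "a9c384669e10.net"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def decode_recipient(url):
    """Recover the targeted mailbox from the maldoc link's base64 'id' parameter;
    None if the parameter is missing or does not decode to an e-mail address."""
    query = urlparse(url if "://" in url else "http://" + url).query
    values = parse_qs(query).get("id")
    if not values:
        return None
    token = values[0] + "=" * (-len(values[0]) % 4)  # restore stripped '=' padding
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if EMAIL_RE.fullmatch(text) else None

def triage(lines):
    """Map 'proto client host path-or-rcode' log lines onto the stages of the chain."""
    hits = {"recipients": [], "payload": [], "c2": [], "unresolved": []}
    for line in lines:
        proto, client, host, tail = line.split(maxsplit=3)
        if proto == "http" and host == MALDOC_HOST:
            who = decode_recipient(host + tail)
            if who:  # only report ids that really decode to an address
                hits["recipients"].append((client, who))
        elif proto == "http" and (host, tail) == PAYLOAD:
            hits["payload"].append(client)
        elif proto == "dns" and host in C2_DOMAINS:
            hits["c2"].append((client, host))
        elif proto == "dns" and host in UNRESOLVED and tail == "NXDOMAIN":
            hits["unresolved"].append((client, host))
    return hits

SAMPLE_LOG = [  # constructed sample lines in the format triage() expects
    "http 10.0.0.7 hatnhuagiare.com /index.html.php?id=dmljdGltQGV4YW1wbGUuY29t",
    "http 10.0.0.7 vinaes.com.vn /cr2mgmts.exe",
    "dns 10.0.0.7 czancovene.top NOERROR",
    "dns 10.0.0.7 niellypote.top NXDOMAIN",
    "dns 10.0.0.7 www.example.org NOERROR",
]
```

Running `triage(SAMPLE_LOG)` reports the decoded recipient, the payload download, the resolved C2 query and the NXDOMAIN query as separate stages, while the unrelated lookup is ignored.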

IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with the Smokeloader malspam


Shown above: DNS traffic associated with the Smokeloader malspam


Shown above: SSL Certificate associated with command and control (C2) traffic: admin@web.local – MyCompany LLC


Shown above: SSL Certificate details associated with command and control (C2) traffic


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: