2014-01-30 - ASPROX EMAILS AND MALWARE

ASSOCIATED FILES:


NOTES:

For this blog entry, I infected a physical host with Asprox malware from 27 Jan 2014.  The infected host became part of the botnet and sent more phishing emails.

First, here are a couple of links that explain the traffic seen below:

Let's take a closer look at what happened...


ASPROX PHISHING EMAIL FROM 27 JAN 2014

Here's one of the emails that came through on 27 Jan 2014:


Here's the malware EXE extracted from the attachment:


INFECTING A HOST ON WEDNESDAY EVENING, 29 JAN 2014

The Snort events shown below from Security Onion are in GMT, while the PCAP shows my local time (US Central time zone):


Here are highlights from the traffic as the host became infected (all times GMT):


MALWARE DROPPED DURING THE ORIGINAL INFECTION

This is where the original malware copied itself after it was executed:

Path and file name:  C:\Users\User-1\AppData\Local\irtjggll.exe
File size:  365.0 KB (373760 bytes)
MD5 hash:  0ccb0f978a9a9066a22534ac108c6ef1
Time created:  2014-01-30 00:42:17 GMT

After a quick look, I found these EXE files within the user's AppData directory:

Path and file name:  C:\Users\User-1\AppData\Local\lxrqqowx.exe
File size:  76.0 KB (77824 bytes)
MD5 hash:  773521dcc3ca8be57e8202ae37cf20dd
Time created:  2014-01-30 00:44:21 GMT

Path and file name:  C:\Users\User-1\AppData\Roaming\Vyifiqe\tumeyxk.exe
File size:  291.2 KB (298219 bytes)
MD5 hash:  6bffa1c615694909638f68350b396682
Time created:  2014-01-30 00:47:34 GMT

Path and file name:  C:\Users\User-1\AppData\Local\qpmxbuji.exe
File size:  136.0 KB (139264 bytes)
MD5 hash:  7b37752da4193ad2cdfba83f4a98503e
Time created:  2014-01-30 00:48:35 GMT

Path and file name:  C:\Users\User-1\AppData\Local\Temp\UpdateFlashPlayer_78a0e7bb.exe
File size:  142.3 KB (145721 bytes)
MD5 hash:  df5ab239bdf09a8716cabbdfa1d6a724
Time created:  2014-01-30 00:53:15 GMT

Path and file name:  C:\Users\User-1\AppData\Local\Temp\UpdateFlashPlayer_9453f040.exe
File size:  291.2 KB (298219 bytes)
MD5 hash:  b2534de2f7bb39ba7dbee16b6667fabf
Time created:  2014-01-30 00:53:15 GMT
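The listing above was put together by hand. As an added example (not code from the original post), here is a Python script that reproduces that triage on a live host or a mounted image: walk a user's AppData tree, keep only files that start with an MZ header regardless of extension, and record size, MD5 and creation time in GMT in the same layout as the listing. The AppData root is passed as an argument; the fixture builder at the bottom creates a scratch tree with a fake MZ stub so the script can be exercised offline, and the note about creation time on non-Windows hosts is my own.

```python
"""Inventory PE files under a user's AppData tree: path, size, MD5 and
creation time in GMT, matching the layout of the listing in the post.

Added example, not the post's own tooling. Point it at the AppData root of
the host (or of a mounted image); build_sample_tree() makes a constructed
scratch tree for offline testing."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def md5_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """MD5 of a file, read in chunks so large droppers are not loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def creation_time_utc(path: Path) -> str:
    """Creation time as 'YYYY-MM-DD HH:MM:SS GMT'.

    On Windows st_ctime is the creation time. On Linux st_ctime is the inode
    change time (macOS exposes st_birthtime instead), so on a non-Windows
    analysis box treat this value as approximate unless st_birthtime exists."""
    st = path.stat()
    ts = getattr(st, "st_birthtime", st.st_ctime)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S GMT")


def is_pe(path: Path) -> bool:
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def inventory_executables(appdata_root: str) -> list:
    """Walk AppData (Local, Roaming, Temp and below) and describe every PE file,
    sorted by creation time so the drop order is visible."""
    results = []
    for dirpath, _dirs, files in os.walk(appdata_root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if not is_pe(p):
                    continue
                results.append({
                    "path": str(p),
                    "size": p.stat().st_size,
                    "md5": md5_of_file(p),
                    "created": creation_time_utc(p),
                })
            except OSError:
                continue  # locked or vanished file; keep going
    return sorted(results, key=lambda r: r["created"])


def format_entry(entry: dict) -> str:
    """Render one entry in the same four-line layout the post uses."""
    return (f"Path and file name:  {entry['path']}\n"
            f"File size:  {entry['size'] / 1024:.1f} KB ({entry['size']} bytes)\n"
            f"MD5 hash:  {entry['md5']}\n"
            f"Time created:  {entry['created']}")


def build_sample_tree() -> tuple:
    """Constructed fixture: a scratch AppData-like tree holding one fake PE
    (MZ header plus zero padding, not real malware) and one text file.
    Returns (root_path, expected_md5_of_the_fake_pe)."""
    root = Path(tempfile.mkdtemp(prefix="appdata_"))
    (root / "Local").mkdir()
    (root / "Roaming" / "Vyifiqe").mkdir(parents=True)
    fake_pe = b"MZ" + b"\x00" * 510
    (root / "Local" / "irtjggll.exe").write_bytes(fake_pe)
    (root / "Roaming" / "Vyifiqe" / "notes.txt").write_bytes(b"not a pe")
    return str(root), hashlib.md5(fake_pe).hexdigest()


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()[0]
    for e in inventory_executables(root):
        print(format_entry(e), end="\n\n")
```

Run against C:\Users\User-1\AppData on the infected host it would print the five droppers above plus anything else carrying an MZ header (the Flash Player lookalikes in Temp included), in the order they were written.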


POST INFECTION EMAIL ACTIVITY

The infected host began sending emails at 00:46 GMT and made several hundred attempts before I powered it down.  Most of the attempts were rejected by the receiving mail servers.  In the first 2 seconds alone there were 48 attempts to send emails.

Here's an example of the SMTP traffic from my infected host:


The Google mail server rejected this message...
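A burst like that (48 outbound SMTP connections from one workstation in 2 seconds) is easy to pick out of flow data. As an added example (not the post's own tooling), the Python below runs a sliding-window detector over constructed flow records of the form "epoch_seconds src_ip dst_ip dst_port" and alerts once per source host that opens many connections to mail ports on public addresses within a short window; connections to an internal relay are ignored because that is what a workstation normally does. Window, threshold and the port list are assumptions to tune per site, and the sample addresses are made up.

```python
"""Sliding-window detector for the outbound spam burst described above.

Added example, not the post's own tooling. Input lines are a constructed
flow export ("epoch_seconds src_ip dst_ip dst_port", time-sorted); the
window, threshold and mail-port list are assumptions to tune per site."""
from collections import defaultdict, deque
from ipaddress import ip_address


def parse_flow(line: str):
    """Parse 'ts src dst dport'; return (ts, src, dst, dport) or None on junk."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts, dport = float(parts[0]), int(parts[3])
        ip_address(parts[1])
        ip_address(parts[2])          # reject tokens that are not IP addresses
    except ValueError:
        return None
    return ts, parts[1], parts[2], dport


def smtp_burst_alerts(lines, window_s=2.0, threshold=20, mail_ports=(25, 465, 587)):
    """Alert once per source host when it opens >= threshold connections to
    mail ports on public (non-private, non-reserved) addresses within
    window_s seconds. Mail sent to an internal relay is normal and ignored.
    Input must be sorted by time. Returns
    [(src_ip, window_start_ts, count, distinct_servers)]."""
    recent = defaultdict(deque)       # src -> deque of (ts, dst) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, dport = flow
        if dport not in mail_ports or not ip_address(dst).is_global:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], len(q), len({d for _, d in q})))
    return alerts


def sample_flows() -> list:
    """Constructed flow lines: a web connection, one message to an internal
    relay, a junk line, then 48 outbound SMTP connections in 2 seconds from
    192.168.1.100 starting at 2014-01-30 00:46:00 GMT (epoch 1391042760)."""
    base = 1391042760.0
    lines = [
        f"{base - 30:.3f} 192.168.1.100 203.0.113.10 443",   # web browsing, ignored
        f"{base - 20:.3f} 192.168.1.55 192.168.1.5 25",       # internal relay, ignored
        "this line is not a flow record",
    ]
    for i in range(48):
        # destination addresses are made up; the third octet keeps them distinct
        lines.append(f"{base + i * 2.0 / 48:.3f} 192.168.1.100 203.{10 + i % 40}.{i}.1 25")
    return lines


if __name__ == "__main__":
    for src, start, n, servers in smtp_burst_alerts(sample_flows()):
        print(f"ALERT {src}: {n} SMTP connections to {servers} servers "
              f"within 2s starting at epoch {start:.0f}")
```

The distinct-server count is the useful part of the alert: a legitimate mail client talks to one or two submission servers, while a spambot fans out to many MX hosts at once, which is also why most of the attempts above were refused.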


NEW PHISHING EMAIL SENT BY THE INFECTED HOST

I extracted an email from the SMTP traffic in the PCAP to get a better look at the message being sent:


Here's the malware EXE extracted from the attachment:

The file had already been submitted to VirusTotal about 8 hours before I submitted my copy:

File name:  Details_For_Arrears_Document_29-01-2014.exe
File size:  165.0 KB (168960 bytes)
MD5 hash:  3b636be10ba275b0cc7ecfca5fccc85e
VirusTotal link:  https://www.virustotal.com/en/file/631f2bcf232bf006976f0c09b38d67b00dd780201771b59692a1acfe05ac478e/analysis/
First submitted:  2014-01-29 19:24:20 GMT
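The hashes above come from the EXE after it was pulled out of the attachment by hand. As an added example (not the post's own tooling), the Python below does that extraction on the raw DATA section of a message exported from the PCAP (for instance with Wireshark's Follow TCP Stream): undo SMTP dot-stuffing, parse the MIME, decode the attachment, open it if it is a zip, hash the member with MD5 and SHA-256, and form the VirusTotal file URL, which is keyed by SHA-256 as the link above shows. The sample message and the "EXE" inside it are constructed in the script (an MZ header plus padding, not real malware), and nothing is fetched from VirusTotal.

```python
"""Extract and hash the attachment from an SMTP DATA section captured in a
PCAP, so the dropped EXE can be looked up on VirusTotal by hash.

Added example, not the post's own tooling. The sample message is constructed
here; its "EXE" is an MZ header plus padding. Only the VirusTotal URL shape
used in the post is formed; nothing is sent anywhere."""
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage


def unstuff_smtp_data(stream_bytes: bytes) -> bytes:
    """Undo SMTP dot-stuffing (RFC 5321 section 4.5.2) on a DATA section copied
    verbatim from the TCP stream and drop the terminating '.' line."""
    out = []
    for line in stream_bytes.split(b"\r\n"):
        if line == b".":
            break
        out.append(line[1:] if line.startswith(b"..") else line)
    return b"\r\n".join(out)


def extract_attachments(message_bytes: bytes):
    """Yield (name, payload) for each attachment; zip archives are opened one
    level deep so the EXE inside is hashed directly, not the container."""
    msg = email.message_from_bytes(message_bytes, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        yield f"{name}/{info.filename}", zf.read(info)
        else:
            yield name, data


def describe(name: str, data: bytes) -> dict:
    """Size, MD5, SHA-256 and the VirusTotal file URL (keyed by SHA-256)."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "name": name,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": sha256,
        "is_pe": data[:2] == b"MZ",
        "virustotal": f"https://www.virustotal.com/en/file/{sha256}/analysis/",
    }


def analyze_smtp_stream(stream_bytes: bytes) -> list:
    """Raw DATA from the stream -> unstuffed message -> one record per attachment."""
    return [describe(n, d) for n, d in extract_attachments(unstuff_smtp_data(stream_bytes))]


def build_sample_smtp_stream() -> tuple:
    """Constructed fixture: a phishing-style message with a zip attachment
    holding a fake EXE, rendered as it would appear on the wire (CRLF line
    endings, dot-stuffed, '.' terminator). Returns (stream_bytes, fake_exe)."""
    fake_exe = b"MZ" + b"\x90" * 254
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Details_For_Arrears_Document.exe", fake_exe)
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Details for arrears"
    msg.set_content("Please see the attached document.\n.hidden line starting with a dot\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Details_For_Arrears_Document.zip")
    wire = msg.as_bytes(policy=policy.SMTP)
    stuffed = b"\r\n".join(b"." + ln if ln.startswith(b".") else ln
                           for ln in wire.split(b"\r\n"))
    return stuffed + b"\r\n.\r\n", fake_exe


if __name__ == "__main__":
    stream, _ = build_sample_smtp_stream()
    for record in analyze_smtp_stream(stream):
        print(record)
```

Feeding the real DATA section from the PCAP to analyze_smtp_stream() gives the MD5 listed above and the SHA-256 that appears in the VirusTotal link, so the lookup can be done without submitting the sample.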


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
