2014-07-02 - RECENT ASPROX BOTNET PHISHING EMAILS

ASSOCIATED FILES:

NOTES:

This blog entry compares two recent USPS-themed phishing emails from the Asprox botnet.  Note the differences between the emails.  Changes in the message content (subject lines, body text, and attachment names) complicate efforts to block these phishing emails on content alone.  For more information on these recent Asprox emails, see the following links:

 

SCREENSHOTS OF THE EMAILS

FROM FRIDAY, 2014-06-27:

 

FROM WEDNESDAY, 2014-07-02:

 

HTTP GET REQUESTS FOR THE MALWARE:

 

PRELIMINARY MALWARE ANALYSIS

2014-06-27 MALWARE (ZIP FILE)

File name:  USPS_Receipt_US_city_name_2014-06-27.zip
File size:  98.8 KB ( 101141 bytes )
MD5 hash:  a5eaedb7ad1a651379855477f4164651
Detection ratio:  21 / 54
First submission:  2014-07-02 20:21:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/38e17f76e97ac21b728ebe6d5c5d074df6b7c62ea71c0bc7b723273da5515cf7/analysis/

 

2014-06-27 MALWARE (EXTRACTED EXE)

File name:  USPS_Receipt_US_city_name_2014-06-27.exe
File size:  149.5 KB ( 153088 bytes )
MD5 hash:  b1ffe5b1dcf6125bdfd2e713a7c2bdb4
Detection ratio:  20 / 53
First submission:  2014-07-02 20:21:30 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4ec0dc7e0fc1806bfd777caa2762d7f6f89d7e9db794c07dad2caea63d3a14ba/analysis/
Malwr link:  https://malwr.com/analysis/MTdiNDE2ZGFlYmY2NGE3MjgzZmNiZjdhOTU1YzQzYjQ/

 

2014-07-02 MALWARE (ZIP FILE)

File name:  Label_US_city_name_2014-07-02.zip
File size:  89.2 KB ( 91355 bytes )
MD5 hash:  c62571abb2579a08815a7fe9f444e726
Detection ratio:  4 / 53
First submission:  2014-07-02 20:18:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9a39c1ed1e3309fd9f530bc72f4ac84e022a926c9ba6df4266b73cc489d2e065/analysis/

 

2014-07-02 MALWARE (EXTRACTED EXE)

File name:  Label_US_city_name_2014-07-02.exe
File size:  128.5 KB ( 131584 bytes )
MD5 hash:  1e0c7da431950be356ee52985d7a4d8b
Detection ratio:  5 / 54
First submission:  2014-07-02 16:22:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b7ee27546d19721bdf927c11e217b556264c39584749f79dbfb774290793ff35/analysis/
Malwr link:  https://malwr.com/analysis/MzA3ZTY5MTE2Y2MxNGFiZWJlN2UxYjA0ZmRmMWQ3OGI/
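
Because the message wording changes from wave to wave, the more stable things to key on are the attachment structure (a ZIP named <prefix>_<city name>_<date>.zip holding a single .exe with the same base name) and the file hashes.  The following Python script is an added example, not part of the original post or the Asprox analysis: it parses an email, inspects any ZIP attachment in memory without writing or executing anything, checks the attachment name against that naming pattern, and compares MD5/SHA256 values against the indicators listed above (the SHA256 values are the ones embedded in the VirusTotal links).  The sample message, its sender, subject and lure text are constructed for the demonstration, and the "executable" inside the sample ZIP is a harmless placeholder, so its hashes will not match the real malware.

```python
"""Triage helper for the USPS-themed Asprox attachments described in this post.

Added example, not from the original post.  Builds a constructed sample message
in memory (no real malware), pulls the ZIP attachment, checks the naming pattern
shared by both waves, lists the ZIP contents without executing anything, and
compares hashes against the indicators listed in the analysis sections.
"""
import email
import email.policy
import hashlib
import io
import re
import zipfile
from email.message import EmailMessage

# Indicators copied from the analysis sections of this post.
KNOWN_MD5 = {
    "a5eaedb7ad1a651379855477f4164651": "USPS_Receipt_US_city_name_2014-06-27.zip",
    "b1ffe5b1dcf6125bdfd2e713a7c2bdb4": "USPS_Receipt_US_city_name_2014-06-27.exe",
    "c62571abb2579a08815a7fe9f444e726": "Label_US_city_name_2014-07-02.zip",
    "1e0c7da431950be356ee52985d7a4d8b": "Label_US_city_name_2014-07-02.exe",
}
# SHA256 values taken from the VirusTotal links in this post.
KNOWN_SHA256 = {
    "38e17f76e97ac21b728ebe6d5c5d074df6b7c62ea71c0bc7b723273da5515cf7": "USPS_Receipt_US_city_name_2014-06-27.zip",
    "4ec0dc7e0fc1806bfd777caa2762d7f6f89d7e9db794c07dad2caea63d3a14ba": "USPS_Receipt_US_city_name_2014-06-27.exe",
    "9a39c1ed1e3309fd9f530bc72f4ac84e022a926c9ba6df4266b73cc489d2e065": "Label_US_city_name_2014-07-02.zip",
    "b7ee27546d19721bdf927c11e217b556264c39584749f79dbfb774290793ff35": "Label_US_city_name_2014-07-02.exe",
}

# Attachment naming shared by both waves: <prefix>_<city name>_<YYYY-MM-DD>.zip.
# The two prefixes are the ones seen so far; the message text changed, this did not.
ATTACHMENT_RE = re.compile(
    r"^(USPS_Receipt|Label)_[A-Za-z0-9_.-]+_\d{4}-\d{2}-\d{2}\.zip$", re.IGNORECASE)

MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate anything larger (zip-bomb guard)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup(md5: str, sha256: str):
    """Return the indicator name for a known hash, or None."""
    return KNOWN_MD5.get(md5) or KNOWN_SHA256.get(sha256)


def inspect_zip(data: bytes) -> list:
    """List and hash ZIP members in memory; nothing is written to disk or executed."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry = {"name": info.filename, "size": info.file_size,
                     "is_exe": info.filename.lower().endswith(".exe"),
                     "md5": None, "sha256": None, "known": None}
            if info.file_size <= MAX_MEMBER_BYTES:
                blob = zf.read(info)
                entry["md5"], entry["sha256"] = md5_hex(blob), sha256_hex(blob)
                entry["known"] = lookup(entry["md5"], entry["sha256"])
            members.append(entry)
    return members


def triage_message(raw: bytes) -> list:
    """Return one finding dict per attachment of an RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        finding = {
            "attachment": name,
            "md5": md5_hex(data),
            "sha256": sha256_hex(data),
            "known": lookup(md5_hex(data), sha256_hex(data)),
            "pattern_match": bool(ATTACHMENT_RE.match(name)),
            "members": inspect_zip(data) if zipfile.is_zipfile(io.BytesIO(data)) else [],
        }
        # Verdict: a known hash anywhere, or the campaign's attachment shape (ZIP name
        # matching the pattern and carrying an .exe), is enough to quarantine the
        # message regardless of what the body text says.
        carries_exe = any(m["is_exe"] for m in finding["members"])
        finding["suspicious"] = bool(
            finding["known"]
            or any(m["known"] for m in finding["members"])
            or (finding["pattern_match"] and carries_exe))
        findings.append(finding)
    return findings


def build_sample_message(zip_name="Label_US_city_name_2014-07-02.zip") -> bytes:
    """Constructed sample: a ZIP wrapping a harmless placeholder .exe (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zip_name[:-4] + ".exe", b"MZ placeholder - not a real executable")
    msg = EmailMessage()
    msg["From"] = "usps@example.com"   # constructed sender, not taken from the post
    msg["To"] = "victim@example.net"
    msg["Subject"] = "USPS - Shipping label"  # constructed subject
    msg.set_content("Constructed lure text; the real wording changed between waves.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        verdict = "SUSPICIOUS" if f["suspicious"] else "clean"
        print(f["attachment"], verdict, [m["name"] for m in f["members"]])
```

The hash lists only catch the exact samples from this post; the naming-pattern check is what carries over to the next wave, and it should be combined with the ZIP-contains-an-executable test rather than used alone, since a ZIP name by itself is cheap for the sender to change.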

 

SANDBOX TRAFFIC AND SNORT EVENTS

Traffic noted from the Malwr.com sandbox analysis of the 2014-06-27 malware:

Snort events triggered when reading the PCAP:

 

Traffic noted from the Malwr.com sandbox analysis of the 2014-07-02 malware:

Snort events triggered when reading the PCAP:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
