2014-07-08 - ASPROX BOTNET FAKE E-ZPASS PHISHING EMAILS

ASSOCIATED FILES:

TODAY'S EMAILS

SCREENSHOTS:

SUBJECT LINES:

MESSAGE:

Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.

The invoice can be downloaded here.

LINKS FROM THE EMAILS TO THE MALWARE:

NOTE: The account for www.gettingleadswithcraigslist.com was suspended by the time I checked the link

PRELIMINARY MALWARE ANALYSIS

ZIP FILE:

File name: E-ZPass_San_Antonio.zip
File size: 56.7 KB (58028 bytes)
MD5 hash: b667faf93d1b846ee4d0b9656d0d282b
Detection ratio: 4 / 54
First submission: 2014-07-08 20:24:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/611c8bff331db2f7a2c79c96b897264cb96dccd292460507acb6e0ed29b6f167/analysis/

EXTRACTED MALWARE:

File name: E-ZPass_San_Antonio.exe
File size: 84.0 KB (86016 bytes)
MD5 hash: 351c4b6611117ab2f5f8af8710e0bd52
Detection ratio: 5 / 54
First submission: 2014-07-08 20:25:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/16d1f3f1f9c095e8a1fda728edab565065d91adcd04cf691ac1433222f37f11b/analysis/
Malwr link: https://malwr.com/analysis/YjhlYTZmZGUyMmExNDFjNmI4MGQ3MTU3YjhiYTcwNTg/

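The ZIP and the executable it carries are the two artifacts an analyst hashes and inspects before anything is run. The script below is an added example, not code from this site: it triages a ZIP attachment entirely in memory (no member is written to disk or executed), records size, MD5 and SHA256 of each member, checks for a PE "MZ" header and an executable extension, and compares the MD5 against the two hashes published above. The sample ZIP it builds is constructed for the demonstration, holding a stub that is only an MZ header plus filler, so its hashes will not match the real sample's.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# MD5 hashes published in the write-up above (taken from the page, not computed here).
KNOWN_BAD_MD5 = {
    "b667faf93d1b846ee4d0b9656d0d282b",  # E-ZPass_San_Antonio.zip
    "351c4b6611117ab2f5f8af8710e0bd52",  # E-ZPass_San_Antonio.exe
}

# Extensions that Windows will execute directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


@dataclass
class MemberReport:
    name: str
    size: int
    md5: str
    sha256: str
    is_pe: bool
    executable_ext: bool
    known_bad: bool
    reasons: List[str] = field(default_factory=list)


def triage_zip(zip_bytes: bytes) -> List[MemberReport]:
    """Inspect every file inside a ZIP held in memory and report static indicators."""
    reports: List[MemberReport] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # stays in memory; nothing is written out or launched
            md5 = hashlib.md5(data).hexdigest()
            sha256 = hashlib.sha256(data).hexdigest()
            is_pe = data[:2] == b"MZ"  # DOS/PE header magic at offset 0
            ext = "." + info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            executable_ext = ext in EXECUTABLE_EXTS
            known_bad = md5 in KNOWN_BAD_MD5
            reasons = []
            if is_pe:
                reasons.append("PE header (MZ) at offset 0")
            if executable_ext:
                reasons.append(f"executable extension {ext}")
            if known_bad:
                reasons.append("MD5 matches published IoC list")
            reports.append(MemberReport(info.filename, len(data), md5, sha256,
                                        is_pe, executable_ext, known_bad, reasons))
    return reports


def build_constructed_sample() -> bytes:
    """Constructed look-alike for the demo: a ZIP holding a stub that is NOT a real binary,
    only an MZ header followed by filler, named like the attachment in this campaign."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed-stub-not-a-real-binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("E-ZPass_San_Antonio.exe", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_constructed_sample()):
        print(f"{r.name}  {r.size} bytes  md5={r.md5}  sha256={r.sha256}")
        for reason in r.reasons:
            print(f"  - {reason}")
```

Run against a real attachment, the MD5 comparison is what links a fresh sample to the hashes listed above, while the MZ and extension checks catch the same lure re-packed with a different binary that no hash list knows yet.
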
CALLBACK TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE

2014-07-08 20:34 UTC - 192.168.56.102:1039 - 212.45.17.15:8080 - 212.45.17.15:8080 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1

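The single callback above has three traits worth alerting on together: the Host header is a bare IP rather than a name, the HTTP traffic runs on port 8080, and the request is a POST to a URI that is nothing but a long run of hex characters. The script below is an added example, not part of the original write-up: it parses lines in the "timestamp - src:port - dst:port - host - METHOD path" layout used in these traffic notes and flags any event that shows at least two of those traits. The benign lines in the sample are constructed (TEST-NET addresses and example.com names); only the 212.45.17.15 line is the observed callback.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Layout of the traffic notes above: timestamp - src:port - dst:port - host - METHOD path
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2} UTC) - "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) - "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) - "
    r"(?P<host>\S+) - "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)
# A URI that is a single path segment of 32+ hex digits, no file name or extension.
HEX_PATH_RE = re.compile(r"^/[0-9A-Fa-f]{32,}$")
STANDARD_WEB_PORTS = {80, 443}


@dataclass
class HttpEvent:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    host: str
    method: str
    path: str


def parse_line(line: str) -> Optional[HttpEvent]:
    """Parse one traffic-note line; return None for anything that does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return HttpEvent(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                     m["host"], m["method"], m["path"])


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address, optionally followed by :port."""
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def suspicious_reasons(ev: HttpEvent) -> List[str]:
    """Collect the callback traits present in one event."""
    reasons = []
    if host_is_bare_ip(ev.host):
        reasons.append("Host header is a bare IP address")
    if ev.dport not in STANDARD_WEB_PORTS:
        reasons.append(f"HTTP on non-standard port {ev.dport}")
    if ev.method == "POST" and HEX_PATH_RE.match(ev.path):
        reasons.append("POST to a long hex-only URI")
    return reasons


def flag_callbacks(lines: Iterable[str], min_reasons: int = 2) -> List[Tuple[HttpEvent, List[str]]]:
    """Return (event, reasons) for every parseable line showing at least min_reasons traits."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip comments, blank lines and malformed entries
        reasons = suspicious_reasons(ev)
        if len(reasons) >= min_reasons:
            flagged.append((ev, reasons))
    return flagged


SAMPLE_LINES = [
    # constructed benign browsing (TEST-NET-3 addresses, example.com names)
    "2014-07-08 20:33 UTC - 192.168.56.102:1038 - 203.0.113.10:80 - www.example.com - GET /index.html",
    # the callback observed in the sandbox run above
    "2014-07-08 20:34 UTC - 192.168.56.102:1039 - 212.45.17.15:8080 - 212.45.17.15:8080 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1",
    # constructed benign API call: POST, but to a named host on 443 with a normal path
    "2014-07-08 20:35 UTC - 192.168.56.102:1040 - 203.0.113.20:443 - api.example.net - POST /v1/status",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    for ev, reasons in flag_callbacks(SAMPLE_LINES):
        print(f"{ev.ts} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.method} {ev.path}")
        for reason in reasons:
            print(f"  - {reason}")
```

Requiring two traits rather than one keeps ordinary traffic from firing: a POST to a named host on 443, or a GET to a bare IP on 80, each shows one trait and is ignored, while the observed callback shows all three.
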
SNORT EVENTS

Snort events noted from the malware download PCAP:

Snort events noted on PCAP from sandbox analysis of the malware:

NOTE: These Snort events were taken from Sguil using tcpreplay on Security Onion and reading the PCAP from a Snort installation on Ubuntu 14.04 LTS.

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
