2014-07-11 - FAKE PURCHASE INVOICE PHISHING EMAILS

ASSOCIATED FILES:

TODAY'S EMAILS

SCREENSHOTS:

SUBJECT LINE:

Payment for [recipient's email address]

EXAMPLE OF THE MESSAGE TEXT:

Thanks for shopping with our company today! Your order is currently processing.

BILLING DETAILS

Purchase Number: Q135946436
Order Date: 7.31 AM Wed, Jul 11, 2014
Customer Email: [redacted]

Outright Purchase: 6752 USD

Download your invoice

Please click the link given above to get more details about your order.

LINKS FROM THE EMAILS TO THE MALWARE:

NOTE: I acquired a copy of the malware from the first link.  By the time I checked the other links, Dropbox had removed the malware.

TRAFFIC FROM SANDBOX ANALYSIS

IP ADDRESSES AND DOMAINS CALLED BY THE MALWARE:

HTTP TRAFFIC FROM THE PCAP:

NOTE:  [!] shows where more malware was returned.

PRELIMINARY MALWARE ANALYSIS

MALWARE FROM PHISHING EMAIL LINK:

File name:  Invoice_349.PDF.scr
File size:  133.8 KB ( 137042 bytes )
MD5 hash:  a2929c03164efd23e7007b05a3de8da4
Detection ratio:  1 / 54
First submission:  2014-07-11 21:46:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/28e8e70a068e49062b7eb028cf97b18eece72573ca7ae644995f3f692cfa7cc5/analysis/
Malwr link:  https://malwr.com/analysis/MjQ0MzBhMGI2MzhhNDgzYjlmYmM5NTE4ZmQ5ZWJhZDQ/

FOLLOW-UP MALWARE 1 OF 2:

File name:  res.exe
File size:  220.5 KB ( 225792 bytes )
MD5 hash:  0c55c1a7e7c14c239b7535039a922150
Detection ratio:  2 / 54
First submission:  2014-07-11 23:41:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a1e9af4632ff0eb5b3eb21285f5909ad8e28c326d71489707e7ea2f76e28e34b/analysis/
Malwr link:  https://malwr.com/analysis/ZmYxYTJkMDI5MGFlNDI3ZDhhY2NmNzQwNTIyZGYyMWU/

FOLLOW-UP MALWARE 2 OF 2:

File name:  p.exe
File size:  180.0 KB ( 184320 bytes )
MD5 hash:  c24ead56a5532bfc8840d9b602aebbe2
Detection ratio:  2 / 54
First submission:  2014-07-11 21:23:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e7e70c62c8741f9394edf394554d46a2fc41ca8fb51a6a5141f042eaf50cb956/analysis/
Malwr link:  https://malwr.com/analysis/OTRkY2QxZDAyMDMzNGZjOWFlMzU2ZDU4MjlmYzY1OGQ/
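The lure file above is a Windows screensaver executable (.scr) with a .PDF suffix placed in front of the real extension, which Windows hides by default. As an added example, not part of this write-up, the Python below flags that double-extension pattern in a file name and matches a file's MD5 against the three hashes listed on this page; the file names and bytes it is run on are constructed.

```python
import hashlib

# The three MD5 hashes listed in this write-up (lure file and both follow-up binaries).
KNOWN_MD5 = {
    "a2929c03164efd23e7007b05a3de8da4": "Invoice_349.PDF.scr",
    "0c55c1a7e7c14c239b7535039a922150": "res.exe",
    "c24ead56a5532bfc8840d9b602aebbe2": "p.exe",
}

# Extensions a recipient reads as a document, and Windows extensions that actually execute.
# With "hide extensions for known file types" on (the Windows default), Invoice_349.PDF.scr
# is displayed as Invoice_349.PDF, which is what makes the trick work.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "js"}


def assess_filename(name: str) -> dict:
    """Flag file names whose real (last) extension executes, especially when a
    document-looking extension sits right in front of it."""
    parts = name.lower().rsplit(".", 2)   # "invoice_349.pdf.scr" -> ["invoice_349", "pdf", "scr"]
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{parts[-1]} is executable")
        if len(parts) == 3 and parts[-2] in DOCUMENT_EXTS:
            reasons.append(f"document extension .{parts[-2]} used as a decoy")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}


def assess(name: str, md5_hex: str) -> dict:
    """Combine the file-name check with a lookup against the hashes from this page.
    md5_hex is what a sandbox or mail-gateway report already gives you."""
    verdict = assess_filename(name)
    verdict["md5"] = md5_hex.lower()
    if verdict["md5"] in KNOWN_MD5:
        verdict["suspicious"] = True
        verdict["reasons"].append(f"MD5 matches known sample {KNOWN_MD5[verdict['md5']]}")
    return verdict


def assess_file(name: str, data: bytes) -> dict:
    """Same check for a file whose bytes you hold (e.g. a quarantined download)."""
    return assess(name, hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    # Constructed inputs: the page's lure name, a benign PDF name, and a hash from the page.
    for v in (assess_filename("Invoice_349.PDF.scr"),
              assess_filename("Quarterly_report.pdf"),
              assess("res.exe", "0c55c1a7e7c14c239b7535039a922150")):
        print(v["name"], "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```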

 

SNORT EVENTS

Sourcefire VRT ruleset from Snort 2.9.6.0 running on Ubuntu 14.04 LTS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.