2014-07-25 - PHISHING EMAIL - MALWARE DROPPED CRYPTOWALL - SUBJECT: RE: IMPORTANT DOCUMENTS

ASSOCIATED FILES:

NOTES:

TODAY'S PHISHING EMAIL

Saw the following email today:

MESSAGE TEXT:

From: Neal London <Neal.London@bofa.com>
Date: Friday, July 25, 2014 at 13:06 UTC
To:
Subject: RE: Important Documents

Please check attached documents regarding your Bofa account.

Neal London
Bank Of America
817-236-3135 office
817-971-3464 cell
Neal.London@bofa.com

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

PRELIMINARY MALWARE ANALYSIS

FILE ATTACHMENT

File name:  Documents.zip
File size:  9.8 KB ( 9986 bytes )
MD5 hash:  b99d38332e6939baa2c2a057a37daefc
Detection ratio:  16 / 53
First submission:  2014-07-25 15:58:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/256d3022d6a0446708000e7cf4d34f0a0671058edf67c7de00033e50a65becd6/analysis/

EXTRACTED MALWARE:

File name:  Documents.Scr
File size:  22.5 KB ( 23040 bytes )
MD5 hash:  dc4d0bd7fb9e647501c3b0d75aa2be65
Detection ratio:  6 / 52
First submission:  2014-07-25 16:10:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9dc39f7ba4b6b31c7b55303c656e44c1782ed45e9de5a5aeca19cf018f2af9d9/analysis/

CRYPTOWALL DROPPED ON AN INFECTED VM:

File name:  a6d206d.exe
File size:  177.5 KB ( 181760 bytes )
MD5 hash:  57dab9371bd0710200810d8796040e8e
Detection ratio:  4 / 53
First submission:  2014-07-25 16:46:41 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6bb8d45a46f4c56f8286e02779600971d1b2eeddcf7dea0b1d1e62191f8323ed/analysis/
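To turn the indicators above into a check a mail gateway or an analyst can actually run, here is an added example in Python (not code from the original page). It inspects a ZIP attachment for members with executable extensions such as the .Scr inside Documents.zip, checks each member for the PE "MZ" magic regardless of its name, and looks MD5 digests up against the three hashes listed above. The archive it builds is constructed test data, so its digests will not match the page's hashes; only a real copy of the sample would.

```python
"""Triage a ZIP e-mail attachment the way the Documents.zip sample above was handled.

Added example, not code from the original page. The sample archive built here is
constructed (a fake "Documents.Scr" member starting with the PE "MZ" magic), so its
digests will not match the page's hashes; the KNOWN_MD5 table, however, holds the
three MD5 values the page reports.
"""
import hashlib
import io
import os
import zipfile

# MD5 values taken from the page's preliminary analysis section.
KNOWN_MD5 = {
    "b99d38332e6939baa2c2a057a37daefc": "Documents.zip (phishing attachment)",
    "dc4d0bd7fb9e647501c3b0d75aa2be65": "Documents.Scr (extracted dropper)",
    "57dab9371bd0710200810d8796040e8e": "a6d206d.exe (CryptoWall payload)",
}

# Extensions Windows runs as code when double-clicked; .scr is a PE file despite the name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def triage_zip(data: bytes) -> dict:
    """Hash the archive, inspect each member and return a structured report."""
    zip_md5 = hashlib.md5(data).hexdigest()
    report = {
        "zip_md5": zip_md5,
        "zip_sha256": hashlib.sha256(data).hexdigest(),
        "zip_known_ioc": KNOWN_MD5.get(zip_md5),
        "members": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            ext = os.path.splitext(info.filename)[1].lower()  # ".Scr" -> ".scr"
            member_md5 = hashlib.md5(content).hexdigest()
            report["members"].append({
                "name": info.filename,
                "size": info.file_size,
                "md5": member_md5,
                "executable_ext": ext in EXECUTABLE_EXTS,
                "pe_magic": content[:2] == b"MZ",  # DOS/PE header, whatever the name says
                "known_ioc": KNOWN_MD5.get(member_md5),
            })
    return report


def verdict(report: dict) -> str:
    """'suspicious' if the archive or any member trips an indicator, else 'no finding'."""
    if report["zip_known_ioc"]:
        return "suspicious"
    for m in report["members"]:
        if m["executable_ext"] or m["pe_magic"] or m["known_ioc"]:
            return "suspicious"
    return "no finding"


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Construct an in-memory ZIP with a single member (test data, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for Documents.zip: a screen-saver-named PE stub.
    sample = build_sample_zip("Documents.Scr", b"MZ" + b"\x00" * 62)
    rep = triage_zip(sample)
    print(rep["zip_md5"], verdict(rep))
    for m in rep["members"]:
        print(m)
```

The extension check and the magic-byte check are deliberately independent: a renamed payload (say, .Scr presented as .txt) still trips `pe_magic`, and a script extension with no PE header still trips `executable_ext`. The hash lookup is the weakest of the three since a recompiled dropper changes its digest, which is why the page's detection ratios for the fresh samples are so low.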


TRAFFIC FROM THE SANDBOX ANALYSIS

HTTP GET REQUESTS:

OTHER TRAFFIC:

SNORT EVENTS

Emerging Threats and ETPRO signature hits from Sguil after using tcpreplay on Security Onion for the sandbox analysis:

Sourcefire VRT signature hits from reading the sandbox analysis pcap with Snort 2.9.6.0 on Ubuntu 14.04 LTS:

CRYPTOWALL (THE DROPPED MALWARE) IN ACTION

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
