2014-08-18 - ASPROX BOTNET PHISHING EMAIL - SUBJECT: PAYMENT FOR DRIVING ON TOLL ROAD

ASSOCIATED FILES:

SCREENSHOT:

MESSAGE TEXT:

From: Collection Agency <refund@llbmexico.com>
Reply-To: Collection Agency <refund@llbmexico.com>
Date: Monday, August 18, 2014 at 5:47 UTC
To:
Subject: Payment for driving on toll road

E-ZPass
Service Center

Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.

Get Invoice

Terms & Conditions | Site Map | Privacy Policy | Phishing Policy   2014 E-ZPass

LINK TO MALWARE FROM THE EMAIL:

50.62.66.1 - raptoreng.com/wordpress/wp-content/uploads/wysija/themes/smoke/index.php?to=qXamfszxhzbqNhhhYKsg2ZLP4lI9hOxFyc3P4LOt5pU=

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  E-ZPass_your_city_here.zip
File size:  80.0 KB ( 81965 bytes )
MD5 hash:  97d2eba9d1df824b0c138c014e9644c6
Detection ratio:  4 / 53
First submission:  2014-08-19 18:09:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e6af65e049bb099f388bb34696d00cac23ea416f0399d4a89e7dd61a867fe8d4/analysis/

EXTRACTED FILE:

File name:  E-ZPass_your_city_here.exe
File size:  127.0 KB ( 130048 bytes )
MD5 hash:  378918bf2dfeee122c7b37eec82a4880
Detection ratio:  3 / 53
First submission:  2014-08-19 18:10:06 UTC
VirusTotal link:  https://www.virustotal.com/en/file/48117befcae8b6c84d35da4b62bdb8414dba43dfeebc5e4f14a276513443737a/analysis/

FOLLOW-UP MALWARE 1 OF 2:

File name:  UpdateFlashPlayer_66db8c5e.exe
File size:  302.7 KB ( 309950 bytes )
MD5 hash:  439c369bf81a4f6b412630e093eeddfe
Detection ratio:  15 / 53
First submission:  2014-08-19 15:21:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d138af7386a8e10d6075dff62ee8b0d89f6aba5e72b04b367a983150e3e79a3b/analysis/

FOLLOW-UP MALWARE 2 OF 2:

File name:  UpdateFlashPlayer_b4a18ea9.exe
File size:  172.0 KB ( 176128 bytes )
MD5 hash:  d7979841d49514c985aa24f2bcfe71ea
Detection ratio:  4 / 52
First submission:  2014-08-19 21:28:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c9382e2a36d04672554c0633aa38ed54587054b2a0c9dc3805e3815fb0f5bc4/analysis/

INFECTION TRAFFIC

FROM SANDBOX ANALYSIS OF THE MALWARE:

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.0 on Ubuntu 14.04 LTS:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.