2014-09-01 - PHISHING EMAIL - SUBJECT: STATEMENT AS AT 01/09/2014

ASSOCIATED FILES:

PHISHING EMAIL

SCREENSHOT:

MESSAGE TEXT:

Date: Mon, 01 Sep 2014 12:01:01 UTC
From: Cathy Rossi <C.Rossi@tcreidelectrical.co.uk>
To: skigang@snowwhores.co.uk
Subject: Statement as at 01/09/2014

Please find attached statement from T C REID (ELECTRICAL) LTD as at 01/09/2014.

Attachment: D0110109.PDF.zip (273 KB)

EMAIL HEADERS:

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  D0110109.PDF.zip
File size:  273.3 KB ( 279827 bytes )
MD5 hash:  b95728c4d8edd9ad604c468ed2cc3810
SHA256 hash:  2203dc77f69ff84e439fb16b8d14b47fc9a5cfe3a6fa247b93dd72174db8920c (from the VirusTotal URL)
Detection ratio:  18 / 55
First submission:  2014-09-01 11:27:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2203dc77f69ff84e439fb16b8d14b47fc9a5cfe3a6fa247b93dd72174db8920c/analysis/


File name:  D0110109.PDF.exe (extracted from the ZIP)
File size:  341.1 KB ( 349334 bytes )
MD5 hash:  13d33a9ff6c77a3b7d08a4557d0a5e67
SHA256 hash:  dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7 (from the VirusTotal URL)
Detection ratio:  13 / 55
First submission:  2014-09-01 11:28:44 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dd96f70183fd6f9482243e04b02a75c66040bafa64f612aebc99b4302709f1d7/analysis/
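The attachment is the classic double-extension lure: a ZIP named .PDF.zip whose only member is D0110109.PDF.exe, a Windows executable that shows as "D0110109.PDF" on a system that hides known extensions. The script below is an added example, not part of the original post, of how to triage such an attachment without executing it: list every member, hash it for a VirusTotal lookup, check for a PE "MZ" header, and flag the decoy-extension-before-executable-extension pattern. It builds its own harmless stand-in ZIP with the same member name (constructed; the real sample is not reproduced here) and assumes nothing beyond the Python standard library.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Extensions Windows executes on double-click, and the "decoy" document
# extensions a phisher puts in front of them (D0110109.PDF.exe).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".jse", ".vbs", ".wsf", ".jar"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
             ".txt", ".jpg", ".png"}
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # zip-bomb guard: do not inflate larger members


def build_sample_zip() -> bytes:
    """Constructed stand-in for D0110109.PDF.zip: a harmless MZ-prefixed blob
    stored under the same double-extension member name. NOT the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("D0110109.PDF.exe", b"MZ" + b"\x00" * 62 + b"constructed stand-in")
    return buf.getvalue()


def split_extensions(name: str):
    """'x.PDF.exe' -> ('.pdf', '.exe'); 'x.exe' -> ('', '.exe'); 'x' -> ('', '')."""
    parts = name.lower().rsplit(".", 2)
    real = "." + parts[-1] if len(parts) > 1 else ""
    decoy = "." + parts[-2] if len(parts) > 2 else ""
    return decoy, real


def triage_zip(data: bytes, pwd: Optional[bytes] = None) -> list:
    """Inspect every member of an in-memory ZIP without running anything.
    Returns one dict per file member with hashes, indicators and a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            decoy, real = split_extensions(info.filename)
            # Read only to hash and look at the magic bytes; skip oversized members.
            content = b"" if info.file_size > MAX_ENTRY_BYTES else zf.read(info, pwd=pwd)
            is_pe = content[:2] == b"MZ"
            double_ext = real in EXECUTABLE_EXT and decoy in DECOY_EXT
            reasons = []
            if is_pe:
                reasons.append("PE (MZ) header")
            if real in EXECUTABLE_EXT:
                reasons.append("executable extension " + real)
            if double_ext:
                reasons.append("decoy extension " + decoy + " before " + real)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "md5": hashlib.md5(content).hexdigest(),
                "sha256": hashlib.sha256(content).hexdigest(),
                "is_pe": is_pe,
                "double_extension": double_ext,
                "reasons": reasons,
                "verdict": "block" if reasons else "review",
            })
    return findings


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["verdict"], f["name"], f["sha256"], "; ".join(f["reasons"]))
```

The verdict keys on the member's magic bytes, not its name, so renaming the executable to something without an extension still yields "block"; the double-extension check is kept as a separate indicator because it is worth alerting on even when the payload is a script rather than a PE. Pass pwd= to read members of a password-protected archive such as the ones linked from this site.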


INFECTION TRAFFIC

FROM INFECTED VM:

The infected VM generated repeated DNS queries for Zeus-style DGA domains, but none of them resolved, so no post-infection traffic other than DNS was seen from the VM.

Sandbox analysis shows the HTTP POST request the malware would have sent, had one of the DGA domains resolved to an IP address:


POST /updatec HTTP/1.1
Host: 1mudi5wie0xwlv309geyd4xsk.com
Accept-Encoding:
Connection: close
Content-Length: 592
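Because the C2 domains never resolved, DNS is the only evidence this infection left on the wire, which is exactly the case a DGA detector has to cover. The following is an added example, not part of the original post, that runs over a few constructed Zeek-style dns.log lines: per source host it collects NXDOMAIN answers whose registrable label is long and high-entropy, and reports hosts that accumulate several of them. Only the first domain (1mudi5wie0xwlv309geyd4xsk.com) comes from the sandbox output above; the other query names, hosts and timestamps are made up for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample in Zeek/Bro dns.log style, tab-separated, a subset of the
# real columns: ts, id.orig_h, query, qtype_name, rcode_name.
SAMPLE_DNS_LOG = """\
1409572861.104\t192.168.1.101\t1mudi5wie0xwlv309geyd4xsk.com\tA\tNXDOMAIN
1409572861.230\t192.168.1.101\t8kpvz2tqhw6rbn4e.net\tA\tNXDOMAIN
1409572861.355\t192.168.1.101\tyx3dm7cfol9suagte.org\tA\tNXDOMAIN
1409572861.480\t192.168.1.101\tcz5nqr1wohbi8vjk.com\tA\tNXDOMAIN
1409572862.002\t192.168.1.101\twww.microsoft.com\tA\tNOERROR
1409572862.117\t192.168.1.102\tupdate.microsoft.com\tA\tNOERROR
1409572862.340\t192.168.1.102\twwww.example.com\tA\tNXDOMAIN
1409572863.010\t192.168.1.102\tctldl.windowsupdate.com\tA\tNOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_label(query: str) -> str:
    """Label directly left of the TLD: '1mudi5wie0xwlv309geyd4xsk' for ...com.
    Naive on purpose; it does not know multi-part suffixes such as co.uk."""
    labels = query.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Crude lexical heuristic. Long legitimate names can score above 3.5
    (e.g. 'windowsupdate' is about 3.4), so this is only used together with
    the NXDOMAIN condition and the per-host count in find_dga_hosts()."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_dga_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Return {source_host: [suspicious NXDOMAIN queries]} for hosts with at
    least min_hits distinct generated-looking names that failed to resolve."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # Zeek header/comment lines
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        _ts, src, query, _qtype, rcode = fields[:5]
        if rcode != "NXDOMAIN":
            continue
        if looks_generated(registered_label(query)):
            hits[src].add(query)
    return {src: sorted(qs) for src, qs in hits.items() if len(qs) >= min_hits}


if __name__ == "__main__":
    for host, queries in find_dga_hosts(SAMPLE_DNS_LOG).items():
        print(host, "->", ", ".join(queries))
```

The per-host count is what keeps this usable: a single typo'd long hostname that returns NXDOMAIN is normal, a burst of several unresolvable high-entropy names from one host within seconds is the DGA pattern this sample showed. For production use, feed it real dns.log lines (the column order differs from the constructed subset above) and tune min_hits to the query rate you see.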


SNORT EVENTS FROM INFECTED VM (ONLY DNS QUERIES AND NO HTTP TRAFFIC)

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
