2014-09-03 - PHISHING EMAIL - SUBJECT: 1 NEW VOICEMAIL(S)

ASSOCIATED FILES:

NOTES:

PHISHING EMAIL

SCREENSHOT:

MESSAGE TEXT:

From: WhatsApp Messaging <carlosaraujo@grupovendex.es>
Sent: Tuesday, September 02, 2014 8:09 PM
To: [redacted]
Subject: 1 New Voicemail(s)

WhatsApp

You have a new voicemail!

Details:
Time of Call: Aug-29 2013 06:03:20
Lenth of Call: 40sec

Play

If you cannot play, move message to the "Inbox" folder.
2014 WhatsApp Inc

LINK TO MALWARE:

69.56.225.6 - sistersoffaith.org - GET /wp-content/plugins/gl.php?rec=9X9KHNmFT0mFnzdl3rAPpTss0Te5hvJ6eRfv5b6PHNg=
NOTE: This triggered the following signature: ET CURRENT_EVENTS Possible ASPROX Download URI Struct June 19 2014 (sid:2018589)

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM EMAIL LINK:

File name:  VoiceMail.zip
File size:  88.1 KB ( 90184 bytes )
MD5 hash:  48c8326953a3761c4ee0c362263de07b
Detection ratio:  4 / 53
First submission:  2014-09-03 15:09:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a6c35c8edda2240c794871d8690c757912f521a46fd3283531988cdb3b44a9f5/analysis/


In most cases, the file name will contain a city and a phone number,
such as: VoiceMail_Chambersburg_(717)4583133.zip

EXTRACTED MALWARE:

File name:  VoiceMail.exe
File size:  141.5 KB ( 144896 bytes )
MD5 hash:  d37fbed0d4fb1f7851e4fe5eb16cea38
Detection ratio:  3 / 54
First submission:  2014-09-03 12:25:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fcf679f64d6b7ca8a579d0c5511dac9eaa50b199568d0ba2cfe97517b20ee4b0/analysis/


In most cases, the file name will contain a city and a phone number,
such as: VoiceMail_Chambersburg_(717)4583133.exe
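The two indicators above (the lure URI structure and the VoiceMail_<City>_(NNN)NNNNNNN file naming) can be turned into a simple triage check. The following is an added example, not code from the original post: it matches downloaded file names against the naming convention described on this page and flags request URIs shaped like the lure link (/wp-content/plugins/<name>.php?rec=<base64 blob>). The URI check is an approximation written from the single URL on this page and is not the content of ET sid:2018589; the sample records are constructed, apart from the first URI, which is the one seen in the email.

```python
"""Triage check for the voicemail-themed phishing chain described on this page.

Added example (not from the original post). Two checks:
  1. file names that follow the campaign's observed naming convention
     (VoiceMail.zip / VoiceMail_<City>_(NNN)NNNNNNN.zip and the matching .exe);
  2. request URIs shaped like the lure link on this page
     (/wp-content/plugins/<name>.php?rec=<base64 blob>).
The URI check is an approximation from the one URL on the page, not ET sid:2018589.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# VoiceMail.zip, VoiceMail_Chambersburg_(717)4583133.zip, or the same with .exe
VOICEMAIL_NAME_RE = re.compile(
    r"^VoiceMail(?:_[A-Za-z .'-]+_\(\d{3}\)\d{7})?\.(?:zip|exe)$", re.IGNORECASE
)
# Exactly one PHP file directly under /wp-content/plugins/ (approximation, see above)
LURE_PATH_RE = re.compile(r"^/wp-content/plugins/[A-Za-z0-9_-]+\.php$")
# Pull the raw 'rec' value without '+'-to-space decoding, so base64 survives intact
REC_PARAM_RE = re.compile(r"(?:^|&)rec=([^&]*)")


def is_voicemail_lure_name(filename: str) -> bool:
    """True if the basename follows the campaign's VoiceMail naming pattern."""
    return bool(VOICEMAIL_NAME_RE.match(filename.rsplit("/", 1)[-1]))


def is_lure_uri(uri: str) -> bool:
    """True if the URI has the plugins/<name>.php?rec=<base64> shape seen on the page."""
    parts = urlsplit(uri)
    if not LURE_PATH_RE.match(parts.path):
        return False
    match = REC_PARAM_RE.search(parts.query)
    if not match:
        return False
    try:
        blob = base64.b64decode(match.group(1), validate=True)
    except binascii.Error:
        return False
    # The observed value decodes to 32 bytes; require a non-trivial opaque blob.
    return len(blob) >= 16


# Constructed sample records: (host, request URI, name the download was saved under).
# Only the first URI is from the page; the rest are made up for the example.
SAMPLE_RECORDS = [
    ("sistersoffaith.org",
     "/wp-content/plugins/gl.php?rec=9X9KHNmFT0mFnzdl3rAPpTss0Te5hvJ6eRfv5b6PHNg=",
     "VoiceMail.zip"),
    ("example.invalid", "/wp-content/plugins/akismet/akismet.php?rec=abc", "page.html"),
    ("example.invalid", "/downloads/VoiceMail_Chambersburg_(717)4583133.zip",
     "VoiceMail_Chambersburg_(717)4583133.zip"),
    ("example.invalid",
     "/index.php?rec=9X9KHNmFT0mFnzdl3rAPpTss0Te5hvJ6eRfv5b6PHNg=", "index.html"),
]


def scan(records):
    """Return (host, uri, reasons) for every record that trips at least one check."""
    hits = []
    for host, uri, saved_as in records:
        reasons = []
        if is_lure_uri(uri):
            reasons.append("lure-uri")
        if saved_as and is_voicemail_lure_name(saved_as):
            reasons.append("voicemail-filename")
        if reasons:
            hits.append((host, uri, reasons))
    return hits


if __name__ == "__main__":
    for host, uri, reasons in scan(SAMPLE_RECORDS):
        print(host, uri, ", ".join(reasons))
```

The path check is deliberately narrow (one PHP file directly under the plugins directory) so that legitimate plugin assets under deeper paths, like the second sample record, are not flagged; in a real deployment the filename check would be fed from proxy Content-Disposition headers or endpoint download telemetry rather than a hard-coded list.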


DROPPED MALWARE IN USER'S APPDATA\LOCAL\TEMP DIRECTORY:

File name:  2014-09-03-phishing-malware-dropped-file.exe
File size:  166.0 KB ( 169984 bytes )
MD5 hash:  1af3256b57ad1c7a895b91ba779b71b6
Detection ratio:  21 / 54
First submission:  2014-09-02 21:38:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6e6ad860ebcacd64b96f466268bc9ebdab6e411bdd4c930c1a19e104ea196886/analysis/

INFECTION TRAFFIC

FROM SANDBOX ANALYSIS:

The DNS queries do not resolve; the DNS server responds with: Server failure

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

SCREENSHOT FROM THE HTTP TRAFFIC OVER PORT 443

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
