2014-09-04 - PHISHING CAMPAIGN - SUBJECT: FEDEX | SHIPPING NOTIFICATION UPDATE [NUMBER]

ASSOCIATED FILES:

NOTES:

EXAMPLE OF THE EMAILS

SCREENSHOT:

MESSAGE TEXT:

From: Marc Eubanks <25ndpoop@FedExShipping1.com>
Reply-To: Marc Eubanks <25ndpoop@FedExShipping1.com>
Date: Thursday, September 4, 2014 at 7:29 UTC
To: [redacted]
Subject: FedEx | Shipping Notification Update 1

Dear [redacted],
Unfortunately we failed to deliver a postal package to you that was sent on the 25th of August.
Please print out the invoice attached and collect the package at our office.

Marc Eubanks
Customer Service Department
Your Fedex
www.fedex.com

This email is protected by copyright and trademark laws under US and International law. All rights reserved 1995-2014 FedEx

Attachment: fedex invoice.doc (53 KB)

EMAIL HEADERS:

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  fedex invoice.doc
File size:  39.2 KB ( 40139 bytes )
MD5 hash:  6a3c4d3bb4e07abe27a254f48feba132
Detection ratio:  3 / 54
First submission:  2014-09-04 12:28:37 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9bbcd4dd671871832a4ff4f16892799c488462e375f19b2a893b0dc2db0979d1/analysis/

DOWNLOADED MALWARE 1 OF 3:

File name:  beta.exe
File size:  187.5 KB ( 192000 bytes )
MD5 hash:  de4a8d9dac69f67ada65b6212d63c38c
Detection ratio:  11 / 55
First submission:  2014-09-04 11:47:56 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ff8b67338a0a59e690848dc2acb166949a906983023d4cd483125a5548c68b5b/analysis/

DOWNLOADED MALWARE 2 OF 3:

File name:  Microsoft.exe
File size:  1.4 MB ( 1425408 bytes )
MD5 hash:  b150d1fd3c57ab81c31d45ae381b5315
Detection ratio:  19 / 55
First submission:  2014-09-04 12:46:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2c4c4efbed081dc29bc349988407306dcf94680c30dad7ae0da31a85fa9ca8b0/analysis/

DOWNLOADED MALWARE 3 OF 3:

File name:  loader2.exe
File size:  76.0 KB ( 77824 bytes )
MD5 hash:  3177aab3324276a161ad158aa0a701b6
Detection ratio:  16 / 55
First submission:  2014-09-04 16:31:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e61213bb8ee7894fad6813e34a5d2f36753a3dc644906324cc0db9d84b16ed85/analysis/

INFECTION TRAFFIC

EXECUTING THE MALWARE ON A WINDOWS 7 VM:

SNORT EVENTS FROM INFECTED VM

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.