2014-09-05 - ASPROX BOTNET PHISHING EMAIL - SUBJECT: POSTAL NOTIFICATION

ASSOCIATED FILES:
NOTES:
EXAMPLE OF THE EMAILS

SCREENSHOT:
MESSAGE TEXT:

From: FedEx Ground <support@techorchard.com>
Sent: Wednesday, September 03, 2014 7:13 AM CST
To: [redacted]
Subject: Postal Notification

FedEx

Dear Customer,

Your parcel has arrived at August 25th. Courier was unable to deliver the parcel to you.
To receive your parcel, print this label and go to the nearest office.

Get Shipment Label

FedEx 1995-2014
LINK FROM THE EMAIL:

69.89.11.76 - opencaldav.co.uk - GET /eng.php?fdx=Rp3Ctre9drHW6xVyJTRuwGqP1iMsUwith4IbIdjaHsc=
PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM EMAIL LINK:

File name:  Label_CA_Toronto.zip
File size:  88.9 KB ( 91013 bytes )
MD5 hash:  e3521de222c59cefef286defbf70edc2
Detection ratio:  13 / 55
First submission:  2014-09-05 20:26:47 UTC
VirusTotal link:  https://www.virustotal.com/en/file/53efd60cf4afdab3b7f52874aea366086de339e4e51b8523a639457b147e95d6/analysis/
EXTRACTED MALWARE:

File name:  Label_CA_Toronto.exe
File size:  151.5 KB ( 155136 bytes )
MD5 hash:  3a168edf80c42ea38fbd465de6cf7631
Detection ratio:  7 / 55
First submission:  2014-09-05 11:27:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dfc697e9e4b1f473b55441d5a2b4a5517c6c2a8af9448644fbf4da4e3d583835/analysis/
DROPPED MALWARE FROM SANDBOX ANALYSIS (IN THE USER'S APPDATA\LOCAL\TEMP DIRECTORY):

File name:  2014-09-05-Asprox-malware-dropped-file.exe
File size:  170.0 KB ( 174080 bytes )
MD5 hash:  248ead99ad289175c9da1e05940cdbe4
Detection ratio:  3 / 55
First submission:  2014-09-05 20:38:11 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d95c681de2d608100d0c8a0ad1ef00eeca2652adcfd1223688b33b421a051879/analysis/
INFECTION TRAFFIC

FROM VM DOWNLOAD AND SANDBOX ANALYSIS OF THE MALWARE:
SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.