2014-09-11 - ASPROX BOTNET PHISHING CAMPAIGN - SUBJECT: HOME DELIVERY NOTIFICATION

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOTS:


EXAMPLE MESSAGE TEXT:

From: DPD Services <dpd_support@locautocenter.it>
Reply-To: DPD Services <dpd_support@locautocenter.it>
Date: Thursday, September 11, 2014 at 12:29 UTC
To:
Subject: Home Delivery Notification

DPD

DPD - Parcel Services and Parcel Shipping
Welcome to DPD
Delivery Notification

Track-Id: DP-U0032831029

We could not deliver your parcel. Download Delivery Label here.
Copyright 2014 (C) All rights reserved
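The headers above already carry the tell: the display name claims DPD, but both From: and Reply-To: point at locautocenter.it, and the body uses the usual failed-delivery wording. The following triage script is an added example, not code from the original page. SAMPLE_EMAIL is constructed from the message shown above (the Date header is rewritten in RFC 2822 form); BRAND_DOMAINS and LURE_PHRASES are assumptions for illustration, not a list taken from the page.

```python
"""Header-and-lure triage for a delivery-themed phish like the DPD message above.

Added example, not code from the original page. SAMPLE_EMAIL is constructed
from the message shown on this page; BRAND_DOMAINS and LURE_PHRASES are
assumptions used only for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed from the message text on this page (Date rewritten in RFC 2822 form).
SAMPLE_EMAIL = """\
From: DPD Services <dpd_support@locautocenter.it>
Reply-To: DPD Services <dpd_support@locautocenter.it>
Date: Thu, 11 Sep 2014 12:29:00 +0000
Subject: Home Delivery Notification

DPD - Parcel Services and Parcel Shipping
Welcome to DPD
Delivery Notification

Track-Id: DP-U0032831029

We could not deliver your parcel. Download Delivery Label here.
Copyright 2014 (C) All rights reserved
"""

# Assumption: domains a genuine notification from each brand would come from.
BRAND_DOMAINS = {
    "dpd": ("dpd.com", "dpd.co.uk", "dpd.fr", "dpd.de"),
}

# Assumption: wording typical of failed-delivery lures.
LURE_PHRASES = ("could not deliver", "delivery label", "delivery notification")

# Shape of the Track-Id shown in the sample: two letters, a dash, alphanumerics.
TRACK_ID_RE = re.compile(r"Track-Id:\s*([A-Z]{2}-[A-Z0-9]+)", re.IGNORECASE)


def sender_domain(header_value):
    """Bare, lower-cased domain of an address header ('' if absent)."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def belongs_to(domain, brand_domains):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def claimed_brand(msg):
    """Brand named in the From display name or the Subject, or None."""
    display, _addr = parseaddr(msg.get("From", ""))
    text = f"{display} {msg.get('Subject', '')}".lower()
    return next((b for b in BRAND_DOMAINS if b in text), None)


def triage(raw_message):
    """Pull the indicators an analyst would want from one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    brand = claimed_brand(msg)
    brand_mismatch = bool(brand) and not belongs_to(from_dom, BRAND_DOMAINS[brand])
    lure_hits = [p for p in LURE_PHRASES if p in body.lower()]
    match = TRACK_ID_RE.search(body)
    findings = []
    if brand_mismatch:
        findings.append(f"display name claims '{brand}' but sender domain is {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if lure_hits:
        findings.append("lure wording: " + ", ".join(lure_hits))
    return {
        "sender_domain": from_dom,
        "reply_to_domain": reply_dom,
        "claimed_brand": brand,
        "brand_mismatch": brand_mismatch,
        "lure_hits": lure_hits,
        "track_id": match.group(1) if match else None,
        "subject": msg.get("Subject", ""),
        "verdict": "suspicious" if brand_mismatch and lure_hits else "unremarkable",
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print(line)
```

The brand check is deliberately a suffix match on the registrable domain, so mail.dpd.com passes while dpd.com.evil.example does not; the Track-Id is extracted because it is the kind of campaign-specific string worth searching other mailboxes for.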


DOWNLOADING THE MALWARE:


PRELIMINARY MALWARE ANALYSIS

ZIP FILES FROM THE PHISHING LINKS:

File name:  Label-CA-Toronto.zip
File size:  71.3 KB ( 73007 bytes )
MD5 hash:  2ab2c5473377caa90fc22936b8fa72c5
Detection ratio:  8 / 55
First submission:  2014-09-11 18:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/82676991f92b5c00d1e71310a475a21bda932c1444058a771d4be05960105efc/analysis/


File name:  Label-FR.zip
File size:  71.3 KB ( 72991 bytes )
MD5 hash:  f5f821149e8ce69c030c7b03b33212db
Detection ratio:  8 / 55
First submission:  2014-09-11 19:28:35 UTC
VirusTotal link:  https://www.virustotal.com/en/file/46aabdabc45d01e24aad5cadb275928ef3dbc0892cfb0681e7c1a6b835a63301/analysis/


EXTRACTED MALWARE (SAME EXECUTABLE IN BOTH ZIP FILES, ONLY THE FILE NAME DIFFERS):

File name:  Label-CA-Toronto.exe and Label-FR.exe
File size:  107.5 KB ( 110080 bytes )
MD5 hash:  a6ba2cadc7c6891a5f437b212a18ac52
Detection ratio:  9 / 54
First submission:  2014-09-11 11:40:52 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c5d4898d76e9e2d4a8d0d72ada2e084b0843bce8d74a85ce1b9bdd1d64dc8417/analysis/
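The listing above gives MD5s for the archives and the executable while the VirusTotal URLs carry SHA-256s, and the two ZIPs differ in size by exactly 16 bytes (73007 minus 72991), which is the 8-character difference between the member names "Label-CA-Toronto.exe" and "Label-FR.exe" stored twice, once in the local file header and once in the central directory. The script below is an added example, not code from the original page: it hashes a ZIP container and its members so both the MD5s listed here and the SHA-256s in the links can be matched, and checks whether two archives carry the same payload. The two archives it builds use a placeholder payload constructed in memory, so their hashes will not match the real samples; run hash_zip() on the real ZIPs (with the site's password as bytes) to compare.

```python
"""Hash a ZIP container and the files inside it, to confirm IOCs like those above.

Added example, not code from the original page. The archives built here use a
harmless placeholder payload, so their hashes do not match the real samples.
"""
import hashlib
import io
import zipfile

# Constructed stand-in for Label-*.exe; not the malware.
PLACEHOLDER_PAYLOAD = b"MZ placeholder, not the real sample\n" * 64


def digests(data):
    """MD5, SHA-256 and size of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_zip(zip_bytes, pwd=None):
    """Digest the container and every member; pwd (bytes) decrypts ZipCrypto archives."""
    report = {"container": digests(zip_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            report["members"][info.filename] = digests(zf.read(info.filename, pwd=pwd))
    return report


def member_sha256s(report):
    """Set of SHA-256s of the files inside an archive, ignoring their names."""
    return {m["sha256"] for m in report["members"].values()}


def same_payload(report_a, report_b):
    """True when both archives hold the same file contents, whatever the names."""
    return member_sha256s(report_a) == member_sha256s(report_b)


def find_ioc(report, md5_or_sha256):
    """Name of the member whose MD5 or SHA-256 equals the given IOC, else None."""
    want = md5_or_sha256.lower()
    for name, d in report["members"].items():
        if want in (d["md5"], d["sha256"]):
            return name
    return None


def build_zip(member_name, payload):
    """Write one member into an in-memory, unencrypted ZIP (zipfile cannot encrypt)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def compare_archives(zip_a, zip_b, pwd=None):
    """Summarise two archives the way the listing above does."""
    ra, rb = hash_zip(zip_a, pwd), hash_zip(zip_b, pwd)
    return {
        "container_md5": (ra["container"]["md5"], rb["container"]["md5"]),
        "size_delta": ra["container"]["size"] - rb["container"]["size"],
        "same_payload": same_payload(ra, rb),
        "members": (list(ra["members"]), list(rb["members"])),
    }


if __name__ == "__main__":
    a = build_zip("Label-CA-Toronto.exe", PLACEHOLDER_PAYLOAD)
    b = build_zip("Label-FR.exe", PLACEHOLDER_PAYLOAD)
    print(compare_archives(a, b))
```

With the two constructed archives the container MD5s differ, the member SHA-256s are identical and the size delta is the same 16 bytes seen in the real pair, which is the shape of evidence behind "same from both ZIP files" above.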


INFECTION TRAFFIC

FROM LIVE ANALYSIS OF THE MALWARE:


FROM RUNNING THE MALWARE IN A VM A FEW MINUTES LATER:


SNORT EVENTS NOTED

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
