2014-09-17 - PHISHING EMAIL - SUBJECT: YOU HAVE A VOICE MESSAGE

ASSOCIATED FILES:


NOTES:

Emails from this campaign so far today.


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

From: LINE <oluwatumininu.akinade@oracle.com>
Date: Wednesday, September 17, 2014 at 13:49 UTC
To:
Subject: You have a voice message

LINE
LINE : Free Calls & Messages

LINE Notification You have a voice message, listen it now.
Time: 21:12:45 14.10.2014, Duration: 45sec
Copyright (c) 2014 All rights reserved


HTTP REQUEST THAT DOWNLOADED THE MALWARE:

  • 2014-09-17 14:34 UTC - 27.254.96.21 - ck41tours.com - GET /blog.php?line=fT8cLaOW6gkFOfKx7ZIr7Q

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM LINK IN EMAIL:

File name:  LINE_Call_(210)4583840.zip
File size:  83.5 KB ( 85528 bytes )
MD5 hash:  07d51f610538b0f225a32acd49d2cfdb
Detection ratio:  15 / 54
First submission:  2014-09-17 20:27:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1cb21dc352b36bca0facffcbb63ca7355532f65ebb393af9fc9403f8d96d9f1e/analysis/

EXTRACTED MALWARE:

File name:  LINE_Call_(210)4583840.exe
File size:  134.0 KB ( 137216 bytes )
MD5 hash:  1b2339a1be6d8587816ad632b71e1eaf
Detection ratio:  14 / 55
First submission:  2014-09-17 14:24:09 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7e2125c9df781020a45e653baf3355ae2aadf76c9da5228370ff961ab34174cd/analysis/

DROPPED FILE WHEN EXECUTING MALWARE ON A VM:

File name:  diem.exe
File size:  394.5 KB ( 403968 bytes )
MD5 hash:  cde53f22d8d79a1c4627dbed7b3614b8
Detection ratio:  11 / 52
First submission:  2014-09-17 20:58:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/bfceabb1a3677800e58944899385d40f6edaf8a16bb0c2a4580fba69c09ad983/analysis/

SANDBOX TRAFFIC

FROM SANDBOX ANALYSIS OF THE MALWARE:

Example of the HTTP POST requests from the sandbox analysis.

INFECTED VM TRAFFIC

Running the malware on a VM generated DNS queries for warzine.su, a domain that was not seen in the sandbox analysis.  The VM also received about 355 KB of data from 106.187.98.143 over TCP port 443, and additional malware was dropped on the VM.
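The indicators above (the download host and URI, the post-infection domain and IP, and the three MD5 hashes) are the kind of thing a defender sweeps proxy and DNS logs for. The following script is an added example written for this page, not part of the original write-up; the log line formats and the sample log lines are constructed here for illustration and do not come from the sandbox or VM captures.

```python
"""IoC sweep over proxy and DNS log lines, using the indicators from this write-up."""
import re
from collections import defaultdict

# Indicators taken from the write-up above.
MALICIOUS_HOSTS = {"ck41tours.com", "warzine.su"}
MALICIOUS_IPS = {"27.254.96.21", "106.187.98.143"}
# The download request was GET /blog.php?line=<token>; match that URI shape.
DOWNLOAD_URI = re.compile(r"^/blog\.php\?line=[A-Za-z0-9_-]+$")
KNOWN_MD5 = {
    "07d51f610538b0f225a32acd49d2cfdb": "LINE_Call_(210)4583840.zip",
    "1b2339a1be6d8587816ad632b71e1eaf": "LINE_Call_(210)4583840.exe",
    "cde53f22d8d79a1c4627dbed7b3614b8": "diem.exe",
}

# Constructed sample logs (assumed formats, not from the write-up):
#   proxy: "timestamp client dst_ip host METHOD uri"
#   dns:   "timestamp client QUERY qname"
PROXY_LOG = [
    "2014-09-17T14:34:02Z 10.0.0.5 27.254.96.21 ck41tours.com GET /blog.php?line=fT8cLaOW6gkFOfKx7ZIr7Q",
    "2014-09-17T14:35:10Z 10.0.0.5 93.184.216.34 example.com GET /index.html",
    "2014-09-17T14:36:44Z 10.0.0.7 106.187.98.143 - CONNECT 106.187.98.143:443",
]
DNS_LOG = [
    "2014-09-17T14:36:01Z 10.0.0.5 QUERY warzine.su",
    "2014-09-17T14:36:02Z 10.0.0.5 QUERY example.com",
    "2014-09-17T14:36:03Z 10.0.0.9 QUERY www.example.org",
]


def check_proxy_line(line):
    """Return the list of reasons a proxy log line matches an indicator (empty if clean)."""
    _ts, _client, dst_ip, host, _method, uri = line.split(maxsplit=5)
    reasons = []
    if dst_ip in MALICIOUS_IPS:
        reasons.append(f"destination IP {dst_ip} in IoC list")
    if host.lower() in MALICIOUS_HOSTS:
        reasons.append(f"host {host} in IoC list")
    if DOWNLOAD_URI.match(uri):
        reasons.append("URI matches malware download pattern /blog.php?line=")
    return reasons


def check_dns_line(line):
    """Return the list of reasons a DNS log line matches an indicator (empty if clean)."""
    _ts, _client, _op, qname = line.split()
    qname = qname.rstrip(".").lower()  # normalise trailing dot and case
    return [f"query for {qname} in IoC list"] if qname in MALICIOUS_HOSTS else []


def check_hash(md5):
    """Return the file name associated with a known-bad MD5, or None."""
    return KNOWN_MD5.get(md5.strip().lower())


def sweep(proxy_lines, dns_lines):
    """Return {client_ip: [(log_line, reasons), ...]} for every line that hit an indicator."""
    hits = defaultdict(list)
    for line in proxy_lines:
        reasons = check_proxy_line(line)
        if reasons:
            hits[line.split()[1]].append((line, reasons))
    for line in dns_lines:
        reasons = check_dns_line(line)
        if reasons:
            hits[line.split()[1]].append((line, reasons))
    return dict(hits)


if __name__ == "__main__":
    for client, entries in sweep(PROXY_LOG, DNS_LOG).items():
        print(f"client {client}: {len(entries)} indicator hit(s)")
        for log_line, reasons in entries:
            print("  " + log_line)
            for reason in reasons:
                print("    - " + reason)
```

Matching on the host, the destination IP and the URI shape separately means the sweep still fires if the campaign rotates one of them; the hash table covers the case where only a file (for example from a mail gateway quarantine) is available rather than network logs.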

HTTP REQUESTS BY THE INFECTED VM:

DGA-STYLE DNS QUERIES FROM THE INFECTED VM:

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.