2014-09-18 - PHISHING CAMPAIGN - NATWEST AND FAKE FAX MESSAGES

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOTS:


MESSAGE TEXT - FAKE NATWEST EMAIL:

From: "secure@doc-us.com" <secure@doc-us.com>
Date: Thursday, September 18, 2014 at 10:37 UTC
To:

You have a new private message from NatWest

To view/read this your secure message please click here

Email Encryption Provided by NatWest. Learn More.
Email Security Powered by Voltage IBE
Copyright 2014 National Westminster Bank Plc. All rights reserved.

To unsubscribe please clickhere
National Westminster Bank Plc. All rights, save as expressly granted, are reserved. Reproduction in any form of any part of the contents of this website without our prior written consent is prohibited unless for personal use only.

To view/read this your secure message please click here


MESSAGE TEXT - FAKE FAX EMAIL:

From: "secure@docs-thl.com" <secure@docs-thl.com>
Date: Thursday, September 18, 2014 at 10:36 UTC
To:
Subject: Fax

You have received a new fax. This fax was received by Fax Server.
The fax has been downloaded to dropbox service (Google Inc).

To view your fax message, please download from the link below. It's operat ed by Dropbox and safety.

http://pintoreservicios.com/iudtyvveno/awgvlopvkk.html

Received Fax Det ails
---------------------------------------------------------------- ----------------------
Received on: 16/09/2014 08:14 AM
Number of Pages: 1
From (ID): 503-879-20098
Duration of Fax: 0:00:29
Transfer Speed: 4400

Received Status: Success
Num ber of Errors: 0
Port Received: NP_104
------------------------ ------------------------------------------------------------

T his e-mail has been sent from an automated system.
PLEASE DO NOT REP LY.

The information contained in this message may be privilege d, confidential and protected from disclosure. If the reader of this messag e is not the intended recipient, or an employee or agent responsible for de livering this message to the intended recipient, you are hereby notified th at any dissemination, distribution or copying of this communication is stri ctly prohibited. If you have received this communication in error, please n otify your representative immediately and delete this message from your com puter. Thank you.
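The two lures above share traits a mail-filtering team can score without any sandbox: a brand is named in the body (NatWest, Dropbox) while the sender domain belongs to nobody in particular (doc-us.com, docs-thl.com), the only link points at an unrelated host, the To: header is empty, and the call to action is a generic "click here" / "download from the link below". The following Python is an added example, not part of the original post or of any mail product: it encodes those heuristics and runs them over constructed copies of the two messages. The BRAND_DOMAINS table is an assumption for the example; a real deployment would populate it from its own allowlist, and the NatWest lure's Subject line is not quoted on the page, so it is left empty here.

```python
"""Heuristic triage of phishing lures, run over constructed copies of the two emails above."""
import re
from urllib.parse import urlparse

# Brands named in the lures and the domains they legitimately send from.
# ASSUMPTION for this example; maintain from your own allowlist in practice.
BRAND_DOMAINS = {
    "natwest": {"natwest.com"},
    "dropbox": {"dropbox.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
ACTION_RE = re.compile(r"click\s*here|download from the link", re.I)

# Constructed copies of the two lures quoted above (body text only, no HTML).
NATWEST = {
    "sender": "secure@doc-us.com",
    "to": "",
    "subject": "",  # not quoted on the page
    "body": "You have a new private message from NatWest\n"
            "To view/read this your secure message please click here\n"
            "Email Encryption Provided by NatWest. Learn More.\n"
            "Email Security Powered by Voltage IBE\n",
}
FAX = {
    "sender": "secure@docs-thl.com",
    "to": "",
    "subject": "Fax",
    "body": "You have received a new fax. This fax was received by Fax Server.\n"
            "The fax has been downloaded to dropbox service (Google Inc).\n"
            "To view your fax message, please download from the link below.\n"
            "http://pintoreservicios.com/iudtyvveno/awgvlopvkk.html\n",
}


def sender_domain(sender: str) -> str:
    """Domain of the From address, lower-cased; accepts 'a@b.com' or '"x" <a@b.com>'."""
    return sender.rsplit("@", 1)[-1].strip(" >\"").lower()


def brands_mentioned(text: str) -> set:
    """Brands from BRAND_DOMAINS that appear anywhere in the subject or body."""
    t = text.lower()
    return {b for b in BRAND_DOMAINS if b in t}


def domain_matches_brand(domain: str, brand: str) -> bool:
    """True if domain is the brand's domain or a subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand])


def triage(msg: dict) -> dict:
    """Return the heuristics that fire for a message dict with sender/to/subject/body."""
    hits = []
    text = msg.get("subject", "") + "\n" + msg["body"]
    sdom = sender_domain(msg["sender"])
    brands = brands_mentioned(text)

    # 1. Body impersonates a brand, but the sender domain is not that brand's.
    for b in sorted(brands):
        if not domain_matches_brand(sdom, b):
            hits.append(f"brand_sender_mismatch:{b}")

    # 2. Body names a service (e.g. Dropbox) but every link goes elsewhere.
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if brands and not any(domain_matches_brand(host, b) for b in brands):
            hits.append(f"link_host_mismatch:{host}")

    # 3. Empty recipient header: bulk send to undisclosed recipients.
    if not msg.get("to", "").strip():
        hits.append("empty_to_header")

    # 4. Generic call to action with no account- or recipient-specific detail.
    if ACTION_RE.search(msg["body"]):
        hits.append("generic_click_lure")

    return {"sender_domain": sdom, "hits": hits, "score": len(hits)}


if __name__ == "__main__":
    for name, msg in (("natwest", NATWEST), ("fax", FAX)):
        print(name, triage(msg))
```

Each hit is a reason string rather than a bare score, so the result can be written to the mail log as-is and a second-stage rule (quarantine above a threshold, or on any link_host_mismatch) can key on it. A genuine notification that mentions NatWest from a natwest.com address with a real recipient produces no brand or header hits.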


PRELIMINARY MALWARE ANALYSIS

ZIP FILE - FIRST EXAMPLE:

File name:  document_09182014.zip
File size:  7.3 KB ( 7447 bytes )
MD5 hash:  35d584d43036ace4ab5e9b5c1754baa7
Detection ratio:  18 / 54
First submission:  2014-09-18 09:53:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6e7633fd8a2a0518b89ed17e435d426c4ccb5ab8f9b3d55d5a4ccc5f7c2c5719/analysis/


EXTRACTED MALWARE - FIRST EXAMPLE:

File name:  document_09182014.scr
File size:  19.5 KB ( 19968 bytes )
MD5 hash:  2580ddd3beb3924654a9f9aec9e195a0
Detection ratio:  16 / 55
First submission:  2014-09-18 09:38:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/72f0fa8c053fab90a43ed18ff5bb962de6d31f13b7dc7fb078afb0ba1ded4722/analysis/


DROPPED MALWARE - FIRST EXAMPLE:

File name:  avsem.exe
File size:  444.0 KB ( 454656 bytes )
MD5 hash:  890defc75b7a896a7a84cbb5a7538f37
Detection ratio:  22 / 54
First submission:  2014-09-18 13:03:40 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6102d59bbe05aff4ba699823f177e020436aa76c756c4fc26e6dd54581894c28/analysis/


ZIP FILE - SECOND EXAMPLE:

File name:  Document81264_pdf.zip
File size:  7.7 KB ( 7892 bytes )
MD5 hash:  c21fec7842565899c7dee6b416cd1204
Detection ratio:  10 / 55
First submission:  2014-09-18 17:34:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/fe0a774b669ed7d75b2d37ebb8da9d79ad386bb0f4dca9e6cbbcd6aed7a430ae/analysis/


EXTRACTED MALWARE - SECOND EXAMPLE:

File name:  Document81264_pdf.scr
File size:  20.0 KB ( 20480 bytes )
MD5 hash:  8f602ab1e9288adbb80a93e50bdbe144
Detection ratio:  7 / 53
First submission:  2014-09-18 17:35:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7259b1adda698861a8251685887953d892dff2eb5b141d9051db03cbfcc2c76a/analysis/


DROPPED MALWARE - SECOND EXAMPLE (1 OF 2):

File name:  kjyzp.exe
File size:  378.0 KB ( 387072 bytes )
MD5 hash:  301df83591485e0b4604dc1cee954e6c
Detection ratio:  5 / 53
First submission:  2014-09-18 20:08:02 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e23f5c74de75bd846a1e4d2f58be71fecb1548e9b51c2b4ad2c6caff3cb50437/analysis/


DROPPED MALWARE - SECOND EXAMPLE (2 OF 2):

File name:  vcllf.exe
File size:  390.0 KB ( 399360 bytes )
MD5 hash:  80ad0c1aadb6520ca0c999ebebf264e1
Detection ratio:  3 / 55
First submission:  2014-09-18 19:26:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f686300b3d2e356ce64ffa7e8b2998baa29f889101e7bec73f85e2c020e0aa8a/analysis/
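The seven blocks above all use the same "Field:  value" layout, and each VirusTotal link carries the sample's SHA256 in its path, so the page doubles as a machine-readable IoC list. The following Python is an added example, not part of the original post: it parses that layout into structured entries, checks the KB figure against the byte count (a quick way to catch a transcription error before a hash goes into a blocklist), pulls the SHA256 out of the VirusTotal URL, flags the document-styled executable names seen here (Document81264_pdf.scr, document_09182014.scr), and looks a local file's hashes up against the set. The IOC_TEXT excerpt is copied from the first two blocks above; the DOC_HINTS and EXEC_EXTS lists are assumptions for the example.

```python
"""Parse the preliminary-analysis blocks above into structured IoCs and query them."""
import hashlib
import re
from pathlib import Path

# Excerpt copied in the page's own layout (first two blocks above); constructed for the example.
IOC_TEXT = """\
ZIP FILE - FIRST EXAMPLE:

File name:  document_09182014.zip
File size:  7.3 KB ( 7447 bytes )
MD5 hash:  35d584d43036ace4ab5e9b5c1754baa7
Detection ratio:  18 / 54
First submission:  2014-09-18 09:53:50 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6e7633fd8a2a0518b89ed17e435d426c4ccb5ab8f9b3d55d5a4ccc5f7c2c5719/analysis/

EXTRACTED MALWARE - FIRST EXAMPLE:

File name:  document_09182014.scr
File size:  19.5 KB ( 19968 bytes )
MD5 hash:  2580ddd3beb3924654a9f9aec9e195a0
Detection ratio:  16 / 55
First submission:  2014-09-18 09:38:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/72f0fa8c053fab90a43ed18ff5bb962de6d31f13b7dc7fb078afb0ba1ded4722/analysis/
"""

HEADING_RE = re.compile(r"^([A-Z ]+?) - (.+):$")
FIELD_RE = re.compile(
    r"^(File name|File size|MD5 hash|Detection ratio|First submission|VirusTotal link):\s+(.*)$")
SIZE_RE = re.compile(r"([\d.]+) KB \(\s*(\d+) bytes\s*\)")
RATIO_RE = re.compile(r"(\d+)\s*/\s*(\d+)")
SHA256_IN_URL_RE = re.compile(r"/file/([0-9a-f]{64})/")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# ASSUMPTION: executable extensions and document-style name hints seen in lures like these.
EXEC_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DOC_HINTS = ("pdf", "doc", "document", "invoice", "fax", "scan")


def parse_iocs(text: str) -> list:
    """Turn 'HEADING - LABEL:' blocks of 'Field:  value' lines into dicts."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        h = HEADING_RE.match(line)
        if h:
            current = {"kind": h.group(1).strip(), "label": h.group(2).strip()}
            entries.append(current)
            continue
        f = FIELD_RE.match(line)
        if not f or current is None:
            continue
        key, val = f.group(1), f.group(2).strip()
        if key == "File name":
            current["name"] = val
        elif key == "File size":
            m = SIZE_RE.search(val)
            current["kb"], current["bytes"] = float(m.group(1)), int(m.group(2))
        elif key == "MD5 hash":
            if not MD5_RE.match(val.lower()):
                raise ValueError(f"malformed MD5: {val}")
            current["md5"] = val.lower()
        elif key == "Detection ratio":
            m = RATIO_RE.search(val)
            current["detections"] = (int(m.group(1)), int(m.group(2)))
        elif key == "First submission":
            current["first_seen"] = val
        elif key == "VirusTotal link":
            m = SHA256_IN_URL_RE.search(val)
            current["sha256"] = m.group(1) if m else None
            current["vt_url"] = val
    return entries


def size_consistent(entry: dict) -> bool:
    """The KB figure should equal the byte count rounded to 0.1 KB (1 KB = 1024 bytes)."""
    return round(entry["bytes"] / 1024, 1) == entry["kb"]


def is_disguised_executable(name: str) -> bool:
    """True for an executable whose stem is styled as a document, e.g. Document81264_pdf.scr."""
    p = Path(name)
    return p.suffix.lower() in EXEC_EXTS and any(h in p.stem.lower() for h in DOC_HINTS)


def hash_bytes(data: bytes) -> tuple:
    """(md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path) -> tuple:
    """(md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def lookup(iocs: list, md5: str = None, sha256: str = None):
    """Return the IoC entry whose MD5 or SHA256 matches (case-insensitive), else None."""
    for e in iocs:
        if (md5 and e.get("md5") == md5.lower()) or (sha256 and e.get("sha256") == sha256.lower()):
            return e
    return None


IOCS = parse_iocs(IOC_TEXT)
```

To check a quarantined attachment, call lookup(IOCS, *hash_file(path)); the entry returned carries the VirusTotal URL and first-seen time from the page, which is usually the first thing an analyst wants next to the hit.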


VM INFECTION TRAFFIC - EXAMPLE 1

Downloading document_09182014.zip and executing the malware in a VM:


VM INFECTION TRAFFIC - EXAMPLE 2

Downloading Document81264_pdf.zip and executing the malware in a VM:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
