2014-09-24 - PHISHING CAMPAIGN - SUBJECT: OVERDUE PAYMENT: 884272725375713

ASSOCIATED FILES:


NOTES:


EXAMPLES OF THE EMAILS

SCREENSHOTS:


MESSAGE TEXT EXAMPLE 1:

Subject: Automatic reminder: 557678737295229
Date: Wed, 24 Sep 2014 13:08:51 UTC
From: Delinda Mcspirit <statement@webbroker.co.uk>
To:

Greetings,

This is Delinda from DSB Offshore Ltd. After a review of our records, we have found your account is past due.
Account ID: 1DYBWL5. This notice is a reminder your payment is due.

Best regards,
Delinda Mcspirit
DSB Offshore Ltd
statement@webbroker.co.uk
+07710212241

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

Attachment: application_557678737295229_1DYBWL5.rar (31.5 KB)

MESSAGE TEXT EXAMPLE 2:

Subject: Late payment: 211893769213047
Date: Wed, 24 Sep 2014 12:59:07 UTC
From: Geraldo Cabreja <statement@coldencommoncc.co.uk>
To:

Good afternoon,

This is Geraldo from Linde Material Handling UK Ltd. After a review of our records, we have found your account is past due.
Account ID: 4OP34S9. This notice is a reminder your payment is due.

Best regards,
Geraldo Cabreja
Linde Material Handling UK Ltd
statement@coldencommoncc.co.uk
+07564-305-986

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

---
This e-mail is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

Attachment: contention_211893769213047_4OP34S9.rar (30.8 KB)

MESSAGE TEXT EXAMPLE 3:

Subject: Overdue Payment: 884272725375713
Date: Wed, 24 Sep 2014 12:22:09 UTC
From: Malcolm Speller <proposition@gogreen-drivingschool.co.uk>
To:

Good morning,

This is Malcolm from Chris Lewis Fire and Security. After a review of our records, we have found your account is past due.
Account ID: 0PUB5L0. This notice is a reminder your payment is due.

Kind regards,
Malcolm Speller
Chris Lewis Fire and Security
proposition@gogreen-drivingschool.co.uk
+07952 493 393

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com

Attachment: approval_884272725375713_0PUB5L0.rar (32.6 KB)

PRELIMINARY MALWARE ANALYSIS

EXAMPLE 1:

Attachment name:  application_557678737295229_1DYBWL5.rar   -   31.5 KB ( 32249 bytes )   -   MD5 hash:  cff41c39bd07f35dc5b8e1339a33a241
VirusTotal link:  https://www.virustotal.com/en/file/1944df443059cb41ad391e824a301a304564b5d88f84d77a41413efbb0fac82f/analysis/
Extracted file:  application_557678737295229_1DYBWL5.exe   -   48.0 KB ( 49152 bytes )   -   MD5 hash:  c6bc0a46745e3d1138f443e4d4defde1
VirusTotal link:  https://www.virustotal.com/en/file/977249710ee8926c9982b61593662a2de93234047929dc5f036cb5885dfd9dd5/analysis/


EXAMPLE 2:

Attachment name:  contention_211893769213047_4OP34S9.rar   -   30.8 KB ( 31545 bytes )   -   MD5 hash:  9db8be19abfc6d237482e6a71693cb99
VirusTotal link:  https://www.virustotal.com/en/file/4fce6c450f4c0d172c3f451d190b2e049a35d35f078d036be3ab0566d45c7f2c/analysis/
Extracted file:  contention_211893769213047_4OP34S9.exe   -   46.5 KB ( 47616 bytes )   -   MD5 hash:  8fab91e1dcceb22d38410ff542fee3d2
VirusTotal link:  https://www.virustotal.com/en/file/16d63d550001880457e83ae33a099f6ff7b05fa96881acb67551f4fc155f90fe/analysis/


EXAMPLE 3:

Attachment name:  approval_884272725375713_0PUB5L0.rar   -   32.6 KB ( 33369 bytes )   -   MD5 hash:  ed5a66265d70f164fbca5fb3407ba2ef
VirusTotal link:  https://www.virustotal.com/en/file/82d04142941078b12ef7a8ee77c104df5685b7313611f2bd1a834f0dba48a290/analysis/
Extracted file:  approval_884272725375713_0PUB5L0.exe   -   49.0 KB ( 50176 bytes )   -   MD5 hash:  c607c906d09bbc25f9ff3536093178d2
VirusTotal link:  https://www.virustotal.com/en/file/7594891e4aae292dde81d5d86a72b4a0b80a122000029a2242ae95b52f2147d9/analysis/


DROPPED MALWARE FROM ONE OF THE SAMPLES:

File name:  suhoi.exe
File size:  322.5 KB ( 330240 bytes )
MD5 hash:  0a8d1182de7e4bbdc6c292ba85b542c7
Detection ratio:  2 / 55
First submission:  2014-09-24 15:30:29 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b925b06d9c3ce3051d2de2662a0310d7e9ef141c139823557dd4751e0c964d8e/analysis/


INFECTION TRAFFIC

Executing contention_211893769213047_4OP34S9.exe in a VM:


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:


SCREENSHOTS

RTF document presented by the malware on the infected VM:


Artifacts found in the infected VM user's AppData\Local\Temp directory:


The malware's connectivity check from the infected VM:


Malware callback traffic hitting a sinkhole:


DGA-style DNS queries generated by the infected VM:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
