2014-09-26 - PHISHING CAMPAIGN - SUBJECT: TRANSACTION NOT COMPLETE

ASSOCIATED FILES:

 

NOTES:

 

 

EXAMPLES OF THE EMAILS

EXAMPLE OF EMAIL WITH ATTACHMENT ONLY:

From: "Barclays@email.barclays.co.uk" <orion2004.03.03@kub.biglobe.ne.jp>
Date: Friday, September 26, 2014 at 12:44 UTC
To:
Subject: Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.
For more details please see attached payment receipt .

Barclays is a trading name of Barclays Bank PLC and its subsidiaries.
Barclays Bank PLC is authorised by the Prudential Regulation Authority and
regulated by the Financial
Conduct Authority and the Prudential Regulation Authority (Financial
Services Register No. 122702).
Registered in England. Registered Number is 1026167 with registered office
at 1 Churchill Place, London E14 5HP.

Attachment: PaymentReceipt262.zip (11.2 KB)

 

EXAMPLE OF EMAIL WITH ATTACHMENT AND LINK TO MALWARE:

From: "Barclays@email.barclays.co.uk" <yoshi-.-taka@kyj.biglobe.ne.jp>
Reply-To: "Barclays@email.barclays.co.uk" <yoshi-.-taka@kyj.biglobe.ne.jp>
Date: Friday, September 26, 2014 at 13:26 UTC
To:
Subject: Transaction not complete

Unable to complete your most recent Transaction.

Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://michael-jones[dot]com/barclays-documents/PaymentReceipt262.php



Barclays is a trading name of Barclays Bank PLC and its subsidiaries.
Barclays Bank PLC
is authorised by the Prudential Regulation Authority and regulated by the
Financial
Conduct Authority and the Prudential Regulation Authority (Financial
Services Register
No. 122702). Registered in England. Registered Number is 1026167 with
registered
office at 1 Churchill Place, London E14 5HP.

Attachment: PaymentReceipt262.zip (11.2 KB)

 

EXAMPLE OF EMAIL WITH LINK TO MALWARE ONLY:

From: Administrator <denis.arsenijevic@telia.com>
Date: 26 September 2014 19:15:08 UTC
To:
Subject: Transaction not complete
Reply-To: Administrator <denis.arsenijevic@telia.com>

Unable to complete your most recent Transaction.

Currently your transaction has a pending status.
If the transaction was made by mistake please contact our customer service.


For more details please download payment receipt below:

http://darioscarpetcleaning[dot]com/Barclays-payments/PaymentReceipt262.php



Barclays is a trading name of Barclays Bank PLC and its subsidiaries.
Barclays Bank PLC
is authorised by the Prudential Regulation Authority and regulated by the
Financial
Conduct Authority and the Prudential Regulation Authority (Financial
Services Register
No. 122702). Registered in England. Registered Number is 1026167 with
registered
office at 1 Churchill Place, London E14 5HP.
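
The sender spoofing visible in all three header sets above (a display name claiming a barclays.co.uk address while the actual sender is a biglobe.ne.jp or telia.com mailbox) is easy to check mechanically. The following Python is an added example and not part of the original post; the header strings are copied from the examples above, and the GENERIC_NAMES set is an assumption.

```python
import re

# Header lines copied from the three example emails above; bodies omitted.
SAMPLE_HEADERS = [
    'From: "Barclays@email.barclays.co.uk" <orion2004.03.03@kub.biglobe.ne.jp>',
    'From: "Barclays@email.barclays.co.uk" <yoshi-.-taka@kyj.biglobe.ne.jp>\n'
    'Reply-To: "Barclays@email.barclays.co.uk" <yoshi-.-taka@kyj.biglobe.ne.jp>',
    'From: Administrator <denis.arsenijevic@telia.com>\n'
    'Reply-To: Administrator <denis.arsenijevic@telia.com>',
]
# An address-like token inside a display name, capturing its domain part.
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")
# Role names phishing kits fall back on (assumed list, not from the post).
GENERIC_NAMES = {"administrator", "admin", "support", "helpdesk"}


def split_address(value):
    """Split 'Display <addr>' into (display, addr); a bare address has no display."""
    m = re.match(r'^\s*(.*?)\s*<([^>]+)>\s*$', value)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", value.strip()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_sender(raw_headers):
    """Return findings describing sender-identity mismatches in one header block."""
    headers = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    display, addr = split_address(headers.get("from", ""))
    sender_dom = domain_of(addr)
    findings = []
    # Display name impersonating an address at a domain the mail did not come from
    for m in EMBEDDED_ADDR_RE.finditer(display):
        claimed = m.group(1).lower()
        if claimed != sender_dom and not claimed.endswith("." + sender_dom):
            findings.append(f"display name claims {claimed}, sender domain is {sender_dom}")
    # Role-style display names on an ISP mailbox are a weaker, supporting signal
    if display.lower() in GENERIC_NAMES:
        findings.append(f"generic display name {display!r} on {sender_dom}")
    # A Reply-To elsewhere steers victim replies away from the apparent sender
    if "reply-to" in headers:
        reply_dom = domain_of(split_address(headers["reply-to"])[1])
        if reply_dom != sender_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from sender domain {sender_dom}")
    return findings
```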

 

PRELIMINARY MALWARE ANALYSIS

MALWARE - FIRST EXAMPLE:

Zip file:  PaymentReceipt262.zip
File size:  8.3 KB ( 8505 bytes )
MD5 hash:  e812a77b43a704d58bedcbe393aa9a76
Detection ratio:  13 / 55
First submission:  2014-09-26 17:07:16 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1f2fc330c8967ee14103012af40af7a103b2894b144a42885b5b35be14337ef9/analysis/
Extracted malware:  PaymentReceipt262.exe
File size:  19.5 KB ( 19968 bytes )
MD5 hash:  30285953db3457ea5e629990a3eb7e5a
Detection ratio:  14 / 55
First submission:  2014-09-26 13:36:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5149eb19e642e141818326b4ad670e9b74496881ea1de69c13786f021efda559/analysis/

 

 

MALWARE - SECOND EXAMPLE:

Zip file:  PaymentReceipt262_pdf.zip
File size:  8.5 KB ( 8664 bytes )
MD5 hash:  502d45f7a82962d96d2c2ff19ff4442a
Detection ratio:  4 / 55
First submission:  2014-09-26 17:45:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/2504897ed4ad32735843ddb10d452aa7059854b51f5ce62bd0e92e28683b6efd/analysis/
Extracted malware:  PaymentReceipt262_pdf.exe
File size:  38.0 KB ( 38912 bytes )
MD5 hash:  3376279ffbc918f64a4beb2464e48294
Detection ratio:  6 / 55
First submission:  2014-09-26 17:46:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/dddcc3aaaae00b8fbfda5e97f22e92945760b6dfd443cb892147e53ad85ba2eb/analysis/

 

 

DROPPED MALWARE - FROM INFECTING A VM WITH THE SECOND EXAMPLE:

File name:  xwbgb.exe
File size:  331.5 KB ( 339456 bytes )
MD5 hash:  c84b3e7ac73d8541ac49d59271c8bbaa
Detection ratio:  5 / 55
First submission:  2014-09-26 18:36:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7a3002f5ce5737148b434c5b974bc3fb5cd275391ed2d59dc0be1e276f38d274/analysis/
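
Both attachments above pair a document-style name (PaymentReceipt262, with a "_pdf" suffix in the second sample) with a .exe inside the zip. This added Python example, not the original post's code, inspects a zip attachment for that pattern and goes one step beyond the page by also comparing each member's magic bytes with its extension; the archive it builds is a constructed stand-in with a fake MZ stub, so its hashes will not match the MD5s listed above, and EXEC_EXTS and DOC_HINTS are assumed lists.

```python
import hashlib
import io
import zipfile

# Extensions Windows will run directly (assumed list, not from the post).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Words a recipient reads as "this is a document", as in PaymentReceipt262_pdf.exe.
DOC_HINTS = ("pdf", "doc", "xls", "receipt", "invoice", "payment")


def build_sample_zip(member_name, payload=b"MZ" + b"\0" * 62):
    """Constructed stand-in for the campaign attachment; the MZ stub is not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def inspect_zip_attachment(zip_bytes):
    """Return (findings, md5s): findings describe deceptive members, md5s is per member."""
    findings, md5s = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stem, dot, ext = name.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            data = zf.read(info)
            md5s[name] = hashlib.md5(data).hexdigest()
            is_exec = ext in EXEC_EXTS
            if is_exec:
                findings.append(f"{name}: executable member ({ext})")
            # "PaymentReceipt262_pdf.exe": document wording in front of the real extension
            if is_exec and any(h in stem.lower() for h in DOC_HINTS):
                findings.append(f"{name}: document-style name with executable extension")
            # Extension says document but the content starts with the DOS/PE magic
            if data[:2] == b"MZ" and not is_exec:
                findings.append(f"{name}: MZ header behind non-executable extension")
    return findings, md5s


if __name__ == "__main__":
    for member in ("PaymentReceipt262.exe", "PaymentReceipt262_pdf.exe", "receipt.pdf"):
        print(member, inspect_zip_attachment(build_sample_zip(member))[0])
```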

 

INFECTION TRAFFIC

DOWNLOADING THE SECOND EXAMPLE IN A WINDOWS VM:

 

EXECUTING THE EXTRACTED MALWARE:

NOTE: Malware was executed at 21:12 UTC, and the traffic started 5 minutes later.

 

SNORT EVENTS FROM THE VM INFECTION

Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
