2014-09-30 - PHISHING EMAIL - SUBJECT: REQUIREMENT.

ASSOCIATED FILES:
NOTES:
TEXT OF THE EMAIL

From: nexline trading <laurence.mallet@glynwed.fr>
Date: Tuesday, September 30, 2014 at 20:25 UTC
To: Recipients <laurence.mallet@glynwed.fr>
Subject: Requirement.

Dear Sir

Kindly confirmed that the attached payment of the above proforma is correct and get back to me.

Regards
Abduo alshami
AcctDept

Attachment:   pan 2.zip (490.9 KB)
PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  pan 2.zip
File size:  363.4 KB ( 372076 bytes )
MD5 hash:  1658a4f21ae43b6a3ecb191a8325cde4
Detection ratio:  15 / 55
First submission:  2014-10-01 00:41:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/182c6ada401b77e831fb095edcc3648b9308b850e7c278af696356f3a5dde5d1/analysis/
EXTRACTED MALWARE:

File name:  pan 2.scr
File size:  783.5 KB ( 802304 bytes )
MD5 hash:  9b86e8972cf269e99781cbb921743462
Detection ratio:  15 / 55
First submission:  2014-09-30 23:45:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef93ceabd334a79e9af9edd139a4d5fb4bd2c46da6938eb901cc0885412940c6/analysis/
DROPPED FILES ON THE INFECTED VM:

AppData\Local\Temp\FB_CA15.tmp.exe   -   https://www.virustotal.com/en/file/129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689/analysis/
AppData\Roaming\Iguzy\ypaky.kiz   -   https://www.virustotal.com/en/file/a43753f4e2ff47757e020558e80dbdfe36652f90218625001fa9f5b23b2c6b67/analysis/
AppData\Roaming\Ogicac\yzse.exe   -   https://www.virustotal.com/en/file/7ba1d7f123aa0deb72a0e140dcbca90ef10e6d2afd360c5fe2e97d83cdd760d0/analysis/
AppData\Roaming\sra\yats.bat   -   Text file with one line:   start /d "C:\Users\User-1\AppData\Roaming\sra" yats.exe
AppData\Roaming\sra\yats.exe   -   same file as pan 2.scr (see extracted malware shown above)
AppData\Roaming\Ylihh\seumo.tmp   -   https://www.virustotal.com/en/file/8b24c38754dba0a2bedcc3a3821b623fc3f730ad42d86aa2280e14bcd7cb2dca/analysis/
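As an added illustration (not part of the original analysis), a small Python check that flags the kind of launcher seen in yats.bat above: a one-line .bat under a user's AppData directory whose only job is to `start` an executable from its own folder. The regex, the helper names and the sample inventory are constructed for this example; only the yats.bat entry reproduces a line from the report.

```python
import re
from pathlib import PureWindowsPath

# Matches the one-line launcher shape seen in yats.bat:
#   start /d "<working dir>" <program>
# Constructed for this example; tolerates an optional window title and extra /flags.
START_RE = re.compile(
    r'^\s*start\s+(?:"[^"]*"\s+)?(?:/\w+\s+)*?/d\s+"(?P<dir>[^"]+)"\s+(?:/\w+\s+)*(?P<exe>\S+)',
    re.IGNORECASE,
)


def parse_start_launcher(bat_text: str):
    """Return (working_dir, program) if the file is a single 'start /d' line, else None."""
    lines = [line for line in bat_text.splitlines() if line.strip()]
    if len(lines) != 1:
        return None
    m = START_RE.match(lines[0])
    return (m.group("dir"), m.group("exe")) if m else None


def is_self_launching_bat(bat_path: str, bat_text: str) -> bool:
    """Flag a .bat under AppData that starts an .exe/.scr from the directory it lives in."""
    p = PureWindowsPath(bat_path)
    if p.suffix.lower() != ".bat":
        return False
    if "appdata" not in [part.lower() for part in p.parts]:
        return False
    parsed = parse_start_launcher(bat_text)
    if parsed is None:
        return False
    work_dir, program = parsed
    # PureWindowsPath equality is case-insensitive, as Windows paths are.
    return PureWindowsPath(work_dir) == p.parent and program.lower().endswith((".exe", ".scr"))


# Constructed sample inventory of (path, contents). The first entry reproduces the
# yats.bat launcher from the report; the rest are benign or near-miss cases.
SAMPLES = [
    (r"C:\Users\User-1\AppData\Roaming\sra\yats.bat",
     r'start /d "C:\Users\User-1\AppData\Roaming\sra" yats.exe' + "\r\n"),
    (r"C:\Users\User-1\AppData\Roaming\sra\yats.exe", "MZ..."),          # not a .bat
    (r"C:\Tools\build.bat", r'start /d "C:\Tools" build.exe' + "\r\n"),   # outside AppData
    (r"C:\Users\User-1\AppData\Roaming\notes\run.bat",
     r'start /d "C:\Program Files\App" app.exe' + "\r\n"),               # launches elsewhere
]


def find_self_launching_bats(samples):
    """Return the paths of inventory entries that look like the yats.bat launcher."""
    return [path for path, text in samples if is_self_launching_bat(path, text)]
```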
INFECTION TRAFFIC

INFECTING A VM WITH THE EXTRACTED MALWARE:
SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):
SCREENSHOTS FROM THE TRAFFIC

Example of the callback traffic:
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.