2014-10-07 - PHISHING CAMPAIGN - SUBJECT: YOU HAVE VOICE MESSAGE

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

From: LINE <stamps@kingsign.com>
Sent: Monday, October 06, 2014 4:23 PM
To:
Subject: You have a voice message

LINE LINE: Free Calls & Messages

You have a voice message, listen it now
LINE NOTIFICATION Time: 21:12:45 01 Oct 2014, Duration: 45sec
Coypright (c) 2014 All rights reserved


PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  LINE_Call.zip
File size:  80.4 KB ( 82323 bytes )
MD5 hash:  92d86a4847988aad3eaef5d609308c97
Detection ratio:  5 / 55
First submission:  2014-10-07 23:18:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7929c2c9b585ef354bcd5e89a8ddc0fda68254b6bcfb6b6e5f08d4233e023a63/analysis/


EXTRACTED MALWARE:

File name:  LINE_Call.exe
File size:  128.0 KB ( 131072 bytes )
MD5 hash:  68edcf990db2e27af7d0f42abf8740ba
Detection ratio:  5 / 54
First submission:  2014-10-07 23:18:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e4ac9107b13fed461776035c4e7abf99b95f6d6eec4ce813804118168e96dc70/analysis/
Malwr link:  https://malwr.com/analysis/ZGU2NGM4YzMwMDA3NGI2NjhjNzJhZjZmMWI0YmM4ODU/
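Because the post records the lure (a "voice message" mail carrying a ZIP that holds an EXE) and the hashes of both layers, a mail-gateway or triage script can check incoming mail against exactly those two facts. The following is an added example for this page, not code from the blog: it parses an .eml, unpacks any ZIP attachment in memory, flags a PE inside it, hashes both layers and compares them with the indicators above. The IOC table copies the MD5 values and sizes from the post and takes the SHA256 values from the VirusTotal URLs; the sample .eml and its ZIP/EXE payload are constructed placeholders (their hashes will not match the real LINE_Call.zip/.exe), and the helper names are my own.

```python
"""Triage a 'voice message' phishing mail against the indicators in this post.

Added example for this page (not the blog's own code). The .eml built below
is a constructed lookalike with a placeholder payload, so its hashes do NOT
match the real samples; the IOC table is copied from the post.
"""
from __future__ import annotations

import email
import hashlib
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators from the post. SHA256 values come from the VirusTotal URLs.
IOCS = {
    "LINE_Call.zip": {
        "size": 82323,
        "md5": "92d86a4847988aad3eaef5d609308c97",
        "sha256": "7929c2c9b585ef354bcd5e89a8ddc0fda68254b6bcfb6b6e5f08d4233e023a63",
    },
    "LINE_Call.exe": {
        "size": 131072,
        "md5": "68edcf990db2e27af7d0f42abf8740ba",
        "sha256": "e4ac9107b13fed461776035c4e7abf99b95f6d6eec4ce813804118168e96dc70",
    },
}

VT_RE = re.compile(r"virustotal\.com/en/file/([0-9a-f]{64})/")


def sha256_from_vt_url(url: str):
    """VirusTotal file URLs embed the SHA256; recover it so an MD5-only
    listing can be paired with the stronger hash."""
    m = VT_RE.search(url)
    return m.group(1) if m else None


def file_hashes(data: bytes) -> dict:
    """Size, MD5 and SHA256 of a blob, matching the fields the post lists."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_iocs(hashes: dict) -> list[str]:
    """IOC names whose MD5 or SHA256 matches; size alone is never enough."""
    return [name for name, ioc in IOCS.items()
            if hashes["md5"] == ioc["md5"] or hashes["sha256"] == ioc["sha256"]]


def triage_eml(raw: bytes) -> dict:
    """Flag mail carrying a ZIP with a PE inside it and hash both layers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {"subject": msg["subject"], "attachments": [], "suspicious": False}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        outer = file_hashes(payload)
        entry = {"name": part.get_filename() or "", **outer,
                 "matches": match_iocs(outer), "members": []}
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    inner = zf.read(info)
                    h = file_hashes(inner)
                    is_pe = inner[:2] == b"MZ"          # DOS/PE magic
                    entry["members"].append({"name": info.filename, "pe": is_pe,
                                             **h, "matches": match_iocs(h)})
                    if is_pe or info.filename.lower().endswith(".exe"):
                        result["suspicious"] = True
        result["attachments"].append(entry)
    return result


def build_sample_eml() -> bytes:
    """Constructed lookalike of the lure: same From/Subject, placeholder ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder, not the real malware: an MZ header followed by junk.
        zf.writestr("LINE_Call.exe", b"MZ" + b"\x00" * 62 + b"placeholder body")
    msg = EmailMessage()
    msg["From"] = "LINE <stamps@kingsign.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "You have a voice message"
    msg.set_content("You have a voice message, listen it now\n"
                    "Time: 21:12:45 01 Oct 2014, Duration: 45sec\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="LINE_Call.zip")
    return bytes(msg)


if __name__ == "__main__":
    report = triage_eml(build_sample_eml())
    print(report["subject"], "->", "SUSPICIOUS" if report["suspicious"] else "clean")
    for att in report["attachments"]:
        print(att["name"], att["size"], att["md5"], att["matches"])
        for m in att["members"]:
            print("   ", m["name"], "PE" if m["pe"] else "-", m["sha256"], m["matches"])
```

Run against the real LINE_Call.zip from the associated files (or a mailbox export), `match_iocs` returns the IOC name for both the ZIP and the inner EXE; the constructed sample only trips the ZIP-with-PE check, which is the generic part of the rule and the one that keeps catching the next re-hashed build of the same lure.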


INFECTION TRAFFIC

DOWNLOADING AND EXECUTING THE MALWARE ON A VM:


SNORT EVENTS FROM VM INFECTION

Emerging Threats events from Sguil on Security Onion:


SCREENSHOTS FROM THE TRAFFIC

When you follow the download link from a source IP address the server doesn't want to serve, you get the following message:


I got this one by proxying through a Canadian IP address:


Kuluoz/Asprox-style callback traffic from the infected VM:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
