2014-10-28 - ASPROX BOTNET EMAILS SERVE FREE PIZZA
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-10-28-free-Pizza-Asprox-botnet-emails.csv.zip
- 2014-10-28-malware-from-free-Pizza-Asprox-botnet-emails.zip
- 2014-10-28-Asprox-free-pizza-malware-sandbox-analysis-analysis.pcap.zip
NOTES:
- As early as Monday 2014-10-27, the Asprox botnet started sending fake Pizza Hut emails with the subject line: Free Pizza
- Another subject line is: 55th Anniversary and Free Pizza
- For another example, see: https://wordtothewise.com/2014/10/spam-malware-phish/
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: Pizza Hut <support@gameroomdesigns[.]net>
Reply-To: Pizza Hut <upport@gameroomdesigns[.]net>
Date: Monday, October 27, 2014 at 19:33 UTC
Subject: Free Pizza
Pizza Hut
MAKE IT GREAT
Free personal Pan Pizza
Today we are celebrating our 55th anniversary and we want you to share this celebration with us - you may get a free pizza in any of our restaurants.
Get Free Pizza Coupon
The offer is valid through November 5th, 2014.
Copyright (c) 2014 | All right reserved | Pizza Hut
EXAMPLE OF A LINK TO THE MALWARE:
navbcn[.]com - GET /title.php?pizza=zbXJaeu6meBKvp93EGAHdy0kKh0xW51b8k+TprK9nRA
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: PizzaHut_Coupon.zip
File size: 105,455 bytes
MD5 hash: e8045d8c9851b509a7bd25c9969cded2
Detection ratio: 3 / 53
First submission: 2014-10-28 23:06:16 UTC
VirusTotal link: https://www.virustotal.com/en/file/dd3ea06d7dc1522e061c83e481b3758bdce6fe970e5d90b3d00e633ff14a4677/analysis/
EXTRACTED MALWARE:
File name: PizzaHut_Coupon.exe
File size: 184,320 bytes
MD5 hash: 191a02952905cc0037753700636c3339
Detection ratio: 4 / 54
First submission: 2014-10-28 23:06:27 UTC
VirusTotal link: https://www.virustotal.com/en/file/03264df33e8766c86be99bf351531500b9101d8d21addf5a86e331097885544f/analysis/
INFECTION TRAFFIC
FROM SANDBOX ANALYSIS OF THE MALWARE:
- 2014-10-28 23:08:33 UTC - 85.12.29[.]172:8080 - POST /index.php
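The page's observations (a lure link of the form navbcn[.]com /title.php?pizza=..., an HTTP POST to 85.12.29[.]172:8080 /index.php from the sandbox run, and sender headers whose display name "Pizza Hut" does not match the sending domain) are enough to write a small defensive check. The example below is added here and is not code from the original page or from malware-traffic-analysis.net; it refangs the page's indicators, runs them over a constructed proxy log in an assumed "date time client method url" format, and applies a generic display-name/domain mismatch test to the From: and Reply-To: headers quoted above. The log lines, the log format and the function names are assumptions.

```python
import re

# Indicators copied from the page, kept in its defanged "[.]" notation.
LINK_HOST = "navbcn[.]com"
LINK_PATH_PREFIX = "/title.php?pizza="
C2_HOST_PORT = "85.12.29[.]172:8080"
C2_PATH = "/index.php"


def refang(indicator):
    """Turn the page's defanged 'example[.]com' form back into a matchable string."""
    return indicator.replace("[.]", ".")


# Anchored regexes: the lure link is matched by host plus path prefix (the token after
# pizza= varies per recipient); the C2 check-in is matched exactly.
LINK_RE = re.compile(r"^https?://" + re.escape(refang(LINK_HOST)) + re.escape(LINK_PATH_PREFIX))
C2_RE = re.compile(r"^https?://" + re.escape(refang(C2_HOST_PORT)) + re.escape(C2_PATH) + r"$")

# Constructed proxy-log lines (not from the page): "date time client method url".
SAMPLE_LOG = """\
2014-10-28 23:07:01 10.0.0.5 GET http://navbcn.com/title.php?pizza=zbXJaeu6meBKvp93EGAHdy0kKh0xW51b8k+TprK9nRA
2014-10-28 23:07:05 10.0.0.5 GET http://www.example.com/index.html
2014-10-28 23:08:33 10.0.0.5 POST http://85.12.29.172:8080/index.php
2014-10-28 23:09:10 10.0.0.7 GET http://navbcn.com/title.php?pizza=AAAA
2014-10-28 23:10:00 10.0.0.9 POST http://10.0.0.1/index.php
"""


def classify_request(method, url):
    """Label a request that hits one of the page's indicators, or return None."""
    if method == "GET" and LINK_RE.match(url):
        return "asprox-pizza-lure-link"
    if method == "POST" and C2_RE.match(url):
        return "asprox-c2-checkin"
    return None


def scan_log(text):
    """Return (client, label, url) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines not in the assumed format
            continue
        _date, _time, client, method, url = parts
        label = classify_request(method, url)
        if label:
            hits.append((client, label, url))
    return hits


# Generic header heuristic: a brand name in the display part that shares no word
# with the sending domain, as in 'Pizza Hut <support@gameroomdesigns[.]net>'.
HEADER_RE = re.compile(r'^(From|Reply-To):\s*"?([^"<]*?)"?\s*<([^>]+)>', re.I)


def brand_domain_mismatch(header_line):
    """True when the display name's words all fail to appear in the sender domain."""
    m = HEADER_RE.match(header_line)
    if not m:
        return False
    display, addr = m.group(2).strip(), refang(m.group(3))
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w.lower() for w in re.findall(r"[A-Za-z]+", display)]
    return bool(words) and not any(w in domain for w in words)


if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(client, label, url)
    print(brand_domain_mismatch("From: Pizza Hut <support@gameroomdesigns[.]net>"))
```

The lure-link match deliberately ignores the value after pizza=, since that token differs per message; the C2 match is exact because the sandbox run shows a fixed host, port and path. The header heuristic is a coarse triage signal only and will also flag legitimate mail sent through a third-party domain.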