2014-11-12 - ASPROX BOTNET FAKE STARBUCKS PHISHING EMAILS - DELIVERED SIRIUS WIN 7 ANTIVIRUS 2014

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOTS:


All six emails were fake Starbucks messages received on 2014-11-12, but this one has a few mistakes and
looks like it was originally sent on 2014-11-10.

 

LINK TO MALWARE FROM THESE EMAILS:

From:  "Starbucks" <support@handycup.cz>
Subject:  Enjoy your Starbucks Card eGift

Link:  mundwerkfreital[.]de/error.php?stb=5aJGjk0nRdCwCLB5BSGJ9OVeZSjT9scAVkGNcSLdXzg

From:  "Starbucks" <support@freighttraindigital.com>
Subject:  Enjoy your Starbucks Card eGift

Link:  ritphipsi[.]org/diff.php?stb=skw1QZozuKje0qjjrhzL8CaR1KIHwp6lcrmQ4iBrjpM

From:  "Starbucks" <support@ulg.mediagiantdesign.com>
Subject:  Starbucks Card eGift

Link:  stormgeeks[.]com/dump.php?stb=KlHUP9Acz83sJOW8xdPVxSTPjF+I+6G6JrxViBND/C8

From:  USPS <shawn@mclarensolutions.com.au>
Subject:  Postal Notification Service

Link:  vandammedhe[.]eu/search.php?stb=FHrTiIxaP+2THgoy4qzOjvPEEAAWh+dRZQU87G55HgI

From:  "Starbucks" <support@alvarogl.com>
Subject:  Starbucks Card eGift

Link:  owireduyeboahandassociates[.]com/login.php?stb=UIUE39nFGpVxycMpyCfnSIc92jjwrISVcGz21oaNhTs

From:  "Starbucks" <support@geldersespringkussenverhuur.nl>
Subject:  Enjoy your Starbucks Card eGift

Link:  postprodsons[.]com/defines.php?stb=9VyzWC5VJcDySbbeoYEaUqxjDeIjSUgpUpFpqT3M6Zo

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  Starbucks_eGift.zip
File size:  70.3 KB ( 71950 bytes )
MD5 hash:  3cb651464905715a0a571f6bd434a7a9
Detection ratio:  13 / 55
First submission:  2014-11-12 19:25:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e6dc1655d31aec69533d9c8bec205615a164b66eed48176cd63140707a3a5cde/analysis/

 

EXTRACTED MALWARE:

File name:  Starbucks_eGift.exe
File size:  107.0 KB ( 109568 bytes )
MD5 hash:  37f9766153ea52766d11839868f10648
Detection ratio:  13 / 55
First submission:  2014-11-12 19:25:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/c21d40e8cd713a1dbdf6491abd9ce3dc11ba3f3312c7081fcb3be353b8b8e89f/analysis/
Malwr link:  https://malwr.com/analysis/OGVlZWY0NGQ4ZGNjNGY5ZDlhNjNlMzNhYzFlYjM4NDM/

 

SOME DROPPED ARTIFACTS ON THE INFECTED VM:

 

DROPPED EXE (1 OF 2):

File name:  pvmqjsqv.exe
File size:  109.0 KB ( 111616 bytes )
MD5 hash:  3a682c34371938570231f466be7c53a8
Detection ratio:  5 / 54
First submission:  2014-11-12 19:26:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a8ee33e4d8fc0900a3b99aff70437d4b878c7031eca48928300234e48938c77a/analysis/

 

DROPPED EXE (2 OF 2):

File name:  reqxtpxq.exe
File size:  80.5 KB ( 82432 bytes )
MD5 hash:  eae6fd5531d1101332b47b33ac7bdad3
Detection ratio:  4 / 53
First submission:  2014-11-12 17:23:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0b1bfdd4a4fce450429fb9494b5d860cc1a0bdb2e4a122790596aa01bd6aa55e/analysis/

 

INFECTION TRAFFIC

DOWNLOADING THE MALWARE FROM LINK IN THE EMAIL:

 

INFECTION TRAFFIC WHEN RUNNING THE MALWARE AND SEEING THE FAKE ANTI-VIRUS:

 

TRAFFIC FOR THE WEB PAGE THAT APPEARED WHEN I CLICKED TO REGISTER THE PRODUCT:

 

SNORT EVENTS

Signature hits from Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

 

SCREENSHOTS

Trying one of the email links in a web browser got me the malicious zip file:

 

When I ran the fake Starbucks malware, I got the following message:

 

Shortly after running the malware, I got a notification from the fake anti-virus that my system had been breached:

 

Here's the fake anti-virus Sirius Win 7 Antivirus 2014 doing a fake scan on the infected VM:

 

Another fake reminder, as the malware tries to get me to register:

 

Here's the window that pops up when you try to register:

 

The infected VM will occasionally generate more fake anti-virus alerts like this one:

 

I couldn't run the registry editor or look at any of the files in my infected VM's AppData\Local\Temp directory.  I would always get one of these warnings:

 

Meanwhile, here's some of the HTTP POST traffic generated by the infected VM:

 

Here's HTTP web traffic associated with this particular version of the Sirius Win 7 Antivirus 2014 malware:

 

Here's an example of the fake Delta Airlines phishing emails sent by my infected VM before I took it off-line:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.