2014-11-21 - FAKE ANTI-VIRUS: WINDOWS ANTIBREACH MODULE

PCAP AND MALWARE:

 

NOTES:


Shown above: traffic that we saw for the original alert.

 

CHAIN OF EVENTS

ASSOCIATED DOMAINS:

 

IMMEDIATELY AFTER RUNNING DOWNLOAD.VBS ON THE VM:

 

PAYMENT FORM WHEN YOU TRY TO ACTIVATE THE FAKE ANTI-VIRUS:

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOAD.VBS:

File name:  download.vbs
File size:  180.2 KB ( 184522 bytes )
MD5 hash:  e0773ebf39e80dce033ad48f8c264ac1
Detection ratio:  3 / 55
First submission:  2014-11-20 21:27:42 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5f77b751062ac148df295cef5ee6e91752362b5bdc6c90f560258bb45ad698c0/analysis/

 

FOLLOW-UP FAKE AV DOWNLOADED:

File name:  10e3c8d2c9b8105356f2eecf4de7202a.exe
File size:  1.1 MB ( 1107968 bytes )
MD5 hash:  ba4332c134a70ecdd130468f2cfa2c81
Detection ratio:  8 / 54
First submission:  2014-11-20 20:19:04 UTC
VirusTotal link:  https://www.virustotal.com/en/file/80c8903176f366e873c152c47de3e8370460fbd7f9a13aba127c7ad356e64961/analysis/

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.6.2 on Ubuntu 14.04 LTS (not counting preprocessor events):

 

SCREENSHOTS FROM THE INFECTED VM

This is the first window to pop up:

 

It shows up in the system tray looking like the Windows Update icon.

 

Here's the fake AV looking like it's scanning:

 

A couple of the errors that popped up from the system tray:

 

Other alerts that occasionally popped up in the lower right-hand portion of the desktop:

 

If you click to activate it...

 

You'll get the following payment window:

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
