2014-11-26 - SANDWORM SAMPLE

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

Subject: Re: Purchase Invoice
Date: Wed, 26 Nov 2014 08:16:43 UTC
From: Al Muntaser Trading Co <manup.talal@almuntaser.com>
To: Recipients <manup.talal@almuntaser.com>

Dear Sir,

Sequel to our previous conversation, kindly provide us the invoice of the attached purchase order so we can confirm and make payment. Many thanks

Regards,

Manup T.N.
Golden Crown Trading & General Contracting Co.
P.O. Box 26000, Safat 13120, Kuwait

Attachment: Invoice.ppsx (142 KB)


PRELIMINARY MALWARE ANALYSIS

MALWARE ATTACHMENT:

File name:  Invoice.ppsx
File size:  142.2 KB ( 145639 bytes )
MD5 hash:  5176d1383a7114039e71bbfccd578f92
Detection ratio:  15 / 56
First submission:  2014-11-26 08:02:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d91daaeb385efbc23893390c721ed7fb2bde8c507e34129fb95a8caeda71d272/analysis/


DROPPED FILE AFTER RUNNING THE MALWARE:

File name:  putty.exe
File size:  182.9 KB ( 187287 bytes )
MD5 hash:  46c4bd9b2318552fe0812d41e3122170
Detection ratio:  19 / 56
First submission:  2014-11-30 01:10:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/17398b9cdd40136b32bc8fa811af21101589adb889246afbfcecc05464ced068/analysis/


SCREENSHOTS

When you run the PowerPoint file, it quickly asks for permission to run the dropped malware:


Shortly after that, the dropped malware stops working:

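A first triage step a defender can take on a PPSX like this one, as an added example that is not from the original page: a PPSX is an OOXML zip, so any embedded object can be located and hashed without opening PowerPoint. The script assumes the standard OOXML layout (embedded objects under ppt/embeddings/) and builds a constructed sample in memory rather than using the real Invoice.ppsx.

```python
import hashlib
import io
import zipfile

# Triage signatures: MZ starts a PE executable, D0CF11E0 starts an OLE compound
# file (the usual wrapper for an embedded Office object), and the DOS stub text
# is present in nearly every PE even when it is wrapped in another format.
MZ_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DOS_STUB = b"This program cannot be run in DOS mode"


def triage_ppsx(data: bytes) -> dict:
    """Walk every part of an in-memory OOXML (PPSX) zip; return
    {part name: {md5, size, reasons}} for parts that look like a payload."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            reasons = []
            if info.filename.startswith("ppt/embeddings/"):
                reasons.append("stored under ppt/embeddings/")
            if blob.startswith(MZ_MAGIC):
                reasons.append("starts with a PE (MZ) header")
            elif DOS_STUB in blob:
                reasons.append("carries a PE DOS stub inside another format")
            if blob.startswith(OLE_MAGIC):
                reasons.append("OLE compound file")
            if reasons:
                findings[info.filename] = {"md5": hashlib.md5(blob).hexdigest(),
                                           "size": len(blob), "reasons": reasons}
    return findings


def build_sample_ppsx(embed_payload: bool = True) -> bytes:
    """Constructed stand-in for a PPSX (not the page's Invoice.ppsx): minimal
    OOXML parts plus, optionally, one embedded fake PE under ppt/embeddings/."""
    fake_pe = MZ_MAGIC + b"\x90\x00" * 30 + DOS_STUB + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        if embed_payload:
            zf.writestr("ppt/embeddings/oleObject1.bin", fake_pe)
    return buf.getvalue()
```

Running `triage_ppsx` over the real attachment lets you compare the MD5 of any flagged part against the dropped-file hash above before detonating anything.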

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
