2014-12-05 - UPATRE/DYRE PHISHING CAMPAIGN - SUBJECT: VIDEO SHOWS NORWEGIAN FIGHTER PILOT'S

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

Date:  Friday, 2014-12-05 at 12:47:49 UTC
Subject:  Video shows Norwegian fighter pilot's
From:  news@cnn.com
To:

CNN.com

Video shows Norwegian fighter pilot's close call with Russian MiG

(CNN) -- It was a routine call for the Norwegian fighter pilot participating in NATO's Quick Reaction Alert mission, high in the sky off Norway's coast.

He was tasked with investigating and identifying an aircraft that had entered the mission's patrol area in international airspace northwest of Norway.

Fluffy clouds dotted the piercing blue atmosphere, and it looked like it would be a non-eventful mission, until something gray darted in front of the Norwegian pilot's F-16 -- a Russian MiG fighter, according to the Norwegian Defence Ministry.
FULL STORY
  • comment on CNN stories and blogs
  • submit and comment on iReport assignments
  • receive breaking news e-mail alerts
  • receive e-mail newsletters
Thank you,
CNN

© 2007 Cable News Network LP, LLLP | One CNN Center - Atlanta, GA 30303 | To view our privacy policy, click here.

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  BreakingNews_pdf73.zip
File size:  10.6 KB ( 10814 bytes )
MD5 hash:  7aad4a6a94fe2577f1a8c1ddc8a16aa7
Detection ratio:  4 / 55
First submission:  2014-12-05 12:55:01 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d312db90c3e7d419849cd5cfc877d69a9f1f7ce105153f52611a65786c95775c/analysis/

 

EXTRACTED MALWARE (UPATRE):

File name:  BreakingNews_pdf.exe
File size:  23.0 KB ( 23552 bytes )
MD5 hash:  860ac28e0373dad2d20b4f93586f5996
Detection ratio:  5 / 55
First submission:  2014-12-05 12:55:34 UTC
VirusTotal link:  https://www.virustotal.com/en/file/815ea1fe70c2427f4d862cf47f8c03af0a1db8768f79edec22aaad15be7d0d12/analysis/
Malwr link:  https://malwr.com/analysis/Y2E4YTMyNTNlZDE2NDI3OTk5NDY3ZGRjNWQyNGVmZGQ/

 

DROPPED MALWARE ON THE INFECTED VM (DYRE):

File name:  kJLbteAIPpIpFHl.exe
File size:  496.0 KB ( 507904 bytes )
MD5 hash:  356d8267d90e1b9fcfc57775f4558d6b
Detection ratio:  9 / 55
First submission:  2014-12-05 13:03:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6b3c5d2b2704b9b20fb6458c87f8e1c8ff1f52f969e2bacd9c96edc436398751/analysis/
Malwr link:  https://malwr.com/analysis/ZWZmZmYwYzkwNDdjNDIwNmI2NzgyZGM3MmU3M2ExMzY/

 

INFECTION TRAFFIC

DOWNLOADING THE ZIP FILE:

 

EXECUTING THE EXTRACTED EXE (UPATRE) IN A VM:

 

DYRE TRAFFIC FROM THE INFECTED VM:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets monitoring the VM infection with Suricata 2.0.4 on Security Onion:

 

Sourcefire VRT ruleset using tcpreplay and Snort 2.9.7.0 on Security Onion:

 

SCREENSHOTS FROM THE TRAFFIC

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.