2015-01-01 - PHISHING EMAIL - SUBJECT: FW: CONFIRMED PO 327872

ASSOCIATED FILES:

 

THE EMAIL

SCREENSHOT:

 

MESSAGE TEXT:

From: General Trading London <sales@gtl.co.uk>
Reply-To: <mhaufler.lissglobal@gmail.com>
Date: Thursday, January 1, 2015 at 2:54 PM CST
To: <sales@gtl.co.uk>
Subject: FW: Confirmed PO 327872

Hello Dear,

Happy new year to you.
Please find attached confirmed our PO after that we have chosen what to buy from your website and quote for us your best price to London UK.
Note that this is still a test order so if everything goes good with this order will order during this month 4x20ft containers to meet our market needs.
Send to us some photos please for the products chosen as in our PO below.

Waiting for your soonest reply

Samantha Jones
General Trading London
Office Address : 29 Shepherds Bush Road, Hammersmith, London W6 7LX, United Kingdom.
Postal Address : 27 Grasmere Avenue, Acton, London W3 6JT, United Kingdom.
Telephone : +44 (0) 208 123 0022 - +44 (0) 208 133 3130
Fax : +44 (0) 208 929 9871
Email : sales@gtl.co.uk - info@gtl.co.uk

Attachment: Confirmed PO 327872.doc (133.6 KB)


EMAIL HEADERS:

 

THE ATTACHMENT

File name:  Confirmed PO 327872.doc   (CVE-2012-0158)
File size:  98.9 KB (101276 bytes)
MD5 hash:  3611660c017e511dbc54e3132c56873c
Detection ratio:  13 / 56
First submission:  2015-01-01 22:22:45 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a54a03742e8d4cc7818700b5d305bbca2dd7a5deb8cd39dc0b85e368bed47f06/analysis/
Malwr link:  https://malwr.com/analysis/NTBiMWI2MzBmMDhjNGE2ZmI5MjY1MDgwYmRjMmY4MzU/
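The headers above already carry the tell-tale signs of this lure: the From address and the To address are the same mailbox, the Reply-To points at a free-mail account on a different domain, and the only payload is a legacy Office document. The following script is an added example, not part of the original write-up, that triages a raw message for exactly those indicators using only the Python standard library. The message it parses is constructed from the headers and text shown on this page; the attachment bytes are a placeholder carrying just the OLE2 magic, not the real file, and the Date header is a hypothetical RFC 5322 rendering of the timestamp shown above. The hash list is the MD5/SHA-256 values quoted on this page.

```python
import hashlib
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: headers and body text from this page rebuilt as a minimal
# multipart message. The base64 payload is a placeholder (OLE2 magic + zeros),
# NOT the real "Confirmed PO 327872.doc".
SAMPLE_MESSAGE = """\
From: General Trading London <sales@gtl.co.uk>
Reply-To: <mhaufler.lissglobal@gmail.com>
Date: Thu, 1 Jan 2015 14:54:00 -0600
To: <sales@gtl.co.uk>
Subject: FW: Confirmed PO 327872
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello Dear,

Please find attached confirmed our PO after that we have chosen what to buy.
--b1
Content-Type: application/msword; name="Confirmed PO 327872.doc"
Content-Disposition: attachment; filename="Confirmed PO 327872.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# IoCs quoted on this page (attachment and dropped dbx.exe).
PAGE_IOCS = {
    "md5": {"3611660c017e511dbc54e3132c56873c",
            "6d31814c6b77f6c400d259e1435280af"},
    "sha256": {"a54a03742e8d4cc7818700b5d305bbca2dd7a5deb8cd39dc0b85e368bed47f06",
               "7b7465f0b9ed465d029cfa42a78fc02eb07449161ba619770c6d86ce9bcfd85b"},
}

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Legacy Office / RTF formats are the carriers for CVE-2012-0158-style lures.
RISKY_EXTENSIONS = (".doc", ".xls", ".rtf", ".exe", ".scr")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> dict:
    """Parse a raw RFC 5322 message and return header findings plus attachment facts."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, to_addr = parseaddr(str(msg.get("To", "")))

    # Replies are silently diverted away from the displayed sender domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-domain-mismatch")
    if reply_addr and _domain(reply_addr) in FREEMAIL_DOMAINS:
        findings.append("reply-to-freemail")
    # Sender mailbox equals recipient mailbox: typical of spoofed bulk sends
    # where the real recipients are in Bcc.
    if from_addr and from_addr.lower() == to_addr.lower():
        findings.append("from-equals-to")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        attachments.append({
            "name": name,
            "size": len(data),
            "risky_extension": name.lower().endswith(RISKY_EXTENSIONS),
            # OLE2 container regardless of what the extension claims.
            "ole2": data.startswith(OLE2_MAGIC),
            "md5": md5,
            "sha256": sha256,
            "ioc_match": md5 in PAGE_IOCS["md5"] or sha256 in PAGE_IOCS["sha256"],
        })
    if any(a["risky_extension"] for a in attachments):
        findings.append("risky-attachment")

    return {"findings": findings, "attachments": attachments}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print("findings:", ", ".join(result["findings"]))
    for a in result["attachments"]:
        print(f"{a['name']}: {a['size']} bytes, ole2={a['ole2']}, "
              f"md5={a['md5']}, ioc_match={a['ioc_match']}")
```

The `ioc_match` field will be false for the placeholder payload; run the same function over the real message saved from a mail gateway and it becomes a direct check against the hashes listed on this page. The header findings, by contrast, fire on the constructed sample exactly as they would on the original, which is why a mail filter can flag this kind of lure before the attachment is ever opened.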

 

OPENING THE ATTACHMENT

NETWORK TRAFFIC:

 

SNORT EVENTS:

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:

 

DROPPED MALWARE

File name:  dbx.exe
File size:  196.0 KB (200704 bytes)
MD5 hash:  6d31814c6b77f6c400d259e1435280af
Detection ratio:  4 / 56
First submission:  2015-01-01 17:24:19 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7b7465f0b9ed465d029cfa42a78fc02eb07449161ba619770c6d86ce9bcfd85b/analysis/
Malwr link:  https://malwr.com/analysis/YzJjOGU1YTE4ZTA4NGI1ZWFlNmM2OTY4OWFjMjRhOTU/


Shown above:  Registry entry showing where the dropped malware copied itself.

 

DROPPED MALWARE TRAFFIC AND EVENTS

NETWORK TRAFFIC:

 

SNORT EVENTS:

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:

 

ARTIFACTS FROM THE INFECTED HOST

FILES FOUND AFTER RUNNING THE MALWARE:

 

SCREENSHOTS FROM THE TRAFFIC

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
