2015-01-02 - FAKE TARGET PHISHING EMAILS FROM THE ASPROX BOTNET

PCAP AND MALWARE:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOTS:

 

EXAMPLE OF THE MESSAGE TEXT:

From: "Target.com" <sherit@dakricorp.com>
Reply-To: "Target.com" <sherit@dakricorp.com>
Date: Friday, January 2, 2015 at 2:57 PM CST
To:
Subject: Acknowledgment of Order

TARGET

As Thanksgiving nears we want to advise you that our online shop has an order addressed to you. You may pick it in any store of Target.com closest to you within four days.

Please, open the link for full order information.

Always yours,
Target.com

privacy policy | cookies | terms & conditions | CA privacy rights | CA transparency in supply chains act | about this site
© 2014 Target Brands, Inc. Target, the Bullseye Design and Bullseye Dog are trademarks of Target Brands, Inc. All rights reserved.
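The tell in the headers above is that the From: display name claims to be "Target.com" while the actual sender (and Reply-To) is an address at dakricorp.com. The following script is an added example, not part of the original post, that automates that triage check: it parses a raw message with Python's standard email module, pulls the domain the display name claims, compares it to the real sender domain, and also flags a Reply-To pointing somewhere other than the From domain. The header block is constructed from the message text shown above (body omitted; the blank To: header is left out).

```python
from email import message_from_string
from email.utils import parseaddr

# Headers constructed from the message shown above (body omitted).
SAMPLE_HEADERS = (
    'From: "Target.com" <sherit@dakricorp.com>\n'
    'Reply-To: "Target.com" <sherit@dakricorp.com>\n'
    'Date: Friday, January 2, 2015 at 2:57 PM CST\n'
    'Subject: Acknowledgment of Order\n'
    '\n'
)


def domain_of(addr):
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def claimed_domain(display_name):
    """First token in a display name that looks like a hostname, e.g. 'Target.com'."""
    for tok in display_name.split():
        tok = tok.strip('"\',;:()').lower()
        if "." in tok and not tok.startswith(".") and not tok.endswith("."):
            return tok
    return ""


def same_org(domain, claimed):
    """True if the sending domain is the claimed domain or a subdomain of it."""
    return bool(domain) and (domain == claimed or domain.endswith("." + claimed))


def check_brand_spoof(raw_message):
    """Return the header facts a triage analyst looks at first, plus two flags:
    display_name_mismatch - From: display name names a domain the sender is not in
    reply_to_mismatch     - Reply-To: points at a different domain than From:
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender = domain_of(from_addr)
    claimed = claimed_domain(from_name)
    reply_to = domain_of(reply_addr)
    return {
        "display_name": from_name,
        "sender_domain": sender,
        "claimed_domain": claimed,
        "reply_to_domain": reply_to,
        "display_name_mismatch": bool(claimed) and not same_org(sender, claimed),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
    }


if __name__ == "__main__":
    for key, value in check_brand_spoof(SAMPLE_HEADERS).items():
        print(f"{key:22} {value}")
```

On the headers above this reports claimed_domain target.com against sender_domain dakricorp.com, so display_name_mismatch is True; Reply-To matches From here, so reply_to_mismatch is False. The display-name check is deliberately loose (any dotted token in the name counts as a claimed domain), which is the right bias for a triage filter that feeds a human rather than an automatic block.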

 

LINKS TO THE MALWARE:

 

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name:  Target_OrderID-522726-Boston.zip
File size:  81.4 KB ( 83394 bytes )
MD5 hash:  a1487e707ab530658258c0813272c318
Detection ratio:  9 / 55
First submission:  2015-01-03 00:07:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1b0fbbead396e2ec21e0703793f46680e6e7e96ce0036aae548ad669d89ec7bd/analysis/

 

EXTRACTED MALWARE:

File name:  Target_OrderID-522726-Boston.exe
File size:  126.5 KB ( 129536 bytes )
MD5 hash:  1e0396dd06a86baa811937cfc4024c95
Detection ratio:  13 / 56
First submission:  2015-01-02 19:02:57 UTC
VirusTotal link:  https://www.virustotal.com/en/file/3ad9df812cb8124357f5bf87cd7eda0c954523fd2b74b4a1fac803e07397dd70/analysis/
Malwr link:  https://malwr.com/analysis/ZjZlODZiMGZiMTNjNDJhMDg5NWE4ZTE4YjUyMThjN2M/
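When a reader pulls the sample from the PCAP/ZIP link, the first thing to do is confirm the bytes on disk are the ones this post describes. The script below is an added example, not code from the original post: it parses the two "File name / File size / MD5 hash / VirusTotal link" blocks above into IOC records (the SHA-256 is recovered from the VirusTotal URL, which embeds it), fingerprints a candidate file, and lists any field that disagrees. The IOC text is copied from the post; the candidate bytes in the demo are a constructed stand-in, since the real sample is behind the password-protected ZIP.

```python
import hashlib
import re

# IOC blocks copied from the preliminary malware analysis above.
IOC_TEXT = """\
File name:  Target_OrderID-522726-Boston.zip
File size:  81.4 KB ( 83394 bytes )
MD5 hash:  a1487e707ab530658258c0813272c318
VirusTotal link:  https://www.virustotal.com/en/file/1b0fbbead396e2ec21e0703793f46680e6e7e96ce0036aae548ad669d89ec7bd/analysis/

File name:  Target_OrderID-522726-Boston.exe
File size:  126.5 KB ( 129536 bytes )
MD5 hash:  1e0396dd06a86baa811937cfc4024c95
VirusTotal link:  https://www.virustotal.com/en/file/3ad9df812cb8124357f5bf87cd7eda0c954523fd2b74b4a1fac803e07397dd70/analysis/
"""

FIELD_RE = re.compile(r"^(File name|File size|MD5 hash|VirusTotal link):\s*(.+?)\s*$", re.M)
BYTES_RE = re.compile(r"\(\s*(\d+)\s*bytes\s*\)")
VT_SHA256_RE = re.compile(r"/file/([0-9a-fA-F]{64})/")


def parse_iocs(text):
    """Turn the post's IOC blocks into dicts keyed by file name.
    A new 'File name:' line starts a new record; fields before the first one are ignored."""
    iocs = {}
    current = None
    for label, value in FIELD_RE.findall(text):
        if label == "File name":
            current = iocs.setdefault(value, {"name": value})
        elif current is None:
            continue
        elif label == "File size":
            m = BYTES_RE.search(value)
            current["size"] = int(m.group(1)) if m else None
        elif label == "MD5 hash":
            current["md5"] = value.lower()
        elif label == "VirusTotal link":
            m = VT_SHA256_RE.search(value)
            current["sha256"] = m.group(1).lower() if m else None
    return iocs


def fingerprint(data):
    """Size, MD5 and SHA-256 of a byte string (read a sample with open(path, 'rb'))."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare(ioc, data):
    """(field, expected, actual) triples that disagree; an empty list means the
    bytes are exactly the sample the IOC record describes."""
    fp = fingerprint(data)
    return [(k, ioc.get(k), fp[k]) for k in ("size", "md5", "sha256") if ioc.get(k) != fp[k]]


if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    # Constructed stand-in for a downloaded file; not the real sample.
    candidate = b"MZ" + b"\x00" * 100
    for name, ioc in iocs.items():
        diffs = compare(ioc, candidate)
        status = "MATCH" if not diffs else "MISMATCH on " + ", ".join(d[0] for d in diffs)
        print(f"{name}: {status}")
```

Checking size and SHA-256 alongside MD5 matters: MD5 alone is collision-prone, and the SHA-256 is what VirusTotal keys its reports on, so a SHA-256 match is also the quickest way to confirm you are looking at the same VirusTotal report the post links to.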

 

INFECTION TRAFFIC

ASSOCIATED DOMAINS:

 

TRAFFIC:

 

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7 (not including preprocessor rules):

 

SCREENSHOTS FROM THE TRAFFIC

Downloading the malicious zip file from the email link:

 

Post-infection traffic after running the extracted malware on a VM:

 

FINAL NOTES

Once again, here are the PCAP and ZIP files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
