2015-01-21 - UPATRE/DYRE PHISHING RUN - SUBJECT: EMPLOYEE DOCUMENTS - INTERNAL USE

ASSOCIATED FILES:

NOTES:

EXAMPLE MESSAGE TEXT:

From: invoice <no-replay@invoice.com>
Sent: Wednesday, January 21, 2015 6:43 AM CST
To: [redacted]
Subject: Employee Documents - Internal Use

DOCUMENT NOTIFICATION, Powered by NetDocuments

DOCUMENT NAME: Employee Documents

DOCUMENT LINK: http://ep[.]nelsonmandelabay[.]gov[.]za/DOCUMENT~STORAGE_DATA/get.last_invoice.html

Documents are encrypted in transit and store in a secure repository

---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.

FOLLOWING THE LINK:

INFECTION TRAFFIC

CLICKING ON LINK FROM THE EMAIL:

RUNNING THE DOWNLOADED MALWARE ON A VM:

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Sourcefire VRT/Talos ruleset from Snort 2.9.7.0 on Debian 7 (not counting preprocessor events):

PRELIMINARY MALWARE ANALYSIS

ZIP FILE FROM LINK:

File name:  invoice_pdf69301.zip
File size:  9.3 KB ( 9548 bytes )
MD5 hash:  0bdf685d380e5550bf13ae9f6cdd154f
Detection ratio:  8 / 55
First submission:  2015-01-21 18:09:48 UTC
VirusTotal link:  https://www.virustotal.com/en/file/5d317f6cc8d7af18c57ff4fa13c6cad2b40ced075b833c8b548ec1bec6bc80c9/analysis/

EXTRACTED MALWARE - UPATRE:

File name:  invoice_pdf19366.exe
File size:  15.5 KB ( 15872 bytes )
MD5 hash:  706378854efad81d13203303161f41cf
Detection ratio:  8 / 49
First submission:  2015-01-21 18:10:15 UTC
VirusTotal link:  https://www.virustotal.com/en/file/6f8cf43e41ca954b99fcd45ad878e168bd76d3764b7c87cbe28656d8ce2edf78/analysis/
Malwr link:  https://malwr.com/analysis/MjU1NTQwZmVlNDhiNGY4M2I3Y2VmNjExYjY2YTc4NGY/

DROPPED MALWARE ON INFECTED VM (1 OF 2) - DYRE:

File name:  C:\Windows\PIBKbaJIccQGfuY.exe
File size:  411.0 KB ( 420864 bytes )
MD5 hash:  ed74d93a7507471879385205fe92dd3c
Detection ratio:  4 / 56
First submission:  2015-01-21 13:32:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e21a3d32dfc55ff70d1241defdbc36b6c65bcdda4b14c2ceabfaf25f68f35c07/analysis/
Malwr link:  https://malwr.com/analysis/NmIwODNkMWU1NGRhNDJiMWExYWMzNTI0ODU1NDcyNzE/

DROPPED MALWARE ON INFECTED VM (2 OF 2) - DYRE-RELATED:

File name:  C:\Windows\Temp\E93B.tmp
File size:  441.0 KB ( 451584 bytes )
MD5 hash:  4df95e133ed489ef4f0736eabb16ba2e
Detection ratio:  20 / 54
First submission:  2015-01-21 16:41:12 UTC
VirusTotal link:  https://www.virustotal.com/en/file/51d2a9844f0aa605bcfa13ad2fd1679939d5b4accf18a8d2f55168f4f625ccd6/analysis/
Malwr link:  https://malwr.com/analysis/YWU1ZDRhMmMxNzg1NGU0YmFkYzFlZGM4MDJlNzgwMDU/
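Added example, not part of the original page: a small Python parser for the file records above (the "File name / File size / MD5 hash" layout used on this page) plus a matcher that checks a file's bytes against them, size first and MD5 only for size candidates. The four records embedded are copied from the page; the extra record (MD5 of the three-byte string "abc") is constructed for testing.

```python
import hashlib
import re
from dataclasses import dataclass

# One record per sample, in the exact layout the page uses for each file.
RECORD_RE = re.compile(
    r"File name:\s+(?P<name>.+?)\s*\n"
    r"File size:\s+.*?\(\s*(?P<size>\d+)\s+bytes\s*\)\s*\n"
    r"MD5 hash:\s+(?P<md5>[0-9a-fA-F]{32})"
)

# Records copied from the page (name, size, MD5 of each stage).
PAGE_RECORDS = r"""
File name:  invoice_pdf69301.zip
File size:  9.3 KB ( 9548 bytes )
MD5 hash:  0bdf685d380e5550bf13ae9f6cdd154f

File name:  invoice_pdf19366.exe
File size:  15.5 KB ( 15872 bytes )
MD5 hash:  706378854efad81d13203303161f41cf

File name:  C:\Windows\PIBKbaJIccQGfuY.exe
File size:  411.0 KB ( 420864 bytes )
MD5 hash:  ed74d93a7507471879385205fe92dd3c

File name:  C:\Windows\Temp\E93B.tmp
File size:  441.0 KB ( 451584 bytes )
MD5 hash:  4df95e133ed489ef4f0736eabb16ba2e
"""

# Constructed test record: the MD5 of b"abc" (not a sample from the page).
CONSTRUCTED_RECORD = """
File name:  constructed_test_file.bin
File size:  0.0 KB ( 3 bytes )
MD5 hash:  900150983cd24fb0d6963f7d28e17f72
"""

@dataclass(frozen=True)
class Indicator:
    name: str
    size: int
    md5: str

def parse_indicators(text):
    """Turn the page's record blocks into Indicator objects (MD5 normalised to lowercase)."""
    return [Indicator(m["name"], int(m["size"]), m["md5"].lower())
            for m in RECORD_RE.finditer(text)]

def match_bytes(data, indicators):
    """Return the first indicator whose size and MD5 both match data, else None.
    The size check runs first so the hash is only computed when a candidate exists."""
    candidates = [i for i in indicators if i.size == len(data)]
    if not candidates:
        return None
    digest = hashlib.md5(data).hexdigest()
    return next((i for i in candidates if i.md5 == digest), None)
```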

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.