2015-01-26 - DRIDEX MALSPAM WAVE - SUBJECT: BERENDSEN UK LTD INVOICE 60020918 117

ASSOCIATED FILES:


NOTES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE TEXT:

From: <donotreply@berendsen.co.uk>
Date: Monday, January 26, 2015 at 3:23 AM CST
To: [redacted]
Subject: Berendsen UK Ltd Invoice 60020918 117

Dear Sir/Madam,

Please find attached your invoice dated 1st January.
All queries should be directed to your branch that provides the service. This detail can be found on your invoice.


Thank you.
___________________________________________________________
This e-mail and any attachments it may contain is confidential and
intended for the use of the named addressee(s) only. If you are not
the intended recipient, you have received it in error, please
immediately contact the sender and delete the material from your
computer system. You must not copy, print, use or disclose its
contents to any person. All e-mails are monitored for traffic data and
the content for security purposes.
Berendsen UK Ltd, part of the Berendsen plc Group.
Registered Office: 4 Grosvenor Place, London, SW1X 7DL.
Registered in England No. 228604

Attachment: IRN001526_60020918_I_01_01.DOC


PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT (FIRST FILE HASH NOTED):

File name:  2015-01-26-IRN001526_60020918_I_01_01.DOC (Revision 37)
File size:  34.0 KB ( 34816 bytes )
MD5 hash:  ff1c846d2fc66e2e61678755e6a45f78
Detection ratio:  13 / 57
First submission:  2015-01-26 07:45:20 UTC
VirusTotal link:  https://www.virustotal.com/en/file/0425efe9926a2224ab2116142b769e924252320194a347f52d0800c6005caeec/analysis/


EMAIL ATTACHMENT (SECOND FILE HASH NOTED):

File name:  2015-01-26-IRN001526_60020918_I_01_01.DOC (Revision 39)
File size:  38.5 KB ( 39424 bytes )
MD5 hash:  fceda48793964545a4f101dab47823c3
Detection ratio:  13 / 57
First submission:  2015-01-26 07:39:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/17b2a838cf97a51a957b4fdac872da5275099eafe51d9ef36e4ccd0807863cd6/analysis/


INFECTION TRAFFIC

ASSOCIATED DOMAINS:


TRAFFIC FROM INFECTING A VM:


SNORT EVENTS FROM INFECTED VM

Significant events from Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Significant events from Talos/Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:


FOLLOW-UP MALWARE AND ARTIFACTS

DROPPED MALWARE IN THE USER'S APPDATA\LOCAL\TEMP FOLDER:

File name:  LAVUBDAJLCD.exe
File size:  128.0 KB ( 131072 bytes )
MD5 hash:  ef9572f4a9431f66d7a21c8b948b6054
Detection ratio:  7 / 57
First submission:  2015-01-26 12:26:27 UTC
VirusTotal link:  https://www.virustotal.com/en/file/edc0f556ac67e623b0e7cb0388df0f405465e1e349f6eda304e47fe56eed06bf/analysis/


OTHER FILES FOUND:


TEXT FROM 111.BAT:


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.