2015-01-27 - UPATRE/DYRE MALSPAM WAVE - SUBJECT: VOICE MESSAGE

ASSOCIATED FILES:


EXAMPLE OF THE EMAILS

SCREENSHOT:


MESSAGE CHARACTERISTICS:

Sender (spoofed): "Admin" <no-replay@voice_global.co.uk>
Subject: Voice Message
Attachment name: voice#[7 random digits].zip


INFECTION TRAFFIC

EXTRACTING THE MALWARE FROM THE ZIP AND INFECTING A VM:


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Talos (Sourcefire VRT) ruleset from Snort 2.9.7.0 on Debian 7:


PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  voice#5734223.zip
File size:  10.9 KB ( 11149 bytes )
MD5 hash:  ad6a9ccf06269f3fde4343694f020df9
Detection ratio:  13 / 57
First submission:  2015-01-27 12:15:07 UTC
VirusTotal link:  https://www.virustotal.com/en/file/f90a0953931e9a1793e5cc597cd8dd0fc1689b7240169663b7ec9a5633076f58/analysis/


EXTRACTED MALWARE:

File name:  voice.exe
File size:  26.5 KB ( 27136 bytes )
MD5 hash:  39941126cc7e3064c1d3546f6babed79
Detection ratio:  12 / 57
First submission:  2015-01-27 12:17:22 UTC
VirusTotal link:  https://www.virustotal.com/en/file/858626c43c6ba34f59c0064168b734610b1dfead0107ba1d27f2049cdcc1386b/analysis/
Malwr link:  https://malwr.com/analysis/ZjdiNWU1NzU5NjdhNDZjNDllMjJjNjdhNmQ5MjA4NzM/


DROPPED MALWARE (1 OF 3):

File name:  C:\Windows\KHEjkGgXApfKThf.exe
File size:  410.0 KB ( 419840 bytes )
MD5 hash:  028ebc2c61156781868199de0b44caaf
Detection ratio:  9 / 56
First submission:  2015-01-27 15:20:51 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b7194a81a653880c9a084f8628bbfe165f9cb72f5ff2bb385636cfdc9076ce51/analysis/
Malwr link:  https://malwr.com/analysis/NjUyMzM4ZTkwYWY0NGQwOTlkYzYxNGJhNGExZDFhMGM/


DROPPED MALWARE (2 OF 3):

File name:  C:\Windows\Temp\FC8E.tmp
File size:  441.0 KB ( 451584 bytes )
MD5 hash:  d9a3d5c3c06f3429b65db7b84b50bed4
Detection ratio:  35 / 57
First submission:  2015-01-26 15:30:03 UTC
VirusTotal link:  https://www.virustotal.com/en/file/948f5dee6e752a593949c327781bae2d3e8994d4c00074228bed6e1156fe3402/analysis/
Malwr link:  https://malwr.com/analysis/MGQxZThhMjBkYWQ3NDk5MDgxNjRhNTQxZjAwYzE5ZTU/


DROPPED MALWARE (3 OF 3):

File name:  C:\Windows\Temp\DBE.tmp
File size:  112.0 KB ( 114688 bytes )
MD5 hash:  40a59f55199e4578267dfb883747be9f
Detection ratio:  0 / 57
First submission:  2015-01-27 17:42:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1fa614e5ae8e7b2307851227e5f7324ea38b57416e14518a730d3071dd0ba956/analysis/
Malwr link:  https://malwr.com/analysis/M2NkZDJhODAxMmQ3NDUxM2FhMzRhZTMyZDczNTFkM2I/
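The triage steps above (check the attachment name against the wave's voice#[7 random digits].zip pattern, pull the EXE out of the ZIP, hash it, and look the hashes up) can be scripted so the next sample from the same wave is classified in seconds. The following is an added example, not code from this page or from the analyst; it hashes the ZIP and its members entirely in memory (nothing is written to disk or run), flags members that are executable by extension or by PE "MZ" header, and matches MD5s against the IOCs listed above. The `build_sample_zip` helper produces a constructed stand-in (a fake "voice.exe" that only starts with the PE magic), not the real malware, so the script runs offline.

```python
import hashlib
import io
import re
import zipfile

# MD5 hashes listed on this page: the attachment, the extracted EXE and the three dropped files.
KNOWN_MD5 = {
    "ad6a9ccf06269f3fde4343694f020df9": "voice#5734223.zip (email attachment)",
    "39941126cc7e3064c1d3546f6babed79": "voice.exe (extracted Upatre downloader)",
    "028ebc2c61156781868199de0b44caaf": "C:\\Windows\\KHEjkGgXApfKThf.exe (dropped 1 of 3)",
    "d9a3d5c3c06f3429b65db7b84b50bed4": "C:\\Windows\\Temp\\FC8E.tmp (dropped 2 of 3)",
    "40a59f55199e4578267dfb883747be9f": "C:\\Windows\\Temp\\DBE.tmp (dropped 3 of 3)",
}

# Attachment naming pattern observed in this wave: voice#[7 random digits].zip
ATTACHMENT_RE = re.compile(r"^voice#\d{7}\.zip$", re.IGNORECASE)

# Extensions Windows runs directly when a user double-clicks them out of a ZIP.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs")


def file_hashes(data):
    """MD5 (to match the IOCs on the page) and SHA-256 (what the VirusTotal URLs key on)."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_attachment(filename, zip_bytes, known_md5=KNOWN_MD5):
    """Hash a ZIP attachment and its members in memory and match them against known IOCs.

    Members are only read into memory for hashing and a PE-header check; nothing is
    extracted to disk and nothing is executed.
    """
    report = {
        "filename": filename,
        "name_matches_wave": bool(ATTACHMENT_RE.match(filename)),
        "container": file_hashes(zip_bytes),
        "members": [],
        "executable_members": [],
        "ioc_hits": [],
    }
    if report["container"]["md5"] in known_md5:
        report["ioc_hits"].append((filename, known_md5[report["container"]["md5"]]))

    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            entry = {"name": info.filename, "encrypted": bool(info.flag_bits & 0x1)}
            if entry["encrypted"]:
                # The malspam ZIPs in this wave are not encrypted; an encrypted member is
                # still reported, just without hashes, so it is not silently skipped.
                report["members"].append(entry)
                continue
            data = zf.read(info)
            entry.update(file_hashes(data))
            # A PE file starts with "MZ" no matter what the extension claims.
            entry["pe_header"] = data[:2] == b"MZ"
            if info.filename.lower().endswith(EXEC_EXTENSIONS) or entry["pe_header"]:
                report["executable_members"].append(info.filename)
            if entry["md5"] in known_md5:
                report["ioc_hits"].append((info.filename, known_md5[entry["md5"]]))
            report["members"].append(entry)
    return report


def build_sample_zip():
    """Constructed stand-in for the attachment: a ZIP holding a fake 'voice.exe' that
    merely starts with the PE magic. It is NOT the malware from this wave."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo("voice.exe", date_time=(2015, 1, 27, 12, 0, 0))
        zi.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(zi, b"MZ" + b"\x00" * 62 + b"constructed sample, not a real PE")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    rep = triage_attachment("voice#5734223.zip", sample)
    print("name matches wave:", rep["name_matches_wave"])
    print("executable members:", rep["executable_members"])
    print("IOC hits:", rep["ioc_hits"] or "none (sample is constructed)")
    for m in rep["members"]:
        print(m["name"], m.get("size"), m.get("md5"), "PE header:", m.get("pe_header"))
```

Run it against a real attachment by passing the ZIP's bytes instead of `build_sample_zip()`; a hit on any MD5 in `KNOWN_MD5` ties the sample to this wave, and a member that has the MZ header but a non-executable extension is worth a closer look even when no hash matches.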


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
