2015-02-03 - GUEST BLOG ENTRY BY JACK MOTT - MALSPAM - SUBJECT: INVOICE FROM LIBERTY

NOTES:

 

PCAP FILES:

 

MALSPAM DETAILS

Date/Time range:   2015-02-02 from 09:12 to 11:36 UTC

Observed Subjects:

Observed attachments:   invoice[10 random digits].doc/.docm

Observed Senders:

 

EMAIL SCREENSHOT:

 

EMAIL TEXT:

Dear XXXX XXXX

Your paid invoice is attached.

Thank you for your business - we appreciate it very much.

Sincerely,

Liberty CFS NV, Inc.

 

TRAFFIC FROM INFECTED VM

 

 

SNORT EVENTS

Signature hits from the Emerging Threats and ETPRO rulesets:

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  invoice7040125066.doc
File size:  38.5 KB (39,489 bytes)
MD5 hash:  cd5fdb7574010fd23f9501523fdc2aa4
Detection ratio:  15 / 56
First submission:  2015-02-02 16:43:17 UTC
VirusTotal link:  https://www.virustotal.com/en/file/386990fb92835fdcf1c6e9c0bfdf04cf6b23ac16ba89e0a1a03d5ef001f34756/analysis/

NOTES:

 

Document before running the Macro, enticing users to click to reveal actual content:

 

Document after enabling Macros, which reveals the "content" and leads users to believe the attachment is legitimate.

 

The malicious Word document first spawns cmd and uses ping.exe to test connectivity.  Once successful, it then spawns cscript.exe to run a PowerShell instance to download the first stage malware (vv.exe / winlogin.exe / 444.exe).

 

Observed cscript.exe command:  cscript.exe "c:\Users\User\AppData\Local\Temp\adobeacd-update.vbs"

 

Observed PowerShell command:  powershell.exe -noexit -ExecutionPolicy bypass -noprofile -file C:\Users\User\AppData\Local\Temp\adobeacd-update.ps1

 

MALWARE PAYLOAD:

File name:  C"\Users\User\AppData\Roaming\Windows\winlogin.exe
File size:  119.5 KB ( 122368 bytes )
MD5 hash:  235b02e0d243e7bdebefe68d6a0ec8ec
Detection ratio:  28 / 56
First submission:  2015-02-02 16:49:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4c78b0b7e26f32b6a1b59ea4aa2a9ba7d46471ec99bff3adf724a0c66a2ea2d4/analysis/
Malwr link:  https://malwr.com/analysis/MmFlNTcxYjRkNDhjNGFkNTkyYjQ0NzUwMmI2NGQyZTQ/

 

Click here to return to the main page.