2015-05-11 - MALSPAM CAMPAIGN - FAKE AMERICAN AIRLINES MESSAGES

PCAP AND MALWARE:


NOTES:


EXAMPLE OF THE EMAILS

SENDERS:


SCREENSHOT:


SCREENSHOT:


EXAMPLE OF THE MESSAGE TEXT:

Your payment has been processed and your credit card has been charged.

Please download and print your ticket from our website :
https://www.aa.com/flightInformation/viewOrder.do?order_id=9017937910&flight=WA794019

Below, you can find the order details and e-ticket information.

FLIGHT NUMBER / WA794019
DATE & TIME / May 11 2015, 13:30 CDT
DEPARTING / Washington, DC
TOTAL PRICE / $ 740.00

For more information regarding your order, contact our technical support by visiting :
http://www.aa.com/i18n/contactAA/contact-technical-support.jsp?

Thank you for flying with America Airlines.


EXAMPLES OF THE EMAIL HEADERS:


PRELIMINARY MALWARE ANALYSIS

FIRST SAMPLE:

Link to malware from the malspam:

Extracted File:  aa_ticket_9017937910.pif  (Fareit/Pony)  -  MD5 hash:  f21072077e88c74b9b6d67f81ae63d84
Second-stage download:  w1.exe  (Rovnix)  -  MD5 hash:  3f11c42687d09d4a56c715f671143a58

Traffic from malware analysis tools:


SECOND SAMPLE:

Link to malware from the malspam:

Another link to malware from malspam:

Extracted file:  aa_ticket_8392051302.pif  or  aa_ticket_489965107764.pif  (Fareit/Pony)  -  MD5 hash:  379c67ae879872d3fa0b601892c59605
Second-stage download:  w2.exe (Rovnix)  -  MD5 hash:  6eb761ea46a40ad72018d3cee915c4cd
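As an added triage example (not part of the original write-up): a Python function that inspects a mail-attachment ZIP for the pattern both samples share, an executable .pif member named aa_ticket_<digits>, and compares each member's MD5 against the dropper hashes listed above. The sample archive it builds is constructed here with inert placeholder bytes; only the member name follows the campaign.

```python
import hashlib
import io
import re
import zipfile
from typing import Optional

# MD5 hashes of the extracted droppers, taken from the listing above.
KNOWN_MD5 = {
    "f21072077e88c74b9b6d67f81ae63d84": "Fareit/Pony (first sample)",
    "379c67ae879872d3fa0b601892c59605": "Fareit/Pony (second sample)",
}
# Extensions Windows runs directly; .pif is the one this campaign used.
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Naming seen in both samples: aa_ticket_<digits>.<ext>
LURE_NAME = re.compile(r"^aa_ticket_\d+\.", re.IGNORECASE)


def triage_zip(zip_bytes: bytes, password: Optional[bytes] = None) -> list:
    """Return one finding per suspicious member: name, MD5 and the reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]          # ignore any folder prefix
            ext = base[base.rfind("."):].lower() if "." in base else ""
            md5 = hashlib.md5(zf.read(info, pwd=password)).hexdigest()
            reasons = []
            if ext in EXEC_EXTENSIONS:
                reasons.append("executable extension " + ext)
            if LURE_NAME.match(base):
                reasons.append("filename matches aa_ticket_<digits> lure")
            if md5 in KNOWN_MD5:
                reasons.append("MD5 matches known sample: " + KNOWN_MD5[md5])
            if reasons:
                findings.append({"name": name, "md5": md5, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in archive: member name follows the campaign, content is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aa_ticket_9017937910.pif", b"placeholder bytes, not the real dropper")
        zf.writestr("itinerary.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f["name"], f["md5"], "; ".join(f["reasons"]))
```

Pass the archive's password as bytes via the password argument when the ZIP uses traditional ZIP encryption, as the samples linked from this page do.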

Traffic from malware analysis tools:


INFECTION TRAFFIC

ASSOCIATED DOMAINS:


TRAFFIC FROM AN INFECTED HOST THAT WAS LEFT ALONE FOR A WHILE:


SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

Talos (Snort subscriber) ruleset from Snort 2.9.6.2 on Debian 7:


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
