2015-08-26 - UPATRE/DYRE MALSPAM

PCAP/MALWARE/ETC:


NOTES:


IMAGES

Shown below: Screenshots from some of the malspam.

Shown below: HTTP traffic from the pcap.  I let the infected host run well over an hour.

Shown below: Some filtering and altered column displays in Wireshark to show certificate data in the Dyre traffic.

Shown below: Sguil in Security Onion using Suricata and the ET and ET Pro rulesets.  I used tcpreplay and got tired of waiting for the pcap to finish.

Shown below: Alerts from the Snort registered ruleset using Snort 2.9.7.5.  This is from the /var/log/snort/alert file.


20 EMAIL EXAMPLES

From: "Bode, Ebert and Pagac" <unity_unity7@strategies.com>
Subject: Fax #oUJWSwGCz from Juliana Fahey
Date: Wed, 26 Aug 2015 13:00:47 +0000
Attachment: fax_oUJWSwGCz_Bode, Ebert and Pagac_Juliana Fahey.zip - 16,250 bytes - MD5: 0d28a71cc96f4ebcbe563280c8b609d5
Extracted malware: Invoice Sipesstad.exe - 45,568 bytes - MD5: 643b2151c1bcc576d15edcef1e41732e

From: "Ryan and Sons" <z_kelly@settledebts.com>
Subject: Fax #fLjr1SFi from Drake Haley
Date: Wed, 26 Aug 2015 14:02:49 +0000
Attachment: fax_fLjr1SFi_Ryan and Sons_Drake Haley.zip - 16,260 bytes - MD5: e01d9d8342d7e1a7558822bade351074
Extracted malware: Invoice West Bruce.exe - 45,568 bytes - MD5: e8222451a700b9e66d37f8aa98774bbc

From: "Orn Group" <hanksgiving@oscanowres.com>
Subject: Fax #6p3YA76i from Ernestine Krajcik Sr.
Date: Wed, 26 Aug 2015 14:06:24 +0000
Attachment: fax_6p3YA76i_Orn Group_Ernestine Krajcik Sr..zip - 16,255 bytes - MD5: a1a10d51a4f78ff45224b0c063dce6cc
Extracted malware: Invoice Batzton.exe - 45,568 bytes - MD5: 0ce21c4d410915f8cfa14e42e20036c5

From: "Howe-Pagac" <capplebyn@scitor.com>
Subject: Fax #Ty0or1frz from Addison Lakin Sr.
Date: Wed, 26 Aug 2015 14:07:16 +0000
Attachment: fax_Ty0or1frz_Howe-Pagac_Addison Lakin Sr..zip - 16,270 bytes - MD5: 1e62088179fde5d9f1218723a2725848
Extracted malware: Invoice Lake Nolastad.exe - 45,568 bytes - MD5: fb8e19a58dcb2ad97b47c427dabd9be0

From: "Williamson Group" <m5psk3y9xl39kbl@holland1916.com>
Subject: Fax #SFkaryjfkj from Nikolas Hartmann DVM
Date: Wed, 26 Aug 2015 14:07:35 +0000
Attachment: fax_SFkaryjfkj_Williamson Group_Nikolas Hartmann DVM.zip - 16,261 bytes - MD5: 84389deab5f12f991e261a90fe0ebae4
Extracted malware: Invoice South Reid.exe - 45,568 bytes - MD5: 9fb20f467b61366df7cf67d9ed1af417

From: "Pollich, Koss and Rodriguez" <se07c274.007@cdcmanagement.com>
Subject: Fax #gdRplN1oj from Mrs. Bailey Wolf
Date: Wed, 26 Aug 2015 14:08:18 +0000
Attachment: fax_gdRplN1oj_Pollich, Koss and Rodriguez_Mrs. Bailey Wolf.zip - 16,275 bytes - MD5: db13907274f8a2d41a525b68bd64de8c
Extracted malware: Invoice Lake Nolan.exe - 45,568 bytes - MD5: 9e444bdfad43bfe85f9327d9356d4de4

From: "Hackett-Crooks" <edna@mtm-inc.net>
Subject: Fax #SWskRqOSS from Alda Beatty DVM
Date: Wed, 26 Aug 2015 14:10:48 +0000
Attachment: fax_SWskRqOSS_Hackett-Crooks_Alda Beatty DVM.zip - 16,270 bytes - MD5: 99d8000b917aa7f90f901e291cce326f
Extracted malware: Invoice Bayleeborough.exe - 45,568 bytes - MD5: fb8e19a58dcb2ad97b47c427dabd9be0

From: "Predovic, Beer and Stiedemann" <scan.097@pkgimpressions.com>
Subject: Fax #qcJlJ6U from Maeve West
Date: Wed, 26 Aug 2015 14:11:52 +0000
Attachment: fax_qcJlJ6U_Predovic, Beer and Stiedemann_Maeve West.zip - 16,271 bytes - MD5: 9e5b2b2243f97f097145d1448a156938
Extracted malware: Invoice Webershire.exe - 45,568 bytes - MD5: 1e47356d4b47f6f8a043ccbaec7a7d61

From: "Romaguera Group" <concierge@thenicole.com>
Subject: Fax #RzxyGL30Q from Kaela Baumbach
Date: Wed, 26 Aug 2015 14:13:27 +0000
Attachment: fax_RzxyGL30Q_Romaguera Group_Kaela Baumbach.zip - 16,276 bytes - MD5: ff461d1a6636098720b3041520e0f45c
Extracted malware: Invoice West Yvette.exe - 45,568 bytes - MD5: af07d19a0ec16399555911a0b77db51e

From: "Lueilwitz-Cruickshank" <terrycardello@insurelinx.com>
Subject: Fax #hfd7ZjMJ from Karley Cremin DVM
Date: Wed, 26 Aug 2015 14:13:43 +0000
Attachment: fax_hfd7ZjMJ_Lueilwitz-Cruickshank_Karley Cremin DVM.zip - 16,262 bytes - MD5: 82bd563f6f85c2d7c20df0d6eca1c856
Extracted malware: Invoice New Michellestad.exe - 45,568 bytes - MD5: 553ca2822b618ccf265c775a2c4bba71

From: "Bartoletti and Sons" <ter@acadianamazda.com>
Subject: Fax #H6quEDiy1U from Ms. Amparo Kris
Date: Wed, 26 Aug 2015 14:14:29 +0000
Attachment: fax_H6quEDiy1U_Bartoletti and Sons_Ms. Amparo Kris.zip - 16,286 bytes - MD5: 7761b6774a1b2e40217afbe068625fe7
Extracted malware: Invoice Alvaborough.exe - 45,568 bytes - MD5: df6f0ed39a53a8570a95f43b31220cd6

From: "Lehner LLC" <katherine@sjgiants.com>
Subject: Fax #0agIoC from Madalyn Hirthe
Date: Wed, 26 Aug 2015 14:16:38 +0000
Attachment: fax_0agIoC_Lehner LLC_Madalyn Hirthe.zip - 16,275 bytes - MD5: 6d31ebe38a96f4ef7286d147e88a06b8
Extracted malware: Invoice West Sister.exe - 45,568 bytes - MD5: c0b41641fa4519f0f516cd9b882018f2

From: "Quigley, Willms and Torphy" <conncarla@roundalab.org>
Subject: Fax #1QFPfihBHk from Eusebio Trantow
Date: Wed, 26 Aug 2015 14:17:57 +0000
Attachment: fax_1QFPfihBHk_Quigley, Willms and Torphy_Eusebio Trantow.zip - 16,254 bytes - MD5: 242d183338ab11ece409b6b4237d3045
Extracted malware: Invoice Hansenton.exe - 45,568 bytes - MD5: 4c638f20ecd9169215434bebc0a13d44

From: "Shanahan and Sons" <lanoramiabazmpi@alf-ltd.com>
Subject: Fax #ghrhcd from Alanna Wuckert DDS
Date: Wed, 26 Aug 2015 14:19:09 +0000
Attachment: fax_ghrhcd_Shanahan and Sons_Alanna Wuckert DDS.zip - 16,291 bytes - MD5: f34a9d68bf26aac0bfe56edafc18f29b
Extracted malware: Invoice South Rhiannashire.exe - 45,568 bytes - MD5: 9e444bdfad43bfe85f9327d9356d4de4

From: "Mohr-Sawayn" <alan@groveis.com>
Subject: Fax #drkcpa from Gunnar Franecki
Date: Wed, 26 Aug 2015 14:20:10 +0000
Attachment: fax_drkcpa_Mohr-Sawayn_Gunnar Franecki.zip - 16,290 bytes - MD5: d1e11f11ae8619eb37afa984e06f95e2
Extracted malware: Invoice Port Busterberg.exe - 45,568 bytes - MD5: 5ca31e955204fbdadddf8b05a28bc903

From: "Cormier, Schultz and Grady" <yhwyj97@allhoops.com>
Subject: Fax #PpHg8HMd2B from Joany Quigley
Date: Wed, 26 Aug 2015 14:20:30 +0000
Attachment: fax_PpHg8HMd2B_Cormier, Schultz and Grady_Joany Quigley.zip - 16,272 bytes - MD5: 80a9372104789cf074cfdffc8c7a6d4f
Extracted malware: Invoice New Sedrickchester.exe - 45,568 bytes - MD5: 4c638f20ecd9169215434bebc0a13d44

From: "Koepp, Jaskolski and Hegmann" <mian@damianbreach.com>
Subject: Fax #0PAd0GTCV from Dameon Hirthe
Date: Wed, 26 Aug 2015 14:20:37 +0000
Attachment: fax_0PAd0GTCV_Koepp, Jaskolski and Hegmann_Dameon Hirthe.zip - 16,268 bytes - MD5: 6d31ebe38a96f4ef7286d147e88a06b8
Extracted malware: Invoice East Kiera.exe - 45,568 bytes - MD5: 5aec137fc1ab9502024ea757432e507e

From: "Renner Inc" <d126029zlg@afriheritage.com>
Subject: Fax #MjSFu6Pqb from Mabelle Braun
Date: Wed, 26 Aug 2015 14:22:51 +0000
Attachment: fax_MjSFu6Pqb_Renner Inc_Mabelle Braun.zip - 16,290 bytes - MD5: 548c3bfd39e43f52513a4adbd6bee443
Extracted malware: Invoice West Clovisstad.exe - 45,568 bytes - MD5: 5ca31e955204fbdadddf8b05a28bc903

From: "Boehm Inc" <testabrook@nccf-cares.org>
Subject: Fax #JGjdbkd560 from Maymie Streich
Date: Wed, 26 Aug 2015 14:23:00 +0000
Attachment: fax_JGjdbkd560_Boehm Inc_Maymie Streich.zip - 16,278 bytes - MD5: 43350e66563f5cf86a2ec1d1298ccf0f
Extracted malware: Invoice North Sammyland.exe - 45,568 bytes - MD5: 04f23eb9538426252a6d305d9ee1d9be

From: "Hermann-O'Reilly" <duffys845@lsgp.ca>
Subject: Fax #42S369eaL from Sammie Heidenreich
Date: Wed, 26 Aug 2015 15:10:07 +0000
Attachment: fax_42S369eaL_Hermann-O'Reilly_Sammie Heidenreich.zip - 16,266 bytes - MD5: 478c2f26ab60fb1522aaef93a4751e3f
Extracted malware: Invoice Eulahaven.exe - 45,568 bytes - MD5: df25f2794c9caaf66d33bdaf8da63a7c
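As an added example (not part of the original post), here is a small Python parser for the listing format used above. It groups the zip attachments by the MD5 of the Upatre executable they extract to, which makes it easy to see that several differently named zips in this run carried the same binary. The embedded input is three records copied from the listing; the regex and function names are my own.

```python
import re
from collections import defaultdict

# Constructed input: three records copied from the listing above; the first two
# share an extracted-file MD5 even though the zip names and hashes differ.
SAMPLE = """\
From: "Howe-Pagac" <capplebyn@scitor.com>
Subject: Fax #Ty0or1frz from Addison Lakin Sr.
Date: Wed, 26 Aug 2015 14:07:16 +0000
Attachment: fax_Ty0or1frz_Howe-Pagac_Addison Lakin Sr..zip - 16,270 bytes - MD5: 1e62088179fde5d9f1218723a2725848
Extracted malware: Invoice Lake Nolastad.exe - 45,568 bytes - MD5: fb8e19a58dcb2ad97b47c427dabd9be0

From: "Hackett-Crooks" <edna@mtm-inc.net>
Subject: Fax #SWskRqOSS from Alda Beatty DVM
Date: Wed, 26 Aug 2015 14:10:48 +0000
Attachment: fax_SWskRqOSS_Hackett-Crooks_Alda Beatty DVM.zip - 16,270 bytes - MD5: 99d8000b917aa7f90f901e291cce326f
Extracted malware: Invoice Bayleeborough.exe - 45,568 bytes - MD5: fb8e19a58dcb2ad97b47c427dabd9be0

From: "Bode, Ebert and Pagac" <unity_unity7@strategies.com>
Subject: Fax #oUJWSwGCz from Juliana Fahey
Date: Wed, 26 Aug 2015 13:00:47 +0000
Attachment: fax_oUJWSwGCz_Bode, Ebert and Pagac_Juliana Fahey.zip - 16,250 bytes - MD5: 0d28a71cc96f4ebcbe563280c8b609d5
Extracted malware: Invoice Sipesstad.exe - 45,568 bytes - MD5: 643b2151c1bcc576d15edcef1e41732e
"""

# "<name> - <n,nnn> bytes - MD5: <32 hex>": names may contain commas, spaces and
# dots, so anchor on the trailing size and hash fields instead of splitting on " - ".
FILE_RE = re.compile(r"^(?P<name>.+) - (?P<size>[\d,]+) bytes - MD5: (?P<md5>[0-9a-f]{32})$")

def parse_records(text):
    """Return one dict per blank-line-separated email record in the listing."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            m = FILE_RE.match(value) if key in ("Attachment", "Extracted malware") else None
            rec[key] = {"name": m["name"], "size": int(m["size"].replace(",", "")),
                        "md5": m["md5"]} if m else value
        records.append(rec)
    return records

def group_by_payload(records):
    """Map each extracted-executable MD5 to the zip attachments that delivered it."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["Extracted malware"]["md5"]].append(rec["Attachment"]["name"])
    return dict(groups)
```

Paste the full 20-record listing in place of SAMPLE to get the distinct payload count for the whole run; the extracted executables all report the same 45,568-byte size, so the MD5 is the field that actually distinguishes them.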


MALWARE

THE 20 ATTACHMENTS (IN ALPHABETICAL ORDER):


THE 20 ITEMS OF EXTRACTED UPATRE MALWARE (IN ALPHABETICAL ORDER):


FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, email me at admin@malware-traffic-analysis.net and ask.
