2017-02-20 - UNIDENTIFIED MALWARE INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-02-20-unidentified-malware-infection-traffic.pcap.zip 833.6 kB (833,562 bytes)
- 2017-02-20-unidentified-malware-infection-traffic.pcap (1,080,088 bytes)
- 2017-02-20-email-and-malware.zip 462 kB (462,398 bytes)
- 2017-02-20-malspam-1738-UTC.eml (31,259 bytes)
- Camera radar notification.js (954 bytes)
- Cameraradarnotification.zip (767 bytes)
- System and Security.exe (352,768 bytes)
- upd9abc1cf3.exe (215,503 bytes)
NOTES:
- Emerging Threats alerts on the post-infection traffic indicate this malicious spam (malspam) may be distributing Zeus Panda Banker.
Shown above: Flowchart for this infection traffic.
Shown above: Screenshot from the email.
EMAIL HEADERS:
- Date: Monday 2017-02-20 at 17:38 UTC
- From (possibly spoofed): "Arnie Kestner" <arniekt3@accountant[.]com>
- Subject: radar photo proof 57628324
- Message-ID: <trinity-864b056e-4b65-4291-827b-8f75e89e8abd-1487612282235@3capp-mailcom-lxa07>
EMAIL MESSAGE:
Reason: negligent driving
Camera radar.
Hello
You’ve been issued with a driver’s violation:
The fee shall be accredited within the statutory period of up to 25.02.2017. This is an automated message, please do not reply.
Case No: 05776
Date of infringement: 18/02/2017
Amount due: 22.25 CAD
Please read notification [Link to: ideasprototyped.com/Cameraradarnotification.zip]
DOWNLOADED FILE:
Shown above: Zip archive downloaded from link in the email.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 69.89.31[.]217 port 80 - ideasprototyped[.]com - GET /Cameraradarnotification.zip [link from the email]
- 50.62.247[.]1 port 80 - lareinetravel[.]com - GET /1adtibeoclofyobozypki.exe?UhdjPs [malware download by .js file]
- 5.34.180[.]227 port 443 - porevo12[.]com - [Post-infection HTTPS/SSL/TLS traffic associated with Zeus Panda Banker]
FILE HASHES
ZIP ARCHIVE FROM LINK IN THE EMAIL:
- SHA256 hash: af86502737641ffbc66f5d47240f5d362167c9cab079b6554d70778896382653 (767 bytes)
File name: Cameraradarnotification.zip
EXTRACTED .JS FILE:
- SHA256 hash: 13e9f1e10f564a4667abe415b8477ed13a9c15955fa38a889e2e6f57351c1481 (954 bytes)
File name: Camera radar notification.js
MALWARE DOWNLOADED BY .JS FILE:
- SHA256 hash: ddea84e16b6b829512d5a1bd93c3d0db768a5d7ecd4c419ab70c53f4b1d555e4 (352,768 bytes)
File location: C:\Users\[username]\AppData\Roaming\Identities\System and Security.exe
File location: C:\Users\[username]\AppData\RoamingWZS45.exE
FOLLOW-UP MALWARE NOTED:
- SHA256 hash: 2375a171b77127674c743222c3bc4b296f96f5d3f021bced6ff7121c02a0cb3a (215,503 bytes)
File location: C:\Users\[username]\AppData\Local\Temp\upd9abc1cf3.exe
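The indicators above are easier to act on once they are refanged and wrapped in a small matching script. The following is an added example (not code from the original page or from the people who captured this traffic): it carries the page's SHA256 hashes and defanged IPs/domains as constants, refangs them, matches hosts against a constructed proxy-style log, flags zip archives whose members are script files (the zip -> .js -> .exe lure pattern seen here), and looks up file hashes. The log lines and the stand-in archive are constructed for the demonstration and are not the real samples.

```python
import hashlib
import io
import re
import zipfile

# SHA256 hashes and defanged network indicators copied from the lists above.
SHA256_IOCS = {
    "af86502737641ffbc66f5d47240f5d362167c9cab079b6554d70778896382653": "Cameraradarnotification.zip",
    "13e9f1e10f564a4667abe415b8477ed13a9c15955fa38a889e2e6f57351c1481": "Camera radar notification.js",
    "ddea84e16b6b829512d5a1bd93c3d0db768a5d7ecd4c419ab70c53f4b1d555e4": "System and Security.exe",
    "2375a171b77127674c743222c3bc4b296f96f5d3f021bced6ff7121c02a0cb3a": "upd9abc1cf3.exe",
}
NETWORK_IOCS = [
    ("69.89.31[.]217", "ideasprototyped[.]com"),
    ("50.62.247[.]1", "lareinetravel[.]com"),
    ("5.34.180[.]227", "porevo12[.]com"),
]

# Script types that a double-click hands to the Windows Script Host (or mshta).
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def refang(indicator):
    """Undo the '[.]' / 'hxxp' defanging used on the page so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def known_hosts():
    """Set of refanged IPs and domains from NETWORK_IOCS."""
    return {refang(value) for pair in NETWORK_IOCS for value in pair}


def match_log_lines(lines):
    """Return (indicator, line) for each line that mentions a known host or IP.

    Tokens are split on anything that cannot appear in a hostname, so both
    'http://host/path' and 'ip:port' yield the bare host for the lookup.
    """
    known = known_hosts()
    hits = []
    for line in lines:
        for token in re.findall(r"[A-Za-z0-9.-]+", line):
            if token in known:
                hits.append((token, line))
                break
    return hits


def script_members(zip_bytes):
    """List archive members with script extensions.

    An archive that holds nothing but a lone .js is the lure pattern in this
    infection: the .js is a downloader that fetches the .exe payload.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(SCRIPT_EXTENSIONS)]


def sha256_lookup(data):
    """Return the page's file name for a listed hash, or None if the bytes are not listed."""
    return SHA256_IOCS.get(hashlib.sha256(data).hexdigest())


# Constructed sample data (not the real samples): a proxy-style log and a stand-in
# archive containing a harmless one-line .js file that reuses the lure's file name.
SAMPLE_LOG = [
    "10.0.0.5 GET http://ideasprototyped.com/Cameraradarnotification.zip",
    "10.0.0.5 GET http://lareinetravel.com/1adtibeoclofyobozypki.exe?UhdjPs",
    "10.0.0.5 CONNECT 5.34.180.227:443",
    "10.0.0.5 GET http://example.com/index.html",
]


def build_sample_zip():
    """Build an in-memory zip with a single benign .js member (constructed stand-in)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Camera radar notification.js", "WScript.Echo('constructed stand-in');")
    return buf.getvalue()


if __name__ == "__main__":
    for host, line in match_log_lines(SAMPLE_LOG):
        print(f"IOC hit {host}: {line}")
    sample = build_sample_zip()
    print("script members:", script_members(sample))
    print("hash known:", sha256_lookup(sample))
```

The stand-in archive naturally does not match any listed hash, which is the point of keeping the hash check separate from the structural check: a re-packed lure with a different hash still trips the script-in-zip heuristic, while the hash set catches exact copies of the samples on this page.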
IMAGES
Shown above: Alerts on the post-infection traffic from the ETPRO rulesets using Sguil on Security Onion.