2014-01-30 - ASPROX EMAILS AND MALWARE
ASSOCIATED FILES:
- ZIP of the PCAP: 2014-01-30-Asprox-malware-infection-traffic.pcap.zip
- ZIP file of the malware: 2014-01-30-updated-Asprox-malware.zip
- ZIP file of the dropped files: 2014-01-30-Asprox-malware-dropped-files.zip
NOTES:
For this blog entry, I infected a physical host with the Asprox malware attached to a phishing email from 27 Jan 2014. The infected host became part of the botnet and sent more phishing emails.
First, here are a couple of links that explain the traffic seen below:
- http://techhelplist.com/index.php/tech-tutorials/41-misc/444-asprox-botnet-trojan-run-advertising-fraud-1
- http://techhelplist.com/index.php/tech-tutorials/41-misc/438-asprox-botnet-trojan-run-malware-spamming-1
Let's take a closer look at what happened...
ASPROX PHISHING EMAIL FROM 27 JAN 2014
Here's one of the emails that came through on 27 Jan 2014:
Here's the malware EXE extracted from the attachment:
INFECTING A HOST ON WEDNESDAY EVENING, 29 JAN 2014
The Snort events shown below from Security Onion are in GMT, while the PCAP shows my local time (US central time zone):
Here are highlights from the traffic as the host became infected (all times GMT):
- 00:44:20 192.168.1.109:49158 - 91.109.6.217:8080 - no domain - POST /763012C7B352704311B5D92CD06A884C2116DE79AE
- 00:44:20 91.109.6.217:8080 - 192.168.1.109:49158 - HTTP/1.1 200 OK
- 00:44:22 192.168.1.109:49159 - 91.239.15.212:80 - net-translscl.com - GET /b/shoe/159
- 00:44:23 91.239.15.212:80 - 192.168.1.109:49159 - HTTP/1.1 404 Not Found
- 00:44:23 192.168.1.109:49161 - 109.163.239.243:80 - bee-smoka.com - GET /libs30.15/jquery/
- 00:44:24 109.163.239.243:80 - 192.168.1.109:49161 - HTTP/1.1 200 OK (text/plain)
- 00:46:31 192.168.1.109:49172 - 78.46.240.107:8080 - no domain - POST /cb/board.pl
- 00:46:32 78.46.240.107:8080 - 192.168.1.109:49172 - HTTP/1.1 200 OK
- 00:47:37 192.168.1.109:49658 - 188.0.91.16:80 - presto-uniel.com - GET /b/eve/acbb88d5bb1755d71952f9ac
- 00:47:40 188.0.91.16:80 - 192.168.1.109:49658 - HTTP/1.1 200 OK (text/html)
- 00:52:08 192.168.1.109:51024 - 50.31.146.101:8080 - no domain - POST /cb/board.pl
- 00:52:08 50.31.146.101:8080 - 192.168.1.109:51024 - HTTP/1.1 200 OK
- 00:55:46 192.168.1.109:49159 - 5.228.165.172:80 - presto-uniel.com - POST /b/opt/EF662A19043ECF1413921216
- 00:55:56 5.228.165.172:80 - 192.168.1.109:49159 - HTTP/1.1 200 OK (text/html)
- 00:55:56 192.168.1.109:49160 - 5.228.165.172:80 - presto-uniel.com - GET /b/letr/DD782227D0AB9925C7074427
- 00:56:12 5.228.165.172:80 - 192.168.1.109:49160 - HTTP/1.1 200 OK (application/octet-stream)
- 00:56:12 192.168.1.109:49161 - 5.228.165.172:80 - presto-uniel.com - POST /b/opt/5F1A7708B17DC063A6D11D61
- 00:56:28 5.228.165.172:80 - 192.168.1.109:49161 - HTTP/1.1 200 OK (text/html)
- 00:56:29 192.168.1.109:49162 - 5.228.165.172:80 - presto-uniel.com - GET /b/letr/9F78D7B2E2AE774DF502AA4F
- 00:57:05 5.228.165.172:80 - 192.168.1.109:49162 - HTTP/1.1 200 OK (application/octet-stream)
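A way to turn the listing above into something a responder can act on, as an added example that is not part of the original post: it pairs each request with its response on the same client/server 4-tuple, then pulls out the two patterns visible in this capture, the POSTs sent straight to an IP on port 8080 with no Host header and the 200 responses carrying application/octet-stream, and records every IP each domain was seen on. The traffic lines are copied from the highlights above; the parsing and triage logic is mine and assumes this one-line-per-message format rather than a live PCAP.

```python
import re
from collections import defaultdict

# Constructed from the traffic highlights listed above (times GMT). The
# request/response lines are copied from the post; the pairing and triage
# logic is an added example, not part of the original write-up.
HTTP_LINES = """\
00:44:20 192.168.1.109:49158 - 91.109.6.217:8080 - no domain - POST /763012C7B352704311B5D92CD06A884C2116DE79AE
00:44:20 91.109.6.217:8080 - 192.168.1.109:49158 - HTTP/1.1 200 OK
00:44:22 192.168.1.109:49159 - 91.239.15.212:80 - net-translscl.com - GET /b/shoe/159
00:44:23 91.239.15.212:80 - 192.168.1.109:49159 - HTTP/1.1 404 Not Found
00:44:23 192.168.1.109:49161 - 109.163.239.243:80 - bee-smoka.com - GET /libs30.15/jquery/
00:44:24 109.163.239.243:80 - 192.168.1.109:49161 - HTTP/1.1 200 OK (text/plain)
00:46:31 192.168.1.109:49172 - 78.46.240.107:8080 - no domain - POST /cb/board.pl
00:46:32 78.46.240.107:8080 - 192.168.1.109:49172 - HTTP/1.1 200 OK
00:47:37 192.168.1.109:49658 - 188.0.91.16:80 - presto-uniel.com - GET /b/eve/acbb88d5bb1755d71952f9ac
00:47:40 188.0.91.16:80 - 192.168.1.109:49658 - HTTP/1.1 200 OK (text/html)
00:52:08 192.168.1.109:51024 - 50.31.146.101:8080 - no domain - POST /cb/board.pl
00:52:08 50.31.146.101:8080 - 192.168.1.109:51024 - HTTP/1.1 200 OK
00:55:46 192.168.1.109:49159 - 5.228.165.172:80 - presto-uniel.com - POST /b/opt/EF662A19043ECF1413921216
00:55:56 5.228.165.172:80 - 192.168.1.109:49159 - HTTP/1.1 200 OK (text/html)
00:55:56 192.168.1.109:49160 - 5.228.165.172:80 - presto-uniel.com - GET /b/letr/DD782227D0AB9925C7074427
00:56:12 5.228.165.172:80 - 192.168.1.109:49160 - HTTP/1.1 200 OK (application/octet-stream)
00:56:12 192.168.1.109:49161 - 5.228.165.172:80 - presto-uniel.com - POST /b/opt/5F1A7708B17DC063A6D11D61
00:56:28 5.228.165.172:80 - 192.168.1.109:49161 - HTTP/1.1 200 OK (text/html)
00:56:29 192.168.1.109:49162 - 5.228.165.172:80 - presto-uniel.com - GET /b/letr/9F78D7B2E2AE774DF502AA4F
00:57:05 5.228.165.172:80 - 192.168.1.109:49162 - HTTP/1.1 200 OK (application/octet-stream)
"""

REQ_RE = re.compile(r"^(\S+) (\S+):(\d+) - (\S+):(\d+) - (.+?) - (GET|POST) (\S+)$")
RESP_RE = re.compile(r"^(\S+) (\S+):(\d+) - (\S+):(\d+) - HTTP/1\.\d (\d{3}) ([^(]+?)(?: \((\S+)\))?$")


def parse_http_listing(text):
    """Pair each request with the next response on the same 4-tuple, in order.
    Client ports get reused later in the capture (49159, 49161), so the key
    includes the server side as well."""
    pending, records = {}, []
    for raw in text.splitlines():
        m = REQ_RE.match(raw)
        if m:
            t, cip, cport, sip, sport, host, method, path = m.groups()
            rec = {"time": t, "client": cip, "server": sip, "port": int(sport),
                   "host": host, "method": method, "path": path,
                   "status": None, "ctype": None}
            pending[(cip, cport, sip, sport)] = rec
            records.append(rec)
            continue
        m = RESP_RE.match(raw)
        if m:
            t, sip, sport, cip, cport, status, _reason, ctype = m.groups()
            rec = pending.pop((cip, cport, sip, sport), None)
            if rec is not None:
                rec["status"] = int(status)
                rec["ctype"] = ctype
    return records


def triage(records):
    """Pull out the patterns that stand out in this capture: POSTs sent to a
    bare IP (no Host header) on port 8080, and 200 responses whose body is
    application/octet-stream. Also map each domain to every IP it used."""
    direct_ip_posts = [r for r in records
                       if r["method"] == "POST" and r["host"] == "no domain"]
    binary_downloads = [r for r in records
                        if r["status"] == 200 and r["ctype"] == "application/octet-stream"]
    ips_per_domain = defaultdict(set)
    for r in records:
        if r["host"] != "no domain":
            ips_per_domain[r["host"]].add(r["server"])
    return {
        "destinations": sorted({(r["server"], r["port"], r["host"]) for r in records}),
        "direct_ip_posts": direct_ip_posts,
        "binary_downloads": binary_downloads,
        "ips_per_domain": {d: sorted(v) for d, v in ips_per_domain.items()},
    }


if __name__ == "__main__":
    result = triage(parse_http_listing(HTTP_LINES))
    for r in result["direct_ip_posts"]:
        print("direct-to-IP POST:", r["time"], f'{r["server"]}:{r["port"]}', r["path"])
    for r in result["binary_downloads"]:
        print("binary download:", r["time"], r["host"], r["path"])
    print("domain -> IPs:", result["ips_per_domain"])
```

Note that presto-uniel.com answers from two different IPs inside the same ten-minute window, so a blocklist built from this capture needs the domain and both addresses, and the three direct-to-IP POSTs on port 8080 each hit a different server, which is why a rule keyed on "HTTP POST to a non-standard port with no Host header" will outlast any one address.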
MALWARE DROPPED DURING THE ORIGINAL INFECTION
This is where the original malware copied itself after it was executed:
Path and file name: C:\Users\User-1\AppData\Local\irtjggll.exe
File size: 365.0 KB (373760 bytes)
MD5 hash: 0ccb0f978a9a9066a22534ac108c6ef1
Time created: 2014-01-30 00:42:17 GMT
After a quick look, I found these EXE files within the user's AppData directory:
Path and file name: C:\Users\User-1\AppData\Local\lxrqqowx.exe
File size: 76.0 KB (77824 bytes)
MD5 hash: 773521dcc3ca8be57e8202ae37cf20dd
Time created: 2014-01-30 00:44:21 GMT
Path and file name: C:\Users\User-1\AppData\Roaming\Vyifiqe\tumeyxk.exe
File size: 291.2 KB (298219 bytes)
MD5 hash: 6bffa1c615694909638f68350b396682
Time created: 2014 00:47:34 GMT
Path and file name: C:\Users\User-1\AppData\Local\qpmxbuji.exe
File size: 136.0 KB (139264 bytes)
MD5 hash: 7b37752da4193ad2cdfba83f4a98503e
Time created: 2014-01-30 00:48:35 GMT
Path and file name: C:\Users\User-1\AppData\Local\Temp\UpdateFlashPlayer_78a0e7bb.exe
File size: 142.3 KB (145721 bytes)
MD5 hash: df5ab239bdf09a8716cabbdfa1d6a724
Time created: 2014-01-30 00:53:15 GMT
Path and file name: C:\Users\User-1\AppData\Local\Temp\UpdateFlashPlayer_9453f040.exe
File size: 291.2 KB (298219 bytes)
MD5 hash: b2534de2f7bb39ba7dbee16b6667fabf
Time created: 2014-01-30 00:53:15 GMT
POST INFECTION EMAIL ACTIVITY
The infected host began sending emails at 00:46 GMT, and it made several hundred attempts before I powered down the host. Most of the attempts were denied by the mail servers. The first 2 seconds of the activity saw 48 attempts to send emails.
- 00:46:39 - 192.168.1.109:49190 - 184.173.124.234:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49184 - 74.125.196.26:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49179 - 65.55.92.184:25 - C: MAIL FROM: <support317@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49178 - 98.136.216.25:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49173 - 98.136.216.26:25 - C: MAIL FROM: <service.389@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49174 - 66.196.118.35:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49175 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49183 - 98.138.112.38:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49191 - 150.70.162.143:25 - C: MAIL FROM: <service.601@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49186 - 65.54.188.110:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49197 - 192.185.29.98:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49188 - 98.136.217.192:25 - C: MAIL FROM: <support.8@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49181 - 65.54.188.110:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49185 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49194 - 74.125.196.27:25 - C: MAIL FROM: <notice559@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49193 - 66.94.25.228:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49199 - 65.55.92.136:25 - C: MAIL FROM: <support317@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49192 - 65.39.178.143:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49180 - 173.194.78.26:25 - C: MAIL FROM: <support.8@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49202 - 98.136.216.25:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49201 - 66.196.118.34:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49205 - 66.196.118.34:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49206 - 66.196.118.34:25 - C: MAIL FROM: <service.389@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49208 - 65.55.92.168:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49209 - 65.55.92.168:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49203 - 66.196.118.34:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49207 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49213 - 74.125.196.27:25 - C: MAIL FROM: <service.146@mnduscourt.com>
- 00:46:39 - 192.168.1.109:49212 - 65.54.188.110:25 - C: MAIL FROM: <support317@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49214 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49219 - 65.55.92.184:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49218 - 65.55.92.184:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49217 - 66.196.118.34:25 - C: MAIL FROM: <service.389@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49215 - 98.136.216.25:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49216 - 98.136.216.25:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49222 - 98.136.216.25:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49220 - 98.136.216.25:25 - C: MAIL FROM: <support.2@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49221 - 66.196.118.34:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49228 - 98.136.216.25:25 - C: MAIL FROM: <support535@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49229 - 65.55.92.168:25 - C: MAIL FROM: <support317@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49230 - 74.125.196.26:25 - C: MAIL FROM: <support.2@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49227 - 65.54.188.110:25 - C: MAIL FROM: <notice533@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49233 - 65.55.92.136:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49234 - 65.55.92.136:25 - C: MAIL FROM: <manager@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49236 - 98.136.216.25:25 - C: MAIL FROM: <support.8@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49235 - 98.136.216.25:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49238 - 98.136.216.25:25 - C: MAIL FROM: <support.5@mnduscourt.com>
- 00:46:40 - 192.168.1.109:49237 - 66.196.118.34:25 - C: MAIL FROM: <support.2@mnduscourt.com>
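A detection that keys on the burst rather than on any one sender address, as an added example that is not part of the original post: a sliding window over each internal host's outbound port-25 connections, alerting when a host opens 20 or more within 10 seconds and reporting how many mail servers and sender addresses the burst used. The first 24 lines above are embedded as sample input, plus two constructed lines from a second host (192.168.1.50 to 192.168.1.2) that sends at a normal rate and must not alert; the window and threshold are assumptions for illustration, not tuned values.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d) - (\S+):(\d+) - (\S+):(\d+) - C: MAIL FROM: <([^>]+)>$"
)

# Sample input: the first 24 connections from the listing above (times GMT),
# plus two constructed lines from a second host that sends mail at a normal
# rate and must not trigger the alert.
SMTP_LINES = """\
00:40:12 - 192.168.1.50:52011 - 192.168.1.2:25 - C: MAIL FROM: <alice@example.com>
00:41:03 - 192.168.1.50:52018 - 192.168.1.2:25 - C: MAIL FROM: <alice@example.com>
00:46:39 - 192.168.1.109:49190 - 184.173.124.234:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
00:46:39 - 192.168.1.109:49184 - 74.125.196.26:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49179 - 65.55.92.184:25 - C: MAIL FROM: <support317@mnduscourt.com>
00:46:39 - 192.168.1.109:49178 - 98.136.216.25:25 - C: MAIL FROM: <manager@mnduscourt.com>
00:46:39 - 192.168.1.109:49173 - 98.136.216.26:25 - C: MAIL FROM: <service.389@mnduscourt.com>
00:46:39 - 192.168.1.109:49174 - 66.196.118.35:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
00:46:39 - 192.168.1.109:49175 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49183 - 98.138.112.38:25 - C: MAIL FROM: <manager@mnduscourt.com>
00:46:39 - 192.168.1.109:49191 - 150.70.162.143:25 - C: MAIL FROM: <service.601@mnduscourt.com>
00:46:39 - 192.168.1.109:49186 - 65.54.188.110:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49197 - 192.185.29.98:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49188 - 98.136.217.192:25 - C: MAIL FROM: <support.8@mnduscourt.com>
00:46:39 - 192.168.1.109:49181 - 65.54.188.110:25 - C: MAIL FROM: <manager@mnduscourt.com>
00:46:39 - 192.168.1.109:49185 - 66.196.118.34:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49194 - 74.125.196.27:25 - C: MAIL FROM: <notice559@mnduscourt.com>
00:46:39 - 192.168.1.109:49193 - 66.94.25.228:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
00:46:39 - 192.168.1.109:49199 - 65.55.92.136:25 - C: MAIL FROM: <support317@mnduscourt.com>
00:46:39 - 192.168.1.109:49192 - 65.39.178.143:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49180 - 173.194.78.26:25 - C: MAIL FROM: <support.8@mnduscourt.com>
00:46:39 - 192.168.1.109:49202 - 98.136.216.25:25 - C: MAIL FROM: <support.5@mnduscourt.com>
00:46:39 - 192.168.1.109:49201 - 66.196.118.34:25 - C: MAIL FROM: <service_notice@mnduscourt.com>
00:46:39 - 192.168.1.109:49205 - 66.196.118.34:25 - C: MAIL FROM: <manager@mnduscourt.com>
00:46:39 - 192.168.1.109:49206 - 66.196.118.34:25 - C: MAIL FROM: <service.389@mnduscourt.com>
00:46:39 - 192.168.1.109:49208 - 65.55.92.168:25 - C: MAIL FROM: <support.5@mnduscourt.com>
"""


def parse_smtp_listing(text):
    """Parse one MAIL FROM line per outbound SMTP connection."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, src, _sport, dst, dport, sender = m.groups()
        events.append({
            "time": f"{hh}:{mm}:{ss}",
            "secs": int(hh) * 3600 + int(mm) * 60 + int(ss),
            "src": src, "dst": dst, "dport": int(dport), "sender": sender,
        })
    return events


def detect_spam_bursts(events, window_s=10, threshold=20):
    """Alert when one source opens >= threshold outbound port-25 connections
    inside any window_s-second window. One alert per source host, describing
    the first burst found."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["secs"]):
        if e["dport"] == 25:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        i = 0
        for j in range(len(evs)):
            while evs[j]["secs"] - evs[i]["secs"] > window_s:
                i += 1
            if j - i + 1 < threshold:
                continue
            # Threshold reached: take every connection in the window that
            # starts at evs[i], report it, and stop for this host.
            k = j
            while k + 1 < len(evs) and evs[k + 1]["secs"] - evs[i]["secs"] <= window_s:
                k += 1
            burst = evs[i:k + 1]
            alerts.append({
                "src": src,
                "first": burst[0]["time"],
                "connections": len(burst),
                "mx_hosts": len({e["dst"] for e in burst}),
                "senders": sorted({e["sender"] for e in burst}),
                "sender_domains": sorted({e["sender"].rsplit("@", 1)[1] for e in burst}),
            })
            break
    return alerts


if __name__ == "__main__":
    for a in detect_spam_bursts(parse_smtp_listing(SMTP_LINES)):
        print(f"{a['src']} opened {a['connections']} SMTP connections to "
              f"{a['mx_hosts']} mail servers starting {a['first']}, "
              f"as {len(a['senders'])} senders at {', '.join(a['sender_domains'])}")
```

On a network where only the mail relay is supposed to speak SMTP outbound, the simpler rule is any port-25 connection from a workstation; the windowed count is for networks that cannot enforce that, and the sender-domain summary is what tells you which domain the botnet is spoofing in this run.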
Here's an example of the SMTP traffic from my infected host:
The Google mail server rejected this message...
NEW PHISHING EMAIL SENT BY THE INFECTED HOST
I extracted an email from the SMTP traffic in the PCAP to get a better look at the message being sent:
Here's the malware EXE extracted from the attachment:
The file had already been submitted to VirusTotal about 8 hours before I submitted my copy:
File name: Details_For_Arrears_Document_29-01-2014.exe
File size: 165.0 KB ( 168960 bytes )
MD5 hash: 3b636be10ba275b0cc7ecfca5fccc85e
VirusTotal link: https://www.virustotal.com/en/file/631f2bcf232bf006976f0c09b38d67b00dd780201771b59692a1acfe05ac478e/analysis/
First submitted: 2014-01-29 19:24:20 GMT
FINAL NOTES
Once again, here are the associated files:
- ZIP of the PCAP: 2014-01-30-Asprox-malware-infection-traffic.pcap.zip
- ZIP file of the malware: 2014-01-30-updated-Asprox-malware.zip
- ZIP file of the dropped files: 2014-01-30-Asprox-malware-dropped-files.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.