2014-07-08 - ASPROX BOTNET FAKE E-ZPASS PHISHING EMAILS
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-08-Asprox-malware-both-pcaps.zip
- ZIP of the malware: 2014-07-08-Asprox-malware-example.zip
TODAY'S EMAILS
SCREENSHOTS:
SUBJECT LINES:
- Pay for driving on toll road
- Indebted for driving on toll road
MESSAGE:
Dear customer,
You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.
The invoice can be downloaded here.
LINKS FROM THE EMAILS TO THE MALWARE:
- 89.111.177.168 - www.find-chehov.ru/components/api/j7OvR4AB6QsrYgMBWRSXoMpKpkfhv4p6JtLkMaMaxAI=/toll
- 66.147.244.62 - www.gettingleadswithcraigslist.com/wp-content/api/clQeVmQqKbKfdm3APlvUlinpF35TfVDjzbQBileNonc=/toll
NOTE: The account for www.gettingleadswithcraigslist.com was suspended by the time I checked the link
PRELIMINARY MALWARE ANALYSIS
ZIP FILE:
File name: E-ZPass_San_Antonio.zip
File size: 56.7 KB ( 58028 bytes )
MD5 hash: b667faf93d1b846ee4d0b9656d0d282b
Detection ratio: 4 / 54
First submission: 2014-07-08 20:24:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/611c8bff331db2f7a2c79c96b897264cb96dccd292460507acb6e0ed29b6f167/analysis/
EXTRACTED MALWARE:
File name: E-ZPass_San_Antonio.exe
File size: 84.0 KB ( 86016 bytes )
MD5 hash: 351c4b6611117ab2f5f8af8710e0bd52
Detection ratio: 5 / 54
First submission: 2014-07-08 20:25:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/16d1f3f1f9c095e8a1fda728edab565065d91adcd04cf691ac1433222f37f11b/analysis/
Malwr link: https://malwr.com/analysis/YjhlYTZmZGUyMmExNDFjNmI4MGQ3MTU3YjhiYTcwNTg/
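The ZIP/EXE pair above is the kind of lure the "ZIPPED EXE in transit" Snort rule below fires on: an archive whose only payload is a Windows executable. The following is an added example, not code from this page or from the Asprox analysis, showing how to triage such an archive offline: open it in memory, flag entries that are executables by extension or by the `MZ` magic (the lure name `E-ZPass_Invoice.pdf.exe` and the archive contents are constructed for the example), hash them, and compare against the MD5s published on this page. The constructed sample will of course not match the real hashes; the `known_bad` field stays `None`.

```python
import hashlib
import io
import zipfile

# MD5s published on this page for the real sample (the constructed archive below does NOT match them).
KNOWN_BAD_MD5 = {
    "b667faf93d1b846ee4d0b9656d0d282b": "E-ZPass_San_Antonio.zip",
    "351c4b6611117ab2f5f8af8710e0bd52": "E-ZPass_San_Antonio.exe",
}

EXE_EXTENSIONS = {"exe", "scr", "com", "pif"}

# Constructed stand-in for a PE file: DOS 'MZ' header, a PE signature, and padding. Not a real binary.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100


def hashes(data):
    """MD5 and SHA256 of a byte string, the two hashes this page reports per file."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def scan_zip(blob):
    """Open a zip held in memory and return one finding per executable entry.

    An entry is flagged when its extension is executable OR its content starts with
    the 'MZ' DOS header, so a renamed binary (invoice.dat) is still caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            ext = info.filename.lower().rsplit(".", 1)[-1]
            by_ext = ext in EXE_EXTENSIONS
            by_magic = data[:2] == b"MZ"
            if by_ext or by_magic:
                h = hashes(data)
                findings.append({
                    "name": info.filename,
                    "size": info.file_size,
                    "by_ext": by_ext,
                    "by_magic": by_magic,
                    "md5": h["md5"],
                    "sha256": h["sha256"],
                    "known_bad": KNOWN_BAD_MD5.get(h["md5"]),  # name if the MD5 is on this page's list
                })
    return findings


def build_sample_zip():
    """Constructed test archive: a fake PE with a double extension, a benign text file,
    and a fake PE hiding behind a non-executable extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("E-ZPass_Invoice.pdf.exe", FAKE_PE)
        zf.writestr("readme.txt", b"This is not an executable.\n")
        zf.writestr("invoice.dat", b"MZ" + b"\0" * 30)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    print("archive md5:", hashes(archive)["md5"])
    for f in scan_zip(archive):
        print(f["name"], f["size"], "ext" if f["by_ext"] else "", "MZ" if f["by_magic"] else "",
              f["md5"], f["known_bad"] or "not on the list")
```

For a real capture, read the archive bytes out of the HTTP response body (or the saved ZIP) and pass them to `scan_zip`; the sample ZIPs this site distributes are password-protected, so those need `zf.read(name, pwd=...)` rather than the plain read used here.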
CALLBACK TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE
(timestamp - source - destination - HTTP Host header - request)
2014-07-08 20:34 UTC - 192.168.56.102:1039 - 212.45.17.15:8080 - 212.45.17.15:8080 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1
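The two URL shapes on this page are the useful hunting artifacts: the download links share the form /api/<base64 token>/toll, and the check-in is a POST to a bare dotted-quad Host on port 8080 with a long upper-case hex string as the path (the same thing the ET "POST to Dotted Quad" rule keys on). Below is an added example, not code from this page, that turns both into triage logic run over constructed proxy log lines. The log format (timestamp, source, destination, method, Host, URI, space-separated) is an assumption for the example; the three malicious lines reuse the page's own IPs and URIs, the two benign lines use documentation addresses.

```python
import re
from ipaddress import ip_address

# Download URL: any path whose last two segments are /api/<base64-ish token, '=' padding allowed>/<word>.
# Both links on this page end in /toll, but the final word is left open so a renamed lure still matches.
ASPROX_DOWNLOAD = re.compile(r"^/(?:[^/]+/)*api/[A-Za-z0-9+/]{20,}={0,2}/[A-Za-z0-9_-]+$")

# Check-in URI: a single path component of 40 or more upper-case hex characters.
ASPROX_CHECKIN = re.compile(r"^/[0-9A-F]{40,}$")


def is_dotted_quad(host):
    """True when the Host header is an IPv4 literal (optionally with :port) rather than a name."""
    try:
        ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def classify(line):
    """Return a verdict tuple for one log line, or None when nothing matched.

    Assumed (constructed) log layout: ts src dst method host uri
    """
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, method, host, uri = fields
    if method == "GET" and ASPROX_DOWNLOAD.match(uri):
        return ("asprox-download", ts, src, host, uri)
    # The check-in pattern alone is generic; requiring a dotted-quad Host and a POST keeps it tight,
    # matching the combination the ET INFO rule on this page alerted on.
    if method == "POST" and is_dotted_quad(host) and ASPROX_CHECKIN.match(uri):
        return ("asprox-checkin", ts, src, host, uri)
    return None


def triage(lines):
    """Run classify() over a log and keep only the hits, in log order."""
    return [v for v in (classify(line) for line in lines) if v]


# Constructed sample log: three lines built from this page's indicators, two benign lines.
SAMPLE_LOG = [
    "2014-07-08T20:10:00Z 192.168.56.102:53848 89.111.177.168:80 GET www.find-chehov.ru "
    "/components/api/j7OvR4AB6QsrYgMBWRSXoMpKpkfhv4p6JtLkMaMaxAI=/toll",
    "2014-07-08T20:11:00Z 192.168.56.102:53849 66.147.244.62:80 GET www.gettingleadswithcraigslist.com "
    "/wp-content/api/clQeVmQqKbKfdm3APlvUlinpF35TfVDjzbQBileNonc=/toll",
    "2014-07-08T20:34:00Z 192.168.56.102:1039 212.45.17.15:8080 POST 212.45.17.15:8080 "
    "/460326245047F2B6E405E92260B09AA0E35D7CA2B1",
    # benign: short REST path, not a base64 token
    "2014-07-08T20:40:00Z 192.168.56.102:1041 93.184.216.34:80 GET www.example.com /api/v1/users",
    # benign: POST to a dotted quad but with an ordinary path
    "2014-07-08T20:41:00Z 192.168.56.102:1042 203.0.113.5:8080 POST 203.0.113.5:8080 /login",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(*verdict)
```

Treat the check-in rule as a lead rather than a conviction: a POST with a long hex path to an IP literal is unusual on a corporate network but not unique to Kuluoz/Asprox, so confirm with the host-based artifacts (the dropped EXE and its hashes) before declaring an infection.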
SNORT EVENTS
Snort events noted from the malware download PCAP:
- 89.111.177.168:80 - 192.168.56.102:53848 - [1:2001404:5] ET POLICY ZIPPED EXE in transit
- 89.111.177.168:80 - 192.168.56.102:53848 - [1:2012228:1] ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
Snort events noted on the PCAP from sandbox analysis of the malware:
- 192.168.56.102:1039 - 212.45.17.15:8080 - [1:31244:2] MALWARE-CNC Win.Trojan.Kuluoz outbound connection attempt
- 192.168.56.102:1039 - 212.45.17.15:8080 - [1:2807771:1] ETPRO TROJAN Win32/Kuluoz.D Checkin
- 192.168.56.102:1039 - 212.45.17.15:8080 - [1:2017895:5] ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013
- 192.168.56.102:1039 - 212.45.17.15:8080 - [1:2018359:1] ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2
NOTE: These Snort events were taken from Sguil using tcpreplay on Security Onion and reading the PCAP from a Snort installation on Ubuntu 14.04 LTS.
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-08-Asprox-malware-both-pcaps.zip
- ZIP of the malware: 2014-07-08-Asprox-malware-example.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.