2014-07-09 - ASPROX BOTNET FAKE FUNERAL ANNOUNCEMENT PHISHING EMAILS
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-09-Asprox-traffic-all-pcaps.zip
- ZIP of the malware: 2014-07-09-Asprox-malware-example.zip
TODAY'S EMAILS
SUBJECT LINE:
Funeral of your friend
MESSAGE:
Funeral Announcement
Hereby we want to share your sorrow for your dear friend who passed away on Sunday, July 6, 2014.
You are cordially invited to express your sympathy in memory of your friend at a celebration of life service
that will be held on Tuesday, July 8, 2014 at the Ocker Funeral Home.
Please find more detailed information about the memorial service here.
Sincerely,
Funeral Home Secretary,
[different names used]
LINKS FROM THE EMAILS TO THE MALWARE:
- 64.90.54.129 - www.ifim.com.br/components/api/YdBbXBf/a5jNAQKCBj3rVKcFxhEKfTL50hMnzF4BxI0=/inv
- 192.55.193.162 - www.javinapolitano.es/tmp/api/HKJ+J8od8ngSZbvc1WbsJPh0w7NoaBC3W7pGoKeAm3o=/inv
NOTE: The link above for www.javinapolitano.es did not work for me.
PRELIMINARY MALWARE ANALYSIS
DOWNLOADED ZIP:
File name: FuneralInvitation_San_Antonio.zip
File size: 78.5 KB (80391 bytes)
MD5 hash: 5eb4150af5a153241b2aee1bd78e8033
Detection ratio: 3 / 54
First submission: 2014-07-09 18:17:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/7ca5f69099a9f002255cbfe12b378818b7daae087d85e38098d1069919e6daa8/analysis/
EXTRACTED FILE:
File name: FuneralInvitation_San_Antonio.exe
File size: 118.0 KB (120832 bytes)
MD5 hash: f389a95e7cb672c37501143e9d418def
Detection ratio: 4 / 54
First submission: 2014-07-09 18:17:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/3405743613d8393f430bde91070b690c04a03dcbe64cee79c56ad001f2a6a468/analysis/
Malwr link: https://malwr.com/analysis/NzFkYWM4MjFmYzJjNGYyYjg4NTQ0M2VmZjY4NDBhZjg/
CALLBACK TRAFFIC FROM SANDBOX ANALYSIS OF MALWARE
Malwr.com sandbox analysis - 2014-07-09-Asprox-malware-sandbox-analysis-01.pcap
- 18:19:39 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1
Other sandbox analysis on the same malware earlier in the day - 2014-07-09-Asprox-malware-sandbox-analysis-02.pcap
- 16:30:56 UTC - 172.16.165.135:49183 - 92.240.232.232:443 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:02 UTC - 172.16.165.135:49184 - 188.165.192.116:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:02 UTC - 172.16.165.135:49185 - 113.53.247.147:443 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:08 UTC - 172.16.165.135:49186 - 94.32.67.214:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:11 UTC - 172.16.165.135:49188 - 50.57.139.41:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:14 UTC - 172.16.165.135:49189 - 203.157.142.2:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:17 UTC - 172.16.165.135:49191 - 212.45.17.15:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
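Added here as a worked example (not part of the original post and not the author's tooling): a small Python filter that applies the check-in pattern visible in the sandbox logs above to proxy or sandbox lines in the same format. It assumes the POST lines on port 443 were recorded as cleartext HTTP (the sandbox could see the method), and the hex-path length threshold is a heuristic derived from these two samples only.

```python
import re
from collections import Counter

# Constructed sample input: four callback lines copied from this post's sandbox
# logs plus one constructed benign GET so the filter has something to ignore.
SANDBOX_LOG = """\
- 18:19:39 UTC - 192.168.56.102:1039 - 142.4.60.242:443 - POST /460326245047F2B6E405E92260B09AA0E35D7CA2B1
- 16:30:56 UTC - 172.16.165.135:49183 - 92.240.232.232:443 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:02 UTC - 172.16.165.135:49184 - 188.165.192.116:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:31:08 UTC - 172.16.165.135:49186 - 94.32.67.214:8080 - POST /BBFC8F9EDEB972DE1BE5401CED593A5ABB33E12DA8
- 16:32:00 UTC - 172.16.165.135:49190 - 93.184.216.34:80 - GET /index.html
"""

LINE_RE = re.compile(
    r"^-\s+(?P<time>\d\d:\d\d:\d\d) UTC - (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - (?P<method>[A-Z]+) (?P<path>\S+)$")

# Heuristic from the samples above: the check-in is a POST whose path is a
# single run of upper-case hex (42 chars in these captures), with no
# directory, extension or query string, sent to a TLS port or an alt-HTTP port.
HEX_PATH_RE = re.compile(r"^/[0-9A-F]{32,}$")
ODD_PORTS = {443, 8080}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_asprox_checkin(rec):
    return (rec["method"] == "POST" and rec["dport"] in ODD_PORTS
            and HEX_PATH_RE.match(rec["path"]) is not None)

def find_checkins(log_text):
    """All parsed records that look like the check-in seen in this post."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and is_asprox_checkin(r)]

def c2_summary(hits):
    """Distinct (dst, dport) pairs with hit counts, for blocking or pivoting."""
    return Counter((h["dst"], h["dport"]) for h in hits).most_common()

if __name__ == "__main__":
    hits = find_checkins(SANDBOX_LOG)
    for h in hits:
        print(f'{h["time"]} {h["dst"]}:{h["dport"]} {h["path"]}')
    print(c2_summary(hits))
```

Because the hex path changes per sample, a blocklist keyed on the path alone decays quickly; the method-plus-port-plus-path-shape check and the destination list are what survive across runs.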
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-09-Asprox-traffic-all-pcaps.zip
- ZIP of the malware: 2014-07-09-Asprox-malware-example.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.