2014-07-30 - PHISHING EMAIL - SUBJECT: FW : PAYMENT SLIP
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-07-30-phishing-malware-sandbox-analysis.pcap.zip
- ZIP of the malware: 2014-07-30-phishing-malware.zip
TODAY'S PHISHING EMAIL
MESSAGE TEXT:
Subject: FW : Payment Slip
Date: Wed, 30 Jul 2014 11:20:50 UTC
From: icegate@orientm.com
To: undisclosed-recipients:;
Good Day,
Please find attached our deposit payment as authorized by our bank below.
Kindly confirm and start mass production asap.
Looking forward to your immediate response.
Regards,
John Candy
Senior Account Manager.
--------- Original Message --------
From: HSBC Advising Service
To: alex.cheng@technomix.com.hk <alex.cheng@technomix.com.hk>
Subject: Payment Advice - Advice Ref:[G62315968954] / Priority payment /
Customer Ref:[DOC 24678]
Date: 30/06/14 12:00
Dear Sir/Madam,
The attached payment advice is issued at the request of our customer. The advice is for your reference only.
Yours faithfully,
Global Payments and Cash
Management HSBC
***********************************************
Last message received on 6/30
PRELIMINARY MALWARE ANALYSIS
FILE ATTACHMENT:
File name: PAYMENT SLIP SZOETISW KARAMEN VETINAM.7z
File size: 464.2 KB ( 475331 bytes )
MD5 hash: 14968d88c49db1464c17f34da11bdc37
Detection ratio: 11 / 53
First submission: 2014-07-30 11:27:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/c39af73d982ada606d6bf045822b80a2b02a838c0b3e49f86cb40667d5c8c0d9/analysis/
EXTRACTED MALWARE:
File name: PAYMENT SLIP SZOETISW KARAMEN VETINAM.exe
File size: 480.0 KB ( 491520 bytes )
MD5 hash: fd621bbd1a7fcf6d84210e11ac16a310
Detection ratio: 13 / 54
First submission: 2014-07-30 12:35:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/744433f38a6aa3b8377f0b7b21b7d4cdb1797d81445ed1ad8fe68866a79b928d/analysis/
TRAFFIC FROM THE SANDBOX ANALYSIS
HTTP POST REQUESTS:
- 2014-07-30 13:57:32 UTC - 192.168.204.135:1029 - 185.28.21.30:80 - elaqi.3eeweb.com - POST /1/1/gate.php HTTP/1.0
- 2014-07-30 13:57:43 UTC - 192.168.204.135:1030 - 185.28.21.30:80 - elaqi.3eeweb.com - POST /1/1/gate.php HTTP/1.0
SNORT EVENTS
Emerging Threats and ETPRO signature hits from Sguil after using tcpreplay on Security Onion:
- 192.168.204.135:1029 - 185.28.21.30:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
- 192.168.204.135:1029 - 185.28.21.30:80 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (sid:2007695)
- 192.168.204.135:1029 - 185.28.21.30:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
- 192.168.204.135:1029 - 185.28.21.30:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
- 192.168.204.135:1029 - 185.28.21.30:80 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (sid:2016870)
- 185.28.21.30:80 - 192.168.204.135:1029 - ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK (sid:2014563)
- 192.168.204.135:1030 - 185.28.21.30:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 (sid:2014562)
Sourcefire VRT signature hits from reading the PCAP with Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 2014-07-30 13:57:32 UTC - 192.168.204.135:1029 - 185.28.21.30:80 - [1:21860:3] EXPLOIT-KIT Phoenix exploit kit post-compromise behavior
- 2014-07-30 13:57:32 UTC - 192.168.204.135:1029 - 185.28.21.30:80 - [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
- 2014-07-30 13:57:32 UTC - 192.168.204.135:1029 - 185.28.21.30:80 - [1:21556:7] POLICY-OTHER Microsoft Windows 98 User-Agent string
- 2014-07-30 13:57:33 UTC - 185.28.21.30:80 - 192.168.204.135:1029 - [1:29870:2] MALWARE-CNC Win.Trojan.Pony HTTP response connection
- 2014-07-30 13:57:43 UTC - 192.168.204.135:1030 - 185.28.21.30:80 - [1:21860:3] EXPLOIT-KIT Phoenix exploit kit post-compromise behavior
- 2014-07-30 13:57:43 UTC - 192.168.204.135:1030 - 185.28.21.30:80 - [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
- 2014-07-30 13:57:43 UTC - 192.168.204.135:1030 - 185.28.21.30:80 - [1:21556:7] POLICY-OTHER Microsoft Windows 98 User-Agent string
- 2014-07-30 13:57:44 UTC - 185.28.21.30:80 - 192.168.204.135:1030 - [1:29870:2] MALWARE-CNC Win.Trojan.Pony HTTP response connection
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-07-30-phishing-malware-sandbox-analysis.pcap.zip
- ZIP of the malware: 2014-07-30-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.