2014-08-08 - PHISHING EMAIL - SUBJECT: RE: PURCHASE ORDER
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-08-08-phishing-malware-01-sandbox-analysis.pcap.zip
- ZIP of the malware: 2014-08-08-phishing-malware-01.zip
THE PHISHING EMAIL
MESSAGE TEXT:
From: Japan Manufatural Company <manufacturalsales@gmail.com>
Reply-To: <manufacturalsales@gmail.com>
Date: Friday, August 8, 2014 at 1:32 UTC
Subject: RE: PURCHASE ORDER
Sir.Kindly check my purchase order on the attach file and get back to us immedialey for the payment to be made.
Best Regard,
JAPAN NEPOL STEEL COMPANY
Fujitsu Kosugi Building 1812-10 Shimonumabe,
Nakahara-ku. Kawasaki-shi,
Kanagawa Japan.
Tel.: +81 - 813-678-9902
Email:manufacturalsales@gmail.com
Attachment: PURCHASE ORDER.rar (272 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: PURCHASE ORDER.rar
File size: 200.7 KB ( 205490 bytes )
MD5 hash: 2d62935b885a4cbef5db682dbf2614c3
Detection ratio: 24 / 54
First submission: 2014-08-08 04:30:57 UTC
VirusTotal link: https://www.virustotal.com/en/file/b1e9aaac9a35faea36d82dc2d4d060e424b652751251523166ede7d1537e351d/analysis/
EXTRACTED MALWARE:
File name: rach.exe
File size: 217.3 KB ( 222502 bytes )
MD5 hash: ba3888f22e448fd79b220106155d2b66
Detection ratio: 27 / 53
First submission: 2014-08-08 07:09:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/0ef66e8730340315b1f821e096c4ef6aeda02c89cef3d5ddc09c3804287684bb/analysis/
INFECTION TRAFFIC
TRAFFIC FROM SANDBOX ANALYSIS OF THE MALWARE:
- 19:31:58 UTC - 172.16.165.135:49191 - 23.63.227.177:80 - crl.microsoft.com - GET /pki/crl/products/CodeSignPCA.crl
- 19:32:00 UTC - 172.16.165.135:49192 - 74.86.13.122:80 - rachelserodioadvogados.com.br - GET /images/rach.bin
- 19:32:14 UTC - 172.16.165.135:49193 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
- 19:32:14 UTC - 172.16.165.135:49194 - 74.125.225.84:80 - www.google.com - GET /webhp
- 19:32:15 UTC - 172.16.165.135:49196 - 23.4.53.163:80 - crl.geotrust.com - GET /crls/secureca.crl
- 19:32:15 UTC - 172.16.165.135:49197 - 199.7.59.72:80 - gtglobal-ocsp.geotrust.com - GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6aQ%3D%3D
- 19:32:15 UTC - 172.16.165.135:49198 - 173.194.115.73:80 - clients1.google.com - GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEYuQla7EZTc
- 19:32:15 UTC - 172.16.165.135:49199 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
- 19:32:16 UTC - 172.16.165.135:49193 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
- 19:33:18 UTC - 172.16.165.135:49200 - 93.184.215.200:80 - mscrl.microsoft.com - GET /pki/mscorp/crl/mswww(6).crl
SNORT EVENTS FROM SANDBOX ANALYSIS TRAFFIC
Emerging Threats open and ETPRO rulesets, as seen in Sguil on Security Onion (ET POLICY and ET INFO events omitted):
- 172.16.165.135:49192 - 74.86.13.122:80 - ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download (sid:2010348)
- 172.16.165.135:49192 - 74.86.13.122:80 - ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin (sid:2018052)
- 172.16.165.135:49192 - 74.86.13.122:80 - ET TROJAN Possible Zbot Activity Common Download Struct (sid:2017836)
- 172.16.165.135:49193 - 74.86.13.122:80 - ET TROJAN Zeus POST Request to CnC - URL agnostic (sid:2013976)
- 172.16.165.135:49193 - 74.86.13.122:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
- 172.16.165.135:49194 - 74.125.225.84:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)
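The traffic summary above and the Snort events that fired on it show the classic Zeus/Zbot sequence: a GET for a .bin configuration file, followed by POSTs to a .php path on the same host, plus a GET /webhp to www.google.com as a connectivity check. As an added example (not part of the original write-up, and not the logic of the ET rules cited above), the Python below parses summary lines in the format used in this post and flags that sequence. The sample lines are copied from the sandbox traffic listed above with the two OCSP requests left out; the heuristic, the function names and the field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the sandbox traffic lines from this write-up (OCSP lines omitted),
# in the post's own "time - src:port - dst:port - host - METHOD uri" layout.
SANDBOX_TRAFFIC = """\
19:31:58 UTC - 172.16.165.135:49191 - 23.63.227.177:80 - crl.microsoft.com - GET /pki/crl/products/CodeSignPCA.crl
19:32:00 UTC - 172.16.165.135:49192 - 74.86.13.122:80 - rachelserodioadvogados.com.br - GET /images/rach.bin
19:32:14 UTC - 172.16.165.135:49193 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
19:32:14 UTC - 172.16.165.135:49194 - 74.125.225.84:80 - www.google.com - GET /webhp
19:32:15 UTC - 172.16.165.135:49196 - 23.4.53.163:80 - crl.geotrust.com - GET /crls/secureca.crl
19:32:15 UTC - 172.16.165.135:49199 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
19:32:16 UTC - 172.16.165.135:49193 - 74.86.13.122:80 - rachelserodioadvogados.com.br - POST /images/secure.php
19:33:18 UTC - 172.16.165.135:49200 - 93.184.215.200:80 - mscrl.microsoft.com - GET /pki/mscorp/crl/mswww(6).crl
"""

# One summary line: HH:MM:SS UTC - src:port - dst:port - host - METHOD /uri
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) - "
    r"(?P<host>\S+) - (?P<method>[A-Z]+) (?P<uri>\S+)$"
)


def parse_traffic(text):
    """Parse summary lines into dicts; lines that do not match the layout are skipped."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            requests.append(m.groupdict())
    return requests


def find_zeus_pattern(requests):
    """Heuristic (my own, not the ET signature logic): for each host, a GET for a
    *.bin file followed by one or more POSTs to a *.php path on the same host is
    reported as a config-download-then-C2-checkin pair. Also reports whether the
    GET /webhp connectivity check to www.google.com was seen.
    Timestamps are compared as HH:MM:SS strings, which is valid within one day."""
    by_host = defaultdict(list)
    for r in requests:
        by_host[r["host"]].append(r)

    findings = []
    for host, reqs in by_host.items():
        bin_gets = [r for r in reqs
                    if r["method"] == "GET" and r["uri"].lower().endswith(".bin")]
        php_posts = [r for r in reqs
                     if r["method"] == "POST" and r["uri"].lower().endswith(".php")]
        if bin_gets and php_posts and bin_gets[0]["time"] < php_posts[0]["time"]:
            findings.append({
                "host": host,
                "dst": reqs[0]["dst"],
                "config_uri": bin_gets[0]["uri"],
                "cnc_uri": php_posts[0]["uri"],
                "post_count": len(php_posts),
            })

    connectivity_check = any(
        r["host"] == "www.google.com" and r["uri"] == "/webhp" for r in requests
    )
    return findings, connectivity_check


if __name__ == "__main__":
    reqs = parse_traffic(SANDBOX_TRAFFIC)
    hits, webhp_seen = find_zeus_pattern(reqs)
    for h in hits:
        print(f"Zeus-style config download + C2 POST: {h['host']} ({h['dst']}) "
              f"config={h['config_uri']} cnc={h['cnc_uri']} posts={h['post_count']}")
    print("Google /webhp connectivity check seen:", webhp_seen)
```

Run against the sample, it reports rachelserodioadvogados.com.br (74.86.13.122) with /images/rach.bin as the config and three POSTs to /images/secure.php, and confirms the /webhp check. The CRL and OCSP requests to Microsoft, GeoTrust and Google are ordinary certificate-validation noise and produce no finding; that is also why the Snort list above has no events for them.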
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-08-08-phishing-malware-01-sandbox-analysis.pcap.zip
- ZIP of the malware: 2014-08-08-phishing-malware-01.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.