2014-08-09 - PHISHING EMAIL - SUBJECT: NEW REQUEST FOR AN OFFER
ASSOCIATED FILES:
- ZIP of PCAP(s): 2014-08-08-phishing-malware-02-traffic.pcap.zip
- ZIP of the malware: 2014-08-08-phishing-malware-02.zip
THE PHISHING EMAIL
MESSAGE TEXT:
From: Aisha Nadiath <sales@newmanflanqe.com>
Date: Friday, August 8, 2014 at 8:33 UTC
Subject: New Request for an offer
Dear Sir,
We are participating in an on going bid.
Please quote us the Offer products at a reasonable prices as mentioned in this tender document.
Thanks and Best Regards,
Aisha Nadiath
Purchase Manager
Overseas New Manflange Co. Ltd.
Attachment: Tender-013.zip (291.9 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: Tender-013.zip
File size: 215.3 KB ( 220501 bytes )
MD5 hash: 95515c7fbe05c1e5faafe8fe55cec57f
Detection ratio: 14 / 54
First submission: 2014-08-08 06:25:07 UTC
VirusTotal link: https://www.virustotal.com/en/file/a00b4365b5716c5f2b9f5d62d5c9fd3e7f880089a16f91224ed03df03c1a0c39/analysis/
EXTRACTED MALWARE:
File name: Tender-013.exe
File size: 366.5 KB ( 375296 bytes )
MD5 hash: 17ecbfa39ec3e5f5ba93fdd9d0885fde
Detection ratio: 15 / 53
First submission: 2014-08-08 08:27:47 UTC
VirusTotal link: https://www.virustotal.com/en/file/313b7051761561bc585bc7fe3689ae283f28f2ea54ccceaaffadacf18acc887e/analysis/
INFECTION TRAFFIC
FROM RUNNING THE MALWARE IN A VM:
- 23:41:52 UTC - 172.16.165.133:53202 - 172.16.165.2:53 - DNS query for: jifcotradingllc.biz (did not resolve)
- 23:41:53 UTC - 172.16.165.133:53470 - 172.16.165.2:53 - DNS query for: brotherlyworship.biz (did not resolve)
- 23:42:06 UTC - 172.16.165.133:65362 - 172.16.165.2:53 - DNS query for: brotherlyworshippers.biz (did not resolve)
- 23:42:19 UTC - 172.16.165.133:64376 - 172.16.165.2:53 - DNS query for: dreamswitchedmylife.biz (did not resolve)
- 23:42:24 UTC - 172.16.165.133:60897 - 172.16.165.2:53 - DNS query for: businessswitchedmylife.biz (did not resolve)
- 23:42:25 UTC - 172.16.165.133:52243 - 172.16.165.2:53 - DNS query for: nobemetalkam.com (did not resolve)
- 23:42:38 UTC - 172.16.165.133:64758 - 172.16.165.2:53 - DNS query for: heavensbreedonline.com
- 23:42:38 UTC - 172.16.165.133:49160 - 199.175.51.62:80 - heavensbreedonline.com - POST /imges/order.php
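The pattern above (a run of lookups that do not resolve, then one that does and is immediately used for an HTTP POST) is the C2 fallback behaviour worth alerting on. The following is an added detection example, not code from this site; it parses the traffic lines exactly as listed here, and the min_failed threshold of three unresolved lookups is an assumed tuning value.

```python
import re
from collections import defaultdict

# Traffic lines copied from the listing above (one VM host, 2014-08-08).
TRAFFIC = """\
23:41:52 UTC - 172.16.165.133:53202 - 172.16.165.2:53 - DNS query for: jifcotradingllc.biz (did not resolve)
23:41:53 UTC - 172.16.165.133:53470 - 172.16.165.2:53 - DNS query for: brotherlyworship.biz (did not resolve)
23:42:06 UTC - 172.16.165.133:65362 - 172.16.165.2:53 - DNS query for: brotherlyworshippers.biz (did not resolve)
23:42:19 UTC - 172.16.165.133:64376 - 172.16.165.2:53 - DNS query for: dreamswitchedmylife.biz (did not resolve)
23:42:24 UTC - 172.16.165.133:60897 - 172.16.165.2:53 - DNS query for: businessswitchedmylife.biz (did not resolve)
23:42:25 UTC - 172.16.165.133:52243 - 172.16.165.2:53 - DNS query for: nobemetalkam.com (did not resolve)
23:42:38 UTC - 172.16.165.133:64758 - 172.16.165.2:53 - DNS query for: heavensbreedonline.com
23:42:38 UTC - 172.16.165.133:49160 - 199.175.51.62:80 - heavensbreedonline.com - POST /imges/order.php
"""
DNS_RE = re.compile(r"^(\S+) UTC - (\S+):\d+ - \S+:53 - DNS query for: (\S+)(?: \((did not resolve)\))?$")
HTTP_RE = re.compile(r"^(\S+) UTC - (\S+):\d+ - (\S+):\d+ - (\S+) - (GET|POST) (\S+)$")

def parse_events(text):
    """Yield (time, src, kind, detail) per line; kind is dns_fail, dns_ok or http."""
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            t, src, name, failed = m.groups()
            yield t, src, ("dns_fail" if failed else "dns_ok"), name
            continue
        m = HTTP_RE.match(line.strip())
        if m:
            t, src, dst, vhost, method, path = m.groups()
            yield t, src, "http", (dst, vhost, method, path)

def find_fallback_checkins(text, min_failed=3):
    """Alert when a host's run of unresolved lookups ends in one that resolves
    and is then used as the Host of an HTTP POST (the C2 fallback seen above)."""
    failed = defaultdict(list)  # src -> names that did not resolve, in order
    pending = {}                # src -> (name that resolved, preceding failures)
    alerts = []
    for t, src, kind, detail in parse_events(text):
        if kind == "dns_fail":
            failed[src].append(detail)
        elif kind == "dns_ok":
            if len(failed[src]) >= min_failed:
                pending[src] = (detail, list(failed[src]))
            failed[src].clear()   # a resolving answer ends the burst either way
        elif kind == "http":
            dst, vhost, method, path = detail
            if method == "POST" and src in pending and pending[src][0] == vhost:
                _, tried = pending.pop(src)
                alerts.append({"time": t, "host": src, "c2": f"{vhost} ({dst})",
                               "url": path, "failed_lookups": tried})
    return alerts
```

Running find_fallback_checkins(TRAFFIC) on the listing returns one alert for 172.16.165.133: the POST to /imges/order.php on heavensbreedonline.com (199.175.51.62) after six unresolved lookups.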
SNORT EVENTS FROM RUNNING THE MALWARE IN A VM
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 23:42:38 UTC - 172.16.165.133:49160 - 199.175.51.62:80 - ETPRO TROJAN Win32/Neurevt.A Checkin 3 (sid:2807970)
- 23:42:38 UTC - 172.16.165.133:49160 - 199.175.51.62:80 - ET TROJAN Win32/Neurevt Check-in 4 (sid:2018784)
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP(s): 2014-08-08-phishing-malware-02-traffic.pcap.zip
- ZIP of the malware: 2014-08-08-phishing-malware-02.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.