2014-09-02 - PHISHING CAMPAIGN - SUBJECT: ORDER NO. [10- OR 11-DIGIT NUMBER]

ASSOCIATED FILES:

NOTES:

Fake invoice that appears after executing the malware (with infection traffic happening behind the scenes, unrelated to this RTF file):

PHISHING EMAILS

SCREENSHOTS:

MESSAGE TEXT - EXAMPLE 1:

Subject: Order no. 39053084211
Date: Tue, 2 Sep 2014 09:17:17 UTC
From: Williams Uzdygan <item@pentagon-group.co.uk>
To: [redacted]

Thank you for using our services!
Your order #39053084211 will be shipped on 05.09.2014.

Date: September 02, 2014. 09:48am
Price: £145.80
Payment method: Wire transfer
Transaction number: 85812492CAA8

Please find the detailed information on your purchase in the attached file (sale_2014-09-02_09-16-16_39053084211.arj)

Best regards,
Sales Department
Williams Uzdygan
+07516301817

Attachment: sale_2014-09-02_09-16-16_39053084211.arj (26.6 KB)

MESSAGE TEXT - EXAMPLE 2:

Subject: Order no. 28083729575
Date: Tue, 2 Sep 2014 09:25:39 UTC
From: Tran Deherrera <order@wildwatchtours.co.uk>
To: [redacted]

Thank you for using our services!
Your order #28083729575 will be shipped on 03-09-2014.

Date: September 02, 2014. 09:58am
Price: £120.55
Payment method: Credit card
Transaction number: 7C4444F656DB5EA1EB

Please find the detailed information on your purchase in the attached file (sale_2014-09-02_09-24-16_28083729575.arj)

Best regards,
Sales Department
Tran Deherrera
+07750 287005

Attachment: sale_2014-09-02_09-24-16_28083729575.arj (27.4 KB)
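A triage check for the two message texts above, added here as an example and not part of the original page: it pulls the order number out of the subject line and the attachment name cited in the body, then confirms the lure pattern this campaign uses (a 10- or 11-digit order number that is repeated in a sale_<date>_<time>_<order>.arj filename). The sample inputs reuse the subject, sender and body text of the two examples with the other headers trimmed; the benign message is constructed.

```python
import re

# Subject line of the lure: "Order no." followed by a 10- or 11-digit number.
SUBJECT_RE = re.compile(r"^Subject:\s*Order no\.\s*(\d{10,11})\s*$", re.MULTILINE)
# Attachment cited in the body as (sale_<YYYY-MM-DD>_<HH-MM-SS>_<order>.<ext>)
ATTACH_RE = re.compile(
    r"\(sale_(\d{4}-\d{2}-\d{2})_(\d{2}-\d{2}-\d{2})_(\d{10,11})\.(\w+)\)"
)

def triage_message(raw: str) -> dict:
    """Extract this campaign's indicators from one message's headers and body."""
    subj = SUBJECT_RE.search(raw)
    att = ATTACH_RE.search(raw)
    result = {
        "subject_order": subj.group(1) if subj else None,
        "attachment": None,
        "attachment_order": None,
        "orders_match": False,   # filename order number repeats the subject's
        "arj_lure": False,       # attachment is an .arj archive, as in both samples
    }
    if att:
        date, time, order, ext = att.groups()
        result["attachment"] = f"sale_{date}_{time}_{order}.{ext}"
        result["attachment_order"] = order
        result["orders_match"] = order == result["subject_order"]
        result["arj_lure"] = ext.lower() == "arj"
    result["matches_campaign"] = bool(subj) and result["orders_match"] and result["arj_lure"]
    return result

# Message text from the two examples on this page (headers trimmed to Subject/From).
EXAMPLE_1 = """\
Subject: Order no. 39053084211
From: Williams Uzdygan <item@pentagon-group.co.uk>

Please find the detailed information on your purchase in the attached file (sale_2014-09-02_09-16-16_39053084211.arj)
"""
EXAMPLE_2 = """\
Subject: Order no. 28083729575
From: Tran Deherrera <order@wildwatchtours.co.uk>

Please find the detailed information on your purchase in the attached file (sale_2014-09-02_09-24-16_28083729575.arj)
"""
# Constructed benign message that should not match (short order number, PDF receipt).
BENIGN = """\
Subject: Order no. 1234567
From: shop@example.invalid

Your receipt is attached (receipt_2014-09-02_1234567.pdf)
"""
```

Running `triage_message` over a mail spool and alerting on `matches_campaign` gives a narrow rule for this lure; relaxing `arj_lure` to other archive types is a reasonable next step if the sender rotates the container.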

EMAIL HEADERS - EXAMPLE 1:

EMAIL HEADERS - EXAMPLE 2:

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT - EXAMPLE 1:

File name:  2014-09-02-phishing-email-attachment-example-01.arj
File size:  26.6 KB ( 27247 bytes )
MD5 hash:  eb7b915ebd8efc440486d94a2d37c308
Detection ratio:  10 / 55
First submission:  2014-09-02 09:22:43 UTC
VirusTotal link:  https://www.virustotal.com/en/file/def252d71acd58cd72b0a6aa3ceb1e08a964d4a96622bd4241588a17a0a50a42/analysis/

EMAIL ATTACHMENT - EXAMPLE 2:

File name:  2014-09-02-phishing-email-attachment-example-02.arj
File size:  27.4 KB ( 28063 bytes )
MD5 hash:  e07e5d7832093e601a9aa5a564f6e964
Detection ratio:  10 / 55
First submission:  2014-09-02 09:42:33 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1e5c8c54fd47499cb267c5ddc9f54b0310546d631645a82bc3fb3ca7c96350bf/analysis/

EXTRACTED MALWARE - EXAMPLE 1:

File name:  2014-09-02-extracted-phishing-malware-example-01.exe
File size:  41.0 KB ( 41984 bytes )
MD5 hash:  ec82e15e73f51e373cf64380c04571d8
Detection ratio:  12 / 54
First submission:  2014-09-02 09:23:31 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a697d8c3a9e62a129715ea3a13722ff06ac5aa4fc208936b025e9b15990df596/analysis/

EXTRACTED MALWARE - EXAMPLE 2:

File name:  2014-09-02-extracted-phishing-malware-example-02.exe
File size:  42.0 KB ( 43008 bytes )
MD5 hash:  c633fdbd1c044cef57075fe4f042606c
Detection ratio:  11 / 55
First submission:  2014-09-02 09:43:05 UTC
VirusTotal link:  https://www.virustotal.com/en/file/724ffbe6085d4849d6d244135daee3d0468d17b0def1bc0d8c63f024972afd29/analysis/

DROPPED MALWARE IN USER'S APPDATA\LOCAL\TEMP\[random name] DIRECTORY:

File name:  2014-09-02-phishing-malware-dropped-file-01.exe
File size:  259.0 KB ( 265216 bytes )
MD5 hash:  503b6674563b53fa88dc8783453fb2e6
Detection ratio:  8 / 52
First submission:  2014-09-02 21:19:23 UTC
VirusTotal link:  https://www.virustotal.com/en/file/e302f3db6136f6f8e5e79726b04b9b4c17b6b8dc4b3ee218a1e0b53f0e4c4608/analysis/

DROPPED FILE IN USER'S APPDATA\LOCAL\TEMP DIRECTORY:

File name:  2014-09-02-phishing-malware-dropped-file-02.bat
File size:  174 bytes (174 bytes)

INFECTION TRAFFIC

FROM SANDBOX ANALYSIS:

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.