2014-09-30 - POSSIBLE ZBOT INFECTION FROM EMAIL ATTACHMENT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-09-30-possible-Zbot-infection.pcap.zip
• 2014-09-30-possible-Zbot-malware.zip
• 2014-09-30-files-from-infected-host.zip

 

NOTES:

• This is an isolated phishing email that doesn't appear to be wide-scale.
• The email was sent to a non-existent recipient:  lovemakingd5@[company name redacted].com
• It's a relatively generic phishing message in plain text with Zbot-style malware.

 

TEXT OF THE EMAIL

From: nexline trading <laurence.mallet@glynwed[.]fr>
Date: Tuesday, September 30, 2014 at 20:25 UTC
To: Recipients <laurence.mallet@glynwed[.]fr>
Subject: Requirement.

Dear Sir

Kindly confirmed that the attached payment of the above proforma is correct and get back to me.

Regards
Abduo alshami
AcctDept

Attachment:   pan 2.zip

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  pan 2.zip
File size:  372,076 bytes
MD5 hash:  1658a4f21ae43b6a3ecb191a8325cde4
Detection ratio:  15 / 55
First submission:  2014-10-01 00:41:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/182c6ada401b77e831fb095edcc3648b9308b850e7c278af696356f3a5dde5d1/analysis/

 

EXTRACTED MALWARE:

File name:  pan 2.scr
File size:  802,304 bytes
MD5 hash:  9b86e8972cf269e99781cbb921743462
Detection ratio:  15 / 55
First submission:  2014-09-30 23:45:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef93ceabd334a79e9af9edd139a4d5fb4bd2c46da6938eb901cc0885412940c6/analysis/

 

DROPPED FILES ON THE INFECTED VM:

AppData\Local\Temp\FB_CA15.tmp.exe   -   https://www.virustotal.com/en/file/129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689/analysis/
AppData\Roaming\Iguzy\ypaky.kiz   -   https://www.virustotal.com/en/file/a43753f4e2ff47757e020558e80dbdfe36652f90218625001fa9f5b23b2c6b67/analysis/
AppData\Roaming\Ogicac\yzse.exe   -   https://www.virustotal.com/en/file/7ba1d7f123aa0deb72a0e140dcbca90ef10e6d2afd360c5fe2e97d83cdd760d0/analysis/
AppData\Roaming\sra\yats.bat   -   Text file with one line:   start /d "C:\Users\[username]\AppData\Roaming\sra" yats.exe
AppData\Roaming\sra\yats.exe   -   same file as pan 2.scr (see extracted malware shown above)
AppData\Roaming\Ylihh\seumo.tmp   -   https://www.virustotal.com/en/file/8b24c38754dba0a2bedcc3a3821b623fc3f730ad42d86aa2280e14bcd7cb2dca/analysis/

 

INFECTION TRAFFIC

INFECTING A VM WITH THE EXTRACTED MALWARE:

• 23:58:01 UTC - 81.17.30[.]42:80 - 81.17.30[.]42- POST /office/dammy/helps/file.php
• 23:58:01 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/file.php
• 23:58:02 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/file.php
• 23:58:31 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/gate.php
• 23:58:31 UTC - 173.194.115[.]50:80 - www.google[.]com - GET /webhp
• 23:58:31 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 81.17.30[.]42:80 - 81.17.30[.]42 - POST /office/dammy/helps/gate.php

 

SIGNATURE HITS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):

• 2014-09-30 23:58:31 UTC - 81.17.30[.]42:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
• 2014-09-30 23:58:31 UTC - 81.17.30[.]42:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
• 2014-09-30 23:58:31 UTC - 81.17.30[.]42:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
• 2014-09-30 23:58:31 UTC - 173.194.115[.]50:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

• 2014-09-30 23:58:01 UTC - 81.17.30[.]42:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x3)
• 2014-09-30 23:58:31 UTC - 81.17.30[.]42:80 - [1:29884:1] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x5)
• 2014-09-30 23:58:31 UTC - 173.194.115[.]50:80 - [1:30570:2] MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt

 

SCREENSHOTS FROM THE TRAFFIC

Example of the callback traffic:

 

Click here to return to the main page.