2014-09-30 - PHISHING EMAIL - SUBJECT: REQUIREMENT.
ASSOCIATED FILES:
- ZIP of PCAP from a VM infection: 2014-09-30-phishing-malware-VM-infection.pcap.zip
- ZIP of the phishing malware: 2014-09-30-phishing-malware.zip
- ZIP of dropped files from the VM infection: 2014-09-30-phishing-malware-dropped-files-on-infected-VM.zip
NOTES:
- This is an isolated phishing email that doesn't appear to be wide-scale.
- The email was sent to a non-existent recipient: lovemakingd5@[company name redacted].com
- It's a relatively generic phishing message in plain text with Zbot-style malware.
TEXT OF THE EMAIL
From: nexline trading <laurence.mallet@glynwed.fr>
Date: Tuesday, September 30, 2014 at 20:25 UTC
To: Recipients <laurence.mallet@glynwed.fr>
Subject: Requirement.
Dear Sir
Kindly confirmed that the attached payment of the above proforma is correct and get back to me.
Regards
Abduo alshami
AcctDept
Attachment: pan 2.zip (490.9 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: pan 2.zip
File size: 363.4 KB ( 372076 bytes )
MD5 hash: 1658a4f21ae43b6a3ecb191a8325cde4
Detection ratio: 15 / 55
First submission: 2014-10-01 00:41:59 UTC
VirusTotal link: https://www.virustotal.com/en/file/182c6ada401b77e831fb095edcc3648b9308b850e7c278af696356f3a5dde5d1/analysis/
EXTRACTED MALWARE:
File name: pan 2.scr
File size: 783.5 KB ( 802304 bytes )
MD5 hash: 9b86e8972cf269e99781cbb921743462
Detection ratio: 15 / 55
First submission: 2014-09-30 23:45:13 UTC
VirusTotal link: https://www.virustotal.com/en/file/ef93ceabd334a79e9af9edd139a4d5fb4bd2c46da6938eb901cc0885412940c6/analysis/
DROPPED FILES ON THE INFECTED VM:
AppData\Local\Temp\FB_CA15.tmp.exe - https://www.virustotal.com/en/file/129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689/analysis/
AppData\Roaming\Iguzy\ypaky.kiz - https://www.virustotal.com/en/file/a43753f4e2ff47757e020558e80dbdfe36652f90218625001fa9f5b23b2c6b67/analysis/
AppData\Roaming\Ogicac\yzse.exe - https://www.virustotal.com/en/file/7ba1d7f123aa0deb72a0e140dcbca90ef10e6d2afd360c5fe2e97d83cdd760d0/analysis/
AppData\Roaming\sra\yats.bat - Text file with one line: start /d "C:\Users\User-1\AppData\Roaming\sra" yats.exe
AppData\Roaming\sra\yats.exe - same file as pan 2.scr (see extracted malware shown above)
AppData\Roaming\Ylihh\seumo.tmp - https://www.virustotal.com/en/file/8b24c38754dba0a2bedcc3a3821b623fc3f730ad42d86aa2280e14bcd7cb2dca/analysis/
INFECTION TRAFFIC
INFECTING A VM WITH THE EXTRACTED MALWARE:
- 23:58:01 UTC - 172.16.165.132:49286 - 81.17.30.42:80 - 81.17.30.42- POST /office/dammy/helps/file.php
- 23:58:01 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/file.php
- 23:58:02 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/file.php
- 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
- 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - www.google.com - GET /webhp
- 23:58:31 UTC - 172.16.165.132:49286 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
- 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
- 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
- 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
SNORT EVENTS FROM SANDBOX ANALYSIS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):
- 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
- 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
- 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
- 2014-09-30 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):
- 2014-09-30 23:58:01 UTC - 172.16.165.132:various - 81.17.30.42:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x3)
- 2014-09-30 23:58:31 UTC - 172.16.165.132:various - 81.17.30.42:80 - [1:29884:1] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x5)
- 2014-09-30 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - [1:30570:2] MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt
SCREENSHOTS FROM THE TRAFFIC
Example of the callback traffic:
FINAL NOTES
Once again, here are the associated files:
- ZIP of PCAP from a VM infection: 2014-09-30-phishing-malware-VM-infection.pcap.zip
- ZIP of the phishing malware: 2014-09-30-phishing-malware.zip
- ZIP of dropped files from the VM infection: 2014-09-30-phishing-malware-dropped-files-on-infected-VM.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.