2014-09-30 - PHISHING EMAIL - SUBJECT: REQUIREMENT.

ASSOCIATED FILES:

• ZIP of PCAP from a VM infection:  2014-09-30-phishing-malware-VM-infection.pcap.zip
• ZIP of the phishing malware:  2014-09-30-phishing-malware.zip
• ZIP of dropped files from the VM infection:  2014-09-30-phishing-malware-dropped-files-on-infected-VM.zip

 

NOTES:

• This is an isolated phishing email that doesn't appear to be wide-scale.
• The email was sent to a non-existent recipient:  lovemakingd5@[company name redacted].com
• It's a relatively generic phishing message in plain text with Zbot-style malware.

 

TEXT OF THE EMAIL

From: nexline trading <laurence.mallet@glynwed.fr>
Date: Tuesday, September 30, 2014 at 20:25 UTC
To: Recipients <laurence.mallet@glynwed.fr>
Subject: Requirement.

Dear Sir

Kindly confirmed that the attached payment of the above proforma is correct and get back to me.

Regards
Abduo alshami
AcctDept

Attachment:   pan 2.zip (490.9 KB)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  pan 2.zip
File size:  363.4 KB ( 372076 bytes )
MD5 hash:  1658a4f21ae43b6a3ecb191a8325cde4
Detection ratio:  15 / 55
First submission:  2014-10-01 00:41:59 UTC
VirusTotal link:  https://www.virustotal.com/en/file/182c6ada401b77e831fb095edcc3648b9308b850e7c278af696356f3a5dde5d1/analysis/

 

EXTRACTED MALWARE:

File name:  pan 2.scr
File size:  783.5 KB ( 802304 bytes )
MD5 hash:  9b86e8972cf269e99781cbb921743462
Detection ratio:  15 / 55
First submission:  2014-09-30 23:45:13 UTC
VirusTotal link:  https://www.virustotal.com/en/file/ef93ceabd334a79e9af9edd139a4d5fb4bd2c46da6938eb901cc0885412940c6/analysis/

 

DROPPED FILES ON THE INFECTED VM:

AppData\Local\Temp\FB_CA15.tmp.exe   -   https://www.virustotal.com/en/file/129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689/analysis/
AppData\Roaming\Iguzy\ypaky.kiz   -   https://www.virustotal.com/en/file/a43753f4e2ff47757e020558e80dbdfe36652f90218625001fa9f5b23b2c6b67/analysis/
AppData\Roaming\Ogicac\yzse.exe   -   https://www.virustotal.com/en/file/7ba1d7f123aa0deb72a0e140dcbca90ef10e6d2afd360c5fe2e97d83cdd760d0/analysis/
AppData\Roaming\sra\yats.bat   -   Text file with one line:   start /d "C:\Users\User-1\AppData\Roaming\sra" yats.exe
AppData\Roaming\sra\yats.exe   -   same file as pan 2.scr (see extracted malware shown above)
AppData\Roaming\Ylihh\seumo.tmp   -   https://www.virustotal.com/en/file/8b24c38754dba0a2bedcc3a3821b623fc3f730ad42d86aa2280e14bcd7cb2dca/analysis/

 

INFECTION TRAFFIC

INFECTING A VM WITH THE EXTRACTED MALWARE:

• 23:58:01 UTC - 172.16.165.132:49286 - 81.17.30.42:80 - 81.17.30.42- POST /office/dammy/helps/file.php
• 23:58:01 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/file.php
• 23:58:02 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/file.php
• 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
• 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - www.google.com - GET /webhp
• 23:58:31 UTC - 172.16.165.132:49286 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php
• 23:58:32 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - 81.17.30.42 - POST /office/dammy/helps/gate.php

 

SNORT EVENTS FROM SANDBOX ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET POLICY or ET INFO events):

• 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
• 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
• 2014-09-30 23:58:31 UTC - 172.16.165.132:49287 - 81.17.30.42:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
• 2014-09-30 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not including preprocessor rules):

• 2014-09-30 23:58:01 UTC - 172.16.165.132:various - 81.17.30.42:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x3)
• 2014-09-30 23:58:31 UTC - 172.16.165.132:various - 81.17.30.42:80 - [1:29884:1] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x5)
• 2014-09-30 23:58:31 UTC - 172.16.165.132:49288 - 173.194.115.50:80 - [1:30570:2] MALWARE-CNC Win.Trojan.Zeus variant outbound connection attempt

 

SCREENSHOTS FROM THE TRAFFIC

Example of the callback traffic:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of PCAP from a VM infection:  2014-09-30-phishing-malware-VM-infection.pcap.zip
• ZIP of the phishing malware:  2014-09-30-phishing-malware.zip
• ZIP of dropped files from the VM infection:  2014-09-30-phishing-malware-dropped-files-on-infected-VM.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.