2014-10-08 - PHISHING EMAIL - SUBJECT: FW:ORDER INQUIRY

ASSOCIATED FILES:

• ZIP of CSV spreadsheet with the emails seen today:  2014-10-08-phishing-email-tracking.csv.zip
• ZIP of PCAP from the malwr.com analysis:  2014-10-08-phishing-malware-analysis-from-malwr.com.pcap.zip
• ZIP of the malware:  2014-10-08-phishing-malware.zip

 

NOTES:

• This one is yet another phishing run with a malware attachment that triggered zbot-style alerts.
• Nothing too fancy here.  The emails were all plain text.

 

EXAMPLE OF THE EMAILS

MESSAGE TEXT:

From: Al-Abid Steinberg <sales@asharf.com>
To:
Subject: Fw:Order Inquiry

Dear sales,

I am from Al Abid, Project manager Hitech Electric,
We wish to place an order for the following Items as listed in the above attached document. It is intended to be delivered within 34 days from the Order confirmation date since we will be needing it to complete our
outstanding projects.
Your urgent attention will be appreciated as we expect your quote which will include:

1. CIF
2. Terms of Payment (preferable T/T)
3. Certifying Body
4. Expected date of Delivery

Thanks for your co-operations.

Sincerely
Al Abid Steinberg
Project manager II
Hitech Electric
Kinhad Botswana

Attachment: PO-76489343.zip (618.4 KB)

 

EMAIL HEADERS:

According to the header, the email originated from 212-83-139-225.rev.poneytelecom.eu (212.83.139.225) and came through mx.asharf.com (84.19.27.186).

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  PO-76489343.zip
File size:  457.8 KB ( 468780 bytes )
MD5 hash:  440762c4491d0398eff686ddd8c54b61
Detection ratio:  6 / 55
First submission:  2014-10-08 18:13:18 UTC
VirusTotal link:  https://www.virustotal.com/en/file/79950609db1e380b35b0054d812dad84c602ea1de653173cde6bcfff8a72d2f7/analysis/

 

EXTRACTED MALWARE:

File name:  PO-76489343.exe
File size:  526.0 KB ( 538624 bytes )
MD5 hash:  cda52292c0ab9b3e4fa074e141c4a6ed
Detection ratio:  7 / 55
First submission:  2014-10-08 18:13:26 UTC
VirusTotal link:  https://www.virustotal.com/en/file/01e6c3b8dc9daea09b24f5b0052613bc0b35760c6cc1fab7e20d9cc243bca4d7/analysis/
Malwr link:  https://malwr.com/analysis/NjMyOTY0ZGRkMWZmNDhmMGE1OGQ5NThhYjc0ODkxZmQ/#

 

DROPPED MALWARE:

File name:  feite.exe
File size:  221.0 KB ( 226304 bytes )
MD5 hash:  b4fa3d3be36fa175af935940bbd7e299
Detection ratio:  45 / 55
First submission:  2014-10-08 23:36:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/db08e8a050535a5f1e743e1eb022aa02c3c3309b4317134150413ecbbcef953d/analysis/

NOTE: The extracted malware dropped several other files...  See the Malwr link above for a complete list.

 

INFECTION TRAFFIC

PCAP FROM MALWR.COM ANALYSIS OF THE MALWARE:

• 2014-10-08 18:14:38 UTC - 192.168.56.102:1066 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
• 2014-10-08 18:14:38 UTC - 192.168.56.102:1067 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
• 2014-10-08 18:14:49 UTC - 192.168.56.102:1073 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
• 2014-10-08 18:14:56 UTC - 192.168.56.102:1076 - 74.125.28.103:80 - www.google.com GET /webhp
• 2014-10-08 18:14:56 UTC - 192.168.56.102:1075 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php
• 2014-10-08 18:14:56 UTC - 192.168.56.102:1077 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php

 

SNORT EVENTS FROM THE MALWR.COM ANALYSIS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):

• 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Zbot POST Request to C2 (sid:2019141)
• 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Zeus POST Request to CnC - URL agnostic (sid:2013976)
• 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
• 46.149.110.103:80 - 192.168.56.102:1066 - ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (sid:2016742)
• 192.168.56.102:1073 - 46.149.110.103:80 - ET TROJAN Generic -POST To file.php w/Extended ASCII Characters (sid:2016172)
• 192.168.56.102:1076 - 74.125.28.103:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)

Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):

• 2014-10-08 18:14:38 UTC - 192.168.56.102:various - 46.149.110.103:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x3)

 

SCREENSHOTS FROM THE TRAFFIC

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of CSV spreadsheet with the emails seen today:  2014-10-08-phishing-email-tracking.csv.zip
• ZIP of PCAP from the malwr.com analysis:  2014-10-08-phishing-malware-analysis-from-malwr.com.pcap.zip
• ZIP of the malware:  2014-10-08-phishing-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.