2014-10-08 - PHISHING EMAIL - SUBJECT: FW:ORDER INQUIRY
ASSOCIATED FILES:
- ZIP of CSV spreadsheet with the emails seen today: 2014-10-08-phishing-email-tracking.csv.zip
- ZIP of PCAP from the malwr.com analysis: 2014-10-08-phishing-malware-analysis-from-malwr.com.pcap.zip
- ZIP of the malware: 2014-10-08-phishing-malware.zip
NOTES:
- This one is yet another phishing run with a malware attachment that triggered zbot-style alerts.
- Nothing too fancy here. The emails were all plain text.
EXAMPLE OF THE EMAILS
MESSAGE TEXT:
From: Al-Abid Steinberg <sales@asharf.com>
To:
Subject: Fw:Order Inquiry
Dear sales,
I am from Al Abid, Project manager Hitech Electric,
We wish to place an order for the following Items as listed in the above attached document. It is intended to be delivered within 34 days from the Order confirmation date since we will be needing it to complete our outstanding projects.
Your urgent attention will be appreciated as we expect your quote which will include:
1. CIF
2. Terms of Payment (preferable T/T)
3. Certifying Body
4. Expected date of Delivery
Thanks for your co-operations.
Sincerely
Al Abid Steinberg
Project manager II
Hitech Electric
Kinhad Botswana
Attachment: PO-76489343.zip (618.4 KB)
EMAIL HEADERS:
According to the header, the email originated from 212-83-139-225.rev.poneytelecom.eu (212.83.139.225) and came through mx.asharf.com (84.19.27.186).
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: PO-76489343.zip
File size: 457.8 KB ( 468780 bytes )
MD5 hash: 440762c4491d0398eff686ddd8c54b61
Detection ratio: 6 / 55
First submission: 2014-10-08 18:13:18 UTC
VirusTotal link: https://www.virustotal.com/en/file/79950609db1e380b35b0054d812dad84c602ea1de653173cde6bcfff8a72d2f7/analysis/
EXTRACTED MALWARE:
File name: PO-76489343.exe
File size: 526.0 KB ( 538624 bytes )
MD5 hash: cda52292c0ab9b3e4fa074e141c4a6ed
Detection ratio: 7 / 55
First submission: 2014-10-08 18:13:26 UTC
VirusTotal link: https://www.virustotal.com/en/file/01e6c3b8dc9daea09b24f5b0052613bc0b35760c6cc1fab7e20d9cc243bca4d7/analysis/
Malwr link: https://malwr.com/analysis/NjMyOTY0ZGRkMWZmNDhmMGE1OGQ5NThhYjc0ODkxZmQ/#
DROPPED MALWARE:
File name: feite.exe
File size: 221.0 KB ( 226304 bytes )
MD5 hash: b4fa3d3be36fa175af935940bbd7e299
Detection ratio: 45 / 55
First submission: 2014-10-08 23:36:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/db08e8a050535a5f1e743e1eb022aa02c3c3309b4317134150413ecbbcef953d/analysis/
NOTE: The extracted malware dropped several other files... See the Malwr link above for a complete list.
INFECTION TRAFFIC
PCAP FROM MALWR.COM ANALYSIS OF THE MALWARE:
- 2014-10-08 18:14:38 UTC - 192.168.56.102:1066 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
- 2014-10-08 18:14:38 UTC - 192.168.56.102:1067 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
- 2014-10-08 18:14:49 UTC - 192.168.56.102:1073 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
- 2014-10-08 18:14:56 UTC - 192.168.56.102:1076 - 74.125.28.103:80 - www.google.com - GET /webhp
- 2014-10-08 18:14:56 UTC - 192.168.56.102:1075 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php
- 2014-10-08 18:14:56 UTC - 192.168.56.102:1077 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php
SNORT EVENTS FROM THE MALWR.COM ANALYSIS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Zbot POST Request to C2 (sid:2019141)
- 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Zeus POST Request to CnC - URL agnostic (sid:2013976)
- 192.168.56.102:1066 - 46.149.110.103:80 - ET TROJAN Generic - POST To .php w/Extended ASCII Characters (sid:2016858)
- 46.149.110.103:80 - 192.168.56.102:1066 - ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment (sid:2016742)
- 192.168.56.102:1073 - 46.149.110.103:80 - ET TROJAN Generic - POST To file.php w/Extended ASCII Characters (sid:2016172)
- 192.168.56.102:1076 - 74.125.28.103:80 - ET TROJAN Zeus Bot GET to Google checking Internet connectivity (sid:2013076)
Sourcefire VRT ruleset from Snort 2.9.6.2 on Debian 7 (not counting preprocessor events):
- 2014-10-08 18:14:38 UTC - 192.168.56.102:various - 46.149.110.103:80 - [1:25050:5] MALWARE-CNC Win.Trojan.Zeus variant outbound connection (x3)
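As an added example (not part of the original report), a small Python triage script that parses traffic lines in the format of the listing above and flags the two behaviours the ET and VRT signatures keyed on: repeated POSTs from one client to .php scripts on sgb-sy.com, and the GET to www.google.com /webhp alongside them. Its only input is the six requests from the malwr.com PCAP, copied from the listing; the 60-second window and the two-POST threshold are assumptions, not values from the report.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Input: the six HTTP requests from the malwr.com PCAP, copied from the listing above.
TRAFFIC = """\
2014-10-08 18:14:38 UTC - 192.168.56.102:1066 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
2014-10-08 18:14:38 UTC - 192.168.56.102:1067 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
2014-10-08 18:14:49 UTC - 192.168.56.102:1073 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/file.php
2014-10-08 18:14:56 UTC - 192.168.56.102:1076 - 74.125.28.103:80 - www.google.com GET /webhp
2014-10-08 18:14:56 UTC - 192.168.56.102:1075 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php
2014-10-08 18:14:56 UTC - 192.168.56.102:1077 - 46.149.110.103:80 - sgb-sy.com - POST /gulf5unb/000oo000oophp/ph55p.php
"""
# The dash before the method is optional because the Google line in the report omits it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<src>[\d.]+):(?P<sport>\d+) - (?P<dst>[\d.]+):(?P<dport>\d+) - "
    r"(?P<host>\S+)(?: -)? (?P<method>GET|POST) (?P<uri>\S+)$"
)

def parse(text):
    """Turn report-style traffic lines into dicts; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
            recs.append(r)
    return recs

def php_post_beacons(recs, min_posts=2):
    """Count POSTs per (client, host, URI) to .php scripts. Repeated POSTs from one
    client to one script is the Zbot/Zeus check-in the ET and VRT rules above fire on."""
    c = Counter((r["src"], r["host"], r["uri"]) for r in recs
                if r["method"] == "POST" and r["uri"].lower().endswith(".php"))
    return {k: n for k, n in c.items() if n >= min_posts}

def connectivity_check_near_beacon(recs, window=timedelta(seconds=60)):
    """True if the same client sends GET www.google.com /webhp within `window` of a
    .php POST: the connectivity test behind ET sid:2013076 in the alerts above."""
    gets = [r for r in recs if r["method"] == "GET" and r["host"] == "www.google.com"]
    posts = [r for r in recs if r["method"] == "POST" and r["uri"].lower().endswith(".php")]
    return any(g["src"] == p["src"] and abs(g["ts"] - p["ts"]) <= window
               for g in gets for p in posts)

def triage(text=TRAFFIC):
    recs = parse(text)
    return {"requests": len(recs), "beacons": php_post_beacons(recs),
            "zeus_connectivity_check": connectivity_check_near_beacon(recs)}
```

Running triage() on the listing returns the two sgb-sy.com beacon tuples (file.php seen three times, ph55p.php twice) with the connectivity check flagged, which is the same picture the Snort alerts above give.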
SCREENSHOTS FROM THE TRAFFIC
FINAL NOTES
Once again, here are the associated files:
- ZIP of CSV spreadsheet with the emails seen today: 2014-10-08-phishing-email-tracking.csv.zip
- ZIP of PCAP from the malwr.com analysis: 2014-10-08-phishing-malware-analysis-from-malwr.com.pcap.zip
- ZIP of the malware: 2014-10-08-phishing-malware.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.