2014-10-27 - KEYLOGGER INFECTION FROM EMAIL ATTACHMENT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2014-10-27-keylogger-infection-traffic-01.pcap.zip
• 2014-10-27-keylogger-infection-traffic-02.pcap.zip
• 2014-10-27-keylogger-malware-and-dropped-files.zip

 

NOTES:

• The malware is a spyware/keylogger that the Emerging Threats team created signatures for about 10 days ago.

 

EXAMPLES OF THE EMAILS

SCREENSHOTS:

 

MESSAGE TEXT:

Subject: Payment via Western Union
Date: Mon, 27 Oct 2014 04:22:18 UTC
From: Utaniko (Hong Kong) Limited <account@xiamenrocks[.]biz>
Reply-To: phone2000ltd@gmail[.]com
To:

Hello Sir,

Good Day

As discussed I have send you $9,525 USD for October Shipment, I sent you via Western Union.
Also $5,000 USD instead of $5,500 USD because since Mr.Mark has dropped his plans to visit the GZ Fair.

I have attached sender information and MTCN please check and confirm on return email, also inform us on the reciept of funds.

Trust clear now.

Thanks/Regards
--
MAHESH MIRCHANDANI
NAMASTE
tel : + 56 2 26 77 31 66
fax : + 56 2 26 77 54 46
dir : + 56 2 34 89 11 01
cel : + 56 9 9 346 88 20
account@xiamenrocks[.]biz
www.namarfgttste[.]cl

Attachment::  Western Union sender information.rar

 

EMAIL HEADER LINES:

Highlighted portions above show this email came from a mail server at 27.54.90[.]115.

 

PRELIMINARY MALWARE ANALYSIS

ATTACHED RAR FILE:

File name:  Western Union sender information.rar
File size:  984,820 bytes
MD5 hash:  d2ba06b7a5cf73c5cbb6316bd693e4da
Detection ratio:  8 / 54
First submission:  2014-10-27 05:10:55 UTC
VirusTotal link:  https://www.virustotal.com/en/file/1cc7740867972c1157352f73da8dd991207644604afbbf4e72d6448983383d6a/analysis/

 

EXTRACTED MALWARE:

File name:  Western Union sender information.exe
File size:  1,038,336 bytes
MD5 hash:  a5c4cecd8f9f8e79e1b3177467e432c4
Detection ratio:  10 / 52
First submission:  2014-10-27 05:15:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/a4ea777ac5cc5014295b571475ff4fc5df0f37093beb10ff90dd541b26709fa3/analysis/

NOTE: When executed, this file copied itself to the user's
AppData\Roaming\Microsoft\ folder as Atiesrx.exe

 

DROPPED MALWARE (1 OF 2):

File name:  IpOverUsbSvrc.exe
File size:  8,192 bytes
MD5 hash:  b2219b693b8087cfecf8398ff47774e4
Detection ratio:  5 / 53
First submission:  2014-10-25 16:49:38 UTC
VirusTotal link:  https://www.virustotal.com/en/file/4efdba83132aaab21cadfcf624d6f7ce5fa89e6497d8f302388303cdb9b3a023/analysis/

 

DROPPED MALWARE (2 OF 2):

File name:  magao1.exe
File size:  1,290,336 bytes
MD5 hash:  7a7f53012e171dedd95c92fd2ad8c0e2
Detection ratio:  16 / 52
First submission:  2014-10-27 14:06:25 UTC
VirusTotal link:  https://www.virustotal.com/en/file/7989d8a9e6ba7b3cf7487134497ca10cc432bd747be00fd8cf5684343019c91f/analysis/

The file magao1.exe shows up on the user's desktop after running the original malware.
If the user double-clicks magao1.exe, it calls an image stored in the user's AppData folder named 37.jpg.
37.jpg is a small image of a fake Western Union form with poor resolution, and it's barely recognizable (see below).

 

INFECTION TRAFFIC

INFECTION TRAFFIC FROM THE SANDBOX TOOL:

• 13:06:06 UTC - 5.199.167[.]26:80 - xxdrgdurxx[.]ws - GET /include/newage.txt
• 13:06:06 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:06:07 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:06:10 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:06:11 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:06:58 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:07:00 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:07:00 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:07:00 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:07:58 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:08:02 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:08:02 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:08:02 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:08:55 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:08:55 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:08:57 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:08:59 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:09:54 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:09:54 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:09:54 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:09:54 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:10:45 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:10:45 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:10:48 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:10:48 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:11:36 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:11:36 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:11:36 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:11:36 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:12:31 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:12:31 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:12:33 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:12:33 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:13:20 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:13:20 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:13:22 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:13:22 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:14:15 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:14:15 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:14:19 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:14:19 UTC - 5.199.167[.]26:80 - www.xxdrgdurxx[.]ws - GET /country.php

 

INFECTION TRAFFIC FROM A PHYSICAL HOST ROUTED THROUGH AN ANONYMOUS PROXY:

• 13:22:51 UTC - 68.171.217[.]250:80 - xxdrgdurxx[.]ws - GET /include/newage.txt
• 13:22:51 UTC - 5.199.167[.]26:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:22:51 UTC - 68.171.217[.]250:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:22:51 UTC - 68.171.217[.]250:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:22:51 UTC - 68.171.217[.]250:80 - xxdrgdurxx[.]ws - GET /include/newage.txt
• 13:22:51 UTC - 68.171.217[.]250:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:23:33 UTC - 68.171.217[.]250:80 - xxdrgdurxx[.]ws - GET /include/newage.txt
• 13:23:34 UTC - 5.199.167[.]26:80 - ikeguruobiri[.]com - POST /temporary.php
• 13:23:34 UTC - 68.171.217[.]250:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:23:47 UTC - 68.171.217[.]250:80 - xxdrgdurxx[.]ws - GET /include/newage.txt
• 13:23:48 UTC - 68.171.217[.]250:80 - www.xxdrgdurxx[.]ws - GET /country.php
• 13:23:48 UTC - 5.199.167[.]26:80 - ikeguruobiri[.]com - POST /temporary.php

 

SIGNATURE EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion (not including ET INFO or ET POLICY rules):

• 5.199.167[.]26:80 - ET TROJAN Win32/Spy.KeyLogger.ODN Checkin (sid:2019467)
• 68.171.217[.]250:80 - ETPRO TROJAN Win32.KSpyPro.A Checkin (sid:2803111)
• 68.171.217[.]250:80 - ET TROJAN Win32/Spy.KeyLogger.ODN Exfiltrating Data (sid:2019468)
• 68.171.217[.]250:80 - ET TROJAN W32/Spy.KeyLogger.OCI CnC Checkin (sid:2017343)

 

SCREENSHOTS FROM THE INFECTION TRAFFIC

 

Click here to return to the main page.