2014-11-26 - SANDWORM SAMPLE

ASSOCIATED FILES:

• ZIP file - Associated malware:  2014-11-26-sandworm-malware.zip
• ZIP file - Example of the phishing email headers (sanitized):  2014-11-26-sandworm-email-headers.txt.zip

 

NOTES:

• This is an example of the infamous Sandworm exploit, which uses a Powerpoint file to exploit the CVE-2014-4114 vulnerability.
• The .ppsx file was executed in a sandbox environment, different VMs, and a physical host, but each time the dropped malware generated an error.
• Tried this only on Windows 7 hosts--maybe I would've had better luck with Windows XP.
• Noticed the email shortly before Thanksgiving, and I'm thankful to have a Sandworm sample to share.

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

Subject: Re: Purchase Invoice
Date: Wed, 26 Nov 2014 08:16:43 UTC
From: Al Muntaser Trading Co <manup.talal@almuntaser.com>
To: Recipients <manup.talal@almuntaser.com>

Dear Sir,

Sequel to our previous conversation, kindly provide us the invoice of the attached purchase order so we can confirm and make payment.Many thanks

Regards,

Manup T.N.
Golden Crown Trading & General Contracting Co.
P.O. Box 26000, Safat 13120, Kuwait

Attachment:  Invoice.ppsx (142 KB)

 

PRELIMINARY MALWARE ANALYSIS

MALWARE ATTACHEMENT:

File name:  Invoice.ppsx
File size:  142.2 KB ( 145639 bytes )
MD5 hash:  5176d1383a7114039e71bbfccd578f92
Detection ratio:  15 / 56
First submission:  2014-11-26 08:02:49 UTC
VirusTotal link:  https://www.virustotal.com/en/file/d91daaeb385efbc23893390c721ed7fb2bde8c507e34129fb95a8caeda71d272/analysis/

 

DROPPED FILE AFTER RUNNING THE MALWARE:

File name:  putty.exe
File size:  182.9 KB ( 187287 bytes )
MD5 hash:  46c4bd9b2318552fe0812d41e3122170
Detection ratio:  19 / 56
First submission:  2014-11-30 01:10:10 UTC
VirusTotal link:  https://www.virustotal.com/en/file/17398b9cdd40136b32bc8fa811af21101589adb889246afbfcecc05464ced068/analysis/

 

SCREENSHOTS

When you run the Powerpoint file, it quickly asks for permission to run the dropped malware:

 

Shortly after that, the dropped malware stops working:

 

FINAL NOTES

Once again, here are the associated files:

• ZIP file - Associated malware:  2014-11-26-sandworm-malware.zip
• ZIP file - Example of the phishing email headers (sanitized):  2014-11-26-sandworm-email-headers.txt.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.