2014-12-16 - MALWARE INFECTION FROM EMAIL ATTACHMENT

NOTICE:

ASSOCIATED FILES:

 

NOTES:

 

EXAMPLE OF THE EMAILS

SCREENSHOT:

 

MESSAGE TEXT:

From: Mao Kolander <transaction@larynx[.]co[.]uk>
Date: 16 December 2014 12:09:12 GMT
To:
Subject: Note D-57022RI-4035


===========================================
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
===========================================

Notification Number: 8018817
Mandate Number: 4909927
Date: December 16, 2014. 12:47pm

In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file "D-57022RI-4035.cab" for details.

Yours sincerely,
Mao Kolander
+07869 007210

AttachmentD-57022RI-4035.cab (30 KB)

 

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name:  D-57022RI-4035.cab
File size:  30,805 bytes
MD5 hash:  cfc6098ab3a1bbbb93c70fcf3f19cf5a
Detection ratio:  2 / 55
First submission:  2014-12-16 16:26:46 UTC
VirusTotal link:  https://www.virustotal.com/en/file/9d6065082b457c6991fdc14d6d2d72100f2772f2043739c05d7c0b4ecdc95893/analysis/

 

EXTRACTED MALWARE:

File name:  D-57022RI-4035.scr
File size:  42,496 bytes
MD5 hash:  74a2e5ead62897387b0eb5da549f881b
Detection ratio:  2 / 53
First submission:  2014-12-16 16:27:08 UTC
VirusTotal link:  https://www.virustotal.com/en/file/b5b9e420229272e29edcca73411a7fe93bc2c6c978425ff803d1ed7fe01c3e4e/analysis/

 

INFECTION TRAFFIC

ASSOCIATED DOMAINS:

 

EXECUTING THE EXTRACTED MALWARE IN A VM:

 

SNORT EVENTS

Emerging Threats and ETPRO rulesets from Sguil on Security Onion running Suricata (not including ET INFO or ET POLICY rules):

 

SCREENSHOTS

RTF document that appears when you run the malware:

 

Connectivity check by the malware:

 

The HTTPS traffic filtered in Wireshark:

 

Click here to return to the main page.