2014-12-16 - MALWARE INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-12-16-malspam-tracker.csv.zip 1.2 kB (1,195 bytes)
- 2014-12-16-unidentified-malware-run-on-VM.pcap.zip 74.2 kB (74,156 bytes)
- 2014-12-16-unidentified-malware-and-artifacts.zip 71.6 kB (71,599 bytes)
NOTES:
- On 2014-12-16 from 12:09 to 13:20 UTC, I noticed a wave of 12 emails with .cab attachments containing malware.
- These had spoofed UK sending addresses, and they were sent to recipients in the UK.
- Various sending IP addresses for the messages indicate this was a botnet-based campaign.
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: Mao Kolander <transaction@larynx[.]co[.]uk>
Date: 16 December 2014 12:09:12 GMT
To:
Subject: Note D-57022RI-4035
===========================================
This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
===========================================
Notification Number: 8018817
Mandate Number: 4909927
Date: December 16, 2014. 12:47pm
In an effort to protect your Banking account, we have frozen your account until such time that it can be safely restored by you. Please view attached file "D-57022RI-4035.cab" for details.
Yours sincerely,
Mao Kolander
+07869 007210
Attachment: D-57022RI-4035.cab (30 KB)
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: D-57022RI-4035.cab
File size: 30,805 bytes
MD5 hash: cfc6098ab3a1bbbb93c70fcf3f19cf5a
Detection ratio: 2 / 55
First submission: 2014-12-16 16:26:46 UTC
VirusTotal link: https://www.virustotal.com/en/file/9d6065082b457c6991fdc14d6d2d72100f2772f2043739c05d7c0b4ecdc95893/analysis/
EXTRACTED MALWARE:
File name: D-57022RI-4035.scr
File size: 42,496 bytes
MD5 hash: 74a2e5ead62897387b0eb5da549f881b
Detection ratio: 2 / 53
First submission: 2014-12-16 16:27:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/b5b9e420229272e29edcca73411a7fe93bc2c6c978425ff803d1ed7fe01c3e4e/analysis/
INFECTION TRAFFIC
ASSOCIATED DOMAINS:
- 195.246.8[.]75 - www.lamas[.]si
- 212.227.55[.]94 - fotocb[.]de
- 37.205.62[.]70 - stmarys-andover[.]org[.]uk
- 83.137.145[.]154 - dequinnzangersborne[.]nl
EXECUTING THE EXTRACTED MALWARE IN A VM:
- 2014-12-16 16:08:59 UTC - 65.55.50[.]157:80 - windowsupdate.microsoft[.]com - GET /
- 2014-12-16 16:14:00 UTC - 195.246.8[.]75:443 - www.lamas[.]si - HTTPS traffic
- 2014-12-16 16:14:06 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:14:12 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:14:18 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:14:29 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:14:40 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:14:51 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:15:07 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:15:23 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:15:39 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:16:00 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:16:22 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:16:43 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:17:09 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:17:35 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:18:01 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:18:32 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:19:03 UTC - 37.205.62[.]70:443 - stmarys-andover[.]org[.]uk - HTTPS traffic
- 2014-12-16 16:19:34 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:20:10 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:21:42 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:22:23 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:24:05 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:24:51 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
- 2014-12-16 16:26:43 UTC - 83.137.145[.]154:443 - dequinnzangersborne[.]nl - HTTPS traffic
- 2014-12-16 16:27:34 UTC - 212.227.55[.]94:443 - fotocb[.]de - HTTPS traffic
SNORT EVENTS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion running Suricata (not including ET INFO or ET POLICY rules):
- 2014-12-16 16:09:00 UTC - 65.55.50[.]157:80 - ET TROJAN Possible Zeus GameOver? Connectivity Check 2 (sid:2019155)
SCREENSHOTS
RTF document that appears when you run the malware:
Connectivity check by the malware:
The HTTPS traffic filtered in Wireshark:
Click here to return to the main page.