2015-01-01 - PHISHING EMAIL - SUBJECT: FW: CONFIRMED PO 327872
ASSOCIATED FILES:
- ZIP - PCAP of Word document executed in a VM: 2015-01-01-phishing-email-word-attachment-executed-on-VM.pcap.zip
- ZIP - PCAP of dropped malware run on a live host: 2015-01-01-phishing-email-dropped-malware-executed-on-live-host.pcap.zip
- ZIP - associated malware: 2015-01-01-phishing-malware-and-artifacts.zip
THE EMAIL
SCREENSHOT:
MESSAGE TEXT:
From: General Trading London <sales@gtl.co.uk>
Reply-To: <mhaufler.lissglobal@gmail.com>
Date: Thursday, January 1, 2015 at 2:54 PM CST
To: <sales@gtl.co.uk>
Subject: FW: Confirmed PO 327872
Hello Dear,
Happy new year to you.
Please find attached confirmed our PO after that we have chosen what to buy from your website and quote for us your best price to London UK.
Note that this is still a test order so if everything goes good with this order will order during this month 4x20ft containers to meet our market needs.
Send to us some photos please for the products chosen as in our PO below.
Waiting for your soonest reply
Samantha Jones
General Trading London
Office Address : 29 Shepherds Bush Road, Hammersmith, London W6 7LX, United Kingdom.
Postal Address : 27 Grasmere Avenue, Acton, London W3 6JT, United Kingdom.
Telephone : +44 (0) 208 123 0022 - +44 (0) 208 133 3130
Fax : +44 (0) 208 929 9871
Email : sales@gtl.co.uk - info@gtl.co.uk
Attachment: Confirmed PO 327872.doc (133.6 KB)
EMAIL HEADERS:
THE ATTACHMENT
File name: Confirmed PO 327872.doc (CVE-2012-0158)
File size: 98.9 KB (101276 bytes)
MD5 hash: 3611660c017e511dbc54e3132c56873c
Detection ratio: 13 / 56
First submission: 2015-01-01 22:22:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/a54a03742e8d4cc7818700b5d305bbca2dd7a5deb8cd39dc0b85e368bed47f06/analysis/
Malwr link: https://malwr.com/analysis/NTBiMWI2MzBmMDhjNGE2ZmI5MjY1MDgwYmRjMmY4MzU/
OPENING THE ATTACHMENT
NETWORK TRAFFIC:
- 2015-01-01 21:51:17 UTC - 192.168.138.158:49167 - 31.170.166.151:80 - ng01.hostingsiteforfree.com - GET /dbx.exe
SNORT EVENTS:
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2015-01-01 21:51:17 UTC - 192.168.138.158:49167 - 31.170.166.151:80 - ETPRO TROJAN Common Downloader Header Pattern UH (sid:2803274)
- 2015-01-01 21:51:17 UTC - 192.168.138.158:49167 - 31.170.166.151:80 - ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile (sid:2019714)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:
- 2015-01-01 21:51:17 UTC - 31.170.166.151:80 - 192.168.138.158:49167 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
- 2015-01-01 21:51:17 UTC - 31.170.166.151:80 - 192.168.138.158:49167 - [1:648:14] INDICATOR-SHELLCODE x86 NOOP (x12)
- 2015-01-01 21:51:17 UTC - 31.170.166.151:80 - 192.168.138.158:49167 - [1:23256:5] FILE-EXECUTABLE Armadillo v1.71 packer file magic detected
DROPPED MALWARE
File name: dbx.exe
File size: 196.0 KB (200704 bytes)
MD5 hash: 6d31814c6b77f6c400d259e1435280af
Detection ratio: 4 / 56
First submission: 2015-01-01 17:24:19 UTC
VirusTotal link: https://www.virustotal.com/en/file/7b7465f0b9ed465d029cfa42a78fc02eb07449161ba619770c6d86ce9bcfd85b/analysis/
Malwr link: https://malwr.com/analysis/YzJjOGU1YTE4ZTA4NGI1ZWFlNmM2OTY4OWFjMjRhOTU/
Shown above: Registry entry showing where the dropped malware copied itself.
DROPPED MALWARE TRAFFIC AND EVENTS
NETWORK TRAFFIC:
- 2015-01-01 22:45:16 UTC - 192.168.138.158:49203 - 38.103.14.201:1863 - dbxviewer.ddns.net:1863 - GET /1978.functions
- 2015-01-01 22:45:29 UTC - 192.168.138.158:49204 - 38.103.14.201:1863 - myversion|2.5.5.1
- 2015-01-01 22:52:12 UTC - 192.168.138.158:49205 - 38.103.14.201:1863 - myversion|2.5.5.1
- 2015-01-01 22:52:43 UTC - 192.168.138.158:49206 - 38.103.14.201:1863 - myversion|2.5.5.1
SNORT EVENTS:
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 2015-01-01 22:45:16 UTC - 192.168.138.158:49203 - 38.103.14.201:1863 - ET TROJAN Win32/Xtrat.A Checkin (sid:2016275)
- 2015-01-01 22:45:29 UTC - 192.168.138.158:49204 - 38.103.14.201:1863 - ET TROJAN W32/Dinwod.Dropper CnC Beacon (sid:2018101)
- 2015-01-01 22:45:30 UTC - 38.103.14.201:1863 - 192.168.138.158:49204 - ETPRO TROJAN Win32/Xtrat.B CnC Traffic (sid:2804292)
- 2015-01-01 22:45:51 UTC - 38.103.14.201:1863 - 192.168.138.158:49204 - ETPRO TROJAN Xtrat/Bifrose/VBKrypt CnC Channel Keepalive (sid:2804254)
Sourcefire VRT ruleset from Snort 2.9.7.0 on Debian 7:
- 2015-01-01 22:45:16 UTC - 192.168.138.158:49203 - 38.103.14.201:1863 - [1:20099:5] MALWARE-CNC Win.Trojan.Xtrat.A variant outbound connection
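The two traffic listings above (the terse "GET /dbx.exe" download when the document was opened, and the "myversion|2.5.5.1" check-ins to port 1863 from the dropped malware) are the kind of pattern a defender can encode in a small triage script. The following is an added example, not code from this write-up or from any of the rulesets named here: it runs a few detection checks over constructed flow records modelled on the lines above (plus one constructed benign control record), tagging terse alphanumeric executable downloads, Xtrat (XtremeRAT) version check-ins, HTTP-style requests on non-web ports, dynamic-DNS hostnames, and repeated identical beacons to one server. The regexes, port list and DDNS suffix list are assumptions chosen to fit this sample, not the real Snort signature logic.

```python
import re
from collections import Counter

# Constructed sample records modelled on the traffic lines in this write-up
# (tuple: timestamp, src ip:port, dst ip:port, hostname or "", request/payload summary).
SAMPLE_FLOWS = [
    ("2015-01-01 21:51:17 UTC", "192.168.138.158:49167", "31.170.166.151:80",
     "ng01.hostingsiteforfree.com", "GET /dbx.exe"),
    ("2015-01-01 22:45:16 UTC", "192.168.138.158:49203", "38.103.14.201:1863",
     "dbxviewer.ddns.net", "GET /1978.functions"),
    ("2015-01-01 22:45:29 UTC", "192.168.138.158:49204", "38.103.14.201:1863",
     "", "myversion|2.5.5.1"),
    ("2015-01-01 22:52:12 UTC", "192.168.138.158:49205", "38.103.14.201:1863",
     "", "myversion|2.5.5.1"),
    ("2015-01-01 22:52:43 UTC", "192.168.138.158:49206", "38.103.14.201:1863",
     "", "myversion|2.5.5.1"),
    # constructed benign control record: an ordinary installer download over port 80
    ("2015-01-01 22:00:00 UTC", "192.168.138.158:49300", "93.184.216.34:80",
     "example.com", "GET /downloads/setup-installer.exe"),
]

# Short alphanumeric executable name requested straight from the web root: the shape
# the ET CURRENT_EVENTS "terse alphanumeric executable downloader" alert is about.
# (Assumed approximation of that idea, not the signature's actual content.)
TERSE_EXE = re.compile(r"^GET /[A-Za-z0-9]{1,8}\.exe(?:\s|$)")
# Xtrat / XtremeRAT check-in payload as seen in this sample.
XTRAT_CHECKIN = re.compile(r"^myversion\|")
# Illustrative, not exhaustive: ddns.net is the dynamic-DNS provider on this page.
DDNS_SUFFIXES = (".ddns.net",)
WEB_PORTS = {80, 443, 8080}


def dst_port(endpoint):
    """Return the integer port from an 'ip:port' string (IPv4 only, an assumption)."""
    return int(endpoint.rsplit(":", 1)[1])


def tag_flow(flow):
    """Return the list of detection tags that apply to one flow record."""
    ts, src, dst, host, payload = flow
    tags = []
    if TERSE_EXE.match(payload):
        tags.append("terse-exe-download")
    if XTRAT_CHECKIN.match(payload):
        tags.append("xtrat-checkin")
    if payload.startswith("GET ") and dst_port(dst) not in WEB_PORTS:
        tags.append("http-nonstandard-port")
    if host.lower().endswith(DDNS_SUFFIXES):
        tags.append("dynamic-dns-host")
    return tags


def find_beacons(flows, min_repeats=3):
    """Count identical (src ip, dst, payload) triples across separate connections.
    The same payload sent again and again to one server is a beacon/keepalive signal."""
    counts = Counter()
    for _, src, dst, _, payload in flows:
        src_ip = src.rsplit(":", 1)[0]
        counts[(src_ip, dst, payload)] += 1
    return {key: n for key, n in counts.items() if n >= min_repeats}


def triage(flows):
    """Run every check and return (per-flow tags, beacon map) for reporting."""
    per_flow = [(flow[0], flow[2], tag_flow(flow)) for flow in flows]
    return per_flow, find_beacons(flows)


if __name__ == "__main__":
    per_flow, beacons = triage(SAMPLE_FLOWS)
    for ts, dst, tags in per_flow:
        print(ts, dst, tags or "-")
    for (src_ip, dst, payload), n in beacons.items():
        print(f"beacon: {src_ip} -> {dst} '{payload}' x{n}")
```

The control record is there to show that the terse-executable check does not fire on a long, descriptive installer name, which is the distinction the ET alert relies on; the beacon check works on the page's own observation that the "myversion" payload recurs on fresh source ports to the same server, which is what separates a check-in loop from a one-off request.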
ARTIFACTS FROM THE INFECTED HOST
FILES FOUND AFTER RUNNING THE MALWARE:
- C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\dbx.exe
- C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\1978.functions
- C:\Users\[username]\AppData\Roaming\Arcamax\Arcamax.exe
- C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.dat
- C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.nfo
- C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.svr
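The file listing above has three features worth flagging automatically in a post-infection review: an executable cached under Temporary Internet Files, an executable dropped into AppData\Roaming under a directory of the same name, and a set of data files under a randomly generated mixed-case directory whose name matches their file stem. The following is an added example, not code from this write-up: it classifies constructed paths modelled on the listing (with the page's own [username] placeholder and one constructed benign control path) and groups the tagged artifacts by directory. The tag names, the case-alternation heuristic and its 0.5 threshold are assumptions chosen to fit this sample.

```python
from pathlib import PureWindowsPath

# Constructed sample modelled on the artifact paths listed above; [username] is the
# page's own placeholder and the final entry is a constructed benign control.
SAMPLE_PATHS = [
    r"C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\dbx.exe",
    r"C:\Users\[username]\AppData\Local\Microsoft\Windows\Temporary Internet Files\1978.functions",
    r"C:\Users\[username]\AppData\Roaming\Arcamax\Arcamax.exe",
    r"C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.dat",
    r"C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.nfo",
    r"C:\Users\[username]\AppData\Roaming\Microsoft\Windows\jMrLuGry\jMrLuGry.svr",
    r"C:\Program Files\Example App\app.exe",
]

EXEC_EXT = {".exe", ".dll", ".scr", ".com"}


def case_alternation_ratio(name):
    """Fraction of adjacent letter pairs that switch case. Ordinary words and
    product names score low; a generated name like 'jMrLuGry' scores high."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return 0.0
    switches = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return switches / (len(letters) - 1)


def classify(path_str):
    """Return detection tags for one path from a post-infection file listing."""
    p = PureWindowsPath(path_str)
    parts_lower = [x.lower() for x in p.parts]
    parent = p.parent.name
    under_appdata = "appdata" in parts_lower
    tags = []
    # Executables living in the user's AppData tree rather than Program Files.
    if p.suffix.lower() in EXEC_EXT and under_appdata:
        tags.append("exe-in-appdata")
    # Anything in the browser download cache is a candidate for "what came in over HTTP".
    if "temporary internet files" in parts_lower:
        tags.append("browser-cache-artifact")
    # Directory name that looks machine-generated rather than chosen by a vendor.
    if under_appdata and case_alternation_ratio(parent) >= 0.5:
        tags.append("random-mixed-case-dir")
    # File stem identical to its directory name, as with Arcamax\Arcamax.exe
    # and jMrLuGry\jMrLuGry.*; a consistent self-naming scheme is worth a look.
    if under_appdata and p.stem.lower() == parent.lower():
        tags.append("stem-matches-dir")
    return tags


def suspect_directories(paths):
    """Group tagged artifacts by parent directory for a collection/cleanup list."""
    out = {}
    for path_str in paths:
        tags = classify(path_str)
        if tags:
            out.setdefault(str(PureWindowsPath(path_str).parent), set()).update(tags)
    return out


if __name__ == "__main__":
    for directory, tags in suspect_directories(SAMPLE_PATHS).items():
        print(directory, sorted(tags))
```

Used on a real listing the directory grouping is the useful output: it yields the few locations to pull for analysis (here the browser cache, the Arcamax folder and the jMrLuGry folder) instead of a flat list of every file on the host. PureWindowsPath lets the script run on any platform, since it only parses the strings and never touches a filesystem.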
SCREENSHOTS FROM THE TRAFFIC
FINAL NOTES
Once again, here are the associated files:
- ZIP - PCAP of Word document executed in a VM: 2015-01-01-phishing-email-word-attachment-executed-on-VM.pcap.zip
- ZIP - PCAP of dropped malware run on a live host: 2015-01-01-phishing-email-dropped-malware-executed-on-live-host.pcap.zip
- ZIP - associated malware: 2015-01-01-phishing-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.