2015-01-21 - UPATRE/DYRE PHISHING RUN - SUBJECT: EMPLOYEE DOCUMENTS - INTERNAL USE
ASSOCIATED FILES:
- ZIP of the pcap: 2015-01-21-Upatre-Dyre-infection-traffic.pcap.zip
- ZIP of the malware: 2015-01-21-Upatre-Dyre-malware-and-artifacts.zip
NOTES:
- Began: 2015-01-21 12:43 UTC
- Ended: 2015-01-21 13:21 UTC
- Duration: 38 minutes
- From: no-replay@invoice.com
- Subject: Employee Documents - Internal Use
EXAMPLE MESSAGE TEXT:
From: invoice <no-replay@invoice.com>
Sent: Wednesday, January 21, 2015 6:43 AM CST
To: [redacted]
Subject: Employee Documents - Internal Use
DOCUMENT NOTIFICATION, Powered by NetDocuments
DOCUMENT NAME: Employee Documents
DOCUMENT LINK: http://ep[.]nelsonmandelabay[.]gov[.]za/DOCUMENT~STORAGE_DATA/get.last_invoice.html
Documents are encrypted in transit and store in a secure repository
---------------------------------------------------------------------------------
This message may contain information that is privileged and confidential.
If you received this transmission in error, please notify the sender by reply email and delete the message and any attachments.
FOLLOWING THE LINK:
INFECTION TRAFFIC
CLICKING ON LINK FROM THE EMAIL:
- 2015-01-21 15:46:19 UTC - 41.191.89.2 port 80 - ep.nelsonmandelabay.gov.za - GET /DOCUMENT~STORAGE_DATA/get.last_invoice.html
- 2015-01-21 15:46:19 UTC - 50.87.63.202 port 80 - afreshperspective.com - GET /js/jquery-1.41.15.js
- 2015-01-21 15:46:19 UTC - 92.60.66.184 port 80 - imisnc.it - GET /js/jquery-1.41.15.js
- 2015-01-21 15:46:19 UTC - 216.113.194.26 port 80 - www.rosewoodmanor.org - GET /js/jquery-1.41.15.js
- 2015-01-21 15:46:19 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js
- 2015-01-21 15:46:28 UTC - 41.191.89.2 port 80 - ep.nelsonmandelabay.gov.za - GET /favicon.ico
- 2015-01-21 15:46:28 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a=1846&kZuJV1OyPrXdK0=1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
- 2015-01-21 15:46:30 UTC - 41.191.89.2 port 80 - ep.nelsonmandelabay.gov.za - GET /DOCUMENT~STORAGE_DATA/ie_top.gif
- 2015-01-21 15:46:30 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js?get_message=3290013886
RUNNING THE DOWNLOADED MALWARE ON A VM:
- 2015-01-21 15:50:03 UTC - 202.153.35.133 port 44141 - 202.153.35.133:44141 - GET /2101uk22/WIN-BS4EUJ1KO34/0/61-SP1/0/
- 2015-01-21 15:50:04 UTC - 202.153.35.133 port 44141 - 202.153.35.133:44141 - GET /2101uk22/WIN-BS4EUJ1KO34/1/0/0/
- 2015-01-21 15:50:05 UTC - 209.235.144.9 port 80 - dipford.com - GET /mandoc/info22.pdf
- 2015-01-21 15:50:09 UTC - 202.153.35.133 port 44161 - 202.153.35.133:44161 - GET /2101uk22/WIN-BS4EUJ1KO34/41/7/4/
- 2015-01-21 15:50:19 UTC - 173.194.73.127 port 19302 - UDP STUN traffic to stun1.l.google.com
- 2015-01-21 15:50:27 UTC - 50.7.245.130 port 443 - encrypted SSL session
- 2015-01-21 15:50:58 UTC - 91.185.239.153 port 443 - encrypted SSL sessions
- 2015-01-21 15:51:14 UTC - 86.106.30.102 port 80 - utokatalin.ro - GET /administrator/ml2from2.tar
- 2015-01-21 15:51:15 UTC - 176.114.0.58 port 1025 - encrypted SSL session
- 2015-01-21 15:51:46 UTC - 93.190.137.149 port 443 - encrypted SSL sessions
SNORT EVENTS FROM SANDBOX ANALYSIS
Emerging Threats and ETPRO rulesets from Sguil on Security Onion (without ET POLICY or ET INFO events):
- 89.42.216.133 port 80 - ET CURRENT_EVENTS Upatre Redirector Jan 9 2015 (sid:2020159)
- 89.42.216.133 port 80 - ET CURRENT_EVENTS Upatre Redirector IE Requesting Payload Jan 19 2015 (sid:2020212)
- 202.153.35.133 port 44141 - ET TROJAN Upatre Common URI Struct Dec 01 2014 (sid:2019847)
- 209.235.144.9 port 80 - ET TROJAN Common Upatre Header Structure (sid:2018394)
- 209.235.144.9 port 80 - ET TROJAN Common Upatre Header Structure 2 (sid:2018635)
- 91.185.239.153 port 443 - ET TROJAN Possible Dyre SSL Cert (fake state) (sid:2019833)
Sourcefire VRT/Talos ruleset from Snort 2.9.7.0 on Debian 7 (not counting preprocessor events):
- 89.42.216.133 port 80 - [1:27875:3] EXPLOIT-KIT Javascript obfuscation technique - has been observed in Rmayana/DotkaChef/DotCache exploit kit (x2)
- 202.153.35.133 port 44141 - [1:33146:1] MALWARE-CNC Win.Trojan.Upatre variant outbound connection
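The traffic listing above and the Snort/ET hits that follow it point at the same handful of tells: a fake jQuery fetch from the redirector with a long attacker-supplied query string, an HTTP check-in to an IP literal on a high port with a URI of the form /<campaign>/<hostname>/<n>/<os>/<n>/, and SSL on a non-standard port once Dyre is running. The following Python script is an added example, not part of this write-up or of the Snort rulesets it cites: it parses timeline lines in the format used on this page (a constructed subset of the entries above is embedded as sample input) and tags each entry with the heuristics just named, so the same checks can be run over a proxy log exported in this shape. The regular expressions and tag names are my own assumptions about what distinguishes these entries, not ET or Talos signature logic.

```python
import re
from collections import namedtuple

# Constructed sample input: a subset of the timeline entries from this
# write-up, in the page's "- <ts> UTC - <ip> port <port> - <host> - <detail>" shape.
SAMPLE_LOG = """CLICKING ON LINK FROM THE EMAIL:
- 2015-01-21 15:46:19 UTC - 41.191.89.2 port 80 - ep.nelsonmandelabay.gov.za - GET /DOCUMENT~STORAGE_DATA/get.last_invoice.html
- 2015-01-21 15:46:19 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js
- 2015-01-21 15:46:28 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js?aCNDrnl3=[user-agent string]&hjmcSOLrVb5fK5a=1846&kZuJV1OyPrXdK0=1267859342&OjyOcmABhJHuu=gDyC5hx734Wu1.js
- 2015-01-21 15:46:30 UTC - 89.42.216.133 port 80 - crts.ro - GET /js/jquery-1.41.15.js?get_message=3290013886
- 2015-01-21 15:50:03 UTC - 202.153.35.133 port 44141 - 202.153.35.133:44141 - GET /2101uk22/WIN-BS4EUJ1KO34/0/61-SP1/0/
- 2015-01-21 15:50:05 UTC - 209.235.144.9 port 80 - dipford.com - GET /mandoc/info22.pdf
- 2015-01-21 15:50:19 UTC - 173.194.73.127 port 19302 - UDP STUN traffic to stun1.l.google.com
- 2015-01-21 15:50:27 UTC - 50.7.245.130 port 443 - encrypted SSL session
- 2015-01-21 15:51:15 UTC - 176.114.0.58 port 1025 - encrypted SSL session
"""

Entry = namedtuple("Entry", "ts ip port host detail")

# One timeline line. The host field is optional because SSL and STUN entries
# on this page carry only "<ip> port <port> - <description>".
LINE_RE = re.compile(
    r"^- (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC - "
    r"(?P<ip>\S+) port (?P<port>\d+) - (?:(?P<host>\S+) - )?(?P<detail>.*)$"
)

# Assumed heuristic: Upatre check-in URI shape seen above,
# e.g. /2101uk22/WIN-BS4EUJ1KO34/0/61-SP1/0/ (campaign/hostname/n/os/n/).
UPATRE_CHECKIN_RE = re.compile(r"^GET /[0-9a-z]+/[A-Za-z0-9-]+/\d+/[A-Za-z0-9-]+/\d+/$")

# Assumed heuristic: a "jquery-<ver>.js" fetch that carries a query string,
# which a real static library include never needs.
REDIRECTOR_RE = re.compile(r"jquery-[\d.]+\.js\?")


def parse_timeline(text):
    """Return Entry records for every line matching the page's timeline format.
    Section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append(Entry(m["ts"], m["ip"], int(m["port"]), m["host"], m["detail"]))
    return entries


def classify(entry):
    """Tag one entry with the heuristics this example defines (empty list = nothing flagged)."""
    tags = []
    # HTTP to an IP literal rather than a name, e.g. Host: 202.153.35.133:44141
    if entry.host and entry.host == f"{entry.ip}:{entry.port}":
        tags.append("http-to-ip-literal")
    if UPATRE_CHECKIN_RE.match(entry.detail):
        tags.append("upatre-checkin-uri")
    if REDIRECTOR_RE.search(entry.detail):
        tags.append("upatre-redirector")
    # TLS on a port other than 443 (the 176.114.0.58:1025 session above)
    if "SSL" in entry.detail and entry.port != 443:
        tags.append("ssl-nonstandard-port")
    return tags


def find_suspicious(text):
    """Return (timestamp, host-or-ip, tags) for every entry that received at least one tag."""
    hits = []
    for e in parse_timeline(text):
        tags = classify(e)
        if tags:
            hits.append((e.ts, e.host or e.ip, tags))
    return hits


if __name__ == "__main__":
    for ts, where, tags in find_suspicious(SAMPLE_LOG):
        print(f"{ts}  {where:<32} {', '.join(tags)}")
```

Entries that get no tag (the initial landing page, the PDF fetch, the STUN probe, SSL on 443) are the ones that need payload or certificate inspection rather than URI heuristics, which is exactly where the ET "Possible Dyre SSL Cert (fake state)" rule above does its work.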
PRELIMINARY MALWARE ANALYSIS
ZIP FILE FROM LINK:
File name: invoice_pdf69301.zip
File size: 9.3 KB ( 9548 bytes )
MD5 hash: 0bdf685d380e5550bf13ae9f6cdd154f
Detection ratio: 8 / 55
First submission: 2015-01-21 18:09:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/5d317f6cc8d7af18c57ff4fa13c6cad2b40ced075b833c8b548ec1bec6bc80c9/analysis/
EXTRACTED MALWARE - UPATRE:
File name: invoice_pdf19366.exe
File size: 15.5 KB ( 15872 bytes )
MD5 hash: 706378854efad81d13203303161f41cf
Detection ratio: 8 / 49
First submission: 2015-01-21 18:10:15 UTC
VirusTotal link: https://www.virustotal.com/en/file/6f8cf43e41ca954b99fcd45ad878e168bd76d3764b7c87cbe28656d8ce2edf78/analysis/
Malwr link: https://malwr.com/analysis/MjU1NTQwZmVlNDhiNGY4M2I3Y2VmNjExYjY2YTc4NGY/
DROPPED MALWARE ON INFECTED VM (1 OF 2) - DYRE:
File name: C:\Windows\PIBKbaJIccQGfuY.exe
File size: 411.0 KB ( 420864 bytes )
MD5 hash: ed74d93a7507471879385205fe92dd3c
Detection ratio: 4 / 56
First submission: 2015-01-21 13:32:33 UTC
VirusTotal link: https://www.virustotal.com/en/file/e21a3d32dfc55ff70d1241defdbc36b6c65bcdda4b14c2ceabfaf25f68f35c07/analysis/
Malwr link: https://malwr.com/analysis/NmIwODNkMWU1NGRhNDJiMWExYWMzNTI0ODU1NDcyNzE/
DROPPED MALWARE ON INFECTED VM (2 OF 2) - DYRE-RELATED:
File name: C:\Windows\Temp\E93B.tmp
File size: 441.0 KB ( 451584 bytes )
MD5 hash: 4df95e133ed489ef4f0736eabb16ba2e
Detection ratio: 20 / 54
First submission: 2015-01-21 16:41:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/51d2a9844f0aa605bcfa13ad2fd1679939d5b4accf18a8d2f55168f4f625ccd6/analysis/
Malwr link: https://malwr.com/analysis/YWU1ZDRhMmMxNzg1NGU0YmFkYzFlZGM4MDJlNzgwMDU/
FINAL NOTES
Once again, here are the associated files:
- ZIP of the pcap: 2015-01-21-Upatre-Dyre-infection-traffic.pcap.zip
- ZIP of the malware: 2015-01-21-Upatre-Dyre-malware-and-artifacts.zip
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.