2015-03-24 - MALSPAM GENERATES CHANITOR/VAWTRAK

ASSOCIATED FILES:

• ZIP of pcap:  2015-03-24-Vawtrak-infection-traffic.pcap.zip
• ZIP of the malware:  2015-03-24-Vawtrak-malware.zip

 

EMAIL

 

TRAFFIC

Traffic from infected host:

• 2015-03-24 18:18:18 UTC - 191.194.254.215 port 80 - 91.194.254.215 - GET /us/file.exe
• 2015-03-24 18:18:21 UTC - 5.9.99.35 port 80 - savepic.su - GET /5503653.png
• 2015-03-24 18:19:20 UTC - 107.20.242.255 port 443 - HTTPS traffic to: api.ipify.org
• 2015-03-24 18:19:22 UTC - 192.251.226.206 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web.blutmagie.de
• 2015-03-24 18:19:32 UTC - 82.130.26.27 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web.fi
• 2015-03-24 18:19:34 UTC - 80.239.148.136 port 80 - aia.startssl.com - GET /certs/sub.class2.server.ca.crt
• 2015-03-24 18:19:34 UTC - 80.239.148.136 port 80 - aia.startssl.com - GET /certs/ca.crt
• 2015-03-24 18:20:06 UTC - 194.150.168.70 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web.org
• 2015-03-24 18:20:07 UTC - 38.229.70.4 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web.org

 

SNORT ALERTS

EmeringThreats / ETPRO ruleset (not counting ET POLICY or ET INFO rules):

• 5.9.99.35 port 80 - ETPRO TROJAN Probably Evil MS Office HTTP request to savepic.su (sid:2810166)
• 192.251.226.206 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
• 82.130.26.27 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
• 38.229.70.4 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)

Snort (Cisco Talos) ruleset:

• 1.1.2.2 - [1:29456:2] PROTOCOL-ICMP Unusual PING detected
• 91.194.254.215 port 80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 91.194.254.215 port 80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• DNS request for: savepic.su - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• DNS request for: l7gbml27czk3kvr5.tor2web.org - [1:33216:1] INDICATOR-COMPROMISE DNS request for known malware domain tor2web.org

 

MALWARE

Malware from infected host:

• label_30192401.doc - MD5 hash: 1f2a562a4fcde5227cdf2d83c0279355
• C:Users\username\AppData\Local\Temp\444.exe - MD5 hash: 83c0b99427c026aad36b0d8204377702 (Chanitor)
• C:Users\username\AppData\Local\Temp\444.jpg - MD5 hash: 57e396baedfe1a034590339082b9abce
• C:Users\username\AppData\Local\Temp\___B727.exe - MD5 hash: 715a1df177c18416aa38bd8a28e342ea
• C:\ProgramData\LebsOnvaz\KasirAnemf.bey - MD5 hash: 938e07444c9363e64fe5e93cf5ff3a34 (Vawtrak)

 

 

FINAL NOTES

Once again, here are the associated files:

• ZIP of pcap:  2015-03-24-Vawtrak-infection-traffic.pcap.zip
• ZIP of the malware:  2015-03-24-Vawtrak-malware.zip

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.