2016-11-30 - MALSPAM - SUBJECT: DHL ITALY - INFORMAZIONI RICHIESTE

ASSOCIATED FILES:

• ZIP archive of the pcap:  2016-11-30-malspam-traffic.pcap.zip   960 kB (960,236 bytes)

2016-11-30-malspam-traffic.pcap   (1,386,631 bytes)

• ZIP archive of the malware:  2016-11-30-malspam-email-and-artifacts.zip   298 kB (297,882 bytes)

2016-11-30-1412-UTC.eml   (13,83 bytes)

294DHL.zip   (1,201 bytes)

cnvfrepl.exe   (523,264 bytes)

0603.js   (12,312 bytes)

Scheduled-task-0603.txt   (3,390 bytes)

 

NOTES:

• The .js file extraced from the .zip is location-specific.
• I had to come from an Italian IP address for the server at umzuegeberlin.com to respond with the appropriate traffic.
• The follow-up .exe file is definitely VM-aware.
• The follow-up .exe and follow-up .js file were kept persistent through the Windows registry.
• The follow-up .js file also had a scheduled task to keep it persistent.

 

THE EMAIL

Shown above:  Screenshot of the email.

 

Shown above:  Traffic from the email link retrieving a malicious zip archive.

 

EMAIL HEADER INFO:

• Date/time:  Wednesday 2016-11-30 14:12:12 UTC
• From:  DHL9 <dhl9.info.italy@dhl.com>
• Subject:  DHL Italy - informazioni richieste
• Message-ID:  <Y017319.9499121@sohu.com>
• Received from:  smtp_3.177 (123.125.123.1)

LINK FROM THE MESSAGE TEXT:

• 84.2.35.141 port 80 - www.diamondfitness.hu - GET /css/294DHL.php

 

THE MALICIOUS ZIP ARCHIVE

Shown above:  Screenshot of the email.

 

ZIP ARCHIVE:

• SHA256 hash:  c016c9db1a1e10a67f9f61b62d0a93da7e531e5de9f4902cfc1c5d3b70559cba
  File name:  294DHL.zip (1,201 bytes)
  

EXTRACTED .JS FILE:

• SHA256 hash:  885edb4fbc5606be0717fc0b775a866b15f1fb6d54809d2cdc445810af889255
  File name:  294DHL.js (2,804 bytes)
  

 

TRAFFIC

Shown above:  Infection traffic filtered in Wireshark.

 

ASSOCIATED DOMAINS/URLS:

• 217.160.223.82 port 80 - umzuegeberlin.com - GET /l2.php
• 79.133.53.30 port 80 - tischlerei-kreiner.at - GET /l2.php?cmd=p&id=0603&rnd=0.8606539626560696   [different random numbers in later requests]
• 194.58.100.59 port 80 - 194.58.100.59 - POST /core/fix832922.ms
• 104.20.0.85 port 80 - www.ietf.org - GET /rfc/rfc1237.txt
• 188.93.210.48 port 80 - 188.93.210.48 - GET /uploads/xgofrlht.png
• 188.93.210.48 port 80 - 188.93.210.48 - GET /uploads/sys.png
• 188.93.210.48 port 80 - domtablesthemultihdis.info - Ursnif/Dreambot callback traffic

 

Shown above:  Signature hits from the Emerging Threats and ET Pro rulesets using Sguil on Security Onion.

 

Shown above:  Signature hits for Ursnif from the Snort subscriber ruleset using Snort 2.9.8.3 on Debian 7.11

 

POST-INFECTION FILE HASHES

DOWNLOADED .EXE FILE:

• SHA256 hash:  277de04755087440d4e1d2e05978466f2ce6edecb63c7b3431d90a9b6b8311c7   (523,264 bytes)
  File name:  C:\Users\[username]\AppData\Local\Temp\248924.exe
  File name:  C:\Users\[username]\AppData\Roaming\colbobby\cnvfrepl.exe

DOWNLOADED .JS FILE:

• SHA256 hash: 2978aa2273e506d495a1cd21ed12e0ea639a0dd5776948b0afe555535db6488a   (12,312 bytes)
  File name:  C:\Users\[username]\0603.js

 

Shown above:  Entries from the registry of the infected Windows host for persistence.

 

FINAL NOTES

Once again, here are the associated archives:

• ZIP archive of the pcap:  2016-11-30-malspam-traffic.pcap.zip   960 kB (960,236 bytes)
• ZIP archive of the malware:  2016-11-30-malspam-email-and-artifacts.zip   298 kB (297,882 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.