2017-04-28 - BANKING TROJAN MALSPAM - SUBJECT: UPS TRACKING NUMBER FOR SHIPMENT H6902644376

ASSOCIATED FILES:

• ZIP archive of the pcap:  2017-04-28-UPS-malspam-traffic.pcap.zip   465 kB (464,770 bytes)

• 2017-04-28-UPS-malspam-traffic.pcap   (599,140 bytes)

• ZIP archive of the malware:  2017-04-28-UPS-malspam-and-artifacts.zip   272 kB (271,780 bytes)

• 2017-04-28-UPS-malspam-100129-UTC.eml   (3,482 bytes)
• 2017-04-28-UPS-malspam-100140-UTC.eml   (3,531 bytes)
• H6902644376.js   (3,061 bytes)
• H6902644376.rar   (1,298 bytes)
• last.conf   (7,545 bytes)
• rad7DAC6.tmp.exe   (366,434 bytes)

 

EMAIL

Shown above:  Screen shot of the email.

 

EMAIL HEADERS:

• Date/Time:  Friday 2017-04-28 at 10:01 UTC
• From:  (spoofed) "UPS Corporation" <tracking@ups.com>
• Subject:  UPS Tracking Number for shipment H6902644376

 

Shown above:  Malicious attachment from the malspam is a RAR archive containing a .js downloader.

 

TRAFFIC

Shown above:  Traffic from the infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 89.223.26.134 port 80 - 89.223.26.134 - GET /doc/file.php?act=dl&a=1
• 89.223.31.232 port 443 - HTTPS/SSL/TLS traffic
• 23.21.43.38 port 80 - httpbin.org - GET /ip

 

Shown above:  HTTP request by the .js file for a Windows executable.

 

Shown above:  Certificate data from the post-infection traffic.

 

Shown above:  IP address check by the infected host.

 

FILE HASHES

EMAIL ATTACHMENT:

• SHA256 hash:  c7f4f606611ab3651e01951e13cecb9cc3b0f69fa174515743efda1d45c73d5c
  File name:  H6902644376.rar
  File size:  1,298 bytes
  File description:  Malicious RAR archive

• SHA256 hash:  06dc498492bfcb56b1954bfc05ba578e7c60f4cbc23c3d3cddcaddd4e00fb7ac
  File name:  H6902644376.js
  File size:  3,061 bytes
  File description:  Extracted .js file

ARTIFACTS FROM THE INFECTED WINDOWS HOST:

• SHA256 hash:  be7678a2c62ee93e52b73287873cdd8791580076eaa286f5afe8a124b285211a
  File location:  C:\Users\[username]\AppData\Local\Temp\rad7DAC6.tmp.exe
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\8d9b77bc-9e1e-4853-9059-6c224d4a7a84\01a15f40-2e53-43db-ab18-2ccee5139e8b.exe
  File size:  366,434 bytes
  File description:  A banking Trojan

• SHA256 hash:  bd4bf39354cd12aed10b43008bf5834d9453ce09ac9d802cd62383752d534335
  File location:  C:\Users\[username]\AppData\Local\lugrade4\last.conf
  File size:  7,545 bytes
  File description:  Text file with configuration data for the infected host

WINDOWS REGISTRY UPDATE:

• Registry key:  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  Value name:  QuickAgent
  Value type:  REG_SZ
  Value data:  rundll32 shell32.dll,ShellExec_RunDLL "C:\Users\[username]\AppData\Local\Microsoft\Windows\8d9b77bc-9e1e-4853-9059-6c224d4a7a84\01a15f40-2e53-43db-ab18-2ccee5139e8b.exe"

 

IMAGES

Shown above:  Some alerts on the traffic from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.

 

Shown above:  Alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscriber ruleset.

 

Shown above:  Malware made persistent on the infected Windows host.

 

Shown above:  Configuration file for the banking Trojan.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcap:  2017-04-28-UPS-malspam-traffic.pcap.zip   465 kB (464,770 bytes)
• ZIP archive of the malware:  2017-04-28-UPS-malspam-and-artifacts.zip   272 kB (271,780 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.