2017-04-28 - BANKING TROJAN MALSPAM - SUBJECT: UPS TRACKING NUMBER FOR SHIPMENT H6902644376
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-04-28-UPS-malspam-traffic.pcap.zip 465 kB (464,770 bytes)
- 2017-04-28-UPS-malspam-traffic.pcap (599,140 bytes)
- ZIP archive of the malware: 2017-04-28-UPS-malspam-and-artifacts.zip 272 kB (271,780 bytes)
- 2017-04-28-UPS-malspam-100129-UTC.eml (3,482 bytes)
- 2017-04-28-UPS-malspam-100140-UTC.eml (3,531 bytes)
- H6902644376.js (3,061 bytes)
- H6902644376.rar (1,298 bytes)
- last.conf (7,545 bytes)
- rad7DAC6.tmp.exe (366,434 bytes)
Shown above: Screen shot of the email.
EMAIL HEADERS:
- Date/Time: Friday 2017-04-28 at 10:01 UTC
- From: (spoofed) "UPS Corporation" <tracking@ups.com>
- Subject: UPS Tracking Number for shipment H6902644376
Shown above: Malicious attachment from the malspam is a RAR archive containing a .js downloader.
TRAFFIC
Shown above: Traffic from the infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 89.223.26.134 port 80 - 89.223.26.134 - GET /doc/file.php?act=dl&a=1
- 89.223.31.232 port 443 - HTTPS/SSL/TLS traffic
- 23.21.43.38 port 80 - httpbin.org - GET /ip
Shown above: HTTP request by the .js file for a Windows executable.
Shown above: Certificate data from the post-infection traffic.
Shown above: IP address check by the infected host.
FILE HASHES
EMAIL ATTACHMENT:
- SHA256 hash: c7f4f606611ab3651e01951e13cecb9cc3b0f69fa174515743efda1d45c73d5c
File name: H6902644376.rar
File size: 1,298 bytes
File description: Malicious RAR archive
- SHA256 hash: 06dc498492bfcb56b1954bfc05ba578e7c60f4cbc23c3d3cddcaddd4e00fb7ac
File name: H6902644376.js
File size: 3,061 bytes
File description: Extracted .js file
ARTIFACTS FROM THE INFECTED WINDOWS HOST:
- SHA256 hash: be7678a2c62ee93e52b73287873cdd8791580076eaa286f5afe8a124b285211a
File location: C:\Users\[username]\AppData\Local\Temp\rad7DAC6.tmp.exe
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\8d9b77bc-9e1e-4853-9059-6c224d4a7a84\01a15f40-2e53-43db-ab18-2ccee5139e8b.exe
File size: 366,434 bytes
File description: A banking Trojan
- SHA256 hash: bd4bf39354cd12aed10b43008bf5834d9453ce09ac9d802cd62383752d534335
File location: C:\Users\[username]\AppData\Local\lugrade4\last.conf
File size: 7,545 bytes
File description: Text file with configuration data for the infected host
WINDOWS REGISTRY UPDATE:
- Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: QuickAgent
Value type: REG_SZ
Value data: rundll32 shell32.dll,ShellExec_RunDLL "C:\Users\[username]\AppData\Local\Microsoft\Windows\8d9b77bc-9e1e-4853-9059-6c224d4a7a84\01a15f40-2e53-43db-ab18-2ccee5139e8b.exe"
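As an added defender-side example (not part of the original writeup), the following PowerShell audits the HKCU Run key for the persistence pattern recorded above: rundll32 shell32.dll,ShellExec_RunDLL launching an executable from a GUID-named folder under AppData\Local. The function names are my own, and the self-check input is constructed from the registry value data listed above.

```powershell
# Added example, not from the original writeup: audit HKCU Run entries for the
# persistence pattern above (rundll32 shell32.dll,ShellExec_RunDLL launching an
# EXE from a GUID-named folder under AppData\Local). Function names are my own.
function Test-SuspiciousRunValue {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Name,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Data
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    # Indirection through the shell32 ShellExec_RunDLL export
    if ($Data -match '(?i)rundll32(\.exe)?\s+shell32\.dll\s*,\s*ShellExec_RunDLL') {
        $reasons.Add('launches via shell32.dll,ShellExec_RunDLL')
    }
    # Executable living in the user profile rather than Program Files / Windows
    if ($Data -match '(?i)\\AppData\\Local\\[^"]*\.exe') {
        $reasons.Add('executable under AppData\Local')
    }
    # GUID-named directory such as 8d9b77bc-9e1e-4853-9059-6c224d4a7a84
    if ($Data -match '(?i)\\[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\\') {
        $reasons.Add('GUID-named path component')
    }
    [pscustomobject]@{
        Name       = $Name
        Data       = $Data
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Get-SuspiciousRunEntries {
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # Read the raw data so a REG_EXPAND_SZ value is inspected as stored
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        $result = Test-SuspiciousRunValue -Name $name -Data $data
        if ($result.Suspicious) { $result }
    }
}

# Self-check against the value data recorded in this writeup (constructed input)
$sample = 'rundll32 shell32.dll,ShellExec_RunDLL "C:\Users\[username]\AppData\Local\Microsoft\Windows\8d9b77bc-9e1e-4853-9059-6c224d4a7a84\01a15f40-2e53-43db-ab18-2ccee5139e8b.exe"'
Test-SuspiciousRunValue -Name 'QuickAgent' -Data $sample | Format-List

# Live audit of the current user's Run key
Get-SuspiciousRunEntries | Format-Table Name, Reasons -AutoSize
```

The self-check reports all three reasons for the QuickAgent value; run the live audit from a non-elevated session to cover the same HKCU hive the malware wrote to.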
IMAGES
Shown above: Some alerts on the traffic from the Emerging Threats Pro (ETPRO) ruleset using Sguil on Security Onion.
Shown above: Alerts after reading the pcap with Snort 2.9.9.0 on Debian 7 using the Snort Subscriber ruleset.
Shown above: Malware made persistent on the infected Windows host.
Shown above: Configuration file for the banking Trojan.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-04-28-UPS-malspam-traffic.pcap.zip 465 kB (464,770 bytes)
- ZIP archive of the malware: 2017-04-28-UPS-malspam-and-artifacts.zip 272 kB (271,780 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.