2017-06-01 - ZEUS PANDA BANKER INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-06-01-Zeus-Panda-Banker-infection-traffic.pcap   (3,978,012 bytes)
  • TPD64730435.zip   (26,605 bytes)
  • Traffic_Police_Department - Parking_Ticket_Information.doc   (68,096 bytes)
  • suchka.exe   (188,417 bytes)
  • upd59213af8.exe   (299,008 bytes)

NOTES:


Shown above:  This is how I like traffic police...  Brash and sassy.

 

EMAIL


Shown above:  Screen shot from one of the emails.

 


Shown above:  Example of email headers (1 of 2).

 


Shown above:  Example of email headers (2 of 2).

 

EMAIL HEADERS:

 

MALWARE


Shown above:  Downloading the zip archive from a link in one of the emails to Google Docs.

 


Shown above:  The zip archive contained a Word document with malicious macros.

 

ZIP ARCHIVE DOWNLOADED FROM GOOGLE DOCS LINK IN ONE OF THE EMAILS:

WORD DOCUMENT EXTRACTED FROM ZIP ARCHIVE:

FILE DOWNLOADED BY THE WORD MACROS:

FOLLOW-UP MALWARE NOTED AFTER THE INITIAL INFECTION:


Shown above:  Follow-up malware made persistent on the infected host.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Some alerts on the traffic from the Emerging Threats and ETPRO rulesets using Sguil and tcpreplay on Security Onion.

 

ASSOCIATED DOMAINS:

 

Click here to return to the main page.