Malware-Traffic-Analysis.net - 2017-10-23

2017-10-23 - A RAT'S NEST OF ACTIVITY

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-10-23-RAT-activity.pcap.zip 4.9 MB (4,930,548 bytes)

2017-10-23-RAT-activity.pcap (8,719,986 bytes)

2017-10-23-RAT-activity-email-and-malware.zip 5.8 MB (5,753,294 bytes)

1.exe (850,432 bytes)

2.exe (1,149,440 bytes)

2017-10-23-RAT-malspam-0716-UTC.eml (454,594 bytes)

3.exe (1,149,440 bytes)

4.exe (1,477,120 bytes)

5.exe (1,509,888 bytes)

6.exe (1,362,432 bytes)

FRTRK.jar (484,834 bytes)

New Order.exe (879,104 bytes)

New Order.zip (328,818 bytes)

rundll.exe (7,680 bytes)

NOTES:

This malicious spam (malspam) is low-hanging fruit that should easily be caught by most spam filters.
ETPRO and Snort Subscriber rules had different RAT names for post-infection traffic to 213.183.58[.]34, such as Netwire RAT, NanoCore RAT, DarkKomet RAT, and Babylon RAT.
With 6 additional executables downloaded during the post-infection activity, this was a real "RAT's nest" of an infection.

Shown above: All you have to do is double-click that innocent-looking executable.

EMAIL

Shown above: Screenshot from the email.

EMAIL INFO:

Date: Monday, 2017-10-23 07:16 UTC
From: <nie0461@gmail[.]com> (spoofed)
Subject: Re: Urgent Order
Attachment name: New Order.zip

Shown above: Zip attachment and extracted malware.

TRAFFIC

Shown above: Infection traffic filtered in Wireshark.

Shown above: Alerts on the infection traffic from the Emerging Threats Pro (ET Pro) ruleset using Sguil on Security Onion.

Shown above: Some RAT-based alerts on the infection traffic from the Snort subscriber ruleset on Snort 2.9.11.

INFECTION TRAFFIC:

213.183.58[.]34 port 1030 - RAT-based post-infection callback traffic
213.183.58[.]34 port 5552 - RAT-based post-infection callback traffic
213.183.58[.]34 port 20000 - RAT-based post-infection callback traffic
213.183.58[.]34 port 54984 - RAT-based post-infection callback traffic
213.183.58[.]34 port 7777 - attempted TCP connections (no response from the server)
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/1.exe
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/2.exe
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/3.exe
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/4.exe
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/5.exe
202.52.146[.]76 port 80 - farizcollection[.]com - GET /Panel/temp/upload/6.exe

MALWARE

ZIP ATTACHMENT FROM THE EMAIL:

SHA256 hash: 7d14025275fbcd277f74aaaa0533bfe02f22c070a954c813d75140a8c352b36d
File name: New Order.zip
File size: 328,818 bytes

EXTRACTED MALWARE:

SHA256 hash: f5118f6534b0bb265f563421697bdcb29fed31267f75a71d7dd0da7a31be662a
File name: New Order.exe
File name: C:\Users\[username]\AppData\Local\Temp\svchost.exe
File size: 879,104 bytes

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

IMAGES

Most of the malware I found in the infected user's AppData\Local\Temp directory also copied itself to other locations. Too many to list here, so I just kept copies from that initial location.

Shown above: Malware retrieved from the infected user's AppData\Local\Temp directory.

Hey, look! Directories are all open on the server hosting the post-infection malware.

Click here to return to the main page.