2018-07-02 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

• 2018-07-02-Emotet-malspam-16-email-examples.txt.zip   4.8 kB (4,767 bytes)

• 2018-07-02-Emotet-malspam-16-email-examples.txt   (15,796 bytes)

• 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap.zip   4.6 MB (4,620,312 bytes)

• 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap   (5,303,730 bytes)/li>

• 2018-07-02-malware-associated-with-Emotet-infection.zip   541 kB (541,462 bytes)

• 2018-07-02-downloaded-Word-doc-with-macro-for-Emotet.doc   (232,192 bytes)
• 2018-07-02-Emotet-malware-binary-1-of-2.exe   (208,896 bytes)
• 2018-07-02-Emotet-malware-binary-2-of-2.exe   (203,776 bytes)
• 2018-07-02-Zeus-Panda-Banker-caused-by-Emotet.exe   (223,744 bytes)

 

NOTES:

• Generated this infection in an Active Directory (AD) environment, just to see if anything unusual happened.
• So the traffic in today's pcap is a little messier than in my normal blog posts.
• From what I can tell, nothing unusual happened, other than the expected infection traffic.

Shown above:  Chain of events for today's infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:

• hxxp://all4mums.ru/Client/Past-Due-invoice/
• hxxp://chinaspycam.com/includes/languages/english/html_includes/En/DOC/Account-20064/
• hxxp://chouett-vacances.com/Payment-and-address/Invoice-70195027-070118/
• hxxp://cqfsbj.cn/DOC/Auditor-of-State-Notification-of-EFT-Deposit/
• hxxp://minami.com.tw/DOC/Account-55907/
• hxxp://nagoyamicky.com/cacheqblog/Payment-and-address/Invoice-3838804/
• hxxp://own-transport.com/pub/OVERDUE-ACCOUNT/tracking-number-and-invoice-of-your-order/
• hxxp://www.caglarturizm.com.tr/INVOICE-STATUS/Please-pull-invoice-47924/
• hxxp://www.customaccessdatabase.com/En/Purchase/HRI-Monthly-Invoice/
• hxxp://www.gracetexpro.com/Greeting-eCard/
• hxxp://www.jxprint.ru/Order/Payment/
• hxxp://www.legionofboomfireworks.com/Statement/Direct-Deposit-Notice/
• hxxp://www.marcoantoniocasares.com/Purchase/Pay-Invoice/
• hxxp://www.perezdearceycia.cl/wp-content/FILE/Invoice-23382229-070218/
• hxxp://www.sewamobilbengkulu.web.id/4th-July-2018/
• hxxp://zlc-aa.org/New-Order-Upcoming/588052/
• hxxp://clubvolvoitalia.it/r3z6/
• hxxp://ericconsulting.com/7I3eUNF/
• hxxp://www.goldenfell.ru/media/5DzF30jL/
• hxxp://jmamusical.jp/wordpress/wp-content/L8J0igh/
• hxxp://www.mobsterljud.se/VJkuLg/
• hxxp://74.79.26.193:990/whoami.php
• canariasmotor.top

 

EMAILS

Shown above:  Example of the malspam (raw text with headers and formatting).

 

DATA FROM 16 EMAIL EXAMPLES OF THE MALSPAM:

• Received: from ([80.14.105.108])
• Received: from ([103.55.69.138])
• Received: from ([137.59.225.35])
• Received: from ([196.250.41.105])
• Received: from ([221.163.32.101])
• Received: from 10.0.0.0 ([119.148.37.228])
• Received: from 10.0.0.16 ([211.221.155.202])
• Received: from 10.0.0.20 ([117.240.219.106])
• Received: from 10.0.0.28 ([189.194.248.28])
• Received: from 10.0.0.28 ([220.249.72.99])
• Received: from 10.0.0.30 ([221.163.32.101])
• Received: from 10.0.0.36 ([14.51.231.1])
• Received: from 10.0.0.40 ([187.144.210.26])
• Received: from 10.0.0.49 ([122.160.85.51])
• Received: from 10.0.0.59 ([90.86.57.136])
• Received: from 10.0.0.63 ([221.163.32.101])

 

SPOOFED SENDERS:

• From:  alexa.ballantine@gmail.com <[spoofed sending email address]>
• From:  Jamacapq@sbcglobal.net <[spoofed sending email address]>
• From:  ramakrishna3sbc32@gmail.com <[spoofed sending email address]>
• From: Amanda Fisher <[spoofed sending email address]>
• From: Andrew Clough <[spoofed sending email address]>
• From: andy <[spoofed sending email address]>
• From: Beacon Systems <[spoofed sending email address]>
• From: CYNTHIA HARRY <[spoofed sending email address]>
• From: Darren Hamm <[spoofed sending email address]>
• From: Kira Holden <[spoofed sending email address]>
• From: Marina Eckert <[spoofed sending email address]>
• From: Mike Andrews <[spoofed sending email address]>
• From: Phil Gibson <[spoofed sending email address]>
• From: Priyanka Kapadia <[spoofed sending email address]>
• From: robert biggs <[spoofed sending email address]>
• From: Terry Nelson <[spoofed sending email address]>

 

SUBJECT LINES:

• Subject:  The Fourth of July wishes
• Subject: =?UTF-8?B?Vm9zIGZhY3R1cmVzIGltcGF5w6llcyBkdSAwMi8wNy8yMDE4ICMwMTUtNTgyMQ==?=
• Subject: Darren Hamm 4th of July Greeting Card
• Subject: Final Account
• Subject: INCORRECT INVOICE
• Subject: Invoice Number 13915
• Subject: Invoice Number 55057
• Subject: Invoice# 3988726
• Subject: Outstanding INVOICE FQOVN/2773110/730
• Subject: Outstanding INVOICE XOJR/7763411/6403
• Subject: Please send copy invoice
• Subject: RE: Outstanding INVOICE BIA/066250/5423
• Subject: RTZM3-9044531941
• Subject: Sales Invoice
• Subject: Seperate Remittance Advice Layout - paper document A4
• Subject: Votre facture du 02 juillet Nr. 08296866

 

Shown above:  Word doc generated from link in the malspam.

 

INFECTION TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:

• hxxp://all4mums.ru/Client/Past-Due-invoice/
• hxxp://chinaspycam.com/includes/languages/english/html_includes/En/DOC/Account-20064/
• hxxp://chouett-vacances.com/Payment-and-address/Invoice-70195027-070118/
• hxxp://cqfsbj.cn/DOC/Auditor-of-State-Notification-of-EFT-Deposit/
• hxxp://minami.com.tw/DOC/Account-55907/
• hxxp://nagoyamicky.com/cacheqblog/Payment-and-address/Invoice-3838804/
• hxxp://own-transport.com/pub/OVERDUE-ACCOUNT/tracking-number-and-invoice-of-your-order/
• hxxp://www.caglarturizm.com.tr/INVOICE-STATUS/Please-pull-invoice-47924/
• hxxp://www.customaccessdatabase.com/En/Purchase/HRI-Monthly-Invoice/
• hxxp://www.gracetexpro.com/Greeting-eCard/
• hxxp://www.jxprint.ru/Order/Payment/
• hxxp://www.legionofboomfireworks.com/Statement/Direct-Deposit-Notice/
• hxxp://www.marcoantoniocasares.com/Purchase/Pay-Invoice/
• hxxp://www.perezdearceycia.cl/wp-content/FILE/Invoice-23382229-070218/
• hxxp://www.sewamobilbengkulu.web.id/4th-July-2018/
• hxxp://zlc-aa.org/New-Order-Upcoming/588052/

URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:

• hxxp://clubvolvoitalia.it/r3z6/
• hxxp://ericconsulting.com/7I3eUNF/
• hxxp://www.goldenfell.ru/media/5DzF30jL/
• hxxp://jmamusical.jp/wordpress/wp-content/L8J0igh/
• hxxp://www.mobsterljud.se/VJkuLg/

EMOTET INFECTION TRAFFIC:

• 156.67.209.70 port 80 - www.sewamobilbengkulu.web.id - GET /4th-July-2018/   - returned Word doc
• 94.141.21.54 port 80 - clubvolvoitalia.it - GET /r3z6/   - returned Emotet binary
• 92.27.116.104 port 80 - attempted TCP connections, but no response from the server (caused by Emotet)
• 24.173.127.246 port 443 - 24.173.127.246:443 - POST /   - caused by Emotet
• 185.45.193.240 port 443 - canariasmotor.top - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• 74.79.26.193 port 990 - 74.79.26.193:990 - GET /whoami.php   - caused by Emotet
• 74.79.26.193 port 990 - 74.79.26.193:990 - POST /   - caused by Emotet

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  4b3159ce83df623e093304b48ebf600a4932a2dc8067792b5dec5248d29c4ccf
  File size:  232,192 bytes
  File name:  wishes-July-4th.doc   (random name invloving 4th of July or Independence Day)
  File description:  Word doc downloaded from link in one of the emails.  Has macro to retreive Emotet.

• SHA256 hash:  da4e4afbc50adfaa1b0e3d9288ec77346d9b4ebc6bc8538c7801ef4412b19b71
  File size:  208,896 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Emotet malware binary downloaded by macro in downloaded Word doc

• SHA256 hash:  47280253fad49f9f5ebacb420b30985fc68f22fd3a6e51f41571648ce77a8edd
  File size:  203,776 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Updated Emotet malware binary after the host was infected for a while

• SHA256 hash:  2527c9eb597bd85c4ca2e7a6550cc7480dbb3129dd3d6033e66e82b0988ee061
  File size:  223,744 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
  File description:  Zeus Panda Banker downloaded by my Emotet-infected host

 

FINAL NOTES

Once again, here are the associated files:

• 2018-07-02-Emotet-malspam-16-email-examples.txt.zip   4.8 kB (4,767 bytes)
• 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap.zip   4.6 MB (4,620,312 bytes)
• 2018-07-02-malware-associated-with-Emotet-infection.zip   541 kB (541,462 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.