2018-07-02 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER
ASSOCIATED FILES:
- 2018-07-02-Emotet-malspam-16-email-examples.txt.zip 4.8 kB (4,767 bytes)
- 2018-07-02-Emotet-malspam-16-email-examples.txt (15,796 bytes)
- 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap.zip 4.6 MB (4,620,312 bytes)
- 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap (5,303,730 bytes)
- 2018-07-02-malware-associated-with-Emotet-infection.zip 541 kB (541,462 bytes)
- 2018-07-02-downloaded-Word-doc-with-macro-for-Emotet.doc (232,192 bytes)
- 2018-07-02-Emotet-malware-binary-1-of-2.exe (208,896 bytes)
- 2018-07-02-Emotet-malware-binary-2-of-2.exe (203,776 bytes)
- 2018-07-02-Zeus-Panda-Banker-caused-by-Emotet.exe (223,744 bytes)
NOTES:
- Generated this infection in an Active Directory (AD) environment, just to see if anything unusual happened.
- So the traffic in today's pcap is a little messier than in my normal blog posts.
- From what I can tell, nothing unusual happened, other than the expected infection traffic.
Shown above: Chain of events for today's infection.
WEB TRAFFIC BLOCK LIST
Indicators are not a block list. If you feel the need to block web traffic, I suggest the following URLs and domain:
- hxxp://all4mums.ru/Client/Past-Due-invoice/
- hxxp://chinaspycam.com/includes/languages/english/html_includes/En/DOC/Account-20064/
- hxxp://chouett-vacances.com/Payment-and-address/Invoice-70195027-070118/
- hxxp://cqfsbj.cn/DOC/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://minami.com.tw/DOC/Account-55907/
- hxxp://nagoyamicky.com/cacheqblog/Payment-and-address/Invoice-3838804/
- hxxp://own-transport.com/pub/OVERDUE-ACCOUNT/tracking-number-and-invoice-of-your-order/
- hxxp://www.caglarturizm.com.tr/INVOICE-STATUS/Please-pull-invoice-47924/
- hxxp://www.customaccessdatabase.com/En/Purchase/HRI-Monthly-Invoice/
- hxxp://www.gracetexpro.com/Greeting-eCard/
- hxxp://www.jxprint.ru/Order/Payment/
- hxxp://www.legionofboomfireworks.com/Statement/Direct-Deposit-Notice/
- hxxp://www.marcoantoniocasares.com/Purchase/Pay-Invoice/
- hxxp://www.perezdearceycia.cl/wp-content/FILE/Invoice-23382229-070218/
- hxxp://www.sewamobilbengkulu.web.id/4th-July-2018/
- hxxp://zlc-aa.org/New-Order-Upcoming/588052/
- hxxp://clubvolvoitalia.it/r3z6/
- hxxp://ericconsulting.com/7I3eUNF/
- hxxp://www.goldenfell.ru/media/5DzF30jL/
- hxxp://jmamusical.jp/wordpress/wp-content/L8J0igh/
- hxxp://www.mobsterljud.se/VJkuLg/
- hxxp://74.79.26.193:990/whoami.php
- canariasmotor.top
EMAILS
Shown above: Example of the malspam (raw text with headers and formatting).
DATA FROM 16 EMAIL EXAMPLES OF THE MALSPAM:
- Received: from ([80.14.105.108])
- Received: from ([103.55.69.138])
- Received: from ([137.59.225.35])
- Received: from ([196.250.41.105])
- Received: from ([221.163.32.101])
- Received: from 10.0.0.0 ([119.148.37.228])
- Received: from 10.0.0.16 ([211.221.155.202])
- Received: from 10.0.0.20 ([117.240.219.106])
- Received: from 10.0.0.28 ([189.194.248.28])
- Received: from 10.0.0.28 ([220.249.72.99])
- Received: from 10.0.0.30 ([221.163.32.101])
- Received: from 10.0.0.36 ([14.51.231.1])
- Received: from 10.0.0.40 ([187.144.210.26])
- Received: from 10.0.0.49 ([122.160.85.51])
- Received: from 10.0.0.59 ([90.86.57.136])
- Received: from 10.0.0.63 ([221.163.32.101])
SPOOFED SENDERS:
- From: alexa.ballantine@gmail.com <[spoofed sending email address]>
- From: Jamacapq@sbcglobal.net <[spoofed sending email address]>
- From: ramakrishna3sbc32@gmail.com <[spoofed sending email address]>
- From: Amanda Fisher <[spoofed sending email address]>
- From: Andrew Clough <[spoofed sending email address]>
- From: andy <[spoofed sending email address]>
- From: Beacon Systems <[spoofed sending email address]>
- From: CYNTHIA HARRY <[spoofed sending email address]>
- From: Darren Hamm <[spoofed sending email address]>
- From: Kira Holden <[spoofed sending email address]>
- From: Marina Eckert <[spoofed sending email address]>
- From: Mike Andrews <[spoofed sending email address]>
- From: Phil Gibson <[spoofed sending email address]>
- From: Priyanka Kapadia <[spoofed sending email address]>
- From: robert biggs <[spoofed sending email address]>
- From: Terry Nelson <[spoofed sending email address]>
SUBJECT LINES:
- Subject: The Fourth of July wishes
- Subject: =?UTF-8?B?Vm9zIGZhY3R1cmVzIGltcGF5w6llcyBkdSAwMi8wNy8yMDE4ICMwMTUtNTgyMQ==?=
- Subject: Darren Hamm 4th of July Greeting Card
- Subject: Final Account
- Subject: INCORRECT INVOICE
- Subject: Invoice Number 13915
- Subject: Invoice Number 55057
- Subject: Invoice# 3988726
- Subject: Outstanding INVOICE FQOVN/2773110/730
- Subject: Outstanding INVOICE XOJR/7763411/6403
- Subject: Please send copy invoice
- Subject: RE: Outstanding INVOICE BIA/066250/5423
- Subject: RTZM3-9044531941
- Subject: Sales Invoice
- Subject: Seperate Remittance Advice Layout - paper document A4
- Subject: Votre facture du 02 juillet Nr. 08296866
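As an added example (not code from the original post), a small Python triage script over a constructed message whose headers follow the shapes listed above: it decodes the RFC 2047 subject line, pulls the display name out of the spoofed From: line, and flags the Received: hop where the sending client names itself with a 10.0.0.x address while connecting from a public IP. Relay names, mailbox addresses and the body are invented placeholders.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: header shapes follow the malspam data above (10.0.0.x HELO with a
# public connecting IP, display-name From:, RFC 2047 subject); relays/addresses are placeholders.
SAMPLE_EMAIL = """\
Received: from mx.example.invalid (mx.example.invalid [203.0.113.5])
    by mail.example.invalid; Mon, 2 Jul 2018 10:00:00 +0000
Received: from 10.0.0.16 ([211.221.155.202])
    by mx.example.invalid; Mon, 2 Jul 2018 09:59:00 +0000
From: Kira Holden <spoofed-sender@example.invalid>
Subject: =?UTF-8?B?Vm9zIGZhY3R1cmVzIGltcGF5w6llcyBkdSAwMi8wNy8yMDE4ICMwMTUtNTgyMQ==?=

Please see the invoice at the link below.
"""

# Matches "from <helo> ([<ip>])"; the HELO name may be empty, as in several hops above.
RECEIVED_RE = re.compile(r"from\s*(?P<helo>\S*?)\s*\(\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)")

def parse_received(value):
    """Return (helo_name, connecting_ip) for a 'from X ([ip])' hop, else None."""
    m = RECEIVED_RE.search(value)
    return (m.group("helo"), m.group("ip")) if m else None

def is_private(text):
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:  # hostname or empty string, not an IP literal
        return False

def triage(raw):
    """Pull sender, decoded subject and Received hops out of one raw email."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [h for h in (parse_received(str(v)) for v in msg.get_all("Received", [])) if h]
    sender = msg["From"].addresses[0]
    findings = []
    for helo, ip in hops:
        # Spambot-style hop: RFC 1918 (or empty) HELO name, public connecting address.
        if not is_private(ip) and (helo == "" or is_private(helo)):
            findings.append(f"private/empty HELO {helo!r} from public IP {ip}")
    return {
        "display_name": sender.display_name,
        "address": sender.addr_spec,
        "subject": str(msg["Subject"]),  # encoded-words are decoded by policy.default
        "hops": hops,
        "findings": findings,
    }
```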
Shown above: Word doc generated from link in the malspam.
INFECTION TRAFFIC
Shown above: Traffic from an infection filtered in Wireshark.
URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:
- hxxp://all4mums.ru/Client/Past-Due-invoice/
- hxxp://chinaspycam.com/includes/languages/english/html_includes/En/DOC/Account-20064/
- hxxp://chouett-vacances.com/Payment-and-address/Invoice-70195027-070118/
- hxxp://cqfsbj.cn/DOC/Auditor-of-State-Notification-of-EFT-Deposit/
- hxxp://minami.com.tw/DOC/Account-55907/
- hxxp://nagoyamicky.com/cacheqblog/Payment-and-address/Invoice-3838804/
- hxxp://own-transport.com/pub/OVERDUE-ACCOUNT/tracking-number-and-invoice-of-your-order/
- hxxp://www.caglarturizm.com.tr/INVOICE-STATUS/Please-pull-invoice-47924/
- hxxp://www.customaccessdatabase.com/En/Purchase/HRI-Monthly-Invoice/
- hxxp://www.gracetexpro.com/Greeting-eCard/
- hxxp://www.jxprint.ru/Order/Payment/
- hxxp://www.legionofboomfireworks.com/Statement/Direct-Deposit-Notice/
- hxxp://www.marcoantoniocasares.com/Purchase/Pay-Invoice/
- hxxp://www.perezdearceycia.cl/wp-content/FILE/Invoice-23382229-070218/
- hxxp://www.sewamobilbengkulu.web.id/4th-July-2018/
- hxxp://zlc-aa.org/New-Order-Upcoming/588052/
URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:
- hxxp://clubvolvoitalia.it/r3z6/
- hxxp://ericconsulting.com/7I3eUNF/
- hxxp://www.goldenfell.ru/media/5DzF30jL/
- hxxp://jmamusical.jp/wordpress/wp-content/L8J0igh/
- hxxp://www.mobsterljud.se/VJkuLg/
EMOTET INFECTION TRAFFIC:
- 156.67.209.70 port 80 - www.sewamobilbengkulu.web.id - GET /4th-July-2018/ - returned Word doc
- 94.141.21.54 port 80 - clubvolvoitalia.it - GET /r3z6/ - returned Emotet binary
- 92.27.116.104 port 80 - attempted TCP connections, but no response from the server (caused by Emotet)
- 24.173.127.246 port 443 - 24.173.127.246:443 - POST / - caused by Emotet
- 185.45.193.240 port 443 - canariasmotor.top - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
- 74.79.26.193 port 990 - 74.79.26.193:990 - GET /whoami.php - caused by Emotet
- 74.79.26.193 port 990 - 74.79.26.193:990 - POST / - caused by Emotet
MALWARE
MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:
- SHA256 hash: 4b3159ce83df623e093304b48ebf600a4932a2dc8067792b5dec5248d29c4ccf
File size: 232,192 bytes
File name: wishes-July-4th.doc (random name involving 4th of July or Independence Day)
File description: Word doc downloaded from link in one of the emails. Has macro to retrieve Emotet.
- SHA256 hash: da4e4afbc50adfaa1b0e3d9288ec77346d9b4ebc6bc8538c7801ef4412b19b71
File size: 208,896 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
File description: Emotet malware binary downloaded by macro in downloaded Word doc
- SHA256 hash: 47280253fad49f9f5ebacb420b30985fc68f22fd3a6e51f41571648ce77a8edd
File size: 203,776 bytes
File location: C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
File description: Updated Emotet malware binary after the host was infected for a while
- SHA256 hash: 2527c9eb597bd85c4ca2e7a6550cc7480dbb3129dd3d6033e66e82b0988ee061
File size: 223,744 bytes
File location: C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
File description: Zeus Panda Banker downloaded by my Emotet-infected host
FINAL NOTES
Once again, here are the associated files:
- 2018-07-02-Emotet-malspam-16-email-examples.txt.zip 4.8 kB (4,767 bytes)
- 2018-07-02-Emotet-malspam-infection-traffic-in-AD-environment.pcap.zip 4.6 MB (4,620,312 bytes)
- 2018-07-02-malware-associated-with-Emotet-infection.zip 541 kB (541,462 bytes)
Zip archives are password-protected with the standard password. If you don't know it, look at the "about" page of this website.