2018-07-03 - EMOTET INFECTION TRAFFIC WITH ZEUS PANDA BANKER

ASSOCIATED FILES:

• 2018-07-03-Emotet-malspam-12-email-examples.txt.zip   3.8 kB (3,804 bytes)

• 2018-07-03-Emotet-malspam-12-email-examples.txt   (11,850 bytes)

• 2018-07-03-Emotet-malspam-infection-traffic.pcap   6.5 MB (6,471,410 bytes)

• 2018-07-03-Emotet-malspam-infection-traffic.pcap   (7,684,057 bytes)/li>

• 2018-07-03-malware-associated-with-Emotet-infection.zip   442 kB (442,252 bytes)

• 2018-07-03-Emotet-malware-binary.exe   (106,496 bytes)
• 2018-07-03-Zeus-Panda-Banker-caused-by-Emotet.exe   (328,704 bytes)
• 2018-07-03-downloaded-Word-doc-with-macro-for-Emotet.doc   (260,352 bytes)

 

NOTES:

• Emotet followed-up with Zeus Panda Banker today, just like I saw yesterday.

Shown above:  Chain of events for today's infection.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domain:

• hxxp://www.2019voting.com/4th-July-2018/
• hxxp://www.anadolu-yapi.xyz/INVOICE-STATUS/Direct-Deposit-Notice/
• hxxp://www.bollywoodvillage.bid/STATUS/Order-7157584074/
• hxxp://www.codystaffing.com/Jul2018/854082/
• hxxp://www.download.viamedia.ba/Client/Auditor-of-State-Notification-of-EFT-Deposit/
• hxxp://www.farsheazam.com/wp-content/US_us/DOC/Pay-Invoice/
• hxxp://www.fuzoneeducations.com/Greeting-messages/
• hxxp://www.iamgauravkothari.com/IndependenceDay2018/
• hxxp://www.ineds.org.br/Order/Invoice-3868803421-07-03-2018/
• hxxp://www.kalyoncular.com.tr/Messages-2018/
• hxxp://www.live-jasmin-com.net/Messages-2018/
• hxxp://www.magazine.asifabih.com/Greeting-eCard/
• hxxp://www.kotizacija.branding.ba/TsUbf7QLJ/
• hxxp://avciogluaydinlatma.com/CQAPGgy/
• hxxp://www.elgg.tedzplace.ca/srfL4zx0IH/
• hxxp://www.creapackthai.com/ECd4TX4iyK/
• hxxp://iclub8.hk/Wu6OsKK/
• canariasmotor.top
• adshiepkhach.top

 

EMAILS

Shown above:  Example of the malspam (raw text with headers and formatting).

 

DATA FROM 12 EMAIL EXAMPLES OF THE MALSPAM:

• Received: from 10.0.0.2 ([196.25.35.242])
• Received: from 10.0.0.9 ([62.77.189.201])
• Received: from 10.0.0.20([221.163.32.101])
• Received: from 10.0.0.39 ([201.229.68.226])
• Received: from 10.0.0.43 ([60.250.207.85])
• Received: from 10.0.0.52 ([124.29.232.31])
• Received: from 10.0.0.59 ([221.163.32.101])
• Received: from 10.0.0.60 ([77.154.199.135])
• Received: from ([84.53.85.205])
• Received: from ([187.189.74.206])
• Received: from ([189.161.92.155])
• Received: from ([213.111.22.95])

 

SPOOFED SENDERS:

• From: Amanda Salitsky <[spoofed sending email address]>
• From: Crispin, David J. <[spoofed sending email address]>
• From: Jade Sivell <[spoofed sending email address]>
• From: John Doris <[spoofed sending email address]>
• From: Jon Forrester <[spoofed sending email address]>
• From: Lic. Enrique Alvarez <[spoofed sending email address]>
• From: Michele Davies <[spoofed sending email address]>
• From: Milan Marsic <[spoofed sending email address]>
• From: Nicola mobile <[spoofed sending email address]>
• From: Patrick Bingham <[spoofed sending email address]>
• From: Scott Crowe <[spoofed sending email address]>
• From: William King <[spoofed sending email address]>

 

SUBJECT LINES:

• Subject:  4th of July congratulation
• Subject:  4th of July eCard
• Subject:  4th of July Greeting eCard
• Subject:  Happy 4th of July Greeting Message
• Subject:  The Fourth of July wishes
• Subject: ACCOUNT#94895547-Milan Marsic
• Subject: Invoice 897614 from Patrick Bingham
• Subject: Invoices Overdue
• Subject: NYPXV7-16497063849
• Subject: Payment
• Subject: Purchases 2018
• Subject: Scott Crowe The 4th of July Greeting eCard

 

Shown above:  Word doc generated from link in the malspam.

 

INFECTION TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

URLS FROM THE MALSPAM TO DOWNLOAD THE INITIAL WORD DOCUMENT:

• hxxp://www.2019voting.com/4th-July-2018/
• hxxp://www.anadolu-yapi.xyz/INVOICE-STATUS/Direct-Deposit-Notice/
• hxxp://www.bollywoodvillage.bid/STATUS/Order-7157584074/
• hxxp://www.codystaffing.com/Jul2018/854082/
• hxxp://www.download.viamedia.ba/Client/Auditor-of-State-Notification-of-EFT-Deposit/
• hxxp://www.farsheazam.com/wp-content/US_us/DOC/Pay-Invoice/
• hxxp://www.fuzoneeducations.com/Greeting-messages/
• hxxp://www.iamgauravkothari.com/IndependenceDay2018/
• hxxp://www.ineds.org.br/Order/Invoice-3868803421-07-03-2018/
• hxxp://www.kalyoncular.com.tr/Messages-2018/
• hxxp://www.live-jasmin-com.net/Messages-2018/
• hxxp://www.magazine.asifabih.com/Greeting-eCard/

URLS FROM MACRO IN THE DOWNLOADED WORD DOC TO GRAB AN EMOTET BINARY:

• hxxp://www.kotizacija.branding.ba/TsUbf7QLJ/
• hxxp://avciogluaydinlatma.com/CQAPGgy/
• hxxp://www.elgg.tedzplace.ca/srfL4zx0IH/
• hxxp://www.creapackthai.com/ECd4TX4iyK/
• hxxp://iclub8.hk/Wu6OsKK/

EMOTET INFECTION TRAFFIC:

• 45.63.31.206 port 80 - www.grabaspace.com - GET /Greeting-eCard/   - returned Word doc
• 64.13.232.218 port 80 - www.kotizacija.branding.ba - GET /TsUbf7QLJ/   - returned Emotet binary
• 189.197.62.222 port 443 - 189.197.62.222:443 - POST /   - caused by Emotet
• 178.18.125.1 port 443 - 178.18.125.1:8080 - POST /   - caused by Emotet
• 187.163.39.35 port 80 - attempted TCP connections, but no response from the server (caused by Emotet)
• 177.244.172.62 port 80 - attempted TCP connections, but no response from the server (caused by Emotet)
• 200.92.37.146 port 443 - attempted TCP connections, but no response from the server (caused by Emotet)
• 185.45.193.240 port 443 - canariasmotor.top - HTTPS/SSL/TLS traffic caused by Zeus Panda Banker
• DNS query for adshiepkhach.top (response: No such name)

 

MALWARE

MALWARE RETRIEVED FROM MY INFECTED WINDOWS HOST:

• SHA256 hash:  64c273bd9ecd24d41d8b540da31a0a5b906701b7b0ef0e3c4afeac244c38a51f
  File size:  260,352 bytes
  File name:  Greeting-Card-The-Fourth-of-July.doc   (random name invloving 4th of July or Independence Day)
  File description:  Word doc downloaded from link in one of the emails.  Has macro to retreive Emotet.

• SHA256 hash:  2162c42b68af7f56590335a0fcead8e19b1b103acdf0bc3d783db17c9c637999
  File size:  106,496 bytes
  File location:  C:\Users\[username]\AppData\Local\Microsoft\Windows\[random file name].exe
  File description:  Emotet malware binary downloaded by macro in downloaded Word doc

• SHA256 hash:  bc394ca7b7db058dab18ad8f612fe99c734006f034945b1336682e4728a4e932
  File size:  328,704 bytes
  File location:  C:\Users\[username]\AppData\Roaming\[existing directory path]\[random file name].exe
  File description:  Zeus Panda Banker downloaded by my Emotet-infected host

 

FINAL NOTES

Once again, here are the associated files:

• 2018-07-03-Emotet-malspam-12-email-examples.txt.zip   3.8 kB (3,804 bytes)
• 2018-07-03-Emotet-malspam-infection-traffic.pcap   6.5 MB (6,471,410 bytes)
• 2018-07-03-malware-associated-with-Emotet-infection.zip   442 kB (442,252 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.