2014-07-30 - MALWARE INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-07-30-sandbox-analysis-of-malware.pcap.zip
- 2014-07-30-extracted-malware-from-email-attachment.zip
TODAY'S EMAIL
MESSAGE TEXT:
Subject: FW : Payment Slip
Date: Wed, 30 Jul 2014 11:20:50 UTC
From: icegate@orientm[.]com
To: undisclosed-recipients:;
Good Day,
Please find attached our deposit payment as authorized by our bank below.
Kindly confirm and start mass production asap.
Looking forward to your immediate response.
Regards,
John Candy
Senior Account Manager.
--------- Original Message --------
From: HSBC Advising Service
To: alex.cheng@technomix[.]com[.]hk <alex.cheng@technomix[.]com[.]hk>
Subject: Payment Advice - Advice Ref:[G62315968954] / Priority payment /
Customer Ref:[DOC 24678]
Date: 30/06/14 12:00
Dear Sir/Madam, The attached payment advice is issued at the request of our
customer. The advice is for your reference only.
Yours faithfully,
Global Payments and Cash
Management HSBC ***********************************************
Last message received on 6/30
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: PAYMENT SLIP SZOETISW KARAMEN VETINAM.7z
File size: 475,331 bytes
MD5 hash: 14968d88c49db1464c17f34da11bdc37
Detection ratio: 11 / 53
First submission: 2014-07-30 11:27:37 UTC
VirusTotal link: https://www.virustotal.com/en/file/c39af73d982ada606d6bf045822b80a2b02a838c0b3e49f86cb40667d5c8c0d9/analysis/
EXTRACTED MALWARE:
File name: PAYMENT SLIP SZOETISW KARAMEN VETINAM.exe
File size: 491,520 bytes
MD5 hash: fd621bbd1a7fcf6d84210e11ac16a310
Detection ratio: 13 / 54
First submission: 2014-07-30 12:35:02 UTC
VirusTotal link: https://www.virustotal.com/en/file/744433f38a6aa3b8377f0b7b21b7d4cdb1797d81445ed1ad8fe68866a79b928d/analysis/
TRAFFIC FROM THE SANDBOX ANALYSIS
HTTP POST REQUESTS:
- 2014-07-30 13:57:32 UTC - 185.28.21[.]30:80 - elaqi.3eeweb[.]com - POST /1/1/gate.php HTTP/1.0
- 2014-07-30 13:57:43 UTC - 185.28.21[.]30:80 - elaqi.3eeweb[.]com - POST /1/1/gate.php HTTP/1.0
ALERTS

Emerging Threats and ETPRO signature hits from Sguil after using tcpreplay on Security Onion:
- 185.28.21[.]30:80 - ET TROJAN Fareit/Pony Downloader Checkin 2 (sid:2014411)
- 185.28.21[.]30:80 - ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System (sid:2007695)
- 185.28.21[.]30:80 - ET TROJAN Trojan Generic - POST To gate.php with no referer (sid:2017930)
- 185.28.21[.]30:80 - ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters (sid:2016173)
- 185.28.21[.]30:80 - ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5. (sid:2016870)
- 185.28.21[.]30:80 - ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK (sid:2014563)
- 185.28.21[.]30:80 - ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98 (sid:2014562)
Sourcefire VRT signature hits reading the PCAP with Snort 2.9.6.0 on Ubuntu 14.04 LTS:
- 2014-07-30 13:57:32 UTC - 185.28.21[.]30:80 - [1:21860:3] EXPLOIT-KIT Phoenix exploit kit post-compromise behavior
- 2014-07-30 13:57:32 UTC - 185.28.21[.]30:80 - [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
- 2014-07-30 13:57:32 UTC - 185.28.21[.]30:80 - [1:21556:7] POLICY-OTHER Microsoft Windows 98 User-Agent string
- 2014-07-30 13:57:33 UTC - 185.28.21[.]30:80 - [1:29870:2] MALWARE-CNC Win.Trojan.Pony HTTP response connection
- 2014-07-30 13:57:43 UTC - 185.28.21[.]30:80 - [1:21860:3] EXPLOIT-KIT Phoenix exploit kit post-compromise behavior
- 2014-07-30 13:57:43 UTC - 185.28.21[.]30:80 - [1:27919:3] MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration
- 2014-07-30 13:57:43 UTC - 185.28.21[.]30:80 - [1:21556:7] POLICY-OTHER Microsoft Windows 98 User-Agent string
- 2014-07-30 13:57:44 UTC - 185.28.21[.]30:80 - [1:29870:2] MALWARE-CNC Win.Trojan.Pony HTTP response connection
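As an added example (not part of the original analysis, and not the actual rule logic of Emerging Threats or Sourcefire), the Python below applies the same observable features the alert names above describe to constructed HTTP messages: a POST to gate.php with no Referer header, a Windows 98 / MSIE 5 User-Agent, high-bit bytes in the POST body, and a STATUS-IMPORT-OK reply from the C2. Only the request line POST /1/1/gate.php HTTP/1.0 comes from the page; the host name, header values and body bytes are assumptions, and the benign login request is constructed for contrast.

```python
import re

# Constructed sample traffic modeled on the request line on this page and on
# the features the ET/VRT signature names check. Host, headers and body bytes
# are assumptions, not data from the page's pcap.
C2_HOST = "c2.example.invalid"  # hypothetical stand-in for the real C2 host

PONY_REQUEST = (
    b"POST /1/1/gate.php HTTP/1.0\r\n"
    + b"Host: " + C2_HOST.encode() + b"\r\n"
    + b"Accept: */*\r\n"
    + b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: 16\r\n"
    + b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    + b"\r\n"
    + bytes([0xC3, 0x89, 0x1F, 0xA4, 0x00, 0xFF, 0x41, 0x42,
             0x93, 0x7E, 0x80, 0x10, 0xE5, 0x21, 0x9A, 0x05])
)

PONY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"STATUS-IMPORT-OK"
)

# Ordinary form login from a current browser; none of the checks should fire.
BENIGN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: https://www.example.com/\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/31.0\r\n"
    b"\r\n"
    b"user=alice&pass=hunter"
)


def parse_http(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, headers, body).

    Header names are lower-cased; values are decoded as latin-1 so that
    non-ASCII bytes never raise. The body is returned as raw bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return start_line, headers, body


def classify_request(raw: bytes) -> list:
    """Return the detection names that fire on one HTTP request.

    Each check mirrors one of the signature names in the alert lists above;
    the exact conditions are this example's own reading of those names."""
    start_line, headers, body = parse_http(raw)
    method, path = start_line.split(" ")[:2]
    ua = headers.get("user-agent", "")
    gate_post = method == "POST" and path.split("?")[0].endswith("/gate.php")
    old_ie = re.search(r"\bMSIE 5\.", ua) is not None
    win98 = "Windows 98" in ua
    hits = []
    if gate_post and "referer" not in headers:
        hits.append("POST to gate.php with no Referer")
    if gate_post and any(b >= 0x80 for b in body):
        hits.append("POST to gate.php with extended ASCII characters")
    if win98:
        hits.append("Windows 98 User-Agent")
    if old_ie:
        hits.append("Unsupported MSIE 5.x User-Agent")
    if gate_post and win98 and old_ie:
        hits.append("Pony/Fareit check-in (MSIE 5 on Win98 posting to gate.php)")
    return hits


def classify_response(raw: bytes) -> list:
    """Flag the STATUS-IMPORT-OK reply a Pony C2 sends back to a check-in."""
    _, _, body = parse_http(raw)
    return ["Pony check-in response STATUS-IMPORT-OK"] if b"STATUS-IMPORT-OK" in body else []


if __name__ == "__main__":
    for label, msg in (("pony request", PONY_REQUEST), ("benign request", BENIGN_REQUEST)):
        print(label, "->", classify_request(msg) or ["no hits"])
    print("pony response ->", classify_response(PONY_RESPONSE))
```

Note the overlap in the VRT hits above: the same POST fires Phoenix exploit kit, Zeus and Pony rules, because "POST to gate.php" with a binary body is shared by several families. The User-Agent and the STATUS-IMPORT-OK response are what narrow this traffic to Pony/Fareit, so in practice the request-side and response-side checks are worth correlating before labelling the infection.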