2014-10-07 - MALWARE INFECTION FROM EMAIL ATTACHMENT
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2014-10-07-email-tracker.csv.zip
- 2014-10-07-running-the-malware-in-a-VM.pcap.zip
- 2014-10-07-malware-samples.zip
NOTES:
- This one has characteristics of an Asprox botnet email:
- The URL for downloading the zip file has the same pattern I've noticed in other Asrpox botnet emails (see below).
- The same URL gave different file names when I downloaded it by proxying through different IP addresses:
- Those different file names have different file hashes for what's really the same malware:
- Post-infection traffic from the infected VM is similar to some of the traffic I've seen before with malware from Asprox botnet emails.
- A good description of recent Asprox botnet meail activity can be found at: https://stopmalvertising.com/malware-reports/asprox-update-version-2050.html
- I've included a spreadsheet listing the dates, times, and senders on 494 emails with the same subject line. This particular wave of emails started on Thursday, 2014-10-02.
EXAMPLE OF THE EMAILS
SCREENSHOT:
MESSAGE TEXT:
From: LINE <stamps@kingsign[.]com>
Sent: Monday, October 06, 2014 4:23 PM
To:
Subject: You have a voice message
LINE LINE: Free Calls & Messages
You have a voice message, listen it now
LINE NOTIFICATION Time: 21:12:45 01 Oct 2014, Duration: 45sec
Coypright (c) 2014 All rights reserved
PRELIMINARY MALWARE ANALYSIS
EMAIL ATTACHMENT:
File name: LINE_Call.zip
File size: 82,323 bytes
MD5 hash: 92d86a4847988aad3eaef5d609308c97
Detection ratio: 5 / 55
First submission: 2014-10-07 23:18:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/7929c2c9b585ef354bcd5e89a8ddc0fda68254b6bcfb6b6e5f08d4233e023a63/analysis/
EXTRACTED MALWARE:
File name: LINE_Call.exe
File size: 131,072 bytes
MD5 hash: 68edcf990db2e27af7d0f42abf8740ba
Detection ratio: 5 / 54
First submission: 2014-10-07 23:18:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/e4ac9107b13fed461776035c4e7abf99b95f6d6eec4ce813804118168e96dc70/analysis/
INFECTION TRAFFIC
DOWNLOADING AND EXECUTING THE MALWARE ON A VM:
- 2014-10-07 22:21:47 UTC - 5.101.153[.]13:80 - ufahostel[.]net - GET /cache.php?line=N0y0+6A5BRlOjajVITibzg
- 2014-10-07 22:31:27 UTC - 96.30.22[.]96:8080 - 96.30.22[.]96:8080 - POST /index.php
SNORT EVENTS FROM VM INFECTION
Emerging Threats events from Sguil on Security Onion:
- 2014-10-07 22:21:54 UTC - 5.101.153[.]13:80 - ET POLICY ZIPPED EXE in transit (sid:2001404)
- 2014-10-07 22:31:27 UTC - 96.30.22[.]96:8080 - ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
- 2014-10-07 22:31:27 UTC - 96.30.22[.]96:8080 - ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2 (sid:2018359)
SCREENSHOTS FROM THE TRAFFIC
When you try the link, and it doesn't like your source IP address, you get the following message:
I got this one by proxying through a Canadian IP address:
Kuluoz/Asprox-style callback traffic from the infected VM:
Click here to return to the main page.