Malware-Traffic-Analysis.net - 2014-11-12 - Asprox botnet fake Starbucks emails delivered Sirius Win 7 Antivirus 2014

2014-11-12 - ASPROX BOTNET FAKE STARBUCKS EMAILS DELIVERED SIRIUS WIN 7 ANTIVIRUS 2014

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2014-11-12-Asprox-malware-and-artifacts.zip 369.8 kB (369,756 bytes)
2014-11-12-Asprox-malspam-6-examples.zip 12.8 kB (12,792 bytes)

NOTES:

Saw a fresh wave of fake Starbucks emails from the Asprox botnet today. The links point to a zip file that infected my VM with malware called: Sirius Win 7 Antivirus 2014
My infected VM also did a bit of spamming, sending out fake Delta Airlines phishing emails before I took it off-line.

EXAMPLE OF THE EMAILS

SCREENSHOTS:

All six emails were fake Starbucks messages received on 2014-11-12, but this one has a few mistakes and
looks like it was originally sent on 2014-11-10.

LINK TO MALWARE FROM THESE EMAILS:

From: "Starbucks" <support@handycup[.]cz>
Subject: Enjoy your Starbucks Card eGift

Link: mundwerkfreital[.]de/error.php?stb=5aJGjk0nRdCwCLB5BSGJ9OVeZSjT9scAVkGNcSLdXzg

From: "Starbucks" <support@freighttraindigital[.]com>
Subject: Enjoy your Starbucks Card eGift

Link: ritphipsi[.]org/diff.php?stb=skw1QZozuKje0qjjrhzL8CaR1KIHwp6lcrmQ4iBrjpM

From: "Starbucks" <support@ulg.mediagiantdesign[.]com>
Subject: Starbucks Card eGift

Link: stormgeeks[.]com/dump.php?stb=KlHUP9Acz83sJOW8xdPVxSTPjF+I+6G6JrxViBND/C8

From: USPS <shawn@mclarensolutions[.]com[.]au>
Subject: Postal Notification Service

Link: vandammedhe[.]eu/search.php?stb=FHrTiIxaP+2THgoy4qzOjvPEEAAWh+dRZQU87G55HgI

From: "Starbucks" <support@alvarogl[.]com>
Subject: Starbucks Card eGift

Link: owireduyeboahandassociates[.]com/login.php?stb=UIUE39nFGpVxycMpyCfnSIc92jjwrISVcGz21oaNhTs

From: "Starbucks" <support@geldersespringkussenverhuur[.]nl>
Subject: Enjoy your Starbucks Card eGift

Link: postprodsons[.]com/defines.php?stb=9VyzWC5VJcDySbbeoYEaUqxjDeIjSUgpUpFpqT3M6Zo

PRELIMINARY MALWARE ANALYSIS

DOWNLOADED ZIP FILE:

File name: Starbucks_eGift.zip
File size: 71,950 bytes
MD5 hash: 3cb651464905715a0a571f6bd434a7a9
Detection ratio: 13 / 55
First submission: 2014-11-12 19:25:08 UTC
VirusTotal link: https://www.virustotal.com/en/file/e6dc1655d31aec69533d9c8bec205615a164b66eed48176cd63140707a3a5cde/analysis/

EXTRACTED MALWARE:

File name: Starbucks_eGift.exe
File size: 109,568 bytes
MD5 hash: 37f9766153ea52766d11839868f10648
Detection ratio: 13 / 55
First submission: 2014-11-12 19:25:45 UTC
VirusTotal link: https://www.virustotal.com/en/file/c21d40e8cd713a1dbdf6491abd9ce3dc11ba3f3312c7081fcb3be353b8b8e89f/analysis/

SOME DROPPED ARTIFACTS ON THE INFECTED VM:

DROPPED EXE (1 OF 2):

File name: pvmqjsqv.exe
File size: 111,616 bytes
MD5 hash: 3a682c34371938570231f466be7c53a8
Detection ratio: 5 / 54
First submission: 2014-11-12 19:26:49 UTC
VirusTotal link: https://www.virustotal.com/en/file/a8ee33e4d8fc0900a3b99aff70437d4b878c7031eca48928300234e48938c77a/analysis/

DROPPED EXE (2 OF 2):

File name: reqxtpxq.exe
File size: 80.5 KB ( 82432 bytes )
MD5 hash: eae6fd5531d1101332b47b33ac7bdad3
Detection ratio: 4 / 53
First submission: 2014-11-12 17:23:12 UTC
VirusTotal link: https://www.virustotal.com/en/file/0b1bfdd4a4fce450429fb9494b5d860cc1a0bdb2e4a122790596aa01bd6aa55e/analysis/

INFECTION TRAFFIC

DOWNLOADING THE MALWARE FROM LINK IN THE EMAIL:

18:27:18 UTC - 185.21.100[.]134:80 - mundwerkfreital[.]de - GET /error.php?stb=5aJGjk0nRdCwCLB5BSGJ9OVeZSjT9scAVkGNcSLdXzg

INFECTION TRAFFIC WHEN RUNNING THE MALWARE AND SEEING THE FAKE ANTI-VIRUS:

18:34:01 UTC - 212.129.21[.]210:443 - POST /index.php
18:34:09 UTC - 89.144.14[.]44:80 - glohhstt7.com - GET /FiGcq15uk9c0jEnSjQhDBrRmh4c5HvCnn8aPPAvnpVV2L9p2jjtNsJJPyVqNhQ==
18:36:04 UTC - 212.129.21[.]210:443 - POST /index.php
18:38:08 UTC - 212.129.21[.]210:443 - POST /index.php
18:40:10 UTC - 212.129.21[.]210:443 - POST /index.php
18:40:12 UTC - 212.26.132[.]65:443 - POST /cb/board.pl
18:42:33 UTC - 212.129.21[.]210:443 - POST /index.php
18:44:35 UTC - 212.129.21[.]210:443 - POST /index.php
18:46:29 UTC - 72.51.46[.]206:8080 - POST /cb/board.pl
18:46:37 UTC - 212.129.21[.]210:443 - POST /index.php

Lots of SMTP traffic [I let this run much longer than I intended...]

TRAFFIC FOR THE WEB PAGE THAT APPEARED WHEN I CLICKED TO REGISTER THE PRODUCT:

18:39:10 UTC - 89.144.14[.]44:80 - glohhst7[.]com - GET /fV1ZWTobDzEb1zQdLFOmB4folVTIY2uXvKVA2yfMctZiq_f8Cvr7W49_4ueCkuu_9vSv_02l
18:39:10 UTC - 89.144.14[.]44:80 - glohhst7[.]com - serveral other HTTP GET requests for the web page components

SNORT EVENTS

Signature hits from Emerging Threats and ETPRO rulesets from Sguil on Security Onion:

ET TROJAN Kuluoz/Asprox Activity (sid:2017895)
ET TROJAN Kuluoz/Asprox CnC Response (sid:2019187)
ET TROJAN Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6) (sid:2018336)
ETPRO TROJAN Common Downloader Header Pattern HCa (sid:2803304)

SCREENSHOTS

Trying one of the email links in a web browser got me the malicious zip file:

When I ran the fake Starbucks malware, I got the following message:

Shortly after running the malware, I got a notification from the fake anti-virus that my system had been breached:

Here's the fake anti-virus Sirius Win 7 Antivirus 2014 doing a fake scan on the infected VM:

Another fake reminder, as the malware tries to get me to register:

Here's the window that pops up when you try to register:

The infected VM will occasionally generate more fake anti-virus alerts like this one:

I couldn't run the registry editor or look at any of the files in my infected VM's AppData\Local\Temp directory. I would always get one of these warnings:

Meanwhile, here's some of the HTTP POST traffic generated by the infected VM:

Here's HTTP web traffic associated with this particular version of the Sirius Win 7 Antivirus 2014 malware:

Here's an example of the fake Delta Airlines phishing emails sent by my infected VM before I took it off-line:

Click here to return to the main page.