2015-03-24 - CHANITOR/VAWTRAK INFECTION FROM EMAIL ATTACHMENT

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2015-03-24-Chanitor-and-Vawtrak-infection-traffic.pcap.zip
• 2015-03-24-Chanitor-and-Vawtrak-files.zip

 

EMAIL

 

TRAFFIC

Traffic from infected host:

• 2015-03-24 18:18:18 UTC - 191.194.254[.]215 port 80 - 91.194.254[.]215 - GET /us/file.exe
• 2015-03-24 18:18:21 UTC - 5.9.99[.]35 port 80 - savepic[.]su - GET /5503653.png
• 2015-03-24 18:19:20 UTC - port 443 - HTTPS traffic to: api.ipify[.]org
• 2015-03-24 18:19:22 UTC - 192.251.226[.]206 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web.blutmagie[.]de
• 2015-03-24 18:19:32 UTC - 82.130.26[.]27 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web[.]fi
• 2015-03-24 18:19:34 UTC - port 80 - aia.startssl[.]com - GET /certs/sub.class2.server.ca.crt
• 2015-03-24 18:19:34 UTC - port 80 - aia.startssl[.]com - GET /certs/ca.crt
• 2015-03-24 18:20:06 UTC - 194.150.168[.]70 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web[.]org
• 2015-03-24 18:20:07 UTC - 38.229.70[.]4 port 443 - encrypted traffic to: l7gbml27czk3kvr5.tor2web[.]org

 

ALERTS

EmeringThreats / ETPRO ruleset (not counting ET POLICY or ET INFO rules):

• 5.9.99[.]35 port 80 - ETPRO TROJAN Probably Evil MS Office HTTP request to savepic[.]su (sid:2810166)
• 192.251.226[.]206 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
• 82.130.26[.]27 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)
• 38.229.70[.]4 port 443 - ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1) (sid:2016806)

Snort (Cisco Talos) ruleset:

• 91.194.254[.]215 port 80 - [1:11192:16] FILE-EXECUTABLE download of executable content
• 91.194.254[.]215 port 80 - [1:15306:18] FILE-EXECUTABLE Portable Executable binary file magic detected
• DNS request for: savepic[.]su - [1:27721:3] INDICATOR-COMPROMISE Suspicious .su dns query
• DNS request for: l7gbml27czk3kvr5.tor2web[.]org - [1:33216:1] INDICATOR-COMPROMISE DNS request for known malware domain tor2web[.]org

 

MALWARE

Malware from infected host:

• label_30192401.doc - MD5 hash: 1f2a562a4fcde5227cdf2d83c0279355
• C:Users\username\AppData\Local\Temp\444.exe - MD5 hash: 83c0b99427c026aad36b0d8204377702 (Chanitor)
• C:Users\username\AppData\Local\Temp\444.jpg - MD5 hash: 57e396baedfe1a034590339082b9abce
• C:Users\username\AppData\Local\Temp\___B727.exe - MD5 hash: 715a1df177c18416aa38bd8a28e342ea
• C:\ProgramData\LebsOnvaz\KasirAnemf.bey - MD5 hash: 938e07444c9363e64fe5e93cf5ff3a34 (Vawtrak)

 

 

Click here to return to the main page.