Wednesday, October 15, 2014

Phish campaign named "Payment Advice"


This post will be my first attempt to write about malware analysis, since I'm kinda new in this arena, so bear with me :)
  • I came across the following file, which was sent via email:
    • Filename: Payment Advice.zip (MD5 9757f0417b34d3029876c6e715c81935)
      • Unzipped file: Payment Advice.exe (MD5 a14b8cf65e2195d228b9b982e9e4d54c)
    • Download site (defanged): woof:://tundecube[.]com/Payment%20Advice.zip
Once the file is executed it performs the following actions on the system:
  • It drops the following files (side.exe and WindowsUpdate.exe have the same MD5 as the original Payment Advice.exe, i.e. the sample simply copies itself):
    • side.exe (MD5 a14b8cf65e2195d228b9b982e9e4d54c) in %AppData%\Microsoft\Windows\Templates\
    • WindowsUpdate.exe (MD5 a14b8cf65e2195d228b9b982e9e4d54c) in %AppData%
    • pid.txt (MD5 e22dd5dabde45eda5a1a67772c8e25dd) in %AppData%
    • pidloc.txt (MD5 cc02e1e3d512cb89ab8fce39614e7260) in %AppData%
  • It performs the following operations on the registry:
    • It sets side.exe to run at startup:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\side = C:\Users\Peter\AppData\Roaming\Microsoft\Windows\Templates\side.exe
    • It sets WindowsUpdate.exe to run at startup as well, even though it is the same file as side.exe, probably as a backup persistence mechanism (the value name "Windows Update" is chosen to blend in with legitimate entries):
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = C:\Users\Peter\AppData\Roaming\WindowsUpdate.exe
    • It opens a listener on port 49951 on localhost.
  • It performs the following network connections:
    • 66.171.248.172 (whatismyipaddress.com):80
    • 203.169.229.58 (ns58.hostingspeed.net):21
    • 203.169.229.58 (ns58.hostingspeed.net):2927
Deeper analysis of these communications shows that the malware first queries whatismyipaddress.com to learn the victim's public IP address. It then opens an FTP connection to ns58.hostingspeed.net (port 21 is the control channel; the second connection to port 2927 on the same host is consistent with a passive-mode FTP data channel) and uploads a file called "Logger_Notification_PETER-PC 10.15.2014 1:39:00 PM.txt", whose name embeds the victim's hostname and the upload time. Since FTP is cleartext, both the login and the uploaded content are fully visible in the capture. See below for the FTP connection and the initial content of the file.
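The host and network indicators above (dropped-file hashes, the two Run values, the localhost listener, the remote endpoints and the "Logger_Notification_..." upload name) can be turned into a small triage script. The following is an added example written for this post, not code from the original analysis or from the malware: it assumes a Regedit .reg export of the HKCU Run key (reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg) and Windows "netstat -ano" output as inputs, and the registry and netstat texts embedded in it are constructed samples in those formats, not real captures. One caveat a practitioner should keep in mind: Run values pointing under AppData\Roaming are also common for legitimate software, so that heuristic is a review signal, not a verdict on its own.

```python
"""Triage helpers for the indicators reported in this post.

Added example, not from the original post. The hashes, Run value names,
remote endpoints, listener port and upload-name pattern come from the post;
the REG_EXPORT and NETSTAT texts are constructed samples, not real artefacts.
"""
import hashlib
import re

# MD5 indicators from the post: the executable is dropped under two names.
IOC_MD5 = {
    "a14b8cf65e2195d228b9b982e9e4d54c": "Payment Advice.exe / side.exe / WindowsUpdate.exe",
    "e22dd5dabde45eda5a1a67772c8e25dd": "pid.txt",
    "cc02e1e3d512cb89ab8fce39614e7260": "pidloc.txt",
}
# (remote IP, port) pairs from the post: public-IP lookup, FTP control, FTP data.
IOC_REMOTE = {("66.171.248.172", 80), ("203.169.229.58", 21), ("203.169.229.58", 2927)}
IOC_RUN_NAMES = {"side", "windows update"}   # Run value names, compared case-insensitively
IOC_LISTEN_PORT = 49951                       # local listener opened by the sample
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Upload seen on the FTP channel: Logger_Notification_<HOST> <M.D.YYYY> <h:mm:ss AM/PM>.txt
LOGGER_NAME = re.compile(r"^Logger_Notification_.+ \d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2} [AP]M\.txt$")

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def hash_blobs(blobs: dict, iocs: dict = IOC_MD5) -> list:
    """Return (name, md5, label) for every {name: bytes} entry whose MD5 is an indicator."""
    hits = []
    for name, data in blobs.items():
        digest = md5_hex(data)
        if digest in iocs:
            hits.append((name, digest, iocs[digest]))
    return hits

def parse_reg_run_values(reg_text: str) -> dict:
    """Return {value name: command} for the HKCU Run key in a .reg export."""
    values, section = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section and section.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes and quotes; undo that
                values[m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values

def suspicious_run_entries(values: dict) -> list:
    """Flag Run values named as in the post, or whose target lives under AppData\\Roaming."""
    hits = []
    for name, cmd in values.items():
        in_roaming = re.search(r"\\AppData\\Roaming\\", cmd, re.IGNORECASE) is not None
        if name.lower() in IOC_RUN_NAMES or in_roaming:  # Roaming match is a triage signal only
            hits.append((name, cmd))
    return hits

def match_connections(netstat_text: str) -> list:
    """Scan "netstat -ano" rows for the post's remote endpoints and the local listener."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":  # UDP rows carry no State column
            continue
        local, remote, state = parts[1], parts[2], parts[3]
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        if (rhost, int(rport)) in IOC_REMOTE:
            hits.append(("c2", rhost, int(rport)))
        if state == "LISTENING" and int(lport) == IOC_LISTEN_PORT:
            hits.append(("listener", lhost, int(lport)))
    return hits

def is_logger_upload(filename: str) -> bool:
    """True for an FTP STOR target that follows the keylogger's report naming."""
    return LOGGER_NAME.match(filename) is not None

# Constructed sample inputs (not real artefacts) in the formats the parsers expect.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /silent"
"side"="C:\\Users\\Peter\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"
"Windows Update"="C:\\Users\\Peter\\AppData\\Roaming\\WindowsUpdate.exe"
'''
NETSTAT = '''
  TCP    127.0.0.1:49951        0.0.0.0:0              LISTENING       2612
  TCP    192.168.1.23:49212     66.171.248.172:80      ESTABLISHED     2612
  TCP    192.168.1.23:49215     203.169.229.58:21      ESTABLISHED     2612
  TCP    192.168.1.23:49216     203.169.229.58:2927    ESTABLISHED     2612
  TCP    192.168.1.23:49300     13.107.4.52:443        ESTABLISHED     1840
  UDP    0.0.0.0:5353           *:*                                    1120
'''

if __name__ == "__main__":
    for hit in suspicious_run_entries(parse_reg_run_values(REG_EXPORT)):
        print("persistence:", hit)
    for hit in match_connections(NETSTAT):
        print("network:", hit)
```

On a live host you would feed parse_reg_run_values the text of the exported .reg file, match_connections the output of netstat -ano, and hash_blobs the bytes of the files found under %AppData% (and the Templates subfolder) so they can be checked against the MD5 list; is_logger_upload is meant for FTP STOR arguments pulled from a packet capture or proxy log, where the hostname and timestamp in the name will differ per victim.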

And here are the contents of the uploaded file; I suspect the file is a keylogger that sends logs of the system every 40 minutes:


Once 40 minutes have passed it sends a report of the data it has collected, see below:

This is how this malware operates: it acts as a keylogger and a trojan. Thank you for reading.