Notes
  • Malspam posing as Adobe, containing a link to the malware
  • The malware was downloaded while Microsoft Word reported an error trying to open the document itself
PCAP and Malware
Email Information
  • The emails were seen in two versions:

Version A

Sender: billing@adobe.com

Recipient: Redacted

Subject: Adobe Invoice

Version B

Sender: billing@adobe.com

Recipient: Redacted

Subject: Thank you for your purchase

  • Both versions contain the following embedded link: hxxp://80.242.123.211[:]888/Invoice.doc
Network Traffic

Initial Request:

  • 2015-04-07 XX:XX:XX UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /dro.exe

  • The malware didn't run after downloading, so I found it in my 'C:\Users\USER\AppData\Local\Temp' directory and executed it manually from there to generate the following traffic:

  • 2015-04-07 02:34:05 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
  • 2015-04-07 02:34:06 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /spread1.exe
  • 2015-04-07 02:34:08 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
  • 2015-04-07 02:34:09 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /darky.exe
  • 2015-04-07 02:34:11 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
  • 2015-04-07 02:34:12 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /run.exe
  • 2015-04-07 02:34:16 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
  • 2015-04-07 02:35:29 UTC - 80.242.123.208 - fdshjfsh324332432.com - POST /dffgbDFGvf465/YYf.php
IDS alerts using the Emerging Threats Pro Ruleset (ET POLICY and ET INFO disabled) on Snort 2.9.7

2015-04-07 02:34:05 UTC - 192.168.120.167:50640 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:05 UTC - 192.168.120.167:50640 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:08 UTC - 192.168.120.167:50642 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:08 UTC - 192.168.120.167:50642 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:11 UTC - 192.168.120.167:50644 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:11 UTC - 192.168.120.167:50644 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:16 UTC - 192.168.120.167:50646 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:16 UTC - 192.168.120.167:50646 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:35:29 UTC - 192.168.120.167:50647 -> 80.242.123.208:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-04-07 02:35:30 UTC - 80.242.123.208:80 -> 192.168.120.167:50647 - ETPRO TROJAN Fareit/Pony Downloader CnC response
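
The request list and the Snort alerts above line up by server and by time, and the cadence of POST check-in followed by an .exe fetch is the useful detection takeaway. The Python below is an added example, not code from the original post: it embeds the two lists as they appear above, correlates each request with the signatures that fired on the same server, pairs each check-in with the executable fetched right after it, and prints defanged server indicators. The two-second correlation window and the five-second download window are assumptions chosen to fit this timeline.

```python
"""Added example: correlate the HTTP request list with the Snort alerts above
and surface the check-in / fetch loop of the downloader."""
import re
from datetime import datetime, timedelta

# The two lists from the notes above, embedded so the script runs offline.
HTTP_LOG = """
2015-04-07 02:34:05 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
2015-04-07 02:34:06 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /spread1.exe
2015-04-07 02:34:08 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
2015-04-07 02:34:09 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /darky.exe
2015-04-07 02:34:11 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
2015-04-07 02:34:12 UTC - 80.242.123.211:888 - 80.242.123.211:888 - GET /run.exe
2015-04-07 02:34:16 UTC - 5.196.186.17 - poppingb.com - POST /and2/and.php
2015-04-07 02:35:29 UTC - 80.242.123.208 - fdshjfsh324332432.com - POST /dffgbDFGvf465/YYf.php
"""

IDS_LOG = """
2015-04-07 02:34:05 UTC - 192.168.120.167:50640 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:05 UTC - 192.168.120.167:50640 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:08 UTC - 192.168.120.167:50642 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:08 UTC - 192.168.120.167:50642 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:11 UTC - 192.168.120.167:50644 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:11 UTC - 192.168.120.167:50644 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:34:16 UTC - 192.168.120.167:50646 -> 5.196.186.17:80 - ETPRO TROJAN Win32/Gamarue.AQ Checkin
2015-04-07 02:34:16 UTC - 192.168.120.167:50646 -> 5.196.186.17:80 - ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2015-04-07 02:35:29 UTC - 192.168.120.167:50647 -> 80.242.123.208:80 - ET TROJAN Fareit/Pony Downloader Checkin 2
2015-04-07 02:35:30 UTC - 80.242.123.208:80 -> 192.168.120.167:50647 - ETPRO TROJAN Fareit/Pony Downloader CnC response
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC - "
HTTP_RE = re.compile(TS + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))? - "
                     r"(?P<host>\S+) - (?P<method>GET|POST) (?P<path>\S+)$")
IDS_RE = re.compile(TS + r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+ - (?P<sig>.+)$")


def _parse(text, regex):
    """Apply a line regex to every non-empty line; lines that do not match are skipped."""
    out = []
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(d)
    return out


def parse_http(text):
    events = _parse(text, HTTP_RE)
    for e in events:
        e["port"] = int(e["port"] or 80)  # default HTTP port when none was logged
        e["alerts"] = []
    return events


def parse_alerts(text):
    return _parse(text, IDS_RE)


def correlate(events, alerts, window=timedelta(seconds=2)):
    """Attach to each request the distinct signatures that fired against the same
    server (as destination, or as source for a C2 response) within the window.
    An empty list means no rule fired for that request; here that is the case
    for every payload download, which is itself worth noticing."""
    for e in events:
        e["alerts"] = sorted({a["sig"] for a in alerts
                              if e["ip"] in (a["src"], a["dst"])
                              and abs(a["ts"] - e["ts"]) <= window})
    return events


def find_download_loops(events, window=timedelta(seconds=5)):
    """Pair each POST check-in with the first executable fetched from a different
    server within the window: the check-in / fetch / check-in cadence of a
    downloader handing out second-stage binaries."""
    pairs = []
    for i, post in enumerate(events):
        if post["method"] != "POST":
            continue
        for nxt in events[i + 1:]:
            if nxt["ts"] - post["ts"] > window:
                break
            if (nxt["method"] == "GET" and nxt["path"].lower().endswith(".exe")
                    and nxt["ip"] != post["ip"]):
                pairs.append((post["host"] + post["path"], nxt["host"] + nxt["path"]))
                break
    return pairs


def defang(s):
    """Render an indicator so it is not clickable when pasted into a report."""
    return s.replace(".", "[.]")


def iocs(events):
    """Distinct servers contacted, as defanged ip:port strings."""
    return sorted({defang(f"{e['ip']}:{e['port']}") for e in events})


if __name__ == "__main__":
    evts = correlate(parse_http(HTTP_LOG), parse_alerts(IDS_LOG))
    for e in evts:
        print(e["ts"], e["method"], e["host"] + e["path"], "|",
              "; ".join(e["alerts"]) or "(no alert)")
    print("download loops:", find_download_loops(evts))
    print("servers:", iocs(evts))
```

Run as a script it prints the timeline with the alerts beside each request; the three GETs on port 888 come back with no alert at all, so the pairing in find_download_loops is what ties the binaries to the Gamarue check-ins that preceded them.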

Malware Information

Invoice.doc

dro.exe

spread1.exe

darky.exe - Pony/Fareit

run.exe


If you have any feedback or questions please email me at jack@malwarefor.me
Additionally, you can reach out on Twitter or follow for updates