2018-03-30 - MALSPAM PUSHING POSSIBLE URSNIF THROUGH BATCH FILES

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• Zip archive of the malspam tracker:  2018-03-30-possible-Ursnif-malspam-tracker.csv.zip   1.3 kB (1,272 bytes)
• Zip archive of the infection traffic:  2018-03-30-possible-Ursnif-infection-traffic-2-pcaps.zip   12.8 MB (12,726,386 bytes)
• Zip archive of the associated emails, malware, and artifacts:  2018-03-30-malspam-and-possible-Ursnif-malsware.zip   3.8 MB (3,810,214 bytes)

 

NOTES:

• In two infections from this malspam, I got two variants of Ursnif.
• One sample used HTTP GET and POST requests in the post-infection traffic over TCP port 80
• The other sample used tor traffic for the post-infection activity
• From what I understand, these are both possibly Ursnif.
• The associated PDF files are decoys.  They are not malicious, but they may be unique enough, they may an indicator.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

• hxxp[:]//www.ebbsoft[.]com/gifs/gp.php
• hxxp[:]//www.ebbsoft[.]com/gifs/us.php
• hxxp[:]//www.birbantband[.]it/images/gen.php
• hxxp[:]//www.birbantband[.]it/images/up.php
• hxxp[:]//www.humancad[.]com/gr.php
• hxxp[:]//www.humancad[.]com/ut.php
• hxxps://www.fasttrackse[.]com/gr.php
• hxxps://www.fasttrackse[.]com/ut.php
• hxxp[:]//pansardo[.]com/daily.php
• f11.karilor[.]at
• abn.zitti[.]at
• torafy[.]cn
• hxxp[:]//wiadomo[.]com/logs/duho.rar

 

EMAILS

EMAIL INFO:

Shown above:  Screen shot from one of the emails.

 

• Date/Time: As early as Wendesday 2018-03-28 at 00:35 UTC through at least Friday 2018-03-30 at 16:17 UTC

• Received: from smtpcmd12140.aruba[.]it ([62.149.156[.]140])
• Received: from smtpfree-g.aruba[.]it ([62.149.128[.]214])
• Received: from smtpcmd02101.aruba[.]it ([62.149.158[.]101])
• Received: from smtp204.alice[.]it ([82.57.200[.]100])
• Received: from elasmtp-masked.atl.sa.earthlink[.]net ([209.86.89[.]68])
• Received: from vmi135137.contaboserver[.]net ([5.189.176[.]126])
• Received: from smtpcmd01240.aruba[.]it ([62.149.156[.]170])
• Received: from smtpcmd0643.aruba[.]it ([62.149.156[.]43])
• Received: from libero[.]it ([213.209.8[.]33])

• From: "FEDEX AGENT" <amministrazione@aiau[.]it>
• From: "Fedex" <claudianewenergy@aruba[.]it>
• From: "Secure FedEx" <ufficio.tecnicollpp@comune-rondissone.to[.]it>
• From: "FedEx" <casimiro.merendino@alice[.]it>
• From: "FEDEX AGENT" <markbadhwar@earthlink[.]net>
• From: "FEDEX SUPPORT" <maria.leuci@aorncaserta[.]it>
• From: "FEDEX AGENT" <nevenka@trasportipeserico[.]it>
• From: "FEDEX INFO" <info@meridianaeventi[.]com>
• From: "FEDEX SUPPORT" <emanuele.paolo@libero[.]it>
• From: "FEDEX AGENT" <vincecopia@libero[.]it>

• Subject: Penelope Stewart company FedEx
• Subject: Isaac Mathis your agent FedEx
• Subject: Lisa Maloney manager FedEx
• Subject: Steven MacDonald FedEx company
• Subject: Zoe Coleman your manager FedEx
• Subject: Joanne Weston FedEx
• Subject: Andrew Newman your manager FedEx
• Subject: Dan Sutherland manager FedEx
• Subject: Eric Ince agent FedEx
• Subject: Olivia Smith company FedEx

 

Shown above:  Extracting a batch file from one of the email attachments.

 

SHA256 HASHES FOR EMAIL ATTACHMENTS (ZIP FILES):

• 1e0d99b677189829a54a1d7d9bc6e380a275bb92a16d35330eb88f1d1dca49f8 - 63.doc
• cda7844049550b46a2b8e7352f8645910b4bb8bbe24df9d565746ff1b3619c71 - 82.doc
• 082c5a96d49dcead978d067c4cebfd2b2232181ae9d65162917e09b0f633a766 - 89.doc
• fd83df715755b5c454dd8ce11f0906d9c025d0f802fe4edd3d987f9e22754af5 - 144.doc
• e4eb08385e98050fa3d6c38d1c91a1cf5ea8cb0a032e2cd24a001743a8180a49 - 175.doc
• adeae5afd133efe3905c977889d799ac145423fe463bf40cb5211a36c65c75fc - 180.doc
• ab75d9f83499c86997dda1aeb2d6c5a1a68b57a4b8ae4b8efaa2cc16e32c006c - 184.doc
• d8efc2289508d9a6e81c09146652130aa6e215a9251a361587dd66b6b3197c74 - 227.doc
• 5ea1d1667ca5963cad5c20a9989adaf520b0ec21c2b27e89b806d92914746b98 - 254.doc
• e47434db908809d37cbb0c22baf6b0ac8c65f16a38e85e0140db439ce78a2c19 - 301.doc
• 0aa1ff490e398ca9bc16130e843da231f9289d2abb2303e3ddf9430d4b72b059 - 316.doc
• 58f652a7bd5f84ed95e4e5c0382acd05eb7a59d0b3cd35c4631a924d8035df8a - 340.doc
• e7e9375250e30f7a57f13b2553003f6b021d79488ba408170faadd3306b71bca - 395.doc
• 450c184787963e568916893774cf6226674aceac7048e72cd9a3dce30174043a - 458.doc
• 768e2e96a252be53bb550afa9e507a6c67d928a0cec58d3633e6fd894a1b0b57 - 463.doc
• bfb0970951e28653a58f863071c144f17e0fda32b1681f7e4af4d141ecf7d94e - 487.doc

SHA256 HASHES FOR EXTRACTED BATCH FILES:

• 54d0d0fe45368446e1b86cd7d36dbfbb8e6cb7a476339e84672566d8355d4cde - BX59687039412.bat
• bc6ff921b8ae9c754aa7853d6a3949973c2f88023d9df199a5e15e94cbe1e350 - DM485700945.bat
• a65cb2ef007beaaf2c00c749d976110c7432370f2c7f91fb9fc25ed36a7f72fd - DR940596994.bat
• 81821ec46f20e8ed493af7477a818507ccfbba460a5d5c45160660002357c7ca - HT.495-495860491.bat
• a72d07a99ce3135a4b49db1f60db8ca0839f03ed94f476a229d79df6a5faf004 - JP.857593048.PDF.bat
• 87ca438e3ffc5242fc7b669dc4f587ac5467694fc8fd7efa3008ee5a972d73d1 - OF.495093846.bat
• 99882cc77414dcb0b64fbd2afa77b7cbf4503274067762f19bf793a75e57495d - TF.48678398483.bat
• 6c570f32c543548f29028a958deeb54a8aaf14aecc72251dc0c601d8a3492df7 - VK678404951.bat
• 94a405b37fee16f10ff29f0e91b79f2772b8613c9047faaa046667e2edeae46c - VT8675940951.bat

 

Shown above:  Beginning portion from one of the batch files (requests the decoy PDF document).

 

Shown above:  After several line feeds/carriage returns, malicious script starts at the end of the batch file.

 

Shown above:  Here's what it looks like, when run on a Windows 7 host.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

Shown above:  Traffic from an another infection filtered in Wireshark, several hours later.

 

DECOY PDF FILES (NOT MALICIOUS):

• port 443 (HTTPS) - www.tnt[.]com - GET /dam/tnt_express_media/express-master/downloads/docs/AIR_Transport_SectionII_Lithium_Batteries.pdf
• port 80 - www.fedex[.]com - GET /images/fbo_images/Job_aid/GFBO_JobAid.pdf

REQUESTS FOR BASE64 STRING FOR FOLLOW-UP MALWARE:

• 173.247.240[.]210 port 80 - www.humancad[.]com - GET /gr.php
• 173.247.240[.]210 port 80 - www.humancad[.]com - GET /ut.php

POST-INFECTION CONNECTIVITY CHECK (2018-03-29):

• port 80 - google[.]com - GET /
• port 80 - www.google[.]com - GET /

POST-INFECTION CALLBACK TRAFFIC (2018-03-29):

• 49.51.138[.]88 port 80 - f11.karilor[.]at - GET /wpapi/[long string of characters]
• 198.105.244[.]64 port 80 - abn.zitti[.]at - POST /wpapi/[long string of characters]
• 198.105.244[.]64 port 80 - torafy[.]cn - POST /wpapi/[long string of characters]

POST-INFECTION CALLBACK TRAFFIC (2018-03-30):

• 208.88.4[.]113 port 80 - wiadomo[.]com - GET /logs/duho.rar
• various IP addresses over various ports - various domain names - Tor traffic

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

File size:  389,108 bytes
File name:  AIR_Transport_SectionII_Lithium_Batteries.pdf
File description:  Decoy PDF document called by batch file on 2018-03-29, not malicious.

File size:  3,198,297 bytes
File name:  GFBO_JobAid.pdf
File description:  Decoy PDF document called by batch file on 2018-03-30, not malicious.

• SHA256 hash:  02697c7b28b85bc08e2bc35289b7c3a366872cd820b954bc870c3135ca5b65bb
  File size:  404,058 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\WinHelperKP.cab
  File description:  Microsoft .cab file (converted from base64 text) from 2018-03-29.

• SHA256 hash:  51cfcf85942dc9dddc0bb06aa6af85d37de44e19ca64bac0c643b90a03b40eb5
  File size:  543,744 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\WinHelperKP.exe
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\[random name]\[random name].exe
  File description:  Malware extracted from the above .cab file on 2018-03-29 (possibly Ursnif)

• SHA256 hash:  7c0a62f7cbbcd11db9b50534f1efd088ee934712170fc281d765862986ab0bb4
  File size:  549,888 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\WinHelperKP.exe
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\[random name]\[random name].exe
  File description:  Possible Ursnif sample from similar infection on 2018-03-30.

 

IMAGES

Shown above:  Malware persistent on an infected Windows host.

 

Shown above:  Scheduled task to periodically update the malware.

 

Click here to return to the main page.