USPS 02193131 delivers Bugat/Feodo

Subject:
DELIVERY CONFIRMATION FROM USPS 02193131
Attachment:
MYUPS_ID3M764824495.htm

USPS 02193131

The spam attachment contained an encoded script that redirects the victim to a Phoenix Exploit Kit landing page at rehjsdgfjhskjksd[.]su:8080 /images/aublbzdni.php, hosted at the following IP address(es):

78.83.233.242
83.238.208.55
125.19.103.198
41.168.5.140
61.187.191.16
62.85.27.129
199.71.214.180
200.169.13.84
202.143.147.35
202.149.85.37
210.56.23.100
210.56.24.226
210.109.108.210
211.44.250.173
219.94.194.138

First, the exploit kit serves a malicious Flash file downloaded from rehjsdgfjhskjksd[.]su:8080 /images/gogpjljshzjma.swf. This Flash file had the following properties:

File: gogpjljshzjma.swf
Size: 7,785 bytes
MD5: 4ae8dbe82d6340550beee51fd81095d7

This Flash file carries a CVE-2011-0611 exploit and was detected by 15 of 43 AV vendors on VirusTotal.

A malicious PDF file was also downloaded from rehjsdgfjhskjksd[.]su:8080 /images/xoypgqgvxzjudqk4.php. This PDF file had the following properties:

File: xoypgqgvxzjudqk4.php
Size: 13,151 bytes
MD5: 562612faccaab571660837f31f118042

The PDF file carries a CVE-2010-0188 exploit and was detected by 28 of 43 AV vendors on VirusTotal.

If exploitation is successful, the victim is redirected to pobolinovkans[.]su:8080 /images/jw.php?i=15, from which a Bugat/Feodo variant with the following properties is downloaded:

File: gsxohsapcpklkti.exe
MD5: e2149880d462b2bc29969ea1b1101ab0
Size: 88,576 bytes

Bugat/Feodo is installed as:
File: C:\Documents and Settings\Administrator\Application Data\KB00090109.exe

The installed file had the following properties:

MD5: a39ec23a671019ee07066c8aa94308cf
Size: 88,576 bytes
Timestamp: 2011:03:25 06:01:22+01:00

This Bugat/Feodo sample retrieved its configuration file and target list from a command and control server at nolwzyzsqkhjkqhomc[.]ru:8080 /rwx/B1_3n9/in/. The domain is hosted at the following IP addresses on fast-flux infrastructure:

79.101.30.15
94.20.30.91
94.23.30.157
83.170.91.152
85.214.204.32
88.190.22.72
91.121.7.5
91.121.91.111
112.78.124.115
124.124.212.172
173.224.220.224
178.162.154.214
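The write-up gives the whole chain as indicators: the exploit kit host and its IPs, the payload download host, the C2 domain and its fast-flux IPs, and the MD5s of each artefact. The script below is an added example, not code from the original post, that loads those indicators, matches them against proxy log lines, and reconstructs which stage of the chain each client reached, so a host that only touched the landing page can be told apart from one that went on to contact the C2. The log format and the sample log lines are constructed for the demo; the indicator values are the ones listed above.

```python
"""Added example (not from the original post): match the indicators listed in
this write-up against proxy log lines and known MD5 hashes, and rebuild the
infection chain per client. Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Indicators copied from the write-up (the post de-fangs domains with [.]).
EK_DOMAIN = "rehjsdgfjhskjksd.su"        # Phoenix Exploit Kit host
PAYLOAD_DOMAIN = "pobolinovkans.su"      # Bugat/Feodo download host
C2_DOMAIN = "nolwzyzsqkhjkqhomc.ru"      # fast-flux C2 / config server

EK_IPS = {
    "78.83.233.242", "83.238.208.55", "125.19.103.198", "41.168.5.140",
    "61.187.191.16", "62.85.27.129", "199.71.214.180", "200.169.13.84",
    "202.143.147.35", "202.149.85.37", "210.56.23.100", "210.56.24.226",
    "210.109.108.210", "211.44.250.173", "219.94.194.138",
}
C2_IPS = {
    "79.101.30.15", "94.20.30.91", "94.23.30.157", "83.170.91.152",
    "85.214.204.32", "88.190.22.72", "91.121.7.5", "91.121.91.111",
    "112.78.124.115", "124.124.212.172", "173.224.220.224", "178.162.154.214",
}
# MD5s from the write-up: Flash exploit, PDF exploit, downloaded payload, installed copy.
KNOWN_MD5 = {
    "4ae8dbe82d6340550beee51fd81095d7": "gogpjljshzjma.swf (CVE-2011-0611)",
    "562612faccaab571660837f31f118042": "xoypgqgvxzjudqk4.php PDF (CVE-2010-0188)",
    "e2149880d462b2bc29969ea1b1101ab0": "gsxohsapcpklkti.exe (Bugat/Feodo dropper)",
    "a39ec23a671019ee07066c8aa94308cf": "KB00090109.exe (installed Bugat/Feodo)",
}

STAGE_OF_HOST = {EK_DOMAIN: "exploit-kit", PAYLOAD_DOMAIN: "payload", C2_DOMAIN: "c2"}
STAGE_OF_IP = {**{ip: "exploit-kit" for ip in EK_IPS}, **{ip: "c2" for ip in C2_IPS}}

# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/\S*)?$")


def classify_url(url):
    """Return the chain stage a URL belongs to, or None if it matches no
    indicator. Only the host (domain or IP) is checked: the write-up's port
    8080 and paths are not required, so re-hosted copies still match."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).lower()
    return STAGE_OF_HOST.get(host) or STAGE_OF_IP.get(host)


def scan_log(lines):
    """Return (client, stage, url) for every log line touching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append((client, stage, url))
    return hits


def chains_by_client(hits):
    """Group stages per client. C2 contact means the exploit chain completed
    and the bot is running; an exploit-kit hit alone is exposure only."""
    seen = defaultdict(set)
    for client, stage, _url in hits:
        seen[client].add(stage)
    verdicts = {}
    for client, stages in seen.items():
        if "c2" in stages:
            verdicts[client] = "likely-infected"
        elif "payload" in stages:
            verdicts[client] = "payload-fetched"
        else:
            verdicts[client] = "exposed"
    return verdicts


def lookup_md5(hexdigest):
    """Map an MD5 hex digest to the artefact named in the write-up, if known."""
    return KNOWN_MD5.get(hexdigest.lower())


# Constructed sample: one client walks the full chain, one only hits the
# landing page via an exploit-kit IP, one is unrelated traffic.
SAMPLE_LOG = [
    "2011-03-25T06:00:01Z 10.0.0.5 GET http://rehjsdgfjhskjksd.su:8080/images/aublbzdni.php 200",
    "2011-03-25T06:00:03Z 10.0.0.5 GET http://rehjsdgfjhskjksd.su:8080/images/gogpjljshzjma.swf 200",
    "2011-03-25T06:00:09Z 10.0.0.5 GET http://pobolinovkans.su:8080/images/jw.php?i=15 200",
    "2011-03-25T06:01:30Z 10.0.0.5 POST http://nolwzyzsqkhjkqhomc.ru:8080/rwx/B1_3n9/in/ 200",
    "2011-03-25T06:02:00Z 10.0.0.7 GET http://78.83.233.242:8080/images/aublbzdni.php 200",
    "2011-03-25T06:02:05Z 10.0.0.9 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for client, verdict in sorted(chains_by_client(scan_log(SAMPLE_LOG)).items()):
        print(client, verdict)
```

Matching on host rather than full URL is deliberate: the kit and C2 paths are randomised per campaign, while the domains and the IP pools above are what a fast-flux operator reuses. A client that reached the C2 stage is the one to pull off the network and image first; an "exposed" client still needs its browser plugin versions checked against the two CVEs named above.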
