Apple Order Acknowledgement W244415849

Spam Subject:
Order Acknowledgment W244415849.

Malicious URL(s):
hxxp://ftp.eburneenne.com/ShvFZsdb/index.html

Apple-Order W244415849

Through a JS redirector at hxxp://gcg-t.com/rt4NU8a5/js.js, the spam link lands victims on the Blackhole (BH) exploit kit hosted at 50.116.19.23. The following document.location script is used to eventually redirect the victim to BH:

document.location='hxxp://50.116.19.23/showthread.php?t=d7ad916d1c0396ff';

The victim machine is first infected with the Pony downloader, fetched from the following location:
hxxp://50.116.19.23/q.php?f=ba33e&e=2

File: readme.exe
MD5: 43e83090e4a3d044b5df34f95f5c266e
Size: 146,432 bytes

This Pony loader posts to a C&C at hxxp://www.alberghi.com/pony/gate.php, hosted at IP address 109.168.126.112, and then downloads three identical Gameover Zeus payloads from the following URLs:

1. monaschool.com/fG6ZHMWF.exe
2. raadstudies.ir/Kw7hE7.exe
3. jmservice.servicos.ws/Mk4Lf.exe

Gameover installs itself in %APPDATA%\Ygecpu\gyiky. It has the following file properties:

MD5: 68abfd809fb0713d70f7a752806c257e
Size: 305,704 bytes
Digital Signature: This file is digitally signed by ‘nYZbvA3YL8XjBMx’
Certificate Validity: 04/10/2012 to 01/01/2040
Timestamp: 2010:11:02 17:04:24+01:00
Company Name: Microsoft Corporation
File Description: Windows Disk Diagnostic User Resolver
Internal Name: DFDWiz.exe
Legal Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: DFDWiz.exe
Product Name: Microsoft® Windows® Operating System

During analysis, the Gameover Zeus variant's dropzones were identified at 161.6.67.119:11373 and 94.240.227.44:12399.
Webinjects were downloaded from 122.99.102.189:28515. The Gameover variant had BitID "ppca10" and CID "5555".
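As an added illustration (not part of the original post), the following Python maps proxy log lines onto the stages of this infection chain. It uses the indicators listed above plus the URL shapes seen here for the Blackhole landing page (showthread.php?t=<16 hex>) and payload request (q.php?f=...&e=...); the log line format and client addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Hosts copied from the write-up above, keyed to the stage they serve.
IOC_HOSTS = {
    "ftp.eburneenne.com": "spam_link",
    "gcg-t.com": "js_redirector",
    "monaschool.com": "zeus_payload",
    "raadstudies.ir": "zeus_payload",
    "jmservice.servicos.ws": "zeus_payload",
}

# Blackhole landing pages in this chain use showthread.php?t=<16 hex chars>.
BH_LANDING_T = re.compile(r"[0-9a-f]{16}")

def classify(url: str):
    """Return a stage label for one URL, or None if nothing known matches."""
    parts = urlsplit(url.replace("hxxp", "http", 1))  # undo defanging
    host, path, query = parts.hostname or "", parts.path, parse_qs(parts.query)
    if path == "/showthread.php" and BH_LANDING_T.fullmatch(query.get("t", [""])[0]):
        return "bh_landing"
    if path.endswith("/q.php") and "f" in query and "e" in query:
        return "bh_payload"          # exploit kit payload download (readme.exe above)
    if path.endswith("/gate.php"):
        return "pony_c2"             # Pony check-in, e.g. /pony/gate.php
    return IOC_HOSTS.get(host)

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")  # constructed "<time> <client> <url>" format

def chains(log_lines):
    """Per client, list the matched stages in log order (consecutive repeats collapsed)."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _, client, url = m.groups()
        stage = classify(url)
        if stage and (not seen[client] or seen[client][-1] != stage):
            seen[client].append(stage)
    return dict(seen)

# Constructed proxy log reproducing the chain above for one client; a second client is benign.
SAMPLE_LOG = [
    "10:00:01 192.0.2.10 hxxp://ftp.eburneenne.com/ShvFZsdb/index.html",
    "10:00:02 192.0.2.10 hxxp://gcg-t.com/rt4NU8a5/js.js",
    "10:00:03 192.0.2.10 hxxp://50.116.19.23/showthread.php?t=d7ad916d1c0396ff",
    "10:00:09 192.0.2.10 hxxp://50.116.19.23/q.php?f=ba33e&e=2",
    "10:00:15 192.0.2.10 hxxp://www.alberghi.com/pony/gate.php",
    "10:00:16 192.0.2.10 hxxp://monaschool.com/fG6ZHMWF.exe",
    "10:00:20 192.0.2.11 hxxp://example.com/index.html",
]
```

A client whose sequence reaches `bh_payload` or later is worth treating as compromised rather than merely exposed, since the earlier stages are reached by anyone who clicked the link.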
