Monthly Archives: February 2013

Scanned Image from a Xerox WorkCentre

We analyzed the following malicious attachment, used in the Xerox Scanned Image themed spam of February 14 2013:

Spam Subject:
Scanned Image from a Xerox WorkCentre

Spam Template:

Device Name: Not Set
Device Model: Scab-3871N
Location: Not Set

File Format: PDF (Medium)
File Name: Scan_02-13-2013-245.zip
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: hxxp://www.adobe.com/

File: Scan_02-13-2013_245.zip
MD5: 2688370c5fd8bc197141a55d43883ad4
Size: 117,606 bytes

The Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://www.inaji.jp/5Ncs.exe
2. hxxp://w6050v1kc.homepage.t-online.de/KYrngX.exe
3. hxxp://socialighter.co.za/3N0k.exe
Gameover installs in %APPDATA%\Iriwb\tuoqf.exe and had the following file properties:

File: tuoqf.exe
MD5: cd08cfedf5033ce7b18a0e1be4d23501
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at 66.229.110.89:28898. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “dotf14”.

The following P2P drones were found embedded inside the Gameover Zeus payload:


First Foundation Bank Secure Email Notification

We analyzed the following malicious attachment, used in the First Foundation Bank themed spam of February 14 2013:

Spam Subject:
First Foundation Bank Secure Email Notification – 29834077

Mail From:
“FF-inc Secure Notification” <secure.notification@ff-inc.com>
Spam Template:

You have received a secure message

Read your secure message by opening the attachment, secure_mail_29834077. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.230.9081.

2000-2013 First Foundation Inc. All rights reserved.

File: secure_mail_29834077.zip
MD5: e6454c2cb43c669906fcdbe199a195f3
Size: 118,086 bytes

The Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://angeloelacicca.altervista.org/kcprVD.exe
2. hxxp://www.dalcin.it/d2sqx.exe
3. hxxp://geeksleaks.com/h0L7.exe
Gameover installs in %APPDATA%\Qaajda\okubha.exe and had the following file properties:

File: okubha.exe
MD5: e1b3e6a075ac40ff5ecc8c37d3bbced4
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at 99.109.198.196:21961. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “citif14”.

The following P2P drones were found embedded inside the Gameover Zeus payload:


Action Required – Time Sensitive Material (Detma.org)

We analyzed the following malicious attachment, used in the Detma.org themed spam of February 12 2013:

Spam Subject:
Action Required – Time Sensitive Material
From Address:
“Unemployment Assistance@detma.org” <info@detma.org>

Spam Template:

Action Required

File: case#95648678394857345~93245725793248.zip
MD5: dd28a6cc3df2b1608dc15a4b397013b4
Size: 102,170 bytes

The Pony downloader posts to its dropzone at hxxp://carmine.warsheet.com/forum/viewtopic.php, hosted at IP address 174.122.102.165. It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://seunig.de/L5Fvb.exe
2. hxxp://limitedltd.be/CtSfQca3.exe
3. hxxp://visiterlareunion.fr/3gyrJ8B8.exe
Gameover installs in %APPDATA%\Ixra\osso.exe and had the following file properties:

File: oss.exe
Size: 309,760 bytes
MD5: 93e6daf13f5239af3d7a44ecfee1b3c5
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 95.137.226.107:12656. The Gameover variant had a botid of “bofaf12” and cid of 5555.

The following P2P drones were found embedded inside the installed Gameover Zeus payload:


ADP Recent Transaction

We analyzed the following malicious attachment, used in the ADP themed spam of February 07 & 08 2013:

Spam Template:

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #239814359000

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Attachment:

File: ADP – Recent Transaction
MD5: c8b3ea47a1f2080dbede84a9f7940de7
Size: 131,584 bytes

The Pony downloader posts to its dropzone at hxxp://archiv.social-neos.eu/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://84.1.156.73/KhCt.exe
2. hxxp://plcontractors.co.uk/UWcZzRs.exe
3. hxxp://k3security.co.za/tMDrS.exe

Gameover installs in %APPDATA%\Ybna\unyfl.exe and had the following file properties:

File: ylkas.exe
Size: 359,936 bytes
MD5: 53cf45f6ab62b633393924b86b6c8d76
Time-Stamp: 2013-02-05 20:09:27
Company Name: Microsoft Corporation
File Description: Microsoft Windows Setup Utility
File Version: 9.00.00.4503
Internal Name: a6ize
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Original Filename: a6ize
Product Name: Microsoft(R) Windows Media Player
Product Version: 9.00.00.4503

This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 99.76.3.38:11350. The Gameover variant had a botid of “dotmanf8”.

The following P2P drones were found embedded inside the installed Gameover Zeus payload:

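All four posts above describe the same infection chain: the Pony downloader checks in to a gate URL, then drops a Gameover Zeus build that talks to an IP:port dropzone and webinject server. The script below is an added example (not code from these posts) that refangs the hxxp:// indicators the posts give and matches them against constructed proxy and firewall log lines; the log line formats and the sample lines are assumptions, the indicator values are taken from the posts.

```python
import re
from urllib.parse import urlparse

# Pony gate URLs copied from the posts above, in the defanged hxxp:// form they use.
PONY_GATES = [
    "hxxp://88.190.210.199/ponyb/gate.php",
    "hxxp://carmine.warsheet.com/forum/viewtopic.php",
    "hxxp://archiv.social-neos.eu/ponyb/gate.php",
]
# Gameover Zeus dropzone and webinject endpoints (IP:port) named in the posts.
GOZ_ENDPOINTS = {
    "66.229.110.89:28898", "99.109.198.196:21961", "180.251.247.89:12043",
    "174.110.150.207:23173", "95.137.226.107:12656", "99.76.3.38:11350",
}

def refang(url: str) -> str:
    """Turn the defanged hxxp:// notation back into a real scheme for matching."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)

def gate_keys(urls):
    """Reduce each gate URL to (host, path) so ports or query strings do not break a match."""
    return {((urlparse(refang(u)).hostname or "").lower(), urlparse(refang(u)).path) for u in urls}

GATE_KEYS = gate_keys(PONY_GATES)

# Hypothetical log formats: "<src> <METHOD> <url>" for a proxy, "<src> dst=<ip:port>" for a firewall.
PROXY_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
FW_RE = re.compile(r"^(?P<src>\S+) dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}:\d+)")

def classify(line: str):
    """Return a verdict for one log line, or None when it matches nothing from the posts."""
    m = PROXY_RE.match(line)
    if m:
        p = urlparse(m["url"])
        key = ((p.hostname or "").lower(), p.path)
        return "pony-gate-request" if key in GATE_KEYS else None
    m = FW_RE.match(line)
    if m and m["dst"] in GOZ_ENDPOINTS:
        return "gameover-zeus-endpoint"
    return None

def scan(lines):
    """Pair every matching line with its verdict."""
    return [(line, v) for line in lines for v in [classify(line)] if v]

# Constructed sample lines, not taken from any real log.
SAMPLE = [
    "10.0.0.5 POST http://88.190.210.199/ponyb/gate.php",
    "10.0.0.5 GET http://www.example.com/index.html",
    "10.0.0.5 dst=66.229.110.89:28898",
    "10.0.0.7 dst=8.8.8.8:53",
]
```

Matching on host and path only is deliberate: the Pony gate URL is the stable part of the check-in, so a match survives changes in ports, query strings or letter case of the hostname.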