ADP Recent Transaction

We analyzed the following malicious attachment, used in ADP-themed spam on February 07 & 08, 2013:

Spam Template:

We were unable to process your recent transaction. Please verify your details and try again.
If the problem persists, contact us to complete your order.

Transaction details are shown in the attached file.

Reference #239814359000

This e-mail has been sent from an automated system.
PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

Attachment:

File: ADP – Recent Transaction
MD5: c8b3ea47a1f2080dbede84a9f7940de7
Size: 131,584 bytes

The Pony downloader posts to its dropzone at hxxp://archiv.social-neos.eu/ponyb/gate.php. It was also configured to download 3 Gameover Zeus payloads from the following locations:

1. hxxp://84.1.156.73/KhCt.exe
2. hxxp://plcontractors.co.uk/UWcZzRs.exe
3. hxxp://k3security.co.za/tMDrS.exe

Gameover installs itself to %APPDATA%\Ybna\unyfl.exe and has the following file properties:

File: ylkas.exe
Size: 359,936 bytes
MD5: 53cf45f6ab62b633393924b86b6c8d76
Time-Stamp: 2013-02-05 20:09:27
Company Name: Microsoft Corporation
File Description: Microsoft Windows Setup Utility
File Version: 9.00.00.4503
Internal Name: a6ize
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Original Filename: a6ize
Product Name: Microsoft(R) Windows Media Player
Product Version: 9.00.00.4503

This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 99.76.3.38:11350. The Gameover variant had a botid of “dotmanf8”.
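As an added example (not part of the original write-up), a small Python detector that checks proxy-log lines and connection records against the indicators reported above. The hxxp defanging is undone, and the proxy-log format and the sample log lines are constructed assumptions.

```python
import re
from collections import namedtuple

# Indicators from the analysis above: Pony dropzone (host, path) and the
# three Gameover Zeus payload URLs. The write-up's "hxxp" defanging is undone.
PONY_GATE = ("archiv.social-neos.eu", "/ponyb/gate.php")
GAMEOVER_PAYLOAD_URLS = {
    "http://84.1.156.73/khct.exe",
    "http://plcontractors.co.uk/uwczzrs.exe",
    "http://k3security.co.za/tmdrs.exe",
}
# Gameover Zeus dropzone and webinject server from the analysis, as (ip, port).
GAMEOVER_C2 = {("180.251.247.89", 12043), ("99.76.3.38", 11350)}

# Constructed sample proxy log (assumed format: "<client> <method> <url>").
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.12 POST http://archiv.social-neos.eu/ponyb/gate.php
10.0.0.12 GET http://84.1.156.73/KhCt.exe
10.0.0.40 GET http://plcontractors.co.uk/
"""

Hit = namedtuple("Hit", "client kind detail")

_LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
_URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$", re.I)


def scan_proxy_log(text):
    """Return a Hit for every log line matching the Pony/Gameover web indicators."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, method, url = m.group("client", "method", "url")
        u = _URL_RE.match(url)
        if not u:
            continue
        host, path = u.group("host").lower(), (u.group("path") or "/")
        # Pony reports harvested credentials with a POST to gate.php.
        if method == "POST" and (host, path) == PONY_GATE:
            hits.append(Hit(client, "pony-gate-post", url))
        elif url.lower() in GAMEOVER_PAYLOAD_URLS:
            hits.append(Hit(client, "gameover-payload-download", url))
    return hits


def scan_connections(conns):
    """conns: iterable of (client, dst_ip, dst_port); flag Gameover C2 peers."""
    return [Hit(c, "gameover-c2", f"{ip}:{port}")
            for c, ip, port in conns if (ip, port) in GAMEOVER_C2]
```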

The following P2P drones (peer addresses) were found embedded inside the installed Gameover Zeus payload:

