First Foundation Bank Secure Email Notification

We analyzed the following malicious attachment, used in First Foundation Bank themed spam on February 14, 2013:

Spam Subject:
First Foundation Bank Secure Email Notification – 29834077

Mail From:
“FF-inc Secure Notification” <secure.notification@ff-inc.com>
Spam Template:

You have received a secure message

Read your secure message by opening the attachment, secure_mail_29834077. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. To access from a mobile device, forward this message to mobile@res.ff-inc.com to receive a mobile login URL.

If you have concerns about the validity of this message, please contact the sender directly. For questions about secure e-mail encryption service, please contact technical support at 888.230.9081.

2000-2013 First Foundation Inc. All rights reserved.

File: secure_mail_29834077.zip
MD5: e6454c2cb43c669906fcdbe199a195f3
Size: 118,086 bytes

The Pony downloader posts to its dropzone at hxxp://88.190.210.199/ponyb/gate.php. It was also configured to download three Gameover Zeus payloads from the following locations:

1. hxxp://angeloelacicca.altervista.org/kcprVD.exe
2. hxxp://www.dalcin.it/d2sqx.exe
3. hxxp://geeksleaks.com/h0L7.exe
Gameover installs itself to %APPDATA%\Qaajda\okubha.exe and has the following file properties:

File: okubha.exe
MD5: e1b3e6a075ac40ff5ecc8c37d3bbced4
Size: 309,760 bytes
Time-Stamp: 2013-02-5 20:09:27
This Gameover Zeus variant posts to a dropzone at 99.109.198.196:21961. Webinjects were downloaded from 174.110.150.207:23173. The Gameover variant had a botid of “citif14”.
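As an added example (not part of the original post), the following Python script matches the network indicators above against proxy log lines: the Pony POST to gate.php on a raw IP, the Gameover Zeus dropzone and webinject endpoints, and .exe downloads from the three distribution hosts. The log format and the sample lines are constructed for this example; a real deployment would adapt the regex to the proxy's actual format.

```python
import re
from collections import namedtuple

# Indicators taken from the analysis above.
PONY_GATE = ("88.190.210.199", "/ponyb/gate.php")
GOZ_ENDPOINTS = {("99.109.198.196", 21961), ("174.110.150.207", 23173)}
GOZ_PAYLOAD_HOSTS = {"angeloelacicca.altervista.org", "www.dalcin.it", "geeksleaks.com"}

# Assumed log format (constructed for this example):
# <timestamp> <client_ip> <METHOD> <scheme>://<host>[:<port>]<path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?"
    r"(?P<path>/\S*) (?P<status>\d{3})$"
)

Hit = namedtuple("Hit", "client rule host")


def classify(line):
    """Return a Hit if the log line matches one of the indicators, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored rather than misreported
    host, path, method = m["host"], m["path"], m["method"]
    port = int(m["port"]) if m["port"] else (443 if m["scheme"] == "https" else 80)
    if (host, path) == PONY_GATE and method == "POST":
        return Hit(m["client"], "pony_gate_post", host)
    if (host, port) in GOZ_ENDPOINTS:
        return Hit(m["client"], "goz_c2_endpoint", f"{host}:{port}")
    if host in GOZ_PAYLOAD_HOSTS and path.lower().endswith(".exe"):
        return Hit(m["client"], "goz_payload_download", host)
    return None


def scan(lines):
    """Run classify() over every line and keep only the hits."""
    return [h for h in (classify(line) for line in lines) if h]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2013-02-14T09:01:02 10.0.0.5 POST http://88.190.210.199/ponyb/gate.php 200
2013-02-14T09:01:05 10.0.0.5 GET http://www.dalcin.it/d2sqx.exe 200
2013-02-14T09:02:10 10.0.0.5 POST http://99.109.198.196:21961/ 200
2013-02-14T09:03:00 10.0.0.7 GET http://www.example.com/index.html 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```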

The following P2P drone peers were found embedded inside the Gameover Zeus payload:
