
Action Required – Time Sensitive Material (Detma.org)

We analyzed the following malicious attachment, used in Detma.org-themed spam on February 12, 2013:

Spam Subject:
Action Required – Time Sensitive Material
From Address:
“Unemployment Assistance@detma.org” <info@detma.org>

Spam Template:

Action Required

File: case#95648678394857345~93245725793248.zip
MD5: dd28a6cc3df2b1608dc15a4b397013b4
Size: 102,170 bytes

The Pony downloader posts to its dropzone at hxxp://carmine.warsheet.com/forum/viewtopic.php, hosted at IP address 174.122.102.165. It was also configured to download 3 Gameover Zeus payloads from the following locations:
1. hxxp://seunig.de/L5Fvb.exe
2. hxxp://limitedltd.be/CtSfQca3.exe
3. hxxp://visiterlareunion.fr/3gyrJ8B8.exe
Gameover installs itself to %APPDATA%\Ixra\osso.exe; the installed file had the following properties:

File: oss.exe
Size: 309,760 bytes
MD5: 93e6daf13f5239af3d7a44ecfee1b3c5
Time-Stamp: 2013-02-05 20:09:27
This Gameover Zeus variant posts to a dropzone at 180.251.247.89:12043. Webinjects were downloaded from 95.137.226.107:12656. The Gameover variant had a botid of “bofaf12” and cid of 5555.
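
As an added example (not part of the original write-up), the script below turns the network indicators quoted above into a small log triage: it tags proxy lines for the Pony dropzone POST and the payload downloads, tags flow records for the Gameover dropzone and webinject ports, and correlates a host that both fetched a payload and then checked in. The log formats and the sample lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators quoted in the write-up (hxxp:// defanging dropped so URLs parse).
PONY_DROPZONE = {"hosts": {"carmine.warsheet.com", "174.122.102.165"}, "path": "/forum/viewtopic.php"}
GOZ_PAYLOAD_HOSTS = {"seunig.de", "limitedltd.be", "visiterlareunion.fr"}
GOZ_SERVERS = {("180.251.247.89", 12043): "goz-dropzone-post",
               ("95.137.226.107", 12656): "goz-webinject-fetch"}

# Assumed log shapes (constructed for this example, not a specific product's format):
#   proxy: "<ts> <client-ip> <METHOD> <url>"     flow: "<ts> <src-ip> -> <dst-ip>:<dst-port> <proto>"
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) (?P<url>\S+)")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)")

Hit = Tuple[str, str]  # (source host, indicator tag)

def classify_proxy(line: str) -> Optional[Hit]:
    m = PROXY_RE.match(line)
    if not m:
        return None
    u = urlsplit(m["url"])
    if m["method"] == "POST" and u.hostname in PONY_DROPZONE["hosts"] and u.path == PONY_DROPZONE["path"]:
        return m["src"], "pony-dropzone-post"
    if u.hostname in GOZ_PAYLOAD_HOSTS and u.path.lower().endswith(".exe"):
        return m["src"], "goz-payload-download"
    return None

def classify_flow(line: str) -> Optional[Hit]:
    m = FLOW_RE.match(line)
    if not m:
        return None
    tag = GOZ_SERVERS.get((m["dst"], int(m["dport"])))
    return (m["src"], tag) if tag else None

def scan(lines: List[str]) -> List[Hit]:
    """Every indicator match, in log order; a line is either proxy- or flow-shaped."""
    return [h for h in (classify_proxy(l) or classify_flow(l) for l in lines) if h]

def infected_hosts(hits: List[Hit]) -> List[str]:
    """Hosts that fetched a Gameover payload and later posted to its dropzone."""
    seen = {}
    for src, tag in hits:
        seen.setdefault(src, set()).add(tag)
    return sorted(s for s, t in seen.items() if {"goz-payload-download", "goz-dropzone-post"} <= t)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2013-02-12T09:58:11 10.0.0.5 GET http://example.com/index.html",
    "2013-02-12T09:58:40 10.0.0.5 POST http://carmine.warsheet.com/forum/viewtopic.php",
    "2013-02-12T09:58:41 10.0.0.5 GET http://seunig.de/L5Fvb.exe",
    "2013-02-12T10:01:00 10.0.0.5 -> 180.251.247.89:12043 tcp",
    "2013-02-12T10:01:05 10.0.0.5 -> 95.137.226.107:12656 tcp",
    "2013-02-12T10:02:00 10.0.0.7 -> 8.8.8.8:53 udp",
]
```

Running `scan(SAMPLE_LOG)` on the constructed lines yields four hits for 10.0.0.5 and `infected_hosts` returns that single host; the DNS flow from 10.0.0.7 is ignored.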

The following P2P drones were found embedded inside the installed Gameover Zeus payload:
