From: serviceuk@safilo.com
Date: Wed, 19 Aug 2015 17:47:46 +0700
Subject: SHIPMENT NOTICE
Dear Customer,
please be informed that on Aug 19, 2015 we sent you the following items:
1 pieces from order 1I5005729
1 pieces from order 1I5005841
IMPORTANT
To find out all details concerning your orders and shipments open the file here attached
or go to the Order status page of the site.
Safilo UK Ltd.
serviceuk@safilo.com
-------
Attached is a file ship20150817.zip which in turn contains a malicious executable ship20150817.exe which has a detection rate of 4/56. According to these automated analysis tools [1] [2] the malware attempts to phone home to:
megapolisss006.su/go/gate.php
.SU (Soviet Union) domains are bad news in general; if you can, I would recommend blocking traffic to all of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21
This, though, is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42
I am not entirely certain of the payload as the download locations seem to be unreliable.
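As an added example (not part of the original post), here is a small Python checker that runs the indicators above over proxy-style log lines: the blanket .SU top-level domain, the phone-home URL, the three hosting IPs and the two wider ranges. The log line layout and the sample lines are assumptions constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators taken from the post above.
C2_HOST = "megapolisss006.su"
C2_PATH = "/go/gate.php"
MINIMUM_BLOCKLIST = {ipaddress.ip_address(a) for a in ("195.2.88.196", "94.229.22.39", "94.229.22.42")}
WIDER_RANGES = [ipaddress.ip_network(n) for n in ("195.2.88.0/24", "94.229.16.0/21")]

# Assumed (hypothetical) proxy log layout: "<timestamp> <client> <method> <url> <dest_ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$")

def classify(line):
    """Return the indicator names a single log line matches (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = m.group("url")
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    reasons = []
    if host == C2_HOST or host.endswith("." + C2_HOST):
        reasons.append("c2-url" if path == C2_PATH else "c2-domain")  # full phone-home URL beats bare domain
    if host.endswith(".su"):
        reasons.append("su-tld")  # the post's blanket .SU recommendation
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return reasons  # destination field is not an IP address; keep what we have
    if dst in MINIMUM_BLOCKLIST:
        reasons.append("blocklist-ip")  # recommended minimum blocklist
    elif any(dst in net for net in WIDER_RANGES):
        reasons.append("wider-range-ip")  # the two wider ranges worth considering
    return reasons

def scan(lines):
    """Return [(line_number, reasons)] for every line matching at least one indicator."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample log lines (not real traffic); destination IPs are those listed in the post.
SAMPLE_LOG = """\
2015-08-19T11:02:13 10.0.0.12 GET http://megapolisss006.su/go/gate.php 195.2.88.196
2015-08-19T11:02:20 10.0.0.12 GET http://www.example.com/index.html 93.184.216.34
2015-08-19T11:03:01 10.0.0.31 POST http://other-host.su/upload 94.229.18.7
2015-08-19T11:03:05 10.0.0.31 GET http://cdn.example.org/lib.js 94.229.22.42
""".splitlines()
```

The last sample line shows why the IP check is kept separate from the host check: a request to an innocuous-looking host that still lands on one of the listed addresses is worth a look.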
3 comments:
Where have you been? Long time no updates? lol
The sunny Republic of Ireland :)
Oh! Cool!
Thank you for stunning updates. You are the Boss :-)