Search the Ashley Madison hacked leaked database (enter name or
email)
Nothing found
The profile_relationship column specifies the relationship
status.
const ATTACHED_FEMALE_SEEKING_MALE = 1;
const ATTACHED_MALE_SEEKING_FEMALE = 2;
const SINGLE_MALE_SEEKING_FEMALE = 3;
const SINGLE_FEMALE_SEEKING_MALE = 4;
const MALE_SEEKING_MALE = 5;
const FEMALE_SEEKING_FEMALE = 6;
So, if it's a "2", it's a cheating man. The pref_opento items,
which is a list of sexual fantasies users are open to:
1: "Threesome"
3: "Being Dominant/Master"
4: "Being Submissive/Slave"
6: "Bondage"
7: "Conventional Sex"
11: "Fetishes"
14: "Nothing Kinky"
15: "One-Night Stands"
17: "Role Playing"
18: "Sex Talk"
19: "Spanking"
21: "Experimenting with Tantric Sex"
22: "Transvestitism"
23: "Experimenting with Sex Toys"
23: "Exploring with Sex Toys"
26: "Aggressiveness"
27: "Blindfolding"
28: "Bubble Bath for 2"
29: "Cuddling & Hugging"
30: "Curious - Domination"
31: "Curious - Submission"
32: "Dressing Up/Lingerie"
33: "Erotic Movies"
34: "Erotic Tickling"
36: "Extended Foreplay/Teasing"
37: "Gentleness"
38: "Good With Your Hands"
39: "Kissing"
40: "Light Kinky Fun"
41: "Likes to be Watched/Exhibitionism"
42: "Likes to Give Oral Sex"
43: "Likes to Receive Oral Sex"
44: "Likes to Go Slow"
45: "Lots of Stamina"
46: "Open to Experimentation"
48: "Sensual Massage"
49: "Sharing Fantasies"
50: "Someone I Can Teach"
51: "Someone Who Can Teach Me"
52: "You Like to Cross Dress"
They also have a "looking for" section. Those numbers are:
1: "A Don Juan"
4: "Sense of Humor"
6: "Aggressive/Take Charge Nature"
9: "Average Sex Drive"
10: "Confidence"
11: "Discretion/Secrecy"
12: "Dislikes Routine"
14: "Good Personal Hygiene"
16: "Has a Secret Love Nest"
17: "High Sex Drive"
18: "Imagination"
19: "Likes Routine"
30: "A Professional/Well Groomed"
31: "Stylish/Classy"
32: "Casual Jeans/T-shirt Type"
33: "Tattoos"
34: "Body Piercing"
35: "BBW"
36: "Full Size Body"
37: "Muscular/Fit Body"
38: "Petite Figure"
39: "Slim to Average Body"
40: "Tall Height"
41: "Short Height"
42: "Long Hair"
43: "Short Hair"
44: "Girl Next Door"
45: "Naughty Girl"
46: "Bad Boy"
47: "Boy Next Door"
48: "Creative and Adventurous"
49: "Relaxed and Easy Going"
50: "Hopeless Romantic"
51: "A Father Figure"
52: "Not Possessive"
53: "A Good Listener"
54: "Good Communicator"
55: "Disease Free"
56: "Drug Free"
57: "Casual/Social Drinker"
58: "Seeking a Sugar Baby"
59: "Seeking a Sugar Daddy"
60: "Natural Breasts"
61: "Facial Hair"
62: "Tall, Dark and Handsome"
Sponsored by..
Thursday 20 August 2015
Wednesday 19 August 2015
Malware spam: "SHIPMENT NOTICE" / "serviceuk@safilo.com"
From serviceuk@safilo.comAttached is a file ship20150817.zip which in turn contains a malicious executable ship20150817.exe which has a detection rate of 4/56. According to these automated analysis tools [1] [2] the malware attempts to phone home to:
Date Wed, 19 Aug 2015 17:47:46 +0700
Subject SHIPMENT NOTICE
Dear Customer,
please be informed that on Aug 19, 2015 we sent you the following items:
1 pieces from order 1I5005729
1 pieces from order 1I5005841
IMPORTANT
To find out all details concerning your orders and shipments open the file here attached
or go to the Order status page of the site.
Safilo UK Ltd.
serviceuk@safilo.com
-------
megapolisss006.su/go/gate.php
.SU (Soviet Union) domains are bad news in general, if you can I would recommend blocking traffic to all of them. This domain is hosted on the following IPs:
195.2.88.196 (Zenon N.S.P., Russia)
94.229.22.39 (Bashrtcomm LIR, Russia)
94.229.22.42 (Bashrtcomm LIR, Russia)
You might want to consider blocking:
195.2.88.0/24
94.229.16.0/21
This though is the recommended minimum blocklist:
195.2.88.196
94.229.22.39
94.229.22.42
I am not entirely certain of the payload as the download locations seem to be unreliable.
Monday 10 August 2015
Malware spam: "Gabriel Daniel" / "Resume" / "Gabriel_Daniel_resume.doc"
From: alvertakarpinskykcc@yahoo.comInterestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] which has a VirusTotal detection rate of 2/56.
Date: 10 August 2015 at 19:40
Subject: Resume
Signed by: yahoo.com
Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter
Kind regards
Gabriel Daniel
As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on..
So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTS information to:
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay.com
MD5:
e34cf893098bd17ae9ef18b04cff58aa
Malware spam: "Premium Charging MI Package for Merchant 17143013" / "GEMS@worldpay.com"
From: GEMS@worldpay.com
Date: 10 August 2015 at 10:17
Subject: Premium Charging MI Package for Merchant 17143013
*** Please do not reply to this Message *** Attached is the Management Information to support your Monthly Invoice. Should you have any queries, please refer to your usual helpdesk number.
So far I have seen only one sample with named 17143013 01.docm. Despite having a detection rate of 5/55 at VirusTotal, the document is malformed and is Base 64 encoded. When manually decoded it still has a detection rate of 5/55 and it contains this malicious macro [pastebin] which then downloads a component from:
gardinfo.net/435rg4/3245rd2.exe
This is exactly the same payload as seen in this spam run also from this morning.
Malware spam: "Your order 10232 from Create Blinds Online: Paid" / "orders@createblindsonline.co.uk"
From: orders@createblindsonline.co.uk
Reply-To: orders@createblindsonline.co.uk
Date: 10 August 2015 at 07:59
Subject: Your order 10232 from Create Blinds Online: Paid
We would like to thank you for your recent order.
Order Status updated on: 10/08/2015
Your Customer ID: 1761
Your Order ID: 10232
Invoice Number: 10232
Delivery Note:
We received your order and payment on Aug/102015
Your order details are attached:
Kind regards
Create Blinds Online Team
This electronic message contains information from Create Blinds Online which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.
Attached is a file invoice-10232.doc which comes in at least two different variants [1] [2] containing a macro that looks like this [pastebin]. This attempts to download a malicious binary from one of the following locations:
mbmomti.com.br/435rg4/3245rd2.exe
j-choi.asia/435rg4/3245rd2.exe
The VirusTotal detection rate for this is 3/55. The Malwr report and Hybrid Analysis reports show that it generates traffic to 78.47.119.85 (Hetzner, Germany). The payload is almost definitely the Dridex banking trojan.
MD5s:
0864bc6951795b86d435176c3320a8bc
e3f30c2195c565e88a8534b15c7b942e
ba4ec70aa2179be4387a4aef10a8cd4f
Friday 7 August 2015
Malware spam: "Sleek Granite Computer" / "saepe 422-091-2468.zip" / "nulla.exe"
From: mafecoandohob [mafecoandohob@bawhhorur.com]The only sample of this I had was malformed and the attachment wasn't attached properly. However, if properly formatted it would have been named saepe 422-091-2468.zip and it contains a malicious executable named nulla.exe.
To: Karley Pollich
Date: 7 August 2015 at 13:17
Subject: Sleek Granite Computer
Good day!
If you remember earlier this week we discussed with You our new project which we intend to start next month.
For Your kind review we enclose here the business plan and all the related documents.
Please send us an e-mail in case You have any comments or proposed changes.
According to our calculations the project will start bringing profit in 6 months.
Thanks in advance.
Karley Pollich
Dynamic Response Strategist
Pagac and Sons
Toys, Games & Jewelery
422-091-2468
This has a VirusTotal detection rate of 4/55 with Sophos identifying it as a variant of Upatre. The Hybrid Analysis report shows a typical Upatre / Dyre traffic pattern to:
195.154.241.208:12800/0608us12/6FsvE66Gy1/0/61-SP1/0/FDMBEFJBMKBEMM
195.154.241.208:12800/0608us12/6FsvE66Gy1/41/2/18/FDMBEFJBMKBEMM
This IP address belongs to Online SAS in France who seem to have hosted quite a bit of this stuff recently, the hostname identifies it as belonging to poneytelecom.eu. Traffic is also spotted to:
37.57.144.177 (Triolan / Content Delivery Network, Ukraine)
95.143.141.50 (LTnet, Czech Republic)
There is also non-malicious traffic to icanhazip.com to identify the IP address of the infected machine. This is worth monitoring though as it is a potential indicator of compromise. The payload is almost definitely the Dyre banking trojan.
Recommended blocklist:
195.154.241.208
37.57.144.177
95.143.141.50
MD5:
9520d04a140c7ca00e3c4e75dd9ccd9f
Thursday 6 August 2015
Malware spam: "Voice message from 07773403290" / ""tel: 07773403290" [non-mail-user@voiplicity.co.uk]"
From "tel: 07773403290" [non-mail-user@voiplicity.co.uk]I was not able to determine if there was any body text from my sample collector, however each sample had an identical attachment message_01983527496.wav.zip which contains a malicious executable message_01983527496.exe. This has a VirusTotal detection rate of 5/55 and automated analysis tools [1] [2] show it POSTing to:
Date Thu, 06 Aug 2015 11:54:43 +0300
Subject RE: Voice message from 07773403290
wedspa.su/go/gate.php
This is hosted on a RU-Center IP address of 185.26.113.229 in Russia. Furthmore, a malicious executable is downloaded from the following locations:
globalconspiracy.hj.cx/1.exe
mastiksoul.org/1.exe
In turn, this has a detection rate of 2/55 and automated analysis of this [1] [2] show that it phones home to 212.47.196.149 (Web Hosting Solutions, Estonia).
The payload is unclear at this point, but you can guarantee that it will be nothing good.
Recommended blocklist:
185.26.113.229
212.47.196.149
MD5s:
da575b916f419b9e8bfea12168fa9902
f3ede4ebcd4b6debf15646a3d1a8bbd1
Spam: "The Funding Institute" / thefundinginstitute.org and fundinginstitute.org, Patchree Patchrint and Anthony Christopher Jones (yet again)
A tip from "Jimmy" in this post reveals a new name for the scheme, simply called "The Funding Institute" and although apparently using the domain thefundinginstitute.org, it is actually hosted on a crappy free website at fundinginstitute.myfreesites.net.
I haven't personally received spam about this one, but it is not hard to find examples [1] [2] [3] [4] and the one from discard.email is the most interesting (I copy it here in its entirety):
The Funding Institute is offering the Grant Funding and Proposal Writing Essentials Course
to be held in New York, New York on the campus of The State University of New York from July 15-17, 2015. Interested development professionals, researchers, faculty, and graduate students should register as soon as possible, as demand means that seats will fill up quickly. Please forward, post, and distribute this e-mail to your colleagues and listservs.
All participants will receive certification in professional Grant writing. For more information call (213) 347-4899 or visit The Funding Institute website.
Please find the program description below:
The Funding Institute's
Grant Funding and Proposal Writing Essentials Course will be held in New York, New Yorkon the campus of the The State University of New YorkJuly 15-17, 20158:00 AM - 5:00 PM
The Grant Funding and Proposal Writing Essentials Course
is an intensive and detailed introduction to the process, structure, and skill of professional proposal writing. This course is characterized by its ability to act as a thorough overview, introduction, and refresher at the same time. In this course, participants will learn the entire proposal writing process and complete the course with a solid understanding of not only the ideal proposal structure, but a holistic understanding of the essential factors, which determine whether or not a
program gets funded. Through the completion of interactive exercises and activities, participants will complement expert lectures by putting proven techniques into practice. This course is designed for both the beginner looking for a thorough introduction and the intermediate looking for a refresher course that will strengthen their grant acquisition skills. This class, simply put, is designed to get results by creating professional grant proposal writers.
Participants will become competent program planning and proposal writing professionals after successful completion of the Grant Funding and Proposal Writing Essentials Course. In three active and informative days, students will be exposed to the art of successful grant writing practices, and led on a journey that ends with a masterful grant proposal.
The Grant Funding and Proposal Writing Essentials Course consists of three (3) subject areas that will be completed during the three-day workshop.
(1) Fundamentals of Program Planning
This session is centered on the belief that "it's all about the program." This intensive session will teach professional program development essentials and program evaluation. While most grant writing "workshops" treat program development and evaluation as separate from the writing of a proposal, this class will teach students the relationship between overall program planning and grant writing.
(2) Proposal Writing Essentials
Designed for both the novice and experienced grant writer, this component will make each student an overall proposal writing specialist. In addition to teaching the basic components of a grant proposal, successful approaches, and the do's and don'ts of grant writing, this course is infused with expert principles that will lead to a mastery of the process. Strategy resides at the forefront of this course's intent to illustrate grant writing as an integrated, multidimensional, and dynamic
endeavor. Each student will learn to stop writing the grant and to start writing the story. Ultimately, this class will illustrate how each component of the grant proposal represents an opportunity to use proven techniques for generating support.
(3) Funding Research
At its foundation, this course will address the basics of foundation, corporation, and government grant research. However, this course will teach a strategic funding research approach that encourages students to see research not as something they do before they write a proposal, but as an integrated part of the grant seeking process. Students will be exposed to online and database research tools, as well as publications and directories that contain information about foundation, corporation, and
government grant opportunities. Focusing on funding sources and basic social science research, this course teaches students how to use research as part of a strategic grant acquisition effort.
Registration
$495.00 tuition includes all materials and certificates.
Each student will receive:
*The Funding Institute's Certificate in Professional Grant Writing
*The Guide to Successful Grant Writing
*The Grant Writer's Workbook with sample proposals, forms, and outlines
Registration Methods
1) On-Line - Complete the online registration form here and we'll send your confirmation by e-mail.
2) By Phone - Call (213) 347-4899 to register by phone. Our friendly Program Coordinators will be happy to assist you and answer your questions.
3) By E-mail - Reply to this e-mail with your name, organization, and basic contact information and we will reserve your slot and send your Confirmation Packet.
We respect your privacy and want to ensure that interested parties are made aware of The Funding Institute's programs and schedules. This is intended to be a one-time announcement. In any event, you should not receive any more announcements unless there
is a program next year in your area. To be excluded from next year's announcement, reply to this e-mail and write "Exclude" in the subject line.
That site also lists some partly redacted email headers, I highlight the most interesting ones:
Return-Path: newyXXX@Xpma11.orgIn those headers, the server identifies itself as "ipma11.org" which is related to this scam site operating last year. You can read a RipOffReport complaint about that scheme here, which explains what I understand of the business operation quite thoroughly. The server IP address of 107.179.95.116 (RaptorNode, Los Angeles) is also the same IP as used for the following nameservers:
X-Original-To: ronaldwhXXXXX@Xpambog.com
Received: from raptor.ipma11.org (unknown [107.179.95.116])
by mx.discard.email (Postfix) with ESMTPS id 3lMjVB6cp4z1yVV
for ronaldwhXXXXX@Xpambog.com; Thu, 9 Apr 2015 02:08:02 +0200 (CEST)
Received: (qmail 32427 invoked by uid 0); 9 Apr 2015 00:05:27 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=private; d=ipma11.org;
b=UvQsXfni3YL14EmWF9UY0bAUcpMT4H6jxUsnnNCEF2C9ZYEGuzlmhre4JQ7Klssu;
Received: from pool-173-55-54-221.lsanca.fios.verizon.net (HELO ipma11.org) (newyXXX@Xpma11.org@173.55.54.221)
by 107.179.95.116 with ESMTPA; 9 Apr 2015 00:05:27 -0000
From: The Funding Institute newyXXX@Xpma11.org
To: ronaldwhXXXXX@Xpambog.com
Subject: Grant Funding Essentials Course (July 15-17, 2015: The State University of New York)
Date: 08 Apr 2015 16:47:50 -0700
Message-ID: 20150408164749.086B4XXXXXXXXXXX@Xpma11.org
MIME-Version: 1.0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
ns1.ipma11.org
ns2.ipma11.org
This indicates that the email really did originate from the owners of ipma11.org (Jones and Patchrint) rather than it being a forgery. If we go further back in the email headers, we can see another IP address of 173.55.54.221 which (according to DomainTools) is in La Puente, California. According to WhitePages.com that location is consistent with the Hacienda Heights address of Patchree Patchrint.
It link her with a cellphone number of (626) 330-1793 and a potential home address of 16008 Shadybend Dr Hacienda Hts, CA 91745-2229, an address which was previously mentioned in the comments of this post.
Although their website lists a contact address of "info@thefundinginstitute.org" the underlying HTML tells a different story..
<u><a href="mailto:grantfundingusa@gmail.com" data-attached-link="{"type":"Email","url":"grantfundingusa@gmail.com","title":"grantfundingusa@gmail.com"}" class="wz-link"> info@thefundinginstitute.org</a></u>"grantfundingusa" again connects to this post for the scammy "Institute of Project Management America" scheme. The other contact details listed on the site are a telephone number of 213-347-4899 and a fax number of 877-538-3831.
As a side note, that fax number also appears on a very similar looking but defunct site using the domain projectmanagementinternational.org (just a forwarder to another crappy free web host at projectmanagementinternational.zohosites.com) which also lists a couple of other contact numbers of 323-813-8387 and 800-288-8387 the latter of which can be seen in this spam which is almost identical to "The Funding Institute" spam.
Another point of comparison is the similarity in design elements and wording between "The Funding Institute" and "Grant Funding USA", which uses a similar compass logo and almost exactly the same wording.
Overall, there are so many similarities between "The Funding Institute" and other schemes run by Jones and Patchrint. The complaints against these two (apart from a string of failed LA restaurants) are of courses that abruptly change locations from prestigious venues to much shabbier ones, of tutors who are recruited at the last minute and are often under-prepared (some of whom claim not to have been paid) leading to low-quality courses, and of course endless spam to promote the ever-changing names of these schemes which have an awful reputation.
I would not recommend doing business with this pair, and if you think you have been treated unfairly then I suggest you take legal advice or approach law enforcement, the BBB or regulatory authorities.
Wednesday 5 August 2015
Malware spam: "Booking Confirmation - Accumentia (16/9/15)" / "David Nyaruwa [david.nyaruwa@soci.org]"
From David Nyaruwa [david.nyaruwa@soci.org]Note that I believe that "Accumentia" is a typo for "Acumentia" but has actually been copied from the SCI's own website verbatim.
Date Wed, 05 Aug 2015 13:38:23 +0300
Subject Booking Confirmation - Accumentia (16/9/15)
Please find attached a proforma invoice for Accumentia's booking of the council room
on 16/09/15. The deposit to confirm the booking is 25% (ie £205.50) with the balance
due by the date of the meeting.
Regards,
David Nyaruwa
Project Accountant
SCI, 14-15 Belgrave Square, London, SW1X 8PS
T: +44 (0)20 7598 1536 E: mailto:david.nyaruwa@soci.org <mailto:patricia.cornell@soci.org>
W: www.soci.org
SCI - where science meets business
Phenotypic Approaches in Drug Discovery<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM441>,
18 March 2015, SCI, London, UK
Arrested Gels: Dynamics, Structure and Application,<https://www.soci.org/Events/Display-Event?EventCode=coll148>
23-25 March 2015, Gonville & Caius, Cambridge, UK
32nd Process Development Symposium<https://www.soci.org/Events/Display-Event.aspx?EventCode=FCHEM150>,
25-27 March 2015, Churchill College, Cambridge, UK
Reagentless Synthesis<https://www.soci.org/Events/Display-Event?EventCode=fchem440>,
1 April 2015, SCI, London, UK
For the full events listing and more information go to http://www.soci.org/Events
Attached is a file named Accumentia Booking (16-9-15).doc which comes in at least two different versions [VirusTotal results 6/56 and 7/56] which contain a macro that looks like this [pastebin] and which according to Hybrid Analysis [1] [2] download malware from the following locations:
hunde-detektive.de/75yh4/8g4gffr.exe
naturallyconvenient.co.za/75yh4/8g4gffr.exe
This file has a detection rate of 4/55 and the Malwr report shows that it phones home to the familiar IP of:
194.58.111.157 (Reg.RU, Russia)
I strongly recommend that you block traffic to that IP. The payload is the Dridex banking trojan.
MD5s:
1f259a88f61e45cc6f357f2fc8dacb9c
259e882d0ffafab3437390ec7203f54d
2a7b74cac1fde6c09a06065cb83ba640
Malware spam: "IMPORTANT - Document From Ofcom Spectrum Licensing" / "Spectrum.licensing@ofcom.org.uk"
From: Spectrum.licensing@ofcom.org.uk
Date: 5 August 2015 at 07:46
Subject: IMPORTANT - Document From Ofcom Spectrum Licensing
Dear Sir/Madam,
Please find attached an electronic version of important documents relating to your Wireless Telegraphy licence or application.
Please read the document carefully and keep it for future reference.
If any details within this letter are incorrect, please notify Ofcom Spectrum Licensing as soon as possible. It is the Licensee's responsibility to ensure all information we hold is correct and current.
If you have any enquiries relating to this document, please email
spectrum.licensing@ofcom.org.uk
Yours faithfully,
Ofcom Spectrum Licensing
Riverside House
2a Southwark Bridge Road
London SE1 9HA
Phone: 020 7981 3131
Fax: 020 7981 3235
Textphone: 020 7981 3043
In the sample I saw, the attachment was OFCOM_REN04_20150715_0976659.docm [VT 4/46] which contains this malicious macro [pastebin] which (according to this analysis) downloads a malware executable from:
naturallyconvenient.co.za/75yh4/8g4gffr.exe
This has a detection rate of 4/52 and automated analysis tools [1] [2] show it phoning home to:
194.58.111.157 (Reg.RU, Russia)
That IP has been used for badness a few times recently and I definitely recommend that you block traffic to it. The payload is most likely to be the Dridex banking trojan.
MD5s:
2934c524678e7e1447653e72a1e8ca3b
d9bf9f695433705dc4fc5986d170ba1f
Tuesday 4 August 2015
Malware spam: "Need your attention"
From: Hilda BucknerIn that case, the attachment is victimname_JM_1646.doc (other messages have differently-named attachments, but all with the victim's name in them) which in this case contains this malicious macro [pastebin].
Date: 4 August 2015 at 13:29
Subject: Need your attention: OO-6212/863282
Greetings
Hope you are well
Please find attached the statement that matches back to your invoices.
Can you please sign and return.
What that macro does (other ones may be slightly different) is download a VBS script from pastebin.com/download.php?i=0rYd5TK3 [link here, safe to click] which is then saved as %TEMP%\nnjBHccs.vbs.
That VBS then downloads a file from 5.196.241.204/bt/bt/ched.php which is then saved as %TEMP%\JHVHsd.exe which currently has a detection rate of zero (MD5 = 00dca835bb93708797a053a3b540db16).
The Malwr report indicates that this phones home to 80.247.233.18 (NFrance Conseil, France). The payload is probably the Dridex banking trojan.
Note that the malware also sends apparantly non-malicious traffic to itmages.ru , for example:
itmages.ru/image/view/2815551/2b6f1599
itmages.ru/image/view/2815537/2b6f1599
Therefore I would suggest that monitoring for traffic to itmages.ru is a fairly good indicator of compromise.
Malware spam: "INVOICE HH / 114954" / "haywardsheath@hpsmerchant.co.uk"
From [haywardsheath@hpsmerchant.co.uk]
Date Tue, 04 Aug 2015 12:19:56 +0200
Subject INVOICE HH / 114954
Please find attached INVOICE HH / 114954
--
Automated mail message produced by DbMail.
Registered to Heating & Plumbing Supplies, License MBS2009358.
Attached is a file R-20787.doc which contains a malicious macro like this one [pastebin] that comes in at least two different versions, downloading from the following URLs:
mszpdorog.hu/45g33/34t2d3.exe
cvaglobal.com/45g33/34t2d3.exe
The Hybrid Analysis reports [1] [2] give some insight as the the characteristics of the malicious document. The downloaded file has a VirusTotal detection rate of 3/55. Automated analysis [1] [2] shows traffic to the following IPs:
194.58.111.157 (Reg.RU, Russia)
62.210.214.106 (Iliad / Online S.A.S., France)
31.131.251.33 (Selectel, Russia)
The payload is the Dridex banking trojan.
Recommended blocklist:
194.58.111.157
62.210.214.106
31.131.251.33
MD5s:
8f3063ef8032799f71507b8f88f8a1c5
64011582b5dfa8fd79d823957a569b5f
3303a507e6584136c39c354085760987
Monday 3 August 2015
Malware spam: "E-bill : 6200228913 - 31.07.2015 - 0018" / "noreply.UK.ebiller@lyrecobusinessmail.com"
From: noreply.UK.ebiller@lyrecobusinessmail.comThe attachment is named 0018_6200228913.docm which contains a malicious macro like this one [pastebin]. So far I have seen three different variants (Hybrid Analysis reports [1] [2] [3]) which then go and download a malicious binary from one of the following locations:
Date: 2 August 2015 at 03:00
Subject: E-bill : 6200228913 - 31.07.2015 - 0018
Dear customer,
Please find enclosed your new Lyreco invoicing document nA^° 6200228913 for a total amount of 43.20 GBP, and
due on 31.08.2015
We would like to remind you that all of your invoices are archived electronically free of charge and can be reviewed by
you at any time.
For any questions or queries regarding your invoices, please contact Customer Service on Tel : 0845 7676999*.
Your Lyreco Customer Service
*** Please do not reply to the sender of this email.
This e-mail, including any attachments to it, may contain company confidential and/or personal information.
If you have received this e-mail in error, you must not copy, distribute, or disclose it, use or take any action based on the
information contained within it.
Please notify immediately by return e-mail of the error and then delete the original e-mail by replying to
wise.cs.iqt@lyreco.com ***
orpigagny.com/w45r3/8l6mk.exe
audiobienentendre.fr/w45r3/8l6mk.exe
immobilier-roissyenbrie.com/w45r3/8l6mk.exe
All of these sites are hosted on 94.23.55.169 (OVH, France). The binary has a detection rate of 4/55. This Malwr report shows it phoning home to 46.36.219.141 (FastVPS, Estonia). The payload is probably the Dridex banking trojan.
Recommended blocklist:
46.36.219.141
94.23.55.169
MD5s:
939EE3B203B79F6422EF4A96FDE11393
1C76B4A8CFA4227DCFCF0FD2C2C4BA37
D0EC5C08C0A7F744C620CFA28F96521E
147D2E6E2D5903FE694DDC59BCB55DD0
Saturday 1 August 2015
Spam: Countrywide Money Ltd (countrywidemoney.co.uk)
You know things must be desperate when a business turns to spam. Here's a dubious-looking spam that seems to be presenting itself in a way that looks like a get-rich-quick scheme.
From: Countrywide Money [info@countrywidemoney.co.uk]
Reply-To: Info@countrywidemoney.co.uk
Date: 1 August 2015 at 05:11
Subject: Extra Income FOR YOU!
Incidentally, the Unsubscibe link doesn't work. Tsk tsk.
Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK. So, what can we find out about this Countrywide Money Ltd?
Let's start with the WHOIS details for the domain countrywidemoney.co.uk:
Domain name:
countrywidemoney.co.uk
Registrant:
Countrywide Money
Registrant type:
UK Individual
Registrant's address:
The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.
A non-trading individual? Let's look at that web site for a moment..
Well, it doesn't look like a personal homepage to me. But we can look up the details of Countrywide Money Ltd at Companies House to see what we can find. It turns out that the sole director is one "Tony Edwards" who should presumably be listed on the domain WHOIS:
DIRECTOR: EDWARDS, TONY MR
Appointed: 07/06/2012
Date of Birth: 24/10/1972
Nationality: BRITISH
No. of Appointments: 3
Address:
53 FEATHER DELL
HATFIELD
UNITED KINGDOM
AL10 8DE
Country/State of Residence: UNITED KINGDOM
Let's have a look at the flashy offices in Hatfield, eh? Oh.. it looks like a residential address.
A bit of a disappointment really as the web site and brochure look so promising. A little bit more digging at DueDil shows some equally disappointing looking financials.
Hmmm.
One other odd thing, the "About Us" page says that they were founded in 2002..
But Companies House says they were only incorporated in 2012:
That's kind of.. odd. There must be some rational explanation for the discrepancy.
Anyway, I'm not sure why this person feels that promoting their business through spam is appropriate. I certainly won't be signing up to this scheme.
UPDATE 6/2/16
Somebody claiming to be Tony Edwards has made several angry comments on the end of this post, but has not addressed the simple query of where they got their mailing list from. This somewhat incoherent, ill-informed and badly spelled comments cumulated in something that could easily be misinterpreted as a threat of blackmail and even violence.
These comments are connected to a Google+ profile that looks to be genuine, but it is possible I suppose that they are coming from an imposter. My personal opinion is that if they are genuine then they simply show how unprofessional Mr Edwards is.
An explanation as to how the spam email ended up with a non opt-in address would be good. An apology for spamming would be perfectly acceptable. Threats are not.
From: Countrywide Money [info@countrywidemoney.co.uk]
Reply-To: Info@countrywidemoney.co.uk
Date: 1 August 2015 at 05:11
Subject: Extra Income FOR YOU!
For further information on registration to become an agent, please call our introducer help Desk on 0800 195 3757; to Unsubscribe Click Here!
Incidentally, the Unsubscibe link doesn't work. Tsk tsk.
Now, I'm sure this is a legitimate business offer and not some sort of scam. But all those banknotes and the general pitch seems to suit an operation in Lagos rather than one in the UK. So, what can we find out about this Countrywide Money Ltd?
Let's start with the WHOIS details for the domain countrywidemoney.co.uk:
Domain name:
countrywidemoney.co.uk
Registrant:
Countrywide Money
Registrant type:
UK Individual
Registrant's address:
The registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service.
A non-trading individual? Let's look at that web site for a moment..
Well, it doesn't look like a personal homepage to me. But we can look up the details of Countrywide Money Ltd at Companies House to see what we can find. It turns out that the sole director is one "Tony Edwards" who should presumably be listed on the domain WHOIS:
DIRECTOR: EDWARDS, TONY MR
Appointed: 07/06/2012
Date of Birth: 24/10/1972
Nationality: BRITISH
No. of Appointments: 3
Address:
53 FEATHER DELL
HATFIELD
UNITED KINGDOM
AL10 8DE
Country/State of Residence: UNITED KINGDOM
Let's have a look at the flashy offices in Hatfield, eh? Oh.. it looks like a residential address.
A bit of a disappointment really as the web site and brochure look so promising. A little bit more digging at DueDil shows some equally disappointing looking financials.
Hmmm.
One other odd thing, the "About Us" page says that they were founded in 2002..
That's kind of.. odd. There must be some rational explanation for the discrepancy.
Anyway, I'm not sure why this person feels that promoting their business through spam is appropriate. I certainly won't be signing up to this scheme.
UPDATE 6/2/16
Somebody claiming to be Tony Edwards has made several angry comments on the end of this post, but has not addressed the simple query of where they got their mailing list from. This somewhat incoherent, ill-informed and badly spelled comments cumulated in something that could easily be misinterpreted as a threat of blackmail and even violence.
These comments are connected to a Google+ profile that looks to be genuine, but it is possible I suppose that they are coming from an imposter. My personal opinion is that if they are genuine then they simply show how unprofessional Mr Edwards is.
An explanation as to how the spam email ended up with a non opt-in address would be good. An apology for spamming would be perfectly acceptable. Threats are not.
Tuesday 28 July 2015
Malware spam: "Incoming Fax" / "Internal ONLY"
From: Incoming Fax [Incoming.Fax@victimdomain]
Date: 18 September 2014 at 08:39
Subject: Internal ONLY
**********Important - Internal ONLY**********
File Validity: 28/07/2015
Company : http://victimdomain
File Format: Microsoft word
Legal Copyright: Microsoft
Original Filename: (#2023171)Renewal Invite Letter sp.doc
********** Confidentiality Notice **********.
This e-mail and any file(s) transmitted with it, is intended for the exclusive use by the person(s) mentioned above as recipient(s).
This e-mail may contain confidential information and/or information protected by intellectual property rights or other rights. If you
are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution, copying, or action taken
in relation to the contents of and attachments to this e-mail is strictly prohibited and may be unlawful. If you have received this
e-mail in error, please notify the sender and delete the original and any copies of this e-mail and any printouts immediately from
your system and destroy all copies of it.
(#2023171)Renewal Invite Letter sp.exe
Attached is a Word document with a malicious macro. The Hybrid Analysis report shows it downloading components from several locations, but doesn't quite catch the malicious binary being downloaded from:
http://umontreal-ca.com/word/word.exe
This has a VirusTotal detection rate of 2/55.
umontreal-ca.com (89.144.10.200 / ISP4P, Germany) is a known bad domain. Other analysis is pending, however the payload is likely to be the Dyre banking trojan.
UPDATE:
This Hybrid Analysis report shows traffic to the following IPs:
67.222.202.183 (Huntel.net, US)
195.154.163.4 (Online SAS, France)
192.99.35.126 (OVH, Canada)
95.211.189.208 (Leaseweb, Netherlands)
Recommended blocklist:
89.144.10.200
67.222.202.183
195.154.163.4
192.99.35.126
95.211.189.208
Malware spam: "Your Air France boarding documents on 3Aug" / "cartedembarquement@airfrance.fr"
From: Air France [cartedembarquement@airfrance.fr]
Reply-To: noreply@airfrance.fr
Date: 28 July 2015 at 10:32
Subject: Your Air France boarding documents on 3Aug
Attached is your Air France boarding pass.
Attached is your boarding pass in PDF format.
Important information
- Your boarding pass in PDF format is only valid when printed. Please print this document and present it at the airport. Please print your boarding pass in PDF format.
If you are not able to print your boarding pass, please print it at the airport, using a Self-Service Kiosk or at a check-in counter.
Thank you for choosing Air France. We wish you a pleasant flight. This is an automatically generated e-mail. Please do not reply. Legal notice Air France is committed to protecting your privacy. Our privacy policy specifies:
- how we use the data we collect about you
- the measures we employ to protect your privacy.
You will also find the procedure for limiting the use of your data.
Attached is a file Boarding-documents.docm which comes in several variants, but carries the same exact payload as this earlier attack today.
Malware spam: "Please Find Attached - Report form London Heart Centre" / "lhc.reception@heart.org.uk"
From lhc.reception@heart.org.uk
Date Tue, 28 Jul 2015 14:15:05 +0700
Subject Please Find Attached - Report form London Heart Centre
(See attached file: calaidzis, hermione.doc)
Attached is a file calaidzis, hermione.docm which comes in at least three different versions [1] [2] [3] which download a malicious binary from one of the following locations:
http://laperleblanche.fr/345/wrw.exe (94.23.1.145 / OVH, France)
http://chloedesign.fr/345/wrw.exe (85.236.156.24 / Barizco Inc., France)
http://ce-jeffdebruges.com/345/wrw.exe (94.23.1.145 / OVH, France)
This is saved as %TEMP%\treviof.exe and has a detection rate of 4/55. Automated analysis tools [1] [2] [3] report that it phones home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
I recommend that you block that IP. The malware is the Dridex banking trojan.
MD5s:
5be14022a092eec9855e28c2498f5ada
04e3ab669c516b04f92a631aa1498ba9
550599ad64385497110f8bdb28164be2
5c8aa48a831675fa2b8e09821d37671a
Monday 27 July 2015
Malware spam: "Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715" / "[1NAV PROD RCS] " / "donotreply@royal-canin.fr"
From "[1NAV PROD RCS] " [donotreply@royal-canin.fr]Attached to the message is a file Order Confirmation RET-396716 230715.xml (it wasn't attached properly in the samples I saw) with a VirusTotal detection rate of 1/55, which in turn contains a malicious macro that looks like this [pastebin] which downloads an executable from one of the following locations (there are probably more):
Date Mon, 27 Jul 2015 18:49:16 +0700
Subject Order Confirmation RET-396716 Your Ref.: JL0815/1333 230715
Please find attached your Sales Order Confirmation
Note: This e-mail was sent from a notification only e-mail address that
cannot accept incoming e-mail. PLEASE DO NOT REPLY TO THIS MESSAGE.
http://www.madagascar-gambas.com/yffd/yfj.exe
http://technibaie.net/yffd/yfj.exe
http://blog.storesplaisance.com/yffd/yfj.exe
This is saved as %TEMP%\ihhadnic.exe, and has a detection rate of 2/55. Automated analysis tools [1] [2] [3] show that it attempts to phone home to:
93.171.132.5 (PE Kartashev Anton Evgen'evich, Ukraine)
MD5s:
CA6E11BAA28B724E032326898D8A1A3C
E5DA1A23BC4B530CDEA3E17B1E34C4DA
97832482A5E3D541779F591B4DA94017
6FCD67F5C5C96A98687737DC93305B3F
Friday 24 July 2015
Evil network: Malicious RATs (including milano.exe) on 185.19.85.128/26 (Datawire AG)
From: wholesale.uganda@anisuma.com"Anisuma Traders" is the name of a legitimate trading corporation with operations in several African countries, although they are not sending the spam. It looks like a phish, right? Wrong..
To: "tariq@paramountdistributors.com" [wholesale.uganda@anisuma.com]
Date: 24 July 2015 at 13:31
Subject: re:invoice
Attention
Please confirm your consignee name and address on the BL
http://a.pomf.se/cvpkgu.rar
please let update me
thanks
The apparent link to a .rar file caught my eye. In fact, the download location is not pomf.se (a defunct Swedish site) but the click chain goes like this:
http://ge.tt/api/1/files/1XjW10L2/0/blob?download
http://api.ge.tt/1/files/1XjW10L2/0/blob?download
http://ec2-54-155-123-115.eu-west-1.compute.amazonaws.com:9009/streams/1XjW10L2/stu.rar?sig=-U7AIHwQKNyk4BP6A2uOe9UYEFBYCm3SADo&type=download
Both the Malwr and Hybrid Analysis reports show that it hooks into the OS and attempts to avoid detection. Crucially, they both show network traffic to gee.duia.eu on 185.19.85.138 (Datawire, Switzerland).
So, McAfee thinks this is a RAT and there's suspect network traffic, but what do the email headers tell us?
Received: from mail.anisuma.com (mail.jackys.com [83.111.201.118])The "X-MDRemoteIP" header shows that the email originates from the same server it is phoning home to. This is unusual because most spam these days come from botnets, and if the originating server gets shut down for spam then the infected clients won't be able to phone home. The email routes through servers belong to jackys.com in the UAE, perhaps indicating that someone has altered their systems to allow the malicious traffic to route through.
(using TLSv1 with cipher AES128-SHA (128/128 bits))
(No client certificate requested)
by [redacted] (Postfix) with ESMTPS id A8CE2AF548
for [redacted]; Fri, 24 Jul 2015 12:32:29 +0000 (UTC)
Received: from [10.85.138.34] by mail.jackys.com (Cipher TLSv1:-SHA:128) (MDaemon PRO v12.5.3)
with ESMTP id md50009556350.msg
for [redacted]; Fri, 24 Jul 2015 16:33:59 +0400
X-Spam-Processed: mail.jackys.com, Fri, 24 Jul 2015 16:33:59 +0400
(not processed: message from trusted or authenticated source)
X-MDRemoteIP: 185.19.85.138
X-Return-Path: prvs=164718a849=wholesale.uganda@anisuma.com
X-Envelope-From: wholesale.uganda@anisuma.com
X-MDaemon-Deliver-To: [redacted]
Content-Type: multipart/alternative; boundary="===============0415218432=="
MIME-Version: 1.0
Subject: re:invoice
To: "tariq@paramountdistributors.com" <wholesale.uganda@anisuma.com>
From: wholesale.uganda@anisuma.com
Date: Fri, 24 Jul 2015 13:31:09 +0100
185.19.85.138 is therefore a server of interest, but a quick look at the IP and the neighbourhood indicate that this isn't just a single popped server.. there are 58 IPs hosting what appears to be malicious data (listed at the end) taking up the entire 185.19.85.128/26 range.
I'm betting that renting a /26 slice of Swiss servers isn't cheap.
Out of all the malicious domains (listed at the end of the post), one stands out boss.milano22.com (because the binary is named milano.exe). That is related to this malware, but the WHOIS details reveal no clues.
Another one that also caught my eye because it is multihomed on so many IPs is zexio.no-ip.biz which is related to this malware from 2012 which is variously identified as Shakblades and/or Blackshades, both illicit RAT tools.
Looking at various other domains shows that they are connected with other malicious activity over the past two years or so. What that means is that this operation is not only big, but has been going on for some time.
For research purposes, a copy of the malware is here (Zip file, password=infected)
Personally, I would recommend that you block all dynamic DNS domains on a corporate network, and combined with the other potentially malicious domains gives the following recommended blocklist:
185.19.85.128/26
a5b4c3d2e1.com
3utilities.com
blogsyte.com
brasilia.me
chickenkiller.com
craftx.biz
ddns.me
ddns.net
dnsiskinky.com
duia.eu
dvrcam.info
eating-organic.net
game-server.cc
game-host.org
geekgalaxy.com
gotdns.com
homeip.net
isa-geek.net
glory297.org
hopto.org
linkpc.net
milano22.com
minecraftnoob.com
mlbfan.org
no-ip.biz
no-ip.info
no-ip.org
noip.me
noip.us
redirectme.net
serveblog.net
serveftp.com
sytes.net
zapto.org
zicoyanky.pw
Malicious IPs:
185.19.85.133
185.19.85.134
185.19.85.135
185.19.85.136
185.19.85.137
185.19.85.138
185.19.85.139
185.19.85.140
185.19.85.141
185.19.85.142
185.19.85.143
185.19.85.144
185.19.85.145
185.19.85.146
185.19.85.147
185.19.85.148
185.19.85.149
185.19.85.150
185.19.85.151
185.19.85.152
185.19.85.153
185.19.85.154
185.19.85.155
185.19.85.156
185.19.85.157
185.19.85.158
185.19.85.159
185.19.85.160
185.19.85.161
185.19.85.162
185.19.85.163
185.19.85.164
185.19.85.165
185.19.85.166
185.19.85.167
185.19.85.168
185.19.85.169
185.19.85.170
185.19.85.171
185.19.85.172
185.19.85.173
185.19.85.174
185.19.85.175
185.19.85.176
185.19.85.177
185.19.85.178
185.19.85.179
185.19.85.180
185.19.85.181
185.19.85.182
185.19.85.183
185.19.85.184
185.19.85.185
185.19.85.186
185.19.85.187
185.19.85.188
185.19.85.189
185.19.85.190
Malicious domains:
fort.ugo10.minecraftnoob.com
mtxcg.craftx.biz
6306921.no-ip.biz
1mathieucg.no-ip.biz
artengo.no-ip.biz
asawakath.no-ip.biz
asrxxx.no-ip.biz
bluemountain55.no-ip.biz
bluntmosphere.no-ip.biz
businessdb04.no-ip.biz
charssi693.no-ip.biz
chobitsshocks.no-ip.biz
daniel123k.no-ip.biz
debug.no-ip.biz
divin32.no-ip.biz
donkriss101.no-ip.biz
draynet1.no-ip.biz
fatal889321.no-ip.biz
freebandz.no-ip.biz
freeyou2014.no-ip.biz
gptman5.no-ip.biz
gptmanster5.no-ip.biz
ian1954.no-ip.biz
icediamant.no-ip.biz
ikemello.no-ip.biz
infosearch898.no-ip.biz
itisnotreal.no-ip.biz
jskvikel.no-ip.biz
kobsrat.no-ip.biz
lizzykane.no-ip.biz
lolwot.no-ip.biz
maicol.no-ip.biz
michael8776.no-ip.biz
miker790.no-ip.biz
milano22.no-ip.biz
mortexmutex.no-ip.biz
natilexx.no-ip.biz
nonysa.no-ip.biz
oezeokobe1.no-ip.biz
oneprouddad.no-ip.biz
rumberocalle.no-ip.biz
serenity786.no-ip.biz
sm3351.no-ip.biz
sslcertificates.no-ip.biz
stroperjilles.no-ip.biz
update28459.no-ip.biz
uzolion.no-ip.biz
windowsupdate995.no-ip.biz
wizard2002.no-ip.biz
wowyougotme.no-ip.biz
wuwksterboss.no-ip.biz
zexio.no-ip.biz
new.game-server.cc
nnicrosoft.3utilities.com
obinnabio.blogsyte.com
joeban.chickenkiller.com
ceedata.dnsiskinky.com
bio4kobs.geekgalaxy.com
kan3.gotdns.com
boss.milano22.com
microsoftcorp.serveftp.com
shadybiodata.dvrcam.info
izimother.no-ip.info
lopta10.no-ip.info
nzvat.no-ip.info
test13.no-ip.info
biodataczar.brasilia.me
streetdesciple.ddns.me
austinrat.noip.me
marct2702.noip.me
bigtoby35.ddns.net
businessdb00.ddns.net
layziebone009.ddns.net
mikey0147.ddns.net
cagbbio.eating-organic.net
new.homeip.net
pcuser.homeip.net
updated.homeip.net
spynet.homelinux.net
microdude.isa-geek.net
akconsult.linkpc.net
enitan.linkpc.net
server23.redirectme.net
serialcheck55.serveblog.net
obasanjo.sytes.net
sadsix.sytes.net
window.sytes.net
internet.game-host.org
coza.glory297.org
makingpay.hopto.org
tudorsdetails.mlbfan.org
ayool.no-ip.org
ayool1.no-ip.org
ayool2.no-ip.org
beastyyou.no-ip.org
business11.no-ip.org
chuks052.no-ip.org
cryptoesel.no-ip.org
dextercom.no-ip.org
divin32.no-ip.org
doingit108.no-ip.org
fazbar2013.no-ip.org
frankspecht.no-ip.org
immo506.no-ip.org
immo886.no-ip.org
jackro.no-ip.org
lizzykane.no-ip.org
micheal4fingax-07.no-ip.org
milano99.no-ip.org
morechedder.no-ip.org
mywaylife.no-ip.org
orangeroom.no-ip.org
papakamsi4moni7.no-ip.org
spongebob30.no-ip.org
ukon.no-ip.org
win7test.no-ip.org
zenithsales.no-ip.org
0tazbox.zapto.org
bellwiz2.zapto.org
bluemountain.zapto.org
bluemountain66.zapto.org
client.zapto.org
hessu.zapto.org
hessubs.zapto.org
izilife.zapto.org
sadsix.zapto.org
tazbox.zapto.org
tinubu.zapto.org
win7test.zapto.org
x631.zapto.org
xecuter.zapto.org
xecuter2.zapto.org
www.zicoyanky.pw
twitch.noip.us
a5b4c3d2e1.com
gee.duia.eu
Thursday 23 July 2015
Malware spam: "Order Form for Job Number 2968347" / "steve.champion@printing.com"
From "steve.champion@printing.com" [steve.champion@printing.com]
Date Thu, 23 Jul 2015 18:23:44 +0700
Subject Order Form for Job Number 2968347
Hello ,
Thanks for your order, job reference 2968347. Please open the attached order form,
read it and check it.
To Accept your order:
- Visit http://www.printing.com/uk/
- Sign in (see below if you don't have a username or you've forgotten your password);
- In the "My Orders" section, click on job 2968347;
- Click the "Accept" button at the bottom of the screen;
If you have any queries about the order please call me before you accept it.
Thanks again for your order!
Kind Regards,
Steve Champion
printing.com Middlesbrough
Cargo Fleet Offices
Middlesbrough Rd
Middlesbrough
TS6 6XH
Tel: 01642 205649
Fax:
Email: steve.champion@printing.com
Franchises are independently owned and operated under licence. Dan James Limited.
Registered in England No. 5164910 Registered Address: Rede House, 69-71 Corporation
Road, Middlesbrough, TS1 1LY VAT Registration No.: GB 847 8229 85
Attached is a file OrderForm2968347.docm which I have seen in three different versions (there are maybe more) with various detection rates [1] [2] [3]. They contain a malicious macro like this one [pastebin].
The macro downloads a malicious binary from one of the following locations:
solution-acouphene.fr/mini/mppy.exe
surflinkmobile.fr/mini/mppy.exe
verger-etoile.fr/mini/mppy.exe
All of these are on the same compromised OVH France server of 94.23.1.145. The binary has a detection rate of just 2/54 and it is saved as %TEMP%\ihhadnic.exe. Automated analysis [1] [2] [3] shows attempted network traffic to:
85.25.199.246 (PlusServer AG, Germany)
194.58.96.45 (Reg.Ru, Russia)
31.131.251.33 (Selectel, Russia)
The payload appears to be the Dridex banking trojan.
Recommended blocklist:
85.25.199.246
194.58.96.45
31.131.251.33
94.23.1.145
MD5s:
74fca464697b5816acfe9140ee387ecd
fd8291e5147abef45654f3da6d5cfc28
a32eb507c674d82c6161bb606f594782
a3e64d3f4fa2168315428e573746caf4
Wednesday 22 July 2015
Malware spam: "Payment Receipt" / "donotreply@dart-charge.co.uk"
From [donotreply@dart-charge.co.uk]The samples I saw had no body text and an attachment PaymentReceipt.xml [VT 5/55] which is an XML file [pastebin] with a Base64 encoded section which magically transforms into a malicious Word macro.
Date Wed, 22 Jul 2015 19:26:51 +0700
Subject Payment Receipt
This macro downloads a malicious binary from:
http://puerta.fr/sandra/write.exe
Other versions of the attachment may download the same binary from different locations. This is saved as %TEMP%\mikapolne.exe and has a VirusTotal detection rate of 26/55. Automated analysis [1] [2] [3] shows it communicating with:
194.58.96.45 (Reg.Ru, Russia)
This IP has been in use in this other campaign today and is well worth blocking.
MD5s:
89e93a926de9c212a2b148722c938ba3
38f9913a89f00badb2a78c6f19c33544
Malware spam: HMRC application with reference XXXX XXXX XXXX XXXX received / noreply@hmrc.gov.uk
From: noreply@hmrc.gov.uk [noreply@hmrc.gov.uk]
Date: 22 July 2015 at 13:19
Subject: HMRC application with reference 5CSS 1QDX 27KH LRFM received
The application with reference number 5CSS 1QDX 27KH LRFM submitted by you or your agent to register for HM Revenue & Customs (HMRC) has been received and will now be verified. HMRC will contact you if further information is needed.
The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Vodafone in partnership with Symantec. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.
Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.
Attached is a file 2015_MURI_FOA_ONR_FOA_14-012_FINAL_EGS.doc with a VirusTotal detection rate of 7/55 which if opened (not advised) pretends to be an encrypted document that requires Active Content to be enabled.
vinestreetfilms.com/wp-content/plugins/jetpack/_inc/genericons/genericons/rtl/78672738612836.txt
midlandspestcontrol.net/wp-includes/js/tinymce/themes/advanced/skins/o2k7/78672738612836.txt
midlandspestcontrol.net//wp-includes/js/tinymce/themes/advanced/skins/o2k7/fafa.txt
This includes another malicious script. This then leads to the download of a malicious binary from:
anacornel.com/images/desene/united.exe
This has a VirusTotal detection rate of just 2/55. Automated analysis is pending.
MD5s:
605905df205b6c266856990a49abdfef
1fdb0af80d01739410a3eef67c4144ff
UPDATE: a Hybrid Analysis report is here, but it does not add much more detail.
Subscribe to:
Posts (Atom)