Email scams – various UPS delivery notifications or failures

Timestamps – across February 2017 and the latest on 1/3/2017 11:05 PM

Subjects

  • We could not deliver your parcel, #2992510
  • Delivery Notification, ID 01243538
  • Notification status of your delivery (UPS 002899036)
  • Unable to deliver your item, #009069115
  • New status of your UPS delivery (code: 09257453)

Sender IPs

207.210.200.162

108.179.230.35

107.170.219.63

188.214.210.128

173.254.28.90

Sender email addresses

www-data@vps1.senorcoders.com

wvchost@dallas127.arvixeshared.com

theminh9@box6065.bluehost.com

escapebg@vps35507.whmpanels.com

jdhillo1@just90.justhost.com

Attachments

All files are .zip and have a name related to “UPS”. Similar to a previous post, the attachments are nested Matryoshka style. What’s interesting is that the deeper you go, the fewer matches you get on VirusTotal, as in the example below:


  • Initial zip file – 29/57 – https://www.virustotal.com/ro/file/199205532525a062bc98b1bfedb10faa690bcee646f51d2cc6445eb00af01f9c/analysis/
  • Zip in zip file – 27/57 – https://www.virustotal.com/ro/file/dc98d8bc31f2c265543f15c8a056d93bb667e495d4fe48a1b37dfcf6b7646797/analysis/
  • JS in zip file – 24/55 – https://www.virustotal.com/ro/file/9d5ff533c69873f62b37d9ed6ca714a6ba9b4f7002c1b4eca1f4a56a1ba1b880/analysis/
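To get a SHA256 for every layer of a nested attachment like this one (outer zip, inner zip, JS file) so each can be looked up separately, the following is an added example and not code from the original post. The depth and size limits, the helper names and the sample file names are assumptions, and the sample archive is constructed and harmless.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 5                        # assumed limit; the samples above nest two zips deep
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed per-member cap against zip bombs


def layer_hashes(data, name, depth=0):
    """Return [(depth, name, sha256)] for a blob and every layer nested in it.

    Members are only read into memory: nothing is written to disk or executed.
    """
    rows = [(depth, name, hashlib.sha256(data).hexdigest())]
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return rows
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    member = fh.read(MAX_MEMBER_BYTES + 1)
                if len(member) > MAX_MEMBER_BYTES:
                    rows.append((depth + 1, info.filename, "skipped: over size cap"))
                    continue
                rows.extend(layer_hashes(member, info.filename, depth + 1))
    except (zipfile.BadZipFile, RuntimeError) as exc:  # corrupt or encrypted archive
        rows.append((depth + 1, name, f"unreadable: {exc}"))
    return rows


def build_sample():
    """Constructed, harmless stand-in for the zip -> zip -> .js layout."""
    js = b"// constructed placeholder, not a real sample\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("UPS-Package-00000000.js", js)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("UPS-Package-00000000.zip", inner.getvalue())
    return outer.getvalue(), js


if __name__ == "__main__":
    blob, _ = build_sample()
    for depth, name, digest in layer_hashes(blob, "UPS-Package-00000000.zip"):
        print("  " * depth + f"{digest}  {name}")
```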

File names

  • UPS-Delivery-Details-2992510.zip
  • UPS-Package-01243538.zip
  • UPS-Parcel-ID-002899036.zip
  • UPS-Package-009069115.zip

SHA256 Hashes

For each attachment there are 3 different hashes – the first for the initial zip, the second for the zip file inside the initial zip and the last for the JS file.

For the sake of consistency I’ll split them into the Zip and JS files.

Zip


JS


Extracted domains


Post execution observations to be added

Update 1

A bit of sloppy coding, as execution could not be done because of

ActiveXObject is not defined

which is used only on IE. Dropped the idea of a manual sandbox and used hybrid-analysis.com:

  • https://www.hybrid-analysis.com/sample/3857eac7ff002f7a43f5158ab24426719991e1b744946576ac541eebf3abbb1c
  • https://www.hybrid-analysis.com/sample/263ba2280e22f075a294be66b8bd82a5427f6183e70e7dceeaa42557e5c27a2c
  • https://www.hybrid-analysis.com/sample/3c139ed7727cba459fa98fe64d21b325cd5543c67750c25ed3c494a638bc3713?environmentId=100
  • https://www.hybrid-analysis.com/sample/9d5ff533c69873f62b37d9ed6ca714a6ba9b4f7002c1b4eca1f4a56a1ba1b880?environmentId=100
  • https://www.hybrid-analysis.com/sample/d519f5b1f248a7ff992b3777a12f74c5ff2e15be62696bcc604414f17da10601?environmentId=100

All IOCs added on https://otx.alienvault.com/pulse/58bc18d45b9a13274ebc220a/