Nytro Posted November 30, 2014 Report Share Posted November 30, 2014 2014-11-26 - SANDWORM SAMPLE ASSOCIATED FILES:ZIP file - Associated malware: 2014-11-26-sandworm-malware.zip TXT file - Example of the phishing email with headers (sanitized): 2014-11-26-sandworm-email-with-headers.txt NOTES:This is an example of the infamous Sandworm exploit, which uses a Powerpoint file to exploit the CVE-2014-4114 vulnerability. The .ppsx file was executed in a sandbox environment, different VMs, and a physical host, but each time the dropped malware generated an error. Tried this only on Windows 7 hosts--maybe I would've had better luck with Windows XP. Noticed the email shortly before Thanksgiving, and I'm thankful to have a Sandworm sample to share. EXAMPLE OF THE EMAILS SCREENSHOT:MESSAGE TEXT: Subject: Re: Purchase InvoiceDate: Wed, 26 Nov 2014 08:16:43 UTCFrom: Al Muntaser Trading Co <manup.talal@almuntaser.com>To: Recipients <manup.talal@almuntaser.com>Dear Sir,Sequel to our previous conversation, kindly provide us the invoice of the attached purchase order so we can confirm and make payment.Many thanksRegards,Manup T.N.Golden Crown Trading & General Contracting Co.P.O. Box 26000, Safat 13120, KuwaitAttachment: Invoice.ppsx (142 KB) PRELIMINARY MALWARE ANALYSIS MALWARE ATTACHEMENT:File name: Invoice.ppsxFile size: 142.2 KB ( 145639 bytes )MD5 hash: 5176d1383a7114039e71bbfccd578f92Detection ratio: 15 / 56First submission: 2014-11-26 08:02:49 UTCVirusTotal link: https://www.virustotal.com/en/file/d91daaeb385efbc23893390c721ed7fb2bde8c507e34129fb95a8caeda71d272/analysis/DROPPED FILE AFTER RUNNING THE MALWARE:File name: putty.exeFile size: 182.9 KB ( 187287 bytes )MD5 hash: 46c4bd9b2318552fe0812d41e3122170Detection ratio: 19 / 56First submission: 2014-11-30 01:10:10 UTCVirusTotal link: https://www.virustotal.com/en/file/17398b9cdd40136b32bc8fa811af21101589adb889246afbfcecc05464ced068/analysis/ SCREENSHOTS When you run the Powerpoint file, it quickly asks for permission to run the dropped malware:Shortly after that, the dropped malware stops working: FINAL NOTES Once again, here are the associated files:ZIP file - Associated malware: 2014-11-26-sandworm-malware.zip TXT file - Example of the phishing email with headers (sanitized): 2014-11-26-sandworm-email-with-headers.txt The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask. Click here to return to the main page.Sursa: Malware-Traffic-Analysis.net - 2014-11-26 - Sandworm sample Quote Link to comment Share on other sites More sharing options...
