Jump to content
Nytro

SANDWORM SAMPLE

By Nytro, in Reverse engineering & exploit development

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

2014-11-26 - SANDWORM SAMPLE

ASSOCIATED FILES:

NOTES:

  • This is an example of the infamous Sandworm exploit, which uses a Powerpoint file to exploit the CVE-2014-4114 vulnerability.
  • The .ppsx file was executed in a sandbox environment, different VMs, and a physical host, but each time the dropped malware generated an error.
  • Tried this only on Windows 7 hosts--maybe I would've had better luck with Windows XP.
  • Noticed the email shortly before Thanksgiving, and I'm thankful to have a Sandworm sample to share.

EXAMPLE OF THE EMAILS

SCREENSHOT:

2014-11-26-phishing-email-screenshot.jpg

MESSAGE TEXT:

Subject: Re: Purchase Invoice

Date: Wed, 26 Nov 2014 08:16:43 UTC

From: Al Muntaser Trading Co <manup.talal@almuntaser.com>

To: Recipients <manup.talal@almuntaser.com>

Dear Sir,

Sequel to our previous conversation, kindly provide us the invoice of the attached purchase order so we can confirm and make payment.Many thanks

Regards,

Manup T.N.

Golden Crown Trading & General Contracting Co.

P.O. Box 26000, Safat 13120, Kuwait

Attachment
:
Invoice.ppsx
(142 KB)

PRELIMINARY MALWARE ANALYSIS

MALWARE ATTACHEMENT:

File name:
Invoice.ppsx

File size: 142.2 KB ( 145639 bytes )

MD5 hash: 5176d1383a7114039e71bbfccd578f92

Detection ratio: 15 / 56

First submission: 2014-11-26 08:02:49 UTC

VirusTotal link:

2014-11-26-phishing-email-attachment.jpg

DROPPED FILE AFTER RUNNING THE MALWARE:

File name:
putty.exe

File size: 182.9 KB ( 187287 bytes )

MD5 hash: 46c4bd9b2318552fe0812d41e3122170

Detection ratio: 19 / 56

First submission: 2014-11-30 01:10:10 UTC

VirusTotal link:

2014-11-26-phishing-email-dropped-malware.jpg

SCREENSHOTS

When you run the Powerpoint file, it quickly asks for permission to run the dropped malware:

2014-11-26-phishing-malware-image-01.jpg

Shortly after that, the dropped malware stops working:

2014-11-26-phishing-malware-image-02.jpg

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password. If you don't know it, email me at admin@malware-traffic-analysis.net and ask.

Click here to return to the main page.

Sursa: Malware-Traffic-Analysis.net - 2014-11-26 - Sandworm sample

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...