NDISPlan phishing/malware email

Following on from my previous blog entry about emails, I have analysed an email that was received from *@ndis.gov.au.

From the email it seems that you have received a copy of Shelby's plan. The question to ask is: who is Shelby?

File name: Shelby-MyNDISPlan.zip. I checked online and identified that this is indeed a spam email: myonlinesecurity.co.uk/ndisplan-fake-pdf-malware

Extracted file: Shelby- MyNDISPlan.scr. Yes, the "plan" is a screensaver 🙂 (an .scr file is an ordinary Windows executable under another extension, as the File Type field below confirms).

ExifTool results:

ExifTool Version Number : 10.00
File Name : Shelby- MyNDISPlan.scr
Directory : .
File Size : 40 kB
File Modification Date/Time : 2015:09:22 15:46:02+10:00
File Access Date/Time : 2015:09:23 16:01:49+10:00
File Inode Change Date/Time : 2015:09:23 15:59:42+10:00
File Permissions : rw-------
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2015:03:30 09:35:32+11:00
PE Type : PE32
Linker Version : 7.10
Code Size : 11264
Initialized Data Size : 29184
Uninitialized Data Size : 0
Entry Point : 0x18ee
OS Version : 4.0
Image Version : 0.0
Subsystem Version : 4.0
Subsystem : Windows GUI
File Version Number :
Product Version Number :
File Flags Mask : 0x0000
File Flags : (none)
File OS : Win32
Object File Type : Executable application
File Subtype : 0
Language Code : Spanish (Castilian)
Character Set : Unknown (90A0)
Company Name : MonlinA Corporation
File Description : MonlinA launch tools
File Version : 7.00.146
Internal Name : monlin.EXE
Legal Copyright : ©MonlinA Corporation. All rights reserved.
Original File Name : monlin.EXE
Product Name : MonlinA® launch tools
Product Version : 1.00.146

This is indeed suspicious, as the SCR file has an EXE embedded, monlin.exe (see the Internal Name and Original File Name fields, which do not match the name the file was delivered under).
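As an added example (not code from the original post), here is a small Python triage script that parses ExifTool's "Key : Value" output and flags the kinds of inconsistencies visible above: a PE executable delivered with a disguising extension such as .scr, an Original File Name that differs from the delivered name, disagreeing File/Product Version strings, an empty numeric version, and a resource language that does not match what the recipient would expect. The sample input is a subset of the ExifTool output from this post; the expected-language check is an assumption of this example, not something ExifTool reports.

```python
"""Triage helper for ExifTool output of a suspicious email attachment.

Added example, not part of the original post. Parses ExifTool's
"Key : Value" text and returns a list of human-readable indicators.
"""
import os
from typing import Dict, List, Sequence

# Sample input: a subset of the ExifTool output shown in the post.
SAMPLE_EXIFTOOL_OUTPUT = """\
File Name : Shelby- MyNDISPlan.scr
File Size : 40 kB
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Subsystem : Windows GUI
File Version Number :
Product Version Number :
Language Code : Spanish (Castilian)
Company Name : MonlinA Corporation
File Description : MonlinA launch tools
File Version : 7.00.146
Internal Name : monlin.EXE
Original File Name : monlin.EXE
Product Name : MonlinA launch tools
Product Version : 1.00.146
"""

# Extensions Windows runs as PE executables although users rarely expect it.
EXECUTABLE_DISGUISE_EXTENSIONS = {".scr", ".pif", ".com", ".cpl"}


def parse_exiftool(text: str) -> Dict[str, str]:
    """Parse 'Key : Value' lines into a dict. Empty values are kept as ''.

    Only the first colon separates key from value, so timestamps such as
    '2015:09:22 15:46:02+10:00' survive intact.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def find_indicators(fields: Dict[str, str],
                    expected_languages: Sequence[str] = ("English",)) -> List[str]:
    """Return a list of suspicious indicators derived from the parsed fields.

    expected_languages is an assumption of this example: the languages the
    recipient would expect in a legitimate binary's version resource.
    """
    findings: List[str] = []
    name = fields.get("File Name", "")
    ext = os.path.splitext(name)[1].lower()
    file_type = fields.get("File Type", "")

    # 1. A PE binary shipped under an extension that hides the fact it runs.
    if file_type.startswith("Win32 EXE") and ext in EXECUTABLE_DISGUISE_EXTENSIONS:
        findings.append(f"PE executable delivered with disguised extension '{ext}'")

    # 2. Version resource names a different binary than the delivered file.
    original = fields.get("Original File Name", "")
    if original and original.lower() != name.lower():
        findings.append(f"Original File Name '{original}' does not match delivered name '{name}'")

    # 3. Inconsistent version strings suggest a copied or forged resource.
    file_version = fields.get("File Version", "")
    product_version = fields.get("Product Version", "")
    if file_version and product_version and file_version != product_version:
        findings.append(f"File Version '{file_version}' disagrees with Product Version '{product_version}'")

    # 4. Numeric version fields left empty.
    if fields.get("File Version Number", "") == "":
        findings.append("numeric File Version Number is empty")

    # 5. Resource language outside what the recipient would expect.
    language = fields.get("Language Code", "")
    if language and not any(language.startswith(lang) for lang in expected_languages):
        findings.append(f"unexpected resource language '{language}'")

    return findings


def triage(text: str) -> List[str]:
    """Convenience wrapper: parse ExifTool text and return its indicators."""
    return find_indicators(parse_exiftool(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXIFTOOL_OUTPUT):
        print("-", finding)
```

Run it against `exiftool <file>` output captured to a text file; five indicators are reported for the sample above. None of these checks proves maliciousness on its own, but together with the double-extension naming and the sandbox verdict they make a quick first-pass signal before spending time on dynamic analysis.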

Dynamic analysis showed no communication to any external hosts or IP addresses.

The file likely changes registry values or a process related to the screensaver. I will also try running the EXE and observing the changes.

Sandbox report: https://tria.ge/220423-q1jjmsggfk/behavioral1

Identified as Upatre: https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre
