Fake New Order on Hold serving Formbook Stealer

Our research team has identified a campaign in the wild serving the Formbook stealer. Based on the email content and sender, it appears to target the UK. Below is a screenshot of the email body.

[Screenshot: email body]

  • Email Attachment – Scan 1722020 pdf.zip
  • Hash – e5eb58f54fa93643b576611712afcf27
  • Zipped Exe – Scan 1722020 pdf.exe – Any.Run
  • Hash – 2c30459f114032b16470666e7010e770

Infection Flow

[Screenshot: infection flow]

GET/POST Requests:

  • hxxp://www.pabloms.com/wtm/ – 54.36.201.100
  • hxxp://www.briartekinternal.com/wtm – 192.0.78.25
  • hxxp://www.nwrefacing.com/wtm/ – 50.63.202.47
  • hxxp://www.nacemo.com/wtm/ – 63.250.33.106
  • hxxp://www.dinezonekuwait.com/wtm/ – 216.239.34.21

Gozi ISFB RM3 and Me : A Diamond Model Approach

Readers!
A few weeks back I was invited to present at the Malware and Reverse Engineering conference (MRE), and the topic I chose is my understanding and research of Gozi ISFB over the years, which has been observed globally, with a specific concentration on threat group operations in Australia.
The purpose of my presentation was to understand and learn about Gozi ISFB RM3, which is highly different from what we have seen in other regions. I have seen many analyses and articles on ISFB, but very few provided information about the following:
  • Gozi ISFB footprint
  • Adversaries
  • Capabilities
  • Infrastructure used
  • Target victims
The presentation was less technical and aimed more at providing awareness of how the group operates, how we can protect ourselves against the threat, and whether we can at all. Let's start.

Overall Statistics


Currently there are 38 individual groups (based on the botid they use) across the globe; the table shows the top 3 that are seen in Australia.

Infrastructure



    Infrastructure Overlap with Danabot


The screenshot above shows the config from Danabot used by Affiliate ID 5 (Zeus-like) and from Gozi ISFB RM3. The same inject server, demo[.]maintrump[.]org, is used by both, a strong indication that these adversaries share infrastructure and work together.


Keitaro TDS


Keitaro TDS is a traffic distribution system known to be used by this group for web traffic filtering and distribution based on geo-location, user agent, device info, etc.


BlackTDS


BlackTDS is a multitenant TDS tool that has been advertising its services on underground markets since the end of December 2017. BlackTDS offers a variety of services to its clients that they collectively refer to as a “Cloud TDS.” The operators claim that their Cloud TDS can handle social engineering and redirection to exploit kits (EKs) while preventing detection by bots — namely researchers and sandboxes. BlackTDS also includes access to fresh domains with clean reputations over HTTPS if required – https://www.proofpoint.com/us/threat-insight/post/drive-service-blacktds


Capabilities and Operations



With regard to monetisation of the stolen information, we have seen new methods beyond plain fund transfers to mule accounts. A few known methods are buying Bitcoin, buying products for resale once received, buying gift cards, Cash App transfers, transfers to PayPal, etc.

Mule recruitment Sample email


The screenshot above is a sample job advertisement used to hire mules. Most of the time these mules are not aware that the posters are part of such a group. The mules have usually been looking for jobs for several days to weeks and are known to come from less fortunate demographics, including students and immigrants. My next blog will concentrate on the environment that fuels such activity.


Victims based on Configuration


47 banks on the target config and counting

Sample of Gozi ISFB RM3 configuration

RM3 Loader


When the initial loader (executable) is debugged we can see its version and build. The adversaries call it RM3; the full form is not known yet. Thanks to Vitali Kremez for the analysis.

Stage 2 inject code to send login info



Storing Victim Data




Hypothesized Operating model of the Adversary Group


  • Overlord – the one who looks after the complete operation. Possibly part of organised crime. There is very little evidence of what they do with the money besides living a life of luxury. P.S. the name "overlord" is mine.
  • Operations
    • Coders
      • Senior developers
        • Custom loaders
        • Bot development
        • Writing banking injects
      • Junior developers
        • QA/review
        • Minor updates
    • Botnet managers
      • Hosting providers
      • Traffic distribution system managers
  • Researchers
    • Target research and information gathering: people who either had an account with the targeted financial institution or are disgruntled employees willing to share information about the target
  • Spammers
  • Phishers: responsible for obtaining login details through generic credential phishing; the compromised accounts are then used to host the initial delivery documents or to send out email
  • Recruitment
    • New coders
  • Sellers: either sell data or advertise the service on forums
  • Accounts/Finance
    • Mule operators/recruiters
      • Local
      • Fly-in and fly-out
      • Fraudsters who create fake business accounts
    • Finance managers: either receive money from mules or are responsible for buying other data/tools used in the operation

Final Words


  • Understand our adversaries' motives and intentions and make it hard for them to achieve their objectives.
  • Target what hurts them the most, which is money. If we make it harder for them to get what they want, in the long run they will either stop or move elsewhere.
  • Another one is sharing. We do talk about sharing, create standards, give lots of presentations and attend conferences, and we have been doing this for years. However, do we need more? Are we sharing information that is useful or actionable?
  • More involvement of local authorities, giving them information to help their investigations instead of acting on the information and closing the doors because you did your job.
  • Look at the bigger picture in future rather than a quick win in the present.
  • Emerging technologies seem to assist cyber criminals more than organisations, due to their ease of availability and deployment within criminal infrastructure. Do the vendors of these technologies have any compliance or standards, or is it fine as long as they are getting the money? Do organisations understand and assess these technologies, and have logic to detect them based on their footprint?
  • As the group targets financial organisations, they access information via digital channels. Understand how they are accessing it, baseline good traffic and monitor their digital identities/footprint. A keen eye will see differences that can be used to detect such anomalies.
  • Bulletproof hosting providers and their ability to mask adversarial activity at competitive rates further assist in accomplishing objectives, which are mostly financial gain.
  • Build a mindset around what these actors are doing and what information they have at their disposal; with this we can answer what can happen. In intelligence, we gather information, assess it and find something to act on.
  • A lack of cyber laws within a region, and corruption to a certain extent, also help these criminals carry on without repercussions. Can this change?
  • Organisations concentrate on in-house awareness training, improving security controls and reducing risk by implementing best practices; however, most of the victims are non-employees who are unaware such a threat exists. There should be programmes to make sure these potential victims are well aware of the threat. Think beyond just updating a website with known bads.

Yet another WanaCry Ransomware – Analysis

Recently, organisations have been targeted with new ransomware labelled WanaCry.

Being curious, I downloaded the sample to understand how the malware actually behaves. The tests were performed on a VM connected to the internet and on one NOT connected to the internet. In both tests the machine was successfully infected.

Sample analysed : 84c82835a5d21bbcf75a61706d8ab549

As seen in the screenshot the executable is “Wana Decryptor 2.0”.

Following screenshot shows the process tree.

[Screenshot: process tree]

In the screenshot above, the malware spawns taskhsvc.exe, a renamed copy of tor.exe that carries the Tor data and the C2 server addresses:

  • 57g7spgrzlojinas.onion
  • gx7ekbenv2riucmf.onion

I looked at the memory dump of @WanaDecryptor@.exe and identified the same domains plus additional .onion sites:

  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Using .onion services for C2 is a resilience technique: there is no registrar or hosting provider to take the address down, and the traffic blends into Tor.

The sample, in my opinion, is a packer/installer that unpacks the files shown in the screenshot below and also creates @WanaDecryptor@.exe, which runs continuously as a process. It is worth noting that the folders “msg” and “TaskData” were only created when the infected VM had an internet connection. I will explain each file in a later section.

Below are the MD5s of the files in the “TaskData” folder (note that taskhsvc.exe and tor.exe hash identically):

MD5 (./TaskData/Tor/libeay32.dll) = 6ed47014c3bb259874d673fb3eaedc85
MD5 (./TaskData/Tor/libevent-2-0-5.dll) = 90f50a285efa5dd9c7fddce786bdef25
MD5 (./TaskData/Tor/libevent_core-2-0-5.dll) = e5df3824f2fcad0c75fd601fcf37ee70
MD5 (./TaskData/Tor/libevent_extra-2-0-5.dll) = 6d6602388ab232ca9e8633462e683739
MD5 (./TaskData/Tor/libgcc_s_sjlj-1.dll) = 73d4823075762ee2837950726baa2af9
MD5 (./TaskData/Tor/libssp-0.dll) = 78581e243e2b41b17452da8d0b5b2a48
MD5 (./TaskData/Tor/ssleay32.dll) = a12c2040f6fddd34e7acb42f18dd6bdc
MD5 (./TaskData/Tor/taskhsvc.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/tor.exe) = fe7eb54691ad6e6af77f8a9a0b6de26d
MD5 (./TaskData/Tor/zlib1.dll) = fb072e9f69afdb57179f59b512f828a4

The folder “msg” contains the language packs for the ransom note (one .wnry file per language). The .wnry extension is used for the malware's own data files; encrypted victim files receive the .WNCRY extension instead.

Below are the files that were created:

  1. @Please_Read_Me@ – ransom note
  2. @WanaDecryptor@.exe – the decryptor GUI, kept running as a process
  3. c.wnry – configuration: the .onion addresses and the Tor Browser download link
  4. f.wnry – list of (randomly chosen) encrypted files
  5. u.wnry – a copy of the @WanaDecryptor@.exe decrypter
  6. b.wnry – bitmap with the decryption details (desktop wallpaper)
  7. r.wnry – more information about decryption and instructions for the decryption tool
  8. s.wnry – zip archive of Tor
  9. t.wnry – encrypted DLL holding the file-encryption routine
  10. 00000000.eky – the infected machine's RSA private key, stored encrypted
  11. 00000000.pky – the infected machine's RSA-2048 public key
  12. 00000000.res – data for C2 communication
  13. taskdl.exe – file deletion tool
  14. taskse.exe – enumerates RDP sessions and launches the malware in each of them; the Tor process runs underneath
  15. msg – language packs. See screenshot below.
  16. TaskData – the Tor executable and its DLLs. See screenshot below.

When the malware was executed it queried the following domains:

– tor.relay.wardsback.org
– tor.ybti.net
– javadl-esd-secure.oracle.com
– belegost.csail.mit.edu
– tor1.mdfnet.se
– zebra620.server4you.de
– maatuska.471.se

The system also communicated with 212.47.241.21, which resolves to sa1.sblo.ch. I ran the malware again and this time it went to different domains:

– tor.dizum.com
– tor1e1.digitale-gessellschaft.ch
– lon.anondroid.com

This is consistent with the malware using Tor: the names above are Tor relays and directory servers, and the Tor binary ships with the directory authority addresses hard-coded. Here you can find all the directory servers used by Tor.

Extensions that get encrypted:

[Screenshot: list of targeted file extensions]

Extract from PE Explorer:

[Screenshot: PE Explorer output]

An extract from Sysmon can be found in the sysmon logs.

WannaCry Fact Sheet – Here.

Kill-chain Phases – Here.

Final Words :

  1. The malware was not delivered via phishing but via the EternalBlue exploit, a non-traditional way of infecting systems.
  2. No obfuscation was applied: when you open the executable you can see its functions.
  3. An exploit such as EternalBlue means access to vulnerable systems is possible without any user interaction. The only reason this was detected is that the attacker used EternalBlue for financial gain via ransomware; others could just as quietly gain access and perform other tasks. The motive, based on the evidence, is financial gain.
  4. Patching would definitely have helped, but we must understand that the exploit was only used after the Shadow Brokers dump. The group's intention may have been to expose the NSA and its tools, but the exploit was then used for financial gain. So even if the intention to expose the NSA was good, it did more damage.
  5. A number of articles say that the creators of the malware made mistakes and only earned 55K. However, that figure is only the ransom paid; one must also consider the overall impact of the attack. We cannot quantify the time spent patching systems, re-imaging infected systems and people being out of production globally, but it is not small. Some analysis suggests the attackers were not sophisticated, but it worked.
  6. Would host-based security controls have helped? Controls such as application whitelisting, no admin rights for logged-in users and the use of AppLocker on Windows may have reduced the impact. However, how feasible is it to apply these across a corporate environment?


Hash Values – A Trivial Artefact

Readers!

Merry Christmas and Happy new year to all. The days of holiday spam and vendor predictions are here.

Here I am spending a summer afternoon watching TV and writing on my blog. As I am a bit lazy during the holidays I am posting something simple. The post is about hash values and how trivial they are in identifying malicious files/programs.

You can read about Hash here.

Hash values are important first of all to verify files. Think of a hash as a signature or fingerprint: just as living beings have fingerprints we can recognise them by, files have a digital fingerprint we can identify them by.

Take HashCalc as an example. The following screenshot shows the different hash values of HashCalc.exe.

[Screenshot: HashCalc output for HashCalc.exe]

As you can see, HashCalc provides a lot of information (the digital fingerprint) about itself. In security, hashes are normally used to verify a file, as mentioned earlier. Let's look briefly at the commonly used hash values:

  • MD5 – Message Digest algorithm 5. Produces a 128-bit digest, normally represented as 32 hexadecimal digits. Practical collision attacks exist, so it must not be relied on where an attacker could craft two files with the same hash; it is still fine for looking up a known sample. Read further here.
  • SHA-1 – Secure Hash Algorithm 1. Produces a 160-bit digest, represented as 40 hexadecimal digits. Also vulnerable to collision attacks and deprecated in favour of SHA-2 and SHA-3, although it is still widely reported alongside MD5. Read further here.
  • SHA-256 – a member of the SHA-2 family, which covers six digest sizes: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256. SHA-256 produces a 256-bit digest, represented as 64 hexadecimal digits, and is the one to prefer when sharing indicators. Read further here.

Now, why this blog entry? The information is available on Google and Wikipedia. The reason is that hash values are a simple but important artefact in threat intelligence and cyber security. Lots of OSINT and vendor intelligence feeds share hash values of known malware droppers: an executable, an MS Office document, an Adobe PDF, an image file, etc.

Following are few scenarios where Hash values can assist :

  • Hash values help identify whether the file/program we have is the legitimate one or not.
  • Malware analysis blogs will almost always provide the hash of the identified file/program.
  • Endpoint solutions use hash values to detect known malicious files/programs.
  • During incident response, hash values can be used in YARA rules to detect malicious files/programs.
  • Organisations can keep a list of hash values of known-good, authorised programs and use it to identify unwanted programs on a system, either via the endpoint for real-time detection and/or during incident response. Baselining is a complicated process and sometimes not feasible in large organisations.

NIST provides a list of known-good hash values of legitimate programs (the NSRL) that one can use to separate good from bad. Read here.

Hash values are just another indicator, but one that gives very targeted detection of malicious files/programs. IP addresses and URLs are dynamic, not 100% reliable and carry a lower confidence level as threat indicators, which is why hash values are considered an important artefact in the security world. The flip side is that a hash only matches an identical file: a repacked or slightly modified sample produces a completely different hash, so hashes are high-confidence but short-lived indicators.
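As an added example (not code from the post), the following Python computes the three digests discussed above for a byte string or a file and classifies the result against a known-bad and a known-good hash set. The known-bad MD5s are the two quoted elsewhere on this page (the Formbook executable and the WannaCry sample); the known-good set is an assumption left empty for you to fill from an NSRL-style list; the sample bytes are constructed for the demo.

```python
"""Added example, not the post's own code: compute MD5/SHA-1/SHA-256 and
classify a file against known-bad / known-good hash sets."""
import hashlib

ALGOS = ("md5", "sha1", "sha256")

# Known-bad MD5s taken from other posts on this page (Formbook exe, WannaCry).
KNOWN_BAD_MD5 = {
    "2c30459f114032b16470666e7010e770",
    "84c82835a5d21bbcf75a61706d8ab549",
}

# Known-good SHA-256s: assumption, populate from an NSRL-style list of your
# authorised binaries. Left empty here.
KNOWN_GOOD_SHA256: set = set()


def digests(data: bytes) -> dict:
    """All three digests of an in-memory byte string, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digests() but streams the file so large samples fit in memory."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def classify(d: dict, known_good=KNOWN_GOOD_SHA256, known_bad=KNOWN_BAD_MD5) -> str:
    """Known-bad wins over known-good: a blocklisted MD5 is reported even if the
    SHA-256 is on the allowlist, so an allowlist mistake cannot hide malware."""
    if d["md5"].lower() in known_bad:
        return "known-bad"
    if d["sha256"].lower() in known_good:
        return "known-good"
    return "unknown"


def hex_digits_differing(h1: str, h2: str) -> int:
    """How many hex positions differ between two digests of equal length."""
    return sum(a != b for a, b in zip(h1, h2))


if __name__ == "__main__":
    sample = b"MZ constructed sample, not a real binary"      # constructed input
    d = digests(sample)
    print(d, classify(d))
    # Changing a single byte (what repacking does in the extreme) rewrites the
    # whole digest, which is why a hash only ever matches one exact file.
    d2 = digests(sample[:-1] + b"!")
    print("sha256 hex digits changed by a one-byte edit:",
          hex_digits_differing(d["sha256"], d2["sha256"]), "of 64")
```

Run it against a real sample with file_digests(path) and compare the MD5 with what the vendor blog or VirusTotal reports; the one-byte experiment at the end is the caveat from the paragraph above made visible.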

Happy Holidays!


Evoltin POS Malware – Kill Chain Mind Map

Readers!!!

It's been quite a while since I updated my blog, as I have been spending some quality time off work with family.

Recently, was honoured to attend SANS FOR578 Cyber Threat Intelligence course taught by Robert M. Lee and it was excellent. I will be writing a separate blog post reviewing the course later.

Working in a customer-facing environment, I have realised how important data visualisation is. When presenting findings to C-level executives, tables, charts and graphics in the report make it easier to grasp the analyst's (or report writer's) point of view. We can visualise findings about organisational risks, threats, incidents and many other departmental attributes in different ways.

For me, the best visualisation is mind maps, and I have used them to represent processes, procedures, incidents, etc. I also use mind maps when investigating incidents during IR, forensics and/or threat hunting. They help me track investigation steps and findings. If the incident continues into the next business day, the mind map helps me pick up where I left off and trace back my steps, rather than looking at spreadsheets, other textual representations or a case management system.

During the course there was a strong emphasis on making sure investigation or intelligence findings are presented in a way that all levels of audience can understand. That is when I thought of creating a mind map of a malware sample and its behaviour, represented on the Kill Chain phases.

[Mind map: Evoltin POS (aka NitlovePOS) malware on the Kill Chain phases]

The mind map above shows the Kill Chain phases for the Evoltin POS malware and the indicators identified during analysis, each associated with the phase it belongs to. Rather than presenting them in a table or chart, I believe the mind map view is much easier to grasp and better presented.

I will be creating more mind maps and uploading them to my GitHub account. I normally push IOCs to AlienVault OTX, Blueliv, GitHub and ThreatConnect, but now I will also create a similar Kill Chain mind map for every investigation I do.

Happy Mind Mapping!!!!!

YARA rule for Dridex

I have been learning YARA for a few days, and below is my first YARA rule, for the IOCs collected while analysing a Word document. The analysis concluded with the presence of Dridex malware.

rule dridex : dridex
{
    meta:
        description = "Dridex Malware Indicators"
        author = "Kunal Makwana"
        date = "2016/04/03"
        threat_level = 4
        in_the_wild = true

    strings:
        $domain = "g-t-c-co.uk" nocase
        $ip = "185.11.240.14" wide ascii
        $mail = "ali73_2008027@yahoo.co.uk" wide ascii

    condition:
        any of them
}
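To make the modifiers in the rule concrete, here is an added Python example (not part of the post) that emulates what YARA's ascii, wide and nocase modifiers match and applies that to the three strings above. It shows two things the rule as written will miss: $domain has nocase but no wide, so a UTF-16LE copy of the domain (as found in a PE's resources) does not hit, and $mail has wide ascii but no nocase, so an upper-cased address does not hit either. The sample buffers are constructed for the demo.

```python
"""Added example, not part of the post: emulate what YARA's `ascii`, `wide`
and `nocase` modifiers match, applied to the strings of the Dridex rule.
Sample buffers are constructed for the demo."""
import re


def _pattern(text: str, wide: bool, nocase: bool) -> bytes:
    """Regex for one YARA string: `wide` means UTF-16LE (each char followed
    by a NUL byte); `nocase` makes letters match either case."""
    parts = []
    for ch in text:
        if nocase and ch.isalpha():
            parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]")
        else:
            parts.append(re.escape(ch.encode("latin-1")))
        if wide:
            parts.append(b"\x00")
    return b"".join(parts)


def yara_find(buf: bytes, text: str, ascii_=False, wide=False, nocase=False) -> list:
    """Offsets where `text` occurs in `buf` under the given modifiers.
    As in YARA, a string without `wide` is matched as ascii, `wide` alone
    matches only UTF-16LE, and `wide ascii` matches both encodings."""
    patterns = []
    if ascii_ or not wide:
        patterns.append(_pattern(text, wide=False, nocase=nocase))
    if wide:
        patterns.append(_pattern(text, wide=True, nocase=nocase))
    hits = []
    for pat in patterns:
        hits.extend(m.start() for m in re.finditer(pat, buf))
    return sorted(hits)


# The three strings from the Dridex rule with their modifiers.
DRIDEX_STRINGS = {
    "$domain": ("g-t-c-co.uk", dict(nocase=True)),
    "$ip": ("185.11.240.14", dict(ascii_=True, wide=True)),
    "$mail": ("ali73_2008027@yahoo.co.uk", dict(ascii_=True, wide=True)),
}


def dridex_hits(buf: bytes) -> dict:
    """Per-string match offsets, like YARA's -s output."""
    return {name: yara_find(buf, text, **mods)
            for name, (text, mods) in DRIDEX_STRINGS.items()}


def dridex_matches(buf: bytes) -> bool:
    """condition: any of them"""
    return any(dridex_hits(buf).values())


if __name__ == "__main__":
    # Constructed buffers: an HTTP request, UTF-16LE strings as they would
    # appear in a PE resource, and an upper-cased address.
    samples = {
        "http request": b"GET /wtm/ HTTP/1.1\r\nHost: G-T-C-CO.UK\r\n\r\n",
        "utf16 ip": "185.11.240.14".encode("utf-16-le"),
        "utf16 domain": "g-t-c-co.uk".encode("utf-16-le"),   # $domain has no `wide`
        "upper mail": b"ALI73_2008027@YAHOO.CO.UK",            # $mail has no `nocase`
    }
    for label, buf in samples.items():
        print(f"{label:14} matches={dridex_matches(buf)} {dridex_hits(buf)}")
```

If you want the rule to cover the UTF-16 and mixed-case cases, add wide to $domain and nocase to $mail; the emulation above will then report all four constructed buffers as matches.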

Will be writing more as days go by.

Happy Malware Analysis!!!!!

A javascript file – Invoice from UK

It's been quite a while since I was able to analyse my spam emails. Recently, I received an email with a zip attachment claiming to be an invoice. Screenshot of the email below.

[Screenshot: email]

Email Analysis :

  • Sender: Woodard.52@sunshine-yorkshire.co.uk
  • IP extracted from the header: 130.204.206.58 – 602ad0ccae26.softphone.blizoo.bg – Bulgaria
  • The sender does not know my name and addressed me by my email id, which suggests a phishing tool sending bulk emails.
  • No mention of the organisation Mr Royce is representing; likely Sunshine Care, but it is not in the signature. Sunshine Care provides health and social care services in the UK.

Attachment:

  • Zip file named with my email id: myemailid_addition_028146
  • Contains one JavaScript file: addition-7866.js

Javascript analysis:

  • The JavaScript seems incomplete and its functions are not properly defined
  • The only executable statement is an eval: eval(aZRcdUoP1.split('').reverse().join(''));
  • aZRcdUoP1 is the only defined variable, and its definition is commented out
  • The function aZRcdUoP1.split is therefore never defined

There are no other HTML files in the attachment that reference the script. I uploaded the file to VirusTotal and the results were interesting: 22 vendors flagged it as malicious – https://www.virustotal.com/en/file/b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e/analysis/1466653302/

The file was also analysed with jsdetox and jsunpack and nothing was detected. It is likely that the same file was analysed previously on VirusTotal and the vendor detections are based on links or IOCs found then. Below are the file details:

  • MD5: ee427a22d3a6e25251bbfb7bc3823140
  • SHA1: d675fddd4e85400a8f712792f6711dbf0e003c34
  • SHA256: b35cf64a33c965b36e4de6d7a6e1a6bb088d8070e202326c941700c6dfd8800e

The JS could not execute because, by default, Windows Script Host can only execute scripts of up to 1022 characters. You can change this, but the solution is beyond this article.

Final words:

The email address and language are quite good, but the malware/JS is quite old and not properly scripted. The attachment is a zip containing only one .js file, and the malware is widely known.

Security Controls:

  • Endpoint protection – normally all corporate organisations have it.
  • Changing file associations – if for some reason the endpoint protection is not updated or not available, a good way to make sure foreign script files do not execute is to change their default application: for example, .js files can be opened in Notepad instead of Windows Script Host (the handler lives under HKEY_CLASSES_ROOT\JSFile\shell\open\command, and the same applies to .jse, .vbs, .vbe and .wsf), pushed out via Group Policy. Any malicious JavaScript that makes it onto the system then opens as a text file, which will not infect the system and alerts the user to a file that should not be there. Note that this only covers the double-click case; a script launched explicitly through wscript.exe or cscript.exe still runs.
  • Email gateway tuning – the gateway must be properly tuned to classify these types of emails as spam; most properly tuned gateways will do so. The email address/IP above can be added to security devices.

Dridex malware dropper -New doc 115.doc

On a pleasant morning I received an email with a .doc attachment. The email had no text or message; the subject was the name of the attachment, ‘New Doc 115’. It was my curious mind (the place where the cat inevitably gets killed) that decided to analyse it. The email had actually been identified as spam, likely because of the sender or maybe the attachment. But why?

OLE documents with malicious macros are not new, and this method is widely used to compromise a host. Once the .doc file is opened the embedded macros execute (the security options always prompt the user to enable macros first). The following email is an example of such a social engineering attempt on my mailbox. The analysis was conducted to identify indicators of compromise and the motive of the document/macros.

Spam email

[Screenshot: email]

Email Header Extract:

Looking at the email header we can see the sender is ali73_2008027@yahoo.co.uk with address 122.52.162.226.

Attachment : New Doc 115.doc

[Screenshot: Word macro security warning]

The document has multiple macros. MS Word identifies them and shows a security warning. Once macros are enabled, the document drops malware and infects the host.

Below are the details of the doc file:

Filename: New Doc 115.doc
Size: 69632 bytes (68 KB)
Type: Composite Document File V2 Document, Little Endian, OS: Windows, Version 6.2, Code page: 1251 (Windows Cyrillic)
Author: 1, Template: Normal, Last Saved By: 1, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Feb 10 08:02:00 2016, Last Saved Time/Date: Wed Feb 10 08:02:00 2016
Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Security: 0
MD5: 98803eca69d946c5060316959f5d6eec
SHA1: 41772ad8a7e7aec1b72286bf0b02c67a1a1baeb2
SHA256: 421dd4156a7fa04da8c8eb9f3322b653d70cdb63bd1acb90b064202a2af2b5f2
SHA512: cd048439a1839bb8d82922684771ca20a01238185b493eedd82380f14ab0afbf210c4caf4c8dbcfb0146b47becfe72dbe5153e44d08dfd3723e0dda766b16a42
External site analysis: VirusTotal link


Static Malware Analysis

This section shows static analysis using OfficeMalScanner and oledump.

OfficeMalScanner was used to extract the malicious macros.

[Screenshot: OfficeMalScanner output]
Using OfficeMalScanner's info mode, the macros can be extracted.

  1. The extracted macros can be viewed in a text editor and give some idea of what they are written to do.
  2. The function names within the macros are in Spanish. Further information was obtained with oledump, as shown in the following screenshots; macros are stored as streams inside the Word document.
  3. oledump.py can be used to list the streams and dump the one you need, as shown in the screenshots.

[Screenshot: oledump stream listing] oledump.py "pathtofile/New doc 115.doc"

[Screenshot: embedded object] oledump.py -s 7 "pathtofile/New doc 115.doc" – stream 7 is the embedded object

[Screenshot: SamboF macro]
Stream 14 – interesting macro named ‘SamboF’
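Macro source is not stored as plain text in those streams: each module stream holds the code in the MS-OVBA compressed container format, and oledump.py -v decompresses it before it can show you the macro. The following Python is an added example (not the post's own code) implementing that decompression, plus a literal-only encoder so you can build inputs for it; both sample containers are constructed by hand and do not come from the analysed document.

```python
"""Added example, not the post's code: decompress a VBA module stream
(MS-OVBA 2.4.1 "Compression Algorithm"), the step oledump.py -v performs
before it can show macro source. Sample inputs are constructed for the demo."""
import struct


def decompress_vba(container: bytes) -> bytes:
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # size field excludes 3 bytes
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        is_compressed = (header >> 15) & 1
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                      # copy offsets are chunk-relative
        if not is_compressed:                       # raw chunk: 4096 bytes verbatim
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):                    # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # 1 = copy token; how its 16 bits split between offset and
                # length depends on how much of this chunk is already decoded
                decoded = len(out) - chunk_start
                bit_count = max((decoded - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # byte-wise: copies may overlap
                    out.append(out[src + i])
    return bytes(out)


def compress_literal_only(data: bytes) -> bytes:
    """Valid container that uses only literal tokens (no back-references).
    Good for building test inputs; real streams also use copy tokens."""
    container = bytearray(b"\x01")
    for start in range(0, len(data), 4096):
        chunk = data[start:start + 4096]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                       # flag byte: 8 literal tokens
            body += chunk[i:i + 8]
        if len(body) + 2 > 4098:
            raise ValueError("chunk too large for literal-only encoding")
        container += struct.pack("<H", 0xB000 | (len(body) + 2 - 3)) + body
    return bytes(container)


# Hand-built container: literals "ABCD", then one copy token (offset 4, length 4).
SAMPLE_WITH_COPY_TOKEN = b"\x01" + bytes([0x06, 0xB0, 0x10]) + b"ABCD" + bytes([0x01, 0x30])

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_WITH_COPY_TOKEN))
    src = b'Attribute VB_Name = "SamboF"\r\nSub SamboF()\r\nEnd Sub\r\n'
    print(decompress_vba(compress_literal_only(src)) == src)
```

In a real module stream the compressed container starts at the module's text offset recorded in the dir stream, not at byte 0, which is the other piece of bookkeeping oledump handles for you.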

Main variable declarations with translation:

  1. CIF as String – CIF is the Spanish company tax identification number
  2. Fecha as Date – Date as Date
  3. CuentaPropia2 as String – OwnAccount2 as String
  4. cadSQL as String – SQL string (cadena = string)
  5. ConceptoTr as String – transfer reference/description as String
  6. Tipo as Byte – Type as Byte
  7. SufijoOEM as String – OEM suffix as String

These names suggest the code handles, or was lifted from code that handles, bank-transfer records (own account, date, transfer reference, an SQL query string); the macro is likely looking for specific attributes in a SQL database or in documents holding financial records.

Dynamic Malware Analysis

  1. Macros were enabled to see how the system behaves and what changes to the registry or processes are made.
  2. With Windows Defender enabled, the following signatures triggered when the document was downloaded. [Screenshot: anti-virus detection]
  3. The macros were then run on a Windows VM with no anti-virus or anti-malware. On enabling macros, a file label8.exe is created under the user's Temp directory. [Screenshot: label8.exe process]
  4. Process Explorer with VirusTotal integration was used to identify changes to the system and processes, which can be checked against VirusTotal in real time; no new process was identified besides label8.exe.
  5. PE Explorer and OllyDbg give an error when the file is opened, saying it is not an EXE.

Opening the file in Notepad shows an HTML response instead of a PE, as shown below:

[Screenshot: HTML response body]

6. System performance was drastically affected: CPU usage went to 100%, as shown in the screenshot below. Ending the exe process brought CPU usage back to normal.

[Screenshot: CPU usage]

7. The interface was being sniffed by an IPS with the Emerging Threats ruleset, which triggered the following signature:

[Screenshot: IPS signatures] Signature "ET CURRENT_EVENTS Dridex AlphaNum DL Feb 10 2016" triggered. Interface shown: Snorby on Security Onion.

From the tri­ggered signature we can say the communication was related to Dridex malware. The malware is designed to steal banking credentials and other personal information, such as the user's financial records. The following payload shows the host being contacted: g-t-c.co.uk.

[Screenshot: Dridex payload]

Indicators associated with the malware:

  1. 11.240.14 – g-t-c-co.uk
  2. ali73_2008027@yahoo.co.uk
  3. 122.52.162.226 – 122.52.162.226.pldt.net, Philippines

From the analysis we can say that users are still being targeted with specific malware such as Dridex, used to steal banking credentials for financial gain. The macros were flagged as suspicious by Windows Defender and VirusTotal, so the method used to deliver the malware is known. Also, the email was actually identified as spam because the sender's address was at yahoo.co.uk.

Understand that the exposure of a user is high, and so is the risk. Besides relying on anti-virus or the spam gateway, we must make sure users are aware of these techniques and educated about spam and phishing.

NDISPlan phishing/malware email

Following my previous blog entry about emails, I have analysed an email received from *@ndis.gov.au.

From the email it seems that you have received a plan for Shelby. A question to ask: who is Shelby?

File name – Shelby-MyNDISPlan.zip – I checked online and identified that this is indeed a spam email: myonlinesecurity.co.uk/ndisplan-fake-pdf-malware

Extracted file – Shelby- MyNDISPlan.scr – yes, the plan is a screensaver 🙂

Exiftool results :

ExifTool Version Number : 10.00
File Name : Shelby- MyNDISPlan.scr
Directory : .
File Size : 40 kB
File Modification Date/Time : 2015:09:22 15:46:02+10:00
File Access Date/Time : 2015:09:23 16:01:49+10:00
File Inode Change Date/Time : 2015:09:23 15:59:42+10:00
File Permissions : rw——-
File Type : Win32 EXE
File Type Extension : exe
MIME Type : application/octet-stream
Machine Type : Intel 386 or later, and compatibles
Time Stamp : 2015:03:30 09:35:32+11:00
PE Type : PE32
Linker Version : 7.10
Code Size : 11264
Initialized Data Size : 29184
Uninitialized Data Size : 0
Entry Point : 0x18ee
OS Version : 4.0
Image Version : 0.0
Subsystem Version : 4.0
Subsystem : Windows GUI
File Version Number : 1.0.146.0
Product Version Number : 1.0.146.0
File Flags Mask : 0x0000
File Flags : (none)
File OS : Win32
Object File Type : Executable application
File Subtype : 0
Language Code : Spanish (Castilian)
Character Set : Unknown (90A0)
Company Name : MonlinA Corporation
File Description : MonlinA launch tools
File Version : 7.00.146
Internal Name : monlin.EXE
Legal Copyright : ©MonlinA Corporation. All rights reserved.
Original File Name : monlin.EXE
Product Name : MonlinA® launch tools
Product Version : 1.00.146
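Most of what exiftool printed above comes straight from the PE headers. As an added example (not from the post), the Python below reads those fields (machine, COFF timestamp, linker version, entry point, OS/subsystem versions, subsystem) from a PE image, and includes a builder for a minimal synthetic PE so the parser can be exercised offline; the constructed sample reuses the values exiftool reported for the .scr (timestamp 2015-03-29 22:35:32 UTC, linker 7.10, entry point 0x18ee, GUI subsystem), nothing else about it is real. The COFF timestamp is writer-controlled and trivially forged, so treat it as a hint, not evidence.

```python
"""Added example, not the post's code: read the PE header fields that
exiftool reports (machine, timestamp, linker, entry point, subsystem)."""
import datetime
import struct

MACHINE = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "x64",
           0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows CUI",
             9: "Windows CE GUI", 10: "EFI application"}


def parse_pe_summary(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, _chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, maj_linker, min_linker, size_code, size_idata, size_udata, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    # Version fields sit at the same offsets for PE32 and PE32+: the 4 extra
    # ImageBase bytes in PE32+ are balanced by the missing BaseOfData field.
    maj_os, min_os, maj_img, min_img, maj_sub, min_sub = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINE.get(machine, hex(machine)),
        "sections": nsections,
        "time_stamp": datetime.datetime.fromtimestamp(
            timestamp, datetime.timezone.utc).isoformat(),
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker_version": f"{maj_linker}.{min_linker}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "entry_point": hex(entry),
        "os_version": f"{maj_os}.{min_os}",
        "image_version": f"{maj_img}.{min_img}",
        "subsystem_version": f"{maj_sub}.{min_sub}",
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
    }


def build_minimal_pe(timestamp=0, linker=(7, 10), entry=0x18EE, subsystem=2,
                     code_size=11264, idata_size=29184, machine=0x14C) -> bytes:
    """Constructed, non-runnable PE header (no sections) to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew: PE header follows
    coff = struct.pack("<HHIIIHH", machine, 0, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                      # PE32 optional header size
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, linker[0], linker[1],
                     code_size, idata_size, 0, entry)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)  # OS 4.0, image 0.0, subsys 4.0
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = build_minimal_pe(timestamp=1427668532)          # 2015-03-29 22:35:32 UTC
    for key, value in parse_pe_summary(sample).items():
        print(f"{key:24} {value}")
```

To run it on a real sample, pass open(path, "rb").read() to parse_pe_summary and compare the output with exiftool's; the two fields worth cross-checking are the timestamp against the version resource's file dates and the subsystem against what the file claims to be (a "screensaver" is a GUI PE like any other).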

This is indeed suspicious: a .scr file is just a Win32 executable with a different extension, and the version resource identifies this one as monlin.EXE from "MonlinA Corporation".

Dynamic analysis showed no communication to any external hosts or IP addresses.

Likely the file changes values within the registry or a process in relation to a screensaver. I will also try to run the EXE and see the changes.

Sandbox > https://tria.ge/220423-q1jjmsggfk/behavioral1

Identified as Upatre – https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre