Timeline

Tue Sep 8 09:11:43 CEST 2015

Win3 started

Tue Sep 8 09:13:08 CEST 2015

Open IE

Tue Sep 8 09:15:42 CEST 2015

Access the infected URL

It downloaded the file Details.zip, MD5: f589827c4cf94662544066b80bfda6ab

I click to open the zip file

Tue Sep 8 09:16:16 CEST 2015

Double click the exe file. It seems to fail, because it asks to select a program to open the file. But it actually worked!

231.748|80|302|754|487|49158|565|0|GET|http://singin.loginto.me/050915/dsfihkfisgbdfsdfbsdkfs.php?id=Rand+1106&token1=bW9yaWFiKzk0Ng%3D%3D&token2=cmF2aXZAaHlicmlkc2VjLmNvbQ%3D%3D&C=Click|161|192.161.48.59|10.0.2.103|"text/html; charset=UTF-8"|"-"|"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

232.108|80|200|86441|86137|49158|461|0|GET|http://singin.loginto.me/050915/Details.zip|0|192.161.48.59|10.0.2.103|"application/zip" "-"|"Mozilla/4.0|(compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)"

Thu Sep 10 14:18:59 CEST 2015

power off win3