Mr Jones wants you to appear in court!

Published: 2013-12-24
Last Updated: 2013-12-24 00:54:04 UTC
by Daniel Wesemann (Version: 1)
4 comment(s)

Wondering what the Costco / Walmart malware (yesterday's diary) was up to, we ran it in a lab environment. It happily connected to its Command&Control (C&C), and soon after started spamming the next round of bait. The upcoming scam email apparently looks like this:

and it comes complete with an EXE, named something like "Court_Notice_Jones_Day_Washington.exe", current MD5 84fae8803a2fcba2d5f868644cb55dd6 (Virustotal)

The C&C of the original Costco sample was at and A supplemental binary was pulled from If you have additional information on this scam or yesterday's Costco/Walmart version, please share in the comments below. Thanks to Francis Trudeau of Emerging Threats for help with the analysis and gathering the C&C traffic.


Keywords: malware scam spam
4 comment(s)


This is from the Asprox botnet.
Asprox shifted to spamming with malware attachments about halfway thru December.

Aside from the Asprox IP addresses:
the consistency in Envelope headers, From headers, and HELO, as apposed to the aexp-nacha-whatever from Cutwails. The kuluoz/dofoiol trojans. The Message-ID header has the netbios name of the infected windows computer, giving that touch of personal interest.

The http get /hexadecimal hash and POST encrypted key.bin and data.bin.

The beauty contest winner "my CV" emails and these fake emails have another commonality --
The wholesome all-American 50's white-woman names:
Ruth Tailor
Ruth Mason
Karen Tailor
Alena Mason
Emily Mason
Dorothy Smith

Occasionally you find commonality in Asprox's language: the "you should download it", matter-of-fact style was in several Asprox fake airline emails that came out like 6 months apart.
I wanted to point out that we have an open signature for this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013"; flow:established,to_server; content:!"Referer|3a|"; http_header; pcre:"/^\/[A-Za-z0-9]{8,}+$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|25.0) Gecko/20100101 Firefox/25.0"; http_header; fast_pattern:64,20; content:!"Host|3a|"; http_header; depth:5; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})\r$/Hmi"; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,; classtype:trojan-activity; sid:2017895; rev:2;)

This alerts on the initial call back POST on port 8080:

POST /A5B3CAE4DF83F1B95E128FCD1059612F65094B3160 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Content-Length: 317
Cache-Control: no-cache
There have been 9 different malware samples distributed by this campaign, which began on December 23rd at approximately 7:45 AM (US Central Time GMT -6)

Here are the relative distributions of each, where the first number is the number of spam samples collected in the Malcovery Security Spam Data Mine. The second column is the domain name used, the third is the MD5 of the .zip attachment, and lastly, in 15 minute increments, the first and last time period in which spam bearing this attachment was seen.

11633 | | 442e746ad1d185dd1683b1aa964f6e56 (2013-12-23 07:45 to 2013-12-23 21:00)
5979 | | 267d9f829ea2e3620ee62c52fcb4ebe9 (2013-12-23 16:30 to 2013-12-24 05:15)

4365 | | b2f8e5d86d7c50b5017e88527d8ce334 (2013-12-24 07:45 to 2013-12-24 20:00)
142 | | 76cdb2bad9582d23c1f6f4d868218d6c (2013-12-24 08:00 to 2013-12-24 16:00)
651 | | 0f0bb7b4f67b3bd90e944fcf7473b9d8 (2013-12-24 14:15 to 2013-12-24 20:00)

3054 | | 30336df44c6808175bf4a7c212d3e2f8 (2013-12-25 14:15 to 2013-12-26 03:00)
3236 | | f97795c2124f60596eb8faf18307ac35 (2013-12-25 05:15 to 2013-12-25 23:00)

3500 | | d181af2b32830119c0538851a8b53af8 (2013-12-26 06:00 to 2013-12-26 16:30)
484 | | 7c572385f09773237805a52e2fc106e9 (2013-12-26 12:00 to 2013-12-26 17:15)

samples are available to qualified researchers. More details here:
Gary Warner
A new version of the JonesDay spam has begun this morning (Dec 27 @ 6:15 AM US Central time, GMT -6).

Current detection is rather abysmal:

Diary Archives