Trojan.Drixed Notes: Excel meostore.net

1. Trojan.Drixed
2. Reported by neonprimetime security
3. http://neonprimetime.blogspot.com
4.  
5. *****
6. 123.30.210.118
7. 199.16.199.2
8. hxxp://meostore.net/js/bin.exe
9. hxxp://199.16.199.2/js/bin.exe
10. *****
11. Trojan.Downloader.Drixed
12. Trojan.Drixed
13. xls
14. md5sum: ee3dd31abd4fc9af4214df7d385c5c4e
15. *****
16. From: "faxtastic!" <[email protected]>
17. Subject: Fax from +4921154767199 Pages: 1
18. 3l71l93Nvnz3mH7b-0-2015031714240625332.xls
19. *****
20. It appears Office12\EXCEL.EXE is using VBA Macros to make udp dns queries about for meostore.net
21. It appears Office12\EXCEL.EXE makes tcp calls port 80 then out to meostore.net
22. It appears Office12\EXCEL.EXE is looking for Office14\EXCEL.EXE (different versions) as well ad Acrobat, Powerpoint, and Word
23. *****
24. Files touched:
25. \AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
26. \AppData\Roaming\Microsoft\Windows\Cookies
27. \AppData\Local\Temp\2015031714240625332-1.xls
28. \AppData\Roaming\Microsoft\Office\Excel12.pip
29. \AppData\Local\Temp\CVR7C40.tmp.cvr
30. \AppData\Local\Temp\97344.od
31. \Local Settings\History\History.IE5\index.dat
32. \Application Data\Microsoft\Office\Recent\2015031714240625332-1.LNK
33. \Application Data\Microsoft\Office\Recent\2015031714240625332-2.LNK
34. \Application Data\Microsoft\Office\Recent\index.dat
35. *****
36. Processes C:\Program Files\Microsoft Office\Office12\EXCEL.EXE is looking for:
37. \Windows\explorer.exe
38. \Windows\System32\taskhost.exe
39. \Program Files\Microsoft Office\Office14\EXCEL.EXE
40. \Program Files\Microsoft Office\Office12\POWERPNT.EXE
41. \Program Files\Microsoft Office\Office14\POWERPNT.EXE
42. \Program Files\Microsoft Office\Office12\WINWORD.EXE
43. \Windows\System32\cmd.exe
44. \Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
45. \Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
46. \Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
47. \WINDOWS\system32\ctfmon.exe