Irregular Expressions

Jul 27 2012   12:21AM GMT

Discount Gift Certificates – Part 3



Posted by: Dan O'Connor
Uncategorized

Still no sign of outbound connections, and I am not sure if I will ever see one at this point.
My next step is to do some static analysis of the code and see if there are any hints in there.

I did have a thought: the suspect file came attached to an HTML email.
That could be an effective way to see who possibly loaded the exe: if you linked to a file on a web server from inside the HTML, you could see it hit in the logs, then scan those IPs at a later date.

After much searching, all of the links in the file are going to groupon.com.
I was starting to get disappointed when I noticed some extras on some of the links...

There are division, user, and source parameters. This might be something to work with, but I doubt it will get anything more than an email to groupon to ask about it.
Each of the links appears to have a different user string attached, like so:

user=3DDYS6OKLRAMKYYLDPUVAYRXSE3NMMNR3ETX39NA6LFNF8G
user=3DOBPAXTL39667KKV9YNBX7U6K00
user=3DXKHPO5YGT7OX9O42NUL1YK1CB9E

But the source and division seem to be consistent:
utm_source=3Dwelcome_day0&amp=;utm_medium=3Demail
division=3Dmiami
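The kind of check described above can be scripted. The block below is an added example, not code from the post: it undoes the quoted-printable transfer encoding that produces the =3D sequences seen in the links (=3D is an encoded "=" character), pulls every href and src out of the HTML, and then reports which query parameters stay constant across links and which vary per link, along with every host that would receive a request when the message is rendered. The sample email body, its hosts and the parameter values are constructed for this example; only the parameter names mirror the post.

```python
import quopri
from collections import Counter, defaultdict
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a quoted-printable HTML email body in the style of the
# message described in the post. Hosts, paths and values are made up; the
# tracker host is a placeholder and is not a real domain.
SAMPLE_QP_BODY = b"""<html><body>
<a href=3D"http://www.groupon.com/deals/abc?division=3Dmiami&amp;user=3DUSER0001&amp;utm_source=3Dwelcome_day0&amp;utm_medium=3Demail">Deal 1</a>
<a href=3D"http://www.groupon.com/deals/def?division=3Dmiami&amp;user=3DUSER0002&amp;utm_source=3Dwelcome_day0&amp;utm_medium=3Demail">Deal 2</a>
<img src=3D"http://tracker.example.invalid/pixel.gif?id=3DUSER0001">
</body></html>
"""


def decode_body(raw: bytes) -> str:
    """Undo quoted-printable transfer encoding (e.g. '=3D' becomes '=')."""
    return quopri.decodestring(raw).decode("utf-8", errors="replace")


class LinkCollector(HTMLParser):
    """Collect every href/src URL. HTMLParser unescapes &amp; in attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def extract_urls(html: str) -> list:
    """Return all href/src URLs found in the HTML, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return collector.urls


def analyze(raw: bytes) -> dict:
    """Decode the body, list contacted hosts, and split query parameters into
    those that are constant across all links and those that vary per link."""
    urls = extract_urls(decode_body(raw))
    hosts = Counter(urlsplit(u).netloc.lower() for u in urls)
    values = defaultdict(set)
    for u in urls:
        query = urlsplit(u).query
        for key, vals in parse_qs(query, keep_blank_values=True).items():
            values[key].update(vals)
    constant = {k for k, v in values.items() if len(v) == 1}
    variable = {k for k, v in values.items() if len(v) > 1}
    return {
        "urls": urls,
        "hosts": hosts,
        "constant_params": constant,
        "variable_params": variable,
        "values": {k: sorted(v) for k, v in values.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_QP_BODY)
    print("Hosts contacted when rendered:")
    for host, count in report["hosts"].most_common():
        print(f"  {host}: {count} link(s)")
    print("Constant parameters:", sorted(report["constant_params"]))
    print("Per-link (tracking) parameters:", sorted(report["variable_params"]))
    for key in sorted(report["variable_params"]):
        print(f"  {key} -> {report['values'][key]}")
```

Parameters that take a different value in every link (here, user) are the per-recipient identifiers worth asking the link owner about; hosts outside the expected domain are the ones whose server logs would record the reader's IP, so they belong on the block list and in the proxy log search.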

If what I am thinking is correct, the attacker is using groupon to manage the campaign by using its methods of tracking. I am assuming that whatever they can see through the analytics allows them to see the IP of the source.

I will send an email to them, see if we get anywhere.

Also we can continue with the static analysis.
