Still no sign of out bound connections, and I am not sure if I will ever see on at this point.
My next step is to do some static analysis of the code and see if there is any hints in there.
I did have a thought, the suspect file came attached to an HTML email?
That could be an effective way to see who possible loaded the exe, if you linked to a file on a web server from inside the html you could see it hit in the logs. Then scan those IP’s at a later date.
After much searching, all of the links in the file are going to groupon.com.
I was starting to get disappointed when I noticed some extra’s on some of the links…
There is division, user, source. This might be something to work with, but I doubt it will get anything more then an email to groupon to ask about it.
Each of the links appears to have a different user string attached like so.
But the source and division seem to be consistent.
If what I am thinking is correct the attacker is using groupon to manage the campaign, by using it’s methods of tracking. I am assuming that what ever they can see through the analytics allows them to see the IP of the source.
I will send an email to them, see if we get anywhere.
Also we can continue with the static analysis.