“Fax message#382675552 ” scam again..

Similar to yesterday – another round of these bits of crap.

This time there is a random subject of “Fax message#<RANDOM> ”

With the content of

Fax Message [Caller-ID: 1-407-194-7216]

You have received a 5 page fax at Wed, 26 Nov 2014 12:16:13 +0000.

View this fax using your PDF reader.
Thank you for using the MyFax service!

Several urls appear in the emails:

This generates a zip file with a random number in it “ReceivedFaxMessage_pdf24.zip” containing “ReceivedFaxMessage_pdf.exe”:

SHA256 “0bd96769eab8efc42226cd36f6e7c27c400a4c35c2e906edc223d2fe3c44245a” Virustotal Report / Malwr Report
Different to the junk sent yesterday.

When run it contacted:

This IP was seen in yesterday’s junk.

Then downloaded 330kb file from:
http://aday.de/imgbak/w3.pnj (encrypted or obfiscated config file?)

SHA256 “cbaaf34ba1d98be767a2473d16e2b135499353e90c757464acc4a86a1a9c4cfc” VirusTotal Report / Malwr Report

Further HTTPS communication was with: on port 4443 (Reverse dns of “ip-5-135-153.eu” at OVH in France)

inetnum: –
netname: OVH
descr: OVH SAS
descr: Dedicated servers
descr: http://www.ovh.com
country: FR

The certificate on that ssl connection was issued on 25th November 2014 so a recently setup C&C server or hacked machine. It also looks like the nginx proxy on that machine can’t contact it’s host and is giving errors causing the malware to be more verbose about what it might be doing:

-  00:00:00.000    iexplore.exe[3992] (Count=3, Sent=974 , Received=1.05 K, ElapsedTime=2.735 s)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
   1         False    + 0.016            True   1.844 s      GET     502       357       text/html,%200x545ad456/0/MY.ip.Addr.Redacted/                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
   2         False    + 0.000            True   1.767 s      GET     502       357       text/html                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
   11        False    + 1.844            True   0.891 s      GET     502       357       text/html                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
-  00:00:00.781    iexplore.exe[2464] (Count=13, Sent=8.56 K, Received=13.21 K, ElapsedTime=1.314 s)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     
   3         False    + 0.000            False               GET                         (None),%200x545ad456/0/MY.ip.Addr.Redacted/                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
   4         False    + 0.016            True   0.954 s      GET     502       357       text/html                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    

Another commenter on VirusTotal reports that it redirects many banking sites traffic via on port 80 (rdns ip-5-135-180.eu, another host at OVH).

This entry was posted in Uncategorized. Bookmark the permalink.

One Response to “Fax message#382675552 ” scam again..

  1. Pingback: Email “Fax Message #6464552 ” junk. | thecomputerperson

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s