Similar to yesterday – another round of these bits of crap.
This time the subject is a randomised “Fax message#<RANDOM>”, with the following content:
Fax Message [Caller-ID: 1-407-194-7216]
You have received a 5 page fax at Wed, 26 Nov 2014 12:16:13 +0000.
http://79.96.168.112/messages/message3334739
View this fax using your PDF reader.
Thank you for using the MyFax service!
Several other URLs appear in the emails, all following the same /messages/message<number> pattern as the one above.
Following the link serves a zip file whose name contains a random number, e.g. “ReceivedFaxMessage_pdf24.zip”, containing “ReceivedFaxMessage_pdf.exe”:
SHA256: 0bd96769eab8efc42226cd36f6e7c27c400a4c35c2e906edc223d2fe3c44245a (VirusTotal report / Malwr report)
This is a different sample from the junk sent yesterday.
When run it contacted:
http://95.211.199.37:30377/2611uk3/W7VM1/0/61-SP1/0/
and
http://95.211.199.37:30377/2611uk3/W7VM1/1/0/0/
This IP was seen in yesterday’s junk.
It then downloaded a 330kb file from:
http://aday.de/imgbak/w3.pnj (an encrypted or obfuscated config file?)
SHA256: cbaaf34ba1d98be767a2473d16e2b135499353e90c757464acc4a86a1a9c4cfc (VirusTotal report / Malwr report)
Further HTTPS communication was with:
5.135.153.227 on port 4443 (reverse DNS of “ip-5-135-153.eu”, a host at OVH in France):
inetnum: 5.135.152.0 – 5.135.159.255
netname: OVH
descr: OVH SAS
descr: Dedicated servers
descr: http://www.ovh.com
country: FR
The certificate on that SSL connection was issued on 25th November 2014, so this is either a recently set up C&C server or a hacked machine. It also looks like the nginx proxy on that machine can’t contact its backend host and is returning errors, which causes the malware to be more verbose about what it might be doing:
- 00:00:00.000 iexplore.exe[3992] (Count=3, Sent=974 , Received=1.05 K, ElapsedTime=2.735 s)
  1 False + 0.016 True 1.844 s GET 502 357 text/html https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/
  2 False + 0.000 True 1.767 s GET 502 357 text/html https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/
  11 False + 1.844 True 0.891 s GET 502 357 text/html https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Check%20wininet.dll%20on%20server%20failed/0/MY.ip.Addr.Redacted/
- 00:00:00.781 iexplore.exe[2464] (Count=13, Sent=8.56 K, Received=13.21 K, ElapsedTime=1.314 s)
  3 False + 0.000 False GET (None) https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/
  4 False + 0.016 True 0.954 s GET 502 357 text/html https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/
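As an added example (not part of the original post), here is a small Python scanner that flags proxy log lines carrying either the lure links or the beacon URLs seen above and pulls the beacon path apart into fields. The beacon field names, the campaign-id pattern, the log line format and the 10.0.0.x client addresses are my assumptions; the URLs themselves are the ones observed in this post.

```python
import re
from urllib.parse import unquote, urlparse

# Lure links in the spam all share this path shape: /messages/message<7 digits>
LURE_RE = re.compile(r"^/messages/message\d{7}$")

# Beacon paths from the sandbox run: /<campaign>/<victim-id>/<code>/<args...>/
# The field names and the campaign-id shape are assumptions inferred from the URLs.
BEACON_RE = re.compile(
    r"^/(?P<campaign>\d{4}[a-z]{2}\d)/(?P<victim>[^/]+)/(?P<code>\d+)/(?P<rest>.*)$"
)

def classify_url(url):
    """Return a dict describing why a URL matches this campaign, or None."""
    p = urlparse(url)
    if LURE_RE.match(p.path):
        return {"kind": "lure", "host": p.hostname, "path": p.path}
    m = BEACON_RE.match(p.path)
    if m:
        # Remaining segments carry the command argument, status text and the
        # victim's IP; percent-decoding makes the error text readable.
        args = [unquote(s) for s in m.group("rest").strip("/").split("/") if s]
        return {"kind": "beacon", "host": p.hostname, "port": p.port,
                "campaign": m.group("campaign"), "victim": m.group("victim"),
                "code": int(m.group("code")), "args": args}
    return None

def scan_proxy_log(lines):
    """Return (line_no, info) for every proxy log line carrying a campaign URL."""
    url_re = re.compile(r"https?://\S+")
    hits = []
    for n, line in enumerate(lines, 1):
        for url in url_re.findall(line):
            info = classify_url(url)
            if info:
                hits.append((n, info))
    return hits

# Constructed sample proxy log (timestamp, client, method, URL, status);
# the URLs are the ones observed in the post, the client addresses are made up.
SAMPLE_LOG = [
    "2014-11-26T12:20:01 10.0.0.5 GET http://79.96.168.112/messages/message3334739 200",
    "2014-11-26T12:21:10 10.0.0.5 GET http://95.211.199.37:30377/2611uk3/W7VM1/0/61-SP1/0/ 200",
    "2014-11-26T12:21:12 10.0.0.5 GET https://5.135.153.227:4443/2611uk3/"
    "W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/"
    "Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/ 502",
    "2014-11-26T12:25:00 10.0.0.7 GET https://www.example.com/messages/inbox 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the first three lines and leaves the benign fourth alone; the `/messages/message<digits>` path is generic enough that lure hits should be confirmed against the sending host before blocking.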
Another commenter on VirusTotal reports that it redirects traffic for many banking sites via 5.135.180.22 on port 80 (rDNS ip-5-135-180.eu, another host at OVH).