“Fax message#382675552 ” scam again..

Similar to yesterday – another round of these bits of crap.

This time the subject is “Fax message#<RANDOM> ”, with the number randomised per message.

With the content of

Fax Message [Caller-ID: 1-407-194-7216]

You have received a 5 page fax at Wed, 26 Nov 2014 12:16:13 +0000.

http://79.96.168.112/messages/message3334739

View this fax using your PDF reader.
Thank you for using the MyFax service!

Several URLs appear in the emails:

http://79.96.168.112/messages/message3334739
http://www.georgetowntearoom.com/messages/message3023511
http://www.globalfuturetech.com/messages/message6645774
http://de.net16.net/messages/message8270884
http://119.46.146.54/messages/message9830562
http://fahren-mit-martens.de/messages/message7702872
http://152.74.132.2/messages/message5929531
http://reliant.myzen.co.uk/messages/message3615225
http://grannysoven.com/messages/message1141993
http://184.172.40.199/messages/message9205490
http://jkmoto.cz/messages/message2540670
http://www.galvanus.com/messages/message1850017
http://vemo35.free.fr/messages/message0578247
http://195.64.210.107/messages/message1220336

Each of these URLs serves a zip file with a random number in its name (here “ReceivedFaxMessage_pdf24.zip”) containing “ReceivedFaxMessage_pdf.exe”:

SHA256 “0bd96769eab8efc42226cd36f6e7c27c400a4c35c2e906edc223d2fe3c44245a” Virustotal Report / Malwr Report
Different from the junk sent yesterday.

When run it contacted:
http://95.211.199.37:30377/2611uk3/W7VM1/0/61-SP1/0/
and
http://95.211.199.37:30377/2611uk3/W7VM1/1/0/0/

This IP was seen in yesterday’s junk.

It then downloaded a 330 KB file from:
http://aday.de/imgbak/w3.pnj (an encrypted or obfuscated config file?)

SHA256 “cbaaf34ba1d98be767a2473d16e2b135499353e90c757464acc4a86a1a9c4cfc” VirusTotal Report / Malwr Report

Further HTTPS communication was with:
5.135.153.227 on port 4443 (Reverse dns of “ip-5-135-153.eu” at OVH in France)

inetnum: 5.135.152.0 – 5.135.159.255
netname: OVH
descr: OVH SAS
descr: Dedicated servers
descr: http://www.ovh.com
country: FR

The certificate on that SSL connection was issued on 25th November 2014, so this is either a recently set up C&C server or a recently hacked machine. It also looks like the nginx proxy on that machine can’t contact its backend and is returning errors, which causes the malware to be more verbose about what it might be doing:

-  00:00:00.000    iexplore.exe[3992] (Count=3, Sent=974 , Received=1.05 K, ElapsedTime=2.735 s)
   1         False    + 0.016            True   1.844 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/
   2         False    + 0.000            True   1.767 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/
   11        False    + 1.844            True   0.891 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Check%20wininet.dll%20on%20server%20failed/0/MY.ip.Addr.Redacted/
-  00:00:00.781    iexplore.exe[2464] (Count=13, Sent=8.56 K, Received=13.21 K, ElapsedTime=1.314 s)
   3         False    + 0.000            False               GET                         (None)     https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/
   4         False    + 0.016            True   0.954 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/

Another commenter on VirusTotal reports that it redirects traffic for many banking sites via 5.135.180.22 on port 80 (rDNS ip-5-135-180.eu, another host at OVH).
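As an added example (my own script, not something from the original post), here is a small Python tool that turns the indicators above into checks a mail or proxy admin can run: it flags the “/messages/message<7 digits>” landing URLs from the emails, splits the C&C beacon URLs into their visible segments, lists the host:port endpoints to block, and reduces proxy-log rows like the capture above to status/action pairs. The field names (campaign, hostid, fingerprint, action) are my labels for the segments seen in the capture, not the malware’s own terms; the log rows are re-typed from the post with the padding removed, and the two *.invalid URLs are benign controls I constructed.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample input modelled on the post: the lure and beacon URLs are
# the post's own indicators, the proxy-log rows are re-typed from its capture
# (trailing padding removed), and the *.invalid entries are benign controls
# added so the negative cases are exercised too.
LURE_URLS = [
    "http://79.96.168.112/messages/message3334739",
    "http://www.georgetowntearoom.com/messages/message3023511",
    "http://de.net16.net/messages/message8270884",
    "http://example.invalid/newsletter/issue42",
]

BEACON_URLS = [
    "http://95.211.199.37:30377/2611uk3/W7VM1/0/61-SP1/0/",
    "http://95.211.199.37:30377/2611uk3/W7VM1/1/0/0/",
    "https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/",
    "https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/",
    "https://www.example.invalid/account/login",
]

PROXY_LOG = [
    "-  00:00:00.000    iexplore.exe[3992] (Count=3, Sent=974 , Received=1.05 K, ElapsedTime=2.735 s)",
    "   1         False    + 0.016            True   1.844 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/",
    "   2         False    + 0.000            True   1.767 s      GET     502       357       text/html  https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/63/checkfile/20e3c0121144a0291fd42a0cf9ead6992d27f9bb/MY.ip.Addr.Redacted/",
    "   3         False    + 0.000            False               GET                         (None)     https://5.135.153.227:4443/2611uk3/W7VM1_W617601.BDB8B06F8475FFF3541298376604B875/14/error/Error%20code%20fccc0000,%200x545ad456/0/MY.ip.Addr.Redacted/",
]

# Every landing URL in the mails has the path /messages/message<7 digits>.
LURE_PATH_RE = re.compile(r"^/messages/message\d{7}$")

# Shape of the beacon path as seen in the capture:
#   /<campaign tag>/<host id>[_<machine fingerprint>]/<number>/<action>/<args...>/
# These field names are my labels for the observed segments, not the malware's.
BEACON_PATH_RE = re.compile(
    r"^/(?P<campaign>[0-9a-z]+)/(?P<hostid>[A-Za-z0-9]+)"
    r"(?:_(?P<fingerprint>[A-Za-z0-9.]+))?/(?P<number>\d+)/(?P<action>[^/]+)/(?P<rest>.*)$"
)

# Pull the method, the optional HTTP status and the URL out of one proxy-log row.
LOG_ROW_RE = re.compile(r"\b(?P<method>GET|POST)\s+(?P<status>\d{3})?.*?(?P<url>https?://\S+)$")


def is_lure_url(url):
    """True if the URL has the /messages/message<7 digits> landing-page shape."""
    return LURE_PATH_RE.match(urlparse(url).path) is not None


def parse_beacon(url):
    """Split a C&C beacon URL into its fields, or return None if it does not fit the shape."""
    p = urlparse(url)
    m = BEACON_PATH_RE.match(p.path)
    if not m:
        return None
    fields = m.groupdict()
    fields["host"] = p.hostname
    fields["port"] = p.port or (443 if p.scheme == "https" else 80)
    # Split the trailing segments first, then decode the percent-encoded text the
    # bot reports back (e.g. "Error code ..."), so a decoded slash cannot split a segment.
    fields["args"] = [unquote(s) for s in fields.pop("rest").strip("/").split("/")]
    return fields


def c2_endpoints(urls):
    """Sorted, de-duplicated host:port list for every URL that parses as a beacon."""
    found = set()
    for u in urls:
        b = parse_beacon(u)
        if b:
            found.add("%s:%d" % (b["host"], b["port"]))
    return sorted(found)


def summarize_log(lines):
    """Reduce proxy-log rows to (status, action, first argument) for each beacon seen."""
    rows = []
    for line in lines:
        m = LOG_ROW_RE.search(line.rstrip())
        if not m:
            continue  # process header rows and anything without a URL
        b = parse_beacon(m.group("url"))
        if not b:
            continue
        status = int(m.group("status")) if m.group("status") else None
        rows.append((status, b["action"], b["args"][0]))
    return rows


if __name__ == "__main__":
    print("lure URLs:", [u for u in LURE_URLS if is_lure_url(u)])
    print("C&C endpoints to block:", c2_endpoints(BEACON_URLS))
    for row in summarize_log(PROXY_LOG):
        print(row)
```

The path-shape match on its own is only a heuristic (any site with a similar segment layout would fit), so treat a hit as a reason to look at the host:port and the `error`/`checkfile` actions rather than as proof by itself; the known C&C addresses in `c2_endpoints` are the firm indicator.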

One Response to “Fax message#382675552 ” scam again..

  1. Pingback: Email “Fax Message #6464552 ” junk. | thecomputerperson