Email “Fax Message #6464552 ” junk.

E-mail comes through with a subject line similar to: “Fax Message #5522951 ” with a random number.

The message body looks like this:

Fax Message [Caller-ID: 1-407-378-1024]

You have received a 3 page fax at Mon, 1 Dec 2014 14:16:54 +0000.

http://www.nlp-books.net/document/faxmessage.php

View this fax using your PDF reader.
Thank you for using the MyFax service!

The URLs in the messages point at a multitude of hacked sites:

http://www.nlp-books.net/document/faxmessage.php
http://onlinecypruscasino.com/document/faxmessage.php
http://netembilgisayar.com/document/faxmessage.php
http://mobel800.com/document/faxmessage.php
http://mubinka.com/document/faxmessage.php
http://mortgageleadnet.com/document/faxmessage.php
http://burlesonfugitiverecovery.com/document/faxmessage.php
http://typesoflearning.org/document/faxmessage.php

The sending SMTP servers appear to be:
85.97.129.129
71.13.145.6
68.67.62.194
24.37.176.50
63.172.62.66
86.40.134.125
80.86.43.60
23.25.23.205
174.93.235.214
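As an added example (my own code, not part of the original post), the following mail-gateway check turns the three indicators described above into a scoring function: the "Fax Message #<digits>" subject, a body link whose path is /document/faxmessage.php, and a relay hop from one of the listed sending IPs. The sample messages are constructed; the header values other than the subject, body text and relay IP are invented, and the log format of the Received header is the usual "[ip]" bracket form.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Indicators taken from the write-up above.
LURE_SUBJECT = re.compile(r"^Fax Message #\d+\s*$")
LURE_PATH = "/document/faxmessage.php"
SENDING_IPS = {
    "85.97.129.129", "71.13.145.6", "68.67.62.194", "24.37.176.50", "63.172.62.66",
    "86.40.134.125", "80.86.43.60", "23.25.23.205", "174.93.235.214",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample lure: headers are invented, subject and body mimic the spam.
SAMPLE_LURE = (
    "Received: from unknown (HELO mail) ([85.97.129.129])\n"
    "\tby mx.example.invalid with SMTP; Mon, 1 Dec 2014 14:17:03 +0000\n"
    "From: MyFax <fax@example.invalid>\n"
    "To: victim@example.invalid\n"
    "Subject: Fax Message #5522951\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Fax Message [Caller-ID: 1-407-378-1024]\n"
    "\n"
    "You have received a 3 page fax at Mon, 1 Dec 2014 14:16:54 +0000.\n"
    "\n"
    "http://www.nlp-books.net/document/faxmessage.php\n"
    "\n"
    "View this fax using your PDF reader.\n"
    "Thank you for using the MyFax service!\n"
)
# Constructed benign message for comparison.
SAMPLE_BENIGN = (
    "Received: from mail.example.invalid ([198.51.100.7])\n"
    "\tby mx.example.invalid with ESMTP; Mon, 1 Dec 2014 09:00:00 +0000\n"
    "Subject: Lunch on Tuesday?\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Shall we meet at noon? Menu: https://www.example.com/menu.html\n"
)


def body_text(msg):
    """Return the text of the preferred body part (plain first, then html)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def relay_ips(msg):
    """Collect every bracketed IPv4 address from all Received headers."""
    ips = set()
    for hdr in msg.get_all("Received", []):
        ips.update(BRACKET_IP_RE.findall(str(hdr)))
    return ips


def score_message(raw):
    """Score a raw RFC 822 message against the fax-lure indicators."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if LURE_SUBJECT.match(str(msg.get("Subject", "")).strip()):
        reasons.append("subject matches 'Fax Message #<digits>' lure")
    lure_urls = [u for u in URL_RE.findall(body_text(msg))
                 if urlparse(u).path == LURE_PATH]
    if lure_urls:
        reasons.append(f"body links to {LURE_PATH}: {', '.join(lure_urls)}")
    known = relay_ips(msg) & SENDING_IPS
    if known:
        reasons.append("relayed from known sending IP(s): " + ", ".join(sorted(known)))
    return {"score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw))
```

The path match is deliberately on the URL path rather than the host, because the landing pages sit on a rotating set of compromised domains while the path stays constant; the sender-IP match is the weakest of the three, since the relay list will change as the botnet churns.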

The links give you a file, SHA256 9bb41ac8fc5fb79c58411dc137fd46ef5e130b753f436eec1a22c529f1305703, named “doc21641_pdf.zip”, which extracts to “doc21641_pdf.exe”.

VirusTotal Report / Malwr Report

When run it sends two requests:

http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/
http://80.248.222.238:15060/0112uk2/W7VM1/1/0/0/

It disguises its requests as:
“User-Agent: realUpdate”
Something I don’t remember from the 3 previous – similar – infections.

Both requests return 0 bytes.
The server is in France and hosted by:

inetnum: 80.248.222.0 – 80.248.222.255
descr: FR-NERIM-80-248-222
org: ORG-NA20-RIPE
netname: VIRTUAL-HOSTING-PA3
remarks: INFRA-AW
country: FR

It also resolves wholesale-motoroilonline.com in DNS and then requests /images/t2.pnj from that host.
The server answers with a redirect to http://www.wholesale-motoroilonline.com, so the DNS lookup and the request are repeated against the www host.

http://www.wholesale-motoroilonline.com/images/t2.pnj (hosted on 192.163.217.66 / server.amssyntheticoil.com)

Net Range 192.163.192.0 – 192.163.255.255
CIDR 192.163.192.0/18
Name UNIFIEDLAYER-NETWORK-13
Handle NET-192-163-192-0-1

After downloading this file, it extracts and spawns another process from the “C:\Users\<username>\AppData\Local\” folder. SHA256 040766e3569e2a73fa0e22a2447edb9e2c31f9891ebc82af42c700f02a64961a

VirusTotal Report / Malwr Report.

It then makes further requests using explorer.exe:

-  00:00:00.000    fwyql.exe[3768] (Count=4, Sent=557 , Received=356.42 K, ElapsedTime=1.797 s)
   1         False    + 0.000             False               GET                       (None)                    http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/
   2         False    + 0.047             False               GET                       (None)                    http://80.248.222.238:15060/0112uk2/W7VM1/1/0/0/
   3         False    + 0.109             True   0.283 s      GET     301     568       text/html                 http://wholesale-motoroilonline.com/images/t2.pnj  http://www.wholesale-motoroilonline.com/images/t2.pnj
   4         False    + 0.391             True   1.407 s      GET     200     355.87 K  text/plain                http://www.wholesale-motoroilonline.com/images/t2.pnj
-  00:11:34.204    Explorer.EXE[3912] (Count=8, Sent=1.95 K, Received=117.52 K, ElapsedTime=10.985 s)
   5         False    + 0.000             True   1.766 s      GET     200     757       application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/cert/my.ip.masked.here/
   6         False    + 1.765             True   2.923 s      GET     200     805       application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/0/Win_7_SP1_32bit/1069/my.ip.masked.here/
   7         False    + 4.703             True   1.610 s      GET     200     197       application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/1/KxskFNkhMvobihpvNHQcRMxTXhygpqU/my.ip.masked.here/
   8         False    + 4.703             True   3.001 s      GET     200     52.91 K   application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/httprdc/my.ip.masked.here/
   9         False    + 6.343             True   2.939 s      GET     200     52.91 K   application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/httprdc/8my.ip.masked.here/
   10        False    + 7.718             True   1.720 s      GET     200     4.99 K    application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/respparser/my.ip.masked.here/
   11        False    + 9.296             True   1.689 s      GET     200     4.99 K    application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/5/respparser/my.ip.masked.here/
   13        False    + 10.984            True   1.626 s      GET     200     197       text/plain                https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/user/henry/0/my.ip.masked.here/

This server (202.153.35.133) has no RDNS and is hosted in Hyderabad in India:

inetnum: 202.153.32.0 – 202.153.47.255
netname: EXCELL-NET
descr: Excell Media Pvt Ltd
descr: Cable ISP
descr: Hyderabad A.P, India
country: IN

Further “errors”, similar to the previous analysis, show more information about what it might be stealing:

   14  False    + 178.671            True   1.658 s      GET     200     197       text/plain                https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/error/send%20browser%20snapshot%20failed/0/86.164.189.213/
   15  False    + 178.671            True   1.689 s      GET     200     197       text/plain                https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/twg32/cannot%20get/0/86.164.189.213/
   16  False    + 180.328            True   1.798 s      GET     200     1.13 K    application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/23/217162868/uBpCFodxIIocBPaHMTCnyLaPbRtKAdf/86.164.189.213/
   17  False    + 183.687            True   3.876 s      POST    200     197       text/plain                https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/63/generalinfo/86.164.189.213/
   18  False    + 206.015            True   1.595 s      GET     200     197       application/octet-stream  https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/1/FcUYTwjrIbXODWguWiaTFakmLbUpkGK/86.164.189.213/
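The traffic in the two captures above (the first-stage beacons on port 15060 with the "realUpdate" User-Agent, the .pnj payload fetch, and the second-stage HTTPS beacons on port 4443 carrying a constant "0112uk2" tag, a bot identifier and status strings such as "error/send browser snapshot failed") lends itself to a proxy-log detection. The block below is an added example of mine, not code from the original post: it parses constructed log lines in an assumed "timestamp client method url status "user-agent"" format, flags the indicators, and splits the beacon path into fields. The field names in parse_c2_path (campaign, bot_id, code, args, reported_ip) are my reading of the observed URL structure, not documented protocol fields, and the victim IP in the sample is replaced with a documentation address.

```python
import re
from urllib.parse import urlparse, unquote

# Indicators taken from the write-up above.
C2_HOSTS = {"80.248.222.238:15060", "202.153.35.133:4443"}
CAMPAIGN_TAG = "0112uk2"
BEACON_UA = "realUpdate"
LURE_PATH = "/document/faxmessage.php"
PAYLOAD_HOSTS = {"wholesale-motoroilonline.com", "www.wholesale-motoroilonline.com"}

# Assumed proxy log layout: ts client method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample log reproducing the observed requests; 192.0.2.10 stands
# in for the victim's public IP, and the last line is benign traffic.
SAMPLE_LOG = """\
2014-12-01T14:18:02Z 10.0.0.5 GET http://www.nlp-books.net/document/faxmessage.php 200 "Mozilla/5.0"
2014-12-01T14:20:11Z 10.0.0.5 GET http://80.248.222.238:15060/0112uk2/W7VM1/0/61-SP1/0/ 200 "realUpdate"
2014-12-01T14:20:12Z 10.0.0.5 GET http://www.wholesale-motoroilonline.com/images/t2.pnj 200 "Mozilla/5.0"
2014-12-01T14:31:45Z 10.0.0.5 GET https://202.153.35.133:4443/0112uk2/W7VM1_W617601.0E5B3B080E7C4EFF42F9B6187EA23DB8/14/error/send%20browser%20snapshot%20failed/0/192.0.2.10/ 200 "Mozilla/5.0"
2014-12-01T14:35:00Z 10.0.0.7 GET https://www.example.com/index.html 200 "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_c2_path(path):
    """Split a beacon path into assumed fields: /<campaign>/<bot_id>/<code>/<args...>/<ip>/."""
    parts = [unquote(p) for p in path.split("/") if p]
    if len(parts) < 3 or parts[0] != CAMPAIGN_TAG:
        return None
    reported_ip = parts[-1] if IPV4_RE.match(parts[-1]) else None
    args = parts[3:-1] if reported_ip else parts[3:]
    return {"campaign": parts[0], "bot_id": parts[1], "code": parts[2],
            "args": args, "reported_ip": reported_ip}


def classify(entry):
    """Return the list of indicator names that a parsed log entry matches."""
    url = urlparse(entry["url"])
    reasons = []
    if url.path == LURE_PATH:
        reasons.append("fax lure landing page")
    if entry["ua"] == BEACON_UA:
        reasons.append("beacon user-agent")
    if url.netloc in C2_HOSTS:
        reasons.append("known C2 host")
    beacon = parse_c2_path(url.path)
    if beacon:
        reasons.append(f"campaign beacon code={beacon['code']} bot={beacon['bot_id']}")
        if beacon["args"] and beacon["args"][0] == "error":
            detail = beacon["args"][1] if len(beacon["args"]) > 1 else ""
            reasons.append(f"bot status message: {detail}")
    if url.hostname in PAYLOAD_HOSTS and url.path.endswith(".pnj"):
        reasons.append("payload fetch disguised as image")
    return reasons


def scan(log_text):
    """Scan a whole log; return (client, url, reasons) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["client"], entry["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "->", "; ".join(reasons))
```

Matching on the campaign path and the host:port pair independently matters here: the first-stage server and the second-stage server differ, and the User-Agent string is only present on the first stage, while the "0112uk2" tag and bot identifier persist across both.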

The SSL certificate for this run was generated on “01 December 2014 15:20:10” which indicates another very active / recent setup for this intrusion attempt.


One Response to Email “Fax Message #6464552 ” junk.

  1. Pingback: “Payment Advice – Advice Ref:[GB580659] / CHAPS credits” Spam with Virus | thecomputerperson
