Wednesday, 26 August 2015

Malware spam: "RE:resume" leads to Cryptowall

This fake resume spam has a malicious payload. I got part way through decrypting it to discover that @Techhelplistcom had done all the hard bits, which saved me some effort. This particular spam delivers a version of the Cryptowall ransomware.

In the only sample I saw, the spam looks like this:

From:    emmetrutzmoser@yahoo.com
Date:    26 August 2015 at 23:29
Subject:    RE:resume
Signed by:    yahoo.com

Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply

Best regards

Janet Ronald

Attached was a file Janet_Ronald_resume.doc [VT 5/56] which (of course) contains a malicious macro that looks like this [pastebin].

The format of this message is very similar to this other fake resume spam seen recently, and a key feature here is that the message is really sent through Yahoo! and is not a forgery.
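Because the message passes sender authentication, filtering has to rely on the content traits described above: the "RE:resume" subject, a webmail sender, and a Name_Surname_resume.doc attachment whose name matches the name in the body. The following is an added example, not code from the original post; the FREEMAIL list, the three-trait threshold, the mx.example.test host and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample modelled on the message quoted above; the attachment bytes are a placeholder.
SAMPLE = """\
From: emmetrutzmoser@yahoo.com
Subject: RE:resume
Authentication-Results: mx.example.test; dkim=pass header.d=yahoo.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! my name is Janet Ronald it is my resume!Awaiting your prompt reply
Janet Ronald
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Janet_Ronald_resume.doc"

cGxhY2Vob2xkZXI=
--b1--
"""

FREEMAIL = {"yahoo.com"}  # assumption: extend with the webmail domains you see abused
ATTACH_RE = re.compile(r"^([A-Z][a-z]+)_([A-Z][a-z]+)_resume\.doc$")

def triage(raw):
    """Return the campaign traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    parts = list(msg.walk())
    subject = msg.get("Subject", "").strip()
    hits = ["subject"] if re.fullmatch(r"re:\s*resume", subject, re.I) else []
    if parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() in FREEMAIL:
        hits.append("freemail-sender")
    body = " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in parts
                    if p.get_content_type() == "text/plain" and not p.get_filename())
    for p in parts:
        m = ATTACH_RE.match(p.get_filename() or "")
        if m:
            hits.append("resume-doc")
            if f"{m.group(1)} {m.group(2)}" in body:  # signature name reused as file name
                hits.append("name-matches-body")
    return hits

def verdict(raw):
    # The dkim=pass result is deliberately ignored: this spam really is sent via Yahoo.
    hits = triage(raw)
    return "quarantine" if "resume-doc" in hits and len(hits) >= 3 else "deliver"
```
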

Deobfuscating the macro shows that a file is downloaded from which is then run through a decoding mechanism to create (I think) %APPDATA%\278721985.exe. The Hybrid Analysis report shows some of this in action, but Techhelplist did the hard work of decrypting it.

To save a bit of time, a helpful soul left a note on the VT scan of the fake JPEG which leads to this VT report on the actual executable itself, and this then leads to this rather informative Hybrid Analysis report which has some nice screenshots.

Out of all the IPs and domains listed in those reports, I think these are probably the priorities to block:

(Eurobyte, Russia)
linecellardemo.net / (GoDaddy, US)

You might want to block the entire range because... well, Russia really.


