From: Sarah [johnson@jbrakes.com]The attached file is SCANNED DOCS,jpg.z which is a type of compressed file. If you have the right file decompression software, it will extact a malicious executable SCANNED DOCS,jpg.exe which has a VirusTotal detection rate of 17/55.
Date: 29 October 2015 at 08:27
Subject: Documents for Review and Comments
Hi Morning,
Attached are the return documents.
Call me if you need anything.
See you soon. :)
Sarah
According to various automated analysis tools [1] [2] [3] it drops a file %TEMP%\XP000.TMP\M.exe which itself has a detection rate of 19/54. Out of all the standard analysis tools I have used, only Comodo CAMAS identified the network traffic, a POST to:
eyeseen.net/swift/gate.php
This is hosted on a SoftLayer IP of 198.105.221.5 in Singapore. A quick look at VirusTotal indicates a lot of badness on this IP address, so it is probably one worth blocking.
The payload is Pony / Fareit, which is basically a password stealer.
MD5s:
25a322b9ea5c709c4376bf58527f198a
efc7210f7dbce441f74e3c9f07f28a2e
79ca99c3f751ae334d0340284242e4f6
No comments:
Post a Comment