Sponsored by..

Wednesday 5 February 2014

"Payment Fund" spam with Wire.Transfer.rar attachment

It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts..

From:     Alison George allison.george@transferduc.nl
Date:     5 February 2014 22:41
Subject:     Payment Fund

ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline

Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
Attached is a file Wire.Transfer.rar which you will need to unpack with a suitable application. In turn this creates a file Wire-Report which is actually an executable, but missing the .exe extension.. so you have to add that to get infected. Hmmm.. the phrase "some assembly required" springs to mind.

The VirusTotal detection rate is 7/50 but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason not showing in their database right now) has the following details:

Submission Summary:

  • Submission details:
    • Submission received: 5 February 2014, 04:39:38 PM
    • Processing time: 6 min 0 sec
    • Submitted sample:
      • File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
      • Filesize: 248,320 bytes
  • Summary of the findings:
What's been found Severity Level
Creates a startup registry entry.

Technical Details:

Memory Modifications
  • There was a new process created in the system:
Process Name Process Filename Main Module Size
server.exe %Temp%\server.exe 57,344 bytes

Registry Modifications
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts
    • [HKEY_CURRENT_USER\Environment]
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      • 5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
      • babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."

      so that %Temp%\server.exe runs every time Windows starts

Other details
  • To mark the presence in the system, the following Mutex object was created:
    • babe8364d0b44de2ea6e4bcccd70281e

No comments: