It's rare to see malware with a .RAR attachment, but this is one of those unusual beasts.
From: Alison George allison.george@transferduc.nl
Date: 5 February 2014 22:41
Subject: Payment Fund
ALERT! A bank Wire transaction, Has just been rejected from checking 656778*** account.
to your bank confirmed by the FedWire.
Transaction ID: 99076900
Date: 2/3/2014
Transfer Origination: Fedline
Please review the attached copy of transaction report,
Federal Reserve Financial Services
Creating Nationwide Solutions for Your Payment Needs
20th Street and Constitution Avenue N.W.
Washington, D.C. 20551
Attached is a file Wire.Transfer.rar, which you will need to unpack with a suitable application. In turn this contains a file Wire-Report, which is actually an executable but is missing the .exe extension, so you have to add that yourself to get infected. Hmmm, the phrase "some assembly required" springs to mind.
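An added example, not from the original post: a small Python triage helper that classifies an attachment by its leading bytes rather than by its name, so an extensionless PE pulled out of a RAR archive is still recognised as an executable and flagged as disguised. The RAR signatures and the PE header layout are standard; the byte buffers the script builds are constructed stand-ins, not the actual Wire.Transfer.rar or Wire-Report samples.

```python
import struct

# RAR archive signatures (4.x and 5.x) and the PE header constant used below are
# standard; the sample buffers in this example are constructed, not real malware.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
E_LFANEW_OFFSET = 0x3C            # DOS header field holding the offset of "PE\0\0"
EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "sys", "com"}


def identify(data: bytes) -> str:
    """Classify a blob by content: 'rar', 'pe', 'dos-mz' or 'unknown'."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data[:2] == b"MZ" and len(data) >= E_LFANEW_OFFSET + 4:
        (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "dos-mz"           # MZ header but no PE signature where expected
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare the extension the name claims with the content type detected."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    kind = identify(data)
    return {
        "name": filename,
        "ext": ext,
        "kind": kind,
        # An executable shipped without an executable extension, like Wire-Report
        "disguised_executable": kind == "pe" and ext not in EXECUTABLE_EXTENSIONS,
    }


def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in: just enough header bytes to satisfy identify()."""
    buf = bytearray(b"MZ") + bytearray(e_lfanew - 2)
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf += b"PE\x00\x00" + bytes(20)  # PE signature followed by a zeroed COFF header
    return bytes(buf)


if __name__ == "__main__":
    for name, blob in (("Wire.Transfer.rar", RAR4_MAGIC + bytes(16)),
                       ("Wire-Report", build_fake_pe())):
        print(triage(name, blob))
```

Running a check like this on the extracted contents of an archive, rather than trusting the extension, is what makes the "add .exe yourself" trick visible at the mail gateway or in a sandbox pre-filter.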
The VirusTotal detection rate is 7/50, but most automated analysis tools seem to be having problems with the executable, so perhaps it is hardened against analysis or is simply corrupt. The ThreatExpert report (for some reason not showing in their database right now) has the following details:
Submission Summary:
- Submission details:
- Submission received: 5 February 2014, 04:39:38 PM
- Processing time: 6 min 0 sec
- Submitted sample:
- File MD5: 0x12F1265162AAD712C271DAC6A9B5E564
- Filesize: 248,320 bytes
What's been found:
- Creates a startup registry entry.
Technical Details:
Memory Modifications
- There was a new process created in the system:
  - Process Name: server.exe
  - Process Filename: %Temp%\server.exe
  - Main Module Size: 57,344 bytes
Registry Modifications |
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
- [HKEY_CURRENT_USER\Environment]
- SEE_MASK_NOZONECHECKS = "1"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- 5PmM1jWi05 = "%AppData%\y183imD2\java.exe.lnk"
- babe8364d0b44de2ea6e4bcccd70281e = ""%Temp%\server.exe" .."
so that %Temp%\server.exe runs every time Windows starts
Other details
- To mark the presence in the system, the following Mutex object was created:
- babe8364d0b44de2ea6e4bcccd70281e
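An added example, not part of the original post and not ThreatExpert's own tooling: a Python scan over a registry export in the text format that `reg export` writes, looking for the kinds of indicator the report above lists: Run-key autoruns launched from user-writable paths such as %Temp% or %AppData%, autoruns that go via a .lnk shortcut, and SEE_MASK_NOZONECHECKS=1 under HKCU\Environment (which suppresses the "open file - security warning" zone check for files carrying a download mark). It also flags a Run value whose name is a 32-hex-digit string, since the report shows both Run values and the mutex sharing that one name. The REG_EXPORT text is constructed to mirror the report's entries, with concrete paths in place of %Temp% and %AppData% and one benign entry for contrast.

```python
import re

# Constructed registry export mirroring the report's entries, plus one benign
# value for contrast. Real `reg export` output escapes backslashes and quotes
# inside string data exactly this way.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"babe8364d0b44de2ea6e4bcccd70281e"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\server.exe\" .."
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Environment]
"SEE_MASK_NOZONECHECKS"="1"
"TEMP"="%USERPROFILE%\\AppData\\Local\\Temp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"5PmM1jWi05"="C:\\Users\\victim\\AppData\\Roaming\\y183imD2\\java.exe.lnk"
'''

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
# Lower-cased path fragments that a standard user can write to
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")
HEX32 = re.compile(r"^[0-9a-f]{32}$")
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line) if key else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])


def scan(text):
    """Return (category, key, value_name, detail) tuples for suspicious values."""
    findings = []
    for key, name, data in parse_reg_export(text):
        key_l, data_l = key.lower(), data.lower()
        if (key_l == r"hkey_current_user\environment"
                and name.upper() == "SEE_MASK_NOZONECHECKS" and data.strip() == "1"):
            findings.append(("zone-check-disabled", key, name, data))
        if key_l in RUN_KEYS:
            reasons = []
            if any(p in data_l for p in USER_WRITABLE):
                reasons.append("autorun from user-writable path")
            if ".lnk" in data_l:
                reasons.append("autorun via .lnk shortcut")
            if HEX32.match(name.lower()):
                reasons.append("32-hex-digit value name")
            if reasons:
                findings.append(("suspicious-autorun", key, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in scan(REG_EXPORT):
        print(finding)
```

On a live host the same logic can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the HKCU equivalents; the mutex name from the report cannot be seen in a registry export, but it is the same 32-hex-digit string as the Run value names, which is why that name pattern is worth matching on.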