Sunday, May 15, 2016

***SPAM*** Invoice #34069680 [Malware]

I am always more interested in SPAM emails than in my Inbox. Today, I stumbled upon an email in my Spam box with the subject Invoice #34069680. It had a spammy-named attachment along with it, saying they had sent some shipment of mine lol! and that this was the invoice for it.

I then de-activated my Anti-Virus software, downloaded the zip archive and extracted it. It had a lonely file in it named invoice_copy_Bqa6Ci.js. It was, in fact, no invoice document but a JavaScript file with the following contents.

It seemed to be obfuscated, so I went in to dig deeper and de-obfuscate it line by line by hand. The result I got is as below:

This clearly shows what it does. It downloads a file from either http://wherareyoufromff.com/25.exe or http://arendroukysdqq.com/25.exe (most probably the second URL is there as a fallback in case the first one fails), saves it as 4194304.exe in your %TEMP% folder, and finally executes it upon successful download. After that, you cannot tell how far the unknown executable saved in your %TEMP% folder will be able to compromise your system.
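The de-obfuscation above was done by hand; the script below is an added example (not the attachment itself and not code from this post) of automating the same triage on a .js attachment: it joins split string literals, then pulls out download URLs, the drop path and the Windows Script Host objects a downloader needs. The sample input is constructed from the indicators named above, with the URLs split the way such droppers often hide them; it is not the original file.

```python
import re

# Constructed sample built from the indicators in the post (not the real
# attachment). Strings are split with "+" to defeat a naive grep for URLs.
SAMPLE_JS = r'''
var a = "http://wherare" + "youfromff.com/25.exe";
var b = "http://arendrouk" + "ysdqq.com/25.exe";
var sh = new ActiveXObject("WScri" + "pt.Shell");
var out = sh.ExpandEnvironmentStrings("%TEMP%") + "\\4194304.exe";
'''

# WSH/COM objects a script needs to fetch, write and run a file; any of them
# inside a mail attachment deserves a closer look.
WSH_OBJECTS = ("WScript.Shell", "MSXML2.XMLHTTP", "ADODB.Stream",
               "Scripting.FileSystemObject")

_CONCAT = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')

def collapse_concat(text: str) -> str:
    """Merge "a" + "b" into "ab" until nothing changes (handles long chains)."""
    while True:
        merged = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if merged == text:
            return text
        text = merged

def extract_indicators(js: str) -> dict:
    """Static triage of a JS attachment: URLs, dropped file names, WSH objects."""
    text = collapse_concat(js)
    urls = re.findall(r'https?://[^\s"\'<>]+', text)
    return {
        "urls": urls,
        "exe_urls": [u for u in urls if u.lower().endswith(".exe")],
        "temp_refs": "%TEMP%" in text,
        "drop_files": re.findall(r'\\+([\w-]+\.exe)', text),
        "wsh_objects": [o for o in WSH_OBJECTS if o in text],
        "activex": "ActiveXObject" in text,
    }

def is_downloader(report: dict) -> bool:
    """The verdict reached by hand above: fetches an .exe and has a shell object."""
    return bool(report["exe_urls"]) and report["activex"] and bool(report["wsh_objects"])

if __name__ == "__main__":
    report = extract_indicators(SAMPLE_JS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("downloader:", is_downloader(report))
```

Run it against a suspect attachment by reading the file into `extract_indicators`; a hit on `exe_urls` plus a WSH object is enough to quarantine the message before anyone opens it.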

So beware! If you receive any email similar to or exactly like this one, make sure you don't download anything from it.