Sunday, May 15, 2016

***SPAM*** Invoice #34069680 [Malware]

I am always more interested in spam emails than in my inbox. Today I stumbled upon an email in my spam box with the subject Invoice #34069680. It had a spammy-named attachment along with it, claiming they had sent some shipment of mine, lol, and that this was the invoice for it.

I then de-activated my anti-virus software, downloaded the zip archive and extracted it; it had a lonely file in it named invoice_copy_Bqa6Ci.js. It was, in fact, no invoice document but a JavaScript file with the following contents.

It seemed to be obfuscated, so I dug deeper and de-obfuscated it line by line by hand. The result I got is as below:

This clearly shows what it does. It downloads a file from either http://wherareyoufromff.com/25.exe or http://arendroukysdqq.com/25.exe (most probably the second URL is there as a fallback in case the first one fails), saves it as 4194304.exe in your %TEMP% folder, and finally executes it upon successful download. Thereafter, you cannot tell how much the unknown executable saved in your %TEMP% folder will be able to exploit your system.
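The hand de-obfuscation described above can be partly automated for triage. The following Python script is an added example, not code from the original post or from the malware: it folds the two obfuscation tricks typical of these script downloaders (`String.fromCharCode(...)` sequences and `"a" + "b"` string concatenation), then pulls out URLs, `.exe` names and the COM object names a downloader needs (`ActiveXObject`, `MSXML2.XMLHTTP`, `ADODB.Stream`, `WScript.Shell`, the `%TEMP%` drop location). The sample JavaScript embedded in it is constructed for the example; it only contains obfuscated indicator strings and the two URLs named in the post, with no fetch, save or execute logic, so it is not a working downloader.

```python
"""Static triage of a suspected JavaScript downloader (added example, not the post's code)."""
import re
from dataclasses import dataclass, field

# Indicators commonly seen in script-based downloaders: the COM objects used to
# fetch, write and run a payload, plus the %TEMP% drop location from the post.
INDICATORS = {
    "ActiveXObject": "creates COM objects from script",
    "MSXML2.XMLHTTP": "HTTP client used to fetch the payload",
    "ADODB.Stream": "binary stream used to write the payload to disk",
    "WScript.Shell": "shell object used to run the payload / expand %TEMP%",
    "Scripting.FileSystemObject": "file system access",
    ".Run(": "launches the dropped executable",
    "%TEMP%": "drop location in the user's temp folder",
}

CONCAT_RE = re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')      # "ab" + "cd"
FROMCHAR_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")  # String.fromCharCode(104,116,...)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
EXE_RE = re.compile(r"[\w-]+\.exe")

# Constructed sample: obfuscated indicator strings only, no download/run steps.
SAMPLE_JS = r'''
var o = "ActiveX" + "Object";
var c = "MSXML2" + "." + "XMLHTTP";
var s = "ADODB" + ".Stream";
var w = "WScript" + ".Shell";
var u = [String.fromCharCode(104,116,116,112,58,47,47) + "wherareyoufromff.com/25.exe",
         String.fromCharCode(104,116,116,112,58,47,47) + "arendroukysdqq.com/25.exe"];
var p = "%TEMP%" + "\\" + "4194304" + ".exe";
'''


def deobfuscate(js: str) -> str:
    """Fold fromCharCode sequences and adjacent string concatenations into literals."""
    def _chars(m: re.Match) -> str:
        codes = [int(c) for c in m.group(1).replace(" ", "").split(",") if c]
        return '"' + "".join(chr(c) for c in codes) + '"'

    js = FROMCHAR_RE.sub(_chars, js)
    # Each pass joins one pair; repeat until "a" + "b" + "c" has collapsed to "abc".
    prev = None
    while prev != js:
        prev = js
        js = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


@dataclass
class Triage:
    urls: list = field(default_factory=list)
    executables: list = field(default_factory=list)
    indicators: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        # Crude heuristic: one point per indicator, two extra if a download URL is present.
        return len(self.indicators) + (2 if self.urls else 0)


def triage(js: str) -> Triage:
    """Extract URLs, executable names and downloader indicators from de-obfuscated script text."""
    clean = deobfuscate(js)
    result = Triage()
    result.urls = sorted(set(URL_RE.findall(clean)))
    result.executables = sorted(set(EXE_RE.findall(clean)))
    result.indicators = {k: v for k, v in INDICATORS.items() if k in clean}
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_JS)
    print("URLs:        ", r.urls)
    print("Executables: ", r.executables)
    for name, why in r.indicators.items():
        print(f"Indicator {name!r}: {why}")
    print("Score:", r.score)
```

Run it on the sample and both download URLs, the `25.exe` payload name and the `4194304.exe` drop name come out in clear text, together with the COM objects the script would need; the missing `.Run(` indicator in the sample shows how the heuristic separates a fragment that only names objects from one that actually launches something. On a real attachment, feed the file contents to `triage()` instead of `SAMPLE_JS` on an isolated analysis machine, never by opening the file.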

So beware! If you receive any email similar to or exactly like this one, make sure you don't download anything in it.
