I am always more interested in SPAM emails rather than my Inbox. Today, I stumbled upon an email in my Spam box with subject Invoice #34069680. It had a spammy-named attachment along with it saying they have sent some of my shipment lol! and this is the invoice to the same.
It seemed like it was obfuscated, so I went in to dig the thing deeper and de-obfuscate it line by line by hand. The result I got is as below:
This clearly shows what it does. It downloads a file from either http://wherareyoufromff.com/25.exe or http://arendroukysdqq.com/25.exe (most probably the second URL is there as a fallback in case the first one fails), saves it as 4194304.exe in your %TEMP% folder, and finally executes it upon successful download. Thereafter, you cannot tell how much the unknown executable saved in your %TEMP% folder will be able to exploit your system.
So beware! If you receive any email similar to or exactly like this one, make sure you don't download anything in it.
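As an added example (not part of the original post), here is a small Python checker that looks for the behaviour described above on the defender side: requests for the two download URLs in proxy-log lines, and a process image named 4194304.exe or any executable launched from a Temp folder. The log line layout and the Windows paths are assumed and the sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the de-obfuscated downloader described in the post.
DOWNLOAD_URLS = {
    "http://wherareyoufromff.com/25.exe",
    "http://arendroukysdqq.com/25.exe",
}
BAD_HOSTS = {urlparse(u).hostname for u in DOWNLOAD_URLS}
DROPPED_NAME = "4194304.exe"

URL_RE = re.compile(r"https?://[^\s\"']+")


def url_indicators(url):
    """Return the reasons a URL matches the downloader's behaviour (empty if none)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname in BAD_HOSTS:
        reasons.append("known downloader host")
    if parsed.path.lower().endswith("/25.exe"):
        reasons.append("payload name 25.exe")
    return reasons


def scan_proxy_log(lines):
    """Return (url, reasons) for every URL in the log lines that matches an indicator."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            reasons = url_indicators(url)
            if reasons:
                hits.append((url, reasons))
    return hits


def suspicious_image(image_path):
    """Flag a process image that matches the dropped file or runs from a Temp folder."""
    parts = image_path.replace("/", "\\").split("\\")
    name = parts[-1].lower()
    reasons = []
    if name == DROPPED_NAME:
        reasons.append("dropped name " + DROPPED_NAME)
    if name.endswith(".exe") and "temp" in (p.lower() for p in parts[:-1]):
        reasons.append("executable launched from Temp")
    return reasons


# Constructed sample data (assumed log layout), not taken from the post.
SAMPLE_PROXY_LOG = [
    "2015-01-01 10:00:01 10.0.0.5 GET http://example.org/index.html 200",
    "2015-01-01 10:00:02 10.0.0.5 GET http://wherareyoufromff.com/25.exe 404",
    "2015-01-01 10:00:03 10.0.0.5 GET http://arendroukysdqq.com/25.exe 200",
]
```

The 404 on the first host followed by a 200 on the second is exactly the fallback pattern the post describes, so both lines should be flagged when run through `scan_proxy_log`.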