Monday, 2 March 2015

JP Morgan Access Secure Message Malcolm Romero

JP Morgan Access Secure Message Malcolm Romero malware just arriving...


Headers:
From: "JP Morgan Access" {service@jpmorgan.com}
Subject: JP Morgan Access Secure Message
Message body:
Please check attached file(s) for your latest account documents regarding your online account.

Malcolm Romero
Level III Account Management Officer
817-177-5708 office
817-359-4134 cell
Malcolm.Romero@jpmorgan.com

Investments in securities and insurance products are:
NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE

2015 JPMorgan Chase & Co.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.



There's a Zip file attached to the email:
JP Morgan Access - Secure.zip

Inside the Zip file is a Windows executable (.scr screensaver) file:
JP Morgan Access - Secure.scr
SHA256 hash:
e6326d840a7656321ea9a946efb2a57f15ab6cf3b07a668e8a14bb56229150e
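A defender's triage check for an attachment of this shape, added here as an example and not code from the original post or from Sanesecurity: it opens a zip in memory, flags members with Windows-executable extensions (a .scr is a renamed PE), double extensions, or an MZ header, and compares each member's SHA256 against a small IoC list. The function names `triage_zip` and `build_constructed_sample` are my own; the sample zip is constructed placeholder data, not the real malware, and the only IoC entry is the hash string copied as printed above.

```python
"""Triage of a zip e-mail attachment (added example, not from the original post)."""
import hashlib
import io
import zipfile

# Extensions Windows runs as a program on double-click. .scr (screensaver)
# is an ordinary PE executable under another name, which is why lures use it.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# IoC list: the hash string exactly as printed in the post above (placeholder list,
# extend from your own intel). Compared in lower case.
KNOWN_BAD_SHA256 = {
    "e6326d840a7656321ea9a946efb2a57f15ab6cf3b07a668e8a14bb56229150e",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member: name, sha256, and why it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            digest = sha256_hex(data)
            reasons = []
            name_lower = info.filename.lower()
            ext = "." + name_lower.rsplit(".", 1)[-1] if "." in name_lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            # "statement.pdf.scr" style double extensions are a classic lure.
            parts = name_lower.split(".")
            if len(parts) > 2 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension")
            # PE files start with the 'MZ' magic whatever name they carry.
            if data[:2] == b"MZ":
                reasons.append("PE (MZ) header")
            if digest in KNOWN_BAD_SHA256:
                reasons.append("matches known-bad SHA256")
            findings.append({"name": info.filename, "sha256": digest, "reasons": reasons})
    return findings


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the attachment: a zip holding a tiny fake 'MZ' blob
    named like the file in the post, plus a harmless text member. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("JP Morgan Access - Secure.scr",
                    b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real PE")
        zf.writestr("readme.txt", b"harmless text member")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_constructed_sample()):
        status = "FLAG" if f["reasons"] else "ok"
        print(f"{status:4} {f['name']}  {f['sha256'][:16]}...  {', '.join(f['reasons']) or '-'}")
```

Run it on a real attachment by replacing `build_constructed_sample()` with the bytes read from disk; anything with a non-empty reasons list is worth detonating in a sandbox or blocking at the gateway, and the hash can be fed straight to VirusTotal or your own blocklist.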

Malware Information:

VirusTotal Report (detected by 5/57 scanners)

Malwr Report

Hybrid Analysis Report

Cheers,

Steve
Sanesecurity.com

2 comments:

Anonymous said...

Can you please share the payload?

JP Morgan said...

Thanks for such details, this was very helpful to me.