Monday, 23 March 2015

photo vodafone.com Pic_0004_mar2015.JPEG

photo vodafone.com Pic_0004_mar2015.JPEG incoming malware

Headers:
From: mail@vodafone.com
Subject: Re: photo
Message body:

Sent from my iPhone
----
sigismund


There's a Zip file attached to the email:
Pic_0004_mar2015.JPEG.zip

Inside the Zip file is an exe file. Note the double-extension trick: the .JPEG is a decoy and the real extension is .exe, so this is a dangerous executable (Windows hides known extensions by default, so the file shows up as a photo):
Pic_0004_mar2015.JPEG.exe
Sha256 Hashes:
873c9ee854b3aee345262c49dda76c25cae146f5efc545b0ac99f53af2dd7c51  [1]
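
As an added example (not part of the original post or Sanesecurity's own tooling), the following Python inspects a zip attachment the way a mail-gateway check might: it flags members whose final extension is executable but is preceded by a decoy image/document extension, flags members that carry a PE ("MZ") header under a non-executable name, and compares each member's SHA-256 against the hash listed above. The extension lists, the size cap and the sample archive are my assumptions; the archive is built inline from fake MZ stubs under the post's filename, not from the real attachment, so its hash will not match the known-bad one.

```python
import hashlib
import io
import zipfile

# SHA-256 of the unpacked executable, as listed in the post above.
KNOWN_BAD_SHA256 = {
    "873c9ee854b3aee345262c49dda76c25cae146f5efc545b0ac99f53af2dd7c51",
}

# Assumed lists: extensions Windows runs on double-click (the real extension in
# the double-extension trick) and the "decoy" extensions placed in front of them.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
DECOY_EXTS = {".jpeg", ".jpg", ".png", ".gif", ".bmp", ".pdf",
              ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Refuse to decompress entries larger than this (zip-bomb guard, assumed value).
MAX_ENTRY_BYTES = 50 * 1024 * 1024


def extensions(name):
    """Lower-cased extensions of a zip member, e.g. 'a/b.JPEG.exe' -> ['.jpeg', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def has_double_extension(name):
    """True when a decoy document/image extension sits directly before an executable one."""
    exts = extensions(name)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def looks_like_pe(data):
    """An MZ header means a Windows executable, whatever the filename claims."""
    return data[:2] == b"MZ"


def inspect_zip(zip_bytes):
    """Return {member_name: [reasons]} for every member that deserves a look.

    Reasons: 'double extension', 'PE header but non-executable extension',
    'known-bad sha256', 'oversized entry skipped'.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = extensions(name)
            reasons = []
            if has_double_extension(name):
                reasons.append("double extension")
            if info.file_size > MAX_ENTRY_BYTES:
                # Do not inflate huge members; report them instead.
                reasons.append("oversized entry skipped")
            else:
                data = zf.read(info)
                if looks_like_pe(data) and (not exts or exts[-1] not in EXECUTABLE_EXTS):
                    reasons.append("PE header but non-executable extension")
                if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
                    reasons.append("known-bad sha256")
            if reasons:
                findings[name] = reasons
    return findings


def build_sample_zip():
    """Constructed test archive (not the real attachment): a fake MZ stub under the
    post's double-extension filename, a PE disguised as .txt, and a clean text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Pic_0004_mar2015.JPEG.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("readme.txt", b"MZ" + b"\x90" * 30)
        zf.writestr("notes.txt", b"just text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in inspect_zip(build_sample_zip()).items():
        print(f"{member}: {', '.join(why)}")
```

Name-based and content-based checks are kept separate on purpose: the double-extension rule catches the social-engineering trick even before the member is inflated, while the MZ check catches the opposite case (an executable with an honest-looking name), and the hash match only fires on an exact copy of a sample already seen, which is why it is the weakest of the three.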

Malware Anti-Virus Reports:
VirusTotal Report [1] (hits 9/57 Virus Scanners)
Malwr Report [1]

Malware Summary:
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Executed a process and injected code into it, probably while unpacking
  • Steals private information from local Internet browsers
  • Harvests credentials from locally installed FTP client software
  • Connects to an IRC server, possibly part of a botnet
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup

Cheers,

Steve
Sanesecurity.com
