Thursday, 22 January 2015

MyFax Fax message - fake malware


Alert Summary:
The MyFax "Fax message" email contains a link which, if clicked, auto-downloads a malicious Zip file.

Headers: (Note: the Fax Ref is random)
From: "MyFax" {no-replay@my-fax.com}
Subject: Fax #4437781
Message body:
Fax message

http://79.96.0.123/_.RECEIVED_FAX/incoming_letter.html
Sent date: Thu, 22 Jan 2015 14:53:17 +0000

The email links to this website:
http://79.96.0.123/_.RECEIVED_FAX/incoming_letter.html

Once you arrive at the site an auto-download of a zip file takes place:

fax_message92386.zip
Inside the Zip file is a Windows executable:
fax_message37690.exe
MD5 Hashes:
be2ebc60c9386b1a550be26a4d5fbe55  [1]
Malware Information:
VirusTotal Report [1] (hits 5/55 Virus Scanners)

Hybrid Analysis Report  [1]

Malwr Report [1]


Summary:


  • Performs some HTTP requests
  • Steals private information from local Internet browsers
  • Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)
  • Creates an Alternate Data Stream (ADS)
  • Installs itself for autorun at Windows startup
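
A mail-filter style check for the traits of the email described above (the "Fax #<number>" subject, a link to a bare IP address, and the /_.RECEIVED_FAX/ path), as an added example that is not part of the original post. The function names, the scoring approach and the angle-bracket From header in the constructed sample are assumptions.

```python
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlsplit

# Constructed sample, built from the header and body fields quoted in this alert.
SAMPLE = """\
From: "MyFax" <no-replay@my-fax.com>
Subject: Fax #4437781
Date: Thu, 22 Jan 2015 14:53:17 +0000

Fax message

http://79.96.0.123/_.RECEIVED_FAX/incoming_letter.html
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SUBJECT_RE = re.compile(r"^Fax #\d+$")  # the reference number is random per message


def ip_literal_urls(text):
    """Return URLs whose host is a bare IP address rather than a domain name."""
    hits = []
    for url in URL_RE.findall(text):
        try:
            ipaddress.ip_address(urlsplit(url).hostname or "")
        except ValueError:  # not an IP literal, or a malformed URL
            continue
        hits.append(url)
    return hits


def score_message(raw):
    """Return the reasons a raw RFC 5322 message resembles this fake fax lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    reasons = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        reasons.append("subject is 'Fax #<digits>'")
    urls = ip_literal_urls(text)
    if urls:
        reasons.append("link to bare IP address: " + urls[0])
    if any("/_.RECEIVED_FAX/" in urlsplit(u).path for u in urls):
        reasons.append("path contains /_.RECEIVED_FAX/")
    return reasons
```

A message that matches all three reasons is a strong candidate for quarantine; the subject match alone is too broad to act on.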



Cheers,

Steve
Sanesecurity.com
