I’ve been receiving a lot of mails with a fax attachment lately. The attachment is a zip file containing a virus. I’ve been analysing the binary a little and came up with the following interesting info.
Size and hash
rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.zip
-rw-rw-r-- 1 rivy rivy 12790 Feb 27 19:47 FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.zip
c3a277e79afedb9538f4759e62bb3c64  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.zip
72f7cfa43c61e2d9bb21a92ad60bc955f4c20b20997bb0ad204da6c6d2c464cd  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$
As you can see, the zip file is around 12 KB. Unzipping it produced a single executable with the same base name.
Archive:  FAX_20150226_1424989043_176.zip
  inflating: FAX_20150226_1424989043_176.exe
MD5 and SHA256 of this executable:
rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.exe
-rw-r--r-- 1 rivy rivy 39168 Feb 27 15:35 FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.exe
c2e9e728576d5f230d97cfc6960361fc  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.exe
de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$
Looking for strings
Looking for plaintext strings in a binary is a quick and easy first check of whether software is harmful: imported API names and embedded text often give the game away. You can print every printable string with the strings tool, one of the many useful utilities in the binutils package on most Linux distributions.
rivy@spdy:~/Downloads/FAX$ strings FAX_20150226_1424989043_176.exe
`tD<m=
 8j
Y
/dln
RRhqcap
X[YZa
ReplaceFileA
GetACP
IsBadWritePtr
SetComputerNameW
QueryDosDeviceW
CreateJobObjectA
ReadConsoleOutputA
IsDebuggerPresent
Beep
_lopen
GetProfileIntW
TerminateProcess
The list was longer, but I removed everything else. So what have we found so far?
- Mail with attachment from unknown person
- Attachment is a zip file which contains an executable
- Executable calls functions like SetComputerName and IsDebuggerPresent
Taken together, these points are enough to conclude that this mail with its fax attachment is malware.
We are already sure that this attachment is malware, but I also queried VirusTotal for this binary. You can either upload a suspicious file or search for its hash. Searching by hash is the better choice when the file may contain confidential information, since the file itself never leaves your machine. These are the results.
As you can see, the last analysis happened 16 minutes ago, so the malware is still very new. According to the “Additional Information” tab, the first upload happened 3 hours ago. Also, only 3 out of 57 AV vendors detected this binary as malware.
This is a direct link to the analysis page of this malware.
Detecting this malware on your network
Clicking the “behavioural information” tab reveals even more interesting info. It lists which files are opened and written to. Take note of “c:/autoexec.bat”!
We also see that the malware makes HTTP GET requests with a User-Agent string of “Mazilla/5.0”. Obviously this should be “Mozilla/5.0”. This typo makes it very easy to write IPS signatures that detect this malware on the network.
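The User-Agent check, written out as detection logic over raw HTTP requests, as an added example that is not part of the original post. It goes a little beyond the post: besides the exact “Mazilla/5.0” string, it also flags any product token that is one edit away from “Mozilla”, since a typo like this is a family of mistakes rather than a single string. The requests in SAMPLE_REQUESTS are constructed for this example (the hosts use documentation names and addresses); the verdict labels are this example's own.

```python
from typing import List, Optional, Tuple

# The exact User-Agent the post reports from VirusTotal's behavioural tab.
KNOWN_BAD_UA_PREFIX = "Mazilla/5.0"
# What a genuine browser User-Agent starts with.
GENUINE_TOKEN = "Mozilla"


def parse_user_agent(raw_request: str) -> Optional[str]:
    """Pull the User-Agent value out of a raw HTTP/1.x request; None if absent."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":   # header names are case-insensitive
            return value.strip()
    return None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so one-character manglings of 'Mozilla' are caught too."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_user_agent(ua: Optional[str]) -> str:
    """Verdict for one User-Agent value (labels are this example's own)."""
    if ua is None:
        return "no-user-agent"
    if ua.startswith(KNOWN_BAD_UA_PREFIX):
        return "known-typo-ua"                   # the post's exact indicator
    product = ua.split("/", 1)[0]                # token before the first '/'
    if product != GENUINE_TOKEN and edit_distance(product, GENUINE_TOKEN) == 1:
        return "near-miss-mozilla"               # e.g. "Mozila", "Mozllla"
    return "ok"


def scan_requests(requests: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Classify every request; returns (index, verdict, user-agent) triples."""
    out = []
    for i, raw in enumerate(requests):
        ua = parse_user_agent(raw)
        out.append((i, classify_user_agent(ua), ua))
    return out


# Constructed requests: a real-looking Firefox request, the malware's typo,
# a command-line tool, a near-miss typo with a lowercase header name, and a
# request with no User-Agent at all.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
    "Accept: */*\r\n\r\n",
    "GET /check HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mazilla/5.0\r\n\r\n",
    "GET /pkg.tar.gz HTTP/1.1\r\nHost: mirror.example.org\r\nUser-Agent: curl/7.38.0\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: www.example.net\r\nContent-Length: 0\r\n"
    "user-agent: Mozila/5.0 (compatible)\r\n\r\n",
    "GET /robots.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict, ua in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict:18} {ua!r}")
```

On a real sensor the same match lives in the IDS rule language rather than in Python: in Suricata the rule keys on content:"Mazilla/5.0" inside the http.user_agent buffer, which is exactly the post's point that a typo this distinctive is a cheap, low-noise signature. The near-miss check is where false positives creep in, so treat that verdict as something to review rather than block on.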