
Mails with FAX attachment

I’ve been receiving a lot of mails with a FAX attachment lately. The attachment is a zip file containing a virus. I’ve been analysing the binary a little and came up with the following interesting info.

Size and hash

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.zip
-rw-rw-r-- 1 rivy rivy 12790 Feb 27 19:47 FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.zip
c3a277e79afedb9538f4759e62bb3c64  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.zip
72f7cfa43c61e2d9bb21a92ad60bc955f4c20b20997bb0ad204da6c6d2c464cd  FAX_20150226_1424989043_176.zip
rivy@spdy:~/Downloads/FAX$

As you can see, the zip file is around 12k in size. Unzipping it produced one executable with the same filename.

Archive:  FAX_20150226_1424989043_176.zip
  inflating: FAX_20150226_1424989043_176.exe

The MD5 and SHA256 hashes of this executable are:

rivy@spdy:~/Downloads/FAX$ ls -l FAX_20150226_1424989043_176.exe
-rw-r--r-- 1 rivy rivy 39168 Feb 27 15:35 FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ md5sum FAX_20150226_1424989043_176.exe
c2e9e728576d5f230d97cfc6960361fc  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$ sha256sum FAX_20150226_1424989043_176.exe
de32206ccde1b20a944c5ac4c49a565d9d65ba4786bacc37aa18c2ca7d83b39f  FAX_20150226_1424989043_176.exe
rivy@spdy:~/Downloads/FAX$

Looking for strings

Looking for plaintext strings in the binary is a quick and easy way to get a first indication of whether software is harmful. The strings command prints every printable character sequence found in a file. It is one of the many useful tools that are part of the binutils package on most Linux distributions.

rivy@spdy:~/Downloads/FAX$ strings FAX_20150226_1424989043_176.exe
`tD<m=
8j	Y
/dln
RRhqcap
X[YZa
ReplaceFileA
GetACP
IsBadWritePtr
SetComputerNameW
QueryDosDeviceW
CreateJobObjectA
ReadConsoleOutputA
IsDebuggerPresent
Beep
_lopen
GetProfileIntW
TerminateProcess

The list was longer, but I removed everything else. So what have we found so far?

  • Mail with attachment from unknown person
  • Attachment is a zip file which contains an executable
  • Executable calls functions like SetComputerName and IsDebuggerPresent

This means that we can clearly conclude that this mail with FAX attachment is malware.

Virustotal results

We are already sure that this attachment is malware. I also queried Virustotal for this binary. To use Virustotal one can either upload a suspicious file or paste its hash. Pasting the hash is a good idea if the file may contain confidential information. These are the results.
As you can see, the last analysis happened 16 minutes ago. The malware is still very new. According to the “Additional Information” tab, the first upload happened 3 hours ago. Also, only 3 out of 57 AV vendors would detect this binary as malware.
This is a direct link to the analysis page of this malware.

Detecting this malware on your network

Clicking the “behavioural information” tab reveals even more interesting info. It lists which files are opened and written to. Take note of the “c:/autoexec.bat”!
We also see that the malware tries to make http GET requests with a User Agent string of “Mazilla/5.0”. Obviously this should be “Mozilla/5.0”. This typo makes it very easy to create IPS signatures to detect this malware on the network.
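The same idea as the IPS signature, applied to proxy logs: a small added example (not from the original post) that flags requests whose User-Agent carries the misspelled “Mazilla/5.0”. The log format and all sample lines are constructed for the example; adapt the field split to your own proxy’s format.

```python
import re

# Constructed sample proxy log lines (not taken from the original post):
# date time client_ip method url "user-agent". The second and fourth lines
# carry the misspelled agent string the analysis above observed.
SAMPLE_LOG = """\
2015-02-27 15:40:01 10.0.0.5 GET http://example.invalid/ "Mozilla/5.0 (Windows NT 6.1)"
2015-02-27 15:40:03 10.0.0.7 GET http://example.invalid/update "Mazilla/5.0"
2015-02-27 15:40:05 10.0.0.5 GET http://example.invalid/ "curl/7.38.0"
2015-02-27 15:40:09 10.0.0.9 GET http://example.invalid/x "mazilla/5.0"
"""

# Anchor on the opening quote so the real "Mozilla/5.0" never matches, and
# ignore case so a trivially re-cased variant of the typo still fires.
BAD_UA = re.compile(r'"(mazilla/5\.0[^"]*)"', re.IGNORECASE)


def find_mazilla_requests(log_text):
    """Return (timestamp, client_ip, url, user_agent) for every log line
    whose quoted User-Agent starts with the misspelled 'Mazilla/5.0'."""
    hits = []
    for line in log_text.splitlines():
        match = BAD_UA.search(line)
        if not match:
            continue
        fields = line.split(None, 5)  # date, time, ip, method, url, rest
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess at fields
        date, time, ip, _method, url = fields[:5]
        hits.append((f"{date} {time}", ip, url, match.group(1)))
    return hits


if __name__ == "__main__":
    for ts, ip, url, ua in find_mazilla_requests(SAMPLE_LOG):
        print(f"{ts} {ip} requested {url} with suspicious User-Agent {ua!r}")
```

The typo is attacker-controlled and cheap to change, so treat a hit as a trigger to pull the client’s other traffic and check for the file hashes above rather than as the only indicator.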