Today I got this e-mail from a contact, so I took a look at the files and found the following:
Quoted message:
"Segue em anexo o comprovante de depósito em sua conta corrente." (Portuguese: "Attached is the deposit receipt for your checking account.")
Here is the source:
x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QCTJuRFCxvGsoxm+RIG1Qs+ROPj8eKukn2kW1bviD12a26uvM/wNXQrPRz5lPTwd5t0qoJWbDwAIxx1S6JKkxymw==
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 69.164.222.202) header.from= @hotmail.com; dkim=none header.d=hotmail.com; x-hmca=fail
X-Message-Status: n:0:n
X-SID-PRA: financeiro@ddprag.com.br < @hotmail.com>
X-SID-Result: SoftFail
X-DKIM-Result: None
X-AUTH-Result: FAIL
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTmjqhOzvWWho7JRFyayOF2GOwYRpr8Z3iGGzkINWxzdCRrFnGOL3C5DcuR1i+LlvOhGCLviNjXtGP086YnxN83M6SrC2zrOZnouq8RKw4rY9eQl+aamBs8k
Received: from li137-202.members.linode.com ([69.164.222.202]) by COL0-MC2-F16.Col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4900);
Sun, 29 Jan 2012 14:05:53 -0800
Received: from li137-202.members.linode.com (localhost [127.0.0.1])
by li137-202.members.linode.com (8.14.3/8.14.3/Debian-9.4) with ESMTP id q0TM5r0o000640
for <Tocallo106@hotmail.com>; Sun, 29 Jan 2012 17:05:53 -0500
Received: (from www-data@localhost)
by li137-202.members.linode.com (8.14.3/8.14.3/Submit) id q0TM5rFt000639;
Sun, 29 Jan 2012 17:05:53 -0500
Date: Sun, 29 Jan 2012 17:05:53 -0500
Message-Id: <201201292205.q0TM5rFt000639@li137-202.members.linode.com>
To: @hotmail.com
Subject: Segue em anexo o comprovante de depósito em sua conta corrente.
X-PHP-Originating-Script: 0:index.php
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: "financeiro@ddprag.com.br" < @hotmail.com>
Return-Path: www-data@debian
X-OriginalArrivalTime: 29 Jan 2012 22:05:54.0165 (UTC) FILETIME=[2B86BA50:01CCDED2]
</head>
<body bgcolor="#ffffff">
<img name="comprovante" src="http://s3.amazonaws.com/Comprovanteonline/comprovante.jpg" width="1249" height="356" border="0" id="comprovante" usemap="#m_comprovante" alt="" /><map name="m_comprovante" id="m_comprovante">
<area shape="rect" coords="8,0,215,149" href="http://s3.amazonaws.com/Comprovanteonline/Comprovante_Deposito.pdf.exe" title="Comprovante_Deposito.pdf" alt="Comprovante_Deposito.pdf" />
</map>
</body>
</html>
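The headers and the image map above carry three signs worth checking automatically: the receiver's own verdicts (sender-id softfail, dkim none, x-hmca fail), a display name that is an address at a different domain than the real sender, and a link whose file name ends in .pdf.exe. As an added example that is not part of the original post, this Python triages a trimmed copy of the message; the extension list in DOUBLE_EXT is a constructed, minimal set.

```python
import re
from email import message_from_string

# Trimmed copy of the message shown in the post (constructed sample: a subset of its headers, one per line, plus the HTML body).
RAW_MESSAGE = """\
Authentication-Results: hotmail.com; sender-id=softfail (sender IP is 69.164.222.202) header.from= @hotmail.com; dkim=none header.d=hotmail.com; x-hmca=fail
Received: from li137-202.members.linode.com ([69.164.222.202]) by COL0-MC2-F16.Col0.hotmail.com
X-PHP-Originating-Script: 0:index.php
From: "financeiro@ddprag.com.br" < @hotmail.com>
Return-Path: www-data@debian
Content-type: text/html; charset=iso-8859-1

<body><img src="http://s3.amazonaws.com/Comprovanteonline/comprovante.jpg" usemap="#m"/>
<map name="m"><area shape="rect" coords="8,0,215,149"
 href="http://s3.amazonaws.com/Comprovanteonline/Comprovante_Deposito.pdf.exe"
 title="Comprovante_Deposito.pdf"/></map></body>
"""

AUTH_KEYS = ("sender-id", "dkim", "x-hmca")
# A document-looking extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg|txt)\.(exe|scr|com|bat|pif|cmd)$", re.I)

def auth_verdicts(msg):
    """Pull the receiver's verdicts (sender-id, dkim, x-hmca) out of Authentication-Results."""
    found = dict(re.findall(r"([\w.-]+)=([\w-]*)", msg.get("Authentication-Results", "")))
    return {k: found[k] for k in AUTH_KEYS if k in found}

def display_name_spoof(from_header):
    """True when the display name is itself an address whose domain differs from the real one."""
    m = re.match(r'\s*"([^"]+)"\s*<\s*([^>]*)>', from_header)
    if not m or "@" not in m.group(1) or "@" not in m.group(2):
        return False
    shown, real = (s.strip().rsplit("@", 1)[1].lower() for s in m.groups())
    return shown != real

def double_extension_links(html):
    """Every href whose file name carries a document.exe style double extension."""
    return [u for u in re.findall(r'href="([^"]+)"', html)
            if DOUBLE_EXT.search(u.rsplit("/", 1)[-1])]

def triage(raw):
    """Run the three checks; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    findings = [f"{k}={v}" for k, v in auth_verdicts(msg).items()
                if v in ("fail", "softfail", "none")]
    if display_name_spoof(msg.get("From", "")):
        findings.append("display name impersonates another domain")
    findings += [f"double extension: {u}" for u in double_extension_links(msg.get_payload())]
    return findings
```

Calling triage(RAW_MESSAGE) returns five findings for this sample: the three failed verdicts, the display-name mismatch and the .pdf.exe link.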
Double extension on the file to be downloaded:
http://s3.amazonaws.com/Comprovanteonline/Comprovante_Deposito.pdf.exe
Looking at the Resources in PE Explorer we find this rather curious thing:
// <DFM> TFORM1 = class(TForm);
object Form1: TForm1
Left = 221
Top = 121
BorderStyle = bsNone
Caption = 'Euro Currency Convertor'
ClientHeight = 584
ClientWidth = 1171
Color = clBtnFace
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = 'MS Sans Serif'
Font.Style = []
OldCreateOrder = False
OnCreate = FormCreate
OnShow = FormShow
PixelsPerInch = 96
TextHeight = 13
object EuroLabel: TLabel
Left = 170
Top = 48
Width = 48
Height = 13
Caption = 'EuroLabel'
end
object BEFLabel: TLabel
Left = 170
Top = 78
Width = 46
Height = 13
Caption = 'BEFLabel'
end
object CurrLabel: TLabel
Left = 110
Top = 14
Width = 45
Height = 13
Caption = 'CurrLabel'
end
object Label2: TLabel
Left = 170
Top = 14
Width = 34
Height = 13
Caption = 'equals:'
end
object Label5: TLabel
Left = 246
Top = 48
Width = 22
Height = 13
Caption = 'Euro'
end
object Label6: TLabel
Left = 246
Top = 78
Width = 20
Height = 13
Caption = 'BEF'
end
object Image1: TImage
Left = 24
Top = 176
Width = 241
Height = 145
end
object Image2: TImage
Left = 376
Top = 104
Width = 105
Height = 105
end
object InputEdit: TEdit
Left = 7
Top = 9
Width = 88
Height = 21
TabOrder = 0
Text = '100'
end
object EuroButton: TButton
Left = 383
Top = 333
Width = 354
Height = 96
Caption = 'Euro -- BEF'
TabOrder = 1
OnClick = EuroButtonClick
end
object BEFButton: TButton
Left = 7
Top = 74
Width = 411
Height = 235
Caption = 'BEF -- Euro'
TabOrder = 2
OnClick = BEFButtonClick
end
object Button1: TButton
Left = 160
Top = 96
Width = 75
Height = 25
Caption = 'Button1'
TabOrder = 3
OnClick = Button1Click
end
object Edit1: TEdit
Left = 97
Top = 288
Width = 121
Height = 21
TabOrder = 4
Text = 'http://s3.amazonaws.com/marinho/wmi.dll'
end
object Edit2: TEdit
Left = 264
Top = 208
Width = 121
Height = 21
TabOrder = 5
Text = 'c:\winsys\wmi.dll'
end
object Edit3: TEdit
Left = 272
Top = 232
Width = 121
Height = 21
TabOrder = 6
Text = 'http://s3.amazonaws.com/marinho/wmsan.exe'
end
object Edit4: TEdit
Left = 114
Top = 360
Width = 121
Height = 21
TabOrder = 7
Text = 'c:\winsys\wmsan.exe'
end
object Edit5: TEdit
Left = 83
Top = 208
Width = 121
Height = 21
TabOrder = 8
Text = 'http://s3.amazonaws.com/marinho/wsan.exe'
end
object Edit6: TEdit
Left = 424
Top = 232
Width = 121
Height = 21
TabOrder = 9
Text = 'c:\winsys\wsan.exe'
end
object Edit7: TEdit
Left = 360
Top = 333
Width = 121
Height = 21
TabOrder = 10
Text = 'http://s3.amazonaws.com/marinho/wmita.exe'
end
object Edit8: TEdit
Left = 640
Top = 136
Width = 121
Height = 21
TabOrder = 11
Text = 'c:\winsys\wmita.exe'
end
object Edit9: TEdit
Left = 704
Top = 333
Width = 121
Height = 21
TabOrder = 12
Text = 'http://s3.amazonaws.com/marinho/BROWN.exe'
end
object Edit10: TEdit
Left = 608
Top = 483
Width = 121
Height = 21
TabOrder = 13
Text = 'c:\winsys\BROWN.exe'
end
object Timer1: TTimer
Interval = 100
OnTimer = Timer1Timer
Left = 272
Top = 56
end
end
Borland Edition (c) 2004 - 2008 Pierre le Riche / Professional Software Development
This program must be run under Win32..$7
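The TEdit controls in the form above hold each download URL followed by the local path it is written to, which is how the file list further down can be read off the resource. As an added example that is not part of the original post, this Python parses an abridged copy of that DFM text and pairs each URL with its drop path; it assumes only the layout seen here (URL, then path) in consecutive Text properties.

```python
import re

# Abridged copy of the TForm1 DFM resource from the post (constructed sample:
# only the controls whose Text properties matter, other properties trimmed).
DFM = r"""
object Form1: TForm1
  Caption = 'Euro Currency Convertor'
  object InputEdit: TEdit
    Text = '100'
  end
  object Edit1: TEdit
    Text = 'http://s3.amazonaws.com/marinho/wmi.dll'
  end
  object Edit2: TEdit
    Text = 'c:\winsys\wmi.dll'
  end
  object Edit3: TEdit
    Text = 'http://s3.amazonaws.com/marinho/wmsan.exe'
  end
  object Edit4: TEdit
    Text = 'c:\winsys\wmsan.exe'
  end
end
"""

TEXT_RE = re.compile(r"\bText\s*=\s*'((?:[^']|'')*)'")  # Delphi escapes ' as ''
URL_RE = re.compile(r"^https?://", re.I)
PATH_RE = re.compile(r"^[a-z]:\\", re.I)

def text_values(dfm):
    """Every Text = '...' property value, in declaration order, with '' unescaped."""
    return [v.replace("''", "'") for v in TEXT_RE.findall(dfm)]

def download_map(dfm):
    """Pair each URL with the local path stored in the Text property that follows it."""
    pairs, pending = {}, None
    for value in text_values(dfm):
        if URL_RE.match(value):
            pending = value
        elif PATH_RE.match(value) and pending:
            pairs[pending] = value
            pending = None
    return pairs

def drop_dirs(dfm):
    """Distinct directories the dropper writes into, taken from the paired paths."""
    return sorted({p.rsplit("\\", 1)[0].lower() for p in download_map(dfm).values()})
```

Non-URL values such as the '100' in InputEdit are ignored, and a path with no preceding URL is left unpaired.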
The analysis was mostly static; I didn't run it, but with a hex editor or PE Explorer you can see the paths, the files it creates and the others it downloads.
It creates a folder hidden from the administrator at:
c:\winsys\
where the other executables are stored:
c:\winsys\BROWN.exe
c:\winsys\wmita.exe
c:\winsys\wsan.exe
c:\winsys\wmsan.exe
c:\winsys\wmi.dll
Here are some screenshots:
Online analysis:
Anubis analysis:
http://anubis.iseclab.org/?action=result&task_id=1ac567298a7aa0ef49991a1b01813af36&call=first
VirusTotal analysis:
https://www.virustotal.com/file/24030137d3bf55a81b687bc3df719a8c5708e35fb1232eec94ae5b9ae59b2370/analysis/1327946094/
PS: Before uploading it to VirusTotal the detection rate was 22/41; in this latest scan it drops to 19, so they keep modifying it, although it is not FUD against all the AVs.
Malwarebytes only detects the BROWN.exe file (heuristics shuriken); it says nothing about the rest.
Regards.