Boleto Malspam Leads to Symmi
It starts with an email
The PDF button in the email links to a servint.net URL, which in turn redirects to dropbox.com.
We're left with BOLETO-29-06-2016.PDF.zip, which extracts to BOLETO-29-06-2016.jar. Decompiling the jar file reveals several interesting bits:
The key and most of the crypto routine were pulled from avajava.com tutorials. After decrypting the embedded files we're left with two 64-bit files and two 32-bit files.
c4cb4fdf6369dd1342d2666171866ce5 is apparently calc.exe (?); the rest are packed with VMProtect. VT link:
https://www.virustotal.com/en/file/2db1aa1eed26fd3805c121ed42af2a35f93af22932462f4919b190b1cf5464dc/analysis/
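Triage of the decrypted payloads can be automated: the COFF Machine field gives the 32/64-bit split the post counts by hand, and the section table exposes the `.vmp0`/`.vmp1` names VMProtect is known to emit. The script below is an added example, not code from the post or from the malware; `build_sample_pe` constructs minimal, non-executable PE headers purely to exercise the parser.

```python
import struct

# Section names VMProtect is known to emit (public knowledge, not from the post).
VMPROTECT_SECTIONS = {b".vmp0", b".vmp1", b".vmp2"}
MACHINE_NAMES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}


def triage_pe(data: bytes) -> dict:
    """Return bitness and packer hints for one PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, ..., SizeOfOptionalHeader at +16.
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    names = [data[table + i * 40:table + i * 40 + 8].rstrip(b"\0")
             for i in range(num_sections)]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": [n.decode("ascii", "replace") for n in names],
        "vmprotect": any(n in VMPROTECT_SECTIONS for n in names),
    }


def count_by_machine(blobs) -> dict:
    """Tally decrypted payloads by architecture, as the post does by hand."""
    counts = {}
    for blob in blobs:
        arch = triage_pe(blob)["machine"]
        counts[arch] = counts.get(arch, 0) + 1
    return counts


def build_sample_pe(machine: int, section_names) -> bytes:
    """Constructed, non-executable PE header used only to exercise triage_pe."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    samples = [build_sample_pe(0x8664, [b".vmp0", b".vmp1"]),
               build_sample_pe(0x8664, [b".vmp0", b".vmp1"]),
               build_sample_pe(0x14C, [b".text", b".data"]),
               build_sample_pe(0x14C, [b".text", b".vmp0"])]
    print(count_by_machine(samples))  # -> {'x64 (64-bit)': 2, 'x86 (32-bit)': 2}
    print(triage_pe(samples[0]))
```

Point `triage_pe` at the real decrypted files (`open(path, "rb").read()`) to reproduce the post's tally; a VMProtect hit means static string and import analysis will be of little use until the sample is unpacked.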