
Over the past few weeks, our Phishing Defense Center has observed several emails with malicious PDF attachments that prompt the user to download a .UUE file. UUE files (Unix to Unix Encoding) are files encoded with uuencode, a program that converts binary files to text format for easy transfer while still allowing the files to be easily opened using WinZip or similar un-archiving applications. When file extensions are not displayed in Windows, the downloaded file looks like any other compressed file (as shown in Figure 1), which makes it harder to spot that this file is indeed malicious.

All emails contain the same message body shown in Figure 2, asking users to confirm the payment and customer details as outlined in the attached copy of the Swift advice. The PDF only contains one page, characteristic of malicious PDF documents, and the PDF does not contain any text but only a link to “View File” (as shown in Figure 3). After downloading the file, it appears that a compressed file has been downloaded, as previously discussed.

Unpacking the file extracts the executable Ordy.exe (MD5: 1A9E533E870C4B0B5D6126A3E7609601, SHA256: F76A8BED84ED4177626A4B7B3ECED4AEABE93BE8CB500A1B2D5F3A662539C98D), with an Acrobat PDF icon (as shown in Figure 4), which tricks the user into thinking that this is a genuine PDF file.

After executing Ordy.exe, it creates a copy of itself in \AppData\Roaming\taskprocess.exe while Ordy.exe hides itself, and it adds taskprocess.exe to the scheduled tasks (as shown in Figure 5). Additionally, it creates a Registry entry to start itself automatically when Windows starts (as shown in Figure 6).

The malware reads the machine GUID and creates a directory in \AppData\Roaming named after the GUID, as well as two subfolders: \DPI Subsystem and \Logs. The directory \DPI Subsystem contains a copy of Ordy.exe called dpiss.exe, which gets executed after reboot. The \Logs directory contains a .dat file with the naming convention KB_XXXXXXX.dat. Opening the .dat file reveals some hexadecimal values (as shown in Figure 7). After converting the hexadecimal values from the .dat file to ASCII, it becomes apparent that the malware captures keystrokes and stores them in the .dat file.
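A uuencoded attachment of this kind can be triaged without opening it in an archiver: decode the text, read the embedded file name from the `begin` line, and compare the file type signalled by the payload's magic bytes with what the name claims. The script below is an added example written for this post, not code from the Phishing Defense Center; the sample attachment, the `Swift_advice.pdf` name and the fake MZ payload are constructed for illustration.

```python
import binascii

# Magic bytes worth recognising during triage (labels are ours).
MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP archive",
    b"%PDF": "PDF document",
}

def uudecode(text: str):
    """Decode a uuencoded block; returns (file name, mode, payload bytes)."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("begin "):
            _, mode, name = line.split(" ", 2)
            break
    else:
        raise ValueError("no 'begin' line found")
    out = bytearray()
    for line in lines:          # continues from the line after 'begin'
        if line == "end":
            break
        if not line or line[0] == "`":   # blank or zero-length terminator line
            continue
        out += binascii.a2b_uu(line)     # stdlib decoder, one 45-byte line at a time
    return name, int(mode, 8), bytes(out)

def identify(payload: bytes) -> str:
    for magic, label in MAGIC.items():
        if payload.startswith(magic):
            return label
    return "unknown"

def triage(text: str) -> dict:
    name, mode, payload = uudecode(text)
    kind = identify(payload)
    claimed = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    # An executable behind a non-.exe name, or a double extension, is a red flag.
    suspicious = (kind == "PE executable" and claimed != "exe") or name.count(".") > 1
    return {"name": name, "mode": mode, "type": kind, "suspicious": suspicious}

def uuencode(name: str, data: bytes) -> str:
    """Constructed helper used only to build the sample attachment below."""
    body = "".join(binascii.b2a_uu(data[i:i + 45]).decode() for i in range(0, len(data), 45))
    return f"begin 644 {name}\n{body}`\nend\n"

# Constructed sample: a PE-looking payload delivered under a PDF-looking name.
SAMPLE = uuencode("Swift_advice.pdf", b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20)

if __name__ == "__main__":
    print(triage(SAMPLE))
```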
