Again, a zip file is attached that contains an executable. Here are the MD5 hash values:
46ea3e441be4ba82fa2d059a5ca45f23 Booking-Com-Reservation.exe
e877998eef741bc7ed688584ed7595b6 Booking-Reservation-Details-NUM930833336.zip
It uses the same host (yerurr.com).
Interestingly enough, there is either a timer or a wait for the next reboot: after a reboot and having waited for a while, there was some activity to a site in Germany (www.floodwave.de) to get /services/images/servicesa.exe (md5sum: 8d39f983e08f68ca4ccb3a92f5e4a7ac). This file is not recognized as malware by any antivirus (VirusTotal Report).
When rebooted one more time, the machine followed the same cycle: request to Google, resolution of yerurr.com, POST /was/tnk.php. I stopped there, but I suspect that the machine would probably do something after a time, which I will try this weekend.
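To turn the observed cycle into something a defender can check against proxy logs, here is an added example (not part of the original post): it matches the hosts and paths named above and flags any client whose Google request is immediately followed by the POST to yerurr.com /was/tnk.php. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators quoted in the post above: C2/download hosts and the URL paths requested.
C2_HOSTS = {"yerurr.com", "www.floodwave.de"}
C2_PATHS = {"/was/tnk.php", "/services/images/servicesa.exe"}

# Constructed sample proxy log (not from the post): "<ts> <client> <method> <host> <path> <status>".
SAMPLE_LOG = """\
2000-01-01T10:01:02 10.0.0.5 GET www.google.com / 200
2000-01-01T10:01:03 10.0.0.5 POST yerurr.com /was/tnk.php 200
2000-01-01T10:02:00 10.0.0.7 GET www.example.org /index.html 200
2000-01-01T10:30:10 10.0.0.5 GET www.floodwave.de /services/images/servicesa.exe 200
2000-01-01T10:31:00 10.0.0.9 POST yerurr.com /was/tnk.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
FIELDS = ("ts", "client", "method", "host", "path", "status")

def parse_line(line):
    # One log line -> dict of fields, or None when the line does not fit the format.
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def indicator_hits(log_text):
    # Every request that touches a host or path from the post, as (client, host, path).
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (rec["host"] in C2_HOSTS or rec["path"] in C2_PATHS):
            hits.append((rec["client"], rec["host"], rec["path"]))
    return hits

def clients_with_beacon_cycle(log_text):
    # Clients showing the cycle described in the post: a Google request immediately
    # followed by POST yerurr.com /was/tnk.php from the same client.
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)
    flagged = set()
    for client, recs in per_client.items():
        for prev, cur in zip(recs, recs[1:]):
            if (prev["host"].endswith("google.com") and cur["method"] == "POST"
                    and cur["host"] == "yerurr.com" and cur["path"] == "/was/tnk.php"):
                flagged.add(client)
    return flagged
```

Running `indicator_hits(SAMPLE_LOG)` lists every request to the named hosts or paths, while `clients_with_beacon_cycle(SAMPLE_LOG)` only flags the client that reproduces the Google-then-POST sequence.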