
Mail from Myself never sent



#1 User0069

  • Members
  • 5 posts

Posted 22 March 2016 - 08:13 AM

Hi all,

Today I saw a spam in my Gmail mailbox.

I went to clear the box like every day, but the strange thing is that the mail was sent from myself.

Attached was a .zip file with a .js inside:

 

hxxps://www.sendspace.com/file/yyncfh

 

Can anyone tell me if the .js is something like ransomware?

Was my Google Account attacked?

Thanks a lot

Gabriele


Edited by xXToffeeXx, 22 March 2016 - 08:47 AM.
Deactivated link to malware




#2 lquarles

  • Members
  • 3 posts

Posted 22 March 2016 - 08:37 AM

Just delete the email and the file. Whether it is ransomware or not is totally irrelevant. It is a file that is obviously junk and quite likely malicious junk. The last thing I would do is open it.


Edited by lquarles, 22 March 2016 - 08:38 AM.


#3 horsefilms

  • Members
  • 11 posts

Posted 22 March 2016 - 08:46 AM

You can pretty much guarantee it's a form of ransomware.



#4 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts

Posted 22 March 2016 - 08:48 AM

Hi all,
Today I saw a spam in my Gmail mailbox.
I went to clear the box like every day, but the strange thing is that the mail was sent from myself.
Attached was a .zip file with a .js inside:
 
hxxps://www.sendspace.com/file/yyncfh
 
Can anyone tell me if the .js is something like ransomware?
Was my Google Account attacked?
Thanks a lot
Gabriele

Odd that it was sent from yourself, perhaps email spoofing or something similar.
 
It is a downloader for Locky (ransomware). The .exe has been taken down and replaced with one which says "STUPID LOCKY".
 
xXToffeeXx~




#5 User0069

  • Topic Starter
  • Members
  • 5 posts

Posted 22 March 2016 - 08:55 AM

I deleted the mail and the zip, but my question is: how did this happen? In the sent items I can't see anything, and the strange thing is that my mail was in spam.
I changed the password for my account, but is it really sufficient?
Can someone try to explain to me how I received this mail?
Is it simply spoofing or also a stolen account?
Thanks a lot
Gabriele


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,928 posts

Posted 22 March 2016 - 10:02 AM

Most likely email spoofing as indicated by xXToffeeXx.

You were fortunate...the developers of TeslaCrypt, CryptoWall, Locky, Ransom32 Ransomware, KeyBTC and XRTN Ransomware all have been known to use malicious .js files often found in zipped email attachments.

#7 Didier Stevens

  • BC Advisor
  • 2,734 posts

Posted 22 March 2016 - 04:34 PM

 

Is it simply spoofing or also a stolen account?

It is simply spoofing.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 Didier Stevens

  • BC Advisor
  • 2,734 posts

Posted 22 March 2016 - 05:29 PM

FYI: you can check that it was spoofed. Open the e-mail and use command "Show Original". This will show you all the details of the e-mail, including the headers.

 

Here are the headers of a SPAM e-mail I received:

 

Delivered-To: didier.stevens@gmail.com
Received: by 10.60.232.226 with SMTP id tr2csp1832978oec;
        Tue, 22 Mar 2016 04:57:13 -0700 (PDT)
X-Received: by 10.55.215.83 with SMTP id m80mr45917377qki.84.1458647833956;
        Tue, 22 Mar 2016 04:57:13 -0700 (PDT)
Return-Path: <1781c658f054b51361db8ea_1733f156@mirrorathese.win>
Received: from pedestalling.mirrorathese.win ([42.215.22.123])
        by mx.google.com with ESMTP id q67si10766268qgd.110.2016.03.22.04.57.12
        for <didier.stevens@gmail.com>;
        Tue, 22 Mar 2016 04:57:13 -0700 (PDT)

 

Notice the Received: from pedes....

This shows you from where the e-mail was sent.

 

Compare with the headers of your e-mail, and you will see that it does not come from Gmail.




#9 Guest_GNULINUX_*

  • Guests

Posted 22 March 2016 - 05:37 PM

Indeed, as others said, it's simple email spoofing.

 

And because I don't like guesswork...

 

I scanned the .zip file:

Jotti : 8/20

VirusTotal : 15/56

 

Content of the .zip is "HDU3042445004.js":

Spoiler

 

The specialists on this board may judge it!

 

Greets!
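What GNULINUX did by hand (list the archive, get it scanned) can be done without ever opening the attachment. The script below is an added example, not code from the thread or from anyone in it: it lists the members of a zip attachment in memory, flags script types that Windows will run on a double-click, and computes SHA-256 hashes that can be searched on VirusTotal or Jotti without uploading the file. The archive is constructed inline with a harmless placeholder .js (the member name HDU3042445004.js is the one reported above); SCRIPT_EXTS is an assumption about which extensions matter, not something the thread states.

```python
"""Triage a suspicious mail attachment without opening it: list the archive's
members, flag script types that Windows runs on double-click, and compute
SHA-256 hashes that can be looked up on a scanner without uploading the file.

Added example, not code from the thread. The archive is constructed in memory
with a harmless placeholder .js so the script runs offline; the member name
HDU3042445004.js is the one GNULINUX reported. SCRIPT_EXTS is an assumption.
"""
import hashlib
import io
import zipfile

# Assumption: extensions that Windows hands to WScript/cmd/PowerShell, so a
# double-click runs them; .js is what the Locky downloader in this thread used.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".ps1"}


def member_findings(info, content):
    """Describe one archive member; nothing is written to disk or executed."""
    base = info.filename.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    return {
        "name": info.filename,
        "size": info.file_size,
        "sha256": hashlib.sha256(content).hexdigest(),
        "script": ext in SCRIPT_EXTS,
        # invoice.pdf.js and friends: the extension that counts is the last one.
        "double_extension": len(parts) > 2,
    }


def triage_zip(data):
    """Return archive hash, per-member findings and an overall verdict."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "members": [],
              "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read into memory only; never extract to disk or execute.
            content = zf.read(info)
            m = member_findings(info, content)
            if m["script"] or m["double_extension"]:
                report["suspicious"] = True
            report["members"].append(m)
    return report


def build_sample_zip():
    """Constructed stand-in for the attachment: one placeholder .js member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("HDU3042445004.js",
                    "// placeholder, not the real downloader\n")
    return buf.getvalue()


if __name__ == "__main__":
    r = triage_zip(build_sample_zip())
    print("archive sha256:", r["sha256"], "suspicious:", r["suspicious"])
    for m in r["members"]:
        print(m)
```

Searching the SHA-256 on a scanner tells you whether the sample is already known without handing the file to anyone, and the archive is never extracted, so member names with path separators or misleading extensions cannot do any harm during triage.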



#10 Crazy Cat

  • Members
  • 808 posts

Posted 22 March 2016 - 05:49 PM

FYI: you can check that it was spoofed. Open the e-mail and use command "Show Original". This will show you all the details of the e-mail, including the headers.
 
Notice the Received: from pedes....
This shows you from where the e-mail was sent.
 
Compare with the headers of your e-mail, and you will see that it does not come from Gmail.


As Didier Stevens suggested, or use an email header analyzer:

https://toolbox.googleapps.com/apps/messageheader/
https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx
https://www.whatismyip.com/email-header-analyzer/
http://www.iptrackeronline.com/email-header-analysis.php
https://mxtoolbox.com/EmailHeaders.aspx
 

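The check Didier Stevens describes in post #8, and that the online analyzers Crazy Cat lists perform, can be run offline. The script below is an added example, not code from the thread or from any of the analyzers linked above: it walks the Received: chain of a raw message ("Show Original" in Gmail), finds the hop at which the mail entered Google's servers from an outside host, and compares that with what From: and Return-Path: claim. The spoofed sample is adapted from the headers Didier posted (hostname, IP and message IDs are his; the mailbox addresses are placeholders); the genuine sample is constructed to show the contrast. OWN_DOMAINS and TRUSTED_RELAYS are assumptions about Gmail and would need adjusting for another provider.

```python
"""Walk the Received: chain of a raw message to find where it really entered
Gmail, and compare that with what the From: header claims.

Added example, not part of the thread. SPOOFED is adapted from the headers
Didier Stevens posted (mailbox addresses replaced by placeholders); GENUINE is
constructed. OWN_DOMAINS and TRUSTED_RELAYS are assumptions about Gmail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains a "mail from myself" would carry in From:.
OWN_DOMAINS = ("gmail.com", "googlemail.com")
# Assumption: mail that really originated inside Gmail reaches mx.google.com
# from a host under one of these domains; anything else is an outside sender.
TRUSTED_RELAYS = ("google.com", "googlemail.com")

# "from <helo> (<rdns> [<ip>])", with the parenthesised part optional.
FROM_RE = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
)
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")


def _under(host, suffixes):
    """True if host is one of the suffix domains or a subdomain of one."""
    h = (host or "").rstrip(".").lower()
    return any(h == s or h.endswith("." + s) for s in suffixes)


def parse_received(value):
    """Return (from_host, from_ip, by_host) for one Received: value, or None
    when the hop has no 'from' part (Gmail's internal 'by ... with SMTP')."""
    v = " ".join(value.split())          # unfold continuation lines
    m = FROM_RE.match(v)
    if not m:
        return None
    by = BY_RE.search(v)
    return m.group("helo"), m.group("ip"), (by.group("by") if by else None)


def entry_hop(msg):
    """Relays prepend Received: lines, so the top one is the latest hop.
    Walking top-down, the first line that is 'by' a trusted relay but 'from'
    an untrusted host is where the message entered Gmail from outside."""
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        from_host, _ip, by_host = hop
        if _under(by_host, TRUSTED_RELAYS) and not _under(from_host, TRUSTED_RELAYS):
            return hop
    return None


def spoof_verdict(raw_message):
    """Summarise the evidence for a spoofed 'from myself' message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    hop = entry_hop(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "entry_host": hop[0] if hop else None,
        "entry_ip": hop[1] if hop else None,
        # Claims to be from Gmail, but entered Gmail from an outside host.
        "spoofed": bool(_under(from_domain, OWN_DOMAINS) and hop is not None),
        # Bounce address on another domain: a second, independent tell.
        "return_path_mismatch": bool(rp_domain and rp_domain != from_domain),
    }


# Adapted from the headers in post #8; mailbox addresses are placeholders.
SPOOFED = """\
Delivered-To: victim@gmail.com
Received: by 10.60.232.226 with SMTP id tr2csp1832978oec;
        Tue, 22 Mar 2016 04:57:13 -0700 (PDT)
Return-Path: <1781c658f054b51361db8ea_1733f156@mirrorathese.win>
Received: from pedestalling.mirrorathese.win ([42.215.22.123])
        by mx.google.com with ESMTP id q67si10766268qgd.110.2016.03.22.04.57.12
        for <victim@gmail.com>;
        Tue, 22 Mar 2016 04:57:13 -0700 (PDT)
From: victim@gmail.com
To: victim@gmail.com
Subject: Invoice

See attached.
"""

# Constructed: what a message really relayed by Gmail looks like instead.
GENUINE = """\
Delivered-To: victim@gmail.com
Return-Path: <victim@gmail.com>
Received: from mail-qk0-f179.google.com (mail-qk0-f179.google.com. [209.85.220.179])
        by mx.google.com with ESMTPS id 1si2qgd.0
        for <victim@gmail.com>;
        Tue, 22 Mar 2016 05:01:00 -0700 (PDT)
From: victim@gmail.com
To: victim@gmail.com
Subject: Note to self

Buy milk.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, spoof_verdict(raw))
```

Paste the "Show Original" text into the SPOOFED slot to run it on your own message. A spoofed result plus no copy in Sent items is the picture described in this thread: the attacker wrote your address into From: and handed the mail to Google from their own server, which is why changing the password was not strictly necessary, though it does no harm.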




