Faktura5.js

system · 2017-02-23T17:07:19.000Z

My father got a .js file in his mail today, and it´s very new, only a few days old.

https://www.hybrid-analysis.com/search?query=Faktura5

Only 5 hits on hybrid analysis.

How long until it is added to avast?

I’m afraid it´s ransomware…

Pondus · 2017-02-23T17:10:35.000Z

Upload and scan it here www.virustotal.com if scanned before, click rescan
Post link to scan result here

I'm afraid it´s ransomware..

Most likely the ransomware downloader

Pondus · 2017-02-23T17:16:08.000Z

How to send samples to avast > https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

They will also recive it from VirusTotal

TrueIndian · 2017-02-23T17:18:28.000Z

Marie79 post:1:

My father got a .js file in his mail today, and it´s very new, only a few days old.

https://www.hybrid-analysis.com/search?query=Faktura5

Only 5 hits on hybrid analysis.

How long until it is added to avast?

I’m afraid it´s ransomware…

Avast! mail shield blocks these as soon as they arrive as a e-mail.

Mail shield has some algorithms that detect these numecod downloaders.Even if avast doesn’t detect in virustotal report doesn’t mean they don’t protect us.

Pondus · 2017-02-23T17:19:55.000Z

Avast! [b]mail shield[/b] blocks these as soon as they arrive as a e-mail.

Not if you use webmail ;)

TrueIndian · 2017-02-23T17:23:03.000Z

Pondus post:5:

Avast! [b]mail shield[/b] blocks these as soon as they arrive as a e-mail.
Not if you use webmail ;)

Well that’s the only way you get infected with these…webmail services have their own spam filter to block these.Gmail for example blocks js downloads.Same with most of the webmail services which are very secure.

There is a reason why you don’t see too many cerber/locky infected systems over here since most are blocked at the arrival.The one’s that are missed are blocked during the binary download and caught by IDP.

I have found these type of downloader type malware come in a IT office based systems where webmail is very much used.

system · 2017-02-23T17:24:52.000Z

He was too fast, threw it away before I got to see the file.

The senders mail adress used was mailto:ldingwall@inetlink.ca
and it was a dropbox-link.

Perhaps someone else can help with the reporting.

Pondus · 2017-02-23T17:27:50.000Z

So far i only recive this in my Yahoo mail and one time in my FastMail (fake American Express)

My oldest mail accounts, Hotmail / Gmail seems to eat all crap they try to send

TrueIndian · 2017-02-23T17:29:30.000Z

Now that changes things…Malware writers never seem to attack web mail since its so secure.

I have seen dropbox links on reverse.it…Never thought they actually use it to infect users.

It would still be classified as spam by the avast mail filter and if it arrives in web mail it goes straight to junk anyway.But this is really a good way for malware writers to bypass antiviruses like avast that have specific filters.

P.S. It would be more interesting if someone from avast labs chips in on this.

Pondus · 2017-02-23T17:30:39.000Z

Marie79 post:7:

He was too fast, threw it away before I got to see the file.

The senders mail adress used was mailto:ldingwall@inetlink.ca
and it was a dropbox-link.

Perhaps someone else can help with the reporting.

Searching the hash i found it, already uploaded

https://www.virustotal.com/en/file/8c401cf64cdee877d5d9ad0ec4873d02c0e4330fcf7db9a70bf05d122880fd1d/analysis/

system · 2017-02-23T17:33:14.000Z

Pondus post:10:

Marie79 post:7:

He was too fast, threw it away before I got to see the file.

The senders mail adress used was mailto:ldingwall@inetlink.ca
and it was a dropbox-link.

Perhaps someone else can help with the reporting.

Searching the hash i found it, already uploaded

https://www.virustotal.com/en/file/8c401cf64cdee877d5d9ad0ec4873d02c0e4330fcf7db9a70bf05d122880fd1d/analysis/

Thanks for that!

TrueIndian · 2017-02-23T17:33:20.000Z

Well its still tough for av vendors to detect js downloaders since they are polymorphic malware.So if avast can’t block it in the mail the only way we have is to block it during the binary download process and there is where Avvast behaviour shield comes into play detecting these as IDP.ALEXA.51

system · 2017-02-23T17:35:09.000Z

TrueIndian post:9:

Now that changes things…Malware writers never seem to attack web mail since its so secure.

I have seen dropbox links on reverse.it…Never thought they actually use it to infect users.

It would still be classified as spam by the avast mail filter and if it arrives in web mail it goes straight to junk anyway.But this is really a good way for malware writers to bypass antiviruses like avast that have specific filters.

P.S. It would be more interesting if someone from avast labs chips in on this.

If the dad in question actually do click on the link, wich he most certainly did, I will have to save him…

TrueIndian · 2017-02-23T18:01:26.000Z

I have requested someone from avast to answer our queries

JiříŠembera · 2017-02-23T21:19:20.000Z

Hi,

thank you for letting us know about these new campaigns. We are currently analysing them and hopefully we’ll have new generic detections in place soon. In the meantime our other detection engines should cover the most of the malware downloaded when the .js script is executed (it’s usually just a downloader, not directly harmful).

Jiri

savcin · 2017-02-27T09:18:00.000Z

MultiString detection for this script file has been created.

Announcements