TrojanDownloader:JS/Swabfex.P
First posted on 07 March 2016.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:JS/Swabfex.P.
Explanation:
Installation
The malware is typically delivered as a .zip archive attached to an email and relies on some form of social engineering to get the user to open the file.
(The original page shows a screenshot of a typical email at this point.)
The content of the attached zip archive is a JavaScript file with a name similar to the archive's. The malware is executed when the user double-clicks the script. (The original page shows a screenshot of the JavaScript file at this point.)
This threat has a few variants; the only difference between them is the URLs used in their obfuscation behavior (as of the time of the analysis, December 17, 2015).
Payload
Downloads malware and runs files
When the malware is installed and run, it connects to a remote host through HTTP and downloads an executable file.
The file is saved in the %TEMP% directory as an .exe file, for example 1.exe.
This malware has also been seen to download variants of the Tescrypt Ransomware family.
Additional information
We have seen this threat use the following file names for the attachment:
$RV5XTK2.zip
00000142614.zip
0000105620.zip
000121561.zip
00112321.zip
11162015 44115 PM.zip
America_Airlines_Ticket_00000166017.zip
Court_Notification_00000135992.zip
Delivery_Notification_00000311671.zip
E-Ticket_00000162243.zip
E-ZPass_00000156429.zip
E-ZPass_Invoice_00000144593.zip
FedEx_ID_00000512178.zip
Indebted for driving on toll road #0000375149.zip
Indebtedness for driving on toll road #0000865760.zip
Invoice_00000191030.zip
Notice to Appear.zip
Notice to appear in Court #00923981.zip
Notice_to_Appear_00000113844.zip
Order_00000122476.zip
Payment for driving on toll road, invoice #000383135.zip
Refund_Payment_Details_000395157.zip
Tax_Refund_00000111558.zip
Your e-ticket #00000929404.zip
Your order #00438783 is approved.zip
doc.zip
doc_03x8lZpU3X.zip
document-00000310850.zip
document0000182514.zip
document_00926720.zip
fax-00000570999.zip
fax00000201518.zip
fax_00000523833.zip
img.zip
info.zip
info_05mCRNAVKk.zip
inv_0015.zip
inv_003.zip
invoice_copy_0dJjoJn0dsf.zip
output6.zip
scan-00000209333.zip
scan00000138284.zip
scan_00000741887.zip
scanned-00000337132.zip
scanned00000659313.zip
task-00000482466.zip
task00000453441.zip
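As an added defender-side example (this is not code from the Microsoft write-up), the following Python script turns the delivery shape described under Installation (a .zip attachment holding a similarly named .js file) and the attachment names listed above into a mail-gateway triage check. The lure-name regular expressions and the list of script extensions are my own generalizations of what the page lists, and the sample attachments are constructed in memory with inert placeholder contents.

```python
import io
import pathlib
import re
import zipfile

# Extensions that Windows hands to the script host on double-click. The page
# describes a .js payload; the sibling extensions are my addition so that a
# mail filter treats the whole class alike.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Generalised from the attachment names the page lists (fax-00000570999.zip,
# scan_00000741887.zip, Invoice_00000191030.zip, 00000142614.zip, ...).
# These patterns are an assumption of mine and only mark a name for review.
LURE_NAME_RE = re.compile(
    r"^(?:fax|scan|scanned|task|doc|document|inv|invoice|info|img|order|"
    r"e-?ticket|e-zpass|fedex|tax_refund|refund|court|delivery|notice|output)"
    r"[\w-]*\.zip$",
    re.IGNORECASE,
)
DIGITS_ONLY_RE = re.compile(r"^\d{5,}\.zip$")


def inspect_zip_attachment(filename: str, data: bytes) -> dict:
    """Classify one .zip e-mail attachment as 'allow', 'review' or 'block'.

    'block'  - the archive contains a Windows script file (the delivery shape
               the page describes)
    'review' - only the attachment name looks like an observed lure, or the
               attachment is not a readable zip at all
    'allow'  - none of these checks fired
    """
    reasons = []
    if LURE_NAME_RE.match(filename) or DIGITS_ONLY_RE.match(filename):
        reasons.append("attachment name matches a lure pattern observed for this family")

    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        reasons.append("attachment is not a valid zip archive")
        return {"verdict": "review", "reasons": reasons}

    archive_stem = pathlib.PurePosixPath(filename).stem.lower()
    script_found = False
    with archive:
        members = archive.infolist()
        for info in members:
            member = pathlib.PurePosixPath(info.filename)
            if member.suffix.lower() in SCRIPT_EXTENSIONS:
                script_found = True
                reasons.append(f"archive member {info.filename!r} is a Windows script file")
                # The page notes the script's name mirrors the archive's name.
                if member.stem.lower() == archive_stem:
                    reasons.append(f"script {info.filename!r} mirrors the archive name")
        if script_found and len(members) == 1:
            reasons.append("archive holds a single script file and nothing else")

    if script_found:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def build_sample_zip(member_name: str, content: bytes) -> bytes:
    """Constructed sample: an in-memory zip with one member (not a real attachment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples. The lure copies the shape the page describes (a .zip
# holding a similarly named .js); its script body is inert placeholder text.
LURE_ATTACHMENT = ("fax-00000570999.zip",
                   build_sample_zip("fax-00000570999.js", b"// placeholder script body\n"))
BENIGN_ATTACHMENT = ("quarterly_report.zip",
                     build_sample_zip("quarterly_report.docx", b"placeholder document bytes"))

if __name__ == "__main__":
    for name, blob in (LURE_ATTACHMENT, BENIGN_ATTACHMENT):
        result = inspect_zip_attachment(name, blob)
        print(name, "->", result["verdict"])
        for reason in result["reasons"]:
            print("   ", reason)
```

The name check alone only yields "review", because the observed lure names (invoice, fax, scan, a bare number) also describe plenty of legitimate mail; the archive-member check is what carries the decision, since a .zip whose only content is a .js file has no ordinary business use and matches the page's description exactly. A benign archive whose document shares the archive's name is deliberately left at "allow": the name mirroring is only counted when the member is a script.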
Analysis by Ray Roberts and Allan Sepillo
Last update 07 March 2016