Malware that spreads via a Facebook message attachment | Joachim De Zutter
May 2014

A Facebook user received a message carrying a .ZIP file attachment.

Filename: Image0533.Zip
Filesize: 84032 bytes
MD5: ca2edea7175834ce80b0bc160d9c90cc
SHA1: 8b65f337fe215484206aee86fb4288578cf9dde8
SHA256: d3a03a73dde63e5ecdfa0c9de90555bdfcd14be177973430eb0384217b56369f

The .ZIP file contains a .JAR file.

Filename: Image0533.jar
Filesize: 61322 bytes
MD5: 40f44d6c6888705b8c7adb4d40bfc3c0
SHA1: c52975ac05600ab0c7aa88fe53e4e2101622fb80
SHA256: 2338bfed1afc7dd0ea41c48154aa74c7d4e721066c2bd28abdaaf23bb5c2fcbb

The .JAR file contains a .CLASS file.

Filename: IMG_00017.class
Filesize: 69785 bytes
MD5: 294ff715bcb85e4582ea26b52bcaa8d0
SHA1: cde8bbea43e023267f61f5cda34a63ce361f32a1
SHA256: 9364c81c611800ab6d6bb1456f278c9f36a07ea0ba9d572e7fe904ee2b7080d3
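The chain above (a .ZIP wrapping a .JAR wrapping a .CLASS) is exactly the kind of layered attachment a mail or messaging gateway should unpack and hash at every level rather than only at the outer file. The following Python script is an added example, not code from the original post: it builds a constructed in-memory archive that mirrors the described layout (the class bytes are dummy data, not the real sample), then recursively inventories each member, computes MD5/SHA-1/SHA-256, detects Java class files by their magic bytes rather than by extension, and matches digests against a watchlist seeded with the hashes listed in this post. The `Main-Class` manifest entry in the constructed JAR is an assumption for illustration.

```python
"""Triage of a nested ZIP -> JAR -> .class attachment chain.

Added example, not part of the original post.  A constructed sample
archive is built in memory (dummy bytes, not the real malware) and every
layer is inventoried, hashed and compared against a watchlist.
"""
import hashlib
import io
import zipfile

# Known-bad MD5 digests taken from the post (container, JAR and class).
WATCHLIST = {
    "ca2edea7175834ce80b0bc160d9c90cc": "Image0533.Zip",
    "40f44d6c6888705b8c7adb4d40bfc3c0": "Image0533.jar",
    "294ff715bcb85e4582ea26b52bcaa8d0": "IMG_00017.class",
}

# Members that are themselves ZIP containers and must be unpacked too.
NESTED_ARCHIVE_SUFFIXES = (".zip", ".jar", ".war", ".ear")
# Members that are directly executable and worth flagging by name alone.
EXECUTABLE_SUFFIXES = (".class", ".jar", ".exe", ".dll", ".js", ".vbs", ".scr")
# Every Java class file starts with these four bytes.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def digests(data: bytes) -> dict:
    """Return size plus MD5, SHA-1 and SHA-256 hex digests of a byte string."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def walk_archive(data: bytes, path: str = "", depth: int = 0, max_depth: int = 5) -> list:
    """Recursively inventory a ZIP-compatible blob.

    Each finding records the virtual path (outer/inner/member), digests,
    whether the content is a Java class (by magic, not by extension),
    whether the name looks executable, and any watchlist hit.  Nesting is
    capped at max_depth so a recursive archive bomb cannot run us dry.
    """
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            vpath = f"{path}/{info.filename}" if path else info.filename
            d = digests(member)
            findings.append({
                "path": vpath,
                "depth": depth,
                **d,
                "is_java_class": member.startswith(JAVA_CLASS_MAGIC),
                "executable_name": info.filename.lower().endswith(EXECUTABLE_SUFFIXES),
                "watchlist_hit": WATCHLIST.get(d["md5"]),
            })
            if info.filename.lower().endswith(NESTED_ARCHIVE_SUFFIXES):
                findings.extend(walk_archive(member, vpath, depth + 1, max_depth))
    return findings


def build_sample() -> bytes:
    """Constructed sample mirroring the post's layout; the class is dummy bytes."""
    fake_class = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16  # not real bytecode
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w", zipfile.ZIP_DEFLATED) as jar:
        # Assumed manifest; the real JAR's manifest is not described in the post.
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: IMG_00017\n")
        jar.writestr("IMG_00017.class", fake_class)
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as outer:
        outer.writestr("Image0533.jar", jar_buf.getvalue())
    return zip_buf.getvalue()


def triage(data: bytes) -> dict:
    """Summarise why an attachment should be held: nested code, class files, watchlist hits."""
    container = digests(data)
    findings = walk_archive(data)
    hits = [f["path"] for f in findings if f["watchlist_hit"]]
    if WATCHLIST.get(container["md5"]):
        hits.insert(0, "<container>")
    return {
        "container": container,
        "members": findings,
        "nested_archives": [f["path"] for f in findings
                            if f["path"].lower().endswith(NESTED_ARCHIVE_SUFFIXES)],
        "java_classes": [f["path"] for f in findings if f["is_java_class"]],
        "watchlist_hits": hits,
        "suspicious": bool(hits) or any(f["is_java_class"] for f in findings),
    }


if __name__ == "__main__":
    report = triage(build_sample())
    for m in report["members"]:
        print(f"{'  ' * m['depth']}{m['path']}  {m['size']}B  md5={m['md5']}  class={m['is_java_class']}")
    print("suspicious:", report["suspicious"], "hits:", report["watchlist_hits"])
```

Because the constructed sample uses dummy bytes, its digests do not match the watchlist; the verdict comes from the structural signal alone (executable Java code nested two archives deep inside an "image"). Against the real attachment the same code would report all three watchlist entries. Matching on SHA-256 rather than MD5 is the better production choice; MD5 is used here only because it is the shortest digest the post lists for every layer.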

When executed, the .JAR file tried to resolve dl.dropboxusercontent.com, which resolved to 54.225.176.212, 50.17.238.66, 50.17.184.208, 23.21.255.89, 54.204.12.159, 107.20.172.65, 54.243.101.245 and 54.243.82.45.
On 31 May 2014 it tried to download a folder.zip file from 54.225.176.212 using several different paths, but it did not succeed.

https://www.virustotal.com/en/file/9364c81c611800ab6d6bb1456f278c9f36a07ea0ba9d572e7fe904ee2b7080d3/analysis/

Microsoft Security Essentials detected an obfuscated class file named Momomo010.class that had been executed by the Java Virtual Machine, and linked to http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fObfuscator.J&threatid=2147686604