Created June 13, 2013 16:47
Malware that uses Locaweb, Amazon S3 and much more.
Delivered-To: xxxxxxxxxx@gmail.com
Received: by 10.58.86.195 with SMTP id r3csp27923vez;
Thu, 13 Jun 2013 09:24:12 -0700 (PDT)
X-Received: by 10.236.7.164 with SMTP id 24mr1158812yhp.192.1371140651823;
Thu, 13 Jun 2013 09:24:11 -0700 (PDT)
Return-Path: <51b94f0a38a58264550024da@systemofvc.newssender.com.br>
Received: from hm2256-10.locaweb.com.br (hm2256-10.locaweb.com.br. [187.45.217.76])
by mx.google.com with ESMTP id x64si28623839yhm.60.2013.06.13.09.24.10
for <xxxxxxxxxx@gmail.com>;
Thu, 13 Jun 2013 09:24:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of 51b94f0a38a58264550024da@systemofvc.newssender.com.br designates 187.45.217.76 as permitted sender) client-ip=187.45.217.76;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of 51b94f0a38a58264550024da@systemofvc.newssender.com.br designates 187.45.217.76 as permitted sender) smtp.mail=51b94f0a38a58264550024da@systemofvc.newssender.com.br
Message-Id: <51b9f22b.64bbec0a.2ef8.ffffbd79SMTPIN_ADDED_MISSING@mx.google.com>
Received: from localhost (10.30.92.231) by hm2256.locaweb.com.br id hn7p2m15crs3 for <xxxxxxxxxx@gmail.com>; Thu, 13 Jun 2013 13:19:50 -0300 (envelope-from <51b94f0a38a58264550024da@systemofvc.newssender.com.br>)
Date: Thu, 13 Jun 2013 13:19:50 -0300
From: =?UTF-8?B?TWFyY29zIEEuIE51bmVz?= <j.a_notificacao@email.com>
To: xxxxxxxxxxxxxxxxxxxxx@gmail.com
Subject: =?UTF-8?Q?Notifica=C3=A7=C3=A3o!?=
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="--==_mimepart_51b9f0d3b7e1e_22ba127000058686";
charset=UTF-8
Content-Transfer-Encoding: 7bit
x-message-id: 51b9ef7236e1d9abf700044c
x-contact-id: 51b9dd932234cb575c69bce4
x-locaweb-id: 2Ci3nsJMUiMlvcWbMUIrMTs-R2CImujdJc88SVRjqwJMHW8Uqs9ud6AaSkDwl1Ldvn6IHckL_j0KQVdODGU0gOU9ujW6LbF70PshAZuRmgcC_OFXGBxC82k1ltnmi4S1zbtwdgLk_JuNZYmAQe_rbZvarGY4xjJmAbe6lCIkvOA=
x-locaweb-id2: M2QzZjU1NTQ0NjJkMzgzZjQyM2Y1NDU3NDY3OTU5MzIzOTdhNDk0NTQ1NzU0OTQ1MzUzMTYyNmQ1NjdhM2YzZDNjNmEyZTYxNWY2ZTZmNzQ2OTY2Njk2MzYxNjM2MTZmNDA2NTZkNjE2OTZjMmU2MzZmNmQzZQ==
----==_mimepart_51b9f0d3b7e1e_22ba127000058686
Date: Thu, 13 Jun 2013 13:19:50 -0300
Mime-Version: 1.0
Content-Type: text/plain;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-ID: <51b9f0d77e0c0_22ba12700005875e@saascloud0089.mail>
<!--
.style1 {
font-size: 18px;
font-weight: bold;
font-family: Georgia, "Times New Roman", Times, serif;
}
.style2 {
font-family: "Courier New", Courier, monospace;
font-size: 16px;
}
-->
Cobran=C3=A7a e Fiscaliza=C3=A7=C3=A3o
Auto de Infra=C3=A7=C3=A3o e Notifica=C3=A7=C3=A3o de Lan=C3=A7amento
Comunica=C3=A7=C3=B5es Relacionadas a Restitui=C3=A7=C3=A3o e Compensa=C3=
=A7=C3=A3o
NF-F-Emitida.
https://www.fazenda.sp.gov.br/nfe/documentos-fiscais/62322544325345-Proc-=
Nfe
=C2=A0
=C2=A0
=C2=A0
Se voc=C3=AA n=C3=A3o deseja mais receber nossos e-mails, cancele sua ins=
cri=C3=A7=C3=A3o atrav=C3=A9s do link %{link}=
----==_mimepart_51b9f0d3b7e1e_22ba127000058686
Date: Thu, 13 Jun 2013 13:19:50 -0300
Mime-Version: 1.0
Content-Type: text/html;
charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Content-ID: <51b9f0d790d60_22ba1270000588f9@saascloud0089.mail>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www=
.w3.org/TR/REC-html40/loose.dtd">
<html xmlns=3D"http://www.w3.org/1999/xhtml">
<body><p>
<meta content=3D"text/html; charset=3Diso-8859-1" http-equiv=3D"Content-=
Type" /></p>
<p>
</p><title></title><style type=3D"text/css"><![CDATA[<!--.style1 {
font-size: 18px;
font-weight: bold;
font-family: Georgia, "Times New Roman", Times, serif;
}
.style2 {
font-family: "Courier New", Courier, monospace;
font-size: 16px;
}
--> ]]></style><div align=3D"justify">
<p>
<img src=3D"https://s3-ap-northeast-1.amazonaws.com/img003/Notafiscal.j=
pg" /></p>
<p class=3D"style1">
Cobran=C3=A7a e Fiscaliza=C3=A7=C3=A3o</p>
<p class=3D"style2">
Auto de Infra=C3=A7=C3=A3o e Notifica=C3=A7=C3=A3o de Lan=C3=A7amento</=
p>
<p class=3D"style2">
Comunica=C3=A7=C3=B5es Relacionadas a Restitui=C3=A7=C3=A3o e Compensa=C3=
=A7=C3=A3o</p>
<p class=3D"style2">
NF-F-Emitida.</p>
<p>
<span class=3D"style2"><a href=3D"https://emailmarketing.locaweb.com.br=
/messages/51b9ef7236e1d9abf700044c/clicks/51b9dd932234cb575c69bce4/51b9efed36e1d9189c002be3">=
https://www.fazenda.sp.gov.br/nfe/documentos-fiscais/62322544325345-Proc-=
Nfe</a></span></p>
<p>
<img alt=3D"" border=3D"0" height=3D"55" id=3D"CERTIFICADO" name=3D"CER=
TIFICADO" src=3D"https://s3-ap-northeast-1.amazonaws.com/img003/certifica=
do.gif" width=3D"129" /></p>
<p>
=C2=A0</p>
<p>
=C2=A0</p>
</div>
<p>
=C2=A0</p><p id=3D"emkt_unsubscribe_link">Se voc=C3=AA n=C3=A3o deseja m=
ais receber nossos e-mails, <a href=3D"http://emailmarketing.locaweb.com.=
br/unsubscribes/51b9ef7236e1d9abf700044c/51b9dd932234cb575c69bce4?emkt_c=3D1371135379">cancele =
sua inscri=C3=A7=C3=A3o neste link</a></p><img src=3D"http://emailmarketi=
ng.locaweb.com.br/messages/51b9ef7236e1d9abf700044c/openings/51b9dd932234cb575c69bce4" width=3D=
"1" height=3D"1" border=3D"0" /></body>
</html>
----==_mimepart_51b9f0d3b7e1e_22ba127000058686--
1 - email:
> Collection and Inspection
>
> Notice of Infraction and Assessment Notification
>
> Communications Related to Refund and Compensation
>
> NF-F-Emitida.
>
> https://www.fazenda.sp.gov.br/nfe/documentos-fiscais/62322544325345-Proc-Nfe
2 - the link actually points to
https://emailmarketing.locaweb.com.br/messages/51b9ef7236e1d9abf700044c/clicks/51b9dd932234cb575c69bce4/51b9efed36e1d9189c002be3
let's see:
$ curl -vs https://emailmarketing.locaweb.com.br/messages/51b9ef7236e1d9abf700044c/clicks/51b9dd932234cb575c69bce4/51b9efed36e1d9189c002be3
* About to connect() to emailmarketing.locaweb.com.br port 443 (#0)
* Trying 186.202.140.101...
* Connected to emailmarketing.locaweb.com.br (186.202.140.101) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=BR; postalCode=04543-900; ST=Sao Paulo; L=Sao Paulo; street=1830, 10 and. torre 4; street=Av. Juscelino Kubtscheck; O=LOCAWEB LTDA; OU=hospedagem de sites; OU=Comodo PremiumSSL Wildcard; CN=*.locaweb.com.br
* start date: 2008-06-27 00:00:00 GMT
* expire date: 2013-08-13 23:59:59 GMT
* common name: *.locaweb.com.br (matched)
* issuer: C=US; ST=UT; L=Salt Lake City; O=The USERTRUST Network; OU=http://www.usertrust.com; CN=UTN-USERFirst-Hardware
* SSL certificate verify ok.
> GET /messages/51b9ef7236e1d9abf700044c/clicks/51b9dd932234cb575c69bce4/51b9efed36e1d9189c002be3 HTTP/1.1
> User-Agent: curl/7.29.0
> Host: emailmarketing.locaweb.com.br
> Accept: */*
>
< HTTP/1.1 302 Found
< Server: nginx
< Date: Thu, 13 Jun 2013 16:43:33 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Status: 302 Found
< Location: https://s3.amazonaws.com/N-F-Eletr2014/Notafiscal62322544325345.zip
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< X-Request-Id: 3494c2f97c50e80ddd07e38224867011
< X-Runtime: 0.008162
< X-Rack-Cache: miss
<
* Connection #0 to host emailmarketing.locaweb.com.br left intact
<html><body>You are being <a href="https://s3.amazonaws.com/N-F-Eletr2014/Notafiscal62322544325345.zip">redirected</a>.</body></html>
3 - following the link we get:
$ curl -vs https://s3.amazonaws.com/N-F-Eletr2014/Notafiscal62322544325345.zip > a.zip
* About to connect() to s3.amazonaws.com port 443 (#0)
* Trying 72.21.211.130...
* Connected to s3.amazonaws.com (72.21.211.130) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using RC4-MD5
* Server certificate:
* subject: C=US; ST=Washington; L=Seattle; O=Amazon.com Inc.; CN=s3.amazonaws.com
* start date: 2010-10-08 00:00:00 GMT
* expire date: 2013-10-07 23:59:59 GMT
* common name: s3.amazonaws.com (matched)
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)09; CN=VeriSign Class 3 Secure Server CA - G2
* SSL certificate verify ok.
> GET /N-F-Eletr2014/Notafiscal62322544325345.zip HTTP/1.1
> User-Agent: curl/7.29.0
> Host: s3.amazonaws.com
> Accept: */*
>
< HTTP/1.1 200 OK
< x-amz-id-2: rcyxNwO5NT7b8U86l0Roe//AtcyiMF12HdR7a56PXJ32+0iMZhSJr8/oaJQ/29oS
< x-amz-request-id: 469933DBAA26A0EC
< Date: Thu, 13 Jun 2013 16:44:08 GMT
< Last-Modified: Thu, 13 Jun 2013 14:32:02 GMT
< ETag: "68fc0922f0167709825947d71e96281a"
< Accept-Ranges: bytes
< Content-Type: application/zip
< Content-Length: 76042
< Server: AmazonS3
<
{ [data not shown]
* Connection #0 to host s3.amazonaws.com left intact
4 - analysis
$ unzip a.zip
Archive: a.zip
inflating: Notafiscal62322544325345.cpl
$ file Notafiscal62322544325345.cpl
Notafiscal62322544325345.cpl: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
MALWARE DETECTED
5 - original email in the next file
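As an added example (not part of the gist), a Python triage script that applies two of the checks this analysis implies to a constructed message modelled on the one above: whether the visible link text names a different host than the href it actually points to, and whether the From domain matches the envelope sender in Return-Path. The ids in the tracking URL (m, c, l) are placeholders, not the real ones.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the message above (not the original file): the anchor text
# is a fazenda.sp.gov.br URL, its href is a tracking redirector, From and Return-Path differ.
RAW_EMAIL = b"""\
Return-Path: <51b94f0a38a58264550024da@systemofvc.newssender.com.br>
From: =?UTF-8?B?TWFyY29zIEEuIE51bmVz?= <j.a_notificacao@email.com>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<html><body><p><a href=3D"https://emailmarketing.locaweb.com.br/messages/m/clicks/c/l">=
https://www.fazenda.sp.gov.br/nfe/documentos-fiscais/62322544325345-Proc-Nfe</a></p></body></html>
"""
class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> in an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def deceptive_links(raw):
    # (shown host, real host) for each anchor whose text is a URL on a different host.
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_content())  # get_content() undoes the quoted-printable
        for href, text in parser.links:
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown and real and shown != real:
                found.append((shown, real))
    return found

def sender_domains(raw):  # (From domain, Return-Path domain); a mismatch merits a closer look
    msg = email.message_from_bytes(raw, policy=policy.default)
    envelope = parseaddr(str(msg["Return-Path"]))[1].rpartition("@")[2]
    return msg["From"].addresses[0].domain, envelope
```

On the sample this reports the fazenda.sp.gov.br text hiding an emailmarketing.locaweb.com.br redirector, and email.com versus systemofvc.newssender.com.br as the sender pair.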