Malware that spreads via a Facebook message attachment | Joachim De Zutter
May 2014

A message with a .ZIP file was received by a Facebook user.

Filename: Image0533.Zip
Filesize: 84032 bytes
MD5: ca2edea7175834ce80b0bc160d9c90cc
SHA1: 8b65f337fe215484206aee86fb4288578cf9dde8
SHA256: d3a03a73dde63e5ecdfa0c9de90555bdfcd14be177973430eb0384217b56369f

The .ZIP file contains a .JAR file.

Filename: Image0533.jar
Filesize: 61322 bytes
MD5: 40f44d6c6888705b8c7adb4d40bfc3c0
SHA1: c52975ac05600ab0c7aa88fe53e4e2101622fb80
SHA256: 2338bfed1afc7dd0ea41c48154aa74c7d4e721066c2bd28abdaaf23bb5c2fcbb

The .JAR file contains a .CLASS file.

Filename: IMG_00017.class
Filesize: 69785 bytes
MD5: 294ff715bcb85e4582ea26b52bcaa8d0
SHA1: cde8bbea43e023267f61f5cda34a63ce361f32a1
SHA256: 9364c81c611800ab6d6bb1456f278c9f36a07ea0ba9d572e7fe904ee2b7080d3

On 31 May 2014 the .JAR file tried to download a folder.zip file from Dropbox (dl.dropboxusercontent.com), trying several different paths, but none of the downloads succeeded.

https://www.virustotal.com/en/file/9364c81c611800ab6d6bb1456f278c9f36a07ea0ba9d572e7fe904ee2b7080d3/analysis/
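As an added triage example (my own code, not part of this note), here is a Python script that walks a nested ZIP -> JAR -> .class chain like the one above without executing any of it: it records size and SHA-256 at every layer (the values one would compare against the hashes listed above), identifies each member by its content rather than its extension, flags the archive-inside-archive-with-class pattern, and pulls http(s) strings out of the class bytes, which is how a download location such as dl.dropboxusercontent.com surfaces during static triage. The sample archive is constructed inline; its member names reuse the filenames from this note, but the bytes, the resulting hashes and the URL path are placeholders, not the real sample.

```python
import hashlib
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file starts with these four bytes
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Identify a blob by content, not by its extension: 'class', 'archive' (ZIP/JAR) or 'other'."""
    if data.startswith(CLASS_MAGIC):
        return "class"
    if zipfile.is_zipfile(io.BytesIO(data)):
        return "archive"
    return "other"


def walk_archive(data: bytes, name: str, depth: int = 0, max_depth: int = 4):
    """Recursively describe an archive and its members without running anything.

    Yields (depth, name, kind, bytes); archives nested inside archives are opened
    in memory, down to max_depth levels as a guard against deliberately deep nesting."""
    kind = classify(data)
    yield depth, name, kind, data
    if kind != "archive" or depth >= max_depth:
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            yield from walk_archive(zf.read(info.filename), info.filename, depth + 1, max_depth)


def triage(data: bytes, name: str) -> dict:
    """Summarise the chain: per-layer hashes, the ZIP->JAR->class pattern,
    extension/content mismatches, and URL strings embedded in class files."""
    report = {"entries": [], "nested_class": False, "mismatches": [], "urls": []}
    for depth, entry_name, kind, blob in walk_archive(data, name):
        report["entries"].append({"depth": depth, "name": entry_name, "kind": kind,
                                  "size": len(blob), "sha256": sha256_hex(blob)})
        lower = entry_name.lower()
        if kind == "class":
            if depth >= 2:  # a class file two archive layers down: ZIP -> JAR -> class
                report["nested_class"] = True
            report["urls"].extend(m.decode("ascii") for m in URL_RE.findall(blob))
        if (lower.endswith(".class") and kind != "class") or \
           (lower.endswith((".zip", ".jar")) and kind != "archive"):
            report["mismatches"].append(entry_name)
    return report


def build_sample() -> bytes:
    """Constructed stand-in for the Image0533.Zip chain; bytes, hashes and URL path are placeholders."""
    class_bytes = (CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 12
                   + b"https://dl.dropboxusercontent.com/PLACEHOLDER_PATH/folder.zip\x00"
                   + b"\x00" * 32)
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: IMG_00017\n")
        jar.writestr("IMG_00017.class", class_bytes)
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w", zipfile.ZIP_DEFLATED) as outer:
        outer.writestr("Image0533.jar", jar_buf.getvalue())
    return outer_buf.getvalue()


SAMPLE_ZIP = build_sample()

if __name__ == "__main__":
    report = triage(SAMPLE_ZIP, "Image0533.Zip")
    for e in report["entries"]:
        print(f"{'  ' * e['depth']}{e['name']}  {e['kind']}  {e['size']} bytes  sha256={e['sha256']}")
    print("ZIP->JAR->class chain:", report["nested_class"])
    print("extension/content mismatches:", report["mismatches"])
    print("URLs in class files:", report["urls"])
```

To run it on a real attachment, read the file into bytes and call triage(data, filename) instead of using SAMPLE_ZIP; the content-based classification matters because an attachment named .Zip or .jar is just a ZIP container, and a member's extension says nothing about what it actually holds.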


Microsoft Security Essentials detected an obfuscated class file named Momomo010.class that had been executed by the Java Virtual Machine, and linked to the following threat encyclopedia entry: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Exploit%3aJava%2fObfuscator.J&threatid=2147686604