The email below appears to come from United Parcel Service, the international shipping company, but it does not. In fact, it contains a hidden link to a malicious website.
The link downloads a binary named invoice[random_number].JPG.exe; the double extension makes it look like an image file.
Quick Heal detects this file as “Trojan.Menti.hygd”.
When run, “Trojan.Menti.hygd” drops a copy of itself as a randomly named file:
%APPDATA%\random letter\random letters.exe
It also creates the registry key below so that it runs at Windows startup.
HKCU\Software\Microsoft\Windows\Currentversion\Run\{GUID of Windows volume} = “%APPDATA%\random letters\random letters.exe”
The malware injects code into the address space of Windows processes, as below.
This trojan steals sensitive data from the computer.
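Both indicators described above, the double-extension file name and the GUID-named Run value that launches an executable from a subfolder of %APPDATA%, can be checked mechanically. The following Python is an added example, not Quick Heal's code; the extension lists, regular expressions and sample records are constructed assumptions.

```python
import re

# Assumption: illustrative extension lists, not exhaustive.
DECOY_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "txt"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd"}

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Executable exactly one folder below %APPDATA% (or its expanded Roaming path).
APPDATA_EXE_RE = re.compile(
    r'^"?(%APPDATA%|[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming)\\[^\\]+\\[^\\]+\.exe"?$',
    re.IGNORECASE,
)


def has_double_extension(filename):
    """True when a document/image extension is followed by an executable one."""
    parts = filename.strip().lower().rstrip(". ").split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT


def suspicious_run_entry(value_name, value_data):
    """True when a Run value is named with a GUID and launches an .exe from a
    subfolder of %APPDATA%, the persistence pattern described above."""
    return bool(GUID_RE.match(value_name.strip())
                and APPDATA_EXE_RE.match(value_data.strip()))


# Constructed sample data (not taken from a real system).
SAMPLE_FILES = ["invoice48213.JPG.exe", "holiday.jpg", "setup.exe", "report.v2.pdf"]
SAMPLE_RUN = [
    ("{2F1A6B0C-9D3E-4C7A-8B15-6E0D4A9C3F27}", r"%APPDATA%\Qwzke\ypoam.exe"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("{2F1A6B0C-9D3E-4C7A-8B15-6E0D4A9C3F27}", r"C:\Users\alice\AppData\Roaming\Qwzke\ypoam.exe"),
]


def scan():
    """Return (flagged file names, flagged Run value names) for the samples."""
    files = [f for f in SAMPLE_FILES if has_double_extension(f)]
    runs = [n for n, d in SAMPLE_RUN if suspicious_run_entry(n, d)]
    return files, runs


if __name__ == "__main__":
    print(scan())
```

A GUID-named Run value on its own is not proof of infection; the check is a triage filter whose hits still need review.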
We advise users to stay away from such emails.