From: Louis - Buvasport [louis64@buvasport.com]
Date: 19 April 2016 at 13:29
Subject: Invoice: 1985 corrected
Dear Customer,
Please find attached the invoice for your purchases. NO SHIPPING CHARGES
Your goods have been dispatched and you should receive them in the next few days.
If you have any questions, do not hesitate to contact us.
Best regards,
BUVA SPORTS
Attached is a file 093887283-19.04.2016.zip which contains a semi-randomly named script (e.g. 741194709-18.04.2016.PDF.js) with VirusTotal detection rates of 6/56 [1] [2]. According to these Malwr reports [3] [4] the script downloads a file from one of the following locations:
pushdkim.com/267h67c5e
pay.360degreeinfo.com/267h67c5e
There are probably other scripts with different download locations. The binary has a detection rate of 10/55. The Hybrid Analysis report shows that this executable attempts to download another executable from:
buhjolk.at/files/Yd6aGF.exe
At the moment that location is 404ing and the main payload fails, although that could be easily fixed I guess. This is probably attempting to drop Locky ransomware.
The loader also attempts to interact with some servers belonging to BMG, possibly to generate false data for anyone doing network analysis.
To be on the safe side, it might be worth blocking:
93.79.82.215 (Telesweet, Ukraine)
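A mail-gateway check for the lure described above, added here as an example and not part of the original post: it flags zip attachments whose names follow the numeric-plus-date pattern seen in this campaign, and inspects the archive for script files hidden behind a double extension such as `.PDF.js`. The regexes, the extension list and the sample archive are all constructed for this example; the constructed zip only contains placeholder text, not the real script.

```python
import io
import re
import zipfile

# Attachment name pattern seen in this run: digits, a dash, DD.MM.YYYY, .zip (constructed regex)
ATTACHMENT_NAME_RE = re.compile(r"^\d+-\d{2}\.\d{2}\.\d{4}\.zip$", re.IGNORECASE)

# Document-looking prefix followed by a script extension, e.g. invoice.PDF.js (constructed regex)
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|docx|xls|xlsx)\.(js|jse|vbs|vbe|wsf)$", re.IGNORECASE)

# Script types a mail gateway would not expect inside an "invoice" archive (assumption)
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf")


def attachment_name_matches_campaign(filename):
    """True if the attachment name follows the <digits>-<DD.MM.YYYY>.zip pattern."""
    return ATTACHMENT_NAME_RE.match(filename) is not None


def suspicious_members(zip_bytes):
    """Return (member name, reason) for every archive entry that looks like a disguised script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to scan
                continue
            lower = name.lower()
            if DOUBLE_EXT_RE.search(lower):
                findings.append((name, "double extension hides a script"))
            elif lower.endswith(SCRIPT_EXTENSIONS):
                findings.append((name, "script file inside archive"))
    return findings


def classify_attachment(filename, zip_bytes):
    """Combine both checks into a single verdict: 'block', 'review' or 'allow'."""
    members = suspicious_members(zip_bytes)
    if members:
        return "block"
    if attachment_name_matches_campaign(filename):
        return "review"   # name pattern alone is weaker evidence; route to a human
    return "allow"


def build_sample_zip(member_names):
    """Constructed test archive; contents are placeholder text, not real scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, "// constructed placeholder, not the real script\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Names taken from the post; archive content is constructed.
    sample = build_sample_zip(["741194709-18.04.2016.PDF.js"])
    print(classify_attachment("093887283-19.04.2016.zip", sample))
    print(suspicious_members(sample))
```

The double-extension check fires first because it is the strongest signal; the name pattern on its own only routes the message to review, since legitimate senders do sometimes use numbered, dated archive names.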