Sponsored by..

Monday 23 May 2016

Malware spam: "Please find attached the file we spoke about yesterday" leads to Locky

This spam appears to come from random senders, and leads to Locky ransomware:

From:    Graham Roman
Date:    23 May 2016 at 11:59
Subject:    Re:

Hi [redacted]

Please find attached the file we spoke about yesterday.

Thank you,
Graham Roman
PCM, Inc.
Attached is a ZIP file starting with copy_invoice_ and then a random sequence. This contains a malicious script file which in the sample I analysed downloads an obfuscated binary from:

oakidea.com/by2eezw8
islandflavaja.com/0p1nz
dragqueenwig.com/itukabk


Automated analysis of the script [1] [2] shows it dropping a file klA1KMQj2D.exe which has a VirusTotal detection rate of 5/56. Those prior reports plus these additional analyses of the binary [3] [4] [5] show network traffic to:

188.166.168.250 (Digital Ocean, UK)
31.41.44.45 (Relink Ltd, Russia)
92.63.87.53 (MWTV, Latvia)


Those reports all demonstrate clearly that this is Locky ransomware, although the barely encrypted downloaded binaries are a new feature.

UPDATE

Trusted third-party analysis (thank you) shows some additional download locations:

4cornerbazaar.com/rcjmp
ap-shoes.com/r3mkkch
b2cfurniture.com.au/ztydt7
babyhalfoff.com/di286c
bekith.com/twe4puv
canalshopping.com.br/kf5d9
ereganto.com.br/4bxi09t
farmavips.com/hlnl21tf
fina-mente.com/kitrl2
hablatinamerica.com/mkhxrsm
jhplhomedecor.com/m637g
joyofgiving.com.au/1b6v94yu
la-mousson.de/pxwimc
lojaonline.eurobar.pt/kmdb4euf
maibey.com/bakcy9s
metallerie.com/uh0kd
mymy365.com/d7bd2
objetsdinterieur.com/0p1nz
peptide-manufacturer.com/jc6pxks
pro-lnz.com/9ed5v5v
promotionalsales.com.au/0iobfbwc
store.steelalborz.com/fw4i3ssf
stylelk.com/12opjwfh


The MD5s of decrypted downloaded files are:

0cef8d79dd32b5701768ffb3e80dd6c9
18e1591325994d60468e58b30bd47ec7
1e1b9729198cb392636ad4b8ec880284
1eacf23630db85c2af07d2657c1a0917
2742891aff1f20ee09a67d29c5b4157d
2f7373602c67761a1666c3170a0adfd9
4f4d754ffb9b33c5b2b7ec6c38dc6a30
517c1805c2b805a801a6132bfd9d7a69
64eef31dc4cd4dc1ca51b6686e4cdaa1
6fc220a8b95e2167c21d0e1f91a516cb
73552fcfff60a171965103d691679b43
8108de8bf200d4baa62541e9eeca2ee4
9125956e3ee99b9f59b595fcba9ac658
9da331f4353f5b0033c162eb308a8197
a01d60682ad5fadc9018908185e8cde3
aceec3d6334e925297efc8d4232473c2
afd40dca335530ec993d9cf91be96b4c
d69adb50c7f2436f5f7502f22b3a5714
dab81432d4d6241e47d7110b8d051f41
de6c020b8639fda713fbe2285dc6740c
eb3391cefb6634e587b58e0d6540c7c3
fb56f158f6f4c81f7bed2a7c4490fadb


One additional C2 server:

176.31.47.100 (Unihost, Seychelles / OVH , France)

Recommended blocklist:
188.166.168.250
31.41.44.45
92.63.87.53

176.31.47.100

1 comment:

DK said...


http://4cornerbazaar.com/rcjmp
http://ap-shoes.com/r3mkkch
http://b2cfurniture.com.au/ztydt7
http://babyhalfoff.com/di286c
http://bekith.com/twe4puv
http://canalshopping.com.br/kf5d9
http://dragqueenwig.com/itukabk
http://ereganto.com.br/4bxi09t
http://farmavips.com/hlnl21tf
http://fina-mente.com/kitrl2
http://grocery21.com/jf8fo
http://hablatinamerica.com/mkhxrsm
http://hanvietnhat.com/q6jxq
http://icarojeans.com.br/h4zamdet
http://imazushop.com/q6jxq
http://ishop-ghana.com/ys952w0
http://islandflavaja.com/0p1nz
http://itmteknoloji.com/sg0qtv
http://jhplhomedecor.com/m637g
http://joyofgiving.com.au/1b6v94yu
http://la-mousson.de/pxwimc
http://lojaonline.eurobar.pt/kmdb4euf
http://maibey.com/bakcy9s
http://metallerie.com/uh0kd
http://mymy365.com/d7bd2
http://nybrasil.com.br/09yva5
http://oakidea.com/by2eezw8
http://objetsdinterieur.com/0p1nz
http://peptide-manufacturer.com/jc6pxks
http://pldo.com.br/hqzi4e7
http://pro-lnz.com/9ed5v5v
http://promotionalsales.com.au/0iobfbwc
http://store.steelalborz.com/fw4i3ssf
http://stylelk.com/12opjwfh
http://tastyteaz.com/l7nkod
http://thoao.de/tjvap0