From: Eddie Savage
Date: 29 June 2016 at 22:47
Subject: Documents copies
Dear [redacted],
I am sending copies of the documents as attachments.
Thank you very much for your reply.
Regards
Eddie Savage
"Sales Director"
Attached is a ZIP file with the recipient's email address plus "DOC", "pdf" or "copy" plus a random number, contained within is a malicious .js file beginning with "swift".
Trusted analysis by another source (thank you!) gives download locations at:
12-land.co.jp/i3t2jhd
211.133.144.17/~doberuku/u9ux2e
213.191.128.17/~bilanca/zz8nws49
31.31.77.164/~belize/vg53s9
3210kawasemi.web.fc2.com/q1znrou
66.109.30.133/~PlcmSpIp/400mks
80.109.240.71/~g.koprinkov/a570ddjp
84.94.229.189/~mce12/ynkxugc
87.106.143.248/~regie/8j89l
alexiedb.home.ro/tttkjz2n
armaplate.co.uk/41h4c0bm
armaplate.co.uk/97mdwa
armaplate.co.uk/xi7cgp
bite-sportivi.it/ckgj83r
clientes.netvisao.pt/~night/05gwe
code-ltd.com/dhc12
daveshearth.com/hdifi
denchostation.web.fc2.com/rro9ws2
diskopolo.republika.pl/n8ctec1p
fujihoku.web.fc2.com/dusqvzj4
ghislain.dartois.pagesperso-orange.fr/iy53v0
humphrey.nl/1d25yqh
iranecs.ir/5klox7
karlsmart.com/9it3vmj4
ktbk.web.fc2.com/h4ur12
machinescript.hi2.ro/94sjyj
malgorzatakowal.republika.pl/jvmf7qcs
mm.pl/~kamilmg/usbcx
negep.com.br/1sr133q6
pcadesigneng.com/4zxlg
platanenhof-zschornewitz.homepage.t-online.de/cjv865
risenkeitai.ame-zaiku.com/swcbl4r
scale.kane-tsugu.com/f9h4q
selen.yu-nagi.com/g02tx18t
shimizubandfes.web.fc2.com/lntmd0g
sp31bielsko.republika.pl/f6q9z58p
sp31-bielsko.republika.pl/od5e898
topoeval.ro/z86ca14d
toushi.katsu-yori.com/sx83vt
vipoil.es/3y95xwon
vrkoc.eu/x4t68b
watanabekagu.web.fc2.com/iwiry
www.apec.cc/rffs1rs
The payload is Locky ransomware. The command and control servers appear to be the same as found here and I recommend you block them.
No comments:
Post a Comment