From: Dora BainIn the sample I saw, the attached file was named Dora-Resume.doc and had a VirusTotal detection rate of 11/56. The Malwr report and Hybrid Analysis show that a script executes that tries to make a political statement along the way..
Date: 7 June 2016 at 03:37
Subject: Good morning
I visited your website today..
I'm currently looking for work either full time or as a intern to get experience in the field.
Please look over my CV and let me know what you think.
This downloads a file from 18.104.22.168/subid1.exe which is then saved as %APPDATA%\us_drones_kills_civilians.exe which VirusTotal gives a detection rate of 20/56 and seems to give an overall diagnosis as being Cerber ransomware.
The IP address of 22.214.171.124 is allocated to an apparent Seychelles shell company called Quasi Networks Ltd (which is probably Russian). There seems to be little if anything of value in 126.96.36.199/24 which could be a good candidate to block. Incidentally, the IP hosts best-booters.com which is likely to be a DDOS-for-hire site.
According to the VT report the malware scans for a response on port 6892 on the IP addresses 188.8.131.52 through to 184.108.40.206. However, this Hybrid Analysis indicates that the only server to respond is on 220.127.116.11 (GuardoMicro SRL, Romania) which is part of the notoriously bad 18.104.22.168/24 which is a good thing to block.
That report also shows traffic to ipinfo.io which is a legitimate "what is my IP" service. While not malicious in its own right, it does make a potentially good indicator of compromise.