From: "Boyd Dennis"
Date: Mon, 18 Jul 2016 11:34:11 +0200
Subject: bank account report

How is it going?

Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.

--
Yours faithfully,
Boyd Dennis
HSBC HLDGS
Phone: +1 (593) 085-57-81, Fax: +1 (593)

The sender name and details vary, although it all follows the same pattern. Attached is a ZIP file whose name contains elements of the recipient's email address and some random digits. Contained within is a .wsf (Windows Script File) script that downloads a file from one of the following locations (thank you to my source for analysis):
I don't have a copy of the payload at present, but it does phone home to:
126.96.36.199 (SpaceWeb CJSC, Russia)
188.8.131.52 (JSC Server, Russia)
184.108.40.206 (United Networks Of Ukraine Ltd, Ukraine)
220.127.116.11 (MegaHosterNetwork, Ukraine)
The payload appears to be Locky ransomware.
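As an added example (not from the original post), the following Python flags the attachment pattern described above, a ZIP whose members include a Windows Script Host script such as .wsf, so a mail gateway or analyst can quarantine it before the download stage. The sample message, sender and recipient addresses and the file names are constructed for the demonstration.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Extensions Windows Script Host runs directly when the user opens the file.
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe")

def find_script_attachments(raw_message: bytes) -> list[str]:
    """Return 'zipname:member' for each ZIP attachment member with a script extension."""
    msg = email.message_from_bytes(raw_message, policy=default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTENSIONS):
                        hits.append(f"{name}:{member}")
        except zipfile.BadZipFile:
            # A ZIP that will not parse is itself worth a look by an analyst.
            hits.append(f"{name}:<unreadable zip>")
    return hits

def build_sample_message() -> bytes:
    """Constructed sample (not a real capture): ZIP named from the recipient address
    plus digits, holding a harmless stub .wsf, mirroring the campaign described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bank_account_report.wsf",
                    "<job><script language='JScript'>// stub, does nothing</script></job>")
    msg = EmailMessage()
    msg["From"] = '"Boyd Dennis" <sender@example.invalid>'
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "bank account report"
    msg.set_content("Attached is the bank account report.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="victim_example_8371.zip")
    return bytes(msg)

if __name__ == "__main__":
    print(find_script_attachments(build_sample_message()))
```

Feed it a raw .eml from the quarantine to list every script member inside ZIP attachments; a non-empty result is the trigger for holding the message.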