From "Lynnette Slater"
Date Tue, 19 Jul 2016 10:47:09 +0200
Subject Business Analysis
I attached the detailed business analysis (updated}
Phone: +1 (181) 133-27-50
Fax: +1 (181) 133-27-49
The message will appear to be "from" different individuals, varying from message to message. However, the main part of the body text is always the same.
Attached is a ZIP file containing elements of the recipients email address and some random letters and numbers. I have been unable to obtain a copy of the attachment at the moment, but it is likely to be Locky ransomware and if I get further details I will post them here.
My usual trusted source for analysis (thank you) reports that these ZIP files contain a malicious .wsf script which downloads a component from one of the following locations:
I don't have a decrypted sample of the binary at present, although the C2 locations are reported as:
126.96.36.199/upload/_dispatch.php (SpaceWeb CJSC, Russia)
188.8.131.52/upload/_dispatch.php (Internet Hosting Ltd, Russia)
184.108.40.206/upload/_dispatch.php (MAROSNET Telecommunication Company, Russia)
220.127.116.11/upload/_dispatch.php (United Networks of Ukraine, Ltd, Ukraine)