Subject: Document from Paige

In this case there was an attached file DOC-20161005-WA0002793.zip containing a malicious script [pastebin] DOC-20161005-WA0002715.wsf.
From: Paige cuddie (Paige592035@gmail.com)
Date: Wednesday, 5 October 2016, 9:37
Automated analysis [1] [2] shows this sample downloads from:
euple.com/65rfgb?EfTazSrkG=eLKWKtL
There will be many other locations besides this.
Those same reports show the malware (in this case Locky ransomware) phoning home to:
88.214.236.36/apache_handler.php (Overoptic Systems, UK / Russia)
109.248.59.100/apache_handler.php (Ildar Gilmutdinov aka argotel.ru, Russia)
The sample I found downloaded a legitimate binary from ciscobinary.openh264.org/openh264-win32-v1.3.zip presumably as an anti-analysis technique.
Recommended blocklist:
88.214.236.0/23
109.248.59.0/24
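As an added example (not part of the original post), the following Python snippet shows how a defender could turn the indicators above into a quick proxy-log check: it confirms that the recommended /23 and /24 blocklist actually covers both phone-home IPs, and then flags outbound requests that hit the blocklist ranges, the known C2 addresses, the `/apache_handler.php` callback path, or the euple.com download host. The log format and the log lines are constructed for illustration; the legitimate openh264 download mentioned above is included as a line that should not be flagged.

```python
import ipaddress
from typing import Iterable, Iterator, List, Tuple
from urllib.parse import urlparse

# Indicators taken from the post above.
BLOCKLIST_CIDRS = [ipaddress.ip_network(c) for c in ("88.214.236.0/23", "109.248.59.0/24")]
C2_IPS = {"88.214.236.36", "109.248.59.100"}
C2_PATH = "/apache_handler.php"
DOWNLOAD_HOST = "euple.com"


def blocklist_covers_c2() -> bool:
    """Sanity check: every known C2 IP falls inside at least one recommended CIDR."""
    return all(
        any(ipaddress.ip_address(ip) in net for net in BLOCKLIST_CIDRS) for ip in C2_IPS
    )


def classify_request(url: str, dest_ip: str) -> List[str]:
    """Return the indicator labels matched by a single outbound request."""
    hits: List[str] = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        ip = None  # malformed address: skip the CIDR test, still check the other indicators
    if ip is not None and any(ip in net for net in BLOCKLIST_CIDRS):
        hits.append("blocklist-cidr")
    if dest_ip in C2_IPS or host in C2_IPS:
        hits.append("known-c2-ip")
    if parsed.path == C2_PATH:
        hits.append("c2-path")
    if host == DOWNLOAD_HOST:
        hits.append("payload-host")
    return hits


def scan_proxy_log(lines: Iterable[str]) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (line_number, url, hits) for each log line matching an indicator.

    Assumed (constructed) log format, one request per line:
        <timestamp> <client_ip> <dest_ip> <method> <url> <status>
    """
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 6:
            continue  # not a well-formed request line
        dest_ip, url = parts[2], parts[4]
        hits = classify_request(url, dest_ip)
        if hits:
            yield n, url, hits


# Constructed sample log: a download of the script's payload, the benign openh264
# decoy download, two phone-home POSTs, and an unrelated request.
SAMPLE_LOG = [
    "2016-10-05T09:41:02Z 10.0.0.12 203.0.113.7 GET http://euple.com/65rfgb?EfTazSrkG=eLKWKtL 200",
    "2016-10-05T09:41:03Z 10.0.0.12 198.51.100.20 GET http://ciscobinary.openh264.org/openh264-win32-v1.3.zip 200",
    "2016-10-05T09:41:10Z 10.0.0.12 88.214.236.36 POST http://88.214.236.36/apache_handler.php 200",
    "2016-10-05T09:41:31Z 10.0.0.12 109.248.59.100 POST http://109.248.59.100/apache_handler.php 200",
    "2016-10-05T09:42:00Z 10.0.0.33 93.184.216.34 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    print("blocklist covers both C2 IPs:", blocklist_covers_c2())
    for line_no, url, hits in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: {url} -> {', '.join(hits)}")
```

The openh264 line is deliberately left unflagged: matching on the decoy download would only generate false positives, whereas the `/apache_handler.php` path and the two address ranges are the indicators worth alerting on.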