From: Bill Rivera
Date: Wednesday, 23 November 2016, 9:45
Subject: Please Pay Attention

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.

The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script that looks like this.
This particular script (and there will be others) downloads a malicious component from one of the following locations:
According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.
The Hybrid Analysis report clearly shows the ransomware in action, communicating with the following URLs:
18.104.22.168/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
22.214.171.124/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
126.96.36.199/information.cgi (OVH, France)
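To make the indicators above usable in practice, here is an added example (my own code, not part of the original post or any vendor tooling) that does three things: flags an inbound ZIP attachment whose name follows the lastpayment_ pattern and which contains a .JS script, compares a dropped file's MD5 against the hash quoted from the Malwr report, and scans proxy log lines for requests to /information.cgi on the listed hostnames or IPs. The log format, the sample log lines and the in-memory sample ZIP are constructed for the example; the indicator values are the ones listed in this post.

```python
import hashlib
import io
import re
import zipfile
from urllib.parse import urlparse

# Indicators taken from the write-up above.
C2_HOSTS = {"djaksa.airplexalator.com", "kostya234.itldc-customer.net"}
C2_IPS = {"18.104.22.168", "22.214.171.124", "126.96.36.199"}
C2_PATH = "/information.cgi"
DLL_MD5 = "def0d0070d4aed411b84ebd713fd8b92"

# Attachment name: lastpayment_<local part of recipient address>.zip
ATTACHMENT_RE = re.compile(r"^lastpayment_[^@/\\]+\.zip$", re.IGNORECASE)

# Constructed proxy log format (hypothetical, not from the post):
#   <timestamp> <client ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d+)$")


def suspicious_attachment(zip_name, zip_bytes):
    """Return the names of .js members if the ZIP matches the lure pattern, else []."""
    if not ATTACHMENT_RE.match(zip_name):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(".js")]
    except zipfile.BadZipFile:
        # A corrupt archive is not a match for this lure; handle it elsewhere.
        return []


def is_known_dll(data):
    """True if the MD5 of the dropped file equals the hash quoted from the Malwr report."""
    return hashlib.md5(data).hexdigest() == DLL_MD5


def matches_c2(url):
    """True if the URL hits /information.cgi on one of the listed hosts or IPs."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return (host in C2_HOSTS or host in C2_IPS) and u.path == C2_PATH


def scan_proxy_log(lines):
    """Return (timestamp, client, url) for every log line that matches the C2 indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash
        if matches_c2(m["url"]):
            hits.append((m["ts"], m["src"], m["url"]))
    return hits


def make_sample_zip(member_name, content=b"WScript.Echo(1);"):
    """Build a small in-memory ZIP for demonstration (constructed, not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed sample log lines; only the second and third match the indicators.
SAMPLE_LOG = [
    "2016-11-23T09:47:02Z 10.0.0.5 GET http://www.example.com/ 200",
    "2016-11-23T09:47:09Z 10.0.0.5 GET http://22.214.171.124/information.cgi 200",
    "2016-11-23T09:47:11Z 10.0.0.5 POST http://djaksa.airplexalator.com/information.cgi 200",
    "2016-11-23T09:47:15Z 10.0.0.7 GET http://126.96.36.199/other.cgi 404",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    lure = make_sample_zip("k3j9f.js")
    print(suspicious_attachment("lastpayment_john.zip", lure))  # ['k3j9f.js']
    print(suspicious_attachment("invoice.zip", lure))            # []
    print(is_known_dll(b"not the dropped dll"))                  # False
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C2 hit:", hit)
```

The attachment check keys on the naming pattern rather than on a specific filename because, as the post notes, the script inside the archive is randomly named; the log scan matches on host and path together so that unrelated traffic to the same hosting providers is not flagged.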