From: Herman Middleton
Date: 9 December 2016 at 07:40
Subject: Firewall Software

Hey [redacted], it is Herman. You've asked me to order new firewall software for our office computers.
Done and ready. Here, in the attachment, is the full invoice of the software counteragent.
Please check it out.

IT Support Manager

Attached is a ZIP file with a name like f_license_5330349.zip, which contains a randomly named and very highly obfuscated .js script.
The Hybrid Analysis and Malwr reports show that the analysed script downloads a component from welte.pl/mupze (there will probably be dozens of other locations) and appears to drop a DLL with a detection rate of 4/56. The Hybrid Analysis report also detects C2 traffic to:
126.96.36.199/checkupdate [hostname: saluk1.example.com] (Total Server Solutions, US)
188.8.131.52/checkupdate (OVH, France)
It's worth mentioning perhaps that other Locky C2 servers seen in the past 12 hours are as follows:
184.108.40.206/checkupdate [hostname: mrn46.powerfulsecurities.com] (Miran, Russia)
220.127.116.11/checkupdate [hostname: prujio.com] (Layer6, Latvia)
18.104.22.168/checkupdate [hostname: free.example.com] (Informtehtrans, Russia)
22.214.171.124/checkupdate (Rinet LLC, Ukraine)
126.96.36.199/checkupdate (Agava, Russia)
188.8.131.52/checkupdate (Dunaevskiy Denis Leonidovich / Zomro, Ukraine)
Although some of these are from different sub-groups of Locky pushers, let's stick them all together for the sake of convenience. Note that there are at least a couple of bad /24 blocks in there.
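As an added example (not from the original post), the following Python check scans proxy log lines for the C2 addresses listed above, for anything inside their /24 blocks, and for the POST /checkupdate beacon pattern on an unlisted raw IP. The log lines and the destinations 126.96.36.210 and 203.0.113.77 are constructed for the example.

```python
import ipaddress
import re

# Locky C2 addresses listed in the post (each serves "/checkupdate"), deduplicated.
LOCKY_C2_IPS = {
    "126.96.36.199", "188.8.131.52", "184.108.40.206",
    "220.127.116.11", "18.104.22.168", "22.214.171.124",
}

# Constructed proxy log (timestamp, client, method, URL, status); not from the post.
# 126.96.36.210 and 203.0.113.77 are made-up destinations for the example.
SAMPLE_LOG = """\
1481269200.101 10.0.0.12 POST http://126.96.36.199/checkupdate 200
1481269202.010 10.0.0.31 GET http://www.example.com/index.html 200
1481269209.870 10.0.0.45 POST http://126.96.36.210/checkupdate 404
1481269212.402 10.0.0.45 POST http://203.0.113.77/checkupdate 200
"""

# Captures client, method, host (port stripped) and path from one log line.
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+https?://([^/:\s]+)(?::\d+)?(/[^?\s]*)?\s+\d+$")

def classify(method, host, path, c2_ips, blocks):
    # Return why a request is suspicious, or None if nothing matched.
    if host in c2_ips:
        return "known Locky C2"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname, not a bare IP: the checks below need an address
    if any(addr in block for block in blocks):
        return "inside known C2 /24"
    if method == "POST" and path == "/checkupdate":
        return "checkupdate beacon pattern"  # same URI as the C2s, on an unlisted raw IP
    return None

def scan_log(log_text, c2_ips=LOCKY_C2_IPS):
    # Return (client, destination, reason) for each suspicious line in the log.
    # Widen each C2 address to its /24, since the post notes whole blocks are bad.
    blocks = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in c2_ips}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, host, path = m.groups()
        reason = classify(method, host, path or "/", c2_ips, blocks)
        if reason:
            hits.append((client, host, reason))
    return hits
```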