From: alvertakarpinskykcc@yahoo.com
Date: 10 August 2015 at 19:40
Subject: Resume
Signed by: yahoo.com

Hi my name is Gabriel Daniel doc is my resume
I would appreciate your immediate attention to this matter
Kind regards
Gabriel Daniel

Interestingly, the email does really appear to come via Yahoo!'s mail servers. Attached is a document Gabriel_Daniel_resume.doc which contains this malicious macro [pastebin] with a VirusTotal detection rate of 2/56.

As far as I can tell, it appears to download a disguised JPG file from 46.30.43.179/1.jpg (Eurobyte LLC, Russia) which appears to be an encrypted executable. I wasn't able to decode all of the macro, however this Hybrid Analysis report shows clearly what is going on.
So, it is pretty clear that the payload here is Cryptowall (which encrypts all the victim's files). The same Hybrid Analysis report shows that it POSTs information to:
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m
conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?o=ups5xom3u2sb01
It also directs the visitor to various personalised ransom pages hosted on 80.78.251.170 (Agava, Russia).
Recommended blocklist:
46.30.43.179
80.78.251.170
conopizzauruguay.com
MD5:
e34cf893098bd17ae9ef18b04cff58aa
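To turn the indicators above into something a defender can run, here is an added example (not part of the original post) that scans proxy log lines for the blocklisted hosts, the disguised 1.jpg download and the cccc.php POST beacons. The log format and the log lines themselves are constructed for the example; only the hosts, path and query strings come from the post.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post above
BLOCKLIST_HOSTS = {"46.30.43.179", "80.78.251.170", "conopizzauruguay.com"}
# Beacon path from the Hybrid Analysis report; each POST carries one single-letter query key
BEACON_PATH = "/wp-content/wp-content/themes/twentythirteen/cccc.php"

# Constructed proxy log lines (hypothetical format: timestamp client method url status)
SAMPLE_LOG = """\
2015-08-10T19:42:01 10.0.0.5 GET http://46.30.43.179/1.jpg 200
2015-08-10T19:42:03 10.0.0.5 POST http://conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?v=c91jzn46yr 200
2015-08-10T19:42:05 10.0.0.5 POST http://conopizzauruguay.com/wp-content/wp-content/themes/twentythirteen/cccc.php?b=86v97tziud5m 200
2015-08-10T19:42:09 10.0.0.5 GET http://80.78.251.170/ 200
2015-08-10T19:43:00 10.0.0.7 GET http://example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url: str, method: str) -> Optional[str]:
    """Return a verdict label for one request, or None if it is not of interest."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    # C2 beacon: exact cccc.php path, POST, exactly one single-letter query key (v=, b=, o=)
    if parts.path == BEACON_PATH and method == "POST" and len(qs) == 1 and len(next(iter(qs))) == 1:
        return "cryptowall-c2-beacon"
    if host in BLOCKLIST_HOSTS:
        # The payload is fetched as a file with a .jpg name that is really an encrypted executable
        if parts.path.lower().endswith(".jpg"):
            return "disguised-payload-download"
        return "blocklisted-host"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, verdict, url) for every hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, method, url, _status = m.groups()
        verdict = classify(url, method)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{url}")
```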