From: canon@victimdomain.tld
Date: 10 March 2016 at 09:02
Subject: Attached File
In the sample I saw, there was an attachment victimname@victimdomain.tld_07567_273772.zip which contained a randomly named script with a detection rate of 5/57. Automated analysis [1] [2] shows that this is the Locky ransomware, and it downloads a binary from:
buyfuntees.com/system/logs/7t6f65g.exe
This binary has a detection rate of just 1/56. Those reports indicate that the malware phones home to:
31.184.196.78 (Petersburg Internet Network Ltd, Russia)
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
There are probably many other download locations and some more C2s as well; I will update this post if I see them.
UPDATE
This additional analysis is from a trusted third party (thank you!).
Additional download locations:
Additional C2s:
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
91.234.33.149 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)
The sender address is canon, copier, epson, scanner or xerox at the victim's own domain.
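As an added example (not from the original post), a small Python checker that flags mail-log entries matching the lure pattern described here: a device-style sender at the recipient's own domain, and a zip attachment named after the recipient address. The log format and the sample lines are constructed for illustration.

```python
import re

# Constructed sample mail-log lines (not from the original post): sender, recipient, attachment
SAMPLE_LOG = """\
sender=canon@victimdomain.tld rcpt=alice@victimdomain.tld attach=alice@victimdomain.tld_07567_273772.zip
sender=xerox@victimdomain.tld rcpt=bob@victimdomain.tld attach=bob@victimdomain.tld_11111_222222.zip
sender=support@vendor.example rcpt=carol@victimdomain.tld attach=invoice.pdf
sender=canon@victimdomain.tld rcpt=dave@other.example attach=report.docx
"""

# Local parts the campaign spoofs at the recipient's own domain
LURE_LOCALPARTS = {"canon", "copier", "epson", "scanner", "xerox"}
LINE_RE = re.compile(r"sender=(\S+)\s+rcpt=(\S+)\s+attach=(\S+)")
# Attachment shaped like <recipient address>_<digits>_<digits>.zip, as in the sample
ATTACH_RE = re.compile(r"^(?P<addr>[^_\s]+@[^_\s]+)_\d+_\d+\.zip$", re.IGNORECASE)


def classify(line):
    """Return (recipient, [reasons]) for a parsable log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sender, rcpt, attach = m.groups()
    s_local, _, s_domain = sender.lower().rpartition("@")
    r_domain = rcpt.lower().rpartition("@")[2]
    reasons = []
    # Device-style local part AND sender domain equals recipient domain
    if s_local in LURE_LOCALPARTS and s_domain == r_domain:
        reasons.append("device-style sender spoofing recipient domain")
    am = ATTACH_RE.match(attach)
    if am and am.group("addr").lower() == rcpt.lower():
        reasons.append("zip named after recipient address")
    return rcpt, reasons


def scan(log):
    """Map each recipient with at least one matching reason to its reasons."""
    hits = {}
    for line in log.splitlines():
        result = classify(line)
        if result and result[1]:
            hits[result[0]] = result[1]
    return hits


if __name__ == "__main__":
    for rcpt, reasons in scan(SAMPLE_LOG).items():
        print(rcpt, "->", "; ".join(reasons))
```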
Recommended blocklist:
31.184.196.78
78.40.108.39
91.219.30.254
91.234.33.149