From: Orval Burgess
Date: 8 March 2016 at 11:10
Subject: Compensation - Reference Number #368380
Dear Customer,
The mistake made will be compensated promptly, please do not worry.
Please take a look at the file attached (scanned document) as it contains all the information.
Sincerely,
Orval Burgess
Account Manager
Attached is a file named in a similar format to SCAN_00_368380.zip, which contains TWO malicious scripts named in a format similar to email.864036956.js (VirusTotal results [1] [2] [3] [4]). Automated analysis tools [5] [6] [7] [8] [9] [10] [11] [12] show binary download locations at:
ministerepuissancejesus.com/o097jhg4g5
ozono.org.es/k7j6h5gf
Those same reports indicate the malware attempts to phone home to the following IPs:
89.108.85.163 (Agava Ltd, Russia)
151.236.14.51 (EDIS, Netherlands)
149.154.157.14 (EDIS, Italy)
37.235.53.18 (EDIS, Spain)
192.121.16.196 (EDIS, Sweden)
Those automated reports all indicate that this is the Locky ransomware.
UPDATE
A trusted source also informs me of these additional download locations:
In addition, there is another IP address the malware phones home to:
212.47.223.19 (Web Hosting Solutions Oy, Estonia)
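As an added example (not part of the original post), the following Python turns the indicators above into two defender-side checks: one inspects a mail attachment for this campaign's naming pattern (a SCAN_00_<ref>.zip archive carrying email.<digits>.js scripts), the other matches firewall log lines against the phone-home IP addresses listed in the post. The sample archive and the log lines are constructed here for the demonstration; the `src=... dst=...` log format is an assumption.

```python
import io
import re
import zipfile

# Campaign indicators taken from the post above (not constructed).
ZIP_NAME_RE = re.compile(r"^SCAN_\d{2}_\d+\.zip$", re.IGNORECASE)
SCRIPT_NAME_RE = re.compile(r"^email\.\d+\.js$", re.IGNORECASE)
BLOCKLIST = {
    "89.108.85.163", "151.236.14.51", "149.154.157.14",
    "37.235.53.18", "192.121.16.196", "212.47.223.19",
}


def inspect_attachment(filename, data):
    """Return the reasons an attachment matches this campaign (empty list = no match)."""
    reasons = []
    if ZIP_NAME_RE.match(filename):
        reasons.append("zip name matches SCAN_00_<ref>.zip pattern")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return reasons  # not a zip archive; a name match (if any) still stands
    scripts = [n for n in names if n.lower().endswith(".js")]
    if scripts:
        reasons.append(f"zip contains {len(scripts)} JavaScript file(s)")
    if any(SCRIPT_NAME_RE.match(n) for n in scripts):
        reasons.append("script name matches email.<digits>.js pattern")
    return reasons


def blocklist_hits(log_lines):
    """Return (src, dst) pairs for log lines whose destination is on the blocklist."""
    line_re = re.compile(r"src=(\S+)\s+dst=(\S+)")  # assumed firewall log layout
    hits = []
    for line in log_lines:
        m = line_re.search(line)
        if m and m.group(2) in BLOCKLIST:
            hits.append((m.group(1), m.group(2)))
    return hits


def build_sample_zip():
    """Constructed look-alike of the attachment: two inert .js entries, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("email.864036956.js", "// inert placeholder\n")
        zf.writestr("email.864036957.js", "// inert placeholder (constructed name)\n")
    return buf.getvalue()
```

A mail gateway would call `inspect_attachment` on each incoming archive and quarantine anything that returns reasons; `blocklist_hits` is a quick way to find hosts that have already contacted the command-and-control addresses.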
Recommended blocklist: the six phone-home IP addresses listed above.