From: AMAZON.COM [Mailer-daemon@amazon.com]
Date: 11 March 2016 at 09:09
Subject: Your Amazon order #137-89653734-2688148
Hello,
Thank you for your order. We'll let you know once your item(s) have dispatched.You can check the status of your order or make changes to it by visiting Your Orders on Amazon.com.
Order Details
Order #137-89653734-2688148 Placed on March 11, 2016
Order details and invoice in attached file.
Need to make changes to your order? Visit our Help page for more information and video guides.
We hope to see you again soon.
Amazon.com
Reference numbers vary from email to email. Attached is a file with a name similar to ORD137-89653734-2688148.zip which contains a malicious script of which I have seen just a single sample with a detection rate of 5/56. According to this Malwr report, the script downloads a binary from:
mercadohiper.com.br/system/logs/uy78hn654e.exe
That binary has a detection rate of 4/55. According to the Malwr report for the script and this Malwr report for the binary, it phones home to:
31.184.196.75 (Petersburg Internet Network, Russia)
91.219.30.254 (FLP Kochenov Aleksej Vladislavovich, Ukraine)
There are probably other download locations and C2s, I will update this post if I find out what they are.
UPDATE
Some additional C2s from various sources:
78.40.108.39 (PS Internet Company LLC. Kazakhstan)
31.184.196.78 (Petersburg Internet Network, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Ukraine)
Some additional download locations for this and other locky spam runs today:
solucionesdubai.com.ve/system/logs/uy78hn654e.exe
ghayatv.com/system/logs/uy78hn654e.exe
dolcevita-ykt.ru/system/logs/uy78hn654e.exe
Recommended blocklist:
31.184.196.75
91.219.30.254
78.40.108.39
31.184.196.78
91.234.32.192
No comments:
Post a Comment