Sponsored by..

Wednesday, 11 May 2016

Malware spam: Emailing: Photo 05-11-2016, 03 26 04

This spam comes with a malicious attachment:

From:    victim@victimdomain.tld
To:    victim@victimdomain.tld
Date:    11 May 2016 at 12:39
Subject:    Emailing: Photo 05-11-2016, 03 26 04

Your message is ready to be sent with the following file or link
attachments:

Photo 05-11-2016, 03 26 04


Note: To protect against computer viruses, e-mail programs may prevent
sending or receiving certain types of file attachments.  Check your e-mail
security settings to determine how attachments are handled.
It appears to come from the sender's own email address, but this is a simple forgery (explained here). Attached is a ZIP file with a name similar to Photo 05-11-2016, 03 26 04.zip (the numbers in the attachment
match the references in the email). It contains a .js file with a similar name.

Trusted third-party analysis (thank you!) shows the various scripts downloading from:

51941656.de.strato-hosting.eu/87yg7yyb
67.222.43.30/87yg7yyb
developinghands.com/87yg7yyb
gesdes.com/87yg7yyb
helpcomm.com/87yg7yyb
neihan8.tk/87yg7yyb
oldtimerfreunde-pfinztal.de/87yg7yyb
otakutamashi.cl/87yg7yyb
sarikamisotelleri.com/87yg7yyb

This drops a file with a detection rate of 3/56. This is likely to be Locky ransomware, a full analysis is pending. However an earlier Locky campaign today phoned home to:

185.82.202.170 (Host Sailor, United Arab Emirates)
88.214.236.11 (Overoptic Systems, UK / Russia)
5.34.183.40 (ITL, Ukraine)

According to a DeepViz report,  this sample has identical characteristics.

Recommended blocklist:
185.82.202.170
88.214.236.11
5.34.183.40
Posted by at
Labels: , , , , , ,

2 comments:

Unknown said...

Thank you for posting this. Just received one of these today. I knew it was spam because I didn't send a "Photo" from myself to myself, but I was curious as to how they were able to do it via my email address. Now I know!

11 May 2016 at 15:37
PC.Tech said...

ALL the ones posted above are bad, ya' think?

strato-hosting .eu/87yg7yyb - 192.166.192.45
67.222.43.30 /87yg7yyb
developinghands .com/87yg7yyb - 199.83.129.18 | 199.83.131.18
gesdes .com/87yg7yyb - 23.229.156.225
helpcomm .com/87yg7yyb - 108.48.19.108
neihan8 .tk/87yg7yyb - Could not find an IP address for this domain name.
oldtimerfreunde-pfinztal .de/87yg7yyb - 81.169.145.159
otakutamashi .cl/87yg7yyb - 192.185.16.84
sarikamisotelleri .com/87yg7yyb - 217.116.197.125

//

11 May 2016 at 17:28

Post a Comment

Subscribe to: Post Comments (Atom)