Monday, 16 May 2016

Malware spam: "I have attached a revised spreadsheet.."

This spam has a malicious attachment:

From:    Britney Hart
Date:    16 May 2016 at 13:15
Subject:    Re:

hi [redacted]

I have attached a revised spreadsheet contains customers. Please check if it's correct

Regards,
Britney Hart

Other variations of the body text seen so far:

I have attached a revised spreadsheet contains general journal entries. Please check if it's correct
I have attached a revised spreadsheet contains estimates. Please check if it's correct


Attached is a ZIP file containing three identical malicious .js files. The ones I have seen so far download from:

fundaciontehuelche.com.ar/897kjht4g34
thetestserver.net/fg45g4g
technobuz.com/876jh5g4g4


There are probably other download locations. Each one downloads a slightly different binary (VirusTotal prognosis [1] [2] [3]) and automated analysis [5] [6] [7] [8] [9] shows the malware phoning home to:

188.127.231.124 (SmartApe, Russia)
31.184.197.72 (Petersburg Internet Network, Russia)
92.222.71.26 (RunAbove / OVH, France)
149.202.109.202 (Evgenij Rusachenko aka lite-host.in, Russia / OVH, France)


The payload is Locky ransomware.
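The attachment described above is the usual pattern: a ZIP whose only contents are script files that Windows will run from a double-click, here three identical .js downloaders. The following triage routine is an added example, not code from this post or from the malware, and it mirrors that pattern with a constructed ZIP: three differently named .js members with identical content that carry the three download URLs quoted above (the script body, member names and the benign .xlsx sample are all constructed). It inspects the archive without executing anything: inventories members, caps how much it will inflate per member, hashes each member to spot identical copies, flags script extensions, and pulls URLs out of the script text for blocking or lookup.

```python
import hashlib
import io
import os
import re
import zipfile

# Extensions that Windows Script Host or mshta will run from a double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Refuse to inflate any single member larger than this (zip-bomb guard).
MAX_MEMBER_BYTES = 5 * 1024 * 1024

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?")

# Constructed stand-in for the script body: it only carries the three
# download URLs quoted in the post, not the real downloader logic.
SAMPLE_JS = (
    "// constructed sample, not the real downloader\n"
    'var sites = ["http://fundaciontehuelche.com.ar/897kjht4g34",\n'
    '             "http://thetestserver.net/fg45g4g",\n'
    '             "http://technobuz.com/876jh5g4g4"];\n'
)

# Three differently named members with identical content, as in the post.
SAMPLE_MEMBERS = {
    "spreadsheet_1.js": SAMPLE_JS.encode(),
    "spreadsheet_2.js": SAMPLE_JS.encode(),
    "spreadsheet_3.js": SAMPLE_JS.encode(),
}

# Constructed benign comparison: a single non-script member.
BENIGN_MEMBERS = {"spreadsheet.xlsx": b"constructed placeholder, not a real workbook"}


def make_zip(members):
    """Build an in-memory ZIP from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def triage_zip(data):
    """Inspect a ZIP attachment without executing anything inside it.

    Returns a dict with the member inventory, the members carrying a
    script extension, groups of members with identical content, every
    URL found in script members, and a verdict of "block" or "clean".
    """
    report = {
        "members": [],
        "script_members": [],
        "duplicate_groups": {},
        "urls": set(),
        "verdict": "clean",
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name)[1].lower()
            if info.file_size > MAX_MEMBER_BYTES:
                # Record it but do not inflate it.
                report["members"].append((name, info.file_size, "oversize"))
                continue
            blob = zf.read(info)
            digest = hashlib.sha256(blob).hexdigest()
            report["members"].append((name, len(blob), digest))
            report["duplicate_groups"].setdefault(digest, []).append(name)
            if ext in SCRIPT_EXTENSIONS:
                report["script_members"].append(name)
                text = blob.decode("utf-8", errors="replace")
                report["urls"].update(URL_RE.findall(text))
    if report["script_members"]:
        report["verdict"] = "block"
    return report


if __name__ == "__main__":
    for label, members in (("malicious", SAMPLE_MEMBERS), ("benign", BENIGN_MEMBERS)):
        r = triage_zip(make_zip(members))
        print(label, r["verdict"], r["script_members"], sorted(r["urls"]))
```

The extension check uses the last suffix only, so a double-extension name such as `invoice.xls.js` is still caught. The extracted URLs are what you would feed into proxy blocking or the kind of download-location list the post keeps; the SHA-256 digests let you confirm the "three identical files" observation on a new sample in seconds.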

Recommended blocklist:
188.127.231.124
31.184.197.72
92.222.71.26
149.202.109.202
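Besides blocking the four addresses, the same indicators are worth running back over proxy logs to find hosts that already fetched the downloader or started beaconing. The script below is an added example, not part of the post: it takes the post's four C2 addresses and three download URLs and scans Squid native-format access log lines for either. The log lines are constructed for the example (the resolved addresses of the download hosts are documentation-range placeholders, and the C2 request path is invented). The download URLs are matched on host plus exact path, since the post only recommends blocking the IPs, so ordinary traffic to those sites is not flagged.

```python
from urllib.parse import urlsplit

# Addresses the post recommends blocking (Locky phone-home).
C2_IPS = {
    "188.127.231.124",
    "31.184.197.72",
    "92.222.71.26",
    "149.202.109.202",
}

# Downloader fetch locations from the post (host + path), matched exactly.
DOWNLOAD_URLS = {
    "fundaciontehuelche.com.ar/897kjht4g34",
    "thetestserver.net/fg45g4g",
    "technobuz.com/876jh5g4g4",
}

# Constructed Squid native-format lines:
#   time elapsed client code/status bytes method url ident peer/host type
# 203.0.113.x and 192.0.2.x are documentation ranges, not real resolutions.
SAMPLE_LOG = """\
1463404500.123 350 10.0.0.15 TCP_MISS/200 91234 GET http://thetestserver.net/fg45g4g - DIRECT/203.0.113.7 application/octet-stream
1463404505.456 120 10.0.0.15 TCP_MISS/200 512 POST http://188.127.231.124/ - DIRECT/188.127.231.124 text/html
1463404510.789 40 10.0.0.22 TCP_HIT/200 4096 GET http://thetestserver.net/ - DIRECT/203.0.113.7 text/html
1463404515.001 60 10.0.0.31 TCP_MISS/200 2048 GET http://example.com/index.html - DIRECT/192.0.2.10 text/html
"""


def parse_squid_line(line):
    """Split one Squid native log line into the fields this check needs."""
    parts = line.split()
    if len(parts) < 9:
        return None
    peer = parts[8].split("/", 1)[-1]  # "DIRECT/1.2.3.4" -> "1.2.3.4"
    return {
        "ts": parts[0],
        "client": parts[2],
        "method": parts[5],
        "url": parts[6],
        "peer": peer,
    }


def classify(record):
    """Return the indicator type hit by one parsed record, or None."""
    u = urlsplit(record["url"])
    host = (u.hostname or "").lower()
    if host + u.path in DOWNLOAD_URLS:
        return "downloader_fetch"
    # The C2 is addressed by raw IP, so check both the URL host and the
    # peer the proxy actually connected to.
    if host in C2_IPS or record["peer"] in C2_IPS:
        return "c2_beacon"
    return None


def scan_log(text):
    """Return one alert per log line that matches an indicator."""
    alerts = []
    for line in text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            alerts.append({
                "indicator": hit,
                "client": rec["client"],
                "url": rec["url"],
                "ts": rec["ts"],
            })
    return alerts


def affected_clients(alerts):
    """Internal hosts to isolate: anything that fetched or beaconed."""
    return {a["client"] for a in alerts}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["client"], a["indicator"], a["url"])
    print("isolate:", sorted(affected_clients(found)))
```

In the constructed log, 10.0.0.15 both fetches the downloader and then posts to a C2 address, while the request for the site root of one download host (10.0.0.22) is not flagged because only the full path is an indicator. The extra download locations listed in the comment below can be appended to DOWNLOAD_URLS in the same host/path form.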


1 comment:

  1. Additional download sites

    http://albany.asn.au/0843r43ttg4g
    http://aquatixbottle.com/nhftgrg45
    http://deanstum.com/gnhy5jh4g
    http://fashmedia.co.uk/mhgh44g4
    http://fundaciontehuelche.com.ar/897kjht4g34
    http://lhhme.com.sg/09756y4g
    http://modulofm.com.br/drg4g45g
    http://muscleinjuries.com/0934f4fr4g
    http://neophrontech.com/8j656hg45hg
    http://optimus-communication.com/6y45gj445
    http://scpremiumbikes.com/4g45gh45
    http://srilaktours.com/096r23e23r
    http://sunlite.com.au/j76jn5nbv
    http://tafeta.ca/32r45h5
    http://technobuz.com/876jh5g4g4
    http://thetestserver.net/fg45g4g
    http://versus.uz/87i65hgr
    http://visionpharmapk.com/32svbrth67
