From: Frederic Spears
Date: 20 May 2016 at 10:29
Subject: Re:
Hi [redacted],
I wanted to follow up with you about your refund.
Please find the attached document
Regards,
Frederic Spears
CBS Corporation
The company name and sender's name varies from message to message. Attached is a ZIP file which contains elements of the recipient's name, which in turn contains one of a variety of malicious scripts. Out of the samples I have seen, I have so far found download locations of:
delicious-doughnuts.net/oqpkvlam
dev.hartis.org/asvfqh2vn
dugoutdad.com/0ygubbvvm
craftbeerventures.nl/hgyf46sx
babamal.com/av2qavqwv
forshawssalads.co.uk/af1fcqav
Only three of those download locations work so far (VirusTotal results [1] [2] [3]) and automated analysis of those [4] [5] [6] [7] [8] shows behaviour consistent with Locky ransomware. All of those reports show the malware phoning home to:
91.219.29.106 (FLP Kochenov Aleksej Vladislavovich / uadomen.com, Ukraine)
51.254.240.89 (Relink LLC, Russia / OVH, France)
138.201.118.102 (Hetzner, Germany)
Recommended blocklist:
91.219.29.106
51.254.240.89
138.201.118.102
1 comment:
Hello,
I use some of your post as defense element for our anti-spam solution but in some post like here, you write messages elements partially so could you post the complete eml file or at least precise details like name or pattern of file in the attachment archive ? Original headers could lead to a more complete analysis.
I have to thank you again for the work you do maintaining this blog and keeping us informed of attack we could have missed.
Best regards,
Leon Kame
Post a Comment