From: Faith Davidson (Davidson.43198@optimaestate.com)
Date: Wednesday, 27 July 2016, 11:13
Subject: updated details

Attached is the updated details about the company account you needed

King regards
Faith Davidson

c57b98d01fd8a94bbf77f902b84f7c0ee46c514051b555c2be

The spam comes from different senders, each message carrying a different hexadecimal string in the body. Attached is a ZIP file with a random name, containing a malicious .wsf script. Analysis of a sample shows the script downloads from:

beauty-jasmine.ru/6dc2y

There will be many more download locations in addition to that. It drops an executable which appears to be Locky ransomware, with a detection rate of 7/55. Analysis of this payload is pending, but the C2 servers may well be the same as those found here.
UPDATE
The C2 locations for this variant are:
5.9.253.173/upload/_dispatch.php (Dmitry Zheltov, Russia / Hetzner, Germany)
178.62.232.244/upload/_dispatch.php (Digital Ocean, Netherlands)
151.80.207.170/upload/_dispatch.php (Evgenij Rusachenko, Russia / OVH, France)
Recommended blocklist:
5.9.253.160/27
178.62.232.244
151.80.207.168/30
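As an added example (not part of the original post), the following Python script matches proxy log lines against the indicators listed above: the download host from the script sample, the /upload/_dispatch.php C2 path, and the three recommended blocklist ranges. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for this example and are not from the campaign; only the hosts, path and CIDRs are taken from the post.

```python
import ipaddress
import re

# Indicators taken from the post above.
DOWNLOAD_HOSTS = {"beauty-jasmine.ru"}
C2_PATH = "/upload/_dispatch.php"
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "5.9.253.160/27",
    "178.62.232.244/32",
    "151.80.207.168/30",
)]

# Assumed log format (constructed for this example, not a real log):
# "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# Split a URL into host and path; scheme and port are optional.
URL_RE = re.compile(r"^(?:https?://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$")


def classify_url(url):
    """Return the list of indicator types a URL matches.

    Possible values: 'download-host' (known payload host), 'blocklist-ip'
    (host is an IP inside a recommended blocklist range), 'c2-path' (URL path
    is the Locky check-in script). An empty list means no match.
    """
    m = URL_RE.match(url)
    if not m:
        return []
    host = m.group("host").lower()
    path = m.group("path") or "/"
    hits = []
    if host in DOWNLOAD_HOSTS:
        hits.append("download-host")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a name, not a literal IP
    if ip is not None and any(ip in net for net in BLOCKLIST):
        hits.append("blocklist-ip")
    if path.startswith(C2_PATH):
        hits.append("c2-path")
    return hits


def scan_log(lines):
    """Return (client, url, hits) for every log line that matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        hits = classify_url(m.group("url"))
        if hits:
            findings.append((m.group("client"), m.group("url"), hits))
    return findings


# Constructed sample log: two infected clients and one benign request.
SAMPLE_LOG = """\
2016-07-27T11:20:01Z 10.1.2.33 GET http://beauty-jasmine.ru/6dc2y 200
2016-07-27T11:20:09Z 10.1.2.33 POST http://5.9.253.173/upload/_dispatch.php 200
2016-07-27T11:21:15Z 10.1.2.40 GET http://www.example.com/index.html 200
2016-07-27T11:22:30Z 10.1.2.33 POST http://151.80.207.170/upload/_dispatch.php 200
2016-07-27T11:23:00Z 10.1.2.51 GET http://178.62.232.244/ 404
""".splitlines()


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{', '.join(hits)}]")
```

A hit on the C2 path alone, without a blocklisted host, is the weakest of the three signals and is worth treating as a lead rather than a confirmed infection; a client that fetches a known download host and then POSTs to a blocklisted IP on the check-in path, as 10.1.2.33 does in the sample, is the sequence that indicates the dropper ran.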
1 comment:
This particular script contains only three download locations:
beauty-jasmine.ru/6dc2y (decrypted .exe: cef28528e186d81c4693d2712ef9e138)
takemaruko.web.fc2.com/29t1j (decrypted .exe: 4c8f2d9d28f1b3f75f799a1a88e88b75)
hotstreams.ru/sam9xqp0 (decrypted .exe: 28011927d39ec45c7cba20b8c1db22f7)