Subject: Agreement formThe name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
From: Marlin Gibson
Date: Wednesday, 7 September 2016, 9:35
Hi there,
Roberta assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Marlin Gibson
Support Manager
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:
donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang 51.255.227.230 (OVH, France / Kitdos)
The registration details for all those domains are the same:
Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:
These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:
23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)
The following also presumably evil sites are also hosted on those IPs:
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
UPDATE
My trusted source (thank you) says that it phones home to the following IPs and URLs:
91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php
In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
No comments:
Post a Comment