Subject: Shipping information
The sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and ending with _shipping_service.js.
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Charles Burgess
Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis report shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
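As an added defender-side example (not code from the original post), the indicators above can be turned into two simple checks: one that flags a mail attachment matching the hex-named ZIP containing a *_shipping_service.js file, and one that flags proxy log lines whose destination falls in the recommended blocklist or whose URL ends in the /data/info.php check-in path. The ".zip" suffix on the hex name, the proxy log format, and all sample data are assumptions constructed for the example.

```python
import io
import ipaddress
import re
import zipfile

# Indicators from the post: the recommended blocklist and the check-in path.
BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "5.34.183.211/32", "212.109.192.235/32", "188.127.249.0/24", "91.223.180.0/24")]
CHECKIN_PATH = "/data/info.php"
# Lure: hex-named ZIP (the ".zip" suffix is assumed) holding <random>_shipping_service.js
ZIP_NAME_RE = re.compile(r"^[0-9a-f]+\.zip$", re.IGNORECASE)
JS_NAME_RE = re.compile(r"_shipping_service\.js$", re.IGNORECASE)

def suspicious_attachment(zip_name, zip_bytes):
    """True if the ZIP name and a member inside it match the lure described above."""
    if not ZIP_NAME_RE.match(zip_name):
        return False
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(JS_NAME_RE.search(name) for name in zf.namelist())

def build_sample_zip():
    """Constructed stand-in for the attachment: a harmless placeholder .js inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("7f3a9c_shipping_service.js", "// constructed placeholder, not malware\n")
    return buf.getvalue()

# Hypothetical proxy log format: "<timestamp> <client-ip> <dest-ip> <url>"
SAMPLE_LOG = [  # constructed lines, not real traffic
    "2016-09-01T09:31:02 10.0.0.5 188.127.249.203 http://it.ivanovoobl.ru/data/info.php",
    "2016-09-01T09:31:05 10.0.0.5 91.223.180.66 http://xattllfuayehhmpnx.pw/data/info.php",
    "2016-09-01T09:32:10 10.0.0.7 93.184.216.34 http://example.com/index.html",
]

def flag_log_lines(lines):
    """Return (line, reason) pairs for lines hitting the blocklist or the check-in path."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:  # skip lines not in the hypothetical format
            continue
        dst, url = fields[2], fields[3]
        reasons = []
        if any(ipaddress.ip_address(dst) in net for net in BLOCKLIST):
            reasons.append("destination in blocklist")
        if url.endswith(CHECKIN_PATH):
            reasons.append("check-in path " + CHECKIN_PATH)
        if reasons:
            hits.append((line, "; ".join(reasons)))
    return hits
```

Only the attachment-name and blocklist checks are covered here; the /24 ranges in the blocklist will also match neighbouring hosts of the same provider, so treat a range hit as a lead to confirm rather than proof of infection.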