Subject: Please Pay Attention
From: Bill Rivera
Date: Wednesday, 23 November 2016, 9:45

Dear [redacted], we have received your payment but the amount was not full.
Probably, this occurred due to taxes we take from the amount.
All the details are in the attachment - please check it out.

The name of the sender will vary. In the sample I analysed, a ZIP file was attached with a filename beginning lastpayment_ followed by the first part of the recipient's email address. This archive contains a randomly-named malicious .JS script that looks like this.
This particular script (and there will be others) downloads a malicious component from one of the following locations:
nielsredeker.nl/gmcoirnrm
gurlfanam.net/krwjx
vedicmotet.com/61y7mljr4
praam.cz/iessl
nightpeople.co.il/xklqq33nr
According to this Malwr report a malicious DLL is dropped with an MD5 of def0d0070d4aed411b84ebd713fd8b92 and a detection rate of 6/56.
The Hybrid Analysis clearly shows the ransomware in action and shows it communicating with the following URLs:
95.213.186.93/information.cgi [hostname: djaksa.airplexalator.com] (Selectel, Russia)
195.123.209.8/information.cgi [hostname: kostya234.itldc-customer.net] (Layer6, Latvia)
213.32.66.16/information.cgi (OVH, France)
Recommended blocklist:
95.213.186.93
195.123.209.8
213.32.66.16
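As an added example (not part of the original post, and not the malware itself), here is a small Python checker that turns the indicators above into detection logic: it flags proxy log lines whose host is one of the downloader domains or the C2 IPs in the blocklist, and it tests an attachment name against the lastpayment_<local part>.zip pattern the post describes. The sample log lines are constructed; the assumption that the attachment uses a .zip extension and that "first part of the email address" means the local part before the @ are mine, not stated in the post.

```python
import re
from urllib.parse import urlsplit

# Download locations quoted in the post (host/path).
DOWNLOAD_URLS = [
    "nielsredeker.nl/gmcoirnrm",
    "gurlfanam.net/krwjx",
    "vedicmotet.com/61y7mljr4",
    "praam.cz/iessl",
    "nightpeople.co.il/xklqq33nr",
]
DOWNLOAD_HOSTS = {u.split("/", 1)[0] for u in DOWNLOAD_URLS}

# C2 addresses from the recommended blocklist in the post.
C2_IPS = {"95.213.186.93", "195.123.209.8", "213.32.66.16"}

# Attachment naming described in the post: lastpayment_<local part of recipient>.
# Assumption (mine): the archive carries a .zip extension.
ATTACHMENT_RE = re.compile(r"^lastpayment_(?P<local>[^@\s]+)\.zip$", re.IGNORECASE)


def attachment_matches(filename, recipient):
    """True if filename follows lastpayment_<local part>.zip for this recipient."""
    m = ATTACHMENT_RE.match(filename)
    if not m:
        return False
    local_part = recipient.split("@", 1)[0]
    return m.group("local").lower() == local_part.lower()


def host_of(url):
    """Extract the host from a URL; urlsplit needs a scheme to fill hostname."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def classify_url(url):
    """Return 'c2', 'downloader', or None depending on which IoC set the host hits."""
    host = host_of(url)
    if host in C2_IPS:
        return "c2"
    if host in DOWNLOAD_HOSTS:
        return "downloader"
    return None


# Constructed sample proxy log (not from the post): "<timestamp> <client> <url> <status>"
SAMPLE_PROXY_LOG = """\
2016-11-23T09:47:02Z 10.0.0.12 http://nielsredeker.nl/gmcoirnrm 200
2016-11-23T09:47:05Z 10.0.0.12 http://95.213.186.93/information.cgi 200
2016-11-23T09:48:10Z 10.0.0.33 http://example.org/index.html 200
"""


def scan_proxy_log(text):
    """Return (timestamp, client, kind, host) for every line that hits an IoC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, url = parts[0], parts[1], parts[2]
        kind = classify_url(url)
        if kind:
            hits.append((ts, client, kind, host_of(url)))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("IoC hit:", hit)
    print(attachment_matches("lastpayment_john.zip", "john@example.com"))
```

Matching is done on the host only, so a changed path (the downloader paths are per-sample) still triggers; the downloader sites are likely compromised legitimate domains, so treat those hits as worth investigating rather than as a permanent block, while the three C2 IPs are the ones the post recommends blocking outright.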