From: Hester Stanley
Date: 29 June 2016 at 13:25
Subject: Financial report
Hello [redacted],
I have attached the financial report you requested.
Regards
Hester Stanley
Chief Executive Officer
Attached is a ZIP file whose name is built from some version of the recipient's email address, one of the words "report", "freport" or "financial", and a number. The archive contains a malicious .js file whose name begins with "swift".
Trusted analysis by another party (thank you as ever) gives the following download locations:
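As an added example (not part of the original post), the following Python checks an inbound ZIP attachment against the two traits described above: the attachment name and the "swift*.js" member. It only reads the archive's central directory, never extracts or runs anything. The exact ways the recipient's address is mangled into the filename (full address, local part, '.' or '@' replaced by '_') are an assumption made here, and the sample archive is constructed in memory with a harmless placeholder rather than the campaign's script.

```python
import io
import re
import zipfile

# Ordered so that "freport" is tried before "report", which it contains.
CAMPAIGN_KEYWORDS = ("freport", "report", "financial")


def email_variants(address: str) -> set[str]:
    """Forms of the recipient's address that might appear in the ZIP name.

    Assumption: the campaign uses the full address, the local part, or the
    local part with '.' or '@' replaced by '_'. Extend as samples dictate.
    """
    addr = address.strip().lower()
    local, _, domain = addr.partition("@")
    variants = {addr, local, local.replace(".", "_")}
    if domain:
        variants.update({f"{local}_{domain}", f"{local}.{domain}"})
    return {v for v in variants if v}


def zip_name_matches(zip_name: str, recipient: str) -> bool:
    """True if the ZIP name carries the address, a campaign keyword and a number."""
    name = zip_name.strip().lower()
    if not name.endswith(".zip"):
        return False
    stem = name[:-4]
    has_address = any(v in stem for v in email_variants(recipient))
    has_keyword = any(k in stem for k in CAMPAIGN_KEYWORDS)
    has_number = re.search(r"\d", stem) is not None
    return has_address and has_keyword and has_number


def swift_js_members(zip_bytes: bytes) -> list[str]:
    """Names of members that are .js files whose base name starts with 'swift'.

    Only the central directory is read; nothing is extracted or executed.
    Raises zipfile.BadZipFile for data that is not a ZIP archive.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    hits = []
    for member in names:
        base = member.rsplit("/", 1)[-1].lower()
        if base.startswith("swift") and base.endswith(".js"):
            hits.append(member)
    return hits


def classify_attachment(zip_name: str, zip_bytes: bytes, recipient: str) -> dict:
    """Combine the filename heuristic and the archive contents into one verdict."""
    name_match = zip_name_matches(zip_name, recipient)
    try:
        js = swift_js_members(zip_bytes)
    except zipfile.BadZipFile:
        # Not a ZIP at all: worth a look on its own, but not this campaign.
        return {"name_match": name_match, "js_members": [], "verdict": "bad_zip"}
    if name_match and js:
        verdict = "campaign_match"
    elif js:
        verdict = "suspicious_js"
    elif name_match:
        verdict = "suspicious_name"
    else:
        verdict = "no_match"
    return {"name_match": name_match, "js_members": js, "verdict": verdict}


def build_sample_zip(member_name: str) -> bytes:
    """Constructed test archive; the member holds a harmless comment, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, "// constructed placeholder, not the campaign's script\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("swift48291.js")
    print(classify_attachment("jane.doe_freport_4821.zip", sample, "jane.doe@example.com"))
```

A .js member inside a ZIP from an unknown sender is worth flagging even when the filename heuristic does not fire, which is why the verdicts are kept separate rather than collapsed into a single boolean.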
115.146.42.43/5dtvzet
164.15.59.210/polytech/faculte/n0iqya
210.196.205.19/~pvpip/ypznpez0
65.99.205.183/~studiantec/w29xxnph
82.140.32.172/~haukebensch/3l6zu4
83.235.64.44/~astr-pap/3h59w9s
arquipiedra.cl/6xp7a8k5
benelist.cz/p3oyew2
buron.dk//xc71iuq
centralbs.com/wogium
centro-odontoiatrico-neuromuscolare.it/jtap3
Deutsch-Krone.privat.t-online.de/od24jb
dewaeletransportes.atspace.com/moqry4r9
dragoljub.50webs.com/2gkowrrg
dueto.sk/mdjhnlh
elipse.es/~elipse/8cbjb
enpeler.web.fc2.com/nryumnd
free.co.ca//s3po2n54
geduque.com.br/xu5u1hw
geiten.nl/jjupt07
greatlakessawingsolutions.com/zm70yfs7
jharanch.net/wsi8rh9g
josenria.nl/tohbw3e
joynergraphics.com/2e7qysyn
joynergraphics.com/9htk0ug
karosguren.web.fc2.com//sgejjt
kibridz.50webs.com/l2rvuivn
kitaori.net/r7zt9
labibliocancerdig.com/mhbgy5
laneylakes.com/fj521
maridea.cz/3w36st3
maridea.eu/3ofkxjlt
mayhemparkcom.sites.qwestoffice.net/gdduzqe
onlinepartners.no/kiwcpse
onwings.nl/~onwings.nl/zcr3r9
otherworldsbookstore.com/qmn38
otherworldsbookstore.com//w7q4o2
otherworldsbookstore.com/yluli4ye
pospesch.de/78uftb3
qualiphone.tv/fpmrb
sao24.net/0wnm7v
tczpug.org/z8nvas
teste-site.hi2.ro/7he6ez0
ulin.jp/1p5sqt
vimperk-haselburg.cz/kf27u5
www.notaverde.com/vq1ep
www.oemsen.gmxhome.de/sh91u3a
The payload is Locky ransomware, phoning home to the following servers:
93.170.123.219 (PE Gornostay Mikhailo Ivanovich aka time-host.net, Ukraine)
149.154.159.125 (EDIS, Germany)
151.236.17.45 (EDIS, Germany)
151.236.17.47 (EDIS, Germany)
194.31.59.147 (Hostbar, Russia)
I don't currently have a copy of the payload.
Recommended blocklist:
93.170.123.219
149.154.159.125
151.236.17.45
151.236.17.47
194.31.59.147
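As an added example (not part of the original post), here is a small Python scanner that runs proxy and firewall log lines against the download locations and the C2 blocklist above, and emits egress DROP rules for the five C2 addresses. Only a subset of the download URLs is embedded, chosen to cover the awkward forms (bare IP host, "~user" path, mixed-case host, "www." prefix, doubled slash); the full list from the post drops straight in. Stripping "www." and collapsing repeated slashes before comparison are matching choices made here, not something the post specifies, and the log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# A subset of the download locations listed above. Paste the full list from
# the post in here for real use.
DOWNLOAD_LOCATIONS = [
    "115.146.42.43/5dtvzet",
    "210.196.205.19/~pvpip/ypznpez0",
    "arquipiedra.cl/6xp7a8k5",
    "buron.dk//xc71iuq",
    "Deutsch-Krone.privat.t-online.de/od24jb",
    "otherworldsbookstore.com//w7q4o2",
    "www.notaverde.com/vq1ep",
]

# The five Locky C2 addresses from the recommended blocklist above.
C2_IPS = {
    "93.170.123.219", "149.154.159.125", "151.236.17.45",
    "151.236.17.47", "194.31.59.147",
}


def normalize_url(url: str) -> tuple[str, str]:
    """Reduce a URL to (host, path) for comparison.

    Scheme and port are dropped, the host is lowercased and a leading 'www.'
    removed, and runs of '/' in the path are collapsed so that 'buron.dk//xc71iuq'
    and 'http://buron.dk/xc71iuq' compare equal (matching choices made here).
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    path = re.sub(r"/+", "/", parts.path) or "/"
    return host, path


DOWNLOAD_URLS = {normalize_url(u) for u in DOWNLOAD_LOCATIONS}
DOWNLOAD_HOSTS = {host for host, _ in DOWNLOAD_URLS}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits = []
    for raw in URL_RE.findall(line):
        host, path = normalize_url(raw)
        if (host, path) in DOWNLOAD_URLS:
            hits.append(("download_url", host + path))
        elif host in DOWNLOAD_HOSTS:
            # Same host, different path: many of these are shared or personal
            # hosting, so report it separately as a lower-confidence hit.
            hits.append(("download_host", host))
    for ip in IPV4_RE.findall(line):
        if ip in C2_IPS:
            hits.append(("locky_c2", ip))
    return hits


def scan_log(lines) -> list[tuple[int, str, str]]:
    """Scan an iterable of log lines; returns (line_number, type, value) triples."""
    found = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            found.append((number, kind, value))
    return found


def iptables_rules() -> list[str]:
    """Egress DROP rules for the C2 blocklist, one per address, in numeric order."""
    ordered = sorted(C2_IPS, key=lambda s: tuple(int(o) for o in s.split(".")))
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in ordered]


# Constructed sample: three Squid-style proxy lines and two firewall lines.
SAMPLE_LOG = [
    "1467203110.512    213 10.0.0.23 TCP_MISS/200 5120 GET http://arquipiedra.cl/6xp7a8k5 - HIER_DIRECT/203.0.113.10 application/octet-stream",
    "1467203111.004     88 10.0.0.23 TCP_MISS/200 512 GET http://BURON.DK/xc71iuq - HIER_DIRECT/203.0.113.11 text/html",
    "1467203112.770    120 10.0.0.23 TCP_MISS/200 8000 GET http://notaverde.com/index.php - HIER_DIRECT/203.0.113.12 text/html",
    "Jun 29 13:31:02 fw kernel: FORWARD src=10.0.0.23 dst=151.236.17.45 proto=TCP dpt=80",
    "Jun 29 13:31:05 fw kernel: FORWARD src=10.0.0.24 dst=198.51.100.7 proto=TCP dpt=443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("\n".join(iptables_rules()))
```

A host-only match is reported under its own label because several of the listed hosts are shared hosting (50webs.com, fc2.com, atspace.com and the like), where blocking the whole host would break legitimate traffic; the download URLs are the strong indicators, the C2 addresses are the ones worth dropping outright.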