From: FedEx International Ground [terry.mcnamara@luxmap.com]Attached is a ZIP file FedEx_ID_000179376.zip which contains a malicious script FedEx_ID_000179376.doc.js which is highly obfuscated but which becomes clearer when deobfuscated. This Hybrid Analysis on the sample shows that the script downloads ransomware from opros.mskobr.ru but a quick examination of the code reveals several download locations:
Date: 2 August 2016 at 18:53
Subject: [REDACTED], Unable to deliver your item, #000179376
Dear [Redacted],
This is to confirm that one or more of your parcels has been shipped.
Please, open email attachment to print shipment label.
Thanks and best regards,
Terry Mcnamara,
Support Manager.
opros.mskobr.ru
alacahukuk.com
www.ortoservis.ru
aksoypansiyon.com
samurkasgrup.com
Three of those domains are on the same IP (77.245.148.51), so we can assume that the server is completely compromised. If we extend that principle to the other servers then you might want to block traffic to:
195.208.64.20 (ROSNIIROS, Russia)
77.245.148.51 (Bilisim Teknolojileri Yazilim San. Tic. Ltd. Sti., Turkey)
5.101.153.32 (Beget Ltd, Russia)
A couple of binaries are dropped onto the system, a.exe (detection rate 2/53) [may not be malicious] and a2.exe (detection rate 7/53).
The payload seems to be Nemucod / Crypted or some related ransomware.
Recommended blocklist:
195.208.64.20
77.245.148.51
5.101.153.32