Subject: Attached:Scan(70)
From: Zelma (Zelma937@victimdomain.tld)
To: victim@victimdomain.tld;
Date: Tuesday, 27 September 2016, 14:15
There does not appear to be any body text. My trusted source tells me that the subject is a combination of the words Attached / Copy / File / Emailing and Document / Receipt / Scan plus a random two-digit number. Attached is a ZIP file with a name similar to the subject, containing a malicious .wsf scriot.
This script then downloads components from one of the following locations:
akseko.ru/78hceef
altorelevo.net/78hceef
amsterdamrent.com/78hceef
art-asfalt.com/78hceef
australiandesignerweddings.com/78hceef
baitcalculator.com/78hceef
bb-alarm.com/78hceef
bezdeals.com/78hceef
brambory.net/78hceef
ccaglobal.org/78hceef
cg3dstudio.com/78hceef
cimetieremontroyal.com/78hceef
dashandling.com/78hceef
deadly-city.com/78hceef
dealerjoin.com/78hceef
diemsolutions.com/78hceef
essennarose.com/78hceef
eventbuzzuk.com/78hceef
fixturesexpress.com/78hceef
frecuenciaurbana.es/78hceef
gharazi.com/78hceef
google-seo-top.com/78hceef
gouri-gouri.com/78hceef
grijspaardt.nl/78hceef
haikhhoose.com/78hceef
hedefosgb.com/78hceef
homemadebakeryindonesia.com/78hceef
hurbtrade.com/78hceef
idealuze.com/78hceef
intardesign.com/78hceef
johnlesterart.com/78hceef
karacanalbum.com/78hceef
linbao.org/78hceef
maxtherm.net/78hceef
mediaalias.com/78hceef
mysolosource.com/78hceef
nerosk.ru/78hceef
peryskop.biz/78hceef
profsonstage.com/78hceef
speaklifegreetings.com/78hceef
upav.org/78hceef
usedtextilemachinerylive.com/78hceef
wssunhui.com/78hceef
www.musicbarpriatelia.sk/78hceef
xdesign-p.com/78hceef
The payload is Locky ransomware, phoning home to:
5.196.200.247/apache_handler.php (OVH, Ireland / Just Hosting, Russia)
62.173.154.240/apache_handler.php (JSC Internet-Cosmos, Russia)
uiwaupjktqbiwcxr.xyz/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
rflqjuckvwsvsxx.click/apache_handler.php [86.110.118.114] (Takewyn.com, Russia)
dypvxigdwyf.org/apache_handler.php [69.195.129.70] (Joe's Datacenter, US)
ntqgcmkmnratfnwk.org/apache_handler.php
wababxgqgiyfrho.su/apache_handler.php
ytqeycxnbpuygc.ru/apache_handler.php
ocuhfpcgyg.pl/apache_handler.php
cifkvluxh.su/apache_handler.php
sqiwysgobx.click/apache_handler.php
yxmagrdetpr.biz/apache_handler.php
xnoxodgsqiv.org/apache_handler.php
vmibkkdrlnircablv.org/apache_handler.php
Recommended blocklist:
5.196.200.0/24
62.173.154.240
86.110.118.114