From: PATRICA GROVESThe name of the sender will vary. Attached is a malicious Word document with a name like Payslip_Dec_2016_6946345.doc which has a VirusTotal detection rate of 12/55.
Date: 19 December 2016 at 10:12
Subject: Payslip for the month Dec 2016.
Dear customer,
We are sending your payslip for the month Dec 2016 as an attachment with this mail.
Note: This is an auto-generated mail. Please do not reply.
This Hybrid Analysis clearly shows Locky ransomware in action when the document is opened.
According to my usual reliable source, the various versions of this download a component from one of the following locations:
023pc.cn/8hrnv3
aguamineralsantacruz.com.br/8hrnv3
allard-g.be/8hrnv3
as-kanal-rohrreinigung.de/8hrnv3
aspecta-aso.net/8hrnv3
audehd.com/8hrnv3
audreyetsteve.fr/8hrnv3
baugildealtmark.de/8hrnv3
berstetaler.de/8hrnv3
birdhausdesign.com/8hrnv3
bperes.com.br/8hrnv3
brainfreezeapp.com/8hrnv3
delreywindows.com/8hrnv3
democracyandsecurity.org/8hrnv3
factoryfreeapparel.com/8hrnv3
garosero5.com/8hrnv3
globaser3000.com/8hrnv3
grafiquesvaros.com/8hrnv3
routerpanyoso.50webs.com/8hrnv3
skyers.awardspace.com/8hrnv3
www.andmax-rehabilitacja.pl/8hrnv3
www.bandhiga.com/8hrnv3
www.clinicafisiosan.com/8hrnv3
www.de-klinker.be/8hrnv3
www.foyerstg.pro/8hrnv3
www.globalchristiantrust.com/8hrnv3
www.neumayr-alkoven.com/8hrnv3
zimbabweaids.awardspace.com/8hrnv3
The malware then phones home to one of the following locations:
176.121.14.95/checkupdate (Rinet LLC, Ukraine)
193.201.225.124/checkupdate (PE Tetyana Mysyk, Ukraine)
188.127.237.76/checkupdate (SmartApe, Russia)
46.148.26.82/checkupdate (Infium, Latvia / Ukraine)
A DLL is dropped with a detection rate of 12/52.
Recommended blocklist:
176.121.14.95
193.201.225.124
188.127.237.76
46.148.26.82