From: Donnie emily
Date: 12 March 2016 at 14:01
Subject: Urgent Notice # 78815053
Dear Customer!
According to our data you owe our company a sum of $452,49. There are records saying that you have ordered goods in a total amount of $ 452,49 in the third quarter of 2015.
Invoice has been paid only partially. The unpaid invoice #78815053 is enclosed below for your revision.
We are writing to you, hoping for understanding and in anticipation of the early repayment of debt.
Please check out the file and do not hesitate to pay off the debt.
Otherwise we will have to start a legal action against you.
Regards,
Donnie emily
758 N Davis St, Jacksonville,
FL 17323
Phone nr: 026-762-3482
Attached is a randomly-named ZIP file; in the samples I have seen, the names begin with:
- letter_
- confirm_
- access_
- unconfirmed_operation_
- operation_
- details_
- details_
- post_
- mail_
bonjovijonqq.com/69.exe?1
bonjovijonqq.com/80.exe?1
This is TeslaCrypt ransomware, although it is possible that some variants of this message drop Locky instead. The two binaries are slightly different (VirusTotal results [19] [20]) and both appear to phone home to:
vtechshop.net/wcspng.php
sappmtraining.com/wp-includes/theme-compat/wcspng.php
shirongfeng.cn/images/lurd/wcspng.php
It also attempts to contact the domain multibrandphone.com but that was not resolving at the time of analysis. It also appears to phone home to:
31.184.196.78 (Petersburg Internet Network Ltd, Russia)
91.234.32.192 (FOP Sedinkin Olexandr Valeriyovuch, Russia)
The domain bonjovijonqq.com is purely malicious and is hosted on the following IPs:
192.210.144.130 (Hudson Valley Host / Colocrossing, US)
54.212.162.6 (Amazon AWS, US)
212.119.87.77 (Middle East Internet Company Limited, Saudi Arabia)
78.135.108.94 (Sadecehosting, Turkey)
A large number of other malicious domains are also hosted on the same servers.
In fact, there are a vast number of malicious IPs and servers in this cluster. I simply haven't had time to look at them all yet.
Recommended blocklist:
192.210.144.130
54.212.162.6
212.119.87.77
78.135.108.94
31.184.196.78
91.234.32.192
multibrandphone.com
sappmtraining.com
shirongfeng.cn
vtechshop.net
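As an added defender-side example (not code from the original post), here is a small Python checker that applies this post's indicators to mail attachments and proxy-log entries: the attachment-name prefixes, the hosts and IPs in the blocklist above (plus bonjovijonqq.com, which the post calls purely malicious), and the two URL shapes seen in this run (the numeric `.exe?1` download and the `wcspng.php` check-in). The log format and the sample log lines are constructed assumptions, not data from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the post: attachment-name prefixes, C2 hosts and IPs.
ATTACHMENT_PREFIXES = ("letter_", "confirm_", "access_", "unconfirmed_operation_",
                       "operation_", "details_", "post_", "mail_")
BLOCKLIST = {
    "192.210.144.130", "54.212.162.6", "212.119.87.77", "78.135.108.94",
    "31.184.196.78", "91.234.32.192", "multibrandphone.com", "sappmtraining.com",
    "shirongfeng.cn", "vtechshop.net",
    "bonjovijonqq.com",  # download host; the post describes it as purely malicious
}
# URL shapes from the post: "/<number>.exe?1" downloads and the wcspng.php check-in.
PATH_PATTERNS = (re.compile(r"/\d+\.exe\?1$"), re.compile(r"/wcspng\.php$"))

def suspicious_attachment(name: str) -> bool:
    """True if a ZIP attachment name starts with one of the campaign's prefixes."""
    lower = name.lower()
    return lower.endswith(".zip") and lower.startswith(ATTACHMENT_PREFIXES)

def suspicious_url(url: str) -> list:
    """Return the reasons a requested URL matches this campaign's indicators."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    # Match the host itself or any subdomain of a blocklisted domain.
    if host in BLOCKLIST or any(host.endswith("." + d) for d in BLOCKLIST):
        reasons.append("blocklisted host " + host)
    path = parts.path + ("?" + parts.query if parts.query else "")
    if any(p.search(path) for p in PATH_PATTERNS):
        reasons.append("campaign URL pattern " + path)
    return reasons

def scan_proxy_log(lines: list) -> list:
    """Flag (client, reasons) for lines in a constructed '<client> <method> <url>' format."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the scan
        reasons = suspicious_url(fields[2])
        if reasons:
            hits.append((fields[0], reasons))
    return hits

# Constructed sample log lines (not from the post) for a stand-alone run.
SAMPLE_LOG = [
    "10.0.0.5 GET http://bonjovijonqq.com/69.exe?1",
    "10.0.0.7 GET http://sappmtraining.com/wp-includes/theme-compat/wcspng.php",
    "10.0.0.9 GET http://example.com/index.html",
]
```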