From: Glenna JohnsonSender names and that long hexadecimal number with vary. Attached is a randomly-named ZIP file containing a malicious .js script beginning with "business card" [example]. The payload appears to be Locky ransomware.
Date: 4 August 2016 at 10:18
Subject: Business card
Hello [redacted],
I have attached the new business card design.
Please let me know if you need a change
King regards,
Glenna Johnson
c75b53fd1ea488ebe8eaf068fd5c9dd13f1848f4d3a7
This Hybrid Analysis of the script gives plenty of detail as to what is going on. My trusted sources tell me that the list of download locations is quite short:
escapegasmech.com/048220y5
goldjinoz.com/0a3tg
platimunjinoz.ws/13fo8lnl
regeneratewert.ws/1qvvu9lu
traveltotre.in/2c4ykij7
This drops a binary with a detection rate of 8/54. The earlier Hybrid Analysis report shows it phoning home to:
31.41.46.29/php/upload.php (Relink Ltd, Russia) [hostname: ip.cishost.ru]
185.129.148.19/php/upload.php (MWTV, Latvia)
91.219.29.35/php/upload.php (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine) [hostname: 35.29.219.91.colo.ukrservers.com]
All of those network blocks have a pretty poor reputation and I recommend that you block their entire ranges.
Recommended blocklist:
31.41.40.0/21
185.129.148.0/24
91.219.28.0/22