From: Melisa Keller
Date: 9 March 2016 at 12:08
Subject: FW: Invoice 2016-M#111812
Dear server,
Please find attached 2 invoices for processing.
Yours sincerely,
Melisa Keller
Financial Manager
______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
Attached is a file with a name similar to Payment_2016_March_111812.zip, containing two scripts which, in the samples I have seen, all start with "see_it" or "problem". These malicious scripts all have low detection rates [1] [2] [3] [4] [5] [6]. The Malwr reports for those samples [7] [8] [9] [10] [11] [12] show that the scripts download a binary from:
ihsanind.com/system/logs/87jhg44g5
nguoitieudungthongthai.com/system/logs/987i6u5y4t
astralia.ro/08o76g445g [404]
Only two of the download locations work, dropping binaries with a detection rate of 5/55 [1] [2]. Note that there may be other download locations.
The Malwr reports indicate that the malware phones home to:
78.40.108.39 (PS Internet Company LLC, Kazakhstan)
149.154.157.14 (EDIS, Italy)
The payload is the Locky ransomware.
UPDATE
I received the following information from another source (thank you).
Additional download locations:
Payload MD5s:
Additional C2s:
91.195.12.131 (PE Astakhov Pavel Viktorovich, Ukraine)
151.236.14.51 (EDIS, Netherlands)
37.235.53.18 (EDIS, Spain)
Recommended blocklist:
78.40.108.39
149.154.157.14
91.195.12.131
151.236.14.51
37.235.53.18
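As an added example (not code from the original post), the following Python turns two of the indicators above into defender-side checks: it flags a ZIP attachment whose members follow the "see_it" / "problem" script naming described earlier, and matches log destinations against the recommended blocklist. The script extensions, the log line layout, the sample archive and the sample log lines are all assumptions constructed for the example.

```python
import io
import zipfile

# Indicators from the post above: script-name prefixes seen in the attachment
# and the recommended C2 blocklist. The script extensions are an assumption.
SCRIPT_NAME_PREFIXES = ("see_it", "problem")
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
C2_BLOCKLIST = {"78.40.108.39", "149.154.157.14", "91.195.12.131",
                "151.236.14.51", "37.235.53.18"}


def suspicious_members(zip_bytes):
    """Return archive member names matching the attachment pattern.
    Corrupt or non-zip input yields [] so a mail filter can call this blindly."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    hits = []
    for name in names:
        base = name.rsplit("/", 1)[-1].lower()  # ignore any directory prefix
        if base.startswith(SCRIPT_NAME_PREFIXES) and base.endswith(SCRIPT_EXTENSIONS):
            hits.append(name)
    return hits


def blocklisted_connections(log_lines):
    """Return (source, destination) pairs whose destination is a listed C2.
    Assumed log layout: 'timestamp source_ip dest_ip ...', whitespace separated."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2] in C2_BLOCKLIST:
            hits.append((fields[1], fields[2]))
    return hits


def build_sample_zip():
    """Constructed stand-in for the attachment; members hold harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("see_it_invoice.js", "// placeholder, not the real script\n")
        zf.writestr("problem_111812.js", "// placeholder, not the real script\n")
        zf.writestr("readme.txt", "benign member\n")
    return buf.getvalue()


SAMPLE_LOG = [  # constructed sample proxy/firewall lines, not real traffic
    "2016-03-09T12:10:01 10.0.0.15 78.40.108.39 TCP 80",
    "2016-03-09T12:10:05 10.0.0.15 192.0.2.10 TCP 443",
    "2016-03-09T12:11:30 10.0.0.22 151.236.14.51 TCP 80",
]
```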