“Delivery Confirmation” Leads to Locky Ransomware

IOC (network): mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl

SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29
File name: UCCNTXS1519.js

SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a
File name: giHhrMNI1.dll

SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0
File name: giHhrMNI1

The user received an email from “ship-confirm@thecabinbreckenridge.com” with the subject “Delivery Confirmation: 00117932551”. The contents of the email are shown below:

Note that the email carries a .zip attachment. Opening that .zip file reveals a JScript file, “UCCNTXS1519.js” (SHA256 listed above):

Executing that JScript file generates a GET request to mochacat.net for the payload (the URI listed in the IOCs above):

This version of Locky doesn’t appear to use C2s, as I couldn’t locate any of the usual Locky callback traffic.

The payload was dropped in %TEMP% and was not deleted after the host was compromised:

Ransom notes were dropped and opened on the Desktop, as well as placed in folders containing encrypted files:
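As an added example (not code from the original write-up), the Python script below turns the IOCs above into two checks a responder could run after an incident like this one: it scans proxy log lines for the GET request to mochacat.net and the /hjy93JNBasdas path, and it hashes every file under a drop directory such as %TEMP% against the three SHA256 values. The log format (timestamp, client, method, URL, status) and the sample log lines are constructed for this example; only the host, path and hashes come from the write-up. The query string is deliberately not matched, because the host and path are the parts of this IOC stable enough to pivot on, and a path-only hit is reported separately so the same downloader URI served from another domain is still surfaced.

```python
"""Added example: match the Locky IOCs from the write-up against proxy logs and a drop directory."""
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

# IOCs taken from the write-up above.
IOC_HOST = "mochacat.net"
IOC_PATH = "/hjy93JNBasdas"
IOC_SHA256 = {
    "405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29": "UCCNTXS1519.js",
    "c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a": "giHhrMNI1.dll",
    "e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0": "giHhrMNI1",
}

# Constructed sample proxy log (hypothetical format: timestamp client method url status).
# These lines are made up for the example and are not from the original page.
SAMPLE_PROXY_LOG = """\
1488300001.101 10.0.0.21 GET http://www.example.com/index.html 200
1488300002.550 10.0.0.21 GET http://MochaCat.net/hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl 200
1488300003.002 10.0.0.35 GET http://cdn.example.net/hjy93JNBasdas?zzz=1 404
1488300004.777 10.0.0.21 POST http://www.example.com/login 302
"""


def find_ioc_requests(log_text, host=IOC_HOST, path=IOC_PATH):
    """Return (client, method, url, reason) for each request whose host or URI path matches.

    The query string is ignored on purpose: the host and path are the stable part of
    the IOC, and a "path" only hit flags the same downloader URI on a different domain.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, method, url, _status = fields[:5]
        parts = urlsplit(url)
        reasons = []
        if parts.hostname and parts.hostname.lower() == host.lower():
            reasons.append("host")
        if parts.path == path:
            reasons.append("path")
        if reasons:
            hits.append((client, method.upper(), url, "+".join(reasons)))
    return hits


def sha256_file(path):
    """SHA256 of a file, read in chunks so large drops do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(directory, known=IOC_SHA256):
    """Hash every regular file under `directory` (e.g. %TEMP%) and return (path, sha256, label) matches."""
    matches = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable file; keep scanning the rest
            if digest in known:
                matches.append((full, digest, known[digest]))
    return matches


def demo():
    """Run both checks on constructed input; returns (log hits, real-IOC matches, self-test matches)."""
    hits = find_ioc_requests(SAMPLE_PROXY_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        benign = os.path.join(tmp, "notes.txt")
        with open(benign, "wb") as f:
            f.write(b"constructed benign file, not malware\n")
        real_matches = scan_directory(tmp)  # must be empty: benign file is not a Locky sample
        # Feeding the benign file's own hash as a "known bad" entry shows the matcher firing.
        self_matches = scan_directory(tmp, known={sha256_file(benign): "notes.txt"})
    return hits, real_matches, self_matches


if __name__ == "__main__":
    for hit in find_ioc_requests(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    temp_dir = os.environ.get("TEMP", tempfile.gettempdir())
    print("drop directory matches:", scan_directory(temp_dir))
```

Run stand-alone, the script prints the two matching proxy lines (the mochacat.net request, and the path-only hit on another host) and then hashes the local temp directory against the three IOC hashes; on a clean machine the second list is empty.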
