IOCs:
- 185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE
- 69.195.129.70 – disvfthejnadoufh.biz – POST /message.php
- 176.103.56.119 – POST /message.php
- 109.234.35.230 – POST /message.php
Traffic:
DNS Requests:
Hashes:
- SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0 – File name: 8038455679-5513221388-201611105248-1028.js (Hybrid-Analysis report)
- SHA256: 0e969221c2e8d9c76a5ad863a80be2486a867ad8358bffd3a56158fcf7e3997e – File name: gGoVQg2.dll (Hybrid-Analysis report)
Emerging Threats Alerts:
- ET POLICY Unsupported/Fake Windows NT Version 5.0
- ET DNS Query to a *.pw domain – Likely Hostile
- ET DNS Query for .su TLD (Soviet Union) Often Malware Related
- ET POLICY DNS Query to .onion proxy Domain (tor2web)
- ET POLICY DNS Query to .onion proxy Domain (onion.to)
Email:
The email is coming from rebecca.griswold@youmovebnu.com. The subject of the email is "!! Urgent payment request". The attachment is a .zip containing a JScript file called 8038455679-5513221388-201611105248-1028.js.
Executing the JScript file generates GET requests for the .dll from various distribution sites. In my sample we see a GET request for the payload via dx-team.org. The file is dropped in the user's %Temp% folder.
Once the files are encrypted we see the desktop background changed to the Locky ransom note, ransom notes (.html and .bmp) being dropped on the Desktop and in the encrypted folders, and the encrypted files renamed to the user's personal ID number with the file extension .thor.
As always, block the distribution sites and C2s.
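As an added example (not part of the original post), the following Python turns the indicators and Emerging Threats rules above into a small detector run over constructed log lines. The log format (`<timestamp> <DNS|HTTP|FILE> <src-ip> <verb-or-qtype> <target>`) and the non-dx-team.org hostnames are assumptions made for the example; the C2 IPs, distribution host, `/message.php` endpoint, risky TLDs, onion-proxy suffixes and `.thor` extension come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post: C2 check-in hosts, payload distribution host,
# TLDs and Tor-to-web proxy suffixes matching the ET alerts, and Locky's extension.
KNOWN_C2 = {"69.195.129.70", "176.103.56.119", "109.234.35.230"}
DIST_HOSTS = {"dx-team.org"}
SUSPECT_TLDS = (".pw", ".su")
ONION_PROXIES = (".onion.to", ".tor2web.org")
ENCRYPTED_EXT = ".thor"

# Assumed log line shape (constructed for this example, not a real product format):
# "<timestamp> <DNS|HTTP|FILE> <src-ip> <verb-or-qtype> <target>"
LOG_RE = re.compile(r"^(\S+) (DNS|HTTP|FILE) (\S+) (\S+) (\S+)$")

def classify(line):
    """Return the names of the rules a log line triggers (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    _ts, kind, _src, verb, target = m.groups()
    hits = []
    if kind == "DNS":
        host = target.lower().rstrip(".")
        if host.endswith(SUSPECT_TLDS):      # ET: .pw / .su queries
            hits.append("dns-suspect-tld")
        if host.endswith(ONION_PROXIES):     # ET: onion.to / tor2web proxies
            hits.append("dns-onion-proxy")
    elif kind == "HTTP":
        u = urlsplit(target)
        host = u.hostname or ""
        if verb == "POST" and u.path == "/message.php" and host in KNOWN_C2:
            hits.append("locky-c2-checkin")
        if verb == "GET" and host in DIST_HOSTS:
            hits.append("locky-payload-download")
    elif kind == "FILE" and verb == "RENAME" and target.lower().endswith(ENCRYPTED_EXT):
        hits.append("thor-extension-rename")  # files renamed with Locky's .thor extension
    return hits

def scan(lines):
    """Return (line, hits) pairs for every line that triggered at least one rule."""
    return [(ln, hits) for ln in lines if (hits := classify(ln))]

# Constructed sample log: hostnames other than dx-team.org are placeholders.
SAMPLE_LOG = [
    "2016-11-10T10:52:48Z DNS 10.0.0.5 A constructed-dga.su",
    "2016-11-10T10:52:49Z DNS 10.0.0.5 A constructedhost.onion.to",
    "2016-11-10T10:52:50Z HTTP 10.0.0.5 GET http://dx-team.org/jhb6576?GChuOAtzYEq=GVUYNDbBRRE",
    "2016-11-10T10:52:55Z HTTP 10.0.0.5 POST http://69.195.129.70/message.php",
    "2016-11-10T10:53:01Z FILE 10.0.0.5 RENAME C:\\Users\\u\\Documents\\report.docx.thor",
    "2016-11-10T10:53:02Z HTTP 10.0.0.5 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```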