Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)


  • GET /76vvyt?cFqotowK=rUUwhHw
  • GET /76vvyt?cFqotowK=rUUwhHw
  • GET /76vvyt?cFqotowK=rUUwhHw
  • POST /linuxsucks.php
  • POST /linuxsucks.php
  • POST /linuxsucks.php



DNS Requests:

Domain          IP Address      Country
                                Czech Republic
                                United States
                                Spain


SHA256: 92653c0f4adb3e17598f841c5da47775771cf225021c892d8cb0f4017b74ceb8
File name: DSCF0822.wsf
Hybrid-Analysis Report

SHA256: 3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93
File name: SYgTnmS3.dll
Hybrid-Analysis Report

Emerging Threats Alerts:

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET DNS Query to a *.pw domain – Likely Hostile
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET CNC Ransomware Tracker Reported CnC Server TCP group 129

IDS Event:



The email comes from “Madge Taylforth”; the subject line is DSCF6372.pdf. The attachment is a .zip archive containing a Windows Script File named DSCF0822.wsf:



Executing the WSF file generates GET requests for the .dll payload from several distribution sites. The first two GET requests returned a 403 and a 302 (Location: hxxp://carmenortigosa[.]com/cgi-sys/suspendedpage.cgi?cFqotowK=rUUwhHw). The second host had already been suspended by its hosting provider (cPanel's suspendedpage.cgi), and the redirect carries the downloader's query string along with it, so the query string is a usable indicator even when the host changes.

In my sample the third GET request retrieved the payload (SYgTnmS3.dll), which is dropped in the user's %Temp% folder:
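To show how the indicators above turn into detection, here is a small triage script. It is an added example, not code from the original post or from any tool mentioned in it. It walks constructed proxy-log lines (not real captures), flags the downloader URI the post observed (including the suspendedpage.cgi redirect, which keeps the query string), the POST to /linuxsucks.php, the "Windows NT 5.0" User-Agent that the ET POLICY alert above fires on, and hosts under .pw/.su (the TLDs in the ET DNS alerts), then builds the block list the closing paragraph asks for. The hostnames, client IPs, User-Agent string and log format are assumptions; only the URIs and the carmenortigosa[.]com redirect come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines (not from the original post):
# client, method, URL, status, User-Agent. Hosts, IPs and UA are assumptions.
SAMPLE_LOG = """\
10.0.0.7 GET http://example-one.pw/76vvyt?cFqotowK=rUUwhHw 403 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)"
10.0.0.7 GET http://carmenortigosa.com/76vvyt?cFqotowK=rUUwhHw 302 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)"
10.0.0.7 GET http://carmenortigosa.com/cgi-sys/suspendedpage.cgi?cFqotowK=rUUwhHw 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)"
10.0.0.7 GET http://example-three.su/76vvyt?cFqotowK=rUUwhHw 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)"
10.0.0.7 POST http://203.0.113.5/linuxsucks.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.0)"
10.0.0.9 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Indicators taken from the post.
DL_PATH = "/76vvyt"
DL_QUERY = {"cFqotowK": ["rUUwhHw"]}
C2_PATH = "/linuxsucks.php"
# The ET DNS alerts in the post fire on these TLDs.
HOSTILE_TLDS = (".pw", ".su")


def classify(rec):
    """Return the rule names a single parsed request matches."""
    u = urlsplit(rec["url"])
    hits = []
    if "Windows NT 5.0" in rec["ua"]:
        hits.append("fake_nt5_ua")          # ET POLICY Unsupported/Fake Windows NT Version 5.0
    if u.path == DL_PATH or parse_qs(u.query) == DL_QUERY:
        hits.append("locky_wsf_download")   # also catches the suspendedpage.cgi redirect
    if rec["method"] == "POST" and u.path == C2_PATH:
        hits.append("locky_c2_post")
    if u.hostname and u.hostname.endswith(HOSTILE_TLDS):
        hits.append("hostile_tld")
    return hits


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            recs.append(m.groupdict())
    return recs


def triage(text):
    """Return (alerts, blocklist).

    alerts: (client, url, [rules]) for every line that matched at least one rule.
    blocklist: sorted hosts seen serving the payload or receiving the C2 POST.
    """
    alerts, hosts = [], set()
    for rec in parse_log(text):
        rules = classify(rec)
        if rules:
            alerts.append((rec["client"], rec["url"], rules))
            if "locky_wsf_download" in rules or "locky_c2_post" in rules:
                hosts.add(urlsplit(rec["url"]).hostname)
    return alerts, sorted(hosts)


if __name__ == "__main__":
    found, block = triage(SAMPLE_LOG)
    for client, url, rules in found:
        print(client, url, ",".join(rules))
    print("block:", " ".join(block))
```

The UA rule alone is only a policy hit (old software also sends it); the download and C2 rules are the ones worth paging on, which is why only those feed the block list.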


Once the files are encrypted, the Desktop wallpaper changes to the Locky ransom note, ransom notes (.html and .bmp) are dropped on the Desktop and in the encrypted folders, and the encrypted files are renamed to the victim's personal ID and given the .thor extension:
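A matching host-side check, again an added example and not the post's own code. It builds a constructed directory tree containing the artifacts the paragraph describes (not files from a real infection) and scans it for files renamed to an ID with the .thor extension, plus ransom notes that come as an .html/.bmp pair with the same name. The ID layout (hex blocks separated by dashes, first eight characters taken as the victim ID) and the note filename _WHAT_is are assumptions; the post only states that files are renamed to the victim ID with a .thor extension and that .html and .bmp notes are dropped.

```python
import re
import tempfile
from pathlib import Path

# Assumed naming: hex blocks separated by dashes, first eight hex chars = victim ID.
THOR_RE = re.compile(r"^(?P<id>[0-9A-F]{8})[0-9A-F-]*\.thor$", re.I)
NOTE_EXTS = {".html", ".bmp"}


def build_sample_tree():
    """Create a constructed victim profile under a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="locky-demo-"))
    files = {
        "Documents/budget.xlsx": b"untouched document",
        "Documents/A1B2C3D4E5F6A7B8-0000-1111-2222-333344445555.thor": b"\x00" * 64,
        "Desktop/A1B2C3D4E5F6A7B8-6666-7777-8888-999900001111.thor": b"\x00" * 64,
        "Desktop/_WHAT_is.html": b"<html>ransom note</html>",   # assumed note name
        "Desktop/_WHAT_is.bmp": b"BM\x00\x00",
        "Desktop/readme.html": b"<html>unrelated</html>",      # lone .html, not a note pair
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def scan(root):
    """Walk root and report .thor files, victim IDs and .html/.bmp note pairs."""
    root = Path(root)
    encrypted, ids, candidates = [], set(), {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        m = THOR_RE.match(p.name)
        if m:
            encrypted.append(p.relative_to(root).as_posix())
            ids.add(m.group("id").upper())
            continue
        if p.suffix.lower() in NOTE_EXTS:
            # group by directory + stem so a .html and .bmp with the same name pair up
            candidates.setdefault((p.parent, p.stem), set()).add(p.suffix.lower())
    notes = sorted(
        (d / stem).relative_to(root).as_posix()
        for (d, stem), exts in candidates.items()
        if exts == NOTE_EXTS
    )
    return {
        "encrypted": sorted(encrypted),
        "victim_ids": sorted(ids),
        "ransom_note_pairs": notes,
        # both signals together: renamed files and the note pair
        "infected": bool(encrypted) and bool(notes),
    }


if __name__ == "__main__":
    result = scan(build_sample_tree())
    for k, v in result.items():
        print(k, v)
```

Requiring both the renamed files and a note pair keeps a stray .html from triggering on its own; a single victim ID across every .thor file is also what you would expect, since the ID is per host, not per file.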


As always, block the distribution sites and C2s.
