“Payment Receipt” Drops Locky (.osiris)

IOCs:

  • 62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI
  • Additional Download Locations (contained in obfuscated JS downloader):
    • u-niwon.com/098tb – 218.232.104.232
    • chanet.jp/098tb – 210.196.232.211
    • valuationssa.com.au/098tb – 104.27.149.238
    • More compromised sites being used as download locations (posted by Techhelplist)
  • 31.202.128.199 – POST /checkupdate
  • 176.121.14.95 – POST /checkupdate (from Hybrid-Analysis report)

Traffic:

[Image: GET and POST traffic capture]

Hashes:

SHA256: f59d43d8c311a92ed5134847051cdc15b67c7dd66777a42b5fa4760a3bd41d7c
File name: VDT8310927.jse
Hybrid-Analysis Report

SHA256: 7374e2124aee0624b4d3b2195ec8f2e4fe0d6cc1e56c84f56529ea7da542e310
File name: ORzVjDFWo1

SHA256: f5f9ba19d6ee135e342a892a78d2d96f9e1d9c9bf8b4106ab36c6e833a075a67
File name: ORzVjDFWo1.dll
Hybrid-Analysis Report

Email:

[Image: the phishing email]

The email contains a ZIP file called Receipt_60.zip. Opening up the ZIP file shows it contains a JScript Encoded Script File called VDT8310927.jse. Executing that script file initiates the GET request(s) for the payload. In my sample there were four download locations:

[Image: partial view of the obfuscated JS downloader]

These strings decode to the following download locations:

  • test.grafixx.org/098tb
  • u-niwon.com/098tb
  • chanet.jp/098tb
  • valuationssa.com.au/098tb

The first download attempt was successful so it skipped the other locations. Below is the GET for the file:

[Image: GET request for the payload]

After that we see the file being dropped in %Temp%.
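As an added example (not code from the original post), a small Python detector that applies the network indicators above to constructed proxy log lines. It keys on the /098tb payload path rather than the hostname, since the download hosts are rotating compromised sites, and on POST /checkupdate to the two C2 addresses; the log layout and sample lines are assumed and constructed for the example.

```python
import re

# Indicators taken from the post above. The URI path is the stable part;
# the hosts are compromised sites that rotate, so the path is matched on any host.
PAYLOAD_PATH = "/098tb"
KNOWN_PAYLOAD_HOSTS = {"test.grafixx.org", "u-niwon.com", "chanet.jp", "valuationssa.com.au"}
C2_PATH = "/checkupdate"
C2_IPS = {"31.202.128.199", "176.121.14.95"}

# Assumed (constructed) proxy log layout: "<client> <method> <host> <path> <status>".
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

def classify(line):
    """Return (client, kind, host) for a line matching an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # The downloader's GET carries a random-looking query (/098tb?oAzjRAPD=...); ignore it.
    path, _, _query = m["path"].partition("?")
    if m["method"] == "GET" and path == PAYLOAD_PATH:
        # Any status counts: a 404 on a later location means an earlier one failed,
        # but the client executed the .jse downloader either way.
        kind = "payload-download" if m["host"] in KNOWN_PAYLOAD_HOSTS else "payload-download-newhost"
        return (m["client"], kind, m["host"])
    if m["method"] == "POST" and path == C2_PATH and m["host"] in C2_IPS:
        return (m["client"], "c2-checkin", m["host"])
    return None

def scan_log(text):
    """Scan a whole log and return every hit in order."""
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 GET test.grafixx.org /098tb?oAzjRAPD=HlElhIQVI 200
10.0.0.5 POST 31.202.128.199 /checkupdate 200
10.0.0.7 GET www.example.com /index.html 200
10.0.0.9 GET compromised-site.example /098tb?QzzAbcd=XyZ12345 404
10.0.0.9 POST 31.202.128.199 /status 200
"""

if __name__ == "__main__":
    for client, kind, host in scan_log(SAMPLE_LOG):
        print(f"{client} {kind} via {host}")
```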

Once infection has completed, the user’s encrypted files are renamed to a 36-character alphanumeric string, with the first 16 characters representing the user’s “personal identification ID.” The encrypted files also have a .osiris extension appended.

Lastly, we see that ransom notes are created in folders containing encrypted files (OSIRIS-[4 alpha numeric].htm), and the user’s Desktop displays an image (.bmp) as well as an OSIRIS.htm file.
