IOCs:
- 162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script
- 222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script
- 199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script
- 107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script
- 176.121.14.95 – POST /checkupdate – C2 IP
Traffic:
Hashes:
SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544
File name: 765-HIGV0613.wsf
Hybrid-Analysis Submission
SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be
File name: KwNzXMj1
SHA256: 5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a
File name: KwNzXMj1.dll
Hybrid-Analysis Submission
Email:
The infection begins with the user opening the malspam. The email carries a .zip attachment, and opening the .zip file reveals a file called 765-HIGV0613.wsf:
Once the user executes the script, an automated GET request is made to one of the four possible download locations.
My sample was relatively new, so the first location was successfully reached. Had the first location not responded, there were still three other possible download locations that would have been attempted.
[Image: partial image of script showing encoded download locations]
Here is the GET for the file:
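The GET to one of the four download locations, followed by the POST to the C2, is the network footprint worth hunting for. The following is an added example, not part of the original post: it runs the post's indicators over a few constructed proxy log lines in a simple assumed format (timestamp, source IP, destination IP, method, host, path, status) and groups hits per internal source. A request to a download location is flagged even when it fails, since the attempt itself is the indicator, and a host that shows both the download and the C2 check-in is marked as likely infected.

```python
import re
from collections import defaultdict

# Indicators taken from the post's IOC list.
DOWNLOAD_HOSTS = {
    "aghadiinfotechforclient.com": "162.144.116.161",
    "simperizinan.sragenkab.go.id": "222.124.206.41",
    "livingfreehomeramps.com": "199.101.51.76",
    "adenadataediting.com": "107.180.1.210",
}
DOWNLOAD_PATH = "/jht76gh"
C2_IP = "176.121.14.95"
C2_PATH = "/checkupdate"

# Assumed (hypothetical) proxy log format:
# "<ts> <src_ip> <dst_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log, not captured traffic. 10.0.0.15 downloads and checks in;
# 10.0.0.22 gets a 404 from the first location and falls back to the second;
# 10.0.0.30 hits a /checkupdate path on an unrelated host (should not alert).
SAMPLE_LOG = """\
2016-12-06T10:01:02Z 10.0.0.15 93.184.216.34 GET example.com /index.html 200
2016-12-06T10:03:11Z 10.0.0.15 162.144.116.161 GET aghadiinfotechforclient.com /jht76gh 200
2016-12-06T10:03:40Z 10.0.0.15 176.121.14.95 POST 176.121.14.95 /checkupdate 200
2016-12-06T10:05:00Z 10.0.0.22 222.124.206.41 GET simperizinan.sragenkab.go.id /jht76gh 404
2016-12-06T10:05:03Z 10.0.0.22 199.101.51.76 GET livingfreehomeramps.com /jht76gh 200
2016-12-06T10:06:00Z 10.0.0.30 93.184.216.34 GET example.com /checkupdate 200
"""


def classify(rec):
    """Return an IOC label for one parsed record, or None if it matches nothing."""
    if (rec["method"] == "GET" and rec["path"] == DOWNLOAD_PATH
            and rec["host"] in DOWNLOAD_HOSTS):
        # Any attempt counts, even a failed one (e.g. 404): the request itself is the indicator.
        return "payload-download"
    if rec["dst"] == C2_IP and rec["method"] == "POST" and rec["path"] == C2_PATH:
        return "c2-checkin"
    return None


def scan_log(text):
    """Parse each log line and return (ts, src, label, host, status) for every IOC hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        label = classify(rec)
        if label:
            hits.append((rec["ts"], rec["src"], label, rec["host"], rec["status"]))
    return hits


def infected_hosts(hits):
    """Group hits by internal source; both stages seen means the chain completed."""
    seen = defaultdict(set)
    for _, src, label, _, _ in hits:
        seen[src].add(label)
    return {
        src: ("likely-infected" if {"payload-download", "c2-checkin"} <= labels
              else "download-only")
        for src, labels in seen.items()
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(infected_hosts(found))
```

The hostname and the destination IP are both checked in the download case only through the host map; if your logs record only IPs, match `rec["dst"]` against the values of `DOWNLOAD_HOSTS` instead.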
Both the downloaded file and the .dll that was created were dropped in %Temp%:
Once the system had been fully infected, documents were encrypted and ransom notes displayed:
Ransom notes are called “OSIRIS-[4 alphanumeric].htm”, and encrypted files are renamed and have .osiris appended. This is especially annoying for users, as they now really don’t know which files were affected.
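Because the encrypted files are renamed, the ransom note name pattern and the .osiris suffix are the only reliable host-side markers of what was hit. The following is an added example, not part of the original post: it applies those two patterns to a constructed file listing (the encrypted file names are made up, since the post does not give their format) and reports, per directory, how many notes and encrypted files were found, which gives a responder a quick blast-radius view.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Patterns from the post: "OSIRIS-[4 alpha numeric].htm" notes and a ".osiris" suffix.
RANSOM_NOTE_RE = re.compile(r"^OSIRIS-[0-9A-Za-z]{4}\.htm$")
ENCRYPTED_SUFFIX = ".osiris"

# Constructed directory listing, as a file walk would return it (not from a real host).
# The hex-style encrypted names are invented for the example.
SAMPLE_PATHS = [
    "/home/alice/Documents/OSIRIS-3F2A.htm",
    "/home/alice/Documents/a1b2c3d4e5f60718.osiris",
    "/home/alice/Documents/notes.txt",
    "/home/alice/Pictures/OSIRIS-9Z1Q.htm",
    "/home/alice/Pictures/1122334455667788.osiris",
    "/home/alice/Pictures/2233445566778899.osiris",
    "/home/alice/Downloads/osiris_report.pdf",      # contains "osiris" but is not an IOC
    "/home/alice/Downloads/OSIRIS-toolong1.htm",    # wrong ID length, not a note
]


def is_ransom_note(name):
    """True for a file name matching the OSIRIS-XXXX.htm note pattern."""
    return RANSOM_NOTE_RE.match(name) is not None


def is_encrypted(name):
    """True for a file name ending in the .osiris suffix."""
    return name.lower().endswith(ENCRYPTED_SUFFIX)


def triage(paths):
    """Count ransom notes and encrypted files per directory.

    Only directories with at least one indicator are returned, so the result
    is the list of places a responder needs to look at.
    """
    counts = defaultdict(lambda: {"notes": 0, "encrypted": 0})
    for p in paths:
        path = PurePosixPath(p)
        name = path.name
        directory = str(path.parent)
        if is_ransom_note(name):
            counts[directory]["notes"] += 1
        elif is_encrypted(name):
            counts[directory]["encrypted"] += 1
    return dict(counts)


if __name__ == "__main__":
    for directory, summary in sorted(triage(SAMPLE_PATHS).items()):
        print(f"{directory}: {summary['notes']} note(s), {summary['encrypted']} encrypted file(s)")
```

On a live host, replace `SAMPLE_PATHS` with the output of an `os.walk` over the user profile; the per-directory counts also tell you which shares or folders to restore from backup first.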
My recommendation is to block the download locations and the C2 IP.