Category: Malspam

JScript Downloads Locky Ransomware
IOCs:
166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
51.254.108.40 – Locky callback traffic – POST /data/info.php
Traffic:
Hashes:
SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6
File name: DuINsSc1
SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75
File name: DuINsSc2
SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
File name: DuINsSc2.dll
Infection Chain:
This is a pretty standard infection chain for Locky right now. The malspam was ...

ZIP File Containing HTA File Leads to Locky Ransomware
IOCs:
121.200.60.26 – onushilon.org/56f2gsu782desf – GET request for payload
Hashes:
SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7
File name: 20160920034329138280504.zip
SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66
File name: QL5LY62838.hta
SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d
File name: iIrfSCB1
SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e
File name: iIrfSCB1.dll
Infection Chain:
The user received an email from with no subject and no content. The only thing contained in the email was an attached .zip ...

“Delivery Confirmation” Leads to Locky Ransomware
IOC:
49.212.150.106 – mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl
Hashes:
SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29
File name: UCCNTXS1519.js
SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a
File name: giHhrMNI1.dll
SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0
File name: giHhrMNI1
The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email are shown below: Notice how the email contains a ...

ZIP’D JScript File Leads to Malware (boxun4.bin)
IOCs: Sub-domains at .adultgameapp.ru and proadultgame.ru
I received some malspam on 9/2/16 entitled “Take easy steps on the ladder of happiness”. The email address of the sender was tqdwsaltpan@wavesboatclub.com and it was supposedly from a “Bettie K. Letbetter”: Allowing pictures to be displayed in the email shows sexually explicit content. Clicking on the link “Lecherous ...

ZIP’d WSF File Retrieves Locky Ransomware
IOCs:
82.197.131.109 – imex.atspace.com – GET /sxqtddp?VlwYKkCOYvI=axCugUhsM
213.205.40.169 – archiviestoria.it – GET /waotorf?VlwYKkCOYvI=axCugUhsM
69.195.129.70 – tlehsdy.biz – POST /data/info.php
Hashes:
SHA256: 010b6da42c0b377f4b28fbcaa1268f046eeb403a3eb79dfb395fc3c2c0daa85e
File name: xVTvTcaaG1
SHA256: 4baf40fe1c7fafd89befe4f2e2bd36aefc8a4faf395631d8bac20e09e372725b
File name: xVTvTcaaG2
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
File name: xVTvTcaaG2.dll
The infection starts with a user getting malspam. This email is coming from an iCloud account and it contains a ...

ZIP’d WSF File Drops Locky Ransomware
IOCs:
62.42.230.17 – http://www.malicioso.net – GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
62.42.230.17 – http://www.idiomestarradellas.com – GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
167.114.138.3 – maxshoppppsr.biz – GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM
69.195.129.70 – tlehsdy.biz – POST /data/info.php
91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php
Hashes:
SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575
File name: asWMWhWmB3.dll and asWMWhWmB1.dll
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
File name: asWMWhWmB2.dll
The user received the following malspam:
Summary:
From: Bertha_145@icloud.com
Subject: 39098622pdf ...