Tag: Ransomware

Malspam Contains Password Protected Document That Downloads Sigma Ransomware
I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”: The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...

“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.
I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...

“IMG_” Malspam Delivers GlobeImposter Ransomware
I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time. The subject line of the malspam samples that I received all started with “IMG_” ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.
IOCs
HTTP Traffic:
160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php
185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit
VirusTotal report showing URLs resolving to that IP
89.45.67.99 – POST /ppp/gate.php – Pony callback traffic
86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware
86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic
Hashes:
SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954 File name: serene.rushpcb.co.ukusde.php.txt
SHA256: ...

EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.
IOCs
Network Activity:
104.27.184.144 – teknonisme.com – Compromised WordPress site
188.225.39.227 – fix.russianpropoganda.com – RIG exploit kit
195.248.235.240 – stat6.s76.r53.com.ua – GET /addrecord.php? and POST /uploadextlist.php – C2 traffic
148.251.13.83 – stat6.s76.r53.com.ua – GET /addrecord.php? – C2 traffic
Additional answers from the DNS query:
195.248.235.241 – stat6.s76.r53.com.ua – C2 traffic
31.41.216.90 – stat6.s76.r53.com.ua – C2 ...

RIG EK at 5.200.52.238 Drops Ransom Locker
The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

SAGE 2.2 Ransomware from Good Man Gate
IOCs:
86.106.93.230 – datsonsdaughter.com – Good Man gate
109.234.37.212 – see.letsown.com – RIG EK
34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2
34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site
34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site
Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key]
Traffic:
Hashes:
SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf
SHA256: ...

RIG EK at 92.53.105.43 Drops ASN1 Ransomware
IOCs:
80.77.82.40 – wrapsing.gdn – GET /rotation/exoclick – Fake ad server points to RIG EK
92.53.105.43 – far.temperedgraces.com – RIG EK
dxostywsduvmn6ra.onion – Payment domain
Uses HKLM\Software\Microsoft\Windows\CurrentVersion\Run for persistence
Ransom notes = !!!!!readme!!!!!.htm
Filenames aren’t changed and encrypted files aren’t appended with a new extension
SHA256: b14ffe0bdadfbab0de8b5ef1b5d078a7c500e5f4e164d771163171e1ed170542 File name: RIG EK Flash Exploit.swf
SHA256: 2f51e6819a2dff508dae58abf95b5d381801debe0cd52b88d6ac05ad05531ba9 ...

EITest Leads to RIG EK at 188.225.36.251. EK Drops CryptoShield 2.0 Ransomware.
IOCs:
104.28.18.48 – amaz0ns.com – Compromised website
188.225.36.251 – 3tre.sicafnicaragua.com – RIG EK
188.225.36.251 – 3fds.tbsistemas.com – RIG EK (second run)
5.154.191.90 – GET /images/products-over.php – ET TROJAN CryptoShield Ransomware Checkin
Traffic:
Hashes:
SHA256: 9a750f27dfc05d5d41d9da4106ecb71be414538eff3eb3bc8ecca01f5a9aad9b File name: Landing Page.html
SHA256: 5628e6cdecc617c18137ff132cda600c72baf23f824fbae5c81a8034a9ba3554 File name: RIG EK v4.0 Flash Exploit.swf
SHA256: e142f06a2e96f7a0c6eb046a79b85bc24e79e66c5c2bc12e144285c23fc89b69 File name: o32.tmp
SHA256: e2387bcd3d274f5b4d0353edff2755d39d66afedda1d47f7548391c5d4238f52 File ...

EITest Script Leads to RIG-v EK at 92.53.120.4. EK Drops “CryptoShield 2.0 Dangerous” Ransomware.
IOCs:
104.28.31.109 – lepatek.com – Compromised website
92.53.120.4 – key.benslocksmithaddison.info – RIG-v EK
109.236.87.84 – 109.236.87.84 – POST /images/slideshow/info.php – ET TROJAN CryptoShield Ransomware Checkin.
Traffic:
Hashes:
SHA256: 55ee40cb99efa1f3811b6e4459d43b8c4e4d53771f2557e4ade67356d395aef8 File name: RIG-v EK Flash Exploit.swf
SHA256: e2cea84c5f4826455d7fc9f1619607a2d82bdb1ee122ec501e4633450263f5ea File name: QTTYUADAF
SHA256: e680fae09e442833699d9e6e8363f08cca7d8bd92d7abc86027d6a14c88a5c4e File name: rad26801.tmp.exe
Hybrid-Analysis Report
Infection Chain:
Loading the website in my browser and ...