ZIP’d WSF File Drops Locky Ransomware

IOCs:

62.42.230.17 – www.malicioso.net – GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
62.42.230.17 – www.idiomestarradellas.com – GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
167.114.138.3 – maxshoppppsr.biz – GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM

69.195.129.70 – tlehsdy.biz – POST /data/info.php
91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php

Hashes:
SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575
File names: asWMWhWmB3.dll and asWMWhWmB1.dll

SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
File name: asWMWhWmB2.dll

The user received the following malspam:

Summary:
From: Bertha_145@icloud.com
Subject: 39098622pdf
Attachment: 39098622.zip

Opening the attachment shows a Windows Script File called “uMRPhx3” (30,486 bytes):

Executing the script caused the host to make 3 GET requests:

These GET requests correspond with 3 DLLs dropped into AppData > Local > Temp:

There are only two unique files among those 3 DLLs, since the hash for asWMWhWmB3.dll and asWMWhWmB1.dll is the same. Both unique files scanned as malicious, identified as Locky ransomware.

Following the GET requests for the Locky payloads, there were POST requests to what appear to be DGA-generated domains (callback traffic):
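As an added example (not from the original post), the following Python flags the traffic shape described above in constructed proxy log lines: one query string reused in GET requests to three payload hosts, followed by POSTs to /data/info.php from the same client. The log format, timestamps and client addresses are assumptions; the hosts and query string come from the IOCs listed above.

```python
import re
from collections import defaultdict

# Constructed proxy log (not from the original post). Client 10.0.0.5 mirrors
# the observed infection: three GETs sharing the query string
# wQPDjpgBhgm=jNgqRaGXM, then POSTs to /data/info.php. Client 10.0.0.7 is a
# benign decoy that only POSTs to a same-named path and must not be flagged.
SAMPLE_LOG = """\
2016-06-28T10:01:02Z 10.0.0.5 GET http://www.malicioso.net/ulndads?wQPDjpgBhgm=jNgqRaGXM 200
2016-06-28T10:01:03Z 10.0.0.5 GET http://www.idiomestarradellas.com/dhxpkuh?wQPDjpgBhgm=jNgqRaGXM 200
2016-06-28T10:01:04Z 10.0.0.5 GET http://maxshoppppsr.biz/js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM 200
2016-06-28T10:01:09Z 10.0.0.5 POST http://tlehsdy.biz/data/info.php 200
2016-06-28T10:01:10Z 10.0.0.5 POST http://cufrmjsomasgdciq.pw/data/info.php 200
2016-06-28T10:02:00Z 10.0.0.7 GET http://example.com/index.html?id=1 200
2016-06-28T10:02:01Z 10.0.0.7 POST http://example.com/data/info.php 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/]+)(/[^?]*)(?:\?(.*))?$")


def parse(log_text):
    """Yield (timestamp, client, method, host, path, query) from each log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, _status = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        host, path, query = u.groups()
        yield ts, client, method, host, path, query or ""


def find_locky_download_pattern(log_text, min_hosts=3):
    """Return clients that reuse one query string in GETs to at least
    min_hosts distinct hosts and also POST to /data/info.php."""
    gets = defaultdict(lambda: defaultdict(set))  # client -> query -> hosts
    posts = defaultdict(set)                       # client -> callback hosts
    for _ts, client, method, host, path, query in parse(log_text):
        if method == "GET" and query:
            gets[client][query].add(host)
        elif method == "POST" and path == "/data/info.php":
            posts[client].add(host)
    hits = {}
    for client, queries in gets.items():
        for query, hosts in queries.items():
            if len(hosts) >= min_hosts and posts.get(client):
                hits[client] = {"query": query, "payload_hosts": sorted(hosts),
                                "callback_hosts": sorted(posts[client])}
    return hits
```

Requiring both halves of the sequence (repeated query string across hosts, then the callback POST) keeps an isolated POST to a same-named path, as with the decoy client, from firing the rule.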

Encrypted files had the .zepto extension appended, and the typical Locky ransom notes were dropped on the Desktop and elsewhere:

malwarebreakdown
