ZIP’d WSF File Drops Locky Ransomware

IOCs:

62.42.230.17 – http://www.malicioso.net – GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
62.42.230.17 – http://www.idiomestarradellas.com – GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
167.114.138.3 – maxshoppppsr.biz – GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM

69.195.129.70 – tlehsdy.biz – POST /data/info.php
91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php

Hashes:
SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575
File name: asWMWhWmB3.dll and asWMWhWmB1.dll

SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
File name: asWMWhWmB2.dll

The user received the following malspam:

Summary:
From: Bertha_145@icloud.com
Subject: 39098622pdf
Attachment = 39098622.zip

Opening the attachment shows a Windows Script File called “uMRPhx3” (30,486 bytes):

Executing the script caused the host to make 3 GET requests:

These GET requests correspond with 3 DLLs dropped into AppData > Local > Temp:

Only two of those 3 DLLs are unique files, since asWMWhWmB3.dll and asWMWhWmB1.dll have the same hash. Both unique files were detected as Locky ransomware when scanned.

Following the GET requests for the Locky payloads, there were POST requests to what appear to be DGA-generated domains (callback traffic):

Encrypted files were given the .zepto extension, and the typical Locky ransom notes were dropped on the Desktop and elsewhere.
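As an added example (not code from the original post), here is a small Python check that runs over constructed proxy log lines and flags any client showing the two-stage pattern described above: payload GETs carrying the shared query string, followed by POSTs to /data/info.php. The log format and the client addresses are assumptions; the hosts, paths and query string are the indicators listed in this post.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the original post) in the form
# "client src_ip method host path"; the hosts and URLs are this post's IOCs.
SAMPLE_LOG = """\
10.0.0.5 62.42.230.17 GET www.malicioso.net /ulndads?wQPDjpgBhgm=jNgqRaGXM
10.0.0.5 62.42.230.17 GET www.idiomestarradellas.com /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
10.0.0.5 167.114.138.3 GET maxshoppppsr.biz /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM
10.0.0.5 69.195.129.70 POST tlehsdy.biz /data/info.php
10.0.0.5 91.223.180.66 POST cufrmjsomasgdciq.pw /data/info.php
10.0.0.9 93.184.216.34 GET example.com /index.html
10.0.0.9 93.184.216.34 POST example.com /data/info.php
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
# The three payload downloads share one query string; the callbacks share one path.
PAYLOAD_QUERY = "wQPDjpgBhgm=jNgqRaGXM"
CALLBACK_PATH = "/data/info.php"

def parse(log_text):
    """Yield (client, src_ip, method, host, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def find_locky_chains(log_text):
    """Return {client: {"downloads": [...], "callbacks": [...]}} for clients that
    fetched a payload URL with the campaign query string and afterwards POSTed
    to the callback path. A POST alone (client 10.0.0.9) is not enough."""
    seen = defaultdict(lambda: {"downloads": [], "callbacks": []})
    for client, _src, method, host, path in parse(log_text):
        if method == "GET" and path.endswith("?" + PAYLOAD_QUERY):
            seen[client]["downloads"].append(host + path)
        elif method == "POST" and path == CALLBACK_PATH and seen[client]["downloads"]:
            seen[client]["callbacks"].append(host)
    return {c: v for c, v in seen.items() if v["downloads"] and v["callbacks"]}

if __name__ == "__main__":
    for client, hits in find_locky_chains(SAMPLE_LOG).items():
        print(client, len(hits["downloads"]), "downloads,", len(hits["callbacks"]), "callbacks")
```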
