“Delivery Confirmation” Leads to Locky Ransomware

IOC:

49.212.150.106 – mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl

Hashes:

SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29
File name: UCCNTXS1519.js

SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a
File name: giHhrMNI1.dll

SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0
File name: giHhrMNI1

The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email are shown below:

Notice how the email contains a .zip file. Opening that .zip file shows a JScript file called “UCCNTXS1519”:

Executing that JScript file generates a GET request for the payload:

This version of Locky doesn’t appear to use C2s as I couldn’t locate any of the usual Locky callback traffic. 

The malware was dropped in %TEMP% and wasn’t deleted after the host was compromised:

Ransom notes were dropped and opened on the Desktop, as well as placed in folders containing encrypted files:
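The IOCs above are most useful when they can be matched against what a defender already collects: proxy logs for the payload GET request, and file hashes for anything found in %TEMP%. The following is an added example, not code from the original post, that does both. The proxy log format (timestamp, client IP, method, URL, one request per line) and the sample log lines are constructed for the example; the IP, host, URL path and SHA256 values are the ones listed in the post.

```python
"""Added example (not part of the original post): match the post's IOCs
against constructed proxy-log lines and against observed file hashes.

Assumptions (not from the post): a proxy log with whitespace-separated
"<timestamp> <client_ip> <method> <url>" fields, and a dict of
{path: sha256hex} standing in for files hashed out of %TEMP%.
"""
import hashlib
import re
from urllib.parse import urlparse

# IOCs taken from the post.
IOC_IP = "49.212.150.106"
IOC_HOST = "mochacat.net"
IOC_PATH = "/hjy93JNBasdas"
IOC_SHA256 = {
    "405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29": "UCCNTXS1519.js",
    "c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a": "giHhrMNI1.dll",
    "e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0": "giHhrMNI1",
}

# Constructed proxy log: one hit by hostname, one hit by IP + path, two benign lines.
SAMPLE_PROXY_LOG = """\
1480000001 10.0.0.15 GET http://mochacat.net/hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl
1480000002 10.0.0.15 GET http://example.org/index.html
1480000003 10.0.0.22 GET http://49.212.150.106/hjy93JNBasdas?FSDfsVLeGGr=abcd
1480000004 10.0.0.30 POST http://example.net/api
"""

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def match_proxy_log(log_text):
    """Return (client_ip, url) for every line whose host/IP or path matches an IOC.

    The path is checked on its own because the query string (FSDfsVLeGGr=...)
    may vary between downloads while the path stays the same.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = urlparse(m.group("url"))
        host_hit = url.hostname in (IOC_HOST, IOC_IP)
        path_hit = url.path == IOC_PATH
        if host_hit or path_hit:
            hits.append((m.group("client"), m.group("url")))
    return hits


def sha256_hex(data):
    """SHA256 of file content as lowercase hex, the form the IOC list uses."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(observed):
    """observed: {path: sha256hex}. Return {path: ioc_file_name} for IOC hits.

    Hashes are lowercased first so a tool that reports uppercase hex still matches.
    """
    return {
        path: IOC_SHA256[h.lower()]
        for path, h in observed.items()
        if h.lower() in IOC_SHA256
    }


if __name__ == "__main__":
    for client, url in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy hit: {client} -> {url}")
    # Constructed %TEMP% listing: one IOC hash, one unrelated file.
    temp_listing = {
        r"C:\Users\victim\AppData\Local\Temp\giHhrMNI1.dll":
            "C31E83A5B86F4410F1DF147AE9717D0C9B69C65DEE9FC2F9381CE085F481726A",
        r"C:\Users\victim\AppData\Local\Temp\notes.txt": sha256_hex(b"hello"),
    }
    for path, name in match_hashes(temp_listing).items():
        print(f"hash hit: {path} matches IOC {name}")
```

In a real sweep, `sha256_hex` would be fed the bytes of each file under %TEMP% (the post notes the dropped payload was not deleted), and the proxy matcher would be pointed at the real log format rather than the constructed one.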

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
