ZIP File Containing HTA File Leads to Locky Ransomware

IOCs:

  • 121.200.60.26 – onushilon.org/56f2gsu782desf – GET request for payload

Hashes:

  1. SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7
    File name: 20160920034329138280504.zip
  2. SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66
    File name: QL5LY62838.hta
  3. SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d
    File name: iIrfSCB1
  4. SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e
    File name: iIrfSCB1.dll

Infection Chain:

The user received an email with no subject and no message body. The only thing in the email was an attached .zip archive:

[Screenshot: the email with the .zip attachment]

Opening the attachment brings the user to an HTML Application called “QL5LY62838.hta”. Per Wikipedia’s definition, an “HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a ‘fully trusted’ application”. Here is the HTML Application contained within the .zip archive:

[Screenshot: the HTML Application QL5LY62838.hta]

When you view the application’s source code you can see JScript within the <html> tags.

Once the code has run the host will make a GET request for the payload:

[Screenshot: GET request for the payload]

This results in two files being dropped in %TEMP%: the first named “iIrfSCB1” and the second the same file with .dll appended. Below are the files dropped in %TEMP%:

[Screenshot: files dropped in %TEMP%]
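As an added example (not from the original post or its author), a small correlation rule for the chain just described, mshta.exe making an outbound request and then writing a file to %TEMP% that reappears with .dll appended, run over constructed Sysmon-style events. The event IDs are Sysmon's (1 ProcessCreate, 3 NetworkConnect, 11 FileCreate); the field names, paths and PIDs are assumptions, and only the IP and file names come from the post.

```python
import ntpath
import re
from collections import defaultdict

# Constructed Sysmon-style events (IDs 1 = ProcessCreate, 3 = NetworkConnect,
# 11 = FileCreate); field names are assumptions, values echo the post's IOCs.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\QL5LY62838.hta"'},
    {"id": 3, "pid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "dst_ip": "121.200.60.26", "dst_port": 80},
    {"id": 11, "pid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\iIrfSCB1"},
    {"id": 11, "pid": 4412, "image": r"C:\Windows\System32\mshta.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\iIrfSCB1.dll"},
    # Benign noise: another process writing to %TEMP% must not alert.
    {"id": 11, "pid": 900, "image": r"C:\Program Files\Editor\editor.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\notes.txt"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def detect_hta_dropper(events):
    """Correlate, per mshta.exe process: an outbound connection plus a file
    written to %TEMP% whose name reappears with '.dll' appended.
    Returns one alert dict per matching process (sorted by pid)."""
    per_pid = defaultdict(lambda: {"net": [], "files": []})
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "mshta.exe":
            continue
        state = per_pid[ev["pid"]]
        if ev["id"] == 3:
            state["net"].append(f'{ev["dst_ip"]}:{ev["dst_port"]}')
        elif ev["id"] == 11 and TEMP_DIR_RE.search(ev["target"]):
            state["files"].append(ntpath.basename(ev["target"]).lower())
    alerts = []
    for pid, state in sorted(per_pid.items()):
        names = set(state["files"])
        pairs = sorted(n for n in names if n + ".dll" in names)
        if state["net"] and pairs:
            alerts.append({"pid": pid, "dst": state["net"], "dropped": pairs})
    return alerts


if __name__ == "__main__":
    for alert in detect_hta_dropper(SAMPLE_EVENTS):
        print("ALERT mshta.exe drop chain:", alert)
```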

Once the system is compromised, we see the Locky ransom notes appearing on the Desktop and in folders containing encrypted files:

[Screenshot: ransom notes on the Desktop]

[Screenshot: the Locky ransom note]

This version of Locky didn’t generate any POST requests (callback traffic). I recommend blocking the distribution site listed in the IOCs section.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
