- 220.127.116.11 – onushilon.org/56f2gsu782desf – GET request for payload
- SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7 – File name: 20160920034329138280504.zip
- SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66 – File name: QL5LY62838.hta
- SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d – File name: iIrfSCB1
- SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e – File name: iIrfSCB1.dll
The user received an email with no subject and no body text. The only thing in the email was an attached .zip archive:
Opening the attachment brings the user to an HTML Application called “QL5LY62838.hta”. Per Wikipedia’s definition, an “HTML Application (HTA) is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. The HTML is used to generate the user interface, and the scripting language is used for the program logic. An HTA executes without the constraints of the internet browser security model; in fact, it executes as a ‘fully trusted’ application”. In practice the .hta extension is associated with mshta.exe, so double-clicking the file runs its script with the user's full privileges rather than inside the browser sandbox. Here is the HTML Application contained within the .zip archive:
When you view the application source code you can see JScript within the <html> tags.
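The attachment-to-HTA chain above is exactly what a mail-gateway or IR triage script should catch before the script host ever runs. The following is an added example, not code from the original post: it opens a zip attachment in memory, flags any member whose extension is handed to a Windows script host (.hta among them), checks each member and the archive itself against the SHA256 values from the IOC list above, and notes whether an HTA carries an inline <script> block. The archive it builds is constructed for the example, with the sample's member name but a harmless placeholder body, so no real hash will match.

```python
import hashlib
import io
import posixpath
import zipfile

# SHA256 values copied from the IOC list in this post. Everything else in this
# block is constructed for the example.
IOC_SHA256 = {
    "a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7": "20160920034329138280504.zip",
    "b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66": "QL5LY62838.hta",
    "ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d": "iIrfSCB1",
    "60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e": "iIrfSCB1.dll",
}

# Extensions Windows hands to mshta.exe / wscript.exe / cscript.exe on double-click,
# i.e. "documents" that are really programs.
SCRIPT_HOST_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_attachment(zip_bytes: bytes):
    """Return [(member name, [reasons])] for every archive member worth a closer look.

    The archive itself is hashed against the IOC list first; each member is then
    checked by extension, by hash, and (for .hta files) for an inline <script> block.
    """
    findings = []
    archive_hash = sha256_hex(zip_bytes)
    if archive_hash in IOC_SHA256:
        findings.append(("<archive>", [f"archive SHA256 matches IOC {IOC_SHA256[archive_hash]}"]))

    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            ext = posixpath.splitext(info.filename)[1].lower()
            reasons = []
            if ext in SCRIPT_HOST_EXTENSIONS:
                reasons.append(f"extension {ext} runs under a Windows script host, not a viewer")
            digest = sha256_hex(data)
            if digest in IOC_SHA256:
                reasons.append(f"SHA256 matches IOC {IOC_SHA256[digest]}")
            if ext == ".hta" and b"<script" in data.lower():
                reasons.append("HTA carries an inline <script> block")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for the attachment: the sample's member name with a
    harmless placeholder HTA body (NOT the real dropper), plus a benign text member."""
    hta = (b"<html><head><title>x</title></head>"
           b"<script language=\"JScript\">/* placeholder */</script>"
           b"<body></body></html>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("QL5LY62838.hta", hta)
        zf.writestr("readme.txt", b"benign text member")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_attachment(build_sample_zip()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against a real attachment by passing the zip's bytes to `triage_attachment`; the extension check fires regardless of hash, which is the point: a hash list only catches this exact sample, while "a zip whose only member is an .hta" catches the next repack too.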
Once the script runs, the host makes a GET request to the distribution site for the payload:
This results in two files being dropped in %TEMP%: “iIrfSCB1” and “iIrfSCB1.dll”, the same file name with .dll appended. Note that the two SHA256 values in the IOC list differ, so the .dll is not a byte-for-byte copy of the extensionless file. Below are the files dropped in %TEMP%:
Once the system is compromised, Locky ransom notes appear on the Desktop and in every folder containing encrypted files:
This version of Locky didn’t generate any POST requests (callback traffic), so network detection has to key on the initial GET rather than on a beacon. I recommend blocking the distribution site (both the domain and the IP) listed in the IOCs section.