- 220.127.116.11 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
- 18.104.22.168 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
- 22.214.171.124 – Locky callback traffic – POST / data/info.php
- SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6
File name: DuINsSc1
- SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75
File name: DuINsSc2
- SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
File name: DuINsSc2.dll
This is a pretty standard infection chain for Locky right now. The malspam was sent out with the subject as “<no subject>” and there wasn’t any content written in the body. Attached to the email was a .zip folder called “20160922162033783339900.zip”. The first part of the string denotes today’s date. I’m not sure the significance, if any, of the end of the string.
Once the user opens the attachment they are presented with a oddly named JScript file. I’m hoping most user’s wouldn’t open this suspicious file but curiosity gets the better of people.
Once the JScript is opened and ran it makes a GET request for payloads from up to 3 different distribution sites located in an array. In my example there were two seperate GET requests made. The first distribution site (kothagudemtv[.]com) returned a 404 to my host.
The file was 1 KB in size was called DuINsSc1, “1” indicating that it was the first distribution site in the array. Since the first site failed to return the payload we see an additional GET request for the payload which was being hosted at paintingoregon[.]com.
The second GET request did successfully return the payload to my host which created both DuINsSc2 and DuINsSc2.dll in the user’s TEMP folder.
Once the 2nd file was received and executed the host made multiple post-infection POST requests to a C2 via a direct IP (126.96.36.199).
Once the files were encrypted ransom notes dropped on the Desktop and in folders containing encrypted files.
As always, I recommend blocking all the IPs in the IOCs section listed at the very top of this post.