JScript Downloads Locky Ransomware

IOCs:

  • 166.62.27.144 – kothagudemtv[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
  • 216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
  • 51.254.108.40 – Locky callback traffic – POST /data/info.php

Traffic:

[Screenshot: traffic]

Hashes:

  1. SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6
    File name: DuINsSc1
  2. SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75
    File name: DuINsSc2
  3. SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
    File name: DuINsSc2.dll

Infection Chain:

This is a pretty standard infection chain for Locky right now. The malspam was sent with the subject “<no subject>” and no content in the body. Attached to the email was a .zip archive called “20160922162033783339900.zip”. The first part of the string is today’s date; I’m not sure of the significance, if any, of the rest of the string.

[Screenshot: email]

Once the user opens the attachment they are presented with an oddly named JScript file. I’m hoping most users wouldn’t open such a suspicious file, but curiosity gets the better of people.
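A mail-gateway style check for this step, added here as an example and not code from the original post: it opens a ZIP attachment in memory and reports any member whose final extension is one Windows Script Host or mshta will execute on double-click. The extension list, the member names and the in-memory ZIP are constructed for the demonstration; the sample member name is invented and is not the real file name from the campaign.

```python
"""Added example: flag ZIP e-mail attachments that carry script payloads.

Not code from the original post. The extension list, the member names and the
in-memory ZIP are constructed for the demonstration.
"""
from __future__ import annotations

import io
import zipfile

# Extensions Windows executes as scripts on double-click (assumed list chosen
# for the demonstration; extend to match local policy).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def scan_zip_for_scripts(zip_bytes: bytes) -> list[str]:
    """Return the names of ZIP members whose last extension is a script type.

    Only the final extension is checked, so a lure such as 'invoice.pdf.js'
    is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            dot = name.rfind(".")
            ext = name[dot:].lower() if dot != -1 else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def verdict(zip_bytes: bytes) -> str:
    """Gateway decision: quarantine any archive that contains a script member."""
    return "quarantine" if scan_zip_for_scripts(zip_bytes) else "allow"


def build_sample_zip() -> bytes:
    """Constructed sample shaped like the malspam attachment described above.

    The member name is invented for the demonstration, not the campaign's file name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SAMPLE_m7Xq2~.js", "// placeholder member, no real script body\n")
        zf.writestr("readme.txt", "benign text member\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(scan_zip_for_scripts(sample))  # ['SAMPLE_m7Xq2~.js']
    print(verdict(sample))               # quarantine
```

The check deliberately looks at the archive contents rather than the attachment's own extension, since the outer .zip is what the mail client shows the user.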

[Screenshot: jscript-downloader]

Once the JScript is opened and run, it makes GET requests for the payload from up to three different distribution sites held in an array. In my example two separate GET requests were made. The first distribution site (kothagudemtv[.]com) returned a 404 to my host.

[Screenshot: 404]

The file, 1 KB in size, was called DuINsSc1, the “1” indicating that it came from the first distribution site in the array. Since the first site failed to return the payload, we see an additional GET request for the payload, which was being hosted at paintingoregon[.]com.

[Screenshot: locky-payload]

The second GET request did successfully return the payload to my host which created both DuINsSc2 and DuINsSc2.dll in the user’s TEMP folder.

[Screenshot: temp]

Once the second file was received and executed, the host made multiple post-infection POST requests to a C2 via a direct IP (51.254.108.40).

Once the files were encrypted, ransom notes were dropped on the Desktop and in the folders containing encrypted files.

[Screenshot: desktop]

[Screenshot: zepto]

As always, I recommend blocking all the IPs in the IOCs section listed at the very top of this post.
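Blocking the listed IPs covers this sample; a detection that also catches the next set of hosts is to match the request shape seen above. The following is an added example, not code from the original post: it runs the indicators from the IOC section over proxy log lines and flags three things: any request to a listed host or IP, a GET for the downloader path /g38f3fg on any host, and a POST to /data/info.php addressed to a bare IP (the Locky callback pattern). The log format (a simplified one-line "timestamp client method host path status" record) and the sample lines are constructed for the demonstration; only the hosts, IPs and paths come from the post. It goes beyond the post in matching the paths on hosts the IOC list does not name.

```python
"""Added example: match this post's IOCs and request patterns against proxy logs.

Not code from the original post. The log format and the sample lines are
constructed; the hosts, IPs and paths are the ones given in the IOC section.
"""
from __future__ import annotations

import ipaddress
import re

# Indicators from the IOC section (defanged form re-fanged for matching).
IOC_IPS = {"166.62.27.144", "216.87.185.25", "51.254.108.40"}
IOC_HOSTS = {"kothagudemtv.com", "paintingoregon.com"}
DOWNLOAD_PATH = "/g38f3fg"        # payload request path used on both distribution sites
CALLBACK_PATH = "/data/info.php"  # Locky POST callback path

# Constructed log layout: timestamp client method host path status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str) -> str | None:
    """Return a reason string when a log line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, method = m["host"], m["method"]
    path = m["path"].split("?", 1)[0]  # compare the path without the query string
    if host in IOC_IPS or host in IOC_HOSTS:
        return f"known indicator host {host}"
    if method == "GET" and path == DOWNLOAD_PATH:
        return "Locky downloader path on unlisted host"
    if method == "POST" and path == CALLBACK_PATH and is_bare_ip(host):
        return "Locky-style POST callback to bare IP"
    return None


def scan(lines) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for every matching line."""
    return [(line, reason) for line in lines if (reason := classify(line))]


# Constructed sample log lines modelled on the traffic described in the post.
SAMPLE_LOG = [
    "2016-09-22T16:20:40Z 10.0.0.5 GET kothagudemtv.com /g38f3fg?QWXPpShGH=jFGcsuhLD 404",
    "2016-09-22T16:20:41Z 10.0.0.5 GET paintingoregon.com /g38f3fg?QWXPpShGH=jFGcsuhLD 200",
    "2016-09-22T16:20:55Z 10.0.0.5 POST 51.254.108.40 /data/info.php 200",
    "2016-09-22T16:21:00Z 10.0.0.5 GET example.org /index.html 200",
    "2016-09-22T16:21:05Z 10.0.0.5 GET 203.0.113.9 /g38f3fg?x=y 200",       # same path, unlisted host
    "2016-09-22T16:21:10Z 10.0.0.5 POST 198.51.100.7 /data/info.php 200",  # callback shape, unlisted IP
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_LOG):
        print(reason, "<-", line)
```

The path checks are there because the distribution hosts rotate far faster than the downloader's URI pattern and callback path do; in practice the constructed log parser would be swapped for the field layout of whatever proxy or NetFlow source is on hand.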
