Month: October 2016

Malspam Leads to Locky (.shit) (/linuxsucks.php)

IOCs:
192.186.241.104 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
108.168.206.100 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
208.100.26.234 – gtlbihmxh.pw – POST /linuxsucks.php
Additional Distribution Domains from Hybrid-Analysis Report:
sowkinah.com – 62.84.69.75
bagnet.ir – 176.9.129.91
nanrangy.net – 120.117.3.119
Traffic:
IDS Alerts:
Hashes:
SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e File name: Receipt 17577-140426.wsf Hybrid-Analysis Report
SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79 File name: AvURdJbXv2.dll
Infection Chain: ...

Malspam Leads to Hancitor, Downloads pm.dll (Pony) and inst.exe (Vawtrak)

IOCs:
77.246.149.178 – ledintutat[.]com/ls5/gate.php – Hancitor C2
81.169.145.93 – e-kite[.]biz/wp-admin/includes/pm.dll – GET for Pony
77.246.149.178 – ledintutat[.]com/zapoy/gate.php – Pony C2
104.31.87.182 – geadent[.]ro/wp-admin/inst.exe – GET for Vawtrak
185.75.46.13 – SSL Blacklist Malicious SSL Certificate Detected (Vawtrak CnC)
Traffic:
IDS Events:
Hashes:
SHA256: d84b585409fb4f538cde666cefc7980ba3a927dc292dfb391bdcd8765d4ce0c8 File name: contract_54262.doc
SHA256: 420b028db779bdee1355b568fd1757a579505df41a1f3f620954a34d2b49a926 File name: hancitor.dll
SHA256: 903345e2ccc6c0045de61d40c4c85dad625274b0cc7a4fc4e0c3813811e44495 File name: ...

EITest Leads to Rig EK at 176.223.111.152. Malicious SSL Certificate Detected.

IOCs:
216.17.111.107 – theconservativeclub.us – Compromised website
176.223.111.152 – bj4lr.xl2sz08.top – Rig EK
222.206.156.2 and 208.73.206.179 – post infection DNS queries (shown below) and contacted both IPs via TCP port 80.
Domains resolving to the above IPs include:
nitrrotetris.com
monsterkillyep444.net
blintyris.net
lamerpamer.org
monertee39.com
Traffic:
Hashes:
SHA256: 92594f381dec2034ef0e0f53d0c5dbe8b8f706d36460e84172e9de9a08d3dec3 File name: RigEK Landing Page.html
SHA256: 49d5fd5a5b0058eccd888a149f6f995e7c160dd3973c0c0edebf0311365847cd File ...

EITest Leads to Rig EK at 176.223.111.33 and 176.223.111.77, Malicious SSL Certificate Detected

IOCs:
184.168.152.59 – abc-imports.com – Compromised website
176.223.111.33 – hs0ql.hd9ads4fb.top – Rig EK
176.223.111.77 – wub2v.pgpbpgu.top – Rig EK (second run)
222.206.156.2 and 208.73.206.179 – post infection DNS queries (shown below) and contacted both IPs via TCP port 80.
Domains resolving to the above IPs include:
nitrrotetris.com
monsterkillyep444.net
blintyris.net
lamerpamer.org
monertee39.com
Traffic (first run):
Hashes: ...

pseudoDarkleech Leads to Rig EK at 5.200.55.126 and Drops Cerber

IOCs:
66.147.244.158 – tbcphoenix.org – Compromised website
5.200.55.126 – ew.albanyparklocksmithchicago.com – Rig EK
194.165.16.0/24, 194.165.17.0/24, 194.165.18.0/24, 194.165.19.0/24 – UDP port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
136.243.157.171 – ffoqr3ug7m726zou.le2brr.bid – Cerber Decryptor site
Traffic:
Hashes:
SHA256: 79cfb143bb59ba051584be153aa1b0669eaa872630ebc647befaf7109a93d3df File name: RigEK Landing Page.html
SHA256: 4f2936fc74f7982fb450a0edfd0e200c0301b3cba56f3e55cc08cf92d423917d File name: RigEK Flash Exploit.swf
SHA256: 0601888775c21e42d533e028678b91ad70ed7656a2a7aa68f5d46fad2c1c6fbe File name: ...

EITest Leads to Rig EK at 192.99.197.128

IOCs:
160.153.75.199 – stampscraparttour.com – Compromised website
192.99.197.128 – qca7.rsecx.top – Rig EK
194.58.108.203 – GET /drb3.php?a=n [truncated]
185.49.68.167 – srugbah.com GET /d8/u1.php?a=n [truncated]
192.168.175.135 and 104.24.28.9 – whoer.net – IP check
There were also GET requests to cl.com, craigslist.org, google.com, yahoomail.com, mail.aol.com, and lolvn.gameinfo.garenanow.com. Furthermore, a lot of the requests being made are using port ...

EITest Leads to Rig EK at 185.45.193.52 Which Drops PushDo/Cutwail

IOCs:
198.23.50.198 – luxurenailbar.com – Compromised website
185.45.193.52 – jw1f0y.wkfroa.top – Rig EK
Post infection POST requests:
62.129.220.170 – infotech.pl
76.12.115.26 – leapc.com
50.63.46.84 – 2print.com
104.25.146.12 – dayvo.com
219.122.1.240 – ex-olive.com
103.241.2.201 – pb-games.com
193.34.148.140 – stnic.co.uk
77.66.54.114 – valdal.com
72.3.177.107 – owsports.ca
23.229.223.161 – nunomira.com
46.30.59.13 – com-sit.com
118.23.162.86 – ora.ecnet.jp
69.163.218.51 – ...

pseudoDarkleech Leads to Rig EK at 212.116.121.122 & Drops Cerber Ransomware

IOCs:
192.185.28.237 – eureka-resources.com – Compromised website
212.116.121.122 – try.jessicajw.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
107.161.95.138 – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
Traffic:
Hashes:
SHA256: 2cfbbe508cdfe85767c4ad9f097adce52bb8a630598f9b2d191b7dc82f195069 File name: RigEK Landing Page.html
SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e File name: RigEK Flash Exploit.swf
SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2 ...

Rig EK at 212.116.121.122 Drops Cerber Ransomware

IOCs:
50.62.216.150 – heathfoodstorenewsmyrna.com – Compromised website
212.116.121.122 – we.jessicaandclayton.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
107.161.95.138 – ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
Traffic:
Hashes:
SHA256: 2c68d7b4f7bb14a8b9f3986360bd351f34565eb0a4029ee01cc8588bcddb8c50 File name: RigEK Landing Page.html
SHA256: 3474904d1dfd8943d3c779d621aa9767465532f288523bae6b57194b35fb3e6e File name: RigEK Flash Exploit.swf
SHA256: 05d0f6625551fc4787430495d8c4f103e00624e7e64eb93b3c3bdbfb789981b2 ...

Rig EK at 109.234.35.79 Drops Cerber

IOCs:
67.222.1.229 – creeklinehouse.com – Compromised website
109.234.35.79 – xc.executivegrowth.com – Rig EK
31.184.234.0/24 and 31.184.235.0/24 – UDP traffic via port 6892
148.251.6.214 – btc.blockr.io – Bitcoin block explorer
173.254.231.111:
ffoqr3ug7m726zou.zn90h4.bid – Cerber Decryptor payment site
ffoqr3ug7m726zou.e6cf2t.bid – Cerber Decryptor payment site
107.161.95.138 – ffoqr3ug7m726zou.19jmfr.top – Cerber Decryptor payment site
185.100.85.150 – ffoqr3ug7m726zou.onion.to – Cerber ...