Malspam Leads to Locky (.shit) (/linuxsucks.php)

IOCs:

  • 192.186.241.104 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
  • 108.168.206.100 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
  • 208.100.26.234 – gtlbihmxh.pw – POST /linuxsucks.php

Additional Distribution Domains from Hybrid-Analysis Report:

  • sowkinah.com – 62.84.69.75
  • bagnet.ir – 176.9.129.91
  • nanrangy.net – 120.117.3.119

Traffic:

[screenshot: captured HTTP traffic]

IDS Alerts:

[screenshot: IDS events]

Hashes:

SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e
File name: Receipt 17577-140426.wsf
Hybrid-Analysis Report

SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79
File name: AvURdJbXv2.dll

Infection Chain:

The user received an email from rosetta.cranston@gmail.com with the subject “Receipt 81-633468”. The attachment is a Windows Script File (.wsf) named “Receipt 17577-140426” (the downloader):

[screenshot: the email and its Receipt 17577-140426.wsf attachment]

Executing “Receipt 17577-140426.wsf” generates the GET requests shown in the Traffic section above. The JScript inside the .wsf contains three hard-coded URLs from which the Locky payload can be downloaded.

The first GET request, to demoinfolink.com, returned a 404 and created AvURdJbXv1 in %Temp%. The second GET request, to naacllc.com, was successful: it returned the payload and dropped AvURdJbXv2.dll in %Temp%.

[screenshot: %Temp% directory with the dropped files]

After the files are encrypted, ransom notes appear on the Desktop in both .html (_WHAT_is.html) and Bitmap (_WHAT_is.bmp) formats:

[screenshot: _WHAT_is.html ransom note on the Desktop]

The threat actors behind Locky seem to be having some fun: they changed the POST request URI to “/linuxsucks.php” and the extension of encrypted files to “.shit” (SHIT File):

[screenshot: encrypted files with the .shit extension]
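As an added example (not from the original post), the following Python runs three checks for the chain described above over constructed proxy-log lines and a constructed file list: the downloader requesting the identical URI from several hard-coded hosts, the check-in POST to /linuxsucks.php, and the .shit extension on encrypted files. The log format, client IPs, timestamps and file names are assumptions; the hosts, URIs and extension come from the IOCs above.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (not from the post). Fields:
# time client method host path+query status
SAMPLE_LOG = """\
14:02:11 10.0.0.5 GET demoinfolink.com /076wc?KEMaUkmgWf=TfJgJx 404
14:02:13 10.0.0.5 GET naacllc.com /076wc?KEMaUkmgWf=TfJgJx 200
14:02:40 10.0.0.5 POST gtlbihmxh.pw /linuxsucks.php 200
14:05:00 10.0.0.7 GET example.org /index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) "
    r"(?P<host>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)

# Indicators taken from the post: C2 check-in URI and encrypted-file extension.
C2_URI = "/linuxsucks.php"
ENCRYPTED_EXT = ".shit"


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_downloader_fallback(events):
    """Flag a client that requested the identical path+query from two or more
    distinct hosts: the .wsf walks its hard-coded URL list with the same URI
    until one host actually serves the payload."""
    hosts_by_req = defaultdict(set)
    for e in events:
        if e["method"] == "GET":
            hosts_by_req[(e["src"], e["uri"])].add(e["host"])
    return [(src, uri, sorted(hosts))
            for (src, uri), hosts in hosts_by_req.items() if len(hosts) >= 2]


def detect_c2_checkin(events):
    """Flag POSTs to the Locky check-in URI regardless of host (domains rotate)."""
    return [(e["src"], e["host"]) for e in events
            if e["method"] == "POST" and e["uri"] == C2_URI]


def find_encrypted_files(filenames):
    """Return file names carrying the .shit extension this variant appends."""
    return [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
```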


malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
