- 18.104.22.168 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
- 22.214.171.124 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
- 126.96.36.199 – gtlbihmxh.pw – POST /linuxsucks.php
Additional Distribution Domains from Hybrid-Analysis Report:
- sowkinah.com – 188.8.131.52
- bagnet.ir – 184.108.40.206
- nanrangy.net – 220.127.116.11
File name: Receipt 17577-140426.wsf
File name: AvURdJbXv2.dll
The user received an email from firstname.lastname@example.org with the subject “Receipt 81-633468”. The attachment is a Windows Script File (.wsf) named “Receipt 17577-140426”, which acts as the downloader.
Executing “Receipt 17577-140426.wsf” generates the GET requests shown above in the Traffic section. The JScript inside the .wsf contains 3 hard-coded URLs from which the Locky payload can be downloaded.
The first GET request, to demoinfolink.com, returned a 404 and created AvURdJbXv1 in %Temp%. The second GET request, to naacllc.com, succeeded: it returned the payload, which was dropped as AvURdJbXv2.dll in %Temp%.
After the files are encrypted, ransom notes appear on the Desktop in both HTML (_WHAT_is.html) and bitmap (_WHAT_is.bmp) formats.
The threat actors behind Locky seem to be having some fun, as they changed the POST request URI to “/linuxsucks.php” and the file extension of encrypted files to “.shit” (SHIT File).
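A proxy-log check for the traffic pattern described above (a failed GET retried with the same URI on another host, followed by a POST to a third host), as an added example that is not part of the original post. The log format, client IPs, timestamps and the function name `find_fallback_downloads` are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not from the original capture):
# time, client, method, host, URI, status. Client IPs and times are made up.
SAMPLE_LOG = """\
2000-01-01T14:02:10 10.0.0.23 GET demoinfolink.com /076wc?KEMaUkmgWf=TfJgJx 404
2000-01-01T14:02:12 10.0.0.23 GET naacllc.com /076wc?KEMaUkmgWf=TfJgJx 200
2000-01-01T14:02:40 10.0.0.23 POST gtlbihmxh.pw /linuxsucks.php 200
2000-01-01T14:03:00 10.0.0.41 GET example.com /index.html 200
2000-01-01T14:03:05 10.0.0.41 GET example.org /index.html 200
"""

def parse(log_text):
    for line in log_text.splitlines():
        ts, client, method, host, uri, status = line.split()
        yield datetime.fromisoformat(ts), client, method, host, uri, int(status)

def find_fallback_downloads(log_text, window=timedelta(minutes=5)):
    """Flag clients that fetched a URI successfully after the same URI failed
    on a different host, and list POSTs to other hosts that follow."""
    by_client = defaultdict(list)
    for rec in parse(log_text):
        by_client[rec[1]].append(rec)
    findings = []
    for client, recs in by_client.items():
        recs.sort()
        gets = [r for r in recs if r[2] == "GET"]
        for ok in (r for r in gets if r[5] == 200):
            # Earlier failed attempts for the identical path and query string.
            failed = [r[3] for r in gets
                      if r[4] == ok[4] and r[3] != ok[3] and r[5] >= 400
                      and timedelta(0) <= ok[0] - r[0] <= window]
            if not failed:
                continue  # same URI on two hosts with no failure is not flagged
            posts = [(r[3], r[4]) for r in recs
                     if r[2] == "POST" and r[3] != ok[3]
                     and timedelta(0) <= r[0] - ok[0] <= window]
            findings.append({"client": client, "uri": ok[4],
                             "failed_hosts": failed, "payload_host": ok[3],
                             "followup_posts": posts})
    return findings

if __name__ == "__main__":
    for finding in find_fallback_downloads(SAMPLE_LOG):
        print(finding)
```

The heuristic only fires when the downloader has to fall back; if the first hard-coded URL serves the payload, only the follow-up POST is left to match on.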