“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs:

  • 185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE
  • 69.195.129.70 – disvfthejnadoufh.biz – POST /message.php
  • 176.103.56.119 – POST /message.php
  • 109.234.35.230 – POST /message.php

Traffic:

[Figure: traffic capture]

DNS Requests:

Domain                         IP Address       Country
xbgokbdvilnrlw.info
cwvmkawujq.su
ukyrrqcxd.su
jkvhihqdaaoyd.org
ihdteyhyewuaid.click
bjbsbpmhlpwaxf.pl
torproject.org                 82.195.75.101    Germany
ojxbkeexoqrbirtq.org
bqpkcrxsx.su
dx-team.org                    185.17.41.83     Poland
mwddgguaa5rj7b54.onion.to      185.100.85.150   Romania
kcnwtdns.pw
jyvityqhfggxicasf.pw
mwddgguaa5rj7b54.tor2web.org   38.229.70.4      United States

Hashes:

SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0
File name: 8038455679-5513221388-201611105248-1028.js
Hybrid-Analysis Report

SHA256: 0e969221c2e8d9c76a5ad863a80be2486a867ad8358bffd3a56158fcf7e3997e
File name: gGoVQg2.dll
Hybrid-Analysis Report

Emerging Threats Alerts:

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET DNS Query to a *.pw domain – Likely Hostile
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET POLICY DNS Query to .onion proxy Domain (tor2web)
ET POLICY DNS Query to .onion proxy Domain (onion.to)

Email:

The email comes from rebecca.griswold@youmovebnu.com with the subject line "!! Urgent payment request". The attachment is a .zip archive containing a JScript file named 8038455679-5513221388-201611105248-1028.js:

[Figure: email and JScript attachment]

Executing the JScript file generates GET requests for the .dll from several distribution sites. In my sample we see a GET request for the payload via dx-team.org. The downloaded DLL is dropped in the user’s %Temp% folder:

[Figure: %Temp% folder with the dropped DLL]

Once the files are encrypted, the Desktop wallpaper is replaced with the Locky ransom note, ransom notes (.html and .bmp) are dropped on the Desktop and in the affected folders, and the encrypted files are renamed to the user’s personal ID number with the file extension .thor:

[Figure: Desktop ransom note and encrypted .thor files]

As always, block the distribution sites and C2s.
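As an added example (not part of the original write-up), the script below turns the indicators above into a small log matcher: it flags the distribution and C2 hosts from the IOC list, any POST to /message.php, and DNS queries to .su/.pw TLDs or Tor-proxy domains (onion.to, tor2web.org), mirroring the Emerging Threats alerts listed above. The proxy and DNS log formats and the sample lines are constructed for the example; the malicious entries reuse the post's own indicators.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IOC and DNS sections of this post.
IOC_IPS = {"185.17.41.83", "69.195.129.70", "176.103.56.119", "109.234.35.230"}
IOC_DOMAINS = {"dx-team.org", "disvfthejnadoufh.biz"}
C2_PATH = "/message.php"
# Heuristics mirroring the Emerging Threats alerts listed in the post.
SUSPICIOUS_TLDS = {"su", "pw"}
ONION_PROXY_SUFFIXES = (".onion.to", ".tor2web.org")

# Assumed (constructed) log formats, one record per line:
#   <timestamp> <client> <METHOD> <url>      (proxy log)
#   <timestamp> <client> DNS <query-name>    (DNS log)
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) DNS (?P<qname>\S+)$")


def classify_proxy(line):
    """Return the indicator names a proxy-log line matches (empty if clean)."""
    m = PROXY_RE.match(line)
    if not m:
        return []
    hits = []
    parts = urlsplit(m.group("url"))
    host = (parts.hostname or "").lower()
    if host in IOC_IPS or host in IOC_DOMAINS:
        hits.append("known-ioc-host")
    # The check-in seen in this sample is a POST to /message.php; flag the
    # path on its own as well, since C2 IPs rotate faster than block lists.
    if m.group("method") == "POST" and parts.path == C2_PATH:
        hits.append("locky-c2-post")
    return hits


def classify_dns(line):
    """Return the indicator names a DNS-log line matches (empty if clean)."""
    m = DNS_RE.match(line)
    if not m:
        return []
    hits = []
    qname = m.group("qname").lower().rstrip(".")
    if qname in IOC_DOMAINS:
        hits.append("known-ioc-domain")
    tld = qname.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        hits.append("suspicious-tld-" + tld)
    if qname.endswith(ONION_PROXY_SUFFIXES):
        hits.append("onion-proxy")
    return hits


def scan(lines):
    """Run both classifiers over a log; return (line, hits) for each hit."""
    findings = []
    for line in lines:
        hits = classify_dns(line) or classify_proxy(line)
        if hits:
            findings.append((line, hits))
    return findings


# Constructed sample log; malicious entries reuse the indicators from the post.
SAMPLE_LOG = [
    "2016-11-10T10:52:48Z 10.0.0.5 DNS dx-team.org",
    "2016-11-10T10:52:48Z 10.0.0.5 GET http://dx-team.org/jhb6576?GChuOAtzYEq=GVUYNDbBRRE",
    "2016-11-10T10:52:49Z 10.0.0.5 DNS cwvmkawujq.su",
    "2016-11-10T10:52:50Z 10.0.0.5 DNS kcnwtdns.pw",
    "2016-11-10T10:52:50Z 10.0.0.5 DNS mwddgguaa5rj7b54.onion.to",
    "2016-11-10T10:52:51Z 10.0.0.5 POST http://69.195.129.70/message.php",
    "2016-11-10T10:53:01Z 10.0.0.5 DNS www.example.com",
    "2016-11-10T10:53:02Z 10.0.0.5 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Run against the sample log, six of the eight lines are flagged and the two example.com lines pass clean. The TLD and onion-proxy rules are heuristics, as the ET alert names say: a .su or .pw query is "often" or "likely" hostile, so treat those hits as triage leads and the IOC-list and /message.php hits as the ones to block on.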
