Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs:

  • 93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw
  • 37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw
  • 108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw
  • 194.1.239.152 – POST /linuxsucks.php
  • 51.255.107.20 – POST /linuxsucks.php
  • 194.28.87.26 – POST /linuxsucks.php

Traffic:

traffic

DNS Requests:

Domain IP Address Country
iyemdymjdev.pl
qcatgljdsgfvcqq.pw
pllyggakgcuto.org
moyihqyicfciqf.ru
mygyylys.biz
uxwamyckkeyfndcrg.xyz
odysdabvtgvjqguls.pw
bestline.cz 93.185.104.25 Czech Republic
decactus.cl 108.163.209.27 United States
hrogqamrchfj.info
qsrxtej.info
syjrhnjosou.biz
carmenortigosa.com 37.153.89.141 Spain
aqedukoewhxysqotd.org

Hashes:

SHA256: 92653c0f4adb3e17598f841c5da47775771cf225021c892d8cb0f4017b74ceb8
File name: DSCF0822.wsf
Hybrid-Analysis Report

SHA256: 3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93
File name: SYgTnmS3.dll
Hybrid-Analysis Report

Emerging Threats Alerts:

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET DNS Query to a *.pw domain – Likely Hostile
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
ET CNC Ransomware Tracker Reported CnC Server TCP group 129

IDS Event:

ids-alertids-event

Email:

The email is coming from “Madge Taylforth” at madge.0975@fourgates.hu. The subject of the email is DSCF6372.pdf. The attachment contains a .zip’d Windows Script File called DSCF0822:

email

windows-script-file

Executing the WSF file generates GET requests for the .dll from various distribution sites. The first two GET requests (bestline.cz and carmenortigosa.com) resulted in a 403 and a 302 (location hxxp://carmenortigosa[.]com/cgi-sys/suspendedpage.cgi?cFqotowK=rUUwhHw).

In my sample we see a GET request for the payload via decactus.cl. The file is dropped in the user’s %Temp% folder:

temp

Once the files are encrypted we see the Desktop changed to the Locky ransom note, ransom notes (.html and .bmp) being dropped on the Desktop/folders, as well as the encrypted files renamed to the user’s personal ID number and given the file extension .thor:

desktopencrypted-file

As always, block the distribution sites and C2s.

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: