“Card Receipt” Leads to Locky (.osiris)

IOCs:

  • 116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site
  • Additional Distribution Sites:
    • wiktorek140.cba.pl (95.211.144.65)
    • yourwebstek.nl (185.87.184.130)
    • xxmaoyi.com (120.25.161.125)
    • eroicgrvh38j3f3.com (94.231.77.230)
  • 91.142.90.46 – POST /checkupdate

Traffic:

[image: traffic capture]

Hashes:

SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea
File name: img(194).jse
Hybrid-Analysis Link (JS Nemucod)

SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6
File name: msTTSUO1

SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1
File name: msTTSUO1.dll
Hybrid-Analysis Link

Email:

[image: malspam email]

The attachment is a ZIP file named doc(15). Opening the ZIP file shows that it contains a JScript Encoded Script File (.jse) named img(194).

[image: script]

Executing the script initiates a download from one of the five hard-coded distribution sites:

[image: partial script]

Those strings decode to the following distribution sites:
yulexiuba.com/1324w
wiktorek140.cba.pl/1324w
yourwebstek.nl/1324w
xxmaoyi.com/1324w
eroicgrvh38j3f3.com/1324w (Whois Record)

On my run the first distribution site successfully responded and returned the file:

[image: TCP stream]

The file is then dropped in %Temp%:

[image: %Temp% listing]

Encrypted files are renamed to a 36-character alphanumeric string with the file extension .osiris appended. The first 16 characters represent the user's personal ID. Ransom notes named OSIRIS-[4 alphanumeric characters].html are also dropped in various locations:
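The file-naming pattern above and the network indicators from the IOC list can be turned into simple triage logic for a responder. The following is an added example, not code from the post; it assumes that the 36-character name may contain hyphens as well as letters and digits, and the sample file listing is constructed.

```python
import re
# Patterns from the post: encrypted files become a 36-character name ending in
# .osiris; ransom notes are OSIRIS-<4 chars>.html. Hyphens in the name are an assumption.
ENCRYPTED_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]{36})\.osiris$")
RANSOM_NOTE_RE = re.compile(r"^OSIRIS-[A-Za-z0-9]{4}\.html$", re.IGNORECASE)
# Network indicators taken from the post's IOC list.
DIST_DOMAINS = {"yulexiuba.com", "wiktorek140.cba.pl", "yourwebstek.nl", "xxmaoyi.com", "eroicgrvh38j3f3.com"}
CHECKUPDATE_HOST = "91.142.90.46"

def classify(path):
    """Label a Windows or POSIX path as 'encrypted', 'ransom_note' or 'other'."""
    name = path.replace("\\", "/").rpartition("/")[2]
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    return "other"

def victim_id(path):
    """First 16 characters of an .osiris name (the personal ID, per the post), else None."""
    m = ENCRYPTED_RE.match(path.replace("\\", "/").rpartition("/")[2])
    return m.group("name")[:16] if m else None

def triage(paths):
    """Count each class and collect distinct victim IDs and ransom-note directories."""
    out = {"encrypted": 0, "ransom_note": 0, "other": 0, "ids": set(), "note_dirs": set()}
    for p in paths:
        kind = classify(p)
        out[kind] += 1
        if kind == "encrypted":
            out["ids"].add(victim_id(p))
        elif kind == "ransom_note":
            out["note_dirs"].add(p.replace("\\", "/").rpartition("/")[0])
    return out

def network_ioc(method, host, path):
    """Match a proxy-log request against the post's download and POST indicators."""
    if method == "GET" and host in DIST_DOMAINS and path.split("?", 1)[0] == "/1324w":
        return "distribution_site"
    if method == "POST" and host == CHECKUPDATE_HOST and path == "/checkupdate":
        return "checkupdate_post"
    return None

# Constructed sample listing (not from the post's capture).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\D7F1CE5D-6BCB-8BA3-A9A7-FB57BB0ACC3E.osiris",
    r"C:\Users\alice\Documents\D7F1CE5D-6BCB-8BA3-1234-0123456789AB.osiris",
    r"C:\Users\alice\Documents\OSIRIS-a1b2.html",
    r"C:\Users\alice\Documents\report.docx",
]
```

Running `triage` over a file-share listing gives a quick count of affected files and the set of victim IDs present, which is useful when more than one host has written into the same share.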

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
