- 18.104.22.168 – xn--pasaer-spb.pl – Distribution Site
- 22.214.171.124 – temail.com – Distribution Site
- DNS queries:
- bqukfjfv.org (126.96.36.199)
- szwanrong.com (188.8.131.52)
File name: 201612031056373427451410.vbs
File name: uQzqIRdHQ.34
File name: uQzqIRdHQ.343
The image above shows the email attachment as a ZIP file. Opening the ZIP file shows the user a file called “201612031056373427451410.”
While Windows doesn’t show you file extensions by default you can see that the file type is a VBScript Script File. Going to your Folder Options > View > and then unchecking “Hide extensions for known file types” will allow you to see the file extensions.
Once executed the script will download the file from three different locations. In my run it attempted the first location (xn--pasaer-spb.pl) but failed. However, it was successful on the second attempt (temai1.com):
The script also contained a third location of ruifengweb.com (184.108.40.206).
Below is a snippet from the script:
We see the files dropped in %Temp%:
Once infected user’s files are renamed and the file extension is changed to .zzzzz. Furthermore, user’s are also shown ransom notes called “-INSTRUCTION.html.”: