Malspam Leads to Locky (.zzzzz)

IOCs:

  • 185.25.149.13 – xn--pasaer-spb.pl – Distribution Site
  • 139.224.165.195 – temail.com – Distribution Site
  • DNS queries:

Traffic:

[Image: traffic]

Hashes:

SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7
File name: 201612031056373427451410.vbs

SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e
File name: uQzqIRdHQ.34

SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf
File name: uQzqIRdHQ.343

Email:

[Image: malspam-3]

The image above shows the email attachment, a ZIP file. Opening the ZIP presents the user with a file named “201612031056373427451410”.

[Image: script-3]

While Windows doesn’t show file extensions by default, the Type column still reveals the file as a VBScript Script File. Going to Folder Options > View and unchecking “Hide extensions for known file types” will make the extensions visible.

Once executed, the script tries to download the payload from one of three locations. In my run the first location (xn--pasaer-spb.pl) failed, but the second attempt (temai1.com) succeeded:

[Image: file]

The script also contains a third location, ruifengweb.com (122.114.124.34).

Below is a snippet from the script:

[Image: distribution-locations]

Processes:

[Image: system-resource-monitor]

We see the files dropped in %Temp%:

[Image: temp]

Once infected, the user’s files are renamed and given the .zzzzz extension. The user is also shown ransom notes named “-INSTRUCTION.html”:

[Image: malwarebreakdown]
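As an added triage example (not code from the original post), the script below runs over constructed Sysmon-style file-create and DNS events and flags hosts that contacted the three download sites from the IOC list or that created several .zzzzz files around a -INSTRUCTION.html note. The event format, the host names, the 5-minute window and the 3-file threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE = "-INSTRUCTION.html"   # ransom note name from the post
ENCRYPTED_EXT = ".zzzzz"            # extension given to encrypted files
# The script's three download locations, as named in the post
DISTRIBUTION_HOSTS = {"xn--pasaer-spb.pl", "temail.com", "ruifengweb.com"}
# Constructed sample telemetry: (host, ISO timestamp, kind, detail), where
# kind "net" carries a contacted domain and kind "file" a created-file path.
SAMPLE_EVENTS = [
    ("ws01", "2016-12-03T10:56:00", "net", "xn--pasaer-spb.pl"),
    ("ws01", "2016-12-03T10:56:05", "net", "temail.com"),
    ("ws01", "2016-12-03T10:57:01", "file", r"C:\Users\a\Documents\report.zzzzz"),
    ("ws01", "2016-12-03T10:57:02", "file", r"C:\Users\a\Documents\budget.zzzzz"),
    ("ws01", "2016-12-03T10:57:03", "file", r"C:\Users\a\Pictures\holiday.zzzzz"),
    ("ws01", "2016-12-03T10:57:10", "file", r"C:\Users\a\Documents\-INSTRUCTION.html"),
    # ws02: one stray .zzzzz file plus a note, below the threshold, so not flagged
    ("ws02", "2016-12-03T09:00:00", "file", r"C:\Users\b\Desktop\old.zzzzz"),
    ("ws02", "2016-12-03T09:00:05", "file", r"C:\Users\b\Desktop\-INSTRUCTION.html"),
    ("ws03", "2016-12-03T11:00:00", "net", "example.com"),
]

def triage(events, window=timedelta(minutes=5), min_encrypted=3):
    """Map host -> findings: 'download_attempts' lists distribution sites the
    host contacted; 'encrypted_files_near_note' is the number of .zzzzz files
    created within `window` of a ransom note, reported when >= min_encrypted."""
    per_host = defaultdict(lambda: {"enc": [], "notes": [], "net": set()})
    for host, ts, kind, detail in events:
        rec, when = per_host[host], datetime.fromisoformat(ts)
        if kind == "net" and detail.lower() in DISTRIBUTION_HOSTS:
            rec["net"].add(detail.lower())
        elif kind == "file":
            name = detail.rsplit("\\", 1)[-1]       # Windows path, keep basename
            if name.lower().endswith(ENCRYPTED_EXT):
                rec["enc"].append(when)
            elif name == RANSOM_NOTE:
                rec["notes"].append(when)
    findings = {}
    for host, rec in per_host.items():
        found = {}
        if rec["net"]:
            found["download_attempts"] = sorted(rec["net"])
        best = max((sum(1 for t in rec["enc"] if abs(t - note) <= window)
                    for note in rec["notes"]), default=0)
        if best >= min_encrypted:
            found["encrypted_files_near_note"] = best
        if found:
            findings[host] = found
    return findings
```

Feeding real Sysmon Event ID 11 (file create) and DNS query records into the same tuple shape is enough to reuse the function as-is.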
