“Payment Receipt” Drops Locky (.osiris)

IOCs:

  • 62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI
  • Additional Download Locations (contained in obfuscated JS downloader):
    • u-niwon.com/098tb – 218.232.104.232
    • chanet.jp/098tb – 210.196.232.211
    • valuationssa.com.au/098tb – 104.27.149.238
    • More compromised sites being used as download locations (posted by Techhelplist):
      • aetech-solutions.com/098tb – 37.59.51.53
      • bigtrust.co.kr/098tb – 211.40.221.90
      • braindouble.com/098tb – 207.45.186.214
      • haibeiwuliu.com/098tb – 122.114.99.100
      • laferwear.com/098tb – 97.74.215.147
      • malamut.org/098tb – 212.85.104.64
      • markettv.ro/098tb – 89.149.4.195
      • maycongtrinhduylong.com/098tb – 123.30.181.207
      • mondegraphic.com/098tb – 37.187.143.115
      • mtrk.ru/098tb – 212.23.79.123
      • polgarorvasad.hu/098tb – 195.228.152.23
      • software.waleshigh.com/098tb – 188.94.74.76
      • stonerinsurance.com/098tb – 172.246.156.150
      • subys.com/098tb – 180.71.58.101
      • szwanrong.com/098tb – 119.29.99.214
      • theamericanwake.com/098tb – 208.56.45.17
      • travelinsider.com.au/098tb – 203.98.84.123
      • ucbus.net/098tb – 211.149.250.179
      • viscarci.com/098tb – 120.39.243.225
      • walkonwheels.net.au/098tb – 202.125.36.106
      • wirtschaftundumwelt.de/098tb – 85.13.128.34
      • wiselysoft.com/098tb – 107.180.51.106
      • wishingwellhosting.com.au/098tb – 103.63.26.159
      • wudiai.com/098tb – 119.29.9.237
      • swordwind.org/098tb – 216.249.101.162
  • 31.202.128.199 – POST /checkupdate
  • 176.121.14.95 – POST /checkupdate (from Hybrid-Analysis report)

Traffic:

get-and-post

Hashes:

SHA256: f59d43d8c311a92ed5134847051cdc15b67c7dd66777a42b5fa4760a3bd41d7c
File name: VDT8310927.jse
Hybrid-Analysis Report

SHA256: 7374e2124aee0624b4d3b2195ec8f2e4fe0d6cc1e56c84f56529ea7da542e310
File name: ORzVjDFWo1

SHA256: f5f9ba19d6ee135e342a892a78d2d96f9e1d9c9bf8b4106ab36c6e833a075a67
File name: ORzVjDFWo1.dll
Hybrid-Analysis Report

Email:

email

The email contains a ZIP file called Receipt_60.zip. Opening up the ZIP file shows it contains a JScript Encoded Script File called VDT8310927.jse. Executing that script file initiates the GET request(s) for the payload. In my sample there were four download locations:

obfuscated-js-downloader
Partial image of JS Downloader

These strings decode to the following download locations:

  • test.grafixx.org/098tb
  • u-niwon.com/098tb
  • chanet.jp/098tb
  • valuationssa.com.au/098tb

The first download attempt was successful so it skipped the other locations. Below is the GET for the file:

get-for-payload

After we see the file being dropped in %Temp%.

Once infection has completed the user’s encrypted files are renamed to a 36 character alpha-numeric string, with the first 16 characters representing the user’s “personal identification ID.” The encrpyted files are also being appended with a .osiris.

Lastly, we see that there are ransom notes created in folders containing encrypted files (OSIRIS-[4 alpha numeric].htm) and the user’s Desktop displays an image (.bmp) as well as a OSIRIS.htm file:

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.

Leave a Comment

%d bloggers like this: