“Bill for Papers” Drops Locky (.Osiris) (/checkupdate)

IOCs:

  • 162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script
  • 222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script
  • 199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script
  • 107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script
  • 176.121.14.95 – POST /checkupdate – C2 IP

Traffic:

traffic

Hashes:

SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544
File name: 765-HIGV0613.wsf
Hybrid-Analysis Submission

SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be
File name: KwNzXMj1

SHA256: 5c8d053e3339d09bf277a98c73feac0eb34dd604ae8459f3f24cd7c1a56f414a
File name: KwNzXMj1.dll
Hybrid-Analysis Submission

Email:

email

The infection begins with the malspam being opened by the user. In the email there is an attachment containing a .zip file. Opening the .zip file shows there to be a file called 765-HIGV0613.wsf:

wsf

Once the user executes the script there is an automated GET request made to one of the four possible download locations.

My sample was relatively new so the first location was successfully reached. Had the first location not responded there were still three other possible download locations that would have been attempted.

partial-image-of-script

partial image of script showing encoded download locations

Here is the GET for the file:

get

Both the file and the .dll that was created were dropped in %Temp%:

temp

Once the system had been fully infected documents were encrypted and ransom notes displayed:

Ransom notes are called “OSIRIS-[4 alpha numeric].htm” and encrypted files are renamed and appended with a .osiris. This is especially annoying for users as now they really don’t know what files were infected.

My recommendation is to block the download locations and the C2 IP.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: