- 184.108.40.206 – aghadiinfotechforclient.com/jht76gh – Download location found in script
- 220.127.116.11 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script
- 18.104.22.168 – livingfreehomeramps.com/jht76gh – Download location found in script
- 22.214.171.124 – adenadataediting.com/jht76gh – Download location found in script
- 126.96.36.199 – POST /checkupdate – C2 IP
File name: 765-HIGV0613.wsf
File name: KwNzXMj1
File name: KwNzXMj1.dll
The infection begins with the malspam being opened by the user. In the email there is an attachment containing a .zip file. Opening the .zip file shows there to be a file called 765-HIGV0613.wsf:
Once the user executes the script there is an automated GET request made to one of the four possible download locations.
My sample was relatively new so the first location was successfully reached. Had the first location not responded there were still three other possible download locations that would have been attempted.
Here is the GET for the file:
Both the file and the .dll that was created were dropped in %Temp%:
Once the system had been fully infected documents were encrypted and ransom notes displayed:
Ransom notes are called “OSIRIS-[4 alpha numeric].htm” and encrypted files are renamed and appended with a .osiris. This is especially annoying for users as now they really don’t know what files were infected.
My recommendation is to block the download locations and the C2 IP.