“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs:

  • 211.149.241.201 – phpwind.0592yt[.]com/result – Download location
  • 115.29.247.219 – 902f[.]com/result – Download location
  • 176.114.0.20 – shema.org[.]ua/result – Download location
  • 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location
  • 202.133.118.222 – aqua-inter[.]com/result – Download location
  • 194.28.49.140 – cdsp[.]pl/result – Download location
  • 216.110.144.152 – hanavanpools[.]com/result – Download location
  • 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location
  • 193.201.225.124 – POST /checkupdate – Locky C2
  • 176.121.14.95 – POST /checkupdate – Locky C2

Traffic:

[images: traffic captures (traffic, traffic-2)]

Hashes:

SHA256: 8523c463cee6bffd0f6caf07890c674caa229a8389e87adfe3689f9858f13ba6
File name: A4D989B3D.vbs

SHA256: c014312802badeb909b24283550696f5f2357bd8fd6991a1f26a0613fc7b5469
File name: YA67D5D8.vbs

SHA256: a406a67e5620bbe79026546e3889375497611955ff5248e9bdfef857982f26ba
File name: cIyJxGq.rfh and ASEmIpu.rfh

SHA256: a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa
File name: cIyJxGq.rfh3 and ASEmIpu.rfh3

Infection Chain:

The user received two emails with the subject “Scanned copy.” These came from two different email addresses:

[images: the two "Scanned copy" emails (malspam-1, malspam)]

Each email had an attached .zip file (BR00000004 and BR00000006) containing a .vbs:

[images: the .vbs attachments (vbs)]

Executing the script caused the host to make GET requests for the Locky payload from hard-coded download locations. Each script contained 4 download locations. Below are images of the URLs in the script:

[images: script containing download locations]

If the first download location fails, the next location is attempted. This goes on until all the locations have been tried. Here is an image of one of the GET requests:

[image: GET request for the payload]

Once a download location returns the payload it is dropped in %Temp%:

[images: payload dropped in %Temp%]

Shortly after execution we see 4 POST requests to the C2. After infection is complete the Desktop background is changed to DesktopOSIRIS.bmp and a ransom note called DesktopOSIRIS.htm is opened on the screen. Both files are stored in the user folder.

Encrypted files are also renamed and appended with .osiris. Notice that a ransom note is dropped in locations containing encrypted files.

[image: encrypted files renamed with the .osiris extension]

Ransom note file names follow the pattern OSIRIS-([a-z0-9]{4}).htm

If you’re working in a SOC then I would recommend scanning network traffic for any hosts making HTTP connections to the C2s. Adding them to a blocklist couldn’t hurt either.
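One way to turn the indicators above into a SOC check, as an added example that is not part of the original post: it scans proxy-style log lines for the C2 check-in (POST /checkupdate), any other HTTP to the two C2 addresses, and GET /result against the download hosts, and it recognises the file-system artifacts the post describes. The log line layout ("<client_ip> <method> <host> <uri>") and the sample lines are constructed assumptions; adapt the regex to your own proxy format.

```python
import re
from collections import defaultdict

# Indicators from the post, with the defanging brackets removed so they match raw logs.
LOCKY_C2 = {"193.201.225.124", "176.121.14.95"}
DOWNLOAD_HOSTS = {
    "phpwind.0592yt.com", "902f.com", "shema.org.ua", "directprotectsolutions.co.uk",
    "aqua-inter.com", "cdsp.pl", "hanavanpools.com", "aguamineralsantacruz.com.br",
}
RANSOM_NOTE_RE = re.compile(r"^OSIRIS-[a-z0-9]{4}\.htm$")  # ransom-note naming pattern from the post
DESKTOP_ARTIFACTS = {"DesktopOSIRIS.bmp", "DesktopOSIRIS.htm"}
# Assumed proxy log layout (hypothetical): "<client_ip> <method> <host> <uri>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<uri>\S+)$")

def classify(line):
    """Return (client_ip, reason) when a log line matches a Locky indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, host, uri = m.group("src", "method", "host", "uri")
    if host in LOCKY_C2:  # any HTTP to a C2 address is worth a look; the check-in is the strongest signal
        if method == "POST" and uri == "/checkupdate":
            return src, "Locky C2 check-in (POST /checkupdate)"
        return src, "HTTP connection to Locky C2 address"
    if host in DOWNLOAD_HOSTS and method == "GET" and uri == "/result":
        return src, "payload download attempt (GET /result)"
    return None

def flag_hosts(log_lines):
    """Map each client IP to the ordered list of reasons it was flagged."""
    hits = defaultdict(list)
    for line in log_lines:
        r = classify(line)
        if r:
            hits[r[0]].append(r[1])
    return dict(hits)

def is_osiris_artifact(filename):
    """True for the ransom-note names and the .osiris extension described in the post."""
    return (filename in DESKTOP_ARTIFACTS or bool(RANSOM_NOTE_RE.match(filename))
            or filename.lower().endswith(".osiris"))

SAMPLE_LOG = [  # constructed sample lines, not taken from the post
    "10.0.0.5 GET phpwind.0592yt.com /result",
    "10.0.0.5 GET 902f.com /result",
    "10.0.0.5 POST 193.201.225.124 /checkupdate",
    "10.0.0.7 GET www.example.com /index.html",
    "10.0.0.9 GET 176.121.14.95 /checkupdate",
]
```

Running flag_hosts(SAMPLE_LOG) flags 10.0.0.5 for two download attempts followed by the C2 check-in, flags 10.0.0.9 for contacting a C2 address, and leaves 10.0.0.7 alone.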
