“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs:

  • 211.149.241.201 – phpwind.0592yt[.]com/result – Download location
  • 115.29.247.219 – 902f[.]com/result – Download location
  • 176.114.0.20 – shema.org[.]ua/result – Download location
  • 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location
  • 202.133.118.222 – aqua-inter[.]com/result – Download location
  • 194.28.49.140 – cdsp[.]pl/result – Download location
  • 216.110.144.152 – hanavanpools[.]com/result – Download location
  • 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location
  • 193.201.225.124 – POST /checkupdate – Locky C2
  • 176.121.14.95 – POST /checkupdate – Locky C2

Traffic:

[Image: network traffic captures showing the payload downloads and C2 POSTs]

Hashes:

SHA256: 8523c463cee6bffd0f6caf07890c674caa229a8389e87adfe3689f9858f13ba6
File name: A4D989B3D.vbs

SHA256: c014312802badeb909b24283550696f5f2357bd8fd6991a1f26a0613fc7b5469
File name: YA67D5D8.vbs

SHA256: a406a67e5620bbe79026546e3889375497611955ff5248e9bdfef857982f26ba
File name: cIyJxGq.rfh and ASEmIpu.rfh

SHA256: a1689ff89b47b415b5c444c195e037fb6fbe91871d6a68f82ff1accc467648aa
File name: cIyJxGq.rfh3 and ASEmIpu.rfh3

Infection Chain:

The user received two emails with the subject “Scanned copy.” These came from two different email addresses:

[Image: the two "Scanned copy" malspam emails]

Each email had an attached .zip file (BR00000004 and BR00000006) containing a .vbs:

[Image: the .vbs files extracted from the .zip attachments]

Executing the script caused the host to make GET requests for the Locky payload from hard-coded download locations. Each script contained 4 download locations. Below are images of the URLs in the script:

[Image: script contents showing the hard-coded download locations]

If the first download location fails, the next location is attempted, and so on until all the locations have been tried. Here is an image of one of the GET requests:

[Image: GET request for the payload]

Once a download location returns the payload it is dropped in %Temp%:

[Image: the dropped payload in %Temp%]

Shortly after execution we see 4 POST requests to the C2. Once infection is complete, the desktop background is changed to DesktopOSIRIS.bmp and a ransom note called DesktopOSIRIS.htm is opened on the user's screen. Both files are stored in the user folder.

Encrypted files are also renamed and given the .osiris extension. Note that a ransom note is dropped in every location containing encrypted files.

[Image: a directory of encrypted .osiris files with the dropped ransom note]

Ransom note file names match the pattern OSIRIS-([a-z0-9]{4}).htm
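As an added example (not part of the original write-up), the following Python applies the note pattern above together with the .osiris extension to a list of file paths, groups the results by directory, and flags any directory holding encrypted files without an accompanying note. The sample paths and the encrypted file names are constructed for this example; DesktopOSIRIS.htm is included as a second note name because the write-up mentions it being opened from the user folder.

```python
"""Added example, not part of the original write-up: sort file paths into
encrypted files (.osiris) and ransom notes (OSIRIS-xxxx.htm, the pattern from
the write-up, plus DesktopOSIRIS.htm from the user folder), grouped by
directory, and flag directories with encrypted files but no note.
Sample paths are constructed for this example."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note-name pattern from the write-up; DesktopOSIRIS.htm is the copy opened on screen.
NOTE_RE = re.compile(r"^(OSIRIS-[a-z0-9]{4}|DesktopOSIRIS)\.htm$", re.IGNORECASE)
ENCRYPTED_SUFFIX = ".osiris"


def triage(paths):
    """Group .osiris files and ransom notes by the directory that holds them."""
    by_dir = defaultdict(lambda: {"encrypted": [], "notes": []})
    for p in paths:
        wp = PureWindowsPath(p)
        d = str(wp.parent).lower()
        if wp.suffix.lower() == ENCRYPTED_SUFFIX:
            by_dir[d]["encrypted"].append(wp.name)
        elif NOTE_RE.match(wp.name):
            by_dir[d]["notes"].append(wp.name)
    return dict(by_dir)


def directories_missing_note(paths):
    """Directories with encrypted files but no note: worth a manual look."""
    return sorted(d for d, v in triage(paths).items()
                  if v["encrypted"] and not v["notes"])


def ransom_notes(paths):
    """Flat list of every ransom-note path, for collection during IR."""
    return [p for p in paths if NOTE_RE.match(PureWindowsPath(p).name)]


# Constructed sample: one encrypted directory with its note, one without,
# the desktop note, and a benign .htm that must not match.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\1A2B3C4D-5E6F-7A8B-9C0D-1E2F3A4B5C6D.osiris",
    r"C:\Users\alice\Documents\OSIRIS-a1b2.htm",
    r"C:\Users\alice\Pictures\9F8E7D6C-5B4A-3928-1706-F5E4D3C2B1A0.osiris",
    r"C:\Users\alice\DesktopOSIRIS.htm",
    r"C:\Users\alice\Documents\notes.htm",
    r"C:\Users\alice\Documents\budget.xlsx",
]

if __name__ == "__main__":
    for d, v in triage(SAMPLE_PATHS).items():
        print(d, v)
    print("missing note:", directories_missing_note(SAMPLE_PATHS))
```

On a real host you would feed triage() the output of a directory walk; matching on the full note name rather than just the .htm extension keeps ordinary web pages out of the results.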

If you’re working in a SOC then I would recommend scanning network traffic for any hosts making HTTP connections to the C2s. Adding them to a blocklist couldn’t hurt either.
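One way to do that scan over proxy logs, as an added example that is not part of the original write-up: the script below matches each log line against the download locations (GET .../result) and the C2s (POST /checkupdate) listed in the IOCs and groups hits per internal client. The log format and the sample lines are constructed for this example; the defanging brackets in the IOC list are removed so the hostnames match as logged.

```python
"""Added example, not part of the original write-up: match proxy-log lines
against the IOCs above and report internal hosts that fetched the Locky payload
(GET .../result from a listed download host) or checked in with a C2
(POST /checkupdate to a listed IP). Log format and sample lines are constructed."""
import re
from collections import defaultdict

# Download locations and C2s from the IOC list (defanging brackets removed).
DOWNLOAD_HOSTS = {
    "phpwind.0592yt.com", "902f.com", "shema.org.ua",
    "directprotectsolutions.co.uk", "aqua-inter.com", "cdsp.pl",
    "hanavanpools.com", "aguamineralsantacruz.com.br",
}
C2_IPS = {"193.201.225.124", "176.121.14.95"}

# Assumed (constructed) log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")


def classify(line):
    """Return ('payload'|'c2', client_ip, host) for an IOC hit, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    host, path = u["host"].lower(), (u["path"] or "/")
    if m["method"] == "GET" and host in DOWNLOAD_HOSTS and path == "/result":
        return ("payload", m["client"], host)
    if m["method"] == "POST" and host in C2_IPS and path == "/checkupdate":
        return ("c2", m["client"], host)
    return None


def scan(lines):
    """Group hits per internal client so the SOC can see which hosts need triage."""
    hits = defaultdict(lambda: {"payload": set(), "c2": set()})
    for line in lines:
        r = classify(line)
        if r:
            kind, client, host = r
            hits[client][kind].add(host)
    return {c: {k: sorted(v) for k, v in d.items()} for c, d in hits.items()}


# Constructed sample log: the first download location fails, the second
# returns the payload, then the host checks in with the C2. 10.0.0.22 hits the
# same path on an unlisted host and a listed host without the /result path.
SAMPLE_LOG = [
    "2016-12-06T10:01:02Z 10.0.0.15 GET http://phpwind.0592yt.com/result 404",
    "2016-12-06T10:01:03Z 10.0.0.15 GET http://902f.com/result 200",
    "2016-12-06T10:01:20Z 10.0.0.15 POST http://193.201.225.124/checkupdate 200",
    "2016-12-06T10:01:21Z 10.0.0.15 POST http://193.201.225.124/checkupdate 200",
    "2016-12-06T10:02:00Z 10.0.0.22 GET http://example.com/result 200",
    "2016-12-06T10:02:05Z 10.0.0.22 GET http://cdsp.pl/ 200",
]

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG).items():
        print(client, found)
```

A failed GET to a download location is still worth an alert, since it means the script ran on that host even if the payload came from a later location; the match here is deliberately strict (host plus path), and a broader policy of flagging any contact with the listed hosts or IPs is a reasonable tightening once they are on the blocklist.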

malwarebreakdown

Just a normal person who spends their free time infecting systems with malware.
