- 18.104.22.168 – phpwind.0592yt[.]com/result – Download location
- 22.214.171.124 – 902f[.]com/result- Download location
- 126.96.36.199 – shema.org[.]ua/result – Download location
- 188.8.131.52 – directprotectsolutions.co[.]uk/result – Download location
- 184.108.40.206 – aqua-inter[.]com/result – Download location
- 220.127.116.11 – cdsp[.]pl/result – Download location
- 18.104.22.168 – hanavanpools[.]com/result – Download location
- 22.214.171.124 – aguamineralsantacruz.com[.]br/result – Download location
- 126.96.36.199 – POST /checkupdate – Locky C2
- 188.8.131.52 – POST /checkupdate – Locky C2
File name: A4D989B3D.vbs
File name: YA67D5D8.vbs
File name: cIyJxGq.rfh and ASEmIpu.rfh
File name: cIyJxGq.rfh3 and ASEmIpu.rfh3
The user received two emails with the subject “Scanned copy.” These came from two different email addresses:
Each email had an attached .zip file (BR00000004 and BR00000006) containing a .vbs:
Executing the script caused the host to make GET requests for Locky payloads via hard coded download locations. Each script contained 4 download locations. Below are images of the URLs in the script:
If the first download location fails then the next location is attempted. This goes on until all the locations have been tried. Here is an image of one of the GET request:
Once a download location returns the payload it is dropped in %Temp%:
Shortly after execution we see 4 POST requests to the C2. After infection is complete the Desktop background is changed to DesktopOSIRIS.bmp and a ransom note called DesktopOSIRIS.htm is opened on their screen. These files are being stored in the user folder.
Encrypted files are also renamed and appended with .osiris. Notice that a ransom note is dropped in locations containing encrypted files.
If you’re working in a SOC then I would recommend scanning network traffic for any hosts making HTTP connections to the C2s. Adding them to a blocklist couldn’t hurt either.