JScript Downloads Locky Ransomware

IOCs:
166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
51.254.108.40 – Locky callback traffic – POST /data/info.php

Traffic:

Hashes:
SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6 – File name: DuINsSc1
SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75 – File name: DuINsSc2
SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859 – File name: DuINsSc2.dll

Infection Chain: This is a pretty standard infection chain for Locky right now. The malspam was ...

EITest Gate at 31.184.193.179 Leads to Rig EK at 185.117.73.220 and Drops What Appears to be Betabot

IOCs:
198.15.70.67 – azarsenalsc[.]org – Compromised Site
31.184.193.179 – aliancaadm.top – EITest Gate
185.117.73.220 – zio11q.oa3ri8.top – Rig EK
103.243.38.25 – b.uandmearertyasport1.com – POST /direct/mail9/order.php – Betabot
103.234.37.4 – GET /rd927.exe – Post infection download
66.55.153.57 – and30.blabladomdom.com – POST /bla30/gate.php
104.223.89.174 – and30.blabladomdom.com – POST /bla30/gate.php
107.155.99.135 – and30.blabladomdom.com – POST /bla30/gate.php

Reference for ...

ZIP File Containing HTA File Leads to Locky Ransomware

IOCs:
121.200.60.26 – onushilon.org/56f2gsu782desf – GET request for payload

Hashes:
SHA256: a48ef938b06ce335f1560836cae24ff11c445a10ccdc75c459507115c9bdf3a7 – File name: 20160920034329138280504.zip
SHA256: b08bca7d704d2bdf7db5b542eda84f5b9cd27ddfcbea33843ec1c08d7d240f66 – File name: QL5LY62838.hta
SHA256: ec44b16f4806c37a83fecee4fd68cdea830e046eaa451a212ec519613248c27d – File name: iIrfSCB1
SHA256: 60b2d7d1cf0d543b5287088fa5f1d594181a128024770fc6cd08cb414a4ab07e – File name: iIrfSCB1.dll

Infection Chain: The user received an email with no subject and no content. The only thing contained in the email was an attached .zip ...

Rig EK at 74.208.192.129 Drops CryptMIC Ransomware

Rig EK at 74.208.99.252 Drops CryptMIC Ransomware

Rig EK Drops CryptMIC Ransomware

EITest Gate at 31.184.192.188 Leads to RigEK 185.117.73.207 and Drops Vawtrak

IOCs:
31.184.192.188 – kinepolis.top – EITest Gate
185.117.73.207 – culxw0.b28zu4.top – Rig Exploit Kit
108.61.99.79 – GET requests via direct IP with the URI pattern “/module/[32 alphanumeric characters]”

Post Infection DNS Queries:
95.46.98.89 – ctwruhwdk.com
95.46.98.89 – apgtsdeh.com
81.177.13.242 – lkfiravihg.com

Hashes:
SHA256: 74690c93ce0fef0c40c842fba6e3963c15a4d3c02e230000c0eb8da83deb22d8 – File name: EITest Flash File.swf
SHA256: 013c1c061383c27273398da975230a752487ae914bcc03892df905b859800a19 – File name: ...

“Delivery Confirmation” Leads to Locky Ransomware

IOCs:
49.212.150.106 – mochacat.net – GET /hjy93JNBasdas?FSDfsVLeGGr=GRNhTnWl

Hashes:
SHA256: 405ad2f09856f718fe3fce209c9d9e59ba4e1c2e4f16d0c9385224212103bb29 – File name: UCCNTXS1519.js
SHA256: c31e83a5b86f4410f1df147ae9717d0c9b69c65dee9fc2f9381ce085f481726a – File name: giHhrMNI1.dll
SHA256: e106c1a5f15599fab18934717d36a8e6c8bd8379f9649a565e41bce720fe73f0 – File name: giHhrMNI1

The user was sent an email from “ship-confirm@thecabinbreckenridge.com”. The subject of the email was “Delivery Confirmation: 00117932551”. The contents of the email are shown below. Notice how the email contains a ...

pseudoDarkleech Leads to Neutrino EK at 188.165.197.194 and Drops CryptMIC Ransomware

IOCs:
184.106.55.84 – busbycabinets.com – Compromised Site
188.165.197.194 – apulaisista.scrubs101webstore.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains Ransom Note

Hashes:
SHA256: fec4923f156bf46563bc8b06e8c9dc4e2ae25799224c0893e01d3f069dd9c7c7 – File name: Neutrino EK Landing Page.html
SHA256: 71db2bde4b377426657ab5a6554e274bb6fbdffd6b6ed3e7ef51ea48364cb17a – File name: Neutrino EK Flash Exploit.swf
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad432F6.tmp.dll

Traffic:

The Infection Chain: The infection chain starts off with the ...

pseudoDarkleech Leads to Neutrino EK at 137.74.223.56 and Drops CryptMIC Ransomware

IOCs:
184.106.55.75 – getfueled.com – Compromised Site
137.74.223.56 – baldonafunktionel.kayhaggard.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains ransom notes

Hashes:
SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558 – File name: NeutrinoEK Landing Page at 137.74.223.56
SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e – File name: NeutrinoEK SWF Exploit
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad8B9FC.tmp.dll

The Infection Chain: The infection chain starts off with the compromised ...

ZIP’D JScript File Leads to Malware (boxun4.bin)

IOCs: Sub-domains at .adultgameapp.ru and proadultgame.ru

I received some malspam on 9/2/16 entitled “Take easy steps on the ladder of happiness”. The email address of the sender was tqdwsaltpan@wavesboatclub.com and it was supposedly from a “Bettie K. Letbetter”. Allowing pictures to be displayed in the email shows sexually explicit content. Clicking on the link “Lecherous ...
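The IOC blocks in these listings all follow the same flattened shape: "IP – domain – note" lines (domains sometimes defanged with "[.]") and "SHA256: … File name: …" pairs. The script below, added here as an example and not code from any of the posts, parses that shape into records, refangs the domains, and emits a Zeek Intelligence Framework feed so the indicators can be loaded on a sensor rather than copied by hand. It also carries a regex for the "/module/[32 alphanumeric characters]" post-infection URI described in the Vawtrak post; that regex is constructed from the description, not taken from the post. The sample lines are copied from the listings above; the feed source name is an assumption.

```python
"""Parse the flattened IOC listings above into a Zeek intel feed.

Added example (not from the original posts). Sample input is copied from the
listings; the "/module/..." regex is constructed from the Vawtrak post's
description of the URI pattern, and the meta.source value is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Sample lines copied from the listings above (en dash separators as on the page).
SAMPLE_IOC_LINES = [
    "166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD",
    "216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD",
    "51.254.108.40 – Locky callback traffic – POST /data/info.php",
    "185.117.73.220 – zio11q.oa3ri8.top – Rig EK",
]
SAMPLE_HASHES = (
    "SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6 "
    "File name: DuINsSc1 "
    "SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859 "
    "File name: DuINsSc2.dll"
)

FIELD_SEP = re.compile(r"\s[\u2013-]\s")          # " – " (en dash) or " - "
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HOSTNAME = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
HASH_PAIR = re.compile(
    r"SHA256:\s*([0-9a-fA-F]{64})\s+File name:\s*(.+?)(?=\s+SHA256:|\s*$)")
# Constructed from the Vawtrak post's wording "/module/[32 alphanumeric characters]".
EITEST_MODULE_URI = re.compile(r"^/module/[A-Za-z0-9]{32}$")


@dataclass
class IOC:
    ip: str
    domain: Optional[str]   # None when the second field is a description, not a host
    note: str


def refang(host: str) -> str:
    """Undo the [.] defanging used in the listings so the indicator matches real traffic."""
    return host.replace("[.]", ".")


def parse_ioc_line(line: str) -> Optional[IOC]:
    """Parse 'IP – domain – note' or 'IP – note' lines; return None for anything else."""
    parts = [p.strip() for p in FIELD_SEP.split(line.strip())]
    if len(parts) < 2 or not IPV4.match(parts[0]):
        return None
    domain, rest = None, parts[1:]
    candidate = refang(rest[0])
    if HOSTNAME.match(candidate):
        domain, rest = candidate, rest[1:]
    note = " - ".join(rest).replace("\t", " ")   # intel files are tab separated
    return IOC(parts[0], domain, note)


def parse_hashes(text: str) -> List[Tuple[str, str]]:
    """Return (sha256, file name) pairs from the flattened 'Hashes:' text."""
    return [(h.lower(), name.strip()) for h, name in HASH_PAIR.findall(text)]


def to_zeek_intel(iocs: Sequence[IOC], hashes: Sequence[Tuple[str, str]] = (),
                  source: str = "malware-traffic-blog") -> str:
    """Render a Zeek Intelligence Framework feed, one indicator per row."""
    rows = ["#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc"]
    for ioc in iocs:
        rows.append(f"{ioc.ip}\tIntel::ADDR\t{source}\t{ioc.note}")
        if ioc.domain:
            rows.append(f"{ioc.domain}\tIntel::DOMAIN\t{source}\t{ioc.note}")
    for digest, name in hashes:
        rows.append(f"{digest}\tIntel::FILE_HASH\t{source}\t{name}")
    return "\n".join(rows) + "\n"


def matches_module_uri(uri: str) -> bool:
    """True for the '/module/<32 alphanumerics>' callback pattern from the Vawtrak post."""
    return EITEST_MODULE_URI.match(uri) is not None


if __name__ == "__main__":
    records = [r for r in map(parse_ioc_line, SAMPLE_IOC_LINES) if r]
    print(to_zeek_intel(records, parse_hashes(SAMPLE_HASHES)), end="")
```

Lines whose second field is a description rather than a hostname (for example the Locky callback entry) still yield an address indicator, with the description kept in meta.desc, so nothing from the listing is silently dropped. Hashes are lower-cased because Zeek compares FILE_HASH indicators as strings.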