pseudoDarkleech Leads to Neutrino EK at 137.74.223.56 and Drops CryptMIC Ransomware

IOCs:
184.106.55.75 – getfueled.com – Compromised Site
137.74.223.56 – baldonafunktionel.kayhaggard.com – Neutrino EK
46.165.246.9 – SSL/HTTPS callback traffic – Contains ransom notes

Hashes:
SHA256: 2b281628a86db99e4bc0ffb4365b1a2086b1241180553ba02b5f44c8d1fca558 – File name: NeutrinoEK Landing Page at 137.74.223.56
SHA256: 6cbdf88c3e91bd421ba1eb44bc437fb703a3711def4d3a524626a01ca345403e – File name: NeutrinoEK SWF Exploit
SHA256: 7d5611e84193bdc10e1a0bf51431eaa76bcd15e51930bf01384c327f763d191d – File name: rad8B9FC.tmp.dll

The Infection Chain: The infection chain starts off with the compromised ...

ZIP’D JScript File Leads to Malware (boxun4.bin)

IOCs:
Sub-domains at .adultgameapp.ru and proadultgame.ru

I received some malspam on 9/2/16 entitled “Take easy steps on the ladder of happiness”. The email address of the sender was tqdwsaltpan@wavesboatclub.com and it was supposedly from a “Bettie K. Letbetter”: Allowing pictures to be displayed in the email shows sexually explicit content. Clicking on the link “Lecherous ...

ZIP’d WSF File Retrieves Locky Ransomware

IOCs:
82.197.131.109 – imex.atspace.com – GET /sxqtddp?VlwYKkCOYvI=axCugUhsM
213.205.40.169 – archiviestoria.it – GET /waotorf?VlwYKkCOYvI=axCugUhsM
69.195.129.70 – tlehsdy.biz – POST /data/info.php

Hashes:
SHA256: 010b6da42c0b377f4b28fbcaa1268f046eeb403a3eb79dfb395fc3c2c0daa85e – File name: xVTvTcaaG1
SHA256: 4baf40fe1c7fafd89befe4f2e2bd36aefc8a4faf395631d8bac20e09e372725b – File name: xVTvTcaaG2
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7 – File name: xVTvTcaaG2.dll

The infection starts with a user receiving malspam. The email comes from an iCloud account and contains a ...

ZIP’d WSF File Drops Locky Ransomware

IOCs:
62.42.230.17 – http://www.malicioso.net – GET /ulndads?wQPDjpgBhgm=jNgqRaGXM
62.42.230.17 – http://www.idiomestarradellas.com – GET /dhxpkuh?wQPDjpgBhgm=jNgqRaGXM
167.114.138.3 – maxshoppppsr.biz – GET /js/vf3gt4b4?wQPDjpgBhgm=jNgqRaGXM
69.195.129.70 – tlehsdy.biz – POST /data/info.php
91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php

Hashes:
SHA256: 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575 – File name: asWMWhWmB3.dll and asWMWhWmB1.dll
SHA256: 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7 – File name: asWMWhWmB2.dll

The user received the following malspam:
Summary:
From: Bertha_145@icloud.com
Subject: 39098622pdf ...

EITest Gate at 194.165.16.204 Leads to Rig EK at 195.133.201.44 and Drops CryptFile2 Ransomware

IOCs:
184.106.55.122 – deadendbbq[.]com – Compromised Website
194.165.16.204 – nohydyc.top – EITest Gate
195.133.201.44 – rty.exploredowntownwestpalmbeach.com – Rig Exploit Kit
5.39.86.86 – GET /default.jpg
5.39.86.86 – POST /z/setting.php

Hashes:
SHA256: f0a8452419edab4ad295d9488759f887a37ceeed7a4a0459b07bcf0490736c34 – File name: EITest SWF Redirect.swf
SHA256: 028df23609481aeaad07f2ab02b934191f0d90930dfee42ab5ccf845dafc44e9 – File name: EITest Gate.html
SHA256: 896ba2463377dedaa01b1d5a1634db0dc8daac4fed7804e142a7b176cf81377a – File name: RigEK Landing Page.html
SHA256: b533cff02059e37a312d59ec4e985e4d3d9578853817818e2743a52d9b2b71c6 – File name: RigEK SWF ...

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
50.97.68.34 – eddieoneverything.com – Compromised Site
138.68.18.73 – null.delayofgame.com – Afraidgate JS
5.2.73.124 – aqxsgncqro.anyoneshall.top – Neutrino EK

HTTP requests:
URL: hxxp://95.85.19.195/data/info.php TYPE: POST
URL: hxxp://188.127.249.32/data/info.php TYPE: POST
URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST
URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST

DNS requests:
dutluhnnx.info (69.195.129.70)
afgmbssj.org
vlrdkvkt.pw
jybqbxjcwowph.xyz
ggfwsvmnsunvb.work
kqudpyjbcd.biz (58.158.177.102)

TCP connections:
95.85.19.195:80
188.127.249.32:80
69.195.129.70:80
58.158.177.102:80

Hashes:
SHA256: ...

Afraidgate Leads to Neutrino EK at 5.2.73.124 and Drops Locky Ransomware

IOCs:
195.58.170.31 – skopikundlohn[.]at – Compromised Site
138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS
5.2.73.124 – kqccnxro.thatset.top – Neutrino EK
188.127.249.32 – POST /data/info.php – callback traffic
95.85.19.195 – POST /data/info.php – callback traffic

Hashes:
SHA256: 2cf21f333d42cd888e7f6020163a7af668ebafbe705475163bced6a49f1a0550 – File name: crew.nbbgradstudents.com.js
SHA256: 26feb600f68f086bad98105c114c6d8703a2feda1a58d8adb7cf21a4fd22c1b9 – File name: Neutrino EK Landing Page.htm
SHA256: 2ed2853579cfaceb90d064de061aedfee2f958d4125724a86cf5707029d5332b – File name: Neutrino EK SWF Exploit.swf
...
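The Locky entries on this page (the two ZIP'd WSF posts and both Afraidgate posts) share one trait that outlives any single indicator: the callback is always a POST to /data/info.php, while the hosts rotate between domains and raw IPs. The script below is an added example for this index page, not tooling from the post author. It takes the IOC strings exactly as the posts format them (including the hxxp:// and [.] defanging), extracts addresses and domains, and runs them over proxy log lines. The log format and the sample log lines are constructed for the demonstration; the stand-alone path rule is a generalization drawn from the posts above and will also fire on any unrelated site that happens to use that path, so treat it as a hunting lead rather than a blocking signature.

```python
"""Match the Locky callback and Afraidgate/Neutrino EK IOCs listed on this page
against proxy log lines. Added example, not the post author's tooling; the log
format and the sample log lines below are constructed for the demonstration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC strings copied from the Locky and Afraidgate posts above, in the loosely
# formatted (and partly defanged) shape the posts use.
IOC_LINES = [
    "69.195.129.70 – tlehsdy.biz – POST /data/info.php",
    "91.223.180.66 – cufrmjsomasgdciq.pw – POST /data/info.php",
    "URL: hxxp://95.85.19.195/data/info.php TYPE: POST",
    "URL: hxxp://188.127.249.32/data/info.php TYPE: POST",
    "URL: hxxp://dutluhnnx.info/data/info.php TYPE: POST",
    "URL: hxxp://kqudpyjbcd.biz/data/info.php TYPE: POST",
    "5.2.73.124 – kqccnxro.thatset.top – Neutrino EK",
    "138.68.18.73 – crew.nbbgradstudents.com – Afraidgate JS",
    "195.58.170.31 – skopikundlohn[.]at – Compromised Site",
]

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def refang(s: str) -> str:
    """Undo the defanging conventions used in the write-ups (hxxp, [.], [:])."""
    return s.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def load_iocs(lines):
    """Return (ips, domains) pulled out of loosely formatted IOC lines."""
    ips, domains = set(), set()
    for line in lines:
        for tok in refang(line).split():
            tok = tok.strip(".,;:()")
            if "://" in tok:
                tok = urlsplit(tok).hostname or ""   # full URL: keep the host only
            elif "/" in tok:
                continue                             # a URI path, not a host
            if IPV4.match(tok):
                ips.add(tok)
            elif HOSTLIKE.match(tok):
                domains.add(tok.lower())
    return ips, domains


@dataclass
class Hit:
    line: str
    reason: str


# Constructed log format: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Every Locky post on this page shows the same callback path on rotating hosts,
# so the path alone is matched as a weaker, behaviour-based indicator.
LOCKY_C2_PATH = "/data/info.php"


def scan(log_lines, ips, domains):
    """Flag log lines that touch a listed host, or that look like a Locky callback."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, url = m.group(3), m.group(4)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in ips:
            hits.append(Hit(line, f"known IOC address {host}"))
        elif any(host == d or host.endswith("." + d) for d in domains):
            hits.append(Hit(line, f"known IOC domain {host}"))
        elif method == "POST" and parts.path == LOCKY_C2_PATH:
            hits.append(Hit(line, f"Locky-style POST to {LOCKY_C2_PATH} on unlisted host {host}"))
    return hits


# Constructed sample traffic: one benign browse, a compromised-site visit, the
# Neutrino EK host, a listed-IP callback, a callback to an unlisted host, and a
# benign POST whose path differs so the behaviour rule must not fire.
SAMPLE_LOG = [
    "2016-09-02T10:01:05Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2016-09-02T10:01:09Z 10.0.0.21 GET http://skopikundlohn.at/ 200",
    "2016-09-02T10:01:11Z 10.0.0.21 GET http://kqccnxro.thatset.top/ 200",
    "2016-09-02T10:01:40Z 10.0.0.21 POST http://95.85.19.195/data/info.php 200",
    "2016-09-02T10:01:41Z 10.0.0.21 POST http://zzunknownc2.work/data/info.php 200",
    "2016-09-02T10:02:00Z 10.0.0.22 POST http://intranet.example.com/api/info.php 200",
]

if __name__ == "__main__":
    known_ips, known_domains = load_iocs(IOC_LINES)
    for hit in scan(SAMPLE_LOG, known_ips, known_domains):
        print(f"{hit.reason:<60} <- {hit.line}")
```

Run as-is it reports four of the six constructed lines: the compromised site, the Neutrino EK host, the listed callback IP, and the unlisted host that still matches the callback path. Feeding real proxy logs means only swapping LOG_RE for your proxy's format; the hash columns from the posts are not used here because a proxy log carries no file hashes, so they belong in an endpoint or sandbox lookup instead.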