Tag: Locky

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs:
138.128.171.35 – northcoastmed.com – Compromised website
178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain
92.53.120.233 – red.telco.news – RIG-v EK
200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky
188.127.239.53 – Locky post-infection traffic – POST /checkupdate
Traffic:
Hashes:
SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8
File name: northcoastmed.com.html
SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2
File name: dropname.syncroweb.com Afraidgate.js
SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b
File name: RIG-v Pre-Landing ...

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs:
211.149.241.201 – phpwind.0592yt[.]com/result – Download location
115.29.247.219 – 902f[.]com/result – Download location
176.114.0.20 – shema.org[.]ua/result – Download location
162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location
202.133.118.222 – aqua-inter[.]com/result – Download location
194.28.49.140 – cdsp[.]pl/result – Download location
216.110.144.152 – hanavanpools[.]com/result – Download location
209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location
193.201.225.124 – POST /checkupdate – Locky C2 ...

“Bill for Papers” Drops Locky (.Osiris) (/checkupdate)

IOCs:
162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script
222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script
199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script
107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script
176.121.14.95 – POST /checkupdate – C2 IP
Traffic:
Hashes:
SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544
File name: 765-HIGV0613.wsf
Hybrid-Analysis Submission
SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be ...

“Payment Receipt” Drops Locky (.osiris)

IOCs:
62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI
Additional Download Locations (contained in obfuscated JS downloader):
u-niwon.com/098tb – 218.232.104.232
chanet.jp/098tb – 210.196.232.211
valuationssa.com.au/098tb – 104.27.149.238
More compromised sites being used as download locations (posted by Techhelplist):
aetech-solutions.com/098tb – 37.59.51.53
bigtrust.co.kr/098tb – 211.40.221.90
braindouble.com/098tb – 207.45.186.214
haibeiwuliu.com/098tb – 122.114.99.100
laferwear.com/098tb – 97.74.215.147
malamut.org/098tb – 212.85.104.64
markettv.ro/098tb – ...

“Card Receipt” Leads to Locky (.osiris)

IOCs:
116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site
Additional Distribution Sites:
wiktorek140.cba.pl (95.211.144.65)
yourwebstek.nl (185.87.184.130)
xxmaoyi.com (120.25.161.125)
eroicgrvh38j3f3.com (94.231.77.230)
91.142.90.46 – POST /checkupdate
Traffic:
Hashes:
SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea
File name: img(194).jse
Hybrid-Analysis Link (JS Nemucod)
SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6
File name: msTTSUO1
SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1
File name: msTTSUO1.dll
Hybrid-Analysis Link
Email: The attached file is a ZIP ...

Malspam Leads to Locky (.zzzzz)

IOCs:
185.25.149.13 – xn--pasaer-spb.pl – Distribution Site
139.224.165.195 – temail.com – Distribution Site
DNS queries: bqukfjfv.org (69.195.129.70) abwwngsovislmi.info sqoygkkolb.biz vbtjntlcl.info akhsipwfesvxmer.xyz iwswtkibjbsrqj.ru eltbqgwtjmqvf.su hmthqpva.su hxbvgunernmw.pw vqpiuffvpgdop.pw qrdobtle.pw udfkorp.xyz wibcjkwrk.ru szwanrong.com (119.29.99.214) amnclgo.click ktlgpiilbj.biz hhmunlxtxjpv.xyz egxjtbh.work nrkvwucxxqgbi.org qijftdcnky.click
Traffic:
Hashes:
SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7
File name: 201612031056373427451410.vbs
Hybrid-Analysis Link
SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e
File name: uQzqIRdHQ.34
SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf
File name: ...

Malspam Contains WSF, Downloads Locky (.thor) (/linuxsucks.php)

IOCs:
93.185.104.25 – bestline.cz – GET /76vvyt?cFqotowK=rUUwhHw
37.153.89.141 – carmenortigosa.com – GET /76vvyt?cFqotowK=rUUwhHw
108.163.209.27 – decactus.cl – GET /76vvyt?cFqotowK=rUUwhHw
194.1.239.152 – POST /linuxsucks.php
51.255.107.20 – POST /linuxsucks.php
194.28.87.26 – POST /linuxsucks.php
Traffic:
DNS Requests (Domain – IP Address – Country):
iyemdymjdev.pl
qcatgljdsgfvcqq.pw
pllyggakgcuto.org
moyihqyicfciqf.ru
mygyylys.biz
uxwamyckkeyfndcrg.xyz
odysdabvtgvjqguls.pw
bestline.cz – 93.185.104.25 – Czech Republic
decactus.cl – 108.163.209.27 – United States
hrogqamrchfj.info
qsrxtej.info ...

“Urgent Payment Request” Malspam Leads to Locky (.thor) (/message.php)

IOCs:
185.17.41.83 – dx-team.org – GET /jhb6576?GChuOAtzYEq=GVUYNDbBRRE
69.195.129.70 – disvfthejnadoufh.biz – POST /message.php
176.103.56.119 – POST /message.php
109.234.35.230 – POST /message.php
Traffic:
DNS Requests (Domain – IP Address – Country):
xbgokbdvilnrlw.info
cwvmkawujq.su
ukyrrqcxd.su
jkvhihqdaaoyd.org
ihdteyhyewuaid.click
bjbsbpmhlpwaxf.pl
torproject.org – 82.195.75.101 – Germany
ojxbkeexoqrbirtq.org
bqpkcrxsx.su
dx-team.org – 185.17.41.83 – Poland
mwddgguaa5rj7b54.onion.to – 185.100.85.150 – Romania
kcnwtdns.pw
jyvityqhfggxicasf.pw
mwddgguaa5rj7b54.tor2web.org – 38.229.70.4 – United States
Hashes:
SHA256: 9fd3e2fc50b2b44d174cb37964016ea0a12c2c8657a32ae6039c4fdc851e9be0
File ...

Malspam Leads to Locky (.shit) (/linuxsucks.php)

IOCs:
192.186.241.104 – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
108.168.206.100 – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
208.100.26.234 – gtlbihmxh.pw – POST /linuxsucks.php
Additional Distribution Domains from Hybrid-Analysis Report:
sowkinah.com – 62.84.69.75
bagnet.ir – 176.9.129.91
nanrangy.net – 120.117.3.119
Traffic:
IDS Alerts:
Hashes:
SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e
File name: Receipt 17577-140426.wsf
Hybrid-Analysis Report
SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79
File name: AvURdJbXv2.dll
Infection Chain: ...

JScript Downloads Locky Ransomware

IOCs:
166.62.27.144 – kothagudemtv.com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
216.87.185.25 – paintingoregon[.]com – GET /g38f3fg?QWXPpShGH=jFGcsuhLD
51.254.108.40 – Locky callback traffic – POST /data/info.php
Traffic:
Hashes:
SHA256: 839f8914a9e951e8ccf32ab284675fc7e1099914457356d7cb0a606962f501f6
File name: DuINsSc1
SHA256: bb39ae9ae9e383ff8154fb7475842dbf40d4f35e37af9144560a4904203c7b75
File name: DuINsSc2
SHA256: 899818264bc620c39932db8945fd98ff98e1cd6fff761d5424bd9860e62a5859
File name: DuINsSc2.dll
Infection Chain: This is a pretty standard infection chain for Locky right now. The malspam was ...