Tag: Locky

“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...

Afraidgate at 178.62.242.179 Leads to RIG-v EK at 92.53.120.233, Godzilla Loader Grabs Locky (.osiris)

IOCs: 138.128.171.35 – northcoastmed.com – Compromised website 178.62.242.179 – dropname.syncroweb.com – Afraidgate subdomain 92.53.120.233 – red.telco.news – RIG-v EK 200.7.102.105 – lingvitopr.com – Godzilla loader GET for Locky 188.127.239.53 – Locky post-infection traffic – POST /checkupdate Traffic: Hashes: SHA256: 443b3bb140553acc8c861ddc2a0275936a5a26489030b424703775d2f3242ae8 File name: northcoastmed.com.html SHA256: cebd2b86b7830c3b11414581de5068d6d152873731a4a1f3fa7270d21a7a3fb2 File name: dropname.syncroweb.com Afraidgate.js SHA256: eb8fb3f87093c0a9e24047cee0f472373d3d78212ced708d235825b31a70df4b File name: RIG-v Pre-Landing ...

&

“Scanned copy” Malspam Drops Locky Ransomware (.osiris) (/checkupdate)

IOCs: 211.149.241.201 – phpwind.0592yt[.]com/result – Download location 115.29.247.219 – 902f[.]com/result- Download location 176.114.0.20 – shema.org[.]ua/result – Download location 162.144.211.154 – directprotectsolutions.co[.]uk/result – Download location 202.133.118.222 – aqua-inter[.]com/result – Download location 194.28.49.140 – cdsp[.]pl/result – Download location 216.110.144.152 – hanavanpools[.]com/result – Download location 209.126.99.6 – aguamineralsantacruz.com[.]br/result – Download location 193.201.225.124 – POST /checkupdate – Locky C2 ...

&

“Bill for Papers” Drops Locky (.Osiris) (/checkupdate)

IOCs: 162.144.116.161 – aghadiinfotechforclient.com/jht76gh – Download location found in script 222.124.206.41 – simperizinan.sragenkab.go.id/jht76gh – Download location found in script 199.101.51.76 – livingfreehomeramps.com/jht76gh – Download location found in script 107.180.1.210 – adenadataediting.com/jht76gh – Download location found in script 176.121.14.95 – POST /checkupdate – C2 IP Traffic: Hashes: SHA256: d2984c1181749bc2bd0d2ad56c6d5865d38dee3c29276cb41297f4b20543a544 File name: 765-HIGV0613.wsf Hybrid-Analysis Submission SHA256: 40db24cd899efd4381dbe76eb82a10b29a7b5acff901da9ce9a1b3284d3830be ...

&

“Payment Receipt” Drops Locky (.osiris)

IOCs: 62.75.162.77 – test.grafixx.org – GET /098tb?oAzjRAPD=HlElhIQVI Additional Download Locations (contained in obfuscated JS downloader): u-niwon.com/098tb – 218.232.104.232 chanet.jp/098tb – 210.196.232.211 valuationssa.com.au/098tb – 104.27.149.238 More compromised sites being used as download locations (posted by Techhelplist): aetech-solutions.com/098tb – 37.59.51.53 bigtrust.co.kr/098tb – 211.40.221.90 braindouble.com/098tb – 207.45.186.214 haibeiwuliu.com/098tb – 122.114.99.100 laferwear.com/098tb – 97.74.215.147 malamut.org/098tb – 212.85.104.64 markettv.ro/098tb – ...

&

“Card Receipt” Leads to Locky (.osiris)

IOCs: 116.255.193.108 – yulexiuba.com – GET /1324w?oohNgc=hswXFnBHeja – Distribution Site Additional Distribution Sites: wiktorek140.cba.pl (95.211.144.65) yourwebstek.nl (185.87.184.130) xxmaoyi.com (120.25.161.125) eroicgrvh38j3f3.com (94.231.77.230) 91.142.90.46 – POST /checkupdate Traffic: Hashes: SHA256: 3fa9335000e47b944dca40defb9107fd2624e73e6ce3efd2de1408afcda9cdea File name: img(194).jse Hybrid-Analysis Link (JS Nemucod) SHA256: 9dde9d37349bf3b28c2e36f514d98b7ce27c580fa8dcf747d0d77bc9480333f6 File name: msTTSUO1 SHA256: 053e51da8f8e2c53f7e11ea305fa8a09554c24a67ef0b4ec0db3eec993ae59a1 File name: msTTSUO1.dll Hybrid-Analysis Link Email: The attached file is a ZIP ...

M

Malspam Leads to Locky (.zzzzz)

IOCs: 185.25.149.13 – xn--pasaer-spb.pl – Distribution Site 139.224.165.195 – temail.com – Distribution Site DNS queries: bqukfjfv.org (69.195.129.70) abwwngsovislmi.info sqoygkkolb.biz vbtjntlcl.info akhsipwfesvxmer.xyz iwswtkibjbsrqj.ru eltbqgwtjmqvf.su hmthqpva.su hxbvgunernmw.pw vqpiuffvpgdop.pw qrdobtle.pw udfkorp.xyz wibcjkwrk.ru szwanrong.com (119.29.99.214) amnclgo.click ktlgpiilbj.biz hhmunlxtxjpv.xyz egxjtbh.work nrkvwucxxqgbi.org qijftdcnky.click Traffic: Hashes: SHA256: ee530b2234501b4d24adfc2505ae940082750fb32d6ed8a4c43cb8342d8b92a7 File name: 201612031056373427451410.vbs Hybrid-Analysis Link SHA256: 6a186b353bbd729a2cbaa42b0c78ee67cfe69d3b1e56e1a10f1d33afc5ac473e File name: uQzqIRdHQ.34 SHA256: 17f455cc3d24b2333ef999b8ae61040fc459f6ad5798f33abbbbb5407a8174bf File name: ...