Tag: Ransomware

Malspam Contains Password Protected Document That Downloads Sigma Ransomware

Follow me on Twitter I received some malspam on 03/13/18 entitled “About a internship.” The email came with an attachment called “Janeen Resume.doc”: The email is pretending to come from somebody interested in a job opening and they have attached their “résumé.” In reality, this document is being used as a downloader for Sigma ransomware. ...

“IMG_” Malspam Delivers Locky Ransomware. Appending The “.Lukitus” Extension.

I received this malspam sample on Tuesday (8/29/17) from a friend, so it’s already a couple days old. The subject line of the email starts with “IMG_” and ends with four numbers. As you can see from the image below, it doesn’t contain anything in the body. This is very similar to other ransomware distribution campaigns ...

“IMG_” Malspam Delivers GlobeImposter Ransomware

I received this malspam sample on Saturday from a friend, so it’s already a couple days old. While this is ancient in malspam years I felt like writing up something since I haven’t done a malspam post in quite some time. The subject line of the malspam samples that I received all started with “IMG_” ...

RIG Exploit Kit at 185.154.53.7 Drops Pony, Downloads Philadelphia Ransomware.

IOCs HTTP Traffic: 160.153.131.96 – serene.rushpcb.co.uk – GET /usde.php 185.154.53.7 – add.venicebeachsurflodge.com – RIG exploit kit VirusTotal report showing URLs resolving to that IP 89.45.67.99 – POST /ppp/gate.php – Pony callback traffic 86.106.93.17 – GET /degate/de.exe – Philadelphia ransomware 86.106.93.17 – GET /de/de.php? – Philadelphia ransomware callback traffic Hashes: SHA256: 19f765ddf0242a6676e9eb2fb28f8095211ab1edad15025c3532f662de3aa954 File name: serene.rushpcb.co.ukusde.php.txt SHA256: ...

EITest Campaign Leads to RIG EK at 188.225.39.227. EK Drops Matrix Ransomware v3.

IOCs Network Activity: 104.27.184.144 – teknonisme.com – Compromised WordPress site 188.225.39.227 – fix.russianpropoganda.com – RIG exploit kit 195.248.235.240 – stat6.s76.r53.com.ua – GET / addrecord.php? and POST /uploadextlist.php – C2 traffic 148.251.13.83 – stat6.s76.r53.com.ua – GET / addrecord.php? – C2 traffic Additional answers from the DNS query: 195.248.235.241 – stat6.s76.r53.com.ua – C2 traffic 31.41.216.90 – stat6.s76.r53.com.ua – C2 ...

RIG EK at 5.200.52.238 Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain: You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad ...

SAGE 2.2 Ransomware from Good Man Gate

IOCs: 86.106.93.230 – datsonsdaughter.com – Good Man gate 109.234.37.212 – see.letsown.com – RIG EK 34.207.223.86 – mbfce24rgn65bx3g.2kzm0f.com – POST requests to C2 34.207.223.86 – 7gie6ffnkrjykggd.2kzm0f.com – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.6t4u2p.net – SAGE Decryption site 34.207.223.86 – 7gie6ffnkrjykggd.jpo2z1.net – SAGE Decryption site Tor Browser – 7gie6ffnkrjykggd.onion/login/[personal key] Traffic: Hashes: SHA256: d5ee007a06cc4b8c0100ed4950a4350c0e8e4ad17fe5417de2c2231f48a6021f File name: RIG EK Flash Exploit.swf SHA256: ...