Wednesday 11 May 2016

2016-05-12 Locky

Attachments:
Photo 05-12-2016, 56 65 32.zip (md5: 16d828986e5bb9b454d225ce95de5e49)
Photo 05-12-2016, 06 12 35.js (md5: d97fc6f8cc7ce4943f5dd33b50e1bd6f)
Photo 05-12-2016, 35 06 37.zip (md5: 8aace677570b5140c9789a70407892ff)
Photo 05-12-2016, 35 06 37.js (md5: 46fd748dbbd80059b9e60e735cfe29f1)
Photo 05-12-2016, 10 11 47.zip (md5: 0813eef8fe2d1043585ee1da261c62c3)
Photo 05-12-2016, 10 11 47.js (md5: 432e401b205f29dcc1c787a1574c08e1)

Payload:
md5: b6ab1e3d440f8975d5eaef1505f60345
hxxp://canadamalpractice[.]com/8977g78bi (dropped-as: "%TEMP%\lTsrBCmoGiQ.exe")
hxxp://leoskov[.]dk/8977g78bi (dropped-as: "%TEMP%\nrgyOX.exe")
hxxp://mosaicmutts[.]com/8977g78bi (dropped-as: "%TEMP%\yKUYtVS.exe")

Extended List of Payload URLs (ref: https://myonlinesecurity.co.uk/spam-malware-emailing-photo-05-11-2016-82-95-82-delivers-locky/)

Other Network Activity:
http-post
hxxp://185.82.202[.]170/userinfo.php
hxxp://5.34.183[.]40/userinfo.php

References:
https://myonlinesecurity.co.uk/spam-malware-emailing-photo-05-11-2016-82-95-82-delivers-locky/
https://www.virustotal.com/en/file/49396fee2162109ef10866c8927359b5847dc47d4f70fdc5bf1f4d6caf8e58e5/analysis/
https://www.virustotal.com/en/file/5b9d5034db65fbdf3bcf3c49e4acf17df18f50a70344bae75a3d142d12c1f3f5/analysis/
https://www.virustotal.com/en/file/6af7c33385ba10e2452a51f13e9229ddfbb680a1656982705c0dc8b6c30afbcb/analysis/
https://www.virustotal.com/en/file/9d019fa03ecea2ea9b9569a35b90933b551e00087730e2100cb91ddb051a515c/analysis/

Hello Locky: