Malicious script delivers Locky ransomware and exposes 17 download URLs and a new executable name
SOURCE: cash_ZEmrxanO120.js
THREAT: Locky Ransomware
ASSOCIATED DOMAINS:
- 5.101.152.83 – nonamenofear.ru – GET /120.exe – HTTP POST INFECTION TRAFFIC
- 192.185.215.103 – espacocognitivo.com.br – GET /120.exe – Locky DOWNLOAD
- 5.144.130.40 – altonblog.ir – GET /120.exe – Locky DOWNLOAD
- 46.28.68.46 – sto.aac-kharkov.com – GET /120.exe – Locky DOWNLOAD
- 51.254.93.2 – pinpad.fr – GET /120.exe – Locky DOWNLOAD
- 75.126.171.192 – extensions.ecomitize.com – GET /120.exe – Locky DOWNLOAD
- 37.58.127.155 – digitalnomadblogger.com – GET /120.exe – Locky DOWNLOAD
- 206.188.192.96 – 03574cd.netsolhost.com – GET /120.exe – Locky DOWNLOAD
- 162.249.6.22 – danischoice.com – GET /120.exe – Locky DOWNLOAD
- 162.210.102.89 – kehfco.com – GET /120.exe – Locky DOWNLOAD
- 178.210.171.15 – gumusevi.com.tr – GET /120.exe – Locky DOWNLOAD
- 176.114.0.200 – mysite.dp.ua – GET /120.exe – Locky DOWNLOAD
- 103.6.198.228 – eshop.myuniformgallery.com.my – GET /120.exe – Locky DOWNLOAD
- 75.126.217.39 – livwell.devserver.co.in – GET /120.exe – Locky DOWNLOAD
- 87.98.183.207 – cablage-reseau-itescom.com – GET /120.exe – Locky DOWNLOAD
- 65.110.76.229 – topmerits.com – GET /120.exe – Locky DOWNLOAD
- 217.160.230.9 – bienestarazul.org – GET /120.exe – Locky DOWNLOAD
POST-INFECTION URLs:
- 193.124.185.87 – POST /userinfo.php – Locky C2
- 185.86.78.3 – POST /userinfo.php – Locky C2
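The two indicator lists above are most useful when turned into a check that runs over proxy or web logs. The following is an added example (not part of the original post): it loads the download hosts, the two C2 IPs, the "/120.exe" download path and the "/userinfo.php" check-in URI, then scans log lines in a constructed Squid-like format (`<epoch> <client_ip> <METHOD> <url> <status>`). The log format and the sample lines are assumptions for the demonstration; adapt `parse`/`LINE_RE` to your proxy. Because download hosts rotate between campaigns, the filename and URI pattern are matched on any host, and a hit is tagged with whether the host is one listed on this page.

```python
"""Scan web-proxy log lines for the Locky download and C2 indicators on this page.

Added example; log format is constructed (Squid-like), not taken from the post.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the ASSOCIATED DOMAINS and POST-INFECTION URLs lists above.
DOWNLOAD_HOSTS = {
    "nonamenofear.ru", "espacocognitivo.com.br", "altonblog.ir",
    "sto.aac-kharkov.com", "pinpad.fr", "extensions.ecomitize.com",
    "digitalnomadblogger.com", "03574cd.netsolhost.com", "danischoice.com",
    "kehfco.com", "gumusevi.com.tr", "mysite.dp.ua",
    "eshop.myuniformgallery.com.my", "livwell.devserver.co.in",
    "cablage-reseau-itescom.com", "topmerits.com", "bienestarazul.org",
}
C2_IPS = {"193.124.185.87", "185.86.78.3"}
DOWNLOAD_PATH = "/120.exe"     # the new executable name reported above
C2_PATH = "/userinfo.php"      # Locky check-in URI pattern reported above


@dataclass
class Alert:
    client: str
    kind: str     # "locky-download" or "locky-c2"
    detail: str


# Constructed log format: "<epoch> <client_ip> <METHOD> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})"
)


def classify(method, url):
    """Return (kind, detail) if the request matches a Locky indicator, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if method == "GET" and parts.path == DOWNLOAD_PATH:
        tag = "listed host" if host in DOWNLOAD_HOSTS else "unlisted host, same filename"
        return "locky-download", f"GET {DOWNLOAD_PATH} from {host} ({tag})"
    if method == "POST" and parts.path == C2_PATH:
        tag = "known C2" if host in C2_IPS else "unlisted host, same URI pattern"
        return "locky-c2", f"POST {C2_PATH} to {host} ({tag})"
    return None


def scan(lines):
    """Run classify() over log lines; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = classify(m["method"], m["url"])
        if hit:
            alerts.append(Alert(m["client"], hit[0], hit[1]))
    return alerts


# Constructed sample log; a 404 on the download is still an attempt worth flagging.
SAMPLE_LOG = """\
1462611000.123 10.0.0.21 GET http://espacocognitivo.com.br/120.exe 200
1462611001.456 10.0.0.21 GET http://www.example.com/index.html 200
1462611005.789 10.0.0.21 POST http://193.124.185.87/userinfo.php 200
1462611009.012 10.0.0.33 POST http://203.0.113.5/userinfo.php 200
1462611010.345 10.0.0.33 GET http://topmerits.com/120.exe 404
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.client}: {a.kind} ({a.detail})")
```

Matching on the URI pattern rather than only on the listed hosts is deliberate: the 17 download hosts are compromised sites that change from run to run, while "/userinfo.php" and the executable name are what this campaign kept constant. Tune out any legitimate internal application that uses the same path before deploying the rule.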
IMAGES and DETAILS:
[Image] Locky ransomware downloads with the new executable name "120.exe"
[Image] Locky post-infection traffic with the signature URI pattern "userinfo.php"
[Image] Locky downloads served with a variety of Content-Type headers
[Image] Locky ransom note and decryption instructions
[Image] Locky file details
MALICIOUS PAYLOAD:
2016-05-07-120.exe
VirusTotal link