Malicious Script sends Locky Ransomware and exposes 17 URL’s and new exe naming

by Analysis in Malicious Javascript

SOURCE: cash_ZEmrxanO120.js
THREAT: Locky Ransomware

ASSOCIATED DOMAIN:

  • 5.101.152.83 – nonamenofear.ru – GET /120.exe – HTTP POST INFECTION TRAFFIC
  • 192.185.215.103 – espacocognitivo.com.br – GET /120.exe – Locky DOWNLOAD
  • 5.144.130.40 – altonblog.ir – GET /120.exe – Locky DOWNLOAD
  • 46.28.68.46 – sto.aac-kharkov.com – GET /120.exe – Locky DOWNLOAD
  • 51.254.93.2 – pinpad.fr – GET /120.exe – Locky DOWNLOAD
  • 75.126.171.192 – extensions.ecomitize.com – GET /120.exe – Locky DOWNLOAD
  • 37.58.127.155 – digitalnomadblogger.com – GET /120.exe – Locky DOWNLOAD
  • 206.188.192.96 – 03574cd.netsolhost.com – GET /120.exe – Locky DOWNLOAD
  • 162.249.6.22 – danischoice.com – GET /120.exe – Locky DOWNLOAD
  • 162.210.102.89 – kehfco.com – GET /120.exe – Locky DOWNLOAD
  • 178.210.171.15 – gumusevi.com.tr – GET /120.exe – Locky DOWNLOAD
  • 176.114.0.200 – mysite.dp.ua – GET /120.exe – Locky DOWNLOAD
  • 103.6.198.228 – eshop.myuniformgallery.com.my – GET /120.exe – Locky DOWNLOAD
  • 75.126.217.39 – livwell.devserver.co.in – GET /120.exe – Locky DOWNLOAD
  • 87.98.183.207 – cablage-reseau-itescom.com – GET /120.exe – Locky DOWNLOAD
  • 65.110.76.229 – topmerits.com – GET /120.exe – Locky DOWNLOAD
  • 217.160.230.9 – bienestarazul.org – GET /120.exe – Locky DOWNLOAD

POST INFECTION URLS:

  • 193.124.185.87 – POST /userinfo.phpLocky C2
  • 185.86.78.3 – POST /userinfo.phpLocky C2

 

IMAGES and DETAILS:

Shown above: Locky ransomware downloads with new executable name “120.exe

 

Shown above: Locky ransomware post infection traffic with signature URI pattern “userinfo.php

 

Shown above: Locky downloads using numerous “Content Type” downloads

 

Shown above: Locky ransom note and decrypt instructions

 

Shown above: Locky file details

 

MALICIOUS PAYLOAD:

2016-05-07-120.exe
Virus Total Link