Malicious Script sends Locky Ransomware and exposes 17 URL’s and new exe naming

SOURCE: cash_ZEmrxanO120.js
THREAT: Locky Ransomware

ASSOCIATED DOMAIN:

• 5.101.152.83 – nonamenofear.ru – GET /120.exe – HTTP POST INFECTION TRAFFIC
• 192.185.215.103 – espacocognitivo.com.br – GET /120.exe – Locky DOWNLOAD
• 5.144.130.40 – altonblog.ir – GET /120.exe – Locky DOWNLOAD
• 46.28.68.46 – sto.aac-kharkov.com – GET /120.exe – Locky DOWNLOAD
• 51.254.93.2 – pinpad.fr – GET /120.exe – Locky DOWNLOAD
• 75.126.171.192 – extensions.ecomitize.com – GET /120.exe – Locky DOWNLOAD
• 37.58.127.155 – digitalnomadblogger.com – GET /120.exe – Locky DOWNLOAD
• 206.188.192.96 – 03574cd.netsolhost.com – GET /120.exe – Locky DOWNLOAD
• 162.249.6.22 – danischoice.com – GET /120.exe – Locky DOWNLOAD
• 162.210.102.89 – kehfco.com – GET /120.exe – Locky DOWNLOAD
• 178.210.171.15 – gumusevi.com.tr – GET /120.exe – Locky DOWNLOAD
• 176.114.0.200 – mysite.dp.ua – GET /120.exe – Locky DOWNLOAD
• 103.6.198.228 – eshop.myuniformgallery.com.my – GET /120.exe – Locky DOWNLOAD
• 75.126.217.39 – livwell.devserver.co.in – GET /120.exe – Locky DOWNLOAD
• 87.98.183.207 – cablage-reseau-itescom.com – GET /120.exe – Locky DOWNLOAD
• 65.110.76.229 – topmerits.com – GET /120.exe – Locky DOWNLOAD
• 217.160.230.9 – bienestarazul.org – GET /120.exe – Locky DOWNLOAD

POST INFECTION URLS:

• 193.124.185.87 – POST /userinfo.php – Locky C2
• 185.86.78.3 – POST /userinfo.php – Locky C2

IMAGES and DETAILS:

Shown above: Locky ransomware downloads with new executable name “120.exe”

Shown above: Locky ransomware post infection traffic with signature URI pattern “userinfo.php”

Shown above: Locky downloads using numerous “Content Type” downloads

Shown above: Locky ransom note and decrypt instructions

Shown above: Locky file details

MALICIOUS PAYLOAD:

2016-05-07-120.exe
Virus Total Link