Malware-Traffic-Analysis.net - 2016-12-16 - "Osiris" variant Locky malspam with Word documents containing malicoius macros

2016-12-16 - "OSIRIS" VARIANT LOCKY MALSPAM WITH WORD DOCUMENTS CONTAINING MALICIOUS MACROS

ASSOCIATED FILES:

ZIP archive of the spreadsheet: 2016-12-16-Locky-malspam-info.csv.zip 3 kB (3031 bytes)
ZIP archive of the sample pcap: 2016-12-16-Locky-malspam-traffic-example.pcap.zip 227 kB (236,803 bytes)
ZIP archive of the emails: 2016-12-16-Locky-malspam-emails.zip 665 kB (665,407 bytes)
ZIP archive of the attachments: 2016-12-16-Locky-malspam-attachments.zip 625 kB (624,733 bytes)
ZIP archive of artifacts from an infected host: 2016-12-16-Locky-malspam-artifacts-from-infected-host.zip 214 kB (213,585 bytes)

NOTES:

The entry point for today's Locky DLL is sample input in case anyone wants to run it with rundll32.exe in a controlled environment.

Shown above: Chain of events for an infection from this malspam.

THE EMAILS

IP ADDRESSES OF BOTNET HOSTS SENDING THE MALSPAM:

1.54.122.63 : Vietnam - FPT Telecom Company
5.220.181.87 : Iran - Telecommunication company of West Azarbaijan
39.35.229.182 : Pakistan - Pakistan Telecommuication Company Limited
42.118.78.249 : Vietnam - FPT Telecom Company
46.143.248.48 : Iran - Ferdowsi University of Mashhad
79.149.50.118 : Spain - 118.red-79-149-50.dynamicip.rima-tde.net
93.46.181.26 : Italy - 93-46-181-26.ip108.fastwebnet.it
95.0.137.236 : Turkey - 95.0.137.236.dynamic.ttnet.com.tr
103.255.4.6 : Pakistan - For Karachi IGW (CMPak Limited)
103.255.5.249 : Pakistan - For Karachi IGW (CMPak Limited)
112.215.172.111 : Indonesia - PT Excelcomindo Pratama
117.239.31.186 : India - static.ill.117.239.31.186/24.bsnl.in
118.107.133.88 : Pakistan - SCO Dialup and ADSL, ADSL2+ Network (SNET)
120.188.66.120 : Indonesia - PT Indosat
131.0.192.165 : Brazil - 65-192-0-131.clicknetguarai.com.br
175.100.49.229 : Cambodia - Viettel (cambodia) PTE., LTD.
177.23.89.197 : Brazil - Bruno Nascimento Santos Moreira
179.219.186.91 : Brazil - b3dbba5b.virtua.com.br
189.216.199.54 : Mexico - Cablevision S.A. De C.V.
191.179.102.105 : Brazil - bfb36669.virtua.com.br

SUBJECT LINES:

Bill-3046
Bill-5050
Bill-5439
Bill-0600
Bill-6211
Bill-6453
Bill-7855
Bill-06153
Bill-21335
Bill-110199
Bill-213563
Bill-583903
Bill-722121
Bill-899082
Bill-0363222
Bill-0496867
Bill-2206097
Bill-2586897
Bill-8183509
Bill-9302668

SPOOFED SENDING ADDRESSES:

blair farquharson <blair.farquharson@[recipient's email domain]>
brain deacon <brain.deacon@[recipient's email domain]>
dena webber <dena.webber@[recipient's email domain]>
donald armitage <donald.armitage@[recipient's email domain]>
erin morse <erin.morse@[recipient's email domain]>
giovanni hepworth <giovanni.hepworth@[recipient's email domain]>
katy bridges <katy.bridges@[recipient's email domain]>
kay greenhill <kay.greenhill@[recipient's email domain]>
lesa shaddock <lesa.shaddock@[recipient's email domain]>
marquita drynan <marquita.drynan@[recipient's email domain]>
mattie wilde <mattie.wilde@[recipient's email domain]>
pedro mba <pedro.mba@[recipient's email domain]>
quentin handsacre <quentin.handsacre@[recipient's email domain]>
robbie cardow <robbie.cardow@[recipient's email domain]>
rosalind stockill <rosalind.stockill@[recipient's email domain]>
sandy innes <sandy.innes@[recipient's email domain]>
summer ketcham <summer.ketcham@[recipient's email domain]>
susanna lafferty <susanna.lafferty@[recipient's email domain]>
valeria hendrickson <valeria.hendrickson@[recipient's email domain]>
vicente yare <vicente.yare@[recipient's email domain]>

RECIPIENT:

resort@doggiespalace.com

NOTE: This was the recipient in the To: line for all the malspam. The actual recipients were likely BCC-ed.

Shown above: Data from 20 Locky malspam examples (part 1 of 2).

Shown above: Data from 20 Locky malspam examples (part 2 of 2).

Shown above: An example of these emails.

Shown above: An example of these attachments--Word documents with malicious marcos.

TRAFFIC

Shown above: An example of infection traffic by the Word macro from one of the emails.

TRAFFIC GENERATED BY THE WORD DOCUMENT MACROS RETRIEVING THE LOCKY BINARY:

5.135.219.3 - gallery.mohammadtarighi.ir - GET /hjg766
50.62.116.1 - mgascca.com - GET /hjg766
65.39.193.50 - theexcelconsultant.com - GET /hjg766
69.161.143.24 - fiddlefire.net - GET /hjg766
103.9.170.249 - pcflame.com.au - GET /hjg766
107.180.54.172 - dicksmacker.com - GET /hjg766
112.140.42.29 - kurou.bokunenjin.com - GET /hjg766
184.168.207.1 - nortra-cables.com - GET /hjg766
190.105.238.43 - www.servipisos.com.ar - GET /hjg766
198.105.221.209 - amaniinitiative.org - GET /hjg766
199.116.78.152 - mbdvacations.com - GET /hjg766
216.114.192.21 - masonlodgestpeter.org - GET /hjg766

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

37.235.50.29 port 80 - 37.235.50.29 - POST /checkupdate
176.121.14.95 port 80 - 176.121.14.95 - POST /checkupdate

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

g46mbrrzpfszonuk.onion

FILE HASHES

LOCKY DLL FILE:

SHA256 hash: 5ec1798e890792c5f8e63fe255561d7cd173bedc1abc41faa2a7be11bb2bd947 (282,624 bytes)
File name: C:\Users\[username]\AppData\Local\Temp\loppsa2.aww
DLL entry point: input

WORD DOCUMENT ATTACHMENTS FROM THE MALSPAM (SHA256 HASH - FILE NAME):

02f01ae140e7e659aec7825012bb4739157d0a02c967035601155031db23c1c3 - f9c4e450b9c1bee67fd44e1b9bb585a4.doc
02f01ae140e7e659aec7825012bb4739157d0a02c967035601155031db23c1c3 - 0485f268b5f82c418e20e8d923f5838e.doc
22135e6e8ed919cd652d90c0b23f365d851bea05146774194c04f6177f41dc77 - df01d9c96dff19ac268daad84acaf7fb.doc
22135e6e8ed919cd652d90c0b23f365d851bea05146774194c04f6177f41dc77 - 86c0641067a540a7d521ea9c0cc75885.doc
42f2b6c8fd27400f45d44366e8acfd24b9f13cbcd4eb45a85b319deed55c320e - 13760d185cfd901853627ef53cffbd15.doc
42f2b6c8fd27400f45d44366e8acfd24b9f13cbcd4eb45a85b319deed55c320e - ab57bf9030a5b9bd35f4aab025368e10.doc
4cd922f1a3071cf93c75604fa4a866922b73c4eb7f495d9cbf8bf4af5d55dced - b333d7a351efd50546061aa5d932c37c.doc
78c5af40d37789eacb4bdcc100a2ed16ab33b8762ab51796338c32c416eadab9 - b894dc176d9cc43117efbe1d3df581ca.doc
8032edec46d7c4188e9c7f8f57bbbd0552f00a95943d96278d842a3a527fac64 - 9c8e9408bd970b5e68615069dc2b9c6d.doc
8032edec46d7c4188e9c7f8f57bbbd0552f00a95943d96278d842a3a527fac64 - 1a45dcd5a435e6407a6aeaf08be6a9ff.doc
94e042d3b39b7332152647849ab1b291d25782abf56369e5fc12dc0315a91e6d - 79cb6b24f8f76263592604c6f73d8d20.doc
94e042d3b39b7332152647849ab1b291d25782abf56369e5fc12dc0315a91e6d - 504f19e5b86fe2c41babf5aac90ee0da.doc
9e5c8d9112889e681a40384aab3f45964b53fe168a6a178ae0abae4adf70d708 - f7ef4190f3d968599588c4fa905c998d.doc
b9e985e06eaec1a747872a050622faab6c2e8a05b48d27aafaf8162421a8828a - a10a6465eee3d71f69c2da6152f81361.doc
ca846a081466facaa10e746f083028a45527335d7176c5238d5562f76664745f - 43ec79e9ec7c8b5c6690e409d6601edc.doc
d48aced8ba2beddb014c70f8405a8c4256f8709efbfa90390cd7cd1b36562d17 - 8883607edfb4fb1dd908d2f6796c9562.doc
e68e263b2cb2179f68db06744627777aec11f0a9569fc66bd7e539dcef8532cd - 7e8a2daecf4ed9c549f372e0b7ecfbb4.doc
ef26bbbabaff4a92b0293e6b2857d362d66941e76ec1053db6143cb019058095 - 45c292c9b4922cf46718b70ec505bd83.doc
fdb6f561e8f49d074904ddaee6900a88d1bf493fa2d1a8c1db1dfe4c8e82786b - de5719a94fc4a6fcef0dfa1c548541ed.doc
ff6ec87b2e66ae25394b97f3886b0537e536ed92694453196e3c3ea8468bc973 - 74d277c252b988e2361382e4ca28c9db.doc

IMAGES

Shown above: Screen shot from an infected Windows desktop. Note the .osiris file extension.

FINAL NOTES

Once again, here are the associated archives:

ZIP archive of the spreadsheet: 2016-12-16-Locky-malspam-info.csv.zip 3 kB (3031 bytes)
ZIP archive of the sample pcap: 2016-12-16-Locky-malspam-traffic-example.pcap.zip 227 kB (236,803 bytes)
ZIP archive of the emails: 2016-12-16-Locky-malspam-emails.zip 665 kB (665,407 bytes)
ZIP archive of the attachments: 2016-12-16-Locky-malspam-attachments.zip 625 kB (624,733 bytes)
ZIP archive of artifacts from an infected host: 2016-12-16-Locky-malspam-artifacts-from-infected-host.zip 214 kB (213,585 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.