2016-12-20 - "OSIRIS" VARIANT LOCKY MALSPAM WITH EXCEL FILES CONTAINING MALICOUS MACROS

ASSOCIATED FILES:

• ZIP archive of the spreadsheet:  2016-12-20-Locky-malspam-info.csv.zip   1.8 kB (1,825 bytes)
• ZIP archive of the sample pcap:  2016-12-20-Locky-malspam-traffic-example.pcap.zip   223 kB (222,738 bytes)
• ZIP archive of the emails:  2016-12-20-Locky-malspam-emails.zip   316 kB (315,659 bytes)
• ZIP archive of the attachments:  2016-12-20-Locky-malspam-attachments.zip   291 kB (291,277 bytes)
• ZIP archive of artifacts from an infected host:  2016-12-20-Locky-malspam-artifacts-from-infected-host.zip   207 kB (206,687 bytes)

NOTES:

• The entry point for today's Locky DLL sample is vape in case anyone wants to run it with rundll32.exe in a controlled environment.

I know the ransomware authors were thinking of "Loki" when they named it "Locky".  But this current pairing of Egyptian and Norse mythology doesn't sit well with me.

 

Shown above:  Chain of events for an infection from this malspam.

 

THE EMAILS

IP ADDRESSES OF BOTNET HOSTS SENDING THE MALSPAM:

• 39.37.181.130 : Pakistan - Pakistan Telecommuication Company Limited
• 43.229.90.217 : India - Kottayam Cable Channel Distributors Pvt LTD
• 88.250.146.207 : Turkey - 88.250.146.207.dynamic.ttnet.com.tr
• 115.98.166.224 : India - Hathway IP Over Cable Internet Access Service
• 116.203.73.65 : India - PDSNnew3 Mumbai PDSN
• 160.120.33.182 : Ivory Coast (Cote) - Cote D'ivoire Telecom
• 188.211.62.237 : Iran - Telecommunication Company Of Tehran
• 190.181.34.58 : Bolivia - static-190-181-34-58.acelerate.net
• 197.231.48.141 : Lesotho - Vodacom-Lesotho Wiman 3G clients
• 213.207.48.34 : Albania - VIVO Communications Sh p k

 

SUBJECT LINE:

• for printing

 

SPOOFED SENDING ADDRESSES:

• KRIS GARSIDE <kris.garside@murobonito.com>
• VIRGINIA DAVIS? <virginia.davis?@evansgeorgiachiropractors.com>
• ELBA SCHOPPLE <elba.schopple@actbijverslaving.nl>
• JOANN MONTGOMERY <joann.montgomery@gspta.com>
• SABRINA KNEEN <sabrina.kneen@fourwheeldriveworld.com>
• CAREY SEARLE <carey.searle@platinum.com.br>
• LAURA HIGGIN <laura.higgin@worldtrade-freightagencies.com>
• RACHEL LIGHTNER <rachel.lightner@nathaliasiqueira.com.br>
• CHRYSTAL STAPLETON <chrystal.stapleton@yorker.com.ar>
• STACI KEMP <staci.kemp@andromea.org>>

 

 

Shown above:  Data from 20 Locky malspam examples (part 1 of 2).

 

Shown above:  Data from 20 Locky malspam examples (part 2 of 2).

 

Shown above:  An example of these emails.

 

Shown above:  An example of these attachments--Excel spreadsheets with malicious marcos.

 

TRAFFIC

Shown above:  An example of infection traffic by the Excel macro from one of the emails.

 

TRAFFIC GENERATED BY THE EXCEL SPREADSHEET MACROS RETRIEVING THE LOCKY BINARY:

• 47.90.76.65 port 80 - ashpeptide.com - GET /hjv56
• 50.63.202.53 port 80 - guide4health.info - GET /hjv56
• 69.172.201.253 port 80 - no1archeryandsports.ca - GET /hjv56
• 82.165.156.24 port 80 - friedensschlag.de - GET /hjv56
• 87.229.112.14 port 80 - paplanindustries.com - GET /hjv56
• 162.144.2.204 port 80 - www.azrodandclassic.com - GET /hjv56

 

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

• 176.121.14.95 port 80 - 176.121.14.95 - POST /checkupdate
• 193.201.225.124 port 80 - 193.201.225.124 - POST /checkupdate

 

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

• g46mbrrzpfszonuk.onion

 

FILE HASHES

LOCKY DLL FILE:

• SHA256 hash:  53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624   (266,240 bytes)
• File name:  C:\Users\[username]\AppData\Local\Temp\momerk2.vip
• DLL entry point:  vape

 

EXCEL SPREADSHEET ATTACHMENTS FROM THE MALSPAM (SHA256 HASH - FILE NAME):

• 1149046f388f232fc82415bbd5137d4f5a44a4f57092726487961bfbbe8c9090 - Certificate_32227380.xls
• 20332e3ad08df38d9041eb2850ad78cfd6bb72c46256aa95e138b8c2fad20c78 - Certificate_5346.xls
• 20332e3ad08df38d9041eb2850ad78cfd6bb72c46256aa95e138b8c2fad20c78 - Certificate_77033.xls
• 20332e3ad08df38d9041eb2850ad78cfd6bb72c46256aa95e138b8c2fad20c78 - Certificate_46011719.xls
• 2eee20dee746b44ae41bd2231722e6eeee23a7ba4a0fb4124e40e8b64bf7682e - Certificate_6650725.xls
• 63f4c13c59dea085eb5093db79f53c206b2fcff6fd02c03ea33d222986a652c9 - Certificate_30440.xls
• 63f4c13c59dea085eb5093db79f53c206b2fcff6fd02c03ea33d222986a652c9 - Certificate_624098.xls
• ad546b4a081e2db9e9443f8c32be9f55b7aa9cb790acd0087c45f93ecddda1c4 - Certificate_48866687.xls
• d57305ab89ac54b834150786cca49e937bb330233b19d2de499014cb9a2ee040 - Certificate_6629.xls
• e3cc4c324a8d5d4d2a5a7e02436fe814cdb364439c7b4db2a1f74c96edc4a414 - Certificate_794823.xls

 

IMAGES

Shown above:  Screen shot from an infected Windows desktop.  Note the .osiris file extension.

 

FINAL NOTES

Once again, here are the associated archives:

• ZIP archive of the spreadsheet:  2016-12-20-Locky-malspam-info.csv.zip   1.8 kB (1,825 bytes)
• ZIP archive of the sample pcap:  2016-12-20-Locky-malspam-traffic-example.pcap.zip   223 kB (222,738 bytes)
• ZIP archive of the emails:  2016-12-20-Locky-malspam-emails.zip   316 kB (315,659 bytes)
• ZIP archive of the attachments:  2016-12-20-Locky-malspam-attachments.zip   291 kB (291,277 bytes)
• ZIP archive of artifacts from an infected host:  2016-12-20-Locky-malspam-artifacts-from-infected-host.zip   207 kB (206,687 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.