2018-04-17 - "ZERO-GAND" MALSPAM ACTIVE AGAIN SINCE MONDAY 2018-04-16

ASSOCIATED FILES:

• Zip archive of some infection traffic:  2018-04-17-Zero-Gand-malspam-tracker-40-examples.csv.zip   2.3 kB (2,295 bytes)
• Zip archive of some infection traffic:  2018-04-17-Zero-Gand-malspam-infection-traffic.pcap.zip   191 kB (190,708 bytes)
• Zip archive of the emails, malware, & artifacts:  2018-04-17-Zero-Gand-malspam-emails-and-artifacts.zip   1.6 MB (1,595,157 bytes)

NOTES:

• These waves of malspam use [0.0.0.0] as a spoofed address in a "Received: from" line from the email headers.
• Last week, I started calling this the "Zero-Gand" campaign as noted in this ISC diary.
• This campaign occasionally changes attachments.  So far, I've seen it use Word documents or JS files.
• Since yesterday, it's been using JS files.

Shown above:  Screenshot from the malspam tracker.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains.  With the exception of "uh.exe", all of this has been previously reported.

• hxxp://185.189.58.222/uh.exe
• ransomeware.bit
• zonealarm.bit
• gandcrab2pie73et.onion
• gandcrab2pie73et.onion.rip
• gandcrab2pie73et.onion.plus
• gandcrab2pie73et.onion.to

 

EMAIL

DATA FROM 40 EMAILS:

• Date/Time: Monday 2018-04-16 as early as 04:25 UTC through Tuesday 2018-04-17 as late as 18:39 UTC

• Received: from [0.0.0.0] ([1.22.172.62])
• Received: from [0.0.0.0] ([1.47.200.195])
• Received: from [0.0.0.0] ([5.178.186.63])
• Received: from [0.0.0.0] ([27.123.214.110])
• Received: from [0.0.0.0] ([36.37.129.249])
• Received: from [0.0.0.0] ([37.150.0.255])
• Received: from [0.0.0.0] ([42.112.80.163])
• Received: from [0.0.0.0] ([42.112.84.240])
• Received: from [0.0.0.0] ([46.70.198.170])
• Received: from [0.0.0.0] ([81.177.254.148])
• Received: from [0.0.0.0] ([91.229.151.177])
• Received: from [0.0.0.0] ([95.152.63.70])
• Received: from [0.0.0.0] ([109.75.49.213])
• Received: from [0.0.0.0] ([111.93.29.194])
• Received: from [0.0.0.0] ([115.74.67.100])
• Received: from [0.0.0.0] ([116.108.54.181])
• Received: from [0.0.0.0] ([116.111.171.142])
• Received: from [0.0.0.0] ([117.4.173.50])
• Received: from [0.0.0.0] ([121.52.149.3])
• Received: from [0.0.0.0] ([122.171.197.73])
• Received: from [0.0.0.0] ([158.181.42.134])
• Received: from [0.0.0.0] ([158.181.43.243])
• Received: from [0.0.0.0] ([171.249.79.177])
• Received: from [0.0.0.0] ([176.100.190.84])
• Received: from [0.0.0.0] ([177.38.236.188])
• Received: from [0.0.0.0] ([178.135.88.206])
• Received: from [0.0.0.0] ([178.168.242.118])
• Received: from [0.0.0.0] ([178.205.39.82])
• Received: from [0.0.0.0] ([178.215.104.51])
• Received: from [0.0.0.0] ([181.49.230.153])
• Received: from [0.0.0.0] ([182.16.158.212])
• Received: from [0.0.0.0] ([185.108.20.166])
• Received: from [0.0.0.0] ([185.81.93.253])
• Received: from [0.0.0.0] ([194.44.152.136])
• Received: from [0.0.0.0] ([196.202.155.126])
• Received: from [0.0.0.0] ([203.153.45.182])
• Received: from [0.0.0.0] ([203.76.222.10])
• Received: from [0.0.0.0] ([213.157.33.192])
• Received: from [0.0.0.0] ([213.175.161.90])
• Received: from [0.0.0.0] ([223.179.232.10])

• From: Aida Adams <Aida89@6814.com>
• From: Aisha Allen <Aisha62@4869.com>
• From: Billie Garcia <Billie68@8197.com>
• From: Billie Walker <Billie33@4178.com>
• From: Billy Jenkins <Billy12@0204.com>
• From: Blair James <Blair83@0264.com>
• From: Blake Moore <Blake60@8794.com>
• From: Blanca Evans <Blanca92@4618.com>
• From: Bobbi Turner <Bobbi55@7607.com>
• From: Bobbie Roberts <Bobbie65@1109.com>
• From: Bonita Reed <Bonita96@4833.com>
• From: Booker Ross <Booker04@6787.com>
• From: Boris Johnson <Boris74@7851.com>
• From: Bradley Taylor <Bradley11@0478.com>
• From: Bradly Bennett <Bradly71@6410.com>
• From: Bradly Jackson <Bradly65@5499.com>
• From: Debbie Ross <Debbie99@5592.com>
• From: Delbert Roberts <Delbert69@2574.com>
• From: Delia Collins <Delia31@7672.com>
• From: Delia Harris <Delia41@7643.com>
• From: Gilda Hernandez <Gilda38@7318.com>
• From: Giovanni Campbell <Giovanni38@0644.com>
• From: Giovanni Clark <Giovanni45@1099.com>
• From: Giovanni Peterson <Giovanni47@7147.com>
• From: Giovanni Scott <Giovanni40@3785.com>
• From: Gladys Wright <Gladys43@2872.com>
• From: Glenda Brooks <Glenda11@5537.com>
• From: Glenn Green <Glenn49@6473.com>
• From: Glenn Howard <Glenn75@1988.com>
• From: Glenna Bailey <Glenna29@7101.com>
• From: Gloria Lopez <Gloria18@7682.com>
• From: Gonzalo Morris <Gonzalo83@4829.com>
• From: Humberto Cook <Humberto38@8059.com>
• From: Humberto Lee <Humberto34@0122.com>
• From: Hung Ward <Hung87@1700.com>
• From: Ida Cox <Ida75@2311.com>
• From: Ila Cook <Ila73@4555.com>
• From: Ila Scott <Ila91@6984.com>
• From: Ilene Collins <Ilene87@1197.com>
• From: Taylor Green <Taylor91@3588.com>

• Subject: Document #08291
• Subject: Document #17407
• Subject: Document #26534
• Subject: Document #89718
• Subject: Invoice #04653
• Subject: Invoice #25348
• Subject: Invoice #25932
• Subject: Invoice #35324
• Subject: Invoice #63930
• Subject: Invoice #92062
• Subject: Order #01920
• Subject: Order #37926
• Subject: Order #47120
• Subject: Order #77573
• Subject: Order #80327
• Subject: Order #94523
• Subject: Order #99487
• Subject: Payment #18660
• Subject: Payment #24148
• Subject: Payment #49488
• Subject: Payment #68880
• Subject: Payment #72392
• Subject: Payment Invoice #14450
• Subject: Payment Invoice #18733
• Subject: Payment Invoice #26088
• Subject: Payment Invoice #27883
• Subject: Payment Invoice #53946
• Subject: Payment Invoice #99782
• Subject: Ticket #33098
• Subject: Ticket #44862
• Subject: Your Document #00693
• Subject: Your Document #04501
• Subject: Your Document #89008
• Subject: Your Order #09716
• Subject: Your Order #31296
• Subject: Your Order #84959
• Subject: Your Ticket #21052
• Subject: Your Ticket #31342
• Subject: Your Ticket #80962
• Subject: Your Ticket #98684

 

TRAFFIC

Shown above:  Traffic from the infection fitlered in Wireshark.

 

Shown above:  Notice how some of the DNS traffic goes to public IP addresses, which is different than what's normally configured (in this case, normal is 10.4.17.1).

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

• 185.189.58.222 port 80 - 185.189.58.222 - GET /uh.exe
• 66.171.248.178 port 80 - ransomware.bit - GET /
• 86.126.136.160 port 80 - ransomware.bit - POST /alfuiph?ph=st
• 130.204.21.137 port 80 - ransomware.bit - POST /bei
• 66.171.248.178 port 80 - ransomware.bit - GET /
• 109.96.248.32 port 80 - ransomware.bit - POST /zaeede
• 130.204.21.137 port 80 - ransomware.bit - POST /beres?lfea=sa&orelf=gh
• 66.171.248.178 port 80 - ransomware.bit - GET /
• 37.143.160.70 port 80 - ransomware.bit - POST /ores?ge=s&apheigh=ei
• 194.204.25.137 port 80 - ransomware.bit - POST /uisoas?ailoey=ai&faust=loey
• 66.171.248.178 port 80 - ransomware.bit - GET /
• 82.114.65.50 port 80 - ransomware.bit - POST /seighlf?ge=oade&agea=ayfow

• DNS queries for ipv4bot.whatismyipaddress.com (results used in IP address checks to ransomware.bit)
• DNS queries for ns1.corp-servers.ru (results used in DNS queries for zonealarm.bit)
• 89.203.10.56 port 53 - DNS query for zonealarm.bit (results used in HTTP POST requests to ransomware.bit)
• 94.249.60.127 port 53 - DNS query for zonealarm.bit (results used in HTTP POST requests to ransomware.bit)
• 189.162.188.117 port 53 - DNS query for zonealarm.bit (results used in HTTP POST requests to ransomware.bit)
• 189.75.183.21 port 53 - DNS query for zonealarm.bit (results used in HTTP POST requests to ransomware.bit)

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

• gandcrab2pie73et.onion
• gandcrab2pie73et.onion.rip
• gandcrab2pie73et.onion.plus
• gandcrab2pie73et.onion.to

 

FILE HASHES

Shown above:  One of the malspam attachments and its extracted JS file.

 

40 EMAIL ATTACHMENTS:

• faf0ebf33d21e2a9cf46b6d6bb67cd0b50256cfe4b33588e087f72c6f653d08b - DOC1041937684.zip
• 7fe716a12480983c7694d66ff9f379d780fdb1cca1131031dbd9af109c010986 - DOC1106022591.zip
• 7ef9665776daf32e2f643de696e0f84ccb396e03c565840cb3c5d6421eba5415 - DOC1115226785.zip
• bf1f21531e2356036006115bde8585061f97bddd5b940b2417e71c59ee78214b - DOC1165724396.zip
• bc2399c08e1b31d0247bbd579e73296ce6305703cecf0628fa0567031fd06cf6 - DOC1185734425.zip
• 28fcdeacda337c36b9fc26849cc8531654ec2f5cedecd8fb8e24e4b1eccf3799 - DOC1214829834.zip
• d77eb535d17cb82f48b8a8db1529de7c1501a1c8cce030056fd7737c520d300f - DOC1235830180.zip
• bfe6ad096e9ef46fb13da46e0253ffa772a947e8b1f2aff9f0aed14a52e04dc5 - DOC1393010102.zip
• b143002c473786d89ea86658ce84cddd9e72a610d35fc7e0c9face57b4a4c4b7 - DOC1443026327.zip
• c0b164d4731ff52a6e7a2f67b813e96e586d9250f21b91a59625425f228b2c73 - DOC1468633890.zip
• 8da730793a001de06b3d029e7811e78837461f0ebc389956735694c137c6ba07 - DOC1641716505.zip
• 6438a70837d41daad80b68e1ea7bcdce8d08b8f6054de9ee510998dc32943ea1 - DOC1831436464.zip
• 98b9cf06d55798b754f5758a6486121901d20631f923cba6815568ed090cc04d - DOC2325839057.zip
• 2b36af6efd2b0fbea039f385a54070392fa6c352a820df888c788b22e06d11c4 - DOC2515918147.zip
• 7de669191877e04d6450fed5aa0616ba761d642429ca9ff612362774dfd6c87c - DOC2523525530.zip
• a6645dad4201a884645c00259e092c0dbaa5a94139d35921425e3ce67e8fa25b - DOC2669922187.zip
• ee0100e58c52657166a2baed792dfd4cdbc2928d6e29c34ae0d53ce640e52055 - DOC2674728587.zip
• 196f8ef5430bfb2ca30c8aeb09e90af82a4a74b2bfd7376634d11e27180e5594 - DOC2773911604.zip
• 828d1c02d94efa6f1982136f96af116f4f82e93dd40589cf8c9b2661983e90eb - DOC2886638186.zip
• c4eee41c646e840cf86142c97cc5d07ce45a7c93d2e66aa00c9d61840acbdb97 - DOC2892914828.zip
• ce006e1d06143ed2305154c55cc5c108b864c517d0233d934550991d4a6fb313 - DOC2905514090.zip
• 163d4f46900adae36b1467fe0e54ddf6185bfa51470ac7c26bae3c58aba79d00 - DOC2912527924.zip
• 5e85c40eca99c0dd79f5689ca443b6d529d9ab41837c47552d67dfc3830a4ff1 - DOC3038142426.zip
• 7df64aa821a9e39851c2994a7f4d39b7b0b1ae221a58ec8aecb55ded864c42aa - DOC3062710601.zip
• 11d7dfc73c6a1603030f27dbccff4a64caec47b4f258a440c176be6065ad4148 - DOC3063225757.zip
• 98ecddb70755ceeff10625765710e98e8d53ee6fe81a7ef91f404302b68bff0b - DOC3096718037.zip
• 920129258b67b150df804c9055330e1413bb93b83661b732bebb9977f7986eca - DOC3288918471.zip
• 2788dd2548f14945ce895df84ce8459f1735a154c243bcce90a9b22e3f0afbdc - DOC3308331381.zip
• 999388d82f1d51c7b3931045dfd289b5afa455def7297d3493a3686f7d05d0c5 - DOC3437219426.zip
• 3adb20ca38173db2faff3b10fb54964616dad7328193b499109f9203eb4203b8 - DOC3482620097.zip
• 38366f219b691f8415888313cf42e1213e7cc290927a0ee95fcf5649f5862c86 - DOC3650036004.zip
• ea9c75c00986f3593e27a7fe024825646366673959496353800b3311ece1f35d - DOC3674429629.zip
• 247acff8a2b1c2fbf1ad6c5e61c0ce8b361087b9a8b2bd514a5e5891bfb8dc6f - DOC3877327605.zip
• feb5ceeeea8d5174a69fdb8c0a0d55efaf74d368309769fc45720c2621ca18a9 - DOC3906733473.zip
• 7db92b7e99698b0074802a93c32782a9b019a05d8f424fb4c5bc8b8a7cb59c06 - DOC3920110804.zip
• 2a3d45abc55bfdbb25ff20b38f6c2ca4c58de8f062ab96ea6ccc6d52d61b0278 - DOC3922424391.zip
• f5cbec1fb7dd120f603f1b8ca75ad52367090405cbeaa173c8415b8ce83c7b01 - DOC3961032088.zip
• e318d924cbef7a8e5fe2205b5e079a95302b2e0ae330cd5809d3d12cfaafe85e - DOC3962721620.zip
• 403b2cbd35d6c177544d9fde8a807df201ba70b3adacab73d8bca67921a2b08f - DOC4015119990.zip
• 2c8b1c591b852b4acacb5f8dda24f863f5faabfbe54a5386aeb0c90026952150 - DOC4219839376.zip

40 EXTRACTED .JS FILES:

• bcccda3051c89d4bd2c1f9e70450cd8150284498cf188d98278b344d3a4841d7 - DOC1041937684.js
• 1eb351f8882be28fb0d52ed387cb1fe87efcbb185400248c4202ca8c26eb2896 - DOC1106022591.js
• c3a3c01680304de2f06015d1b79dc76d3fde7659ff98a975c0d2ca97e7ae4dae - DOC1115226785.js
• fd7e1992bee5a4beb9beefff1f2982356348574e6a07d6bcea2da7faab3b1352 - DOC1165724396.js
• 2fe4a5d7c748a5cb568b78ad364bffb3b40530eb873aa2562aa4aafbc58c08f9 - DOC1185734425.js
• 7bf0b6f86bf916614bc7ae67e567794e39df6097e1de3721f0f496e516a74334 - DOC1214829834.js
• 64b0d90da749409ebe2ab1c68ada8ea9b8f2e82bafd2a83babab4a40a51c022d - DOC1235830180.js
• 34f54e6a102435d7e7c19ca5ff0a1959f9dd56261a48b20476ef0302064214ee - DOC1393010102.js
• 14f31304b270f1e4009d012dd6959ed0db8dec5516c2bb578ba8bf5dd19eb26d - DOC1443026327.js
• 65e47f8492fd868c9c9a91d7ac35b8be73c94d1f96ab47a0d99a45e9f93989dc - DOC1468633890.js
• 3cd4312dcaac23dd29995f2d60a86554175b0e10d657ed3c8d007d0c9217d0f5 - DOC1641716505.js
• 2d1a8ad9936837daa2aa9c06d752a7efa84d856b847c48d21481886c9421a058 - DOC1831436464.js
• 3a37d90e98c0964f57163c3ec7b0805f8b8d3d1da8206db3a23af4523bd71460 - DOC2325839057.js
• 9134352687fe37b7d7fccf0727de431e7e0ba67fd071fe7a9c407e8fc3e334aa - DOC2515918147.js
• 1a49671814fde04000f22e8f6faf2dbf99b1ac951444c3910f99eec20e28511c - DOC2523525530.js
• 42fde73c742467f8df796a162607e8f17337fb02207ca35a4c7e6383a0c31419 - DOC2669922187.js
• 713d4f1f206a6a773827e9d1960269c51c8681c7a530639ab309763c2dcb7625 - DOC2674728587.js
• 5a273b0de041c6a520cce29dec9c435ae8179cb9def7f87959d44769c9ec683f - DOC2773911604.js
• 90f3b488a144e74bd81d318d9173d96f39e5a6107b1dbb617c3ee9877c4dc5d4 - DOC2886638186.js
• 1394a8cc6d7a945ebb674e23f08939f4c9ba6577c89c0dd252f292542dcda974 - DOC2892914828.js
• ee7fbb555a15a3b74b848bb09c702f55476b134f2489a8fb660f63096b180420 - DOC2905514090.js
• 7503ae5601d7daf81dcb2113bf2aac9175f3dfb5b386c4b6d4bf7df77532f334 - DOC2912527924.js
• 808aff0889036605b26beaee394148f8e172b30c83a33c707f439917e2f0f169 - DOC3038142426.js
• a6b7689d7efe0132cddd06662b30b76cf48f903fef6b40d3c88fa89ef31ea756 - DOC3062710601.js
• 46a39c24126e1fe5a2a88e60b2aba329942409ca2964633ea86a0386d16ba8f6 - DOC3063225757.js
• 57c398a854784b811ab4a14e558c25c2f51d4ba935e30b3513d635dc168bf3c0 - DOC3096718037.js
• da6e88ca1a256597f2e5382fdfe949abdbb303b53433eab6757f145327875b29 - DOC3288918471.js
• 05aacf529c09fbd8c85252af3306e8ce8318123ccc581f8d00cce4b9127f157a - DOC3308331381.js
• e3581807504cd338722b7031cf631c46404d66322b5ae090047936b16ebb52ec - DOC3437219426.js
• d41128ebd262fed5785cbc07335077d811612d70ad23476f36a204baf7410a6e - DOC3482620097.js
• 8392a6a5d04de4e09d048fb4e058c3aa12ed5b5f91ff1cd5603612210322550e - DOC3650036004.js
• 8bd9569019a3e739ea24bdc6dae691e45c028d59ce8330c98981710668aae424 - DOC3674429629.js
• 6148952ea78af12e9e54d42f2a3a9a8e4707d60990f8884be81e9be98997e528 - DOC3877327605.js
• 6eca72dece5f59f60903901bd3e4ac9c64c67a86c857cae4ad80d18d4fb4d435 - DOC3906733473.js
• 771d376429e18ca84bd24f64b15605e97f6392e362e7e63dce131a460e2cf2a3 - DOC3920110804.js
• d441d25540b7f0afdfdfd1bd8b2ca97b866380a0b79c16b18a85a2a35215415a - DOC3922424391.js
• 4eb7eeabd603bccdd1048c2f4b4393a14aa124c59430b492192f5e14d97c92ee - DOC3961032088.js
• c4b85dd31156948414d3c7da5b7226098e9bdb20661a75daa65762a0d66d0674 - DOC3962721620.js
• 134051bca4b9718c810e2bca64ad0c4aa8578384db1d73f52c67e8946d8f9748 - DOC4015119990.js
• ba5044f299986f223f41c7148cb71f996c2f2e4a1cdc86e6875a198319bce044 - DOC4219839376.js

GANDCRAB RANSOMWARE:

• SHA256 hash:  339d22b5e02c79cdaa355bb11b063645332d0a2fd43ae78af6577818c4078284
  File size:  208,392 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\z.exe
  File location:  C:\Users\[username]\AppData\Roaming\Microsoft\cooxjh.exe
  File description:  Gandcrab ransomware

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of some infection traffic:  2018-04-17-Zero-Gand-malspam-tracker-40-examples.csv.zip   2.3 kB (2,295 bytes)
• Zip archive of some infection traffic:  2018-04-17-Zero-Gand-malspam-infection-traffic.pcap.zip   191 kB (190,708 bytes)
• Zip archive of the emails, malware, & artifacts:  2018-04-17-Zero-Gand-malspam-emails-and-artifacts.zip   1.6 MB (1,595,157 bytes)

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.