Tuesday, September 5, 2017

Locky Ransomware Latest Infection - Indicators of Compromise:

IOCs for the latest Locky ransomware infection:

Locky infection URLs (payload download, defanged):

hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

All of the payload URLs share the same path shape: a four-character [0-9a-z] name under /w/ with a .php extension. The regex for that path is \/w\/[0-9a-z]{4}\.php. It is unanchored and says nothing about the host, so apply it to the URL path in your logs and treat a match on a host that is not in the list above as something to triage rather than as a confirmed infection.

Fake Dropbox landing pages that serve the Locky ransomware (the mail carries a link to one of these):

Fake Dropbox link in the mail (screenshot)

hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html

Fake Dropbox landing page (screenshot)

It is advised to block these malicious URLs on the proxy and firewall. If any of them show up in your proxy or firewall logs, treat the source host as compromised until proven otherwise: a hit on a /dropbox.html landing page means a user clicked the lure, and a hit on one of the /w/xxxx.php URLs means the host went on to fetch the payload. A blocked request or a download that never ran does not rule out an infection on its own, so isolate the host and check it for Locky artifacts rather than relying on the proxy verdict.
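The following script is an added example, not part of the original post, showing how the IOCs above can be matched against proxy logs. It refangs the defanged URLs, applies the post's /w/[0-9a-z]{4}\.php path regex together with the two host lists, and reports the strongest finding per client address. The Squid-native log layout and the log lines themselves (hosts 10.0.0.x, example.com and some-other-site.example) are constructed for illustration; only the IOC host lists come from the post.

```python
"""Match proxy log lines against the Locky IOCs listed above.

Added example, not from the original post. IOC host lists are copied from the
post (refanged). Log lines, client addresses and the Squid-native layout
(time elapsed client code size method url ...) are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Hosts from the "Locky infection URL" list (payload download).
PAYLOAD_HOSTS = {
    "konferencjaora.pl", "autonikos.pl", "oxfordschoolkotputli.com",
    "j3.rodolfogn.com", "martinagebhardt.hu",
}

# Hosts from the fake Dropbox landing page list.
LANDING_HOSTS = {
    "albion-cx22.co.uk", "ambrogiauto.com", "arthurdenniswilliams.com",
    "autoecoleathena.com", "autoecoleboisdesroches.com", "autoecoledufrene.com",
    "avtokhim.ru", "bayimpex.be", "binarycousins.com", "charleskeener.com",
    "campusvoltaire.com", "dar-alataa.com", "flooringforyou.co.uk",
    "gestionale-orbit.it", "griffithphoto.com", "jakuboweb.com",
    "jaysonmorrison.com", "patrickreeves.com", "potamitis.gr",
    "tasgetiren.com", "willemshoeck.nl",
}

# The post's regex for the payload path, anchored to the end of the path so
# that e.g. "/w/abcd.php.bak" is not matched.
PAYLOAD_PATH = re.compile(r"/w/[0-9a-z]{4}\.php$")
LANDING_PATH = re.compile(r"^/dropbox\.html$")

# Higher = stronger evidence that the client actually fetched the payload.
SEVERITY = {"landing": 1, "payload-pattern": 2, "payload": 3}


def refang(url: str) -> str:
    """Turn a defanged IOC (hxxp://x[.]y) back into a matchable URL."""
    return (url.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def split_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, path) for an http(s) URL, or None if it is not one."""
    m = re.match(r"^https?://([^/?#]+)(/[^?#]*)?", url, re.IGNORECASE)
    if not m:
        return None
    host = m.group(1).lower().split(":")[0]   # drop any :port suffix
    return host, (m.group(2) or "/")


def classify(url: str) -> Optional[str]:
    """'payload'         = listed payload host + /w/xxxx.php path
       'payload-pattern' = path matches but host is not listed (triage it)
       'landing'         = listed fake-Dropbox host + /dropbox.html
       None              = no IOC match"""
    parts = split_url(refang(url))
    if parts is None:
        return None
    host, path = parts
    if PAYLOAD_PATH.search(path):
        return "payload" if host in PAYLOAD_HOSTS else "payload-pattern"
    if LANDING_PATH.match(path) and host in LANDING_HOSTS:
        return "landing"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, kind) for every IOC hit, in log order."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:          # malformed or truncated line, skip it
            continue
        client, url = fields[2], fields[6]
        kind = classify(url)
        if kind:
            hits.append((client, url, kind))
    return hits


def triage(hits: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Collapse hits to the strongest finding per client address."""
    worst: Dict[str, str] = {}
    for client, _, kind in hits:
        if client not in worst or SEVERITY[kind] > SEVERITY[worst[client]]:
            worst[client] = kind
    return worst


# Constructed sample log: one client clicks the lure and fetches the payload,
# one is clean, one hits the path pattern on an unlisted host.
SAMPLE_LOG = [
    "1504602001.123 245 10.0.0.15 TCP_MISS/200 1324 GET http://ambrogiauto.com/dropbox.html - HIER_DIRECT/203.0.113.5 text/html",
    "1504602009.456 812 10.0.0.15 TCP_MISS/200 66048 GET http://autonikos.pl/w/6dty.php - HIER_DIRECT/203.0.113.6 application/octet-stream",
    "1504602015.789 40 10.0.0.22 TCP_HIT/200 5120 GET http://www.example.com/index.html - HIER_NONE/- text/html",
    "1504602020.001 301 10.0.0.31 TCP_MISS/200 64000 GET http://some-other-site.example/w/ab12.php - HIER_DIRECT/203.0.113.7 application/octet-stream",
    "1504602025.555 90 10.0.0.22 TCP_MISS/404 512 GET http://www.example.com/dropbox.html - HIER_DIRECT/203.0.113.8 text/html",
]

if __name__ == "__main__":
    for client, url, kind in scan_log(SAMPLE_LOG):
        print(f"{kind:16} {client:12} {url}")
    print("triage:", triage(scan_log(SAMPLE_LOG)))
```

The pattern-only class matters: the post's regex by itself will fire on any site that happens to use a /w/xxxx.php path, so a hit on an unlisted host is a lead to pull the download and check it, while a hit on a listed host followed by a 200 with a binary content type is treated as the payload having been fetched.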

Post made by
newWorld researchers

