Sunday, January 14, 2018

Locky ransomware comes with outstanding statement

OVERVIEW

A recent variant of Locky ransomware uses an "outstanding statement" e-mail as its point of entry. The spam message carries the subject "outstanding statement" and attaches a JavaScript file posing as the customer statement.
File Hash (SHA-256): 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
File Size: 13 KB
We observed the malicious domains contacted by this JavaScript file.

DELIVERY

This malware is distributed via spam mail that carries the malicious JavaScript file as the e-mail "statement". Once the victim executes the JavaScript (e-mail statement) file, the machine ends up infected. Let us look at the malicious domains contacted by the JavaScript file:

Malicious domains:
hxxp://www.vayvonvietcombank24h(.)net/wp-content/plugins/duplicator/installer/77805e1530d.html
hxxp://www.tinhnghenanovienhanlam(.)com/bkw.php?pdah
hxxp://www.tinhnghenanovienhanlam(.)com/bfw.php?xmk
hxxp://www.tindungvietcombank24h(.)com/zg.php?voa
hxxp://www.tinchapvpbank-hn(.)com/zc.php?gtdc

These malicious domains serve the Locky ransomware files to the victim machines. Specifically, the domain ‘vayvonvietcombank24h(.)net’ serves the Locky ransomware sample, which is downloaded and then executed.
The full malicious URL is hxxp://vayvonvietcombank24h(.)net /tOldHSYW?

INFECTION
Figure 1 Downloaded Locky sample

We also observed the variants in the domain extension:

Figure 2 Observed pattern in the malicious domain

Analysis of Locky sample

File Hash (SHA-256): da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
File Size: 151 KB
We executed the Locky sample in a controlled environment and observed its behavior. It creates a RunOnce registry entry as follows.


Figure 3 Registry entry


ENCRYPTION


Figure 4 Files added after execution (..doc extension added)

A large number of files are created; this is the behavior of a ransomware sample that modifies the other files on the system. We found the ‘..doc’ extension on all the encrypted files. The read_me.html file is the ransom note; it contains details of the payment method and a Tor link. The snapshot below shows the contents of the readme HTML:

Figure 5 Readme HTML (payment methods)


Threat Indicator
IOC details:

File Hashes:
SHA 256: da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
SHA 256: 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd

Malicious domain:
vayvonvietcombank24h(.)net
tinhnghenanovienhanlam(.)com
tindungvietcombank24h(.)com
tinchapvpbank-hn(.)com

TOR Link:
n224ezvhg4sgyamb(.)onion/sup.php

File extension added by this variant of ransomware:
‘..doc’

Registry key:
Key: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value: "BROWSERUPDATECHECK"
Physical location: %appdata%/<lockysample>
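An added example (not code from the original post) that applies the IOCs listed above to constructed sample telemetry: a web proxy log, the value names read from the RunOnce key, and a file listing. The proxy log line format and the sample paths are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit
# Indicators from the report above, with the "(.)" defanging undone for matching.
IOC_DOMAINS = {"vayvonvietcombank24h.net", "tinhnghenanovienhanlam.com",
               "tindungvietcombank24h.com", "tinchapvpbank-hn.com"}
IOC_SHA256 = {"da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c",
              "381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd"}
RUNONCE_VALUE = "BROWSERUPDATECHECK"  # value name under HKCU\...\CurrentVersion\RunOnce
ENCRYPTED_SUFFIX = "..doc"            # appended to every encrypted file
RANSOM_NOTE = "read_me.html"          # note dropped beside the encrypted files

def host_matches_ioc(host):
    """True if host is an IOC domain or a subdomain of one (the delivery URLs use www.)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_proxy_log(lines):
    """Return (line_no, host) for each line whose URL host hits the IOC list.
    Assumed (constructed) line format: '<timestamp> <client> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        host = urlsplit(parts[3]).hostname or ""
        if host_matches_ioc(host):
            hits.append((n, host))
    return hits

def scan_runonce(values):
    """values: {name: data} read from the RunOnce key. Names are case-insensitive."""
    return [name for name in values if name.upper() == RUNONCE_VALUE]

def scan_files(paths):
    """Flag encrypted files ('..doc', not a plain '.doc') and dropped ransom notes."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_SUFFIX)
            or p.lower().rsplit("\\", 1)[-1] == RANSOM_NOTE]

def scan_hashes(hashes):
    """Return the SHA-256 values that match either sample from the report."""
    return sorted(h.lower() for h in hashes if h.lower() in IOC_SHA256)

# Constructed sample telemetry so the script runs stand-alone.
SAMPLE_LOG = [
    "2018-01-14T09:12:03Z 10.0.0.15 GET http://www.vayvonvietcombank24h.net/tOldHSYW? 200",
    "2018-01-14T09:12:09Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2018-01-14T09:13:41Z 10.0.0.22 GET http://www.tinchapvpbank-hn.com/zc.php?gtdc 200",
]
SAMPLE_RUNONCE = {"BrowserUpdateCheck": r"C:\Users\bob\AppData\Roaming\x.exe",
                  "OneDriveSetup": r"C:\Program Files\OneDrive\setup.exe"}
SAMPLE_FILES = [r"C:\Users\bob\Documents\budget.xlsx..doc", r"C:\Users\bob\Documents\notes.doc",
                r"C:\Users\bob\Documents\read_me.html"]
```

Any hit from `scan_proxy_log` or `scan_runonce` on a host is a reason to isolate it and check the user's mail for the "statement" attachment.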


Conclusion

We recommend that users apply the IOC details above to block the infection. In this case, the malicious JavaScript file arrives as a "statement" distributed via an e-mail campaign. We recommend that users be more cautious with attachments from unknown senders, and keep anti-malware software with anti-ransomware modules updated to combat ransomware attacks.
