About

Tuesday, September 5, 2017

Locky Ransomware Latest Infection - Indicator of Compromise:

IOC for latest locky ransomware infection:

Locky Infection URL:

hxxp://konferencjaora[.]pl/w/523f.php
hxxp://autonikos[.]pl/w/6dty.php
hxxp://oxfordschoolkotputli[.]com/w/vait.php
hxxp://j3[.]rodolfogn[.]com/w/qn0b.php
hxxp://martinagebhardt[.]hu/w/uol4.php

Regex created for this php file is \/w\/[0-9a-z]{4}\.php.

Fake Dropbox landing page which serve locky ransomware:

Fake Dropbox link in the mail


hxxp://albion-cx22.co[.]uk/dropbox.html
hxxp://ambrogiauto[.]com/dropbox.html
hxxp://arthurdenniswilliams[.]com/dropbox.html
hxxp://autoecoleathena[.]com/dropbox.html
hxxp://autoecoleboisdesroches[.]com/dropbox.html
hxxp://autoecoledufrene[.]com/dropbox.html
hxxp://avtokhim[.]ru/dropbox.html
hxxp://bayimpex[.]be/dropbox.html
hxxp://binarycousins[.]com/dropbox.html
hxxp://charleskeener[.]com/dropbox.html
hxxp://campusvoltaire[.]com/dropbox.html
hxxp://dar-alataa[.]com/dropbox.html
hxxp://flooringforyou.co[.]uk/dropbox.html
hxxp://gestionale-orbit[.]it/dropbox.html
hxxp://griffithphoto[.]com/dropbox.html
hxxp://jakuboweb[.]com/dropbox.html
hxxp://jaysonmorrison[.]com/dropbox.html
hxxp://patrickreeves[.]com/dropbox.html
hxxp://potamitis[.]gr/dropbox.html
hxxp://tasgetiren[.]com/dropbox.html
hxxp://willemshoeck[.]nl/dropbox.html

Fake Dropbox landing page
It is advised to block these malicious url in the firewall, if you find any of these urls in your proxy logs or firewall that it is an indication of your system has been infected.

Post made by
newWorld researchers


No comments:

fast16 & The MARINTEK False Positive | Threat Intelligence

fast16 & The MARINTEK False Positive | Threat Intelligence THREAT//INTEL APT Analysis Reverse Engineering False Positive W...