OVERVIEW
A recent variant of Locky ransomware uses an "outstanding statement" lure as its point of entry. The spam message carries a subject line about an outstanding statement and attaches a JavaScript file posing as a customer statement.
File Hash (SHA-256): 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
File Size: 13 KB
We observed the malicious domains contacted by this JavaScript file.
DELIVERY
This malware is distributed via spam mail carrying a malicious JavaScript file presented as an email statement. Once the victim executes the JavaScript file, the infection begins. The malicious domains contacted by the JavaScript file are listed below:
Malicious Domain
hxxp://www.vayvonvietcombank24h(.)net/wp-content/plugins/duplicator/installer/77805e1530d.html
hxxp://www.tinhnghenanovienhanlam(.)com/bkw.php?pdah
hxxp://www.tinhnghenanovienhanlam(.)com/bfw.php?xmk
hxxp://www.tindungvietcombank24h(.)com/zg.php?voa
hxxp://www.tinchapvpbank-hn(.)com/zc.php?gtdc
These domains serve the Locky ransomware payload to victim machines. Specifically, the domain 'vayvonvietcombank24h(.)net' serves the Locky sample, which is then downloaded and executed.
The full malicious URL is hxxp://vayvonvietcombank24h(.)net/tOldHSYW?
INFECTION
Figure 1 Downloaded Locky sample
We also observed the variants in the domain extension:
Figure 2 Observed pattern in the malicious domain
Analysis of Locky sample
File Hash (SHA-256): da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
File Size: 151 KB
We executed the Locky sample in a controlled environment and observed its behavior. It creates a RunOnce registry entry as follows.
Figure 3 Registry entry
ENCRYPTION
Figure 4 Files added after execution (..doc extension added)
Figure 5 Readme HTML (payment methods)
Threat Indicator
IOC details:
File Hashes:
SHA 256: da3ab88c61deabf4cb4d296cc0b4a586eeedc89e87adc4ea648ab8fe6a41346c
SHA 256: 381272f158b754bf189dce4f7376fa8573583afa1e6659d0e85934080824f4cd
Malicious domain:
vayvonvietcombank24h(.)net
tinhnghenanovienhanlam(.)com
tindungvietcombank24h(.)com
tinchapvpbank-hn(.)com
TOR Link:
n224ezvhg4sgyamb(.)onion/sup.php
File extension added by this variant of ransomware:
‘..doc’
Registry key:
Key: HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
Value: "BROWSERUPDATECHECK"
Physical location: %appdata%/<lockysample>
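One way to turn the indicators above into a host-triage check, as an added example that is not part of the original post: the registry events and file names below are constructed to mimic what the post reports, and the rule that flags any RunOnce command living under %APPDATA% is an assumption layered on top of the reported drop location.

```python
"""Triage helpers for the Locky indicators reported above (added example)."""

# Indicators taken from the post: RunOnce key, value name, drop location, extension.
RUNONCE_KEY = r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"
SUSPICIOUS_VALUE_NAME = "BROWSERUPDATECHECK"
LOCKY_EXTENSION = "..doc"
# Assumption: a RunOnce command under the roaming AppData folder is worth a look
# even when the value name differs, because that is where this sample lives.
APPDATA_MARKERS = ("%appdata%", r"\appdata\roaming")


def score_runonce_entry(key: str, name: str, data: str) -> str:
    """Rate one autorun registry value as 'high', 'medium' or 'none'.

    high   : the exact value name from the post under the RunOnce key
    medium : any other RunOnce command whose path points into %APPDATA%
    none   : a different key, or a RunOnce command outside AppData
    """
    if key.upper() != RUNONCE_KEY:
        return "none"
    if name.upper() == SUSPICIOUS_VALUE_NAME:
        return "high"
    command = data.strip('"').lower()
    if any(marker in command for marker in APPDATA_MARKERS):
        return "medium"
    return "none"


def is_locky_renamed(filename: str) -> bool:
    """True when a file carries the double-dot '..doc' suffix this variant appends."""
    return filename.lower().endswith(LOCKY_EXTENSION)


def original_name(filename: str) -> str:
    """Recover the pre-encryption name by stripping the appended '..doc' suffix."""
    return filename[: -len(LOCKY_EXTENSION)] if is_locky_renamed(filename) else filename


# Constructed sample input (not captured from the real sample).
SAMPLE_REGISTRY_EVENTS = [
    (RUNONCE_KEY, "BROWSERUPDATECHECK", r'"C:\Users\victim\AppData\Roaming\svchost.exe"'),
    (RUNONCE_KEY, "Updater", r"%APPDATA%\tools\update.exe"),
    (RUNONCE_KEY, "VendorSetup", r'"C:\Program Files\Vendor\setup.exe" /finish'),
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN", "OneDrive", r"C:\Users\victim\AppData\Roaming\od.exe"),
]
SAMPLE_FILES = ["budget.xlsx..doc", "notes.doc", "photo.jpg..doc"]


def triage(events=SAMPLE_REGISTRY_EVENTS, files=SAMPLE_FILES) -> dict:
    """Summarise hits: scored registry values plus the files that look encrypted."""
    hits = {name: score_runonce_entry(k, name, d) for k, name, d in events}
    renamed = [original_name(f) for f in files if is_locky_renamed(f)]
    return {"registry": hits, "renamed_files": renamed}
```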
Conclusion
We recommend that users apply the IOC details above to block the infection. In this case, the malicious JavaScript file arrives as a statement distributed via an email campaign. We recommend that users be cautious with attachments from unknown senders, and keep anti-malware software with anti-ransomware modules updated to combat ransomware attacks.