Threat Research Lab | Locky Ransomware Spreading via True Telecom

7th September 2017 | By Editor

Comodo threat research labs

[07 September 2017] – [Locky Ransomware Spreading via True Telecom] – SUBJECT: [64809565 – True Telecom Invoice for August 2017]

Comodo Threat Research Labs (CTRL) identified a new malspam email carrying a compressed malware attachment. The attacker uses it to download Locky ransomware from a command and control (C&C) server and compromise the victim's machine; the email is sent to users with the subject “64809565 – True Telecom Invoice for August 2017”.

ASSOCIATED FILES:

ZIP archive of the malware: [07 September 2017] – [Locky Ransomware Spreading via True Telecom] – 338 KB (3,46,470 bytes)

  • 19200-1504542929-855360.eml 405 KB (4,15,215 bytes)
  • SCNMSG00002188.vbs 10.6 KB (10,871 bytes)
  • wireshark for new locky.pcapng 370 KB (3,79,624 bytes)

THE EMAIL:

Initially, victims received an email from True Telecom with an attached rar file that contains an executable VB script.

The email content says, “To be able to read your invoice file you will require the Adobe Acrobat PDF viewer”.

[Screenshot: email attachment]

EMAIL DATA:

  • From: billing@true-telecom.com
  • Subject: 64809565 – True Telecom Invoice for August 2017
  • Content-Type: multipart/mixed; boundary="=_NextPart_2rcPRHxWxvPdBJXpRxgABJc";
  • MIME-Version: 1.0
  • Date: Mon, 04 Sep 2017 23:35:25 +0700
  • Message-ID: <AFF-MAI-SVC02IZfSp34127639b@giresun.edu.tr>

THE ATTACHMENT:

The email attachment contains an executable VB script that communicates with the command and control server to download the actual ransomware file onto the victim's computer.
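As an added defender-side example (not part of Comodo's report), the following Python checks a message for the pattern described above: an archive attachment carrying a script, a body that asks for a PDF viewer while no PDF is attached, and attachment hashes matching the report's SHA256 values. The sample message is constructed to mirror the headers listed on this page; it uses a ZIP instead of the original 7z/rar and a harmless placeholder script, and the flag names are my own.

```python
import email
import hashlib
import io
import zipfile
from email.message import EmailMessage
# SHA256 values published in the report above, used as a simple blocklist.
KNOWN_BAD_SHA256 = {
    "6ecac39d4f522f00aab757b734d1e8f08f10538671788603fe58196bf2b99d59",
    "4cdc0e6cd4c8d020b1d90c49352c9f4e7b279248b6a851cad6dd6f600b55920f",
}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
LURE = "adobe acrobat pdf viewer"  # phrase quoted from the email body above
def inspect_message(raw: bytes) -> list[str]:
    """Return detection flags for one raw RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw)
    flags, text, has_pdf = [], "", False
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:          # multipart container, nothing to inspect
            continue
        if part.get_content_type() == "text/plain":
            text += payload.decode("utf-8", "replace").lower()
            continue
        name = (part.get_filename() or "").lower()
        has_pdf |= name.endswith(".pdf")
        if hashlib.sha256(payload).hexdigest() in KNOWN_BAD_SHA256:
            flags.append(f"known-bad-hash:{name}")
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(SCRIPT_EXTS):
                        flags.append(f"script-in-archive:{name}/{member}")
                    if hashlib.sha256(zf.read(member)).hexdigest() in KNOWN_BAD_SHA256:
                        flags.append(f"known-bad-hash:{name}/{member}")
    if LURE in text and not has_pdf:  # "you need a PDF viewer" but no PDF attached
        flags.append("pdf-viewer-lure-without-pdf")
    return flags
def build_sample() -> bytes:
    """Constructed message mirroring the report's headers; ZIP stands in for the 7z/rar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SCNMSG00002188.vbs", "' harmless placeholder, not the real script\r\n")
    msg = EmailMessage()
    msg["From"] = "billing@true-telecom.com"
    msg["Subject"] = "64809565 - True Telecom Invoice for August 2017"
    msg.set_content("To be able to read your invoice file you will require the Adobe Acrobat PDF viewer.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="2017-08-50050811-Bill.zip")
    return msg.as_bytes()
```

Running `inspect_message(build_sample())` yields a script-in-archive flag and the PDF-viewer lure flag but no hash match, since the placeholder content differs from the real sample.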


DROPPED FILE:


EXTRACTED FILE DETAILS FOR MALWARE:

C&C Server Link From Code

File Name: 2017-08-50050811-Bill.7z 3.45 KB (3,537 bytes)
MD5: 5D6A7B93309B599237DBED9471372F55
SHA1: E2F2A89239CC2D8056D9F64578B4D80FD6403EBE
SHA256: 6ECAC39D4F522F00AAB757B734D1E8F08F10538671788603FE58196BF2B99D59

File Name: zEmCtvp.exeA 603 KB (6,17,472 bytes)
MD5: 869DEBB0E6580AC74DD321FBEFB6A2ED
SHA1: 0CA83440024A645351818A6A2F13D7D323B555D0
SHA256: 4CDC0E6CD4C8D020B1D90C49352C9F4E7B279248B6A851CAD6DD6F600B55920F

TRAFFIC:

[Screenshot: network traffic capture]

ASSOCIATED URLS:

  • proyectogambia.com/JIKJHgft?#naturofind.org/p66/JIKJHgft#geolearner.com/JIKJHgft?
  • Source – 10.108.55.58 Destination – 87.186.65.247
  • 9 3.310429 10.108.55.58 87.106.65.247 HTTP 392 GET /JIKJHgft? HTTP/1.1
  • 493 72.449080 204.246.164.223 10.108.55.58 HTTP 378 HTTP/1.1 206 Partial Content (application/octet-stream)

FINAL NOTES:

[Image: final notes]