
Email:

A series of generic virus-spam emails apologizes for a delay with "your order" and implies that the attachment carries the details.

The attached .zip contains a .js file which, when opened, downloads the malware.

Subject: Delay with Your Order #69F79B64, Invoice #92094342  

 Dear Valued Customer,

It is very unpleasant to hear about the delay with your order #69F79B64, but
be sure that our department will do its best to resolve the problem. It
usually takes around 7 business days to deliver a package of this size
to your region.

The local post office should contact your as soon as they will receive
the parcel. Be sure that your purchase will be delivered in time and
we also guarantee that you will be satisfied with our services.

Thank you for your business with our company.

Elnora Walls
Sales Manager

order_copy_69F79B64.zip (3)

Header Examples:

1 March 2016

The campaign spoofs, or simply fills with random junk, both the From header and the envelope sender. In some cases the reverse DNS name or hostname of the sending machine is reused in the forged headers.

Subject lines and From display names are RFC 2047 encoded-words (UTF-8, base64), so they have to be decoded before any matching on the text.

Received: from 165-255-92-95.ip.adsl.co.za [165.255.92.95]
X-Envelope-From: WarnerMarylou35347@adsl.co.za
From: =?UTF-8?B?TWFyeWxvdSBXYXJuZXI=?= <WarnerMarylou35347@adsl.co.za>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICMyODA4NjVDNywgSW52b2ljZSAjNTQzMTUyMzY=?=
ascii subject : Delay with Your Order #280865C7, Invoice #54315236

Received: from [195.29.15.22]
X-Envelope-From: ShepardJerri573@supportprofessionals.eu
From: =?UTF-8?B?SmVycmkgU2hlcGFyZA==?= <ShepardJerri573@supportprofessionals.eu>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM2RkY5QzRCRCwgSW52b2ljZSAjMDMzMTUxMTM=?=
ascii subject : Delay with Your Order #6FF9C4BD, Invoice #03315113

Received: from ip17-219.cbn.net.id [202.158.17.219]
X-Envelope-From: DouglasHelena480@cbn.net.id
From: =?UTF-8?B?SGVsZW5hIERvdWdsYXM=?= <DouglasHelena480@cbn.net.id>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICNCOTA3M0ExMSwgSW52b2ljZSAjMzg5NTQzOTg=?=
ascii subject : Delay with Your Order #B9073A11, Invoice #38954398

Received: from PC2015081621HJC [117.5.83.54]
X-Envelope-From: DownsCathryn918@fosterandflux.com
From: =?UTF-8?B?Q2F0aHJ5biBEb3ducw==?= <DownsCathryn918@fosterandflux.com>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICNFNTAwQ0E4NiwgSW52b2ljZSAjMDYxNTg5NDU=?=
ascii subject : Delay with Your Order #E500CA86, Invoice #06158945
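The four header samples above, decoded and triaged in Python. This is an added example, not code from the original page: it decodes the RFC 2047 encoded-words in Subject and From, pulls the sender IP out of the Received line, extracts the order and invoice numbers, predicts the attachment name the campaign pairs with the order number (order_copy_<id>.zip), and checks the sender-construction pattern visible in every sample (display name "First Last", local-part "LastFirst<digits>", identical envelope sender). The header text embedded below is copied from the page; the regexes and the lure_match heuristic are this example's own assumptions.

```python
"""Decode and triage the 'Delay with Your Order' headers listed above."""
import base64
import email.utils
import quopri
import re

# The four header samples from the page (the 'ascii subject' lines are
# omitted because the code recomputes them).
SAMPLE_HEADERS = """\
Received: from 165-255-92-95.ip.adsl.co.za [165.255.92.95]
X-Envelope-From: WarnerMarylou35347@adsl.co.za
From: =?UTF-8?B?TWFyeWxvdSBXYXJuZXI=?= <WarnerMarylou35347@adsl.co.za>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICMyODA4NjVDNywgSW52b2ljZSAjNTQzMTUyMzY=?=

Received: from [195.29.15.22]
X-Envelope-From: ShepardJerri573@supportprofessionals.eu
From: =?UTF-8?B?SmVycmkgU2hlcGFyZA==?= <ShepardJerri573@supportprofessionals.eu>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICM2RkY5QzRCRCwgSW52b2ljZSAjMDMzMTUxMTM=?=

Received: from ip17-219.cbn.net.id [202.158.17.219]
X-Envelope-From: DouglasHelena480@cbn.net.id
From: =?UTF-8?B?SGVsZW5hIERvdWdsYXM=?= <DouglasHelena480@cbn.net.id>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICNCOTA3M0ExMSwgSW52b2ljZSAjMzg5NTQzOTg=?=

Received: from PC2015081621HJC [117.5.83.54]
X-Envelope-From: DownsCathryn918@fosterandflux.com
From: =?UTF-8?B?Q2F0aHJ5biBEb3ducw==?= <DownsCathryn918@fosterandflux.com>
Subject: =?UTF-8?B?RGVsYXkgd2l0aCBZb3VyIE9yZGVyICNFNTAwQ0E4NiwgSW52b2ljZSAjMDYxNTg5NDU=?=
"""

ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Subject shape seen in every sample: 8 hex chars for the order, 8 digits for the invoice.
SUBJECT_RE = re.compile(r"^Delay with Your Order #([0-9A-F]{8}), Invoice #(\d{8})$")
SENDER_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_encoded_words(value: str) -> str:
    """Decode RFC 2047 encoded-words (=?charset?B|Q?payload?=) inside a header value."""
    def repl(m):
        charset, enc, payload = m.groups()
        if enc.lower() == "b":
            raw = base64.b64decode(payload)
        else:  # Q encoding: '_' stands for space, =XX are hex escapes
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        return raw.decode(charset, errors="replace")
    return ENCODED_WORD.sub(repl, value)


def parse_headers(block: str) -> dict:
    """Split 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in block.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def triage(block: str) -> dict:
    """Decode one header block and return the fields an analyst would pivot on."""
    h = parse_headers(block)
    subject = decode_encoded_words(h.get("subject", ""))
    name, addr = email.utils.parseaddr(decode_encoded_words(h.get("from", "")))
    ip = SENDER_IP_RE.search(h.get("received", ""))
    m = SUBJECT_RE.match(subject)
    # Lure fingerprint (assumption drawn from the samples): display name "First Last",
    # local-part "LastFirst<digits>", and the same address as the envelope sender.
    words = name.split()
    localpart = addr.partition("@")[0]
    synthetic_sender = (
        len(words) == 2
        and re.sub(r"\d+$", "", localpart).lower() == (words[1] + words[0]).lower()
    )
    return {
        "sender_ip": ip.group(1) if ip else None,
        "envelope_from": h.get("x-envelope-from"),
        "from_name": name,
        "from_addr": addr,
        "subject": subject,
        "order_id": m.group(1) if m else None,
        "invoice_id": m.group(2) if m else None,
        # The attachment name the campaign pairs with this order id.
        "expected_zip": f"order_copy_{m.group(1)}.zip" if m else None,
        "lure_match": bool(m) and synthetic_sender and addr == h.get("x-envelope-from"),
    }


def triage_all(text: str) -> list:
    """Triage every blank-line-separated header block in text."""
    return [triage(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_HEADERS):
        print(r["sender_ip"], r["from_addr"], "->", r["subject"], "| lure:", r["lure_match"])
```

Matching on the decoded subject rather than the raw header matters here: the base64 payload changes with every order number, so a rule written against the encoded form would never fire twice.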


Malware

1 March 2016

Attachment : a zip file containing a JScript (.js) file that runs under Windows Script Host and downloads the malware

zip files like :

order_copy_26C910FA.zip
order_copy_280865C7.zip
order_copy_6FF9C4BD.zip
order_copy_B9073A11.zip
order_copy_BBCB901D.zip
order_copy_E500CA86.zip

javascript files like :

important_275293334428.js
important_275293428.js
important_313894645.js
important_354236352.js
important_510428416.js
important_843280245.js
readme_037208055.js
statistics_285052975.js
statistics_108217982.js
statistics_466026824.js
statistics_655400323.js
statistics_961002072.js
warning_183641889.js

VirusTotal report | malwr.com report | hybrid-analysis.com report

There are several versions of this .js file, which download the malware from places like :

http://maisespanhol.com.br/1/8y7h8bv6f
http://pacificgiftcards.com/3/67t54cetvy
http://accessinvestment.net/4/0vexw3s5
http://sitemar.ro/5/92buyv5

The downloaded files are Windows executables (PE files) even though they lack the .exe extension.
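The extension-agnostic check that a mail gateway or sandbox should apply to the fetched payload, as an added example that is not code from the page: it reads the DOS header, follows e_lfanew to the PE signature and reports the COFF Machine field, then labels the download against the file name taken from the URL. The PE bytes used for the self-test are a constructed minimal header, not a Locky sample; the URL is one of those listed above.

```python
"""Recognise a Windows PE payload by its headers, not by its file name."""
import posixpath
import struct
from urllib.parse import urlsplit

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit in the file.
    if e_lfanew + 24 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def pe_machine(data: bytes):
    """Return the COFF Machine value (e.g. 0x14c for x86), or None if not a PE."""
    if not is_pe(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def classify_download(url: str, data: bytes) -> str:
    """Label a fetched payload: PE with/without an executable extension, or not a PE."""
    name = posixpath.basename(urlsplit(url).path)
    if not is_pe(data):
        return "not-pe"
    arch = MACHINE_NAMES.get(pe_machine(data), "unknown-arch")
    if name.lower().endswith((".exe", ".dll", ".scr")):
        return f"pe-{arch}"
    return f"pe-{arch}-disguised-as:{name or '?'}"


def build_fake_pe_header(machine: int = 0x14C) -> bytes:
    """Constructed test input: a DOS header pointing at a PE/COFF header at 0x40.
    Not a real executable, just enough structure for the checks above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


if __name__ == "__main__":
    url = "http://maisespanhol.com.br/1/8y7h8bv6f"     # download URL listed above
    print(classify_download(url, build_fake_pe_header()))
    print(classify_download(url, b"var x = new ActiveXObject('MSXML2.XMLHTTP');"))
```

The check deliberately ignores the name: a downloader that saves a PE as 8y7h8bv6f and later runs it defeats any control keyed on ".exe", while the MZ/PE structure has to be present for Windows to load the file at all.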


Downloaded executable ("Locky" ransomware)

The downloaded executables have various file names such as 8y7h8bv6f, i.e. the last path component of the download URL.

VirusTotal report | malwr report | hybrid-analysis.com report | Sample also available at BlueLiv Sandbox.

C2 sites :

http://31.184.197.119/main.php
http://51.254.19.227/main.php
http://91.219.29.55/main.php
http://5.34.183.195/main.php
http://185.14.29.188/main.php

DGA C2 domains found in memory (none resolved at the time of analysis) :

http://kxsvgrpytxfar.tf/main.php
http://nuhiqgn.yt/main.php
http://qkcehlnkcuts.fr/main.php
http://slkyatnnaq.eu/main.php
http://tdhlnatbwyc.pm/main.php

Encrypted files are renamed to 32 hexadecimal characters with the .locky file extension.
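The C2 list and the rename pattern above turned into detection logic, as an added example (not the page's own code). It matches proxied requests against the five C2 URLs, raises a weaker "same shape" signal for a POST to /main.php on a bare IP, and flags file names that fit the 32-hex + .locky pattern. The Squid-style access-log lines and file names embedded below are constructed for the example; only the C2 URLs come from the page, and the client and non-C2 destinations use RFC 5737 documentation addresses.

```python
"""Match the Locky C2 and file-rename indicators above against log data."""
import re
from urllib.parse import urlsplit

# C2 URLs listed above.
C2_URLS = [
    "http://31.184.197.119/main.php",
    "http://51.254.19.227/main.php",
    "http://91.219.29.55/main.php",
    "http://5.34.183.195/main.php",
    "http://185.14.29.188/main.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Renamed-file pattern described above: 32 hex characters plus .locky.
LOCKY_NAME = re.compile(r"^[0-9a-fA-F]{32}\.locky$")

# Constructed Squid native access-log lines (not from the incident):
# time elapsed client code/status bytes method URL rfc931 peerstatus/peerhost type
SAMPLE_PROXY_LOG = """\
1456790401.100 210 10.0.0.15 TCP_MISS/200 4120 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1456790402.250 318 10.0.0.15 TCP_MISS/200 512 POST http://31.184.197.119/main.php - HIER_DIRECT/31.184.197.119 text/html
1456790403.400 305 10.0.0.15 TCP_MISS/200 498 POST http://185.14.29.188/main.php - HIER_DIRECT/185.14.29.188 text/html
1456790404.000 120 10.0.0.22 TCP_MISS/200 300 POST http://198.51.100.7/main.php - HIER_DIRECT/198.51.100.7 text/html
1456790405.000 120 10.0.0.22 TCP_MISS/404 300 GET http://example.org/main.php - HIER_DIRECT/203.0.113.11 text/html
"""


def classify_request(method: str, url: str):
    """Return a verdict string for one proxied request, or None if unremarkable."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_HOSTS and parts.path == "/main.php":
        return "known-locky-c2"
    # Weaker signal with the same campaign shape: a POST to /main.php on a bare IP.
    if method == "POST" and parts.path == "/main.php" and IPV4.match(host):
        return "suspicious-post-main.php-to-ip"
    return None


def c2_hits(log_text: str) -> list:
    """Scan Squid native access-log lines; return (client, host, verdict) tuples."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, method, url = fields[2], fields[5], fields[6]
        verdict = classify_request(method, url)
        if verdict:
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


def locky_renamed(filenames) -> list:
    """Return the names that match the 32-hex + .locky rename pattern."""
    return [f for f in filenames if LOCKY_NAME.match(f)]


if __name__ == "__main__":
    for hit in c2_hits(SAMPLE_PROXY_LOG):
        print(*hit)
    print(locky_renamed(["budget.xlsx", "A1B2C3D4E5F60718293A4B5C6D7E8F90.locky", "notes.txt"]))
```

The exact-IP match is the only high-confidence rule here; the bare-IP /main.php heuristic is there to catch the next batch of C2 addresses before they are published, and should be reviewed rather than blocked on automatically.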

Tor2Web ransom sites :

http://lpholfnvwbukqwye.tor2web.org
http://lpholfnvwbukqwye.onion.to
http://lpholfnvwbukqwye.onion.cab

Pure onion ransom site :

lpholfnvwbukqwye.onion

The ransom payment page as seen through a tor2web gateway :

(Screenshot: Locky ransom website)

At the time of this article, the ransom was 0.5 BTC. The Bitcoin wallet address for this incident was :

1FTaYtcYpP6joR6yCeXjPQYFcR4cUFSUcQ 


SHA-256 hashes for this incident :

c6796d2e04b2ccdd6dff34c2ab8d8db88fe680348ac3d03e86d3098f505d39e5
084cf35eb9fa360894deb94362ceeae4a7a969243318e267d7adb44f65b9193e
f52cb36de85c66dde26a1fce68aab487c9ef637e0dbf76f896f1f3fab544457a
1f6b35baaa7286d029d20d388d1bf2dc3c40a48f7c7b9f80e7e43fcd94b700b1
7850850434059adb8354629e2d1102a8fcc7be8b606edbb4bbb22a1060baec26
