2017-10-24 – Necurs Botnet malspam uses DDE attack to push Locky


ASSOCIATED FILES:

  • Zip archive of the pcap:    854 kB (853,971 bytes)
  • 2017-10-24-Necurs-botnet-DDE-doc-sends-Locky.pcap   (967,844 bytes)
  • Zip archive of the artifacts:    662 kB (662,231 bytes)
  • 2017-10-24-Locky-Decryptor-style.css   (7,206 bytes)
  • 2017-10-24-Locky-Decryptor.html   (12,790 bytes)
  • 2017-10-24-asasin.bmp   (5,228,854 bytes)
  • 2017-10-24-asasin.htm   (9,442 bytes)
  • Invoice_file_426550.doc   (18,759 bytes)
  • K23400jw.exe   (713,216 bytes)
  • heropad64.exe   (183,555 bytes)

BACKGROUND:

  • 2017-10-19 – SANS Internet Storm Center (ISC) –
  • 2017-10-24 – My Online Security –
  • 2017-10-24 – My Online Security –

NOTES:

  • Never got any copies of the emails, but I grabbed one of the Word documents first reported today by MyOnlineSecurity.co.uk.
  • Still seeing the same type of traffic that I reported in the SANS ISC diary last week.


Shown above:  First of the messages seen when opening a Word document with a DDE attack.


Shown above:  Same chain of events seen last week.

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

  • 75.98.175.70 port 80 – transmercasa.com – GET /JHGGsdsw6
  • 151.236.60.40 port 80 – tatianadecastelbajac.fr – GET /kjhgFG
  • 178.151.116.49 port 80 – gdiscoun.org – POST /
  • 62.50.190.101 port 80 – webhotell.enivest.no – POST /cuYT39.enc

OTHER URLS TO RETRIEVE THE 1ST-STAGE DOWNLOADER:

  • 85.214.28.187 port 80 – video.rb-webdev.de – GET /kjhgFG
  • 92.48.90.34 port 80 – themclarenfamily.com – GET /kjhgFG

FILE HASHES

WORD DOCUMENT USING DDE ATTACK:

  • SHA256 hash: 
    File size:  18,759 bytes
    File description:  Attachment from one of the Necurs botnet emails on 2017-10-24

MALWARE RETRIEVED FROM THE INFECTED HOST:

  • SHA256 hash: 
    File size:  183,555 bytes
    File location:  C:\Users\[username]\AppData\Local\Temp\heropad64.exe
    File location:  C:\Users\[username]\AppData\Local\Temp\{1730a00d-6230-8a91-c08c-c740a103185a}\mJRrVn2X.exe
    File description:  Initial malware (generates callback traffic & downloads Locky)
    Registry update:  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • SHA256 hash: 
    File size:  713,216 bytes
    File location:  C:\Users\[username]\AppData\Local\Temp\K23400jw.exe
    File description:  Locky ransomware (.asasin variant)
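Added example (not part of the original post): a checker for the host-side artifacts listed above. It parses the output of a `reg query` of the persistence key named in the post and flags any value whose executable lives under the user's `AppData\Local\Temp` directory, with the `{GUID}` subfolder treated as a wildcard because that name varies per host. The `reg query` text and the value names in it are constructed for this example.

```python
import re

# Persistence location named in the post. Values here run at logon like the
# ordinary Run key, but the Policies branch is easy to overlook during triage.
PERSISTENCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Shape of the dropped-file paths from the post: the user name and the optional
# {GUID} folder vary, so both are matched as wildcards.
TEMP_EXE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\"
    r"(\{[0-9a-f-]{36}\}\\)?[^\\]+\.exe$",
    re.IGNORECASE,
)

# One value line of `reg query` output: name, type, data separated by runs of spaces.
REG_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Constructed sample of `reg query` output; the value names are invented and the
# first data path follows the location reported in the post.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    UpdateHelper    REG_SZ    C:\Users\alice\AppData\Local\Temp\{1730a00d-6230-8a91-c08c-c740a103185a}\mJRrVn2X.exe
    OneDrive        REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""


def executable_from_command(data):
    """Pull the .exe path out of a Run value's data, dropping quotes and arguments."""
    m = re.match(r'"?(?P<exe>[^"]+?\.exe)', data, re.IGNORECASE)
    return m.group("exe") if m else None


def is_temp_executable(path):
    """True if the path matches the Temp-directory layout the dropped files used."""
    return bool(TEMP_EXE_RE.match(path))


def suspicious_run_values(reg_query_output):
    """Return (value name, exe path) pairs whose executable sits in AppData\\Local\\Temp."""
    flagged = []
    for line in reg_query_output.splitlines():
        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        exe = executable_from_command(m.group("data"))
        if exe and is_temp_executable(exe):
            flagged.append((m.group("name"), exe))
    return flagged


if __name__ == "__main__":
    print(f"Checking values under {PERSISTENCE_KEY}")
    for name, exe in suspicious_run_values(SAMPLE_REG_QUERY):
        print(f"  suspicious: {name} -> {exe}")
```

On a live host the same check applies to the text produced by `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"`; a legitimate application very rarely registers an autostart entry that points into the Temp directory, so a hit there is worth a look even without the rest of the chain.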

IMAGES


Shown above:  Artifacts noted in the user’s AppData\Local\Temp directory.


Shown above:  Windows registry update found on the infected host.

FINAL NOTES

Once again, here are the associated files:

  • Zip archive of the pcap:    854 kB (853,971 bytes)
  • Zip archive of the artifacts:    662 kB (662,231 bytes)

Zip and saz files are password-protected with the standard password.  If you don’t know it, look at the “about” page of this website.


http://www.malware-traffic-analysis.net/2017/10/24/index3.html
