I got a spam on Thursday around 5 pm (I won't post the IP address the
direct-to-mx spam came from, but it's from a large mid-western US
university):
----------------
Return-Path:
Received: from DELL-PC ([xxx.yyy.232.155])
Subject: Ticket
From: Jame suckling
Attachment: TICKET-T(bunch of numbers).zip
Unzipped: VA-bunch-of-numbers.js
-------------------
I still say that Macro$haft should pull .zip file-handling /
decompression capability from Win-8/win-10, because (a) nobody
compresses files anymore (does windoze even have the native capability
to perform .zip compression?) and (b) it's bloody obvious that sending
these .js scripts (and many other forms of malware) as zip-compressed
email attachments is critical to the exploit chain of operation.
This script file:
- Performs some HTTP requests (buntrocks.com/09y8hb7v6y7g)
- attempted to delay the analysis task by a long amount of time.
(WScript.exe tried to sleep 1566864 seconds, actually delayed
analysis time by 0 seconds)
- Tries to unhook Windows functions monitored by Cuckoo
- Installs itself for autorun at Windows startup
"buntrocks.com" is (currently) resolving to 64.22.106.154
rDNS for 64.22.106.154 is boson.dnsprotect.com.
64.22.106.154 is assigned to:
NetRange: 64.22.64.0 - 64.22.127.255
CIDR: 64.22.64.0/18
NetName: GNAXNET
Organization: Global Net Access, LLC (GNAL-2)
Address: 1100 White St SW
City: Atlanta
OrgTechName: GNAX ENGINEERING
OrgTechPhone: +1-404-230-9150
OrgTechEmail: engineering@gnax.net
The file 09y8hb7v6y7g was apparently analyzed at 7:32 pm Thursday night.
It IDs as Locky, i.e. ransomware.
By the way, buntrocks.com still resolves to 64.22.106.154, and more than
48 hours later it is still serving up the Locky payload:
buntrocks.com/09y8hb7v6y7g
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
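The post's point about zip-wrapped .js attachments is something a mail gateway can check for directly. The following is an added example, not code from the post or from Cuckoo: it parses a message, finds attachments that are really ZIP archives (by magic bytes, not by the claimed filename), and reports any archive members with a Windows-executable script extension. The extension list, the sender/recipient addresses and the attachment and member names are constructed assumptions; the sample message is built inline to mirror the shape described above (a TICKET-*.zip containing a VA-*.js).

```python
"""Flag e-mail attachments that are ZIP archives carrying Windows script files.

Added example (not from the post). Models the gateway check the post argues
for: a .zip attachment that unpacks to a .js/.vbs/.wsf/... is reported.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host / the shell execute directly.
# Assumption: a reasonable starting list; extend to local policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1",
}

ZIP_MAGIC = b"PK\x03\x04"


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members whose extension is a script type."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    return [
        n for n in names
        if any(n.lower().endswith(ext) for ext in SCRIPT_EXTENSIONS)
    ]


def scan_message(raw: bytes) -> list[dict]:
    """Parse an RFC 5322 message and report ZIP attachments containing scripts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Trust the content, not the filename or declared MIME type.
        if not payload.startswith(ZIP_MAGIC):
            continue
        try:
            hits = script_members(payload)
        except zipfile.BadZipFile:
            # Looks like a zip but will not parse: still worth a human look.
            findings.append({"attachment": name, "reason": "unreadable zip"})
            continue
        if hits:
            findings.append(
                {"attachment": name, "reason": "script in zip", "members": hits}
            )
    return findings


def build_sample_message(zip_member: str) -> bytes:
    """Construct a message shaped like the one in the post (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder body, constructed for the example; not the real payload.
        zf.writestr(zip_member, "// placeholder script body\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed
    msg["To"] = "recipient@example.invalid"     # constructed
    msg["Subject"] = "Ticket"
    msg.set_content("See attached ticket.")
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="zip",
        filename="TICKET-0000000000.zip",       # constructed name
    )
    return bytes(msg)


if __name__ == "__main__":
    for finding in scan_message(build_sample_message("VA-0000000000.js")):
        print(finding)
```

Run it as-is to see the constructed TICKET-*.zip flagged for its .js member; feeding the same builder a non-script member name (say a .pdf) produces no finding, which is the distinction a gateway rule would key on.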