echo: alt-comp-anti-virus
to: ALL
from: VIRUS GUY
date: 2016-05-07 07:31:00
subject: Anyone want a locky execu

I got a spam on Thursday around 5 pm (I won't post the IP address the
direct-to-mx spam came from, but it's from a large mid-western US
university):

----------------
Return-Path: 
Received:    from DELL-PC ([xxx.yyy.232.155])
Subject:     Ticket
From:        Jame suckling 

Attachment:  TICKET-T(bunch of numbers).zip

Unzipped:  VA-bunch-of-numbers.js
-------------------

I still say that Macro$haft should pull .zip file-handling /
decompression capability from Win-8/win-10, because (a) nobody
compresses files anymore (does windoze even have the native capability
to perform .zip compression?) and (b) it's bloody obvious that sending
these .js scripts (and many other forms of malware) as zip-compressed
email attachments is critical to the exploit chain of operation.

This script file:

 - Performs some HTTP requests (buntrocks.com/09y8hb7v6y7g)
 - Attempted to delay the analysis task by a long amount of time
   (WScript.exe tried to sleep 1566864 seconds, actually delayed
    analysis time by 0 seconds)
 - Tries to unhook Windows functions monitored by Cuckoo
 - Installs itself for autorun at Windows startup

"buntrocks.com" is (currently) resolving to 64.22.106.154

rDNS for 64.22.106.154 is boson.dnsprotect.com.

64.22.106.154 is assigned to:

NetRange:       64.22.64.0 - 64.22.127.255
CIDR:           64.22.64.0/18
NetName:        GNAXNET
Organization:   Global Net Access, LLC (GNAL-2)
Address:        1100 White St SW
City:           Atlanta
OrgTechName:    GNAX ENGINEERING
OrgTechPhone:   +1-404-230-9150 
OrgTechEmail:   engineering@gnax.net

The file 09y8hb7v6y7g was apparently analyzed at 7:32 pm Thursday night.

It's ID'd as Locky, i.e. ransomware.

By the way, buntrocks.com still resolves to 64.22.106.154, and more than
48 hours later is still serving up the Locky payload:

buntrocks.com/09y8hb7v6y7g
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
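The post's point about zipped .js attachments being the delivery step is easy to turn into a mail-gateway check. The following is an added example, not code from the original post or from any product; it inspects a zip attachment in memory (recursing into nested zips to a fixed depth) and reports members whose name ends in a Windows Script Host extension. The sample zip it builds, the member names (VA-000000.js, report.txt) and the extension list beyond .js are constructed assumptions.

```python
import io
import zipfile

# Extensions Windows Script Host or mshta runs on double-click. The page's
# sample was a .js; the other entries are assumed, adjust to local policy.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")
MAX_DEPTH = 3                   # stop recursing into zip-in-zip past this
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # refuse to inflate huge members (zip bombs)


def flag_script_members(zip_bytes, depth=0, prefix=""):
    """Return [(member_path, matched_extension)] for script-like members.

    Nested zips are opened recursively; a member that cannot be parsed as a
    zip, or that exceeds the size cap, is skipped rather than trusted.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            lower = info.filename.lower()
            # endswith() also catches double extensions like "invoice.pdf.js"
            for ext in SCRIPT_EXTENSIONS:
                if lower.endswith(ext):
                    findings.append((path, ext))
                    break
            else:
                if lower.endswith(".zip") and depth < MAX_DEPTH \
                        and info.file_size <= MAX_MEMBER_BYTES:
                    findings.extend(flag_script_members(
                        zf.read(info), depth + 1, path + "/"))
    return findings


def verdict(zip_bytes):
    """Gateway decision: quarantine if any script member is found."""
    return "quarantine" if flag_script_members(zip_bytes) else "allow"


def _zip_of(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip():
    # Constructed stand-in for the post's TICKET-T<numbers>.zip attachment.
    return _zip_of({"VA-000000.js": b"// placeholder, not the real script\n",
                    "report.txt": b"benign text\n"})


def build_nested_sample_zip():
    # Constructed: the sample zip wrapped in another zip.
    return _zip_of({"TICKET-T000000.zip": build_sample_zip()})


def build_benign_zip():
    return _zip_of({"report.txt": b"benign text\n"})


if __name__ == "__main__":
    for label, data in [("flat", build_sample_zip()),
                        ("nested", build_nested_sample_zip()),
                        ("benign", build_benign_zip())]:
        print(label, verdict(data), flag_script_members(data))
```

The size cap and depth limit matter: a gateway that inflates every member without bounds is itself a denial-of-service target, and a check that stops at the first zip layer is trivially bypassed by zipping the zip.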

SOURCE: echomail via QWK@docsplace.org
