SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Another Day - Another Ransomware Sample

Published: 2016-08-26
Last Updated: 2016-08-26 19:30:45 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

Catching ransomware is pretty easy these days. I set up a procmail filter that extracts all e-mails with compressed JavaScript attachments. Whatever is left in that folder in the morning, after AV has decimated it, I will usually take a quick look at.

Today, I got a bunch of e-mails with the subject "office equipment":

Sure enough: I ran it in a virtual machine and ended up with the usual crypto ransomware screen:

This time, the malware doesn't even try to hide. One of the hostnames used by this run is "brothermalw.ws". In addition, the samples all use the exact same user agent string, which doesn't match the browser installed on the infected system (it was Windows 10, but the malware used an IE 7.0 user agent string):

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)

So it is now pretty easy to pull the URLs that the malware connects to out of the bro HTTP logs:

zcat http* | bro-cut method host uri user_agent | grep 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)' | awk '{print $1 , $2 , $3}' | sort -u

GET 210.240.104.2 /upp0nqa
GET brothermalw.ws /06qbbzy7     <---------- Yes... they are not even trying to hide the fact that this is malware ;-)
POST 51.254.55.171 /data/info.php
GET baer-afc2.homepage.t-online.de /4yhgvna
GET realm-of-rage.heimat.eu /ut1s5
GET rejoincomp2.in /1tdqo6
GET www.dsalchi.org /uk0lo
GET www.galleriacolonna.org /yhcx6y
POST 138.201.191.196 /data/info.php
POST 188.127.249.203 /data/info.php
POST 51.254.55.171 /data/info.php
POST nkyhrjiaeqcmtqth.pw /data/info.php

As so often, the "/data/info.php" URL may actually also do a pretty good job of detecting these infections. Snort already alerts on the requests to ".pw" hosts.

Indicators of compromise: The IPs and the host names appear to be too ephemeral to be useful as IoCs. I would suggest the "/data/info.php" URL. I don't see that used a lot in non-malicious requests.
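The bro-cut pipeline above and the "/data/info.php" indicator can be turned into a small script, shown here as an added example (not part of the diary). It parses a Bro http.log by its "#fields" header instead of relying on column positions, filters on an exact user-agent match (stricter than the grep above, where every "." in the pattern matched any character), and counts POSTs to "/data/info.php" independently of the user agent. The embedded log is a constructed, trimmed sample: the hosts and paths are the ones printed in the diary, while the timestamps, connection ids, client address 10.0.0.5 and the 198.51.100.7 / 203.0.113.9 server addresses are made up.

```python
"""Pull request URLs out of a Bro/Zeek http.log by user agent, and flag the
"/data/info.php" POST pattern, as a standalone alternative to the
zcat | bro-cut | grep | awk | sort -u pipeline."""

import gzip
from collections import Counter

# User agent string observed in the diary, and an ordinary browser UA for contrast.
MALWARE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Trident/7.0; "
              ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; "
              ".NET CLR 3.5.30729)")
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36")

# Constructed sample http.log: tab separated, with the usual "#" header lines.
# The column set is trimmed to what the script needs; the addresses 10.0.0.5,
# 198.51.100.7 and 203.0.113.9 and all timestamps/uids are made up.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent",
    "#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring\tstring",
    "1472234400.1\tC1\t10.0.0.5\t210.240.104.2\tGET\t210.240.104.2\t/upp0nqa\t" + MALWARE_UA,
    "1472234401.2\tC2\t10.0.0.5\t198.51.100.7\tGET\tbrothermalw.ws\t/06qbbzy7\t" + MALWARE_UA,
    "1472234402.3\tC3\t10.0.0.5\t51.254.55.171\tPOST\t51.254.55.171\t/data/info.php\t" + MALWARE_UA,
    "1472234403.4\tC4\t10.0.0.5\t51.254.55.171\tPOST\t51.254.55.171\t/data/info.php\t" + MALWARE_UA,
    "1472234404.5\tC5\t10.0.0.5\t203.0.113.9\tGET\twww.example.com\t/index.html\t" + BROWSER_UA,
    "#close\t2016-08-26-19-30-45",
])


def parse_http_log(text):
    """Yield one dict per record, keyed by the column names from the #fields line."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Only the #fields header matters; #separator/#types/#close are skipped.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data record seen before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def requests_by_user_agent(text, user_agent):
    """Unique (method, host, uri) triples for an exact user-agent match,
    sorted like `sort -u` would order the bro-cut output."""
    seen = {(r["method"], r["host"], r["uri"])
            for r in parse_http_log(text)
            if r.get("user_agent") == user_agent}
    return sorted(seen)


def info_php_posts(text):
    """Count POSTs to /data/info.php per host, regardless of user agent,
    since the diary suggests that URL as the more durable indicator."""
    counts = Counter(r["host"] for r in parse_http_log(text)
                     if r["method"] == "POST" and r["uri"] == "/data/info.php")
    return dict(counts)


def load_log(path):
    """Read a plain or gzip-compressed http.log (the zcat step of the pipeline)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for method, host, uri in requests_by_user_agent(SAMPLE_LOG, MALWARE_UA):
        print(method, host, uri)
    print(info_php_posts(SAMPLE_LOG))
```

Against a real capture, replace SAMPLE_LOG with load_log("http.log.gz"); because the filter keys on the exact user agent, a different Windows build in the string (e.g. "Windows NT 6.1") would need its own pattern, which is one reason the URL-based check is kept separate.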


---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
