Today’s Malicious JavaScripts Send Locky Ransomware


Source: 00000708542774.js – Script One
Source: 00001406370439.js – Script Two

Threat: Locky Ransomware
Ransom: 4.1 Bitcoin

ASSOCIATED DOMAINS – Script One:

  • 109.237.134.10 – conpaso.de – GET /y78fj34f3 – Locky DOWNLOAD
  • 185.82.202.170 – POST /userinfo.php – C2 (Command and Control) Check-in

ASSOCIATED DOMAINS – Script Two:

  • 217.160.223.69 – www.braddock.de – GET /y78fj34f3 – Locky DOWNLOAD
  • 185.82.202.170 – POST /userinfo.php – C2 (Command and Control) Check-in


IMAGES and DETAILS:

Shown above: Script one – Locky ransomware download of an executable file (“MZ” header)


Shown above: Script one – Locky ransomware download with no “Content-Type” header


Shown above: Script two – Locky ransomware download of an executable file (“MZ” header) with Content-Type “application/x-dosexec”. In script one the Content-Type header was absent.


Shown above: Locky ransomware post-infection traffic – C2 check-in – using the signature URI pattern “userinfo.php”
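The two traffic traits described above (an “MZ” executable body served with no Content-Type header or as application/x-dosexec, and a POST to the “userinfo.php” check-in URI) can be turned into a simple triage pass over HTTP transaction records. This is an added example, not code from the original post; the HttpTxn record layout, field names and the constructed sample transactions are assumptions, and the third tag (MZ body under an unrelated Content-Type) generalizes beyond the two captures shown.

```python
from dataclasses import dataclass, field

@dataclass
class HttpTxn:  # assumed record layout; not the post's own data model
    method: str
    host: str
    uri: str
    status: int
    resp_headers: dict = field(default_factory=dict)
    body_prefix: bytes = b""   # first bytes of the response body

LOCKY_CHECKIN_URI = "/userinfo.php"   # C2 check-in URI seen in both scripts
EXE_MAGIC = b"MZ"                     # DOS/PE executable header

def header(txn, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for k, v in txn.resp_headers.items():
        if k.lower() == name.lower():
            return v
    return None

def classify(txn):
    """Return tags explaining why a transaction looks like Locky activity."""
    tags = []
    if txn.method == "POST" and txn.uri == LOCKY_CHECKIN_URI:
        tags.append("locky-c2-checkin")
    if txn.status == 200 and txn.body_prefix.startswith(EXE_MAGIC):
        ctype = header(txn, "Content-Type")
        if ctype is None:
            tags.append("exe-download-no-content-type")   # script one
        elif "x-dosexec" in ctype.lower():
            tags.append("exe-download-dosexec")           # script two
        else:
            tags.append("exe-download-mismatched-type")   # MZ body, other type
    return tags

# Constructed sample transactions modelled on the captures described above.
SAMPLE = [
    HttpTxn("GET", "conpaso.de", "/y78fj34f3", 200, {}, b"MZ\x90\x00"),
    HttpTxn("GET", "www.braddock.de", "/y78fj34f3", 200,
            {"Content-Type": "application/x-dosexec"}, b"MZ\x90\x00"),
    HttpTxn("POST", "185.82.202.170", "/userinfo.php", 200,
            {"Content-Type": "text/html"}, b""),
    HttpTxn("GET", "example.net", "/index.html", 200,
            {"Content-Type": "text/html"}, b"<html>"),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t.host, t.uri, classify(t) or "benign")
```

Feeding real proxy or IDS records into classify() only requires mapping their fields onto HttpTxn; the body prefix check is what keeps a missing or misleading Content-Type from hiding the executable.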


Shown above: Locky ransom note and decryption instructions


MALICIOUS PAYLOAD:

2016-05-10-y78fj34f3 – Locky RANSOMWARE
VirusTotal Link