MalSpam 2017-07-29 delivers ransomware

Sender: vm@[Recipient Domain]
Subject: Voice Message Attached from 01222852158 – name unavailable

I have added a zipped pcap file for your analysis. The password for the zipped pcap is "infected" (all lowercase).

PCAP file of the infection traffic:
2017-07-29-Ransomware-pcap.zip


Shown above: Email with zip file containing .vbs (Visual Basic Script) file


ASSOCIATED DOMAINS AND IP ADDRESSES:

  • 104.236.97.71 – 1888titlework.com GET /rf734rgf? – RANSOMWARE DOWNLOAD
  • 198.23.241.227 – serv1.xyz GET /counter.php?nu=105&fb=725 – RANSOMWARE C2
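As an added example (this is not code from the original post), the matcher below runs the two network indicators listed above against web-proxy style request logs and reports which clients touched the payload download and the C2 check-in. The log format and the sample lines are constructed for the example; the domains, IP addresses and request paths are exactly those listed in the post.

```python
"""Match HTTP request logs against the network indicators from this malspam run."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the post: domain -> (IP address, request path, role).
INDICATORS = {
    "1888titlework.com": ("104.236.97.71", "/rf734rgf", "RANSOMWARE DOWNLOAD"),
    "serv1.xyz": ("198.23.241.227", "/counter.php", "RANSOMWARE C2"),
}
# Reverse map so that a request made straight to the IP is attributed to the same indicator.
IOC_IPS = {ip: host for host, (ip, _path, _role) in INDICATORS.items()}

# Constructed proxy-style log lines (NOT taken from the pcap):
# "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2017-07-29T14:02:11Z 10.0.0.15 GET http://1888titlework.com/rf734rgf? 200
2017-07-29T14:02:40Z 10.0.0.15 GET http://serv1.xyz/counter.php?nu=105&fb=725 200
2017-07-29T14:03:02Z 10.0.0.22 GET http://example.org/index.html 200
2017-07-29T14:03:30Z 10.0.0.15 POST http://198.23.241.227/counter.php?nu=105&fb=725 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_request(url):
    """Return (role, host, query) when the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = IOC_IPS.get(parts.hostname or "", parts.hostname or "")
    entry = INDICATORS.get(host)
    if entry is None or not parts.path.startswith(entry[1]):
        return None
    # Keep the C2 query string: the post shows nu=105&fb=725, and 725 is also the
    # extension appended to the encrypted files later in the write-up.
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry[2], host, query


def scan_log(text):
    """Parse each log line and collect the requests that hit an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than fail the whole scan
        verdict = classify_request(m["url"])
        if verdict:
            role, host, query = verdict
            hits.append({"src": m["src"], "host": host, "role": role, "query": query})
    return hits


def infected_hosts(hits):
    """Clients seen both downloading the payload and checking in to the C2."""
    roles_by_src = {}
    for h in hits:
        roles_by_src.setdefault(h["src"], set()).add(h["role"])
    return sorted(src for src, roles in roles_by_src.items() if len(roles) == 2)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["src"]} -> {h["host"]} [{h["role"]}] {h["query"]}')
    print("likely infected:", infected_hosts(SAMPLE_LOG and found))
```

A client that only fetched `/rf734rgf?` may have been blocked before execution, so the function that requires both the download and the C2 check-in from the same source is the one worth alerting on; the single-indicator hits are still useful for scoping which hosts received the attachment.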


IMAGES AND DETAILS OF INFECTION CHAIN:

Shown above: Network traffic associated with ransomware


Shown above: Batch file used to wipe the volume shadow copies


Shown above: Files encrypted with .725 extension


Shown above: Ransom note dropped on desktop of infected host


MALICIOUS PAYLOAD ASSOCIATED WITH MALSPAM: