本帖最后由 龙云宗主^__^ 于 2016-11-30 11:56 编辑
概述 自2月以来,360威胁情报中心监测到一大波勒索软件潮,国内单位组织陆续开始受到的冲击,公司对外的邮箱收到大量如下携带恶意附件的邮件。
邮件内容大致如下:
员工如不小心打开恶意附件,恶意软件会对外连接服务器下载组件,加密系统上的重要文件,要求用户付费解密。 样本行为分析 邮件附件为只有两个JS脚本的压缩包:
JS经过混淆,通过分析得知,受害者双击执行JS后创建MSXML2.XMLHTTP对象下载http://vaseline-amar-ujala.in/euwiyr4hdc可执行文件,并通过WScript.Shell对象的运行方法启动Locky主进程:
下载的EXE经过大量的混淆处理:
进程启动后将机器ID写入HKEY_CURRENT_USER \ SOFTWARE \ Locky \ ID,并将用到的加密公钥写入HKEY_CURRENT_USER \ SOFTWARE \ Locky \ PUBKEY:
随后木马开始遍历目录寻找的.xls,.PPT,.DOC,.wb2,.JPG,.WAV等文件格式,使用RSA加密为编号+哈希.locky文件,并在存在文档得目录下写入恢复指导文档:
完成加密后将HKEY_CURRENT_USER \ SOFTWARE \ Locky \完成设置为1,并通过加密的数据告知服务器:
如下是部分通信地址列表: http://78.40.108.39/main.php http://51.255.107.8/main.php http://51.255.107.10/main.php http://51.254.181.122/main.php http://195.64.154.114/main.php http://188.127.231.116/main.php http://149.202.109.205/main.php 最后将桌面设置为恢复指导图,并弹出恢复指导文档,等待受害者交付赎金:
感染情况与建议 根据360威胁情报中心的数据,自3月以来确认中招的用户超过万人,淘宝上甚至已经出现协助代付款解密的服务。在此建议用户不要随意点击来源不明的邮件,目前360安全卫士已对此勒索软件做持续的查杀。
国际奥林匹克委员会 攻击者用于存放恶意代码的下载服务器大都是被攻陷的合法站点,以下是部分列表,请在边界设备上予以阻断。 hxxp://1.casino-engine.ru/engine/core/76tr5rguinml.exe hxxp://1.casino-engine.ru/modules/images/87yhb54cdfy.exe hxxp://111.208.4.230:82 / 1Q2W3E4R5T6Y7U8I9O0P1Z2X3C4V5B / saigonnew.com.vn /系统/日志/ 76tr5rguinml.exe hxxp://120.52.72.52/biosoftbelgium.com/c3pr90ntcsf0/system/logs/76tr5rguinml.exe hxxp://120.52.72.57/thuanhshop.com/c3pr90ntcsf0/system/logs/4trf3g45.exe hxxp://178.33.176.229/ber.exe hxxp://2.casino-engine.ru/img/multigaminator/4trf3g45.exe hxxp://50.28.211.199/hdd0/89o8i76u5y4 hxxp://51457642.de.strato-hosting.eu/980k7j6h5 hxxp://academiasuperior.net/wp-includes/rest-api/5h45hg4b hxxp://accessinvestment.net/4/0vexw3s5 hxxp://aexpress.co/system/logs/086tg7 hxxp://aimsande.com/87yg756f5.exe hxxp://aksci.net/system/logs/98yhb764d.exe hxxp://alexkote.ru/wp-content/plugins/87tg7v645c.exe hxxp://alumaxgroup.in/87yg756f5.exe hxxp://anro.kiev.ua/vqmod/vqcache/4trf3g45.exe hxxp://aqarhits.com/system/logs/87tg7v645c.exe hxxp://ari-ev.com/system/logs/765uy453gt5 hxxp://aroham.com/87yg756f5.exe hxxp://art-studia-sharm.com.ua/libraries/simplepie/765g473bf34 hxxp://art-wiz.ru/wp-includes/SimplePie/7ygvtyvb7niim.exe hxxp://astralia.ro/08o76g445g hxxp://azshop24.com.vn/system/logs/87tg7v645c.exe hxxp://baiya.org/image/templates/7ygvtyvb7niim.exe hxxp://behrozan.ir/system/logs/7t6f65g.exe hxxp://beltshoesnmore.com/system/logs/87yhb54cdfy.exe hxxp://besttec-cg.com/89ok8jhg hxxp://bindulin.by/system/logs/7ygvtyvb7niim.exe hxxp://biomir.ajanslive.com/system/logs/78tgh76.exe hxxp://biosoftbelgium.com/system/logs/76tr5rguinml.exe hxxp://browardcountystore.com/system/cache/223 hxxp://buyfuntees.com/system/logs/7t6f65g.exe hxxp://c001456.aaa.ididp.com/system/logs/87yg756f5.exe hxxp://casewerkz.demowebsite.net/system/logs/87yhb54cdfy.exe hxxp://cazasports.com/system/logs/uy78hn654e.exe hxxp://ccac3323.com.sapo.pt/0y7bf3r hxxp://cherryuk.co.uk/system/logs/uy78hn654e.exe hxxp://chinhuanoithat.com/system/logs/uy78hn654e.exe hxxp://clubxtoys.com/system/logs/lkj87h.exe hxxp://cocowashi.com/system/logs/76tr5rguinml.exe hxxp://creditwallet.net/87yg756f5.exe hxxp://croqqer.org/wp-content/uploads/5h45hg4b hxxp://cuagonhaviet.com.vn/system/logs/lkj87h.exe hxxp://cyberbuh.pp.ua/97kh65gh5 hxxp://demo.essarinfotech.net/87yg756f5.exe hxxp://demo.rublemag.ru/system/logs/87yhb54cdfy.exe hxxp://demo2.master-pro.biz/modules/payments/76tr5rguinml.exe hxxp://demo2.master-pro.biz/plugins/markitup/4trf3g45.exe hxxp://dgcustomgraphics.com/system/logs/98yhb764d.exe hxxp://dolcevita-ykt.ru/system/logs/uy78hn654e.exe hxxp://dommediciny.ru/system/logs/76h5gf43wg54 hxxp://donutes.33499.info/system/logs/87yhb54cdfy.exe hxxp://dropshipaanbod.nl/system/logs/uy78hn654e.exe hxxp://dsignshop.com.au/system/logs/87tg7v645c.exe hxxp://effone.com/js/playstation4.exe hxxp://eiadmeodeda.securalive.ca/8fjvimkel1/c987ah8j9ei1.php hxxp://e-journal.respati.ac.id/8y74hfb hxxp://electime.com/wp-content/themes/765g473bf34 hxxp://elogistic.ir/wp-admin/network/87hg8n54 hxxp://emotos.ru/admin/model/87yhb54cdfy.exe hxxp://escortbayan.xelionphonesystem.com/wp-content/plugins/hello123/89h8btyfde445.exe hxxp://estudiomatera.com.ar/763fdvf hxxp://fashion-girl.od.ua/catalog/controller/87hg8n54 hxxp://fb7707vd.bget.ru/admin/language/4trf3g45.exe hxxp://fibrefamily.ru/system/logs/87tg7v645c.exe hxxp://fkaouane.free.fr/67uh54gb4 hxxp://flaxxup.com/87yg756f5.exe hxxp://for-sale.pk/system/logs/87yhb54cdfy.exe hxxp://fortyseven.com.ar/system/logs/7t6f65g.exe hxxp://g200.qdesign.vn/system/logs/87yhb54cdfy.exe hxxp://galit-law.co.il/32tguynjk hxxp://gargsons.com/87yg756f5.exe hxxp://giveitallhereqq.com/69.exe hxxp://giveitallhereqq.com/80.exe hxxp://giveitalltheresqq.com/69.exe hxxp://giveitalltheresqq.com/80.exe hxxp://gladilki.bohush.ru/system/library/a.exe hxxp://glslindia.com/87yg756f5.exe hxxp://gwentpressurewashers.com/system/logs/7ygvtyvb7niim.exe hxxp://heenaz.in/system/logs/98yhb764d.exe hxxp://hellomississmithqq.com/69.exe hxxp://hellomississmithqq.com/80.exe hxxp://het-havenhuis.nl/099oj6hg hxxp://hipnotixx.com/27h8n hxxp://hitronic.org/system/logs/76tr5rguinml.exe hxxp://hkhc-shop.lms.hk/system/logs/87yg7g hxxp://howisittomorrowff.com/69.exe hxxp://hppl.net/87yg756f5.exe hxxp://ihsanind.com/system/logs/87jhg44g5 hxxp://imgointoeatnowcc.com/69.exe hxxp://imgointoeatnowcc.com/80.exe hxxp://imgointoeatnowcc.com/80.exe hxxp://imperiovintage.com.br/system/logs/76tr5rguinml.exe hxxp://indianexporthouse.eu/system/logs/uy78hn654e.exe hxxp://iperfume.co.il/system/logs/4trf3g45.exe hxxp://ipovareshka.ru/system/logs/76tr5rguinml.exe hxxp://italco.com.ua/system/logs/98yhb764d.exe hxxp://iwear.md/system/logs/7t6f65g.exe hxxp://izzy-cars.nl/9uj8n76b5.exe HXP://jewellery.jagodesh.com/system/logs/iu8y7g6b hxxp://jldoptics.com/system/logs/87tg7v645c.exe hxxp://joecockerhereqq.com/69.exe hxxp://joecockerhereqq.com/80.exe hxxp://jorgecodas.com/76t2gr345 hxxp://kiddyshop.kiev.ua/image/data/87tg7v645c.exe hxxp://kidtuning.ro/7r5fyf6 hxxp://kievelectric.kiev.ua/art/media/87tg7v645c.exe hxxp://klariss.cz/87yg756f5.exe hxxp://kokoko.himegimi.jp/54g4 hxxp://komplektik.com/system/logs/76tr5rguinml.exe hxxp://lahmar.choukri.perso.neuf.fr/78hg4wg hxxp://lampusorotmurah.com/system/logs/78tgh76.exe hxxp://lapdatcamerachatluongcao.com/system/logs/uy78hn654e.exe hxxp://leaderjewelleryco.com/admin/controller/87yhb54cdfy.exe hxxp://lhs-mhs.org/9uj8n76b5.exe hxxp://lightsroom.ru/system/logs/87tg7v645c.exe hxxp://liquor1.slvtechnologies.com/system/logs/7ygvtyvb7niim.exe hxxp://livewireradio.net/wp-admin/js/765g473bf34 hxxp://magic-beauty.com.ua/system/logs/98yhb764d.exe hxxp://mail-dedmoroz.com.ua/adminka/templ/7ygvtyvb7niim.exe hxxp://mansolution.in.th/system/logs/7ygvtyvb7niim.exe hxxp://massage-himmel.de/978yhen2 hxxp://maxbeauty.dp.ua/administrator/manifests/765g473bf34 hxxp://maybridalsash.com/system/cache/111 hxxp://mercadohiper.com.br/system/logs/uy78hn654e.exe hxxp://ministerepuissancejesus.com/o097jhg4g5 hxxp://mobile-house.be/system/logs/98yhb764d.exe hxxp://myonlinedeals.pk/system/logs/43d5f67n8 hxxp://myphampro.com/system/logs/87yhb54cdfy.exe hxxp://nagrobkipelplin.conceptreklamy.pl/modules/mod_wrapper/4trf3g45.exe hxxp://ncrweb.in/system/logs/7t6f65g.exe hxxp://newleaf.org.in/87yg756f5.exe hxxp://nguoitieudungthongthai.com/system/logs/987i6u5y4t hxxp://nhinh.com/system/logs/uy78hn654e.exe hxxp://nobilitas.cz/0954t4h45 hxxp://nro.gov.sd/23r35y44y5 hxxp://nypizza.ru/system/logs/7ygvtyvb7niim.exe hxxp://ohammam.fr/system/logs/23f3rf33.exe hxxp://ohbelleza.linkium.mx/system/logs/87yhb54cdfy.exe hxxp://ohellograndpaqq.com/69.exe hxxp://ohellograndpaqq.com/80.exe hxxp://ohelloguyff.com/70.exe hxxp://ohelloguyqq.com/70.exe hxxp://ohelloguyzzqq.com/85.exe hxxp://onsancompany.com/system/logs/uy78hn654e.exe hxxp://ozono.org.es/k7j6h5gf hxxp://pacificgiftcards.com/3/67t54cetvy hxxp://parturiencies3f9.besaba.com/76t2gr345 hxxp://perfumy_alice.republika.pl/08h867g5 hxxp://peterdickem.com/87745g hxxp://phatfx.net/98h8n23r23 hxxp://phongsachviettech.com/system/logs/98yg7b hxxp://planetarchery.com.au/system/logs/q32r45g54 hxxp://printisimo.ru/image/cache/7ygvtyvb7niim.exe hxxp://ptunited.net/system/logs/87tg7v645c.exe hxxp://pugmahons.com/~pugmahons/56er5f6g7b hxxp://realvacantcolony.tradersnetwork.co/97adguwod/08h13rfi982y.php hxxp://regentsanctionbisexual.isupplementscanada.com/97adguwod/08h13rfi982y.php hxxp://rem.az/system/logs/lkj87h.exe hxxp://risetravel.net/wp-includes/theme-compat/765g473bf34 hxxp://rmdszms.ro/2/87yv5cds hxxp://saabvolvo.com.ua/system/logs/7ygvtyvb7niim.exe hxxp://saachi.co/system/logs/43ghy8n hxxp://sabriduman.com/wp-content/plugins/hello123/89h8btyfde445.exe hxxp://saigonnew.com.vn/system/logs/76tr5rguinml.exe hxxp://sales-teleselling.eu.org/wp-includes/fonts/5h45hg4b hxxp://scorpyofilms.com/67j5h5h4 hxxp://scs-smesi.ru/published/PD/87tg7v645c.exe hxxp://shapes.com.pk/system/logs/87tg7v645c.exe hxxp://shoescorner.gr/system/logs/76tr5rguinml.exe hxxp://shofukai.web.fc2.com/23rt54y56 hxxp://shop.celiodent.com/system/cache/111 hxxp://shopphpmvc.e-groups.vn/system/logs/lkj87h.exe hxxp://shopthoitrangphukien.com/system/logs/7ygvtyvb7niim.exe hxxp://sigmahardware.com.my/system/logs/7ygvtyvb7niim.exe hxxp://silvermarket.gr/system/logs/78tgh76.exe hxxp://sitemar.ro/5/92buyv5 hxxp://sm1.by/vqmod/xml/76tr5rguinml.exe hxxp://smeja.de/i876jh556h hxxp://smokediscount.de/786u5h hxxp://snosto.com/wp-admin/includes/i75rg456 hxxp://softcrk.com/system/logs/4trf3g45.exe hxxp://softworksbd.com/73tgbf334 hxxp://solucionesdubai.com.ve/system/logs/uy78hn654e.exe hxxp://sribinayakelectricals.com/system/logs/78tgh76.exe hxxp://srv35613.ht-test.ru/storage/plugins/76tr5rguinml.exe hxxp://stalu.sk/43dfg7hy hxxp://stepsaweb.com/system/logs/uy78hn654e.exe hxxp://stopmeagency.free.fr/9uj8n76b5.exe hxxp://storageinbath.co.uk/78jh5h hxxp://store.suhaskhamkar.in/system/logs/78tgh76.exe hxxp://sub4.gustoitalia.ru/system/logs/87tg7v645c.exe hxxp://superiorelectricmotors.com/wp-content/plugins/hello123/89h8btyfde445.exe hxxp://supply-division.dk/system/logs/76tr5rguinml.exe hxxp://surfcash.7u.cz/0o9k7jh55 hxxp://surgitek.co.uk/system/logs/98yt hxxp://surprise.co.in/system/logs/87tg7v645c.exe hxxp://svetluchok.com.ua/admin/images/7ygvtyvb7niim.exe hxxp://szkoleniasluzb.pl/67j5hg hxxp://tcpos.com.vn/system/logs/56y4g45gh45h hxxp://tekstil-world.ru/vqmod/install/7ygvtyvb7niim.exe hxxp://test.sharmx.com.ua/sdideep/87hg8n54 hxxp://texfibre.eu/system/logs/87tg7v645c.exe hxxp://thaihost.biz/bestylethai.com/43t3gh4 hxxp://theskcreativearts.com/45tg hxxp://thewhitemug.co.uk/system/logs/4trf3g45.exe hxxp://thietbianninhngocphuoc.com/system/logs/98yhb764d.exe hxxp://thietbicokhi.com.vn/system/logs/7ygvtyvb7niim.exe hxxp://thisisitsqq.com/69.exe hxxp://thisisitsqq.com/80.exe hxxp://thuanhshop.com/system/logs/4trf3g45.exe hxxp://tianshilive.ru/vqmod/xml/87yhb54cdfy.exe hxxp://tomkinshop.net/system/logs/87yhb54cdfy.exe hxxp://torgtehnik.ru/system/cache/.../1.exe hxxp://tracks4africa.li/43f hxxp://tradesolutions.me.uk/8i76 hxxp://tramps-ike.gr/8i67uy4g hxxp://tratancuongthainguyen.com/v4v5g45hg.exe hxxp://trieugiatrang.net/image/cache/87yhb54cdfy.exe hxxp://trimchic.co.uk/system/logs/lkj87h.exe hxxp://tuning.com.mx/v4v5g45hg.exe hxxp://u1847.netangels.ru/system/smsgate/7ygvtyvb7niim.exe hxxp://ubermensch.altervista.org/system/logs/87yhb54cdfy.exe hxxp://vaanifashion.com/system/logs/uy78hn654e.exe hxxp://vacationinbath.co.uk/v4v5g45hg.exe hxxp://vacationinbath.com/v4v5g45hg.exe hxxp://valerieannefashions.co.uk/v4v5g45hg.exe hxxp://vartashakti.com/v4v5g45hg.exe hxxp://vfwuc.eu.org/wp-content/uploads/5h45hg4b hxxp://vgp3.vitebsk.by/6/98yh8bb hxxp://vikasartsjodhpur.com/v4v5g45hg.exe hxxp://vip-creme.de/v4v5g45hg.exe hxxp://vip-shape.de/v4v5g45hg.exe hxxp://vital4age.de/v4v5g45hg.exe hxxp://vital4age.eu/v4v5g45hg.exe hxxp://washitallawayff.com/69.exe hxxp://washitallawayff.com/80.exe hxxp://webmail.p55.be/v4v5g45hg.exe hxxp://wechselkur.de/v4v5g45hg.exe hxxp://whatskv.com/v4v5g45hg.exe hxxp://winjoytechnologies.com/v4v5g45hg.exe hxxp://wireless-sync.com/system/cache/111 hxxp://workplace-communication.eu.org/wp-includes/pomo/5h45hg4b hxxp://www.aebnworld.com/98o7kj56h hxxp://www.aggiesaquariums.com.au/wp-includes/y78hiuok hxxp://www.almraah.com/wp-content/uploads/y78hiuok hxxp://www.avdanrenault.com/system/logs/4trf3g45.exe hxxp://www.dentiera-rotta.it/files/Fedex/fedex.exe hxxp://www.ekowen.sk/09y8j hxxp://www.findtube.gr/templates/atomic/js/111.exe hxxp://www.fotoleonia.it/files/sample.exe hxxp://www.freeadultcontent.us/98o7kj56h hxxp://www.freepussyshow.com/9oi654gh3 hxxp://www.gruposdemediosrrr.com/9oi654gh3 hxxp://www.gw-fs.co.uk/873y4g7bf3 hxxp://www.houseman.cz/files/10003c.exe hxxp://www.istruiscus.it/7643grb hxxp://www.kidshealingcrohnsandcolitis.com/8y7hybigv hxxp://www.kidshealingcrohnsandcolitis.org/8y7hybigv hxxp://www.koinerestaurant.com/parallax/piatti/promt.exe hxxp://www.livegirlshow.com/8i5ju4g34 hxxp://www.liveshowgirl.com/8i5ju4g34 hxxp://www.momstav.com/087hg67 hxxp://www.myxxxlinks.com/4ggh45yh45 hxxp://www.myxxxlinks.com:20480 / 4ggh45yh45 hxxp://www.nenitasthumbs.com/4ggh45yh45 hxxp://www.nevjegydesign.hu/0k6j6n4h4 hxxp://www.nevjegyportal.hu/0k6j6n4h4 hxxp://www.notebooktable.ru/system/logs/7ygvtyvb7niim.exe hxxp://www.promumedical.com/system/logs/87tg7v645c.exe hxxp://www.silko.ir/k8j5h hxxp://www.souqaqonline.com/system/logs/87tg7v645c.exe hxxp://www.tech-filter.ru/system/logs/78tgh76.exe hxxp://www.toolsavenue.com/system/cache/87yhb54cdfy.exe hxxp://www.trasachthainguyen.com/0l9k7j6 hxxp://www.tuttiesauriti.org/wp-content/plugins/hello123/89h8btyfde445.exe hxxp://www.vtipnetriko.cz/9oi86j5hg4 hxxp://xn--80ahetikodul.xn--p1ai/system/logs/4trf3g45.exe hxxp://xn--b1afonddk2l.xn--p1ai/system/logs/7t6f65g.exe hxxp://yander.by/system/logs/uy78hn654e.exe hxxp://zarabotoknasayte.zz.mu/7/sh87hg5v4
了解敲诈者病毒
| 
京公网安备 11000002002063号
京ICP备08010314号-6 Copyright©2005- 360.com 版权所有 360互联网安全中心
安全卫士
极速浏览器
360壁纸
360摄像机
360动态
手机卫士
评论
直达楼层