NUEVO MAIL MASIVO QUE LLEGA ANEXANDO FICHERO MALICIOSO QUE INSTALA UNA DLL QUE PASAMOS A CONTROLAR CON EL ELISTARA COMO RANSOMWARE LOCKY.OSIRIS

Se está recibiendo un mail malicioso con solo el encabezado:
MAIL MASIVO MALICIOSO:
_____________________

Asunto: PHOTO_5695
De: “Mohammad” <Mohammad9@dominio destinatario>
Fecha: 15/12/2016 5:21
Para: “destinatario” <destinatario>
ANEXADO: PHOTO_5695.zip (CONTENIENDO ORD_0739.JSE)

_____________________

FIN MAIL MALICIOSO
El preanalisis de virustotal ofrece el siguiente informe:
MD5 d01b3bae790db2486817e7cb96b63b2f
SHA1 1ce5667b75ff589d423d9e3ea052996b36b0c29e
File size 25.6 KB ( 26240 bytes )
SHA256: ab565831d8d53da9fcc4057c10d76b6941c7421cd39eb94b034e3170cc564aeb
File name: ORD_0739.jse
Detection ratio: 25 / 55
Analysis date: 2016-12-15 10:20:31 UTC ( 4 minutes ago )
0
1

Antivirus Result Update
AVG JS/Downloader.Agent.65_I 20161215
AVware Trojan-Downloader.JS.Nemucod.bbp (v) 20161215
Ad-Aware JS:Trojan.Crypt.QD 20161215
AegisLab Troj.Downloader.Script!c 20161215
Antiy-AVL Trojan/Generic.ASMalwRG.70 20161215
Arcabit JS:Trojan.Crypt.QD 20161215
Avira (no cloud) HTML/ExpKit.Gen6 20161215
BitDefender JS:Trojan.Crypt.QD 20161215
Cyren JS/Nemucod.CA2 20161215
DrWeb JS.DownLoader.2997 20161215
ESET-NOD32 JS/TrojanDownloader.Nemucod.BDA 20161215
Emsisoft JS:Trojan.Crypt.QD (B) 20161215
F-Prot JS/Nemucod.CA2 20161215
F-Secure JS:Trojan.Crypt.QD 20161215
Fortinet JS/Nemucod.CAD!tr 20161215
GData JS:Trojan.Crypt.QD 20161215
Ikarus Win32.Outbreak 20161215
Kaspersky HEUR:Trojan-Downloader.Script.Generic 20161215
eScan JS:Trojan.Crypt.QD 20161215
NANO-Antivirus Trojan.Script.Heuristic-js.iacgm 20161215
Qihoo-360 virus.js.gen.1 20161215
Symantec JS.Downloader.D 20161215
Tencent Js.Trojan.Raas.Auto 20161215
TrendMicro-HouseCall JS_GEN.F299E00LF16 20161215
VIPRE Trojan-Downloader.JS.Nemucod.bbp (v) 20161215

y la DLL que descarga,  que es realmente el ransomware, ofrece este informe:

MD5 2e2e7f821ae1c0ff0517e873c6fef7dd
SHA1 6ec7b9bf0877d16a9f254011bb3618b2f41e4f5b
File size 260.0 KB ( 266240 bytes )
SHA256: 1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784
File name: xwmJyewoEI2.dll
Detection ratio: 28 / 57
Analysis date: 2016-12-15 10:30:48 UTC ( 5 minutes ago )
0
1

Antivirus Result Update
Ad-Aware Trojan.RanSerKD.3882173 20161215
AegisLab W32.Troj.Ransom!c 20161215
AhnLab-V3 Trojan/Win32.Locky.C1707597 20161215
Arcabit Trojan.RanSerKD.D3B3CBD 20161215
Avira (no cloud) TR/Locky.mphvz 20161215
BitDefender Trojan.RanSerKD.3882173 20161215
Bkav W32.eHeur.Malware03 20161214
CrowdStrike Falcon (ML) malicious_confidence_90% (D) 20161024
Cyren W32/Trojan.HYZN-5307 20161215
DrWeb Trojan.Encoder.3976 20161215
ESET-NOD32 a variant of Win32/Kryptik.FLEG 20161215
Emsisoft Trojan.RanSerKD.3882173 (B) 20161215
F-Secure Trojan.RanSerKD.3882173 20161215
GData Trojan.RanSerKD.3882173 20161215
Kaspersky Trojan-Ransom.Win32.Locky.wrb 20161215
Malwarebytes Ransom.Locky 20161215
McAfee Artemis!2E2E7F821AE1 20161215
McAfee-GW-Edition Artemis 20161215
eScan Trojan.RanSerKD.3882173 20161215
Microsoft Ransom:Win32/Locky.A 20161215
Qihoo-360 HEUR/QVM40.1.D404.Malware.Gen 20161215
Rising Malware.Generic!Bwh7fwhfWgU@2 (thunder) 20161215
Symantec Ransom.Locky 20161215
Tencent Win32.Trojan.Raas.Auto 20161215
TrendMicro Ransom_HPLOCKY.SMJBB 20161215
TrendMicro-HouseCall Ransom_HPLOCKY.SMJBB 20161215
VBA32 SScope.Malware-Cryptor.Filecoder 20161214
ViRobot Trojan.Win32.Locky.266240[h] 20161215

Dicha versión del ELISTARA 35.81 que los detecta y elimina, estará disponible en nuestra web a partir del 16-12-2016

saludos

ms, 15-12-2016