2016-04-27 - LOCKY MALSPAM - SUBJECT: PRICE LIST

ASSOCIATED FILES:

  • 2016-04-27-Locky-malspam-info.csv   (3,534 bytes)
  • 2016-04-27-Locky-traffic-from-one-of-the-js-files.pcap   (200,735 bytes)
  • extracted-js-files/
  • extracted-js-files/01c4b975.js   (3,311 bytes)
  • extracted-js-files/048a35.js   (3,319 bytes)
  • extracted-js-files/298ba6d.js   (3,306 bytes)
  • extracted-js-files/2e1226.js   (3,300 bytes)
  • extracted-js-files/4e5036c3.js   (3,317 bytes)
  • extracted-js-files/6d5e6a.js   (3,300 bytes)
  • extracted-js-files/9b2129a0.js   (3,308 bytes)
  • extracted-js-files/9f6ed08.js   (3,312 bytes)
  • extracted-js-files/af18f.js   (3,303 bytes)
  • extracted-js-files/bac9b964.js   (3,298 bytes)
  • extracted-js-files/c0c0e1c.js   (3,311 bytes)
  • extracted-js-files/c225e93.js   (3,312 bytes)
  • extracted-js-files/cc22f6bf.js   (3,305 bytes)
  • extracted-js-files/cf7f9.js   (3,309 bytes)
  • extracted-js-files/ecdbe.js   (3,316 bytes)
  • malspam/
  • malspam/2016-04-27-1020-UTC.eml   (3,924 bytes)
  • malspam/2016-04-27-1023-UTC.eml   (3,945 bytes)
  • malspam/2016-04-27-1051-UTC.eml   (3,969 bytes)
  • malspam/2016-04-27-1057-UTC.eml   (3,955 bytes)
  • malspam/2016-04-27-1101-UTC.eml   (3,986 bytes)
  • malspam/2016-04-27-1103-UTC.eml   (4,001 bytes)
  • malspam/2016-04-27-1109-UTC.eml   (3,958 bytes)
  • malspam/2016-04-27-1111-UTC.eml   (3,955 bytes)
  • malspam/2016-04-27-1116-UTC.eml   (3,974 bytes)
  • malspam/2016-04-27-1119-UTC.eml   (3,930 bytes)
  • malspam/2016-04-27-1120-UTC.eml   (3,962 bytes)
  • malspam/2016-04-27-1121-UTC.eml   (4,013 bytes)
  • malspam/2016-04-27-1122-UTC.eml   (3,929 bytes)
  • malspam/2016-04-27-1123-UTC.eml   (3,994 bytes)
  • malspam/2016-04-27-1126-UTC.eml   (3,950 bytes)
  • malspam/2016-04-27-1151-UTC.eml   (3,972 bytes)
  • malware-from-the-infected-host/
  • malware-from-the-infected-host/2016-04-27-Locky-from-malspam.exe   (179,200 bytes)
  • malware-from-the-infected-host/2016-04-27-Locky_HELP_instructions.bmp   (3,864,030 bytes)
  • malware-from-the-infected-host/2016-04-27-Locky_HELP_instructions.txt   (1,121 bytes)
  • rar-attachments/
  • rar-attachments/019D5_richard_E89FD5.rar   (1,685 bytes)
  • rar-attachments/5D77E_craig_DE2B6B.rar   (1,683 bytes)
  • rar-attachments/ACDD4_linda_7E9306.rar   (1,674 bytes)
  • rar-attachments/AEAE2_gage_F71707.rar   (1,691 bytes)
  • rar-attachments/craig-client_bill_F85DFB.rar   (1,692 bytes)
  • rar-attachments/E9EB4_richard_FFEAEB.rar   (1,688 bytes)
  • rar-attachments/jennifer-bill_BAD28D.rar   (1,679 bytes)
  • rar-attachments/jennifer-client_bill_AEB977.rar   (1,684 bytes)
  • rar-attachments/linda-bill_0DDC3B.rar   (1,685 bytes)
  • rar-attachments/linda-bill_63B29F.rar   (1,686 bytes)
  • rar-attachments/patricia-client_bill_889605.rar   (1,685 bytes)
  • rar-attachments/richard-bill_3DEF40.rar   (1,675 bytes)
  • rar-attachments/richard-bill_67FE66.rar   (1,687 bytes)
  • rar-attachments/richard-bill_E937AC.rar   (1,676 bytes)
  • rar-attachments/richard-client_bill_052E85.rar   (1,679 bytes)
  • rar-attachments/timmy-client_bill_9A5FC4.rar   (1,682 bytes)

NOTES:

THE EMAILS

Shown above:  Data on 16 of the emails from this wave of Locky malspam.

DESCRIPTION:

TEXT OF THE MESSAGES:

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

Shown above:  An example of the messages from this wave of Locky malspam.

THE ATTACHMENTS

(Read: Attachment name   --   Extracted .js file   --   HTTP GET request from the .js file)

Shown above:  Contents from one of the .rar attachments.

TRAFFIC

Shown above:  Traffic filtered in Wireshark after infecting a Windows host with one of the .js files.

HTTP REQUESTS:

IMAGES

Shown above:  HTTP GET request for the Locky ransomware.

Shown above:  Locky callback traffic.

Shown above:  The host's desktop after being infected with Locky from this malspam.

FINAL NOTES

Once again, here is the associated file:

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.