2016-05-03 - LOCKY MALSPAM - VARIOUS SUBJECT LINES

ASSOCIATED FILES:

NOTES:

The Palo Alto Networks Unit 42 blog about Locky ransomware can be found here.

Proofpoint's blog about Locky ransomware is available here.

Other posts also covering these same items of Locky malicious spam (malspam) from today include:

EMAILS AND ATTACHMENTS


Shown above: Data from the .csv spreadsheet on 10 emails from today's Locky malspam.


Shown above: Data from the .csv spreadsheet on 10 attachments from today's Locky malspam.

TRAFFIC


Shown above: Traffic from executing the extracted .js files, filtered in Wireshark.

HTTP REQUESTS FROM THE EXTRACTED .JS FILES:

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLES:

IMAGES


Shown above: Desktop of a Windows host after executing one of the .js attachments from the malspam.

ZIP ARCHIVE CONTENTS

FINAL NOTES

Once again, here is the associated file:

The ZIP file is password-protected with the standard password. If you don't know it, look at the "about" page of this website.