2016-05-05 - THURSDAY MALSPAM HUNT - DRIDEX AND LOCKY

ASSOCIATED FILES:

 

NOTES:

The Palo Alto Networks Unit 42 blog about Locky ransomware can be found here, and Proofpoint's blog about Dridex actors sending Locky ransomware is available here.

Other posts also covering some of the same malicious spam (malspam) include:

Zip attachments sent by "Jaypee" (a spoofed sender) contain text files, but the file names have no extensions.  I ran them after appending .js to the file names.
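As an added example (not part of the original post or its associated files), the triage step described above can be done without renaming anything blindly: open each zip, hash every member, and flag the extension-less members whose content is printable text with script-like markers as candidates for a .js rename before detonation. The zip below is constructed in memory; the member names, the JScript-looking content, and the marker list are assumptions for illustration, not data from the samples.

```python
import hashlib
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional


def build_sample_zip() -> bytes:
    """Constructed stand-in for one of the extension-less attachments (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Extension-less member holding JScript-style text (hypothetical content).
        zf.writestr(
            "invoice_scan_0505",
            "var a = 'http://example.invalid/x';\n"
            "var w = new ActiveXObject('WScript.Shell');\n",
        )
        # Control members: harmless text with an extension, and a binary with an MZ header.
        zf.writestr("readme.txt", "plain text\n")
        zf.writestr("prog.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


@dataclass
class MemberReport:
    name: str
    size: int
    sha256: str
    has_extension: bool
    looks_like_text: bool
    looks_like_script: bool
    suggested_name: Optional[str]  # e.g. "<name>.js" when a rename is worth trying


# Assumed markers for Windows Script Host droppers; tune to your own samples.
SCRIPT_MARKERS = (b"activexobject", b"wscript", b"eval(", b"function", b"var ")


def looks_like_text(data: bytes) -> bool:
    """Printable-byte heuristic: no NULs and >95% printable ASCII in the first 4 KiB."""
    if not data:
        return False
    sample = data[:4096]
    if b"\x00" in sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def looks_like_script(data: bytes) -> bool:
    """At least two script markers within the first 64 KiB (case-insensitive)."""
    low = data[:65536].lower()
    return sum(1 for m in SCRIPT_MARKERS if m in low) >= 2


def triage_zip(zip_bytes: bytes, pwd: Optional[bytes] = None) -> List[MemberReport]:
    """Hash and classify every file in the archive; never executes anything."""
    reports: List[MemberReport] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=pwd)
            base = info.filename.rsplit("/", 1)[-1]
            has_ext = "." in base and not base.endswith(".")
            text = looks_like_text(data)
            script = text and looks_like_script(data)
            suggested = base + ".js" if (not has_ext and script) else None
            reports.append(MemberReport(
                name=info.filename,
                size=info.file_size,
                sha256=hashlib.sha256(data).hexdigest(),
                has_extension=has_ext,
                looks_like_text=text,
                looks_like_script=script,
                suggested_name=suggested,
            ))
    return reports


if __name__ == "__main__":
    for r in triage_zip(build_sample_zip()):
        print(f"{r.sha256[:16]}  {r.size:6d}  {r.name:20s}  "
              f"text={r.looks_like_text} script={r.looks_like_script} "
              f"rename_to={r.suggested_name}")
```

Run it against a real attachment by passing the archive bytes (and the archive password, if any) to `triage_zip`; the rename itself and the detonation stay manual and inside the sandbox. The heuristic only surfaces candidates, so an extension-less member that is not flagged still deserves a look in a hex editor.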

 

EMAILS AND ATTACHMENTS


Shown above:  Data from the .csv spreadsheet on 12 emails from today's malspam.

 


Shown above:  Data from the .csv spreadsheet on 12 attachments from today's malspam.

 

TRAFFIC


Shown above:  Traffic from executing the extracted .js files, filtered in Wireshark.

 


Shown above:  Post-infection traffic seen from the Dridex sample.

 

DRIDEX MALSPAM TRAFFIC:

 

HTTP REQUEST BY .JS FILES FOR LOCKY:

 

LOCKY POST-INFECTION TRAFFIC:

 

ZIP ARCHIVE CONTENTS

 

FINAL NOTES

Once again, here is the associated file:

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
