2016-05-31 - TUESDAY MALSPAM HUNT - MORE LOCKY (ALWAYS MORE LOCKY)

ASSOCIATED FILES:

  • 2016-05-31-Locky-after-details_V9yGF.js.pcap   (157,924 bytes)
  • 2016-05-31-Locky-after-details_gyo4a.js.pcap   (193,258 bytes)
  • 2016-05-31-Locky-after-doc_scan_GKnaA.js.pcap   (219,064 bytes)
  • 2016-05-31-Locky-after-scan_k9w7fm.js.pcap   (219,207 bytes)
  • 2016-05-31-malspam-data.csv   (659 bytes)
  • artifacts-from-infected-hosts/2016-05-31-Locky-example.exe   (181,760 bytes)
  • artifacts-from-infected-hosts/2016-05-31-Locky_HELP_instructions.bmp   (3,293,774 bytes)
  • artifacts-from-infected-hosts/2016-05-31-Locky_HELP_instructions.html   (9,355 bytes)
  • attachments/caution_trevor_54614652.zip   (5,879 bytes)
  • attachments/copy_alan_14149553.zip   (5,897 bytes)
  • attachments/report_56098446.zip   (5,864 bytes)
  • attachments/security_69514117.zip   (5,772 bytes)
  • emails/2016-05-31-0926-UTC.eml   (9,914 bytes)
  • emails/2016-05-31-0956-UTC.eml   (9,928 bytes)
  • emails/2016-05-31-1134-UTC.eml   (9,657 bytes)
  • emails/2016-05-31-1158-UTC.eml   (9,515 bytes)
  • extracted-files/details_V9yGF.js   (13,028 bytes)
  • extracted-files/details_gyo4a.js   (12,965 bytes)
  • extracted-files/doc_scan_GKnaA.js   (12,812 bytes)
  • extracted-files/scan_k9w7fm.js   (11,918 bytes)

EMAILS AND ATTACHMENTS

Shown above:  Data from the .csv spreadsheet on 4 malspam samples from Tuesday 2016-05-31.

Shown above:  Example of Fraudlent Behavior - Account Suspended malspam from Tuesday 2016-05-31.

Shown above:  Example of New Message from your bank manager malspam from Tuesday 2016-05-31.

TRAFFIC

Shown above:  Traffic generated from the first malspam filtered in Wireshark.

Shown above:  Traffic generated from the second malspam filtered in Wireshark.

Shown above:  Traffic generated from the third malspam filtered in Wireshark.

Shown above:  Traffic generated from the fourth malspam filtered in Wireshark.

HTTP REQUESTS FROM .JS FILES TO DOWNLOAD THE LOCKY SAMPLE:

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

IMAGES

Shown above:  Windows computer's desktop after one of today's Locky infections.

FINAL NOTES

Once again, here are the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
