2016-06-27 - MONDAY MALSPAM HUNT - LOCKY

NOTES:

ASSOCIATED FILES:

  • 2016-06-27-Locky-malspam-info.csv   (1,889 bytes)
  • 2016-06-27-Locky-malspam-traffic.pcap   (2,630,328 bytes)
  • attachments/alan_updated_doc_759174.zip   (7,370 bytes)
  • attachments/aron_updated_178841.zip   (7,606 bytes)
  • attachments/colin_updated_056106.zip   (7,369 bytes)
  • attachments/linda_updated_435835.zip   (7,322 bytes)
  • attachments/lyn_updated_doc_240360.zip   (7,303 bytes)
  • attachments/ryan_updated_doc_473239.zip   (7,472 bytes)
  • attachments/tim_updated_doc_551787.zip   (7,666 bytes)
  • attachments/update_greg_015676.zip   (7,361 bytes)
  • attachments/update_john_901036.zip   (7,675 bytes)
  • attachments/update_phil_430422.zip   (7,379 bytes)
  • attachments/update_simon_936862.zip   (7,142 bytes)
  • attachments/wendy_updated_246995.zip   (7,428 bytes)
  • emails/2016-06-27-2126-UTC.eml   (11,022 bytes)
  • emails/2016-06-27-2135-UTC.eml   (10,955 bytes)
  • emails/2016-06-27-2153-UTC.eml   (10,691 bytes)
  • emails/2016-06-27-2217-UTC.eml   (10,923 bytes)
  • emails/2016-06-27-2227-UTC.eml   (10,862 bytes)
  • emails/2016-06-27-2231-UTC.eml   (10,951 bytes)
  • emails/2016-06-27-2232-UTC.eml   (10,872 bytes)
  • emails/2016-06-27-2236-UTC.eml   (10,947 bytes)
  • emails/2016-06-27-2240-UTC.eml   (11,344 bytes)
  • emails/2016-06-27-2305-UTC.eml   (11,089 bytes)
  • emails/2016-06-27-2315-UTC.eml   (11,361 bytes)
  • emails/2016-06-27-2325-UTC.eml   (11,275 bytes)
  • extracted-files/swift 24a2.js   (69,397 bytes)
  • extracted-files/swift 352c.js   (69,284 bytes)
  • extracted-files/swift 4f1a.js   (69,564 bytes)
  • extracted-files/swift 58c8.js   (69,575 bytes)
  • extracted-files/swift 5cd0.js   (70,926 bytes)
  • extracted-files/swift 822.js   (69,627 bytes)
  • extracted-files/swift 881a.js   (72,194 bytes)
  • extracted-files/swift 899f.js   (67,383 bytes)
  • extracted-files/swift c9eb.js   (70,097 bytes)
  • extracted-files/swift cc9.js   (69,573 bytes)
  • extracted-files/swift ea2.js   (71,614 bytes)
  • extracted-files/swift eb18.js   (71,333 bytes)
  • malware/2016-06-27-Locky-decryption-instructions.bmp   (4,149,158 bytes)
  • malware/2016-06-27-Locky-decryption-instructions.html   (8,973 bytes)
  • malware/2016-06-27-Locky-from-malspam-sample.exe   (165,888 bytes)

EMAILS AND ATTACHMENTS


Shown above:  Data from the .csv spreadsheet on 12 malspam samples from Monday 2016-06-27.

Shown above:  Data from the .csv spreadsheet on the 12 malspam attachments from Monday 2016-06-27.

Shown above:  An example of the text from one of the emails.

TRAFFIC

HTTP REQUESTS FROM THE .JS FILES TO DOWNLOAD LOCKY:

POST-INFECTION CALLBACK FROM TODAY'S LOCKY SAMPLE:

IMAGES


Shown above:  From the zip archive to the text of the extracted .js file.

Shown above:  Traffic from some of today's Locky infections filtered in Wireshark.

Shown above:  Locky being downloaded by one of the .js files (Note: Locky is obfuscated here).

Shown above:  An example of Locky after it was decoded on a local host.

Shown above:  A Windows computer's desktop after one of today's Locky infections.

FINAL NOTES

Once again, here is an archive of the associated files:

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
