2016-08-15 - ZEPTO VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-08-15-Locky-malspam-data.csv   (1,577 bytes)
  • 2016-08-15-traffic-from-Locky-malspam.pcap   (579,729 bytes)
  • artifacts-from-infected-host / _HELP_instructions.html   (10,328 bytes)
  • artifacts-from-infected-host / _HELP_instructions.bmp   (4,006,594 bytes)
  • artifacts-from-infected-host / ferdoxs.exe   (283,648 bytes)
  • attachments / 3220549838967.docm   (33,517 bytes)
  • attachments / 76D61A7FCA46CF93B78F1288CDF232F5.docm   (33,523 bytes)
  • attachments / 8203439616364.docm   (33,467 bytes)
  • attachments / 9180520338858.docm   (33,517 bytes)
  • attachments / 97B1C9B8FE58680AE514FFE0EA5C0F56.docm   (33,604 bytes)
  • attachments / A6C5307AE24DE3CC48C00F59EE26E1E4.docm   (33,603 bytes)
  • emails / 2016-08-15-1233-UTC.eml   (48,616 bytes)
  • emails / 2016-08-15-1251-UTC.eml   (48,678 bytes)
  • emails / 2016-08-15-1254-UTC.eml   (48,651 bytes)
  • emails / 2016-08-15-1309-UTC.eml   (47,602 bytes)
  • emails / 2016-08-15-1312-UTC.eml   (47,498 bytes)
  • emails / 2016-08-15-1337-UTC.eml   (47,606 bytes)

EMAILS

Shown above:  Email data from the spreadsheet (part 1 of 2).

Shown above:  Email data from the spreadsheet (part 2 of 2).

Shown above:  Text of the emails (example 1 of 2).

Shown above:  Text of the emails (example 2 of 4).

FROM ADDRESSES / SUBJECT LINES:


TRAFFIC

Shown above:  Traffic from checking all the malspam attachments, filtered in Wireshark.

URLS FOR LOCKY DOWNLOAD BY THE MALICIOUS WORD MACROS:

POST-INFECTION TRAFFIC FROM THE LOCKY SAMPLE:

DOMAINS FROM THE DECRYPT INSTRUCTIONS:


FILE HASHES

LOCKY SAMPLE FROM THE INFECTED HOSTS:


IMAGES
Shown above:  Infected Windows desktop from one of the emails.

Shown above:  This is something I haven't noticed before during a Locky infection.

Shown above:  Names of the encrypted files showing this is the Zepto variant of Locky.


FINAL NOTES

Once again, here is the archive with all the data:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
