2016-09-12 - ZEPTO VARIANT LOCKY RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2016-09-12-Locky-ransomware-infection-traffic-3-pcaps.zip 2.2 MB (2,217,311 bytes)
- 2016-09-12-Locky-ransomware-infection-traffic-first-example.pcap (1,255,591 bytes)
- 2016-09-12-Locky-ransomware-infection-traffic-second-example.pcap (1,254,549 bytes)
- 2016-09-12-Locky-ransomware-infection-traffic-third-example.pcap (166,055 bytes)
- 2016-09-12-Locky-ransomware-data.zip 871.0 kB (871,013 bytes)
- 2016-09-12-Locky-ransomware-email-tracker.csv (1,578 bytes)
- files-from-infected-host / 2016-09-12-Locky-ramsomware-downloader-caused-by-wsf-file.exe (240,944 bytes)
- files-from-infected-host / 2016-09-12-Locky-ramsomware_HELP_instructions.bmp (3,578,902 bytes)
- files-from-infected-host / 2016-09-12-Locky-ramsomware_HELP_instructions.html (8,973 bytes)
- files-from-infected-host / 2016-09-12-Locky-ramsomware-caused-by-js-file.dll (134,779 bytes)
- files-from-infected-host / 2016-09-12-Locky-ramsomware-caused-by-wsf-file.dll (159,744 bytes)
- attachments / 3911fcc1e51.zip (22,780 bytes)
- attachments / 5a80587d100.zip (22,740 bytes)
- attachments / IG_20160830_9_9_01_Pro.zip (8,649 bytes)
- attachments / PH_20160830_3_14_53_Pro.zip (8,621 bytes)
- attachments / WP_20160830_11_61_3_Pro.zip (8,653 bytes)
- attachments / WP_20160830_1_63_5_Pro.zip (8,621 bytes)
- attachments / db475b3e2e.zip (22,416 bytes)
- attachments / fb1fe573a08d.zip (22,636 bytes)
- attachments / pm55D27DB7.zip (8,640 bytes)
- attachments / pm892.zip (8,276 bytes)
- attachments / pmBF2EE7B7.zip (8,640 bytes)
- attachments / pmE93.zip (8,272 bytes)
- emails / 2016-09-12-0931-UTC-malspam-attached-invoice.eml (12,939 bytes)
- emails / 2016-09-12-0933-UTC-malspam-attached-invoice.eml (12,928 bytes)
- emails / 2016-09-12-1232-UTC-malspam-attached-invoice.eml (13,430 bytes)
- emails / 2016-09-12-1235-UTC-malspam-attached-invoice.eml (13,433 bytes)
- emails / 2016-09-12-1320-UTC-malspam-Photo.eml (12,712 bytes)
- emails / 2016-09-12-1320-UTC-malspam-Photos.eml (12,758 bytes)
- emails / 2016-09-12-1321-UTC-malspam-Image.eml (12,765 bytes)
- emails / 2016-09-12-1357-UTC-malspam-budget-report.eml (31,588 bytes)
- emails / 2016-09-12-1401-UTC-malspam-Picture.eml (12,795 bytes)
- emails / 2016-09-12-1404-UTC-malspam-budget-report.eml (31,789 bytes)
- emails / 2016-09-12-1419-UTC-malspam-budget-report.eml (31,773 bytes)
- emails / 2016-09-12-1420-UTC-malspam-budget-report.eml (31,294 bytes)
- extracted-files / 00HwYy2rv25.wsf (34,276 bytes)
- extracted-files / 03agU52Nk02.wsf (34,293 bytes)
- extracted-files / 05omKt2S13.wsf (35,947 bytes)
- extracted-files / 14YQg739.wsf (35,976 bytes)
- extracted-files / 22P5R06.wsf (35,984 bytes)
- extracted-files / 28SShQBR04.wsf (35,935 bytes)
- extracted-files / 68BE96D1 Budget_report_xls.js (133,582 bytes)
- extracted-files / 863AEEA3 Budget_report_xls.js (133,324 bytes)
- extracted-files / AD3F36C4 Budget_report_xls.js (132,185 bytes)
- extracted-files / FA6F211A Budget_report_xls.js (133,341 bytes)
NOTES:
- It's been so long since I looked into Locky ransomware, I didn't realize it's now a malicious DLL instead of an EXE.
- Lawrence Abrams from BleepingComputer first reported about Locky ransomware DLLs last month on 2016-08-26 ( link ).
- Today I saw the following patterns during infection traffic when I looked into Locky ransomware:
Shown above: Flow chart for two different examples of Locky ransomware infections from today's emails.
EMAILS
Shown above: Email data from the spreadsheet (part 1 of 2).
Shown above: Email data from the spreadsheet (part 2 of 2).
Shown above: Text of the emails (example 1 of 3).
Shown above: Text of the emails (example 2 of 3).
Shown above: Text of the emails (example 3 of 3).
FROM ADDRESSES / SUBJECT LINES:
- <document@reliancesport[.]com[.]au> - Subject: Please find attached invoice no: 424845
- <document@twoharborsforum[.]com> - Subject: Please find attached invoice no: 70983806321
- <document@jecel[.]com[.]br> - Subject: Please find attached invoice no: 8478912583
- <document@goldlawgroup[.]com> - Subject: Please find attached invoice no: 9766123
- "Maura" <Maura0372@[recipient's email address]> - Subject: Photos
- "Boris" <Boris0349@[recipient's email domain]> - Subject: Photo
- "Aldo" <Aldo511@[recipient's email domain]> - Subject: Image
- "Suzette" <Suzette37@[recipient's email domain]> - Subject: Picture
- "Ivy Wong" <Wong.6430@static.vnpt[.]vn> - Subject: Budget report
- "Candy Vaughan" <Vaughan.69569@10servicescompany[.]com> - Subject: Budget report
- "Luz Cherry" <Cherry.2159@airtelbroadband[.]in> - Subject: Budget report
- "Angelina Reed" <Reed.10@remarkablekids[.]org> - Subject: Budget report
TRAFFIC
Shown above: Traffic from the first example (caused by .wsf file), filtered in Wireshark.
Shown above: Traffic from the first example (also caused by .wsf file), filtered in Wireshark.
Shown above: Traffic from the first example (caused by .js file), filtered in Wireshark.
FIRST PCAP:
- 192.185.41[.]190 port 80 - wamasoftware[.]com - GET /8fh34f3?IUiqidnymtA=zitRTbI - Request for Locky ransomware downloader caused .wsf file
- 43.225.54[.]151 port 80 - mysoregiftsflowers[.]com - GET /8fh34f3?IUiqidnymtA=zitRTbI - Request for Locky ransomware downloader caused .wsf file
- 62.149.144[.]61 port 80 - www.villakeratea[.]it - GET /8fh34f3?IUiqidnymtA=zitRTbI - Request for Locky ransomware downloader caused .wsf file
- 103.208.86[.]154 port 80 - supperuploadtestspeed[.]ws - POST /p/3d23fd.php HTTP/1.0 - Post-infection callback by Locky ransomware downloader
- 66.85.27[.]179 port 80 - supperuploadtestspeed[.]ws - POST /p/3d23fd.php HTTP/1.0 - Post-infection callback by Locky ransomware downloader
- 213.142.143[.]183 port 80 - yesiloglugrup[.]com - GET /7g6bubt7v?IUiqidnymtA=zitRTbI - Request for Locky ransomware by the downloader
- 202.40.164[.]200 port 80 - sowhatresearch[.]com[.]au - GET /7g6bubt7v?IUiqidnymtA=zitRTbI - Request for Locky ransomware by the downloader
- 66.85.27[.]179 port 80 - supperuploadtestspeed[.]ws - GET /7g6bubt7v?IUiqidnymtA=zitRTbI - Request for Locky ransomware by the downloader
SECOND PCAP:
- 43.225.54[.]151 port 80 - gift2belgaum[.]com - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware downloader caused .wsf file
- 198.23.59[.]178 port 80 - nysekolintsika[.]mg - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware downloader caused .wsf file
- 74.81.90[.]93 port 80 - abcdraw[.]biz - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware downloader caused .wsf file
- 103.208.86[.]154 port 80 - supperuploadtestspeed[.]ws - POST /p/3d23fd.php HTTP/1.0 - Post-infection callback by Locky ransomware downloader
- 66.85.27[.]179 port 80 - supperuploadtestspeed[.]ws - POST /p/3d23fd.php HTTP/1.0 - Post-infection callback by Locky ransomware downloader
- 174.142.55[.]229 port 80 - www.alfajerdecor[.]com - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware by the downloader
- 66.147.244[.]75 port 80 - www.pstimes[.]com - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware by the downloader
- 66.85.27[.]179 port 80 - supperuploadtestspeed[.]ws - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm - Request for Locky ransomware by the downloader
THIRD PCAP:
- 23.95.106[.]223 port 80 - trybttr[.]ws - GET /h71qizc - Request for Locky ransomware caused by .js file
- 51.255.105[.]2 port 80 - 51.255.105[.]2 - POST /data/info.php - Post-infection callback by the Locky ransomware
DOMAINS FROM THE DECRYPT INSTRUCTIONS:
- 5n7y4yihirccftc5[.]tor2web[.]org
- 5n7y4yihirccftc5[.]onion[.]to
FILE HASHES
ARTIFACTS FROM THE INFECTED HOSTS:
- SHA256 hash: b88e84d9c7c407c7bad40777e87413628d8786af643d1581aa9aa82209751fd7
File name: 2016-09-12-Locky-ransomware-downloader-caused-by-wsf-file.exe
- SHA256 hash: bbfb4c0bbae915cc719325970c0cc9e9bf144d96043b9cc7c18a328a2e69a2c5
File name: 2016-09-12-Locky-ramsoware-caused-by-wsf-file.dll
- SHA256 hash: 76438fc9c86c57bf0fb8028a3a6290cfce8b305e21fca5ae15feaf2e73681a27
File name: 2016-09-12-Locky-ramsoware-caused-by-js-file.dll
IMAGES
Shown above: Infected Windows desktop from one of the .wsf emails.
Shown above: Going to the decrypt instructions using a Tor browser.
Shown above: Looks like my Locky ransomware sample (caused by the .wsf file) wants 3 bitcoins for ransom.
Click here to return to the main page.