2016-09-12 - ZEPTO VARIANT LOCKY MALSPAM

NOTES:


Shown above:  Flow chart for two different examples of Locky infections from today's malspam.

 

ASSOCIATED FILES:

  • 2016-09-12-locky-malspam-traffic-first-example.pcap   (1,255,591 bytes)
  • 2016-09-12-locky-malspam-traffic-second-example.pcap   (1,254,549 bytes)
  • 2016-09-12-locky-malspam-traffic-third-example.pcap   (166,055 bytes)
  • 2016-09-12-Locky-malspam-data.csv   (1,578 bytes)
  • artifacts-from-infected-host / 2016-09-12-Locky-downloader-caused-by-wsf-file.exe   (240,944 bytes)
  • artifacts-from-infected-host / 2016-09-12-Locky-malspam_HELP_instructions.bmp   (3,578,902 bytes)
  • artifacts-from-infected-host / 2016-09-12-Locky-malspam_HELP_instructions.html   (8,973 bytes)
  • artifacts-from-infected-host / 2016-09-12-Locky-ramsoware-caused-by-js-file.dll   (134,779 bytes)
  • artifacts-from-infected-host / 2016-09-12-Locky-ramsoware-caused-by-wsf-file.dll   (159,744 bytes)
  • attachments / 3911fcc1e51.zip   (22,780 bytes)
  • attachments / 5a80587d100.zip   (22,740 bytes)
  • attachments / IG_20160830_9_9_01_Pro.zip   (8,649 bytes)
  • attachments / PH_20160830_3_14_53_Pro.zip   (8,621 bytes)
  • attachments / WP_20160830_11_61_3_Pro.zip   (8,653 bytes)
  • attachments / WP_20160830_1_63_5_Pro.zip   (8,621 bytes)
  • attachments / db475b3e2e.zip   (22,416 bytes)
  • attachments / fb1fe573a08d.zip   (22,636 bytes)
  • attachments / pm55D27DB7.zip   (8,640 bytes)
  • attachments / pm892.zip   (8,276 bytes)
  • attachments / pmBF2EE7B7.zip   (8,640 bytes)
  • attachments / pmE93.zip   (8,272 bytes)
  • emails / 2016-09-12-0931-UTC-malspam-attached-invoice.eml   (12,939 bytes)
  • emails / 2016-09-12-0933-UTC-malspam-attached-invoice.eml   (12,928 bytes)
  • emails / 2016-09-12-1232-UTC-malspam-attached-invoice.eml   (13,430 bytes)
  • emails / 2016-09-12-1235-UTC-malspam-attached-invoice.eml   (13,433 bytes)
  • emails / 2016-09-12-1320-UTC-malspam-Photo.eml   (12,712 bytes)
  • emails / 2016-09-12-1320-UTC-malspam-Photos.eml   (12,758 bytes)
  • emails / 2016-09-12-1321-UTC-malspam-Image.eml   (12,765 bytes)
  • emails / 2016-09-12-1357-UTC-malspam-budget-report.eml   (31,588 bytes)
  • emails / 2016-09-12-1401-UTC-malspam-Picture.eml   (12,795 bytes)
  • emails / 2016-09-12-1404-UTC-malspam-budget-report.eml   (31,789 bytes)
  • emails / 2016-09-12-1419-UTC-malspam-budget-report.eml   (31,773 bytes)
  • emails / 2016-09-12-1420-UTC-malspam-budget-report.eml   (31,294 bytes)
  • extracted-files / 00HwYy2rv25.wsf   (34,276 bytes)
  • extracted-files / 03agU52Nk02.wsf   (34,293 bytes)
  • extracted-files / 05omKt2S13.wsf   (35,947 bytes)
  • extracted-files / 14YQg739.wsf   (35,976 bytes)
  • extracted-files / 22P5R06.wsf   (35,984 bytes)
  • extracted-files / 28SShQBR04.wsf   (35,935 bytes)
  • extracted-files / 68BE96D1 Budget_report_xls.js   (133,582 bytes)
  • extracted-files / 863AEEA3 Budget_report_xls.js   (133,324 bytes)
  • extracted-files / AD3F36C4 Budget_report_xls.js   (132,185 bytes)
  • extracted-files / FA6F211A Budget_report_xls.js   (133,341 bytes)
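
The emails, attachments and extracted-files entries above are three stages of the same chain: an .eml carries a ZIP, and the ZIP holds the .wsf or .js that starts the infection. The following triage script reproduces that unpacking on a workstation without running anything: it parses an .eml, pulls out each ZIP attachment, hashes the container and every member, and flags Windows Script Host file types. This is an added example, not code from the original page; the sample message, its sender address, subject, ZIP name and the .wsf stub inside it are constructed here and are not the campaign's real values.

```python
"""Triage helper for malspam like the samples listed above: parse an .eml,
pull out ZIP attachments, hash them, and flag script files inside.
Added example, not part of the original page; the sample message and the
filenames in it are constructed."""
import csv
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Script types that ran the Locky downloaders in this campaign (.wsf, .js)
# plus the usual Windows Script Host siblings.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".cmd", ".bat"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def member_ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_eml(raw):
    """Return one row per ZIP member found in the message's attachments.
    Members are only read as bytes and hashed; nothing is executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        blob = part.get_payload(decode=True) or b""
        if not blob.startswith(b"PK\x03\x04"):
            continue  # only ZIP containers are of interest here
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob))
        except zipfile.BadZipFile:
            continue
        for info in zf.infolist():
            member = zf.read(info)
            rows.append({
                "date": str(msg["Date"]),
                "from": str(msg["From"]),
                "subject": str(msg["Subject"]),
                "attachment": name,
                "attachment_sha256": sha256(blob),
                "member": info.filename,
                "member_size": info.file_size,
                "member_sha256": sha256(member),
                "script": member_ext(info.filename) in SCRIPT_EXTS,
            })
    return rows


def rows_to_csv(rows):
    """Serialise rows as CSV text, one line per extracted member."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def build_sample_eml():
    """Constructed sample: a 'Photo' lure carrying a ZIP with an inert .wsf stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo_stub.wsf",
                    '<job><script language="JScript">// inert stub, does nothing</script></job>')
    m = EmailMessage()
    m["Date"] = "Mon, 12 Sep 2016 13:20:00 +0000"
    m["From"] = "sender@example.invalid"
    m["Subject"] = "Photo"
    m.set_content("Please see the attached photo.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="sample_photo.zip")
    return m.as_bytes()


if __name__ == "__main__":
    # For the real samples: triage_eml(open("emails/<file>.eml", "rb").read())
    print(rows_to_csv(triage_eml(build_sample_eml())))
```

Run it over the emails directory and the CSV gives you the same kind of table as the malspam-data spreadsheet, with the hash of each extracted .wsf or .js next to the message it came from. The ZIP check looks at the magic bytes rather than the filename, so a ZIP sent with a misleading name or content type is still unpacked.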

 

EMAILS


Shown above:  Email data from the spreadsheet (part 1 of 2).

 


Shown above:  Email data from the spreadsheet (part 2 of 2).

 


Shown above:  Text of the emails (example 1 of 3).

 


Shown above:  Text of the emails (example 2 of 3).

 


Shown above:  Text of the emails (example 3 of 3).

 

FROM ADDRESSES / SUBJECT LINES:

 

TRAFFIC


Shown above:  Traffic from the first example (caused by .wsf file), filtered in Wireshark.

 


Shown above:  Traffic from the second example (also caused by .wsf file), filtered in Wireshark.

 


Shown above:  Traffic from the third example (caused by .js file), filtered in Wireshark.

 

FIRST PCAP:

SECOND PCAP:

THIRD PCAP:
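
The three captures above were filtered in Wireshark to surface the HTTP requests made by the .wsf and .js downloaders. When you want the same view scripted (for example to pull host/URI pairs out of many pcaps), the walker below reads a classic libpcap file, decodes Ethernet/IPv4/TCP by hand, and reports each HTTP request and each response whose first body bytes are a PE "MZ" header. This is an added example, not code from the original page: it handles only libpcap (not pcapng), Ethernet link type, IPv4 and TCP, and looks at single segments with no reassembly. The two-packet capture it builds is constructed, and the addresses and path in it (10.9.12.101, 203.0.113.10, /dl/photo.exe) are made up, not indicators from these samples.

```python
"""Minimal pcap walker: list HTTP requests (host, URI) and responses whose
first body bytes look like a PE file. Added example, not from the original
page; classic libpcap, Ethernet/IPv4/TCP only, no TCP reassembly."""
import struct

DLT_EN10MB = 1  # Ethernet link type in the pcap global header


def pcap_packets(data):
    """Yield (timestamp, frame_bytes) for each record in a libpcap file."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype, = struct.unpack(end + "I", data[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 is TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]


def http_events(pcap_bytes):
    """Requests and responses that start at the beginning of a TCP segment."""
    events = []
    for ts, frame in pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if not parsed:
            continue
        src, sport, dst, dport, payload = parsed
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        if payload[:4] in (b"GET ", b"POST", b"HEAD"):
            method, uri = (lines[0].split(" ") + ["", ""])[:2]
            host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                         if l.lower().startswith("host:")), "")
            events.append({"kind": "request", "ts": ts, "src": src, "dst": dst,
                           "dport": dport, "method": method, "host": host, "uri": uri})
        elif payload.startswith(b"HTTP/1."):
            events.append({"kind": "response", "ts": ts, "src": src, "sport": sport,
                           "dst": dst, "status": lines[0],
                           "pe": body.startswith(b"MZ")})  # PE header in first segment
    return events


def build_sample_pcap():
    """Constructed capture: one GET for a payload, one response starting with MZ."""
    def frame(src, sport, dst, dport, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split("."))) + tcp
        return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4
    pkts = [
        frame("10.9.12.101", 49201, "203.0.113.10", 80,
              b"GET /dl/photo.exe HTTP/1.1\r\nHost: 203.0.113.10\r\n\r\n"),
        frame("203.0.113.10", 80, "10.9.12.101", 49201,
              b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1473685200 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    # Real capture: http_events(open("2016-09-12-locky-malspam-traffic-first-example.pcap", "rb").read())
    for event in http_events(build_sample_pcap()):
        print(event)
```

Because only the first segment of each response is inspected, the "pe" flag catches a payload whose MZ header sits right after the HTTP headers; to carve the full executable or DLL out of a real capture, use Wireshark's Follow TCP Stream or File > Export Objects > HTTP, then compare the SHA256 with the artifacts listed on this page.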

 

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

 

FILE HASHES

ARTIFACTS FROM THE INFECTED HOSTS:

 

IMAGES


Shown above:  Infected Windows desktop from one of the .wsf emails.

 


Shown above:  Going to the decrypt instructions using a Tor browser.

 


Shown above:  Looks like my Locky sample (caused by the .wsf file) wants 3 bitcoins for ransom.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
