2016-09-26 - ODIN VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-09-26-1804-UTC-Locky-malspam-traffic.pcap   (278,130 bytes)
  • 2016-09-26-1840-UTC-Locky-malspam-traffic.pcap   (245,396 bytes)
  • 2016-09-26-1804-UTC-Locky-malspam.eml   (12,577 bytes)
  • 2016-09-26-1804-UTC-attachment-new doc(3).zip   (8,383 bytes)
  • 2016-09-26-1804-UTC-downloaded-Locky-xXINzimwQ1.dll   (233,472 bytes)
  • 2016-09-26-1804-UTC-extracted-file-DGWV9M4027.wsf   (30,433 bytes)
  • 2016-09-26-1840-UTC-Locky-malspam.eml   (16,001 bytes)
  • 2016-09-26-1840-UTC-attachment-f2b119ce7c6.zip   (11,096 bytes)
  • 2016-09-26-1840-UTC-downloaded-Locky-gkrS6IPeMxdlcQhT.dll   (151,040 bytes)
  • 2016-09-26-1840-UTC-extracted-file-Updated invoice pdf D32161A.wsf   (64,991 bytes)
  • 2016-09-26-Odin-variant-Locky-Decryptor-style.css   (3,422 bytes)
  • 2016-09-26-Odin-variant-Locky-Decryptor.html   (5,863 bytes)
  • _HOWDO_text.bmp   (3,578,902 bytes)
  • _HOWDO_text.html   (9,459 bytes)

 

NOTES:

 

 

EMAILS


Shown above:  First Locky malspam example.

 


Shown above:  Second Locky malspam example.

 

ATTACHMENTS

FIRST EMAIL:

 

SECOND EMAIL:

 
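The attachments in both emails follow the same pattern as the files listed at the top of this page: a .zip attachment that holds a .wsf script, which in turn downloads the Locky .dll.  The script below is an added example (not part of the original post or its associated files) of how to triage such an .eml offline: pull each attachment, identify zips by their magic bytes rather than the filename, list the members, flag script extensions like .wsf, and record SHA256 hashes for everything.  The message and zip are constructed inline, the .wsf member is a harmless placeholder, and the sender/recipient addresses are made up.

```python
# Added example (not from the original post): triage a Locky-style malspam
# .eml -- pull the zip attachment, list its members, flag script extensions
# such as .wsf, and hash everything.  The message and zip below are
# constructed inline so this runs offline; the WSF member is a harmless
# placeholder, not the real downloader.
import email
import hashlib
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions commonly used for script/executable droppers inside malspam zips
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".exe", ".scr"}
ZIP_MAGIC = b"PK\x03\x04"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_eml() -> bytes:
    """Construct a minimal malspam-like message carrying a zipped .wsf (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder WSF body; a real dropper would hold an obfuscated downloader
        zf.writestr("DGWV9M4027.wsf",
                    "<job><script language='JScript'>WScript.Echo('placeholder');</script></job>")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # hypothetical addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "new doc(3)"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="new doc(3).zip")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> list:
    """Return one record per attachment: name, sha256, and (for zips) its members."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        record = {"attachment": part.get_filename() or "<unnamed>",
                  "sha256": sha256(payload), "members": []}
        # Identify zips by magic bytes, not by the filename the sender chose
        if payload.startswith(ZIP_MAGIC):
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for info in zf.infolist():
                        data = zf.read(info)
                        ext = posixpath.splitext(info.filename)[1].lower()
                        record["members"].append({
                            "name": info.filename,
                            "size": info.file_size,
                            "sha256": sha256(data),
                            "suspicious": ext in SCRIPT_EXTENSIONS,
                        })
            except (RuntimeError, zipfile.BadZipFile) as exc:
                # Encrypted members raise RuntimeError; corrupt archives raise BadZipFile
                record["error"] = str(exc)
        findings.append(record)
    return findings


if __name__ == "__main__":
    for rec in triage_eml(build_sample_eml()):
        print(rec["attachment"], rec["sha256"])
        for m in rec["members"]:
            flag = "SUSPICIOUS" if m["suspicious"] else "ok"
            print(f"  {m['name']}  {m['size']} bytes  {m['sha256']}  {flag}")
```

To run it against a real sample, read the .eml from disk and pass the bytes to triage_eml(); the member hashes are what you would compare against the "FILE HASHES" section below.  Note that the associated zips on this site are password-protected, so the archive of the page itself will hit the RuntimeError branch rather than list its members.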

TRAFFIC


Shown above:  Traffic from the first Locky malspam example.

 


Shown above:  Traffic from the second Locky malspam example.

 

INFECTION FROM FIRST EMAIL ATTACHMENT:

 

INFECTION FROM SECOND EMAIL ATTACHMENT:

 

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

LOCKY SAMPLES:

 

IMAGES


Shown above:  Screen shot from an infected Windows desktop.  Note the .odin file extension.
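Two artifacts in that screenshot are enough for a quick post-infection sweep: files renamed with the .odin extension and the _HOWDO_text.html / _HOWDO_text.bmp ransom notes listed at the top of this page.  The script below is an added example (not part of the original post) that walks a directory tree and reports both, along with which directories were hit.  The sample tree it builds in a temporary directory uses constructed filenames; the .odin filename shown is hypothetical and not a claim about how this variant names encrypted files.

```python
# Added example (not from the original post): a post-infection check for the
# .odin Locky variant.  Walks a directory tree and reports files carrying the
# .odin extension plus the _HOWDO_text ransom notes.  The sample tree is built
# in a temp directory with constructed filenames so the script runs offline.
import os
import tempfile

ENCRYPTED_EXT = ".odin"
RANSOM_NOTES = {"_howdo_text.html", "_howdo_text.bmp"}   # names as listed on this page


def scan_for_odin(root: str) -> dict:
    """Walk `root` and collect .odin files, ransom notes, and the directories hit."""
    result = {"encrypted": [], "notes": [], "dirs_hit": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                result["encrypted"].append(path)
                result["dirs_hit"].add(dirpath)
            elif lower in RANSOM_NOTES:
                result["notes"].append(path)
                result["dirs_hit"].add(dirpath)
    result["dirs_hit"] = sorted(result["dirs_hit"])
    return result


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking one folder on an infected desktop."""
    root = tempfile.mkdtemp(prefix="odin-check-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Hypothetical filenames: one renamed file, one untouched file, both ransom notes
    for name in ("A1B2C3D4.odin", "notes.txt", "_HOWDO_text.html", "_HOWDO_text.bmp"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"sample")
    with open(os.path.join(root, "clean.docx"), "wb") as fh:
        fh.write(b"sample")
    return root


if __name__ == "__main__":
    r = scan_for_odin(build_sample_tree())
    print(f"{len(r['encrypted'])} .odin files, {len(r['notes'])} ransom notes "
          f"in {len(r['dirs_hit'])} directories")
    for p in r["encrypted"] + r["notes"]:
        print("  ", p)
```

Point scan_for_odin() at a user profile or a mapped share to get a per-directory picture of what was touched; the ransom-note locations are also a useful cross-check, since the notes land in the same folders as the renamed files.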

 


Shown above:  Ransom payment is 1.5 bitcoin, just like I've seen from the samples of the .zepto Locky variant this past week.

 

FINAL NOTES


ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
