2016-10-24 - ".SHIT" VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-10-24-Locky-malspam-info.csv   (1,965 bytes)
  • artifacts-from-infected-hosts / KiOBUGxRvH1.dll   (274,432 bytes)
  • artifacts-from-infected-hosts / LjXiDmd1.dll   (274,432 bytes)
  • artifacts-from-infected-hosts / UrhgVhR1.dll   (274,432 bytes)
  • artifacts-from-infected-hosts / XebQkujR1.dll   (274,432 bytes)
  • artifacts-from-infected-hosts / YnDGHb1.dll   (274,432 bytes)
  • artifacts-from-infected-hosts / _WHAT_is.bmp   (3,578,902 bytes)
  • artifacts-from-infected-hosts / _WHAT_is.html   (9,976 bytes)
  • artifacts-from-infected-hosts / mIbqzP1.dll   (274,432 bytes)
  • attachments / Receipt 017-13644.zip   (8,018 bytes)
  • attachments / Receipt 15075-053619.zip   (7,400 bytes)
  • attachments / Receipt 46-2734.zip   (7,438 bytes)
  • attachments / Receipt 4845-83761.zip   (7,977 bytes)
  • attachments / Receipt 63-81684.zip   (7,378 bytes)
  • attachments / Receipt 77077-14409.zip   (7,979 bytes)
  • emails / 2016-10-24-malspam-1314-UTC.eml   (10,899 bytes)
  • emails / 2016-10-24-malspam-1322-UTC.eml   (10,841 bytes)
  • emails / 2016-10-24-malspam-1335-UTC.eml   (10,862 bytes)
  • emails / 2016-10-24-malspam-1356-UTC.eml   (11,669 bytes)
  • emails / 2016-10-24-malspam-1421-UTC.eml   (11,686 bytes)
  • emails / 2016-10-24-malspam-1434-UTC.eml   (11,631 bytes)
  • extracted-files / Receipt 15110-632446.wsf   (29,186 bytes)
  • extracted-files / Receipt 34469-690103.wsf   (29,447 bytes)
  • extracted-files / Receipt 43284-144137.hta   (26,180 bytes)
  • extracted-files / Receipt 53744-762732.wsf   (31,424 bytes)
  • extracted-files / Receipt 72645-990319.hta   (27,938 bytes)
  • extracted-files / Receipt 84603-492538.hta   (25,635 bytes)
  • pcaps / 2016-10-24-traffic-from-1314-UTC-malspam.pcap   (120,026 bytes)
  • pcaps / 2016-10-24-traffic-from-1322-UTC-malspam.pcap   (184,925 bytes)
  • pcaps / 2016-10-24-traffic-from-1325-UTC-malspam.pcap   (209,376 bytes)
  • pcaps / 2016-10-24-traffic-from-1358-UTC-malspam.pcap   (177,510 bytes)
  • pcaps / 2016-10-24-traffic-from-1421-UTC-malspam.pcap   (262,724 bytes)
  • pcaps / 2016-10-24-traffic-from-1434-UTC-malspam.pcap   (160,647 bytes)

NOTES:

EMAILS

Shown above: Data from six Locky malspam examples (part 1 of 2).

Shown above: Data from six Locky malspam examples (part 2 of 2).


TRAFFIC

TRAFFIC FROM THE .HTA AND .WSF FILES (TO RETRIEVE THE LOCKY):

POST-INFECTION LOCKY CALLBACK:

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

FILE HASHES

LOCKY SAMPLE:

IMAGES

Shown above: Screenshot from an infected Windows desktop. Note the .shit file extension.

Shown above: Ransom payment is 1.5 bitcoin, just like most samples of the previous variant I've seen.

FINAL NOTES

Once again, here is the associated archive:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.