2016-11-29 - "ZZZZZ" VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-11-29-Locky-malspam-infection-traffic-example-from-1st-wave.pcap   (244,630 bytes)
  • 2016-11-29-Locky-malspam-infection-traffic-example-from-2nd-wave.pcap   (134,876 bytes)
  • 2016-11-29-Locky-malspam-info.csv   (7,994 bytes)
  • artifacts-from-infected-hosts / 2016-11-29-Locky-Decryptor-style.css   (3,422 bytes)
  • artifacts-from-infected-hosts / 2016-11-29-Locky-Decryptor.html   (6,389 bytes)
  • artifacts-from-infected-hosts / 2016-11-29-Locky-binary-luswiacs1.dll   (221,184 bytes)
  • artifacts-from-infected-hosts / 2016-11-29-Locky-decryption-instructions-INSTRUCTION.bmp   (3,578,902 bytes)
  • artifacts-from-infected-hosts / 2016-11-29-Locky-decryption-instructions-INSTRUCTION.html   (9,221 bytes)
  • attachments / COPY.29112016.0076.XLS   (28,443 bytes)
  • attachments / COPY.29112016.022138.XLS   (28,490 bytes)
  • attachments / COPY.29112016.0493.XLS   (28,546 bytes)
  • attachments / COPY.29112016.11089.XLS   (28,490 bytes)
  • attachments / COPY.29112016.132642.XLS   (28,519 bytes)
  • attachments / COPY.29112016.2456.XLS   (28,555 bytes)
  • attachments / COPY.29112016.3054.XLS   (28,530 bytes)
  • attachments / COPY.29112016.494446.XLS   (28,534 bytes)
  • attachments / COPY.29112016.5314.XLS   (28,555 bytes)
  • attachments / COPY.29112016.61652.XLS   (28,533 bytes)
  • attachments / COPY.29112016.625239.XLS   (28,453 bytes)
  • attachments / COPY.29112016.6596.XLS   (28,554 bytes)
  • attachments / COPY.29112016.6610.XLS   (28,516 bytes)
  • attachments / COPY.29112016.6922.XLS   (28,531 bytes)
  • attachments / COPY.29112016.705897.XLS   (28,551 bytes)
  • attachments / COPY.29112016.7141.XLS   (28,558 bytes)
  • attachments / COPY.29112016.7955.XLS   (28,567 bytes)
  • attachments / COPY.29112016.917519.XLS   (28,532 bytes)
  • attachments / COPY.29112016.94437.XLS   (28,540 bytes)
  • attachments / COPY.29112016.94603.XLS   (28,496 bytes)
  • attachments / INVOICE.TAM_078107_20161129_EB80D624D.xls   (44,368 bytes)
  • attachments / INVOICE.TAM_083482_20161129_178B52CB2.xls   (44,347 bytes)
  • attachments / INVOICE.TAM_135486_20161129_F54C387E0.xls   (44,394 bytes)
  • attachments / INVOICE.TAM_139603_20161129_FCC172411.xls   (44,387 bytes)
  • attachments / INVOICE.TAM_161425_20161129_F8363B5F4.xls   (44,347 bytes)
  • attachments / INVOICE.TAM_19014_20161129_1155219AD.xls   (44,370 bytes)
  • attachments / INVOICE.TAM_21078_20161129_E3DBB2719.xls   (44,371 bytes)
  • attachments / INVOICE.TAM_28697_20161129_1E4F735BA.xls   (44,381 bytes)
  • attachments / INVOICE.TAM_40234_20161129_49ED776BD.xls   (44,399 bytes)
  • attachments / INVOICE.TAM_42709_20161129_A805F73C0.xls   (44,369 bytes)
  • attachments / INVOICE.TAM_52133_20161129_B72AE506E.xls   (44,348 bytes)
  • attachments / INVOICE.TAM_52201_20161129_FCAE04AC3.xls   (44,377 bytes)
  • attachments / INVOICE.TAM_55935_20161129_055BB65DD.xls   (44,394 bytes)
  • attachments / INVOICE.TAM_61960_20161129_AFA46BED8.xls   (44,359 bytes)
  • attachments / INVOICE.TAM_83732_20161129_EFD7983DD.xls   (44,363 bytes)
  • attachments / INVOICE.TAM_84170_20161129_91A729B75.xls   (44,340 bytes)
  • attachments / INVOICE.TAM_844370_20161129_3B7365ECB.xls   (44,339 bytes)
  • attachments / INVOICE.TAM_875063_20161129_B2D8CF86B.xls   (44,361 bytes)
  • attachments / INVOICE.TAM_90207_20161129_910A929DF.xls   (44,334 bytes)
  • attachments / INVOICE.TAM_96492_20161129_CF7763F18.xls   (44,394 bytes)
  • emails / 2016-11-29-0809-UTC.eml (61,253 bytes)
  • emails / 2016-11-29-0901-UTC.eml (61,222 bytes)
  • emails / 2016-11-29-0929-UTC.eml (61,211 bytes)
  • emails / 2016-11-29-0932-UTC.eml (61,217 bytes)
  • emails / 2016-11-29-0952-UTC.eml (61,233 bytes)
  • emails / 2016-11-29-0953-UTC.eml (61,293 bytes)
  • emails / 2016-11-29-1000-UTC.eml (61,183 bytes)
  • emails / 2016-11-29-1003-UTC.eml (61,248 bytes)
  • emails / 2016-11-29-1015-UTC.eml (61,237 bytes)
  • emails / 2016-11-29-1031-UTC.eml (61,238 bytes)
  • emails / 2016-11-29-1117-UTC.eml (61,204 bytes)
  • emails / 2016-11-29-1121-UTC.eml (61,247 bytes)
  • emails / 2016-11-29-1134-UTC.eml (61,274 bytes)
  • emails / 2016-11-29-1135-UTC.eml (61,272 bytes)
  • emails / 2016-11-29-1137-UTC.eml (61,271 bytes)
  • emails / 2016-11-29-1138-UTC.eml (61,215 bytes)
  • emails / 2016-11-29-1205-UTC.eml (61,259 bytes)
  • emails / 2016-11-29-1239-UTC.eml (61,193 bytes)
  • emails / 2016-11-29-1256-UTC.eml (61,287 bytes)
  • emails / 2016-11-29-1300-UTC.eml (61,217 bytes)
  • emails / 2016-11-29-1416-UTC.eml (40,486 bytes)
  • emails / 2016-11-29-1421-UTC.eml (40,547 bytes)
  • emails / 2016-11-29-1434-UTC.eml (40,524 bytes)
  • emails / 2016-11-29-1503-UTC.eml (40,528 bytes)
  • emails / 2016-11-29-1512-UTC.eml (40,486 bytes)
  • emails / 2016-11-29-1513-UTC.eml (40,496 bytes)
  • emails / 2016-11-29-1543-UTC.eml (40,536 bytes)
  • emails / 2016-11-29-1549-UTC.eml (40,551 bytes)
  • emails / 2016-11-29-1553-UTC.eml (40,507 bytes)
  • emails / 2016-11-29-1558-UTC.eml (40,419 bytes)
  • emails / 2016-11-29-1559-UTC.eml (40,584 bytes)
  • emails / 2016-11-29-1607-UTC.eml (40,536 bytes)
  • emails / 2016-11-29-1614-UTC.eml (40,559 bytes)
  • emails / 2016-11-29-1623-UTC.eml (40,501 bytes)
  • emails / 2016-11-29-1625-UTC.eml (40,571 bytes)
  • emails / 2016-11-29-1629-UTC.eml (40,569 bytes)
  • emails / 2016-11-29-1630-UTC.eml (40,569 bytes)
  • emails / 2016-11-29-1707-UTC.eml (40,557 bytes)
  • emails / 2016-11-29-1721-UTC.eml (40,589 bytes)
  • emails / 2016-11-29-1725-UTC.eml (40,612 bytes)

 

NOTES:

Shown above:  A Google image search related to the .zzzzz file extension.

EMAILS

Shown above:  Data from 40 Locky malspam examples (part 1 of 2).

Shown above:  Data from 40 Locky malspam examples (part 2 of 2).

Shown above:  An example from the first wave of these emails.

Shown above:  An example from the second wave of these emails.

TRAFFIC

Shown above:  An example of infection traffic from one of the emails in the first wave.

Shown above:  An example of infection traffic from one of the emails in the second wave.

EXAMPLES OF TRAFFIC GENERATED BY THE EXCEL MACRO GRABBING THE LOCKY BINARY:

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

FILE HASHES

LOCKY DLL FILE:

EXCEL SPREADSHEETS FROM THE MALSPAM (SHA256 HASH - FILE NAME):
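The "SHA256 hash - file name" listing above is the kind of output you want when triaging a batch of malspam like the 40 .eml files in this post: pull the Excel attachment out of each message, hash it, and flag whether it carries a VBA project before anything is opened. The script below is an added example and is not a script from the original page. It runs on a message constructed inline; the "spreadsheet" in that message is a stub that only mimics the OLE2 signature and a VBA stream name, and the addresses and subject are placeholders, so nothing here is taken from the real campaign emails.

```python
"""Triage malspam .eml files: extract attachments, hash them, and flag the
legacy Excel files that carry a VBA project.

Added example, not part of the original page.  The sample message is
constructed below so the script runs offline."""
import email
import hashlib
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Legacy .xls files are OLE2 compound documents; this is the 8-byte signature.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# The OLE2 directory stores stream names as UTF-16LE.  A document with macros
# has a "_VBA_PROJECT" stream, so its name is visible in the raw bytes even
# though the module source itself is stored compressed.
VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")

SPREADSHEET_SUFFIXES = (".xls", ".xlt", ".xlsm", ".xlsb")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_ole2(data: bytes) -> bool:
    return data.startswith(OLE2_MAGIC)


def has_vba_project(data: bytes) -> bool:
    return VBA_STREAM_NAME in data


def triage_eml(raw: bytes) -> list:
    """Return one record per attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        is_xls = name.lower().endswith(SPREADSHEET_SUFFIXES)
        records.append({
            "from": str(msg["From"]),
            "subject": str(msg["Subject"]),
            "filename": name,
            "size": len(payload),
            "sha256": sha256_hex(payload),
            "ole2": looks_like_ole2(payload),
            # Flag only spreadsheets that are OLE2 and contain a VBA stream.
            "vba": is_xls and looks_like_ole2(payload) and has_vba_project(payload),
        })
    return records


def triage_directory(eml_dir: Path) -> list:
    """Run triage_eml over every .eml in a directory (e.g. the emails/ folder)."""
    records = []
    for path in sorted(eml_dir.glob("*.eml")):
        records.extend(triage_eml(path.read_bytes()))
    return records


def format_hash_lines(records: list) -> list:
    """Render records the way the FILE HASHES section lists them."""
    return [f"{r['sha256']} - {r['filename']}" for r in records]


# ---- constructed sample input (not a real message from the campaign) ----
SAMPLE_ATTACHMENT = (
    OLE2_MAGIC + b"\x00" * 504            # fake 512-byte header sector
    + VBA_STREAM_NAME + b"\x00" * 100     # fake directory entry name
)


def build_sample_eml() -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = "COPY"                     # placeholder subject
    msg.set_content("Please see the attached copy.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="vnd.ms-excel", filename="COPY.29112016.0076.XLS")
    msg.add_attachment("just text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_EML = build_sample_eml()

if __name__ == "__main__":
    for rec in triage_eml(SAMPLE_EML):
        flag = "VBA" if rec["vba"] else "   "
        print(f"{flag} {rec['sha256']} - {rec['filename']} ({rec['size']} bytes)")
```

Point triage_directory at the emails/ folder to get the same listing for real samples. The stream-name check is only a first-pass filter: it tells you a legacy OLE2 workbook has a VBA project, not what the macro does, so hand anything it flags to a proper parser such as olevba from oletools. A negative is not a clean bill either; a workbook that drives its download with Excel 4.0 macro sheets has no _VBA_PROJECT stream at all.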

 

IMAGES

Shown above:  Screen shot from an infected Windows desktop.  Note the .zzzzz file extension.

Shown above:  Ransom payment was 1.5 bitcoin for the infections I generated.

FINAL NOTES

Once again, here are the associated archives:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
