2016-12-16 - "OSIRIS" VARIANT LOCKY MALSPAM WITH WORD DOCUMENTS CONTAINING MALICIOUS MACROS

ASSOCIATED FILES:

NOTES:


Shown above:  Chain of events for an infection from this malspam.

 

THE EMAILS

IP ADDRESSES OF BOTNET HOSTS SENDING THE MALSPAM:

 

SUBJECT LINES:

 

SPOOFED SENDING ADDRESSES:

 

RECIPIENT:

 


Shown above:  Data from 20 Locky malspam examples (part 1 of 2).

 


Shown above:  Data from 20 Locky malspam examples (part 2 of 2).

 


Shown above:  An example of these emails.

 


Shown above:  An example of these attachments--Word documents with malicious macros.
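The attachments in this campaign are Word documents that only do damage if their VBA project runs. As an added triage example (not code from this page or from its archives), the Python below checks whether a Word attachment carries a VBA project at all, for both container formats Word uses: OOXML (.docx/.docm, a zip that holds word/vbaProject.bin when macros are present) and the legacy OLE compound file (.doc, where the _VBA_PROJECT stream name appears in the directory). The sample documents it builds are constructed stubs, not the real attachments; the OLE check is a raw byte scan for the stream name, a lightweight stand-in for a proper directory parse such as olevba's.

```python
import io
import zipfile

# Magic bytes for the two container formats Word uses.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.docm (OOXML zip)

# OLE directory entry names are stored UTF-16LE; the _VBA_PROJECT stream
# exists only when the file carries a VBA project.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def has_vba_macros(data: bytes) -> bool:
    """Return True if a Word document (either container format) carries a VBA project."""
    if data.startswith(ZIP_MAGIC):
        # OOXML: macro-enabled documents carry word/vbaProject.bin inside the zip.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    if data.startswith(OLE_MAGIC):
        # Legacy .doc: heuristic raw scan for the _VBA_PROJECT stream name
        # (a real OLE directory walk, as olevba does, is more robust).
        return VBA_STREAM_MARKER in data
    return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Summarise one attachment: container type, macro presence, and a flag for a
    file presented as .docx (an extension that implies no macros) that still
    carries a VBA project."""
    if data.startswith(ZIP_MAGIC):
        container = "ooxml"
    elif data.startswith(OLE_MAGIC):
        container = "ole"
    else:
        container = "unknown"
    macros = has_vba_macros(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "filename": filename,
        "container": container,
        "has_macros": macros,
        "extension_mismatch": macros and ext == "docx",
    }


# --- constructed sample inputs (stubs, not files from the page's archives) ---

def build_sample_docm(with_macro: bool) -> bytes:
    """Build a minimal OOXML zip in memory; with_macro adds word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


# Stub legacy .doc files: OLE header plus a directory-style entry name.
SAMPLE_LEGACY_DOC_WITH_MACRO = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM_MARKER + b"\x00" * 40
SAMPLE_LEGACY_DOC_CLEAN = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")


if __name__ == "__main__":
    for name, blob in [
        ("invoice.docm", build_sample_docm(True)),
        ("report.docx", build_sample_docm(False)),
        ("renamed.docx", build_sample_docm(True)),
        ("old_invoice.doc", SAMPLE_LEGACY_DOC_WITH_MACRO),
    ]:
        print(triage_attachment(name, blob))
```

Run it against a quarantined attachment by reading the file's bytes and passing them to triage_attachment; a positive result means the document should be opened only in a sandbox, since the page shows that the macro alone is enough to pull down the Locky binary.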

 

TRAFFIC


Shown above:  An example of infection traffic by the Word macro from one of the emails.

 

TRAFFIC GENERATED BY THE WORD DOCUMENT MACROS RETRIEVING THE LOCKY BINARY:

 

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

 

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

LOCKY DLL FILE:

 

WORD DOCUMENT ATTACHMENTS FROM THE MALSPAM (SHA256 HASH - FILE NAME):

 

IMAGES


Shown above:  Screen shot from an infected Windows desktop.  Note the .osiris file extension.

 

FINAL NOTES

Once again, here are the associated archives:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
