Malware-Traffic-Analysis.net - 2017-04-21 - Locky ransomware infection

2017-04-21 - LOCKY RANSOMWARE INFECTION

NOTICE:

The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.

ASSOCIATED FILES:

2017-04-21-Locky-ransomware-infection-traffic.pcap.zip 237.9 kB (237,939 bytes)
2017-04-21-Locky-ransomware-malspam-tracker.csv.zip 1.2 kB (1,184 bytes)
2017-04-21-Locky-ransomware-emails-and-malware.zip 2.4 MB (2,445,413 bytes)

MORE INFO:

2017-04-21 - My Online Security: The return of Locky ransomware with fake receipts malspam
2017-04-21 - BleepingComputer: The Locky Ransomware is Back and Still Adding OSIRIS to Encrypted Files

IMAGES

ASSOCIATED MALWARE SAMPLES

SHA256 HASHES FOR PDF ATTACHMENTS:

1705d38d2ea80177963d67fd18e836326d70a239378d6b9c74d445c5e0b423d6
2881600b108ece9a1df3e7659370e3ee79cf233e9723a9acd7985452c5915eb3
3ccef773a5527c7128987bb8d359726f0b3d4d84dd6526c1b3aa76fd98b68539
59388d5534bd3b7973186c1a82b7db6e33111b57b133f44d8776423aa58f627c
9008ee571b139496190f4e54d155300a1c875a8fb9096cfa27809e4e71955176
92c3e427edd0b7c986259347e6f5c9a51d534ce789f04cbc086981a7fac7617b
f1326f8c348b6a4eb0fe0c3fcdc27e8375fd0ea7ecca54d392de790f31a9d037
ff92433ae4ee90b3c6dd3cd5655302be345addd2a57bf143ee982e692ca7ca33

SHA256 HASHES FOR EMBEDDED WORD DOCUMENTS:

2a8590ec5e8cea900e4f21845ab844df3e74e81bf9a093913b6beec41983e522
47f599d4bfd72599cdef4d81ecfc37b9d72fa58481a92ad471e873272cc8a915
73dc25a92422d64981dc478cf421cab1490022fff9e8cb5859abe85b9a9d3a55
97d991869130c62a2dd36e88e4e2b6080dba69ca4ccd56b149b20d8b2895189e
9ee4e4015be4bb51843acff67f5dcda39e2ee5debe76e321cb3bb50f59d19392
c99ef1c016b265b02b978d5395a63f0559c43b42a576fda12c20913bdcfa9da6
e25b2a1e70f65f07fc9e61204e11fd024382221ff052a963baede8e32cfb613b
e76789a6c0c6867d1c519edede59ad1be0ab44606df8f8f6400e289fbf47a964

SHA256 HASH FOR LOCKY RANSOMWARE EXE:

4ebc124c7e19c2a87f911e9972f365f6fd0ef1532981a828b085e0a6bac2e310

INFECTION TRAFFIC

URLS FOR LOCKY RANSOMWARE EXE DOWNLOAD FROM THE WORD MACROS:

abcenglishclub[.]com - GET /9yg65
aielloengineering[.]com - GET /9yg65
aim-controls[.]com - GET /9yg65
bhmech[.]com - GET /9yg65
cindysplace[.]net - GET /9yg65
clayhero[.]com - GET /9yg65
dont[.]pl - GET /9yg65
ercelectronics[.]com - GET /9yg65
maheriscriverius[.]nl - GET /9yg65
rootcellar[.]us - GET /9yg65
ros-jurist[.]ru - GET /9yg65
sgph.comcastbiz.net - GET /9yg65
sherwoodbusiness[.]com - GET /9yg65
uwdesign[.]com[.]br - GET /9yg65

LOCKY RANSOMWARE POST-INFECTION TRAFFIC:

80.85.158[.]212 - GET /checkupdate

Click here to return to the main page.