2017-08-09 - "DIABLO6" VARIANT OF LOCKY RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-08-09-Locky-ransomware-traffic.pcap.zip 451.2 kB (451,229 bytes)
- 2017-08-09-Locky-ransomware-traffic.pcap (556,954 bytes)
- 2017-08-09-files-from-Locky-ransomware-infection.zip 602.1 kB (602,118 bytes)
- 2017-08-09-Locky-decryption-instructions-diablo6.bmp (5,666,614 bytes)
- 2017-08-09-Locky-decryption-instructions-diablo6.htm (8,913 bytes)
- 2017-08-09-Locky-ransomware.exe (620,544 bytes)
- 2017-08-09 (263).vbs (5,892 bytes)
- 2017-08-09 (780).zip (2,125 bytes)
NOTES:
- The emails were dated 2017-07-24 even though they were sent (or people received them) on 2017-08-09.
- Plenty of info and tweets out about this already, but I'm posting some infection traffic, the associated malware, and screenshots.
INFO ABOUT THIS:
- https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-with-spam-campaign-pushing-diablo6-variant/
- https://twitter.com/tmmalanalyst/status/895278078255022080
- https://twitter.com/msftmmpc/status/895451370270183424
EMAILS
[Screenshot] An example of what the emails looked like.
[Screenshot] The zip archive attachment and the extracted VBS file.
TRAFFIC
[Screenshot] Traffic from an infection filtered in Wireshark.
ASSOCIATED DOMAINS:
- 54.213.174[.]122 port 80 - dbr663dnbssfrodison[.]net - GET /af/y872ff2f [.js file grabbing Locky executable]
- 31.202.130[.]9 port 80 - 31.202.130[.]9 - POST /checkupdate [Locky post-infection traffic]
- g46mbrrzpfszonuk[.]onion - Tor domain for the Locky decryptor
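Added example, not from this page or its author: a small Python scanner that checks HTTP proxy log lines against the two network indicators listed above (destination IP, Host header, method and URI are copied from the list; the Tor domain is not reachable over plain HTTP and is left out). The log line format, the sample lines and the "POST /checkupdate to a bare-IP Host" heuristic are assumptions made for this example, so the heuristic generalizes the second indicator beyond the one IP on the page.

```python
"""Scan HTTP proxy log lines for the Locky Diablo6 network indicators listed on the page."""
import re
from ipaddress import ip_address


def refang(value: str) -> str:
    """Turn the page's defanged notation ("[.]") back into a real dot for matching."""
    return value.replace("[.]", ".")


# Network indicators copied from the page (kept defanged, refanged at match time).
INDICATORS = [
    {"ip": "54.213.174[.]122", "host": "dbr663dnbssfrodison[.]net", "method": "GET",
     "uri": "/af/y872ff2f", "desc": ".js file grabbing Locky executable"},
    {"ip": "31.202.130[.]9", "host": "31.202.130[.]9", "method": "POST",
     "uri": "/checkupdate", "desc": "Locky post-infection traffic"},
]

# Assumed log format (not the page's pcap): timestamp, client IP, server:port,
# method, Host header, request URI, separated by whitespace.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<server>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address rather than a name."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def match_line(rec: dict) -> list:
    """List the reasons a parsed request matches the page's indicators."""
    reasons = []
    for ioc in INDICATORS:
        if rec["server"] == refang(ioc["ip"]) or rec["host"] == refang(ioc["host"]):
            if rec["method"] == ioc["method"] and rec["uri"].startswith(ioc["uri"]):
                reasons.append(f"exact IoC: {ioc['desc']}")
            else:
                reasons.append(f"known infrastructure: {refang(ioc['host'])}")
    # Heuristic (assumption): the check-in shape from the second indicator, any bare-IP Host.
    if rec["method"] == "POST" and rec["uri"] == "/checkupdate" and is_bare_ip(rec["host"]):
        if not any(r.startswith("exact IoC") for r in reasons):
            reasons.append("heuristic: POST /checkupdate to bare-IP Host (Locky-style check-in)")
    return reasons


def scan(lines) -> list:
    """Return (line number, host+uri, reasons) for every line that matches something."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of crashing on them
        reasons = match_line(rec)
        if reasons:
            hits.append((n, rec["host"] + rec["uri"], reasons))
    return hits


# Constructed sample log lines (not taken from the page's pcap).
SAMPLE_LOG = [
    "2017-08-09T13:01:02Z 10.0.0.5 203.0.113.10:80 GET example.com /index.html",
    "2017-08-09T13:01:10Z 10.0.0.5 54.213.174.122:80 GET dbr663dnbssfrodison.net /af/y872ff2f",
    "2017-08-09T13:01:25Z 10.0.0.5 31.202.130.9:80 POST 31.202.130.9 /checkupdate",
    "2017-08-09T13:02:00Z 10.0.0.7 198.51.100.20:80 POST 198.51.100.20 /checkupdate",
    "malformed line",
]

if __name__ == "__main__":
    for n, req, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {req} -> {'; '.join(reasons)}")
```

Exact matches on the listed IP/domain and URI are reported separately from the heuristic hit, so an analyst can tell a confirmed indicator from a pattern that only resembles the check-in and still needs a look.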
FILE HASHES
ZIP ARCHIVE FROM THE EMAIL:
- SHA256 hash: 4f3f5f29b94a9259ebd32e65b99270b8986233d35b95a6be2d8b71c80cf8b804
File name: E 2017-08-09 (780).zip
File size: 2,125 bytes
EXTRACTED .VBS FILE:
- SHA256 hash: 788f28e498f32aaabed5d835627dfea1e9894c275d4833ee83c823347e244ff3
File name: E 2017-08-09 (263).vbs
File size: 5,892 bytes
LOCKY RANSOMWARE EXECUTABLE RETRIEVED FROM THE INFECTED HOST:
- SHA256 hash: f689391b0527fbf40d425e1ffb1fafd5c84fa68af790e8cc4093bcc81708c11b
File location: C:\Users\[username]\AppData\Local\Temp\[random string of letters].exe
File size: 620,544 bytes
SCREENSHOTS
[Screenshot] A Windows host infected with this Diablo6 variant of Locky.
[Screenshot] Examples of encrypted files.
[Screenshot] The Locky decryptor site on the Tor domain.
[Screenshot] 0.5 bitcoin was the ransom cost.