2017-08-09 - "DIABLO6" VARIANT OF LOCKY RANSOMWARE

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-08-09-Locky-ransomware-traffic.pcap.zip   451.2 kB (451,229 bytes)

• 2017-08-09-Locky-ransomware-traffic.pcap   (556,954 bytes)

• 2017-08-09-files-from-Locky-ransomware-infection.zip   602.1 kB (602,118 bytes)

• 2017-08-09-Locky-decryption-instructions-diablo6.bmp   (5,666,614 bytes)
• 2017-08-09-Locky-decryption-instructions-diablo6.htm   (8,913 bytes)
• 2017-08-09-Locky-ransomware.exe   (620,544 bytes)
• 2017-08-09 (263).vbs   (5,892 bytes)
• 2017-08-09 (780).zip   (2,125 bytes)

 

NOTES:

• The emails were dated 2017-07-24 even though they were sent (or people received them) on 2017-08-09.
• Plenty of info and tweets out about this already, but I'm posting some infection traffic, the associated malware, and screenshots.

 

INFO ABOUT THIS:

• https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-with-spam-campaign-pushing-diablo6-variant/
• https://twitter.com/tmmalanalyst/status/895278078255022080
• https://twitter.com/msftmmpc/status/895451370270183424

 

EMAILS

Shown above:  An example of what the emails looked like.

 

Shown above:  The zip archive attachement and extracted VBS file.

 

TRAFFIC

Shown above:  Traffic from an infection filtered in Wireshark.

 

ASSOCIATED DOMAINS:

• 54.213.174[.]122 port 80 - dbr663dnbssfrodison[.]net - GET /af/y872ff2f   [.js file grabbing Locky executable]
• 31.202.130[.]9 port 80 - 31.202.130[.]9 - POST /checkupdate   [Locky post-infection traffic]
• g46mbrrzpfszonuk[.]onion - Tor domain for the Locky decryptor

 

FILE HASHES

ZIP ARCHIVE FROM THE EMAIL:

• SHA256 hash:  4f3f5f29b94a9259ebd32e65b99270b8986233d35b95a6be2d8b71c80cf8b804
  File name:  E 2017-08-09 (780).zip
  File size:  2,125 bytes

EXTRACTED .VBS FILE:

• SHA256 hash:  788f28e498f32aaabed5d835627dfea1e9894c275d4833ee83c823347e244ff3
  File name:  E 2017-08-09 (263).vbs
  File size:  5,892 bytes

LOCKY RANSOMWARE EXECUTABLE RETRIEVED FROM THE INFECTED HOST:

• SHA256 hash:  f689391b0527fbf40d425e1ffb1fafd5c84fa68af790e8cc4093bcc81708c11b
  File location:  C:\Users\[username]\AppData\Local\Temp\[random string of letters].exe
  File size:  620,544 bytes

 

SCREENSHOTS

Shown above:  Screenshot from a Windows host infected with this Diablo6 variant of Locky.

 

Shown above:  Examples of encrypted files.

 

Shown above:  Locky decryption from the Tor domain.

 

Shown above:  0.5 bitcoin was the ransom cost.

 

Click here to return to the main page.