2017-09-07 - MALSPAM PUSHES "LUKITUS" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

EMAILS


Shown above:  Screenshot of the spreadsheet tracker.
EMAILS:

Shown above:  Screenshot of the emails (earlier wave 1 of 2).

Shown above:  Screenshot of the emails (earlier wave 2 of 2).

Shown above:  Screenshot of the emails (later wave).
TRAFFIC


Shown above:  Traffic from an earlier infection filtered in Wireshark.

Shown above:  Traffic from a later infection filtered in Wireshark.
LINKS FROM THE EARLIER EMAILS:

URLS TO DOWNLOAD LOCKY CAUSED BY EARLIER EMAILS:

LINKS IN LATER EMAILS:

URLS TO DOWNLOAD LOCKY CAUSED BY LATER EMAILS:

LOCKY POST-INFECTION TRAFFIC:
FILE HASHES

SHA256 hash: b6a6c9746694e4aa7081c1fc4b3c54e7716b80ef438b069a906fb852c89a7923
SHA256 hash: ba573c9c097ff7ec0f9c24a11f17c6de24133a214183ec1e21d443c525271dfd
SHA256 hash: 958569e5942e3e4aa2df592f1c2cdd24cf187a237a0073c6ef1462a6c89a8590
SHA256 hash: f31aee58fc2dfde26a4d40fe081ce467ce31d4955212a53f93f717e1f1c5f4c1
SHA256 hash: 1db77f180460ae8be542c5e392e1c2ceed47f420f3831685babebdc038a99446
SHA256 hash: 39d986b3a62f4d1b2e43c8295a2a645187e08417b6c0d2d8b08a9f7e75343936
SHA256 hash: f34c4bc6bca63d3c18b3a570d602a7d513594dc6c563ace7372ed3046b3d567f
SHA256 hash: 24ca332249210bec427078f877e8c1b942fb469387428682ff421de7e68d0582
SHA256 hash: e9981527fade0266ec18c73bf3cb066738ed12c3c3530a30a2e56a790d180107
SHA256 hash: 278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f
IMAGES


Shown above:  Downloading a JavaScript (.js) file from the earlier waves.

Shown above:  Downloading a 7-Zip archive (.7z) from the later wave.

Shown above:  JavaScript (.js) example from the earlier waves.

Shown above:  7-Zip archive (.7z) example from the later wave.

Shown above:  If you've seen one Windows desktop infected with Lukitus variant Locky, you've seen them all.

Shown above:  0.5 Bitcoin seems a little steep for the ransom cost.
FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.