2017-09-11 - BLANK SLATE MALSPAM PUSHES "LUKITUS" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

  • 2017-09-11-Blank-Slate-malspam-traffic.pcap   (704,156 bytes)
  • 231356.doc   (76,272 bytes)
  • Temp2991.exe   (631,808 bytes)

SOME BACKGROUND:

TODAY'S NOTES:


EMAILS


Shown above:  Screenshot from one of today's Blank Slate emails.


EMAILS NOTED:


TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.


URLS FROM THE RECENT WORD MACROS TO DOWNLOAD LOCKY:


ASSOCIATED FILES

EMAIL ATTACHMENT:

FOLLOW-UP LOCKY RANSOMWARE:


IMAGES


Shown above:  The attached Word document.



Shown above:  Malicious macro from the Word document is somewhat obfuscated.



Shown above:  Removing the "DuE" string reveals the URLs to download follow-up malware (in this case, Locky).
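As an added illustration (not part of the original post, its pcap, or the sample files), here is a small Python triage helper that applies the same idea: pull the string literals out of a macro, strip the junk token, and collect the URLs that appear. The macro text, the domains and the token-guessing heuristic are all constructed for this example; an analyst should confirm a guessed token by eye before trusting the result.

```python
import re
from collections import Counter

# Constructed sample in the style the page describes: a junk token ("DuE")
# is spliced into the string literals that hold the download URLs.
# Domains are placeholders, not the URLs from the real sample.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim a As String
    a = "htDuEtp://malDuEware-exaDuEmple.invaDuElid/ss/DuE1.exe"
    b = "http://secDuEond-exDuEample.invalid/DuEpayDuEload.exe"
    c = "nothing-DuEinteresting"
End Sub
'''

STRING_LITERAL = re.compile(r'"([^"\n]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def vba_string_literals(macro_text):
    """Return the contents of every double-quoted literal in the macro."""
    return STRING_LITERAL.findall(macro_text)


def guess_junk_token(literals, min_len=2, max_len=5):
    """Heuristic (constructed for this example): the junk token is the
    substring that recurs most often across all literals, longest wins ties.
    Returns None when nothing repeats enough to look like padding."""
    counts = Counter()
    for lit in literals:
        for n in range(min_len, max_len + 1):
            for i in range(len(lit) - n + 1):
                counts[lit[i:i + n]] += 1
    if not counts:
        return None
    token, hits = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])))
    return token if hits >= 3 else None


def deobfuscate_urls(macro_text, junk_token=None):
    """Strip the junk token from each literal and return (token, urls).
    If no token is supplied, guess it from the literals."""
    literals = vba_string_literals(macro_text)
    token = junk_token or guess_junk_token(literals)
    cleaned = [lit.replace(token, "") if token else lit for lit in literals]
    urls = [u for s in cleaned for u in URL_RE.findall(s)]
    return token, urls


if __name__ == "__main__":
    found_token, found_urls = deobfuscate_urls(SAMPLE_MACRO)
    print("junk token:", found_token)
    for url in found_urls:
        print("URL:", url)
```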



Shown above:  Desktop of an infected Windows host.



Shown above:  The Locky decryptor showing 0.5 BTC as the ransom payment.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
