2017-10-02 - NECURS BOTNET MALSPAM STILL PUSHING ".YKCOL" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

NOTES:

 

EMAILS

EMAILS COLLECTED:

Read: Date/Time -- Subject -- Sending email address (spoofed)

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark (no post-infection traffic noted).

 

PARTIAL URLS FROM THE .JS FILES TO DOWNLOAD LOCKY:

 

ASSOCIATED FILES

SHA256 HASHES FOR ATTACHMENTS:

SHA256 HASHES FOR EXTRACTED FILES:

SHA256 HASH FOR THE ONE LOCKY BINARY SAMPLE I PULLED TODAY:

 

IMAGES


Shown above:  Screenshot from an infected Windows desktop--Encrypted files all have a .ykcol file extension.

 


Shown above:  Locky Decryptor page, where it looks like the ransom cost is now 0.4 Bitcoin.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
