2017-10-24 - NECURS BOTNET MALSPAM USES DDE ATTACK TO PUSH LOCKY

ASSOCIATED FILES:

  • 2017-10-24-Necurs-botnet-DDE-doc-sends-Locky.pcap   (967,844 bytes)
  • 2017-10-24-Locky-Decryptor-style.css   (7,206 bytes)
  • 2017-10-24-Locky-Decryptor.html   (12,790 bytes)
  • 2017-10-24-asasin.bmp   (5,228,854 bytes)
  • 2017-10-24-asasin.htm   (9,442 bytes)
  • Invoice_file_426550.doc   (18,759 bytes)
  • K23400jw.exe   (713,216 bytes)
  • heropad64.exe   (183,555 bytes)

BACKGROUND:

NOTES:


Shown above:  First of the messages seen when opening a Word document with a DDE attack.


Shown above:  Same chain of events seen last week.

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

ASSOCIATED DOMAINS AND URLS:

OTHER URLS TO RETRIEVE THE 1ST-STAGE DOWNLOADER:

FILE HASHES

WORD DOCUMENT USING DDE ATTACK:

MALWARE RETRIEVED FROM THE INFECTED HOST:

IMAGES


Shown above:  Artifacts noted in the user's AppData\Local\Temp directory.


Shown above:  Windows registry update found on the infected host.

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
