2017-11-01 - NECURS BOTNET MALSPAM CONTINUES PUSHING LOCKY

ASSOCIATED FILES:

 

SOME PRIOR DOCUMENTATION:

 

NOTES:


Shown above:  Current chain of events (no DDE, but embedded objects).

 

EMAILS


Shown above:  Example of an email from this wave of malspam.

 

EMAIL HEADERS:

 

EXAMPLES OF SENDING ADDRESSES (ALL SPOOFED):

 


Shown above:  Word document from one of the emails with malicious embedded object).

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

OTHER HTTP REQUESTS GENERATED BY THE MALICIOUS WORD DOCUMENTS:

 

OTHER HTTP REQUESTS FOR THE 1ST-STAGE MALWARE:

 

TOR DOMAIN FOR LOCKY DECRYPTION:

 

FILE HASHES

WORD DOCUMENTS WITH EMBEDDED OBJECT:

 

MALWARE RETRIEVED FROM THE INFECTED HOST:

 

IMAGES


Shown above:  Desktop from an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.