2017-11-23 - NECURS BOTNET MALSPAM PUSHES "SCARAB" RANSOMWARE

ASSOCIATED FILES:

NOTES:

 

EMAILS


Shown above:  Screenshot from one of the emails.

 

EMAIL HEADERS:

 


Shown above:  Attachment and extracted VBS file from one of the emails.

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 

URLS FROM THE EXTRACTED VBS FILES:

IP ADDRESS CHECK BY INFECTED HOST (NOT INHERENTLY MALICIOUS):

EMAIL ADDRESS FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

FILE HASHES FOR THE ATTACHMENTS:

FILE HASHES FOR THE EXTRACTED VBS FILES:

DOWNLOADED "SCARAB" RANSOMWARE:

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  An example of the encrypted files.

 


Shown above:  Registry key updated to display the ransom note on reboot.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.