2017-12-26 - NECURS BOTNET MALSPAM PUSHES GLOBEIMPOSTER RANSOMWARE

ASSOCIATED FILES:

 


Shown above:  You could say this almost every day.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

IMAGES


Shown above:  Screenshot from today's spreadsheet tracker.

 


Shown above:  Example from one of the emails.

 


Shown above:  One of the attached 7-zip archives and extracted JavaScript (JS) file.

 


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Examples of encrypted files on an infected Windows host.

 


Shown above:  Decryption instructions from the HTML file dropped on the infected Windows host.

 


Shown above:  GlobeImposter decryptor domain was unavailable when I checked today.

 


Shown above:  Artifact found in the user's AppData\Local\Temp directory.

 

INDICATORS

EMAIL DATA FROM 6 EXAMPLES:

 

SHA256 HASHES FOR THE ATTACHMENTS

 

SHA256 HASHES FOR THE EXTRACTED JS FILES:

 

PARTIAL URLS FROM THE JAVASCRIPT FILES TO RETRIEVE GLOBEIMPOSTER RANSOMWARE:

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

 

GLOBEIMPOSTER RANSOMWARE EXAMPLE:

 

OTHER INFORMATION:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.