2018-07-23 - MALSPAM USING PASSWORD-PROTECTED WORD DOCS CONTINUES TO PUSH RANSOMWARE

ASSOCIATED FILES:
NOTES:


Shown above:  Flow chart for today's infection.
MALSPAM


Shown above:  Example of the malspam.
DATA FROM 6 EMAIL EXAMPLES:

(Read: date received -- date listed in the email -- Sending mail server -- sending email address -- Subject line -- Attachment name -- Password for the Word doc)
Shown above:  Opening one of the Word doc attachments.
Shown above:  Word doc after entering the password: 321.
TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.
TRAFFIC FROM AN INFECTED WINDOWS HOST:
Shown above:  Initial HTTP request for AZORult.
Shown above:  AZORult post-infection traffic.
Shown above:  Follow-up HTTP request for Hermes ransomware.
Contact information to pay the ransom:
MALWARE

SHA256 HASHES:
IMAGES


Shown above:  Files encrypted by Hermes ransomware didn't change their names or file extensions.
Shown above:  Decryption instructions from Hermes ransomware.
FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.