Malware-Traffic-Analysis.net - 2016-04-27 - Locky malspam

2016-04-27 - LOCKY MALSPAM - SUBJECT: PRICE LIST

ASSOCIATED FILES:

ZIP archive of the information: 2016-04-27-Locky-traffic-malware-etc.zip 394.7 kB (394,659 bytes)

2016-04-27-Locky-malspam-info.csv (3,534 bytes)

2016-04-27-Locky-traffic-from-one-of-the-js-files.pcap (200,735 bytes)

extracted-js-files/

extracted-js-files/01c4b975.js (3,311 bytes)

extracted-js-files/048a35.js (3,319 bytes)

extracted-js-files/298ba6d.js (3,306 bytes)

extracted-js-files/2e1226.js (3,300 bytes)

extracted-js-files/4e5036c3.js (3,317 bytes)

extracted-js-files/6d5e6a.js (3,300 bytes)

extracted-js-files/9b2129a0.js (3,308 bytes)

extracted-js-files/9f6ed08.js (3,312 bytes)

extracted-js-files/af18f.js (3,303 bytes)

extracted-js-files/bac9b964.js (3,298 bytes)

extracted-js-files/c0c0e1c.js (3,311 bytes)

extracted-js-files/c225e93.js (3,312 bytes)

extracted-js-files/cc22f6bf.js (3,305 bytes)

extracted-js-files/cf7f9.js (3,309 bytes)

extracted-js-files/ecdbe.js (3,316 bytes)

malspam/

malspam/2016-04-27-1020-UTC.eml (3,924 bytes)

malspam/2016-04-27-1023-UTC.eml (3,945 bytes)

malspam/2016-04-27-1051-UTC.eml (3,969 bytes)

malspam/2016-04-27-1057-UTC.eml (3,955 bytes)

malspam/2016-04-27-1101-UTC.eml (3,986 bytes)

malspam/2016-04-27-1103-UTC.eml (4,001 bytes)

malspam/2016-04-27-1109-UTC.eml (3,958 bytes)

malspam/2016-04-27-1111-UTC.eml (3,955 bytes)

malspam/2016-04-27-1116-UTC.eml (3,974 bytes)

malspam/2016-04-27-1119-UTC.eml (3,930 bytes)

malspam/2016-04-27-1120-UTC.eml (3,962 bytes)

malspam/2016-04-27-1121-UTC.eml (4,013 bytes)

malspam/2016-04-27-1122-UTC.eml (3,929 bytes)

malspam/2016-04-27-1123-UTC.eml (3,994 bytes)

malspam/2016-04-27-1126-UTC.eml (3,950 bytes)

malspam/2016-04-27-1151-UTC.eml (3,972 bytes)

malware-from-the-infected-host/

malware-from-the-infected-host/2016-04-27-Locky-from-malspam.exe (179,200 bytes)

malware-from-the-infected-host/2016-04-27-Locky_HELP_instructions.bmp (3,864,030 bytes)

malware-from-the-infected-host/2016-04-27-Locky_HELP_instructions.txt (1,121 bytes)

rar-attachments/

rar-attachments/019D5_richard_E89FD5.rar (1,685 bytes)

rar-attachments/5D77E_craig_DE2B6B.rar (1,683 bytes)

rar-attachments/ACDD4_linda_7E9306.rar (1,674 bytes)

rar-attachments/AEAE2_gage_F71707.rar (1,691 bytes)

rar-attachments/craig-client_bill_F85DFB.rar (1,692 bytes)

rar-attachments/E9EB4_richard_FFEAEB.rar (1,688 bytes)

rar-attachments/jennifer-bill_BAD28D.rar (1,679 bytes)

rar-attachments/jennifer-client_bill_AEB977.rar (1,684 bytes)

rar-attachments/linda-bill_0DDC3B.rar (1,685 bytes)

rar-attachments/linda-bill_63B29F.rar (1,686 bytes)

rar-attachments/patricia-client_bill_889605.rar (1,685 bytes)

rar-attachments/richard-bill_3DEF40.rar (1,675 bytes)

rar-attachments/richard-bill_67FE66.rar (1,687 bytes)

rar-attachments/richard-bill_E937AC.rar (1,676 bytes)

rar-attachments/richard-client_bill_052E85.rar (1,679 bytes)

rar-attachments/timmy-client_bill_9A5FC4.rar (1,682 bytes)

NOTES:

Malicious spam (malspam) is really coming in today...
This is the same wave of Locky malspam reported in Dynamoo's blog ( link ).
In addition to his wave, today we saw different subject lines used for other waves of Locky malspam.

THE EMAILS

Shown above: Data on 16 of emails from this wave of Locky malspam.

DESCRIPTION:

Sender: Various senders
Subject: Price list
Attachment: .rar archive containing a malicious .js file

TEXT OF THE MESSAGES:

Thank you. Our latest price list is attached. For additional information, please contact your local ITT office.

Shown above: An example of the messages from this wave of Locky malspam.

THE ATTACHMENTS

(Read: Attachment name -- Extracted .js file -- HTTP GET request from the .js file)

linda-bill_63B29F.rar -- ecdbe.js -- aaacollectionsjewelry.com - GET /ur8fgs
019D5_richard_E89FD5.rar -- 9f6ed08.js -- myehelpers.com - GET /j3ykf
E9EB4_richard_FFEAEB.rar -- 01c4b975.js -- soccerinsider.net - GET /mys3ks
AEAE2_gage_F71707.rar -- 4e5036c3.js -- warcraft-lich-king.ru - GET /i4ospd
patricia-client_bill_889605.rar -- cc22f6bf.js -- lbbc.pt - GET /n8wisd
jennifer-client_bill_AEB977.rar -- c225e93.js -- pediatriayvacunas.com - GET /q0wps
craig-client_bill_F85DFB.rar -- 048a35.js -- onlinecrockpotrecipes.com - GET /k2tspa
richard-bill_3DEF40.rar -- 6d5e6a.js -- lbbc.pt - GET /n8wisd
linda-bill_0DDC3B.rar -- c0c0e1c.js -- mavrinscorporation.ru - GET /hd7fs
richard-bill_E937AC.rar -- 2e1226.js -- jurang.tk - GET /n2ysk
D77E_craig_DE2B6B.rar -- cf7f9.js -- directenergy.tv - GET /l2isd
richard-bill_67FE66.rar -- af18f.js -- rayzan24.co - GET /m3usjd
jennifer-bill_BAD28D.rar -- 298ba6d.js -- directenergy.tv - GET /l2isd
timmy-client_bill_9A5FC4.rar -- 9b2129a0.js -- games-k.ru - GET /n8eis
richard-client_bill_052E85.rar -- 298ba6d.js -- directenergy.tv - GET /l2isd
ACDD4_linda_7E9306.rar -- bac9b964.js -- lbbc.pt - GET /n8wisd

Shown above: Contents from one of the .rar attachments.

TRAFFIC

Shown above: Traffic filtered in Wireshark after infecting a Windows host with one of the .js files.

HTTP REQUESTS:

2016-04-27 17:38:43 UTC - 50.6.80.160 port 80 - aaacollectionsjewelry.com GET /ur8fgs
2016-04-27 17:39:30 UTC - 107.170.20.33 port 80 - 107.170.20.33 - POST /userinfo.php
2016-04-27 17:39:31 UTC - 107.170.20.33 port 80 - 107.170.20.33 - POST /userinfo.php
2016-04-27 17:39:50 UTC - 107.170.20.33 port 80 - 107.170.20.33 - POST /userinfo.php

IMAGES

Shown above: HTTP GET request for the Locky ransomware.

Shown above: Locky callback traffic.

Shown above: The host's desktop after being infected with Locky from this malspam.

FINAL NOTES

Once again, here is the associated file:

The ZIP file is password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.