2016-05-05 - THURSDAY MALSPAM HUNT - DRIDEX AND LOCKY

ASSOCIATED FILES:

• ZIP archive with the data:  2016-05-05-malspam-data.zip   954.9 kB (954,886 bytes)

 

NOTES:

The Palo Alto Networks Unit 42 blog about Locky ransomware can be found here, and Proofpoint's blog about Dridex actors sending Locky ransomware is available here.

Other posts also covering some of the same malicious spam (malspam) include:

• https://myonlinesecurity.co.uk/jaypee-bill-copy-corrupt-attachment/
• https://myonlinesecurity.co.uk/refund-unsuccessful-your-order-has-been-cancelled-however-we-are-not-able-to-proceed-with-the-refund-js-malware/

Zip attachments sent by "Jaypee" (a spoofed sender) contain text files, but the files names have no extentions.  I ran them after appending .js to the file names.

 

EMAILS AND ATTACHMENTS

Shown above:  Data from the .csv spreadsheet on 12 emails from today's malspam.

 

Shown above:  Data from the .csv spreadsheet on 12 attachments from today's malspam.

 

TRAFFIC

Shown above:  Traffic from executing the extracted .js files, filtered in Wireshark.

 

Shown above:  Post-infection traffic seen from the Dridex sample.

 

DRIDEX MALSPAM TRAFFIC:

• 162.13.162.105 port 80 - jtapecustom.com - GET /adm.exe   [HTTP request by .js files for Dridex]
• 162.251.84.219 port 4343   [Dridex post-infection TLS traffic]

 

HTTP REQUEST BY .JS FILES FOR LOCKY:

• 108.175.158.16 port 80 - fitwellind.com - GET /vbhd6hss
• 81.169.145.77 port 80 - www.semann.de - GET /09y8hb7v6y7g
• 208.83.209.11 port 80 - lovesanimals.com - GET /09y8hb7v6y7g
• 46.17.1.250 port 80 - vermac.info - GET /09y8hb7v6y7g
• 64.22.106.154 port 80 - buntrocks.com - GET /09y8hb7v6y7g
• 88.208.208.231 port 80 - perfectionbridalmaidstone.co.uk - GET /gyh76jk
• 119.81.236.93 port 80 - veytex.com - GET /we7ujd

 

LOCKY POST-INFECTION TRAFFIC:

• 91.219.29.66 port 80 - 91.219.29.66 - POST /userinfo.php
• 138.201.95.72 port 80 - 138.201.95.72 - POST /userinfo.php
• 185.22.67.108 port 80 - 185.22.67.108 - POST /userinfo.php

 

ZIP ARCHIVE CONTENTS

• 2016-05-05-malspam-data.csv   (2,476 bytes)

• attachments\VA01074896506604.zip   (6,411 bytes)
• attachments\VA1689296095398397.zip   (6,410 bytes)
• attachments\VA663969639.zip   (6,381 bytes)
• attachments\VA68751465510.zip   (6,393 bytes)
• attachments\acc_invoices_2BB.zip   (13,090 bytes)
• attachments\account_29B.zip   (13,519 bytes)
• attachments\alan_refund_855945.zip   (10,038 bytes)
• attachments\ref_516105.zip   (9,686 bytes)
• attachments\robert_copy_515338.zip   (10,121 bytes)
• attachments\roger_copy_603480.zip   (10,064 bytes)
• attachments\transfers_812.zip   (13,177 bytes)
• attachments\transfers_D31.zip   (13,087 bytes)

• extracted-files\VA01074896506604   (13,354 bytes)
• extracted-files\VA1689296095398397   (13,362 bytes)
• extracted-files\VA663969639   (13,312 bytes)
• extracted-files\VA68751465510   (13,336 bytes)
• extracted-files\details_D8YwrHEj.js   (26,453 bytes)
• extracted-files\details_R5EyJPfS.js   (27,491 bytes)
• extracted-files\info_sIgnU7Ry0fZrXu.js   (27,419 bytes)
• extracted-files\ref_kUhtCYG5IfT.js   (27,741 bytes)
• extracted-files\transactions 2594754.js   (533,236 bytes)
• extracted-files\transactions 5337654.js   (533,212 bytes)
• extracted-files\transactions 63956038.js   (536,491 bytes)
• extracted-files\transactions 88867446.js   (533,179 bytes)

• malspam\2016-05-05-0518-UTC.eml   (19,801 bytes)
• malspam\2016-05-05-1228-UTC.eml   (15,411 bytes)
• malspam\2016-05-05-1235-UTC.eml   (14,933 bytes)
• malspam\2016-05-05-1316-UTC.eml   (12,012 bytes)
• malspam\2016-05-05-1320-UTC.eml   (12,026 bytes)
• malspam\2016-05-05-1325-UTC.eml   (15,542 bytes)
• malspam\2016-05-05-1331-UTC.eml   (11,958 bytes)
• malspam\2016-05-05-1338-UTC.eml   (15,484 bytes)
• malspam\2016-05-05-1341-UTC.eml   (12,031 bytes)
• malspam\2016-05-05-1347-UTC.eml   (19,317 bytes)
• malspam\2016-05-05-1356-UTC.eml   (19,286 bytes)
• malspam\2016-05-05-1411-UTC.eml   (19,188 bytes)

• malware-from-the-infected-host\2016-05-05-Locky_HELP_instructions.bmp   (4,006,594 bytes)
• malware-from-the-infected-host\2016-05-05-Locky_HELP_instructions.html   (2,086 bytes)
• malware-from-the-infected-host\2016-05-05-malware-from-js-malspam-sample-1-of-5-Dridex.exe   (233,472 bytes)
• malware-from-the-infected-host\2016-05-05-malware-from-js-malspam-sample-2-of-5-Locky.exe   (111,875 bytes)
• malware-from-the-infected-host\2016-05-05-malware-from-js-malspam-sample-3-of-5-Locky.exe   (111,787 bytes)
• malware-from-the-infected-host\2016-05-05-malware-from-js-malspam-sample-4-of-5-Locky.exe   (179,712 bytes)
• malware-from-the-infected-host\2016-05-05-malware-from-js-malspam-sample-5-of-5-Locky.exe   (180,224 bytes)

 

FINAL NOTES

Once again, here is the associated file:

• ZIP archive with the data:  2016-05-05-malspam-data.zip   954.9 kB (954,886 bytes)

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.