Malware-Traffic-Analysis.net - 2016-05-19 - Locky malspam

2016-05-19 - LOCKY MALSPAM - FAKE HP SCANJET MESSAGES

ASSOCIATED FILES:

ZIP archive with all the info: 2016-05-19-Locky-malspam-data.zip 951.0 kB (950,997 bytes)

NOTES:

The Palo Alto Networks Unit 42 blog about Locky ransomware can be found here.
Proofpoint's blog about Locky ransomware is available here.
Another post covering this same wave of Locky malicious spam (malspam) from today:

https://myonlinesecurity.co.uk/spam-malware-scan-d34d94c50b_d8b8aad5ba-hp-scanjet-pretending-to-come-from-your-own-domain/

Shown above: Data from the .csv spreadsheet on 4 emails from today's Locky malspam.

Shown above: Data from the .csv spreadsheet on 4 attachments from today's Locky malspam.

Shown above: Example from one of the emails.

Shown above: Traffic from enabling macros on the .docm files, filtered in Wireshark.

HTTP REQUESTS FROM THE WORD MACROS:

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

Shown above: Desktop of a Windows host after enabling macros on one of the .docm files from the malspam.

artifacts-from-infected-host/2016-05-19-Locky-sample.exe (221,184 bytes)
artifacts-from-infected-host/2016-05-19-Locky_HELP_instructions.bmp (3,721,466 bytes)
artifacts-from-infected-host/2016-05-19-Locky_HELP_instructions.html (9,749 bytes)

Once again, here is the associated file:

ZIP archive with all the info: 2016-05-19-Locky-malspam-data.zip 951.0 kB (950,997 bytes)

The ZIP file is password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.