2016-05-31 - TUESDAY MALSPAM HUNT - MORE LOCKY (ALWAYS MORE LOCKY)

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-05-31-traffic-from-Locky-malspam.zip   536.6 kB (536,558 bytes)

• 2016-05-31-Locky-after-details_V9yGF.js.pcap   (157,924 bytes)
• 2016-05-31-Locky-after-details_gyo4a.js.pcap   (193,258 bytes)
• 2016-05-31-Locky-after-doc_scan_GKnaA.js.pcap   (219,064 bytes)
• 2016-05-31-Locky-after-scan_k9w7fm.js.pcap   (219,207 bytes)

• ZIP archive of the emails/malware/etc:  2016-05-31-emails-malware-etc.zip   244.0 kB (243,975 bytes)

• 2016-05-31-malspam-data.csv   (659 bytes)

• artifacts-from-infected-hosts/2016-05-31-Locky-example.exe   (181,760 bytes)
• artifacts-from-infected-hosts/2016-05-31-Locky_HELP_instructions.bmp   (3,293,774 bytes)
• artifacts-from-infected-hosts/2016-05-31-Locky_HELP_instructions.html   (9,355 bytes)

• attachments/caution_trevor_54614652.zip   (5,879 bytes)
• attachments/copy_alan_14149553.zip   (5,897 bytes)
• attachments/report_56098446.zip   (5,864 bytes)
• attachments/security_69514117.zip   (5,772 bytes)

• emails/2016-05-31-0926-UTC.eml   (9,914 bytes)
• emails/2016-05-31-0956-UTC.eml   (9,928 bytes)
• emails/2016-05-31-1134-UTC.eml   (9,657 bytes)
• emails/2016-05-31-1158-UTC.eml   (9,515 bytes)

• extracted-files/details_V9yGF.js   (13,028 bytes)
• extracted-files/details_gyo4a.js   (12,965 bytes)
• extracted-files/doc_scan_GKnaA.js   (12,812 bytes)
• extracted-files/scan_k9w7fm.js   (11,918 bytes)

 

EMAILS AND ATTACHMENTS

Shown above:  Data from the .csv spreadsheet on 4 malspam samples from Tuesday 2016-05-31.

 

Shown above:  Example of Fraudlent Behavior - Account Suspended malspam from
Tuesday 2016-05-31.

 

Shown above:  Example of New Message from your bank manager malspam from
Tuesday 2016-05-31.

 

TRAFFIC

Shown above:  Traffic generated from the first malspam filtered in Wireshark.

 

Shown above:  Traffic generated from the second malspam filtered in Wireshark.

 

Shown above:  Traffic generated from the third malspam filtered in Wireshark.

 

Shown above:  Traffic generated from the fourth malspam filtered in Wireshark.

 

HTTP REQUESTS FORM .JS FILES TO DOWNLOAD THE LOCKY SAMPLE:

• 23.238.19.218 port 80 - akcord.com - GET /R4yjhg
• 37.200.66.30 port 80 - lidgroup.ru - GET /vV9c7l
• 50.62.226.1 port 80 - pgcommunitycab.com - GET /FAlx1b
• 159.253.45.219 port 80 - kontarkum.org - GET /Lntxhy
• 190.196.210.132 port 80 - ladohumano.cl - GET /bnmYOE
• 193.107.88.86 port 80 - pvprojekt.pl - GET /oLlqvX

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

• 85.17.19.102 port 80 - 85.17.19.102 - POST /upload/_dispatch.php
• 93.170.123.60 port 80 - 93.170.123.60 - POST /upload/_dispatch.php
• 195.154.69.90 port 80 - 195.154.69.90 - POST /upload/_dispatch.php

 

IMAGES

Shown above:  Windows computer's desktop after one of today's Locky infections.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-05-31-traffic-from-Locky-malspam.zip   536.6 kB (536,558
• ZIP archive of the emails/malware/etc:  2016-05-31-emails-malware-etc.zip   244.0 kB (243,975 bytes)

The ZIP file is password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.