2016-08-08 - LOCKY MALSPAM - SUBJECT: COPY: IMG(6559)

ASSOCIATED FILES:

• ZIP archive of the traffic:  2016-08-08-Locky-malspam-traffic.pcap.zip   705.7 kB (705,748 bytes)

• 2016-08-08-Locky-malspam-traffic.pcap   (873,563 bytes)

• ZIP archive of the email, malware, and artifacts:  2016-08-08-Locky-malspam-malware-and-artifacts.zip   249.9 kB (249,919 bytes)

• 2016-08-08-0939-UTC-Locky-malspam.eml   (12,356 bytes)
• 2016-08-08-Locky-from-malspam-instructions.bmp   (3,721,466 bytes)
• 2016-08-08-Locky-from-malspam-instructions.html   (100,07 bytes)
• 2016-08-08-Locky-from-malspam.exe   (281,600 bytes)
• IMG(6,559).zip   (7,041 bytes)
• Photo195.wsf   (32,253 bytes)

 

NOTES:

• Waves of Locky malspam (the .zepto variant) continue on a near-daily basis.
• This post has only one sample.  It documents a recent pattern change in .zepto variant Locky post-infection traffic.

 

EMAIL

Shown above:  An email from this wave of malspam.

 

Shown above:  Email headers.

 

ATTACHMENT

Shown above:  Attachment and extracted .wsf file.

 

TRAFFIC

Shown above:  Traffic generated from the extracted .wsf file.

 

ASSOCIATED DOMAINS:

• 108.60.15.36 port 80 - nflfootballpool.ca - GET /988g765f?kyudVHTd=LetXYvHUJDE   [initial download of .exe]
• 185.129.148.19 port 80 - 185.129.148.19 - POST /php/upload.php   [callback]
• 213.205.40.169 port 80 - www.azetapiemonte.it - GET /988g765f?BzWfzNh=nSQAkwir   [follow-up download of the same .exe]
• 208.71.106.35 port 80 - keramago.web.fc2.com - GET /988g765f?SEhkUhewzxB=VvmKzoiC   [follow-up download of the same .exe]

 

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• zjfq4lnfbs7pncr5.tor2web.org
• zjfq4lnfbs7pncr5.onion.to

 

FILE HASHES

LOCKY SAMPLE FROM THE INFECTED HOST:

• SHA256 hash:  21d92fa81d5748c9981f4aa2ade97c1b04e264457bb2c610263476000036ade1
  File name:  2016-08-08-Locky-from-malspam.exe

 

IMAGES

Shown above:  Infected Windows desktop after double-clicking the .wsf file.

 

Shown above:  Re-named encrypted files showing this is the .zepto variant of Locky.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the traffic:  2016-08-08-Locky-malspam-traffic.pcap.zip   705.7 kB (705,748 bytes)
• ZIP archive of the email, malware, and artifacts:  2016-08-08-Locky-malspam-malware-and-artifacts.zip   249.9 kB (249,919 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.