2016-09-12 - ZEPTO VARIANT LOCKY MALSPAM

NOTES:

• It's been so long since I looked into Locky malspam, I didn't realize it's now a malicious DLL instead of an EXE.
• Lawrence Abrams from BleepingComputer first reported about Locky DLLs last month on 2016-08-26   ( link ).
• Today I saw the following patterns during infection traffic when I looked into Locky malspam:

Shown above:  Flow chart for two different examples of Locky infections from today's malspam.

 

ASSOCIATED FILES:

• ZIP archive of today's traffic:  2016-09-12-Locky-malspam-traffic-all-3-pcaps.zip   2.2 MB (2,216,673 bytes)

• 2016-09-12-locky-malspam-traffic-first-example.pcap   (1,255,591 bytes)
• 2016-09-12-locky-malspam-traffic-second-example.pcap   (1,254,549 bytes)
• 2016-09-12-locky-malspam-traffic-third-example.pcap   (166,055 bytes)

• ZIP archive of today's data:  2016-09-12-Locky-malspam-data.zip   867.9 kB (867,901 bytes)

• 2016-09-12-Locky-malspam-data.csv   (1,578 bytes)

• artifacts-from-infected-host / 2016-09-12-Locky-downloader-caused-by-wsf-file.exe   (240,944 bytes)
• artifacts-from-infected-host / 2016-09-12-Locky-malspam_HELP_instructions.bmp   (3,578,902 bytes)
• artifacts-from-infected-host / 2016-09-12-Locky-malspam_HELP_instructions.html   (8,973 bytes)
• artifacts-from-infected-host / 2016-09-12-Locky-ramsoware-caused-by-js-file.dll   (134,779 bytes)
• artifacts-from-infected-host / 2016-09-12-Locky-ramsoware-caused-by-wsf-file.dll   (159,744 bytes)

• attachments / 3911fcc1e51.zip   (22,780 bytes)
• attachments / 5a80587d100.zip   (22,740 bytes)
• attachments / IG_20160830_9_9_01_Pro.zip   (8,649 bytes)
• attachments / PH_20160830_3_14_53_Pro.zip   (8,621 bytes)
• attachments / WP_20160830_11_61_3_Pro.zip   (8,653 bytes)
• attachments / WP_20160830_1_63_5_Pro.zip   (8,621 bytes)
• attachments / db475b3e2e.zip   (22,416 bytes)
• attachments / fb1fe573a08d.zip   (22,636 bytes)
• attachments / pm55D27DB7.zip   (8,640 bytes)
• attachments / pm892.zip   (8,276 bytes)
• attachments / pmBF2EE7B7.zip   (8,640 bytes)
• attachments / pmE93.zip   (8,272 bytes)

• emails / 2016-09-12-0931-UTC-malspam-attached-invoice.eml   (12,939 bytes)
• emails / 2016-09-12-0933-UTC-malspam-attached-invoice.eml   (12,928 bytes)
• emails / 2016-09-12-1232-UTC-malspam-attached-invoice.eml   (13,430 bytes)
• emails / 2016-09-12-1235-UTC-malspam-attached-invoice.eml   (13,433 bytes)
• emails / 2016-09-12-1320-UTC-malspam-Photo.eml   (12,712 bytes)
• emails / 2016-09-12-1320-UTC-malspam-Photos.eml   (12,758 bytes)
• emails / 2016-09-12-1321-UTC-malspam-Image.eml   (12,765 bytes)
• emails / 2016-09-12-1357-UTC-malspam-budget-report.eml   (31,588 bytes)
• emails / 2016-09-12-1401-UTC-malspam-Picture.eml   (12,795 bytes)
• emails / 2016-09-12-1404-UTC-malspam-budget-report.eml   (31,789 bytes)
• emails / 2016-09-12-1419-UTC-malspam-budget-report.eml   (31,773 bytes)
• emails / 2016-09-12-1420-UTC-malspam-budget-report.eml   (31,294 bytes)

• extracted-files / 00HwYy2rv25.wsf   (34,276 bytes)
• extracted-files / 03agU52Nk02.wsf   (34,293 bytes)
• extracted-files / 05omKt2S13.wsf   (35,947 bytes)
• extracted-files / 14YQg739.wsf   (35,976 bytes)
• extracted-files / 22P5R06.wsf   (35,984 bytes)
• extracted-files / 28SShQBR04.wsf   (35,935 bytes)
• extracted-files / 68BE96D1 Budget_report_xls.js   (133,582 bytes)
• extracted-files / 863AEEA3 Budget_report_xls.js   (133,324 bytes)
• extracted-files / AD3F36C4 Budget_report_xls.js   (132,185 bytes)
• extracted-files / FA6F211A Budget_report_xls.js   (133,341 bytes)

 

EMAILS

Shown above:  Email data from the spreadsheet (part 1 of 2).

 

Shown above:  Email data from the spreadsheet (part 2 of 2).

 

Shown above:  Text of the emails (example 1 of 3).

 

Shown above:  Text of the emails (example 2 of 3).

 

Shown above:  Text of the emails (example 3 of 3).

 

FROM ADDRESSES / SUBJECT LINES:

• <document@reliancesport.com.au> - Subject: Please find attached invoice no: 424845
• <document@twoharborsforum.com> - Subject: Please find attached invoice no: 70983806321
• <document@jecel.com.br> - Subject: Please find attached invoice no: 8478912583
• <document@goldlawgroup.com> - Subject: Please find attached invoice no: 9766123

• "Maura" <Maura0372@[recipient's email address]> - Subject: Photos
• "Boris" <Boris0349@[recipient's email domain]> - Subject: Photo
• "Aldo" <Aldo511@[recipient's email domain]> - Subject: Image
• "Suzette" <Suzette37@[recipient's email domain]> - Subject: Picture

• "Ivy Wong" <Wong.6430@static.vnpt.vn> - Subject: Budget report
• "Candy Vaughan" <Vaughan.69569@10servicescompany.com> - Subject: Budget report
• "Luz Cherry" <Cherry.2159@airtelbroadband.in> - Subject: Budget report
• "Angelina Reed" <Reed.10@remarkablekids.org> - Subject: Budget report

 

TRAFFIC

Shown above:  Traffic from the first example (caused by .wsf file), filtered in Wireshark.

 

Shown above:  Traffic from the first example (also caused by .wsf file), filtered in Wireshark.

 

Shown above:  Traffic from the first example (caused by .js file), filtered in Wireshark.

 

FIRST PCAP:

• 192.185.41.190 port 80 - wamasoftware.com - GET /8fh34f3?IUiqidnymtA=zitRTbI   -   Request for Locky downloader caused .wsf file
• 43.225.54.151 port 80 - mysoregiftsflowers.com - GET /8fh34f3?IUiqidnymtA=zitRTbI   -   Request for Locky downloader caused .wsf file
• 62.149.144.61 port 80 - www.villakeratea.it - GET /8fh34f3?IUiqidnymtA=zitRTbI   -   Request for Locky downloader caused .wsf file

• 103.208.86.154 port 80 - supperuploadtestspeed.ws - POST /p/3d23fd.php HTTP/1.0   -   Post-infection callback by Locky downloader
• 66.85.27.179 port 80 - supperuploadtestspeed.ws - POST /p/3d23fd.php HTTP/1.0   -   Post-infection callback by Locky downloader

• 213.142.143.183 port 80 - yesiloglugrup.com - GET /7g6bubt7v?IUiqidnymtA=zitRTbI   -   Request for Locky caused by Locky downloader
• 202.40.164.200 port 80 - sowhatresearch.com.au - GET /7g6bubt7v?IUiqidnymtA=zitRTbI   -   Request for Locky caused by Locky downloader
• 66.85.27.179 port 80 - supperuploadtestspeed.ws - GET /7g6bubt7v?IUiqidnymtA=zitRTbI   -   Request for Locky caused by Locky downloader

SECOND PCAP:

• 43.225.54.151 port 80 - gift2belgaum.com - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky downloader caused .wsf file
• 198.23.59.178 port 80 - nysekolintsika.mg - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky downloader caused .wsf file
• 74.81.90.93 port 80 - abcdraw.biz - GET /8fh34f3?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky downloader caused .wsf file

• 103.208.86.154 port 80 - supperuploadtestspeed.ws - POST /p/3d23fd.php HTTP/1.0   -   Post-infection callback by Locky downloader
• 66.85.27.179 port 80 - supperuploadtestspeed.ws - POST /p/3d23fd.php HTTP/1.0   -   Post-infection callback by Locky downloader

• 174.142.55.229 port 80 - www.alfajerdecor.com - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky caused by Locky downloader
• 66.147.244.75 port 80 - www.pstimes.com - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky caused by Locky downloader
• 66.85.27.179 port 80 - supperuploadtestspeed.ws - GET /7g6bubt7v?fUrVOQVnKi=ViUtFTEEpm   -   Request for Locky caused by Locky downloader

THIRD PCAP:

• 23.95.106.223 port 80 - trybttr.ws - GET /h71qizc   -   Request for Locky caused by .js file
• 51.255.105.2 port 80 - 51.255.105.2 - POST /data/info.php   -   Post-infection callback by the Locky ransomware

 

DOMAINS FROM THE DECRYPT INSTRUCTIONS:

• 5n7y4yihirccftc5.tor2web.org
• 5n7y4yihirccftc5.onion.to

 

FILE HASHES

ARTIFACTS FROM THE INFECTED HOSTS:

• SHA256 hash:  b88e84d9c7c407c7bad40777e87413628d8786af643d1581aa9aa82209751fd7
  File name:  2016-09-12-Locky-downloader-caused-by-wsf-file.exe

• SHA256 hash:  bbfb4c0bbae915cc719325970c0cc9e9bf144d96043b9cc7c18a328a2e69a2c5
  File name:  2016-09-12-Locky-ramsoware-caused-by-wsf-file.dll

• SHA256 hash:  76438fc9c86c57bf0fb8028a3a6290cfce8b305e21fca5ae15feaf2e73681a27
  File name:  2016-09-12-Locky-ramsoware-caused-by-js-file.dll

 

IMAGES

Shown above:  Infected Windows desktop from one of the .wsf emails.

 

Shown above:  Going to the decrypt instructions using a Tor browser.

 

Shown above:  Looks like my Locky sample (caused by the .wsf file) wants 3 bitcoins for ransom.

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of today's traffic:  2016-09-12-Locky-malspam-traffic-all-3-pcaps.zip   2.2 MB (2,216,673 bytes)
• ZIP archive of today's data:  2016-09-12-Locky-malspam-data.zip   867.9 kB (867,901 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.