2016-12-09 - "OSIRIS" VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

• ZIP archive of the spreadsheet:  2016-12-09-Locky-malspam-info.csv.zip   2.9 kB (2,892 bytes)
• ZIP archive of the sample pcap:  2016-12-09-Locky-malspam-traffic-example.pcap.zip   152 kB (152,113 bytes)
• ZIP archive of the emails:  2016-12-09-Locky-malspam-emails.zip   643 kB (642,790 bytes)
• ZIP archive of the attachments:  2016-12-09-Locky-malspam-attachments.zip   407 kB (407,192 bytes)
• ZIP archive of artifacts from an infected host:  2016-12-09-Locky-malspam-artifacts-from-infected-host.zip   185 kB (185,125 bytes)

 

NOTES:

• On Monday December 5th, Locky switched from the .zzzzz extension to the .osiris extension for the files it encrypts.
• A Google search on osiris locky should give you more information.
• All attachments from the 2 waves of malspam I saw today delivered the same Locky DLL file.
• The entry point for today's Locky DLL is sample sym in case anyone wants to run it with rundll32.exe in a controlled environment.

 

EMAILS

SUBJECT LINES:

• See attached - I will call you in 3 mins
• See attached - I will call you in 5 mins
• See attached - I will call you in 10 mins
• See attached - I will call you in 15 mins
• See attached - I will call you in 20 mins
• See attached - I will call you in 30 mins
• Documents Requested
• Re:Documents Requested
• FW:Documents Requested

 

Shown above:  Data from 20 Locky malspam examples (part 1 of 2).

 

Shown above:  Data from 20 Locky malspam examples (part 2 of 2).

 

Shown above:  An example from the first wave of these emails.

 

Shown above:  An example from second wave of these emails.

 

TRAFFIC

Shown above:  An example of infection traffic by the Excel sheets from one of the emails.

 

EXAMPLES OF TRAFFIC GENERATED BY THE EXCEL MARCO RETRIEVING THE LOCKY BINARY:

• 97.74.215.147 port 80 - laferwear.com - GET /34f43
• 108.174.153.189 port 80 - djelixir.com - GET /34f43
• 193.68.112.65 port 80 - cafe-bg.com - GET /34f43
• 195.222.33.173 port 80 - facerecognition.com.ba - GET /34f43
• 195.228.152.23 port 80 - polgarorvasad.hu - GET /34f43
• 202.125.36.106 port 80 - walkonwheels.net.au - GET /34f43
• 202.174.32.106 port 80 - denva-art.com - GET /34f43
• 216.250.121.1 port 80 - kathollowell.com - GET /34f43
• 217.160.223.75 port 80 - waat.co.uk - GET /34f43
• 218.232.104.232 port 80 - u-niwon.com - GET /34f43

 

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

• 176.121.14.95 port 80 - 176.121.14.95 - POST /checkupdate
• 185.102.136.67 port 80 - 185.102.136.67 - POST /checkupdate

 

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

• g46mbrrzpfszonuk.onion

 

FILE HASHES

LOCKY DLL FILE:

• SHA256 hash:  3f2e77d2ef17c7374f5ca26427cd34348f54c29b1d765c0f0c6a891ed97dd76a   (225,280 bytes)
• File name:  C:\Users\[username]\AppData\Local\Temp\clsooach1.feds
• DLL entry point:  sym

 

EXCEL SPREADSHEETS FROM THE MALSPAM (SHA256 HASH - FILE NAMES):

• 02aed7aa31b4522018e2df2ffdc7c3d2e7853844fffdb8315c251cc5a17150f2 - Copy_6482_final.xlsm
• 08d4dbc7de30671446ee03b209b796a6f91945c66cef7a4d54fc5e91660af4ff - Receipt_508140_final.xlsm
• 0fb0bae04d07fb41f07fb4c0618a441fe6f0e7f1172460966eb616d58be2f023 - Receipt_964983_final.xlsm
• 128e3463d36adf61ef8afd3e560ffb307200886b30c96726ee6d95551f17c14a - doc(901).xlsm
• 1fae5a4c51718733ae0e4be662bd9789a9ed29aa97fe0c0139981464bb914873 - Untitled(362).xlsm
• 23f06446fa649286c2602aacd15821d18aedd4e63e4ffe7b9098f802eb0d4109 - Untitled(21).xlsm
• 5209db0993ea7081d8daed6eab7aa47e604ea014f4280db26bff7a4be6010892 - new doc(94).xlsm
• 7e75750ebd406499d5e36c1d585e00c11edfe3f58e5acf235a394de0b24fdd7b - doc(3).xlsm , doc(81).xlsm
• 916247902cc76455ec88316d86e15fd43365942921acc566350b426a19b417cd - Untitled(7).xlsm
• 99c37808ba2e36224a594c668763fd4f3148ec0769da19cad7930146b1bbbeb8 - Untitled(8).xlsm
• aea3c9a4de3eeb1dc1500c12558426081440ff5ec6d623c45f4ea88c739e9fd1 - Copy_44_final.xlsm , Report_16466_final.xlsm
• b739bc19c49b34171fa08af014291de79d6876aa91316a3103476d6013f263f9 - Report_43_final.xlsm
• ba098fabf6758d5777917bda0589d430b642d217f49d40319eecf4211a3633db - Invoice_20965_final.xlsm
• bb9137f79557696674dbd5bf2306a1b1d046cef7cad8854f6648cd9d3f819760 - Invoice_553_final.xlsm , Receipt_790568_final.xlsm
• bd88640115c4350671fba0dd7063690f0daa4b4755658669680f1b2d88d4e3c0 - Document_68_final.xlsm
• f508fb948d76129da5b348f319858f39670525e5beca9b157bc659e614637a66 - Untitled(36).xlsm
• f8795e7b0ce3cfc97278ec31e35b7833505e6d54f379c5a3d4c3d5bfc326c341 - Untitled(778).xlsm

 

IMAGES

Shown above:  Screen shot from an infected Windows desktop.  Note the .osiris file extension.

 

Shown above:  Ransom payment was 1.5 bitcoin for the infections I generated.

 

FINAL NOTES

Once again, here are the associated archives:

• ZIP archive of the spreadsheet:  2016-12-09-Locky-malspam-info.csv.zip   2.9 kB (2,892 bytes)
• ZIP archive of the sample pcap:  2016-12-09-Locky-malspam-traffic-example.pcap.zip   152 kB (152,113 bytes)
• ZIP archive of the emails:  2016-12-09-Locky-malspam-emails.zip   643 kB (642,790 bytes)
• ZIP archive of the attachments:  2016-12-09-Locky-malspam-attachments.zip   407 kB (407,192 bytes)
• ZIP archive of artifacts from an infected host:  2016-12-09-Locky-malspam-artifacts-from-infected-host.zip   185 kB (185,125 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.