2017-04-21 - DRIDEX-STYLE MALSPAM PUSHES LOCKY RANSOMWARE INSTEAD
ASSOCIATED FILES:
- ZIP archive of a pcap: 2017-04-21-Locky-malspam-traffic.pcap.zip 238 kB (237,913 bytes)
- ZIP archive of the spreadsheet tracker: 2017-04-21-Locky-malspam-tracker.csv.zip 1.2 kB (1,162 bytes)
- ZIP archive of the emails and artifacts/malware: 2017-04-21-Locky-malspam-and-artifacts.zip 2.4 MB (2,440,641 bytes)
MORE INFO:
- 2017-04-21 - My Online Security: The return of Locky ransomware with fake receipts malspam
- 2017-04-21 - BleepingComputer: The Locky Ransomware is Back and Still Adding OSIRIS to Encrypted Files
SHA256 HASHES
HASHES FOR PDF ATTACHMENTS:
HASHES FOR EMBEDDED WORD DOCUMENTS:
HASH FOR LOCKY BINARY:
- 4ebc124c7e19c2a87f911e9972f365f6fd0ef1532981a828b085e0a6bac2e310
TRAFFIC
URLS FOR LOCKY DOWNLOAD FROM THE WORD MACROS:
LOCKY SAMPLE POST-INFECTION TRAFFIC:
- 80.85.158.212 - GET /checkupdate
FINAL NOTES
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.