2017-04-21 - DRIDEX-STYLE MALSPAM PUSHES LOCKY RANSOMWARE INSTEAD

ASSOCIATED FILES:

• ZIP archive of a pcap:  2017-04-21-Locky-malspam-traffic.pcap.zip   238 kB (237,913 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-21-Locky-malspam-tracker.csv.zip   1.2 kB (1,162 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-21-Locky-malspam-and-artifacts.zip   2.4 MB (2,440,641 bytes)

MORE INFO:

• 2017-04-21 - My Online Security: The return of Locky ransomware with fake receipts malspam
• 2017-04-21 - BleepingComputer: The Locky Ransomware is Back and Still Adding OSIRIS to Encrypted Files

 

IMAGES

 

SHA256 HASHES

HASHES FOR PDF ATTACHMENTS:

• 1705d38d2ea80177963d67fd18e836326d70a239378d6b9c74d445c5e0b423d6
• 2881600b108ece9a1df3e7659370e3ee79cf233e9723a9acd7985452c5915eb3
• 3ccef773a5527c7128987bb8d359726f0b3d4d84dd6526c1b3aa76fd98b68539
• 59388d5534bd3b7973186c1a82b7db6e33111b57b133f44d8776423aa58f627c
• 9008ee571b139496190f4e54d155300a1c875a8fb9096cfa27809e4e71955176
• 92c3e427edd0b7c986259347e6f5c9a51d534ce789f04cbc086981a7fac7617b
• f1326f8c348b6a4eb0fe0c3fcdc27e8375fd0ea7ecca54d392de790f31a9d037
• ff92433ae4ee90b3c6dd3cd5655302be345addd2a57bf143ee982e692ca7ca33

HASHES FOR EMBEDDED WORD DOCUMENTS:

• 2a8590ec5e8cea900e4f21845ab844df3e74e81bf9a093913b6beec41983e522
• 47f599d4bfd72599cdef4d81ecfc37b9d72fa58481a92ad471e873272cc8a915
• 73dc25a92422d64981dc478cf421cab1490022fff9e8cb5859abe85b9a9d3a55
• 97d991869130c62a2dd36e88e4e2b6080dba69ca4ccd56b149b20d8b2895189e
• 9ee4e4015be4bb51843acff67f5dcda39e2ee5debe76e321cb3bb50f59d19392
• c99ef1c016b265b02b978d5395a63f0559c43b42a576fda12c20913bdcfa9da6
• e25b2a1e70f65f07fc9e61204e11fd024382221ff052a963baede8e32cfb613b
• e76789a6c0c6867d1c519edede59ad1be0ab44606df8f8f6400e289fbf47a964

HASH FOR LOCKY BINARY:

• 4ebc124c7e19c2a87f911e9972f365f6fd0ef1532981a828b085e0a6bac2e310

 

TRAFFIC

URLS FOR LOCKY DOWNLOAD FROM THE WORD MACROS:

• abcenglishclub.com - GET /9yg65
• aielloengineering.com - GET /9yg65
• aim-controls.com - GET /9yg65
• bhmech.com - GET /9yg65
• cindysplace.net - GET /9yg65
• clayhero.com - GET /9yg65
• dont.pl - GET /9yg65
• ercelectronics.com - GET /9yg65
• maheriscriverius.nl - GET /9yg65
• rootcellar.us - GET /9yg65
• ros-jurist.ru - GET /9yg65
• sgph.comcastbiz.net - GET /9yg65
• sherwoodbusiness.com - GET /9yg65
• uwdesign.com.br - GET /9yg65

LOCKY SAMPLE POST-INFECTION TRAFFIC:

• 80.85.158.212 - GET /checkupdate

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of a pcap:  2017-04-21-Locky-malspam-traffic.pcap.zip   238 kB (237,913 bytes)
• ZIP archive of the spreadsheet tracker:  2017-04-21-Locky-malspam-tracker.csv.zip   1.2 kB (1,162 bytes)
• ZIP archive of the emails and artifacts/malware:  2017-04-21-Locky-malspam-and-artifacts.zip   2.4 MB (2,440,641 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.