2017-06-22 - LOCKY MALSPAM - PDF ATTACHMENTS WITH EMBEDDED .DOCM FILES
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-06-22-Locky-malspam-traffic.pcap.zip 312 kB (312,210 bytes)
- Zip archive of the spreadsheet tracker: 2017-06-22-Locky-malspam-tracker.csv.zip 2.1 kB (2,053 bytes)
- Zip archive of the malware and artifacts: 2017-06-22-Locky-emails-and-artifacts.zip 3.3 MB (3,295,641 bytes)
OTHER NOTES:
- Some recent blog posts and tweets have noted Locky's return in malspam.
- Like others, I had to use Windows XP (instead of Windows Vista, 7, 8, or 10) to get an infection from today's Locky binary.
EMAILS
Shown above: An example of the emails.
20 EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .DOCM FILE
- 2017-06-22 11:12:25 UTC -- JOYCE GURR <Joyce4382@acmarmediagroup.com> -- Emailing - DOC787.PDF -- DOC787.PDF -- 000270630709.docm
- 2017-06-22 11:14:19 UTC -- HANNAH NICOLSON <Hannah6956@tecnolab-ba.com.br> -- Emailing - PDF806.PDF -- PDF806.PDF -- 000248089012.docm
- 2017-06-22 11:15:33 UTC -- MORGAN COOMBE <Morgan6045@magato.ru> -- Emailing - DOC199.PDF -- DOC199.PDF -- 000248089012.docm
- 2017-06-22 11:15:34 UTC -- KRISTEN MASSENGILL <Kristen0038@integratedphysio.net> -- Emailing - DOC999.PDF -- DOC999.PDF -- 000518024662.docm
- 2017-06-22 11:15:55 UTC -- ESTER LITTLEFAIR <Ester5226@edgeentertainment.se> -- Emailing - PDF064.PDF -- PDF064.PDF -- 000455383454.docm
- 2017-06-22 11:15:58 UTC -- ADRIENNE PEAKE <Adrienne3129@thebusinessjoint.com> -- Emailing - DOC514.PDF -- DOC514.PDF -- 000455383454.docm
- 2017-06-22 11:16:24 UTC -- LENORE RICHARDSON <Lenore5792@clocksoffracing.com> -- Emailing - DOC787.PDF -- DOC787.PDF -- 000455383454.docm
- 2017-06-22 11:17:11 UTC -- WILLIE BRADFIELD <Willie5496@efpotterappraisal.com> -- Emailing - DOC441.PDF -- DOC441.PDF -- 000890651955.docm
- 2017-06-22 11:17:38 UTC -- LEIF NOTT <Leif9322@lansay.com.br> -- Emailing - PDF537.PDF -- PDF537.PDF -- 000890651955.docm
- 2017-06-22 11:17:49 UTC -- CHASITY STREETER <Chasity3864@kirbywoods.com> -- Emailing - DOC702.PDF -- DOC702.PDF -- 000890651955.docm
- 2017-06-22 11:18:09 UTC -- LEIGH BLACKSTOCK <Leigh3122@forestcart.com> -- Emailing - PDF666.PDF -- PDF666.PDF -- 000731715784.docm
- 2017-06-22 11:19:31 UTC -- JERE FAWSETT <Jere1463@brooklinedemocrats.org> -- Emailing - PDF832.PDF -- PDF832.PDF -- 000812220195.docm
- 2017-06-22 11:19:34 UTC -- HOWARD OF HAINAULT <Howard1979@click2limos.com> -- Emailing - PDF603.PDF -- PDF603.PDF -- 000812220195.docm
- 2017-06-22 11:20:04 UTC -- LUISA RIDDOCK <Luisa7638@kofix.nl> -- Emailing - PDF394.PDF -- PDF394.PDF -- 000904155375.docm
- 2017-06-22 11:47:39 UTC -- AUBREY WHITING <Aubrey5405@headofficebybjorn.com> -- Emailing - DOC134.PDF -- DOC134.PDF -- 000639752201.docm
- 2017-06-22 11:50:11 UTC -- SIMONE CAMERON <Simone5537@rotechelectrical.com> -- Emailing - DOC935.PDF -- DOC935.PDF -- 00091882312.docm
- 2017-06-22 14:07:48 UTC -- ELOY WINDRIDGE <Eloy3302@mo-gerzat.fr> -- Emailing - DOC998.PDF -- DOC998.PDF -- 000862862990.docm
- 2017-06-22 14:14:15 UTC -- KERRI SHEPPARD <Kerri8171@hart-comm.com> -- Emailing - PDF974.PDF -- PDF974.PDF -- 000261712564.docm
- 2017-06-22 14:14:51 UTC -- ALFRED AKISTER <Alfred2203@robertlarin.com> -- Emailing - PDF836.PDF -- PDF836.PDF -- 00091882312.docm
- 2017-06-22 14:16:05 UTC -- RACHAEL BENT <Rachael0755@2hphotography.ca> -- Emailing - DOC827.PDF -- DOC827.PDF -- 000205740858.docm
MALWARE
Shown above: An example of the PDF files attached to the malspam.
Shown above: An example of the embedded Word documents seen when opening the PDF files.
SHA256 HASHES FOR THE PDF ATTACHMENTS:
- 27de13b9f57d2ec30bb0b90cd7d470818f026b0049af81f96210ad6d731b0f95 - PDF603.PDF and PDF832.PDF
- 402d345db262cbf8e25382487feb52be1631d0e5c2e815e201964fb2c3905882 - PDF836.PDF and PDF974.PDF
- 48e52822ddba1ec2b3f634c159f0dc1ccfd193b22d2d8c8794ab699bdb299a87 - DOC134.PDF
- 50098a3edc1b67e6debe23a143e2d24ac67536b4ee3a1506798c0177b123d579 - DOC441.PDF, DOC702.PDF, and PDF537.PDF
- 6d36f5c7cb4b43318c100c9f070da0e35670984224bc6cc2c5dfe471dc86bfd7 - DOC999.PDF
- 73b0097b6f4bb031e9a8bdd75ae4559310c9e335d15ea4418c690d8cca5687f3 - DOC998.PDF
- 7e6f3aad2d1d70dc7a9cabc6e42e91a578ecc7d7ee8b2e8895d88171b31eb2dc - DOC827.PDF
- 9f0c6e6d630b6e12b7b34f858e6746ff6f686f3a4f67fd77510143ed1f778d6d - DOC935.PDF
- a4c4f44741d3f74e9072b23abb7c08c8661c4e30a67859eb94ba16c74fc44006 - DOC199.PDF and PDF806.PDF
- a912588520a6aeece0382126b4c93f42cd31b0ca93f6a1bc5495d4ad2effe7c0 - PDF666.PDF
- b36b17be1eea01c00322cd5ccb6a3106f9558c48eb8a0961d36e545a52c5360e - PDF394.PDF
- ce038868832f30bf52cfae8094fee50a381401d30654286c55b6434c4d1950d5 - DOC204.PDF
- f880cd4bfadc2092484abbc6da106d5a91daeab12f7ce983ea3114a1a0686af2 - DOC514.PDF, DOC787.PDF, and PDF064.PDF
SHA256 HASHES FOR THE EXTRACTED .DOCM FILES:
- 1bbe76d89604c0a235538fca4b420f49be876e489a4c6fae95c14ce1f925a994 - 000812220195.docm
- 4536363e33f1312b217596cd126e9143d6c265e89f85add19ffa8cba8db0af90 - 000639752201.docm
- 55bdadc62ae8cac9b1b106b86798d98cfa24cbeac5ab5240a06bfbb4d3a7af4a - 000248089012.docm
- 64ff88edc478747b24b9fba8b99d06652914294117fc3e9e7aa5744a62ed8074 - 000455383454.docm
- 735d5262c3af811499ba5f85d77294cbab90daf723c0fde035a6e9c522fcc257 - 000261712564.docm
- a120b68d1195dffe21a9a68b6a4f2ea8840d584b1bc5f0c8cd50a5b6d8d8ccd0 - 00091882312.docm
- ada1f5f6f46a225a6ca1f42bfdae8441536a810b929f925f20939bbe5b95b44b - 000205740858.docm
- c048209e3fe1c6119c3dc729800f9d0850d186c7c00cc403d104761571821aa8 - 000862862990.docm
- c3d6cac91b2b4b5ddd5d2ca035215e0ee33228f01083cde80545a58d7e47bfe1 - 000518024662.docm
- d9154bda586ad98049374105f20be6bbedd278e6fc3296836a40ee44866f804e - 000904155375.docm
- dcbf50e60f17f3c72ad84fb5f434bcea9ba6b2630075737fbefdde52a8af7797 - 000890651955.docm
- de5441ddffb488777e73e59c9c1ac30827def0eef5b6334d1d0eb66532cdae3c - 000731715784.docm
- e19a94667e12dd445f68fcd4d21e8b1abc8431052f8bfb22449ab3589a2b10cb - 000270630709.docm
MALWARE RETRIEVED FROM INFECTED HOST:
- SHA256 hash: 858632df961a6d355abfe7eb090c96156d2206e9171ef07ef1857f016bf737c4
File size: 311,808 bytes
File location: C:\Users\[username]\AppData\Local\Temp\proshuto8.exe
File description: Locky
TRAFFIC
URLS FROM THE WORD MACROS FILES TO DOWNLOAD LOCKY:
- 1time.nl - GET /7gyjgg5r6
- asathlon.it - GET /7gyjgg5r6
- asman.railsplayground.net - GET /7gyjgg5r6
- autobluelite.com - GET /7gyjgg5r6
- blitzacademy.in - GET /7gyjgg5r6
- brontorittoozzo.com - GET /af/7gyjgg5r6
- chocolatesbazaar.com - GET /7gyjgg5r6
- ddplgroup.com - GET /7gyjgg5r6
- i-school-tutor.com - GET /7gyjgg5r6
- itbouquet.com - GET /7gyjgg5r6
- malamalamak9.net - GET /7gyjgg5r6
- melakatropical.com - GET /7gyjgg5r6
- micolon.com - GET /7gyjgg5r6
- obluelite.com - GET /7gyjgg5r6
- partyangel.in - GET /7gyjgg5r6
- randomessstioprottoy.net - GET /af/7gyjgg5r6
- skyfling.com - GET /7gyjgg5r6
- techno-me.com - GET /7gyjgg5r6
- tyastudio.com - GET /7gyjgg5r6
- unitedtanga.com - GET /7gyjgg5r6
- www.losangelesrelocationservices.net - GET /7gyjgg5r6
LOCKY POST-INFECTION TRAFFIC:
- 185.115.140.170 port 80 - 185.115.140.170 - GET /checkupdate
- g46mbrrzpfszonuk.onion - Tor domain for Locky decryptor
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: HTTP GET request for the Locky binary.
Shown above: Post-infection callback from the infected host.
IMAGES
Shown above: Encrypted files have .loptr as the file extension.
Shown above: Screen shot of the Locky decryptor asking 0.5 bitcoin for the ransom payment.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-06-22-Locky-malspam-traffic.pcap.zip 312 kB (312,210 bytes)
- Zip archive of the spreadsheet tracker: 2017-06-22-Locky-malspam-tracker.csv.zip 2.1 kB (2,053 bytes)
- Zip archive of the malware and artifacts: 2017-06-22-Locky-emails-and-artifacts.zip 3.3 MB (3,295,641 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.
Click here to return to the main page.