2017-06-22 - LOCKY MALSPAM - PDF ATTACHMENTS WITH EMBEDDED .DOCM FILES

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-06-22-Locky-malspam-traffic.pcap.zip   312 kB (312,210 bytes)
• Zip archive of the spreadsheet tracker:  2017-06-22-Locky-malspam-tracker.csv.zip   2.1 kB (2,053 bytes)
• Zip archive of the malware and artifacts:  2017-06-22-Locky-emails-and-artifacts.zip   3.3 MB (3,295,641 bytes)

OTHER NOTES:

• Some recent blog posts and tweets have noted Locky's return in malspam.
• Like others, I had to use Windows XP (instead of Windows Vista, 7, 8, or 10) to get an infection from today's Locky binary.

 

EMAILS

Shown above:  An example of the emails.

 

20 EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME (PDF) -- EMBEDDED .DOCM FILE

• 2017-06-22 11:12:25 UTC -- JOYCE GURR <Joyce4382@acmarmediagroup.com> -- Emailing - DOC787.PDF -- DOC787.PDF -- 000270630709.docm
• 2017-06-22 11:14:19 UTC -- HANNAH NICOLSON <Hannah6956@tecnolab-ba.com.br> -- Emailing - PDF806.PDF -- PDF806.PDF -- 000248089012.docm
• 2017-06-22 11:15:33 UTC -- MORGAN COOMBE <Morgan6045@magato.ru> -- Emailing - DOC199.PDF -- DOC199.PDF -- 000248089012.docm
• 2017-06-22 11:15:34 UTC -- KRISTEN MASSENGILL <Kristen0038@integratedphysio.net> -- Emailing - DOC999.PDF -- DOC999.PDF -- 000518024662.docm
• 2017-06-22 11:15:55 UTC -- ESTER LITTLEFAIR <Ester5226@edgeentertainment.se> -- Emailing - PDF064.PDF -- PDF064.PDF -- 000455383454.docm
• 2017-06-22 11:15:58 UTC -- ADRIENNE PEAKE <Adrienne3129@thebusinessjoint.com> -- Emailing - DOC514.PDF -- DOC514.PDF -- 000455383454.docm
• 2017-06-22 11:16:24 UTC -- LENORE RICHARDSON <Lenore5792@clocksoffracing.com> -- Emailing - DOC787.PDF -- DOC787.PDF -- 000455383454.docm
• 2017-06-22 11:17:11 UTC -- WILLIE BRADFIELD <Willie5496@efpotterappraisal.com> -- Emailing - DOC441.PDF -- DOC441.PDF -- 000890651955.docm
• 2017-06-22 11:17:38 UTC -- LEIF NOTT <Leif9322@lansay.com.br> -- Emailing - PDF537.PDF -- PDF537.PDF -- 000890651955.docm
• 2017-06-22 11:17:49 UTC -- CHASITY STREETER <Chasity3864@kirbywoods.com> -- Emailing - DOC702.PDF -- DOC702.PDF -- 000890651955.docm
• 2017-06-22 11:18:09 UTC -- LEIGH BLACKSTOCK <Leigh3122@forestcart.com> -- Emailing - PDF666.PDF -- PDF666.PDF -- 000731715784.docm
• 2017-06-22 11:19:31 UTC -- JERE FAWSETT <Jere1463@brooklinedemocrats.org> -- Emailing - PDF832.PDF -- PDF832.PDF -- 000812220195.docm
• 2017-06-22 11:19:34 UTC -- HOWARD OF HAINAULT <Howard1979@click2limos.com> -- Emailing - PDF603.PDF -- PDF603.PDF -- 000812220195.docm
• 2017-06-22 11:20:04 UTC -- LUISA RIDDOCK <Luisa7638@kofix.nl> -- Emailing - PDF394.PDF -- PDF394.PDF -- 000904155375.docm
• 2017-06-22 11:47:39 UTC -- AUBREY WHITING <Aubrey5405@headofficebybjorn.com> -- Emailing - DOC134.PDF -- DOC134.PDF -- 000639752201.docm
• 2017-06-22 11:50:11 UTC -- SIMONE CAMERON <Simone5537@rotechelectrical.com> -- Emailing - DOC935.PDF -- DOC935.PDF -- 00091882312.docm
• 2017-06-22 14:07:48 UTC -- ELOY WINDRIDGE <Eloy3302@mo-gerzat.fr> -- Emailing - DOC998.PDF -- DOC998.PDF -- 000862862990.docm
• 2017-06-22 14:14:15 UTC -- KERRI SHEPPARD <Kerri8171@hart-comm.com> -- Emailing - PDF974.PDF -- PDF974.PDF -- 000261712564.docm
• 2017-06-22 14:14:51 UTC -- ALFRED AKISTER <Alfred2203@robertlarin.com> -- Emailing - PDF836.PDF -- PDF836.PDF -- 00091882312.docm
• 2017-06-22 14:16:05 UTC -- RACHAEL BENT <Rachael0755@2hphotography.ca> -- Emailing - DOC827.PDF -- DOC827.PDF -- 000205740858.docm

 

MALWARE

Shown above:  An example of the PDF files attached to the malspam.

 

Shown above:  An example of the embedded Word documents seen when opening the PDF files.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

• 27de13b9f57d2ec30bb0b90cd7d470818f026b0049af81f96210ad6d731b0f95 - PDF603.PDF and PDF832.PDF
• 402d345db262cbf8e25382487feb52be1631d0e5c2e815e201964fb2c3905882 - PDF836.PDF and PDF974.PDF
• 48e52822ddba1ec2b3f634c159f0dc1ccfd193b22d2d8c8794ab699bdb299a87 - DOC134.PDF
• 50098a3edc1b67e6debe23a143e2d24ac67536b4ee3a1506798c0177b123d579 - DOC441.PDF, DOC702.PDF, and PDF537.PDF
• 6d36f5c7cb4b43318c100c9f070da0e35670984224bc6cc2c5dfe471dc86bfd7 - DOC999.PDF
• 73b0097b6f4bb031e9a8bdd75ae4559310c9e335d15ea4418c690d8cca5687f3 - DOC998.PDF
• 7e6f3aad2d1d70dc7a9cabc6e42e91a578ecc7d7ee8b2e8895d88171b31eb2dc - DOC827.PDF
• 9f0c6e6d630b6e12b7b34f858e6746ff6f686f3a4f67fd77510143ed1f778d6d - DOC935.PDF
• a4c4f44741d3f74e9072b23abb7c08c8661c4e30a67859eb94ba16c74fc44006 - DOC199.PDF and PDF806.PDF
• a912588520a6aeece0382126b4c93f42cd31b0ca93f6a1bc5495d4ad2effe7c0 - PDF666.PDF
• b36b17be1eea01c00322cd5ccb6a3106f9558c48eb8a0961d36e545a52c5360e - PDF394.PDF
• ce038868832f30bf52cfae8094fee50a381401d30654286c55b6434c4d1950d5 - DOC204.PDF
• f880cd4bfadc2092484abbc6da106d5a91daeab12f7ce983ea3114a1a0686af2 - DOC514.PDF, DOC787.PDF, and PDF064.PDF

 

SHA256 HASHES FOR THE EXTRACTED .DOCM FILES:

• 1bbe76d89604c0a235538fca4b420f49be876e489a4c6fae95c14ce1f925a994 - 000812220195.docm
• 4536363e33f1312b217596cd126e9143d6c265e89f85add19ffa8cba8db0af90 - 000639752201.docm
• 55bdadc62ae8cac9b1b106b86798d98cfa24cbeac5ab5240a06bfbb4d3a7af4a - 000248089012.docm
• 64ff88edc478747b24b9fba8b99d06652914294117fc3e9e7aa5744a62ed8074 - 000455383454.docm
• 735d5262c3af811499ba5f85d77294cbab90daf723c0fde035a6e9c522fcc257 - 000261712564.docm
• a120b68d1195dffe21a9a68b6a4f2ea8840d584b1bc5f0c8cd50a5b6d8d8ccd0 - 00091882312.docm
• ada1f5f6f46a225a6ca1f42bfdae8441536a810b929f925f20939bbe5b95b44b - 000205740858.docm
• c048209e3fe1c6119c3dc729800f9d0850d186c7c00cc403d104761571821aa8 - 000862862990.docm
• c3d6cac91b2b4b5ddd5d2ca035215e0ee33228f01083cde80545a58d7e47bfe1 - 000518024662.docm
• d9154bda586ad98049374105f20be6bbedd278e6fc3296836a40ee44866f804e - 000904155375.docm
• dcbf50e60f17f3c72ad84fb5f434bcea9ba6b2630075737fbefdde52a8af7797 - 000890651955.docm
• de5441ddffb488777e73e59c9c1ac30827def0eef5b6334d1d0eb66532cdae3c - 000731715784.docm
• e19a94667e12dd445f68fcd4d21e8b1abc8431052f8bfb22449ab3589a2b10cb - 000270630709.docm

 

MALWARE RETRIEVED FROM INFECTED HOST:

• SHA256 hash:  858632df961a6d355abfe7eb090c96156d2206e9171ef07ef1857f016bf737c4
  File size:  311,808 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\proshuto8.exe
  File description:  Locky

 

TRAFFIC

URLS FROM THE WORD MACROS FILES TO DOWNLOAD LOCKY:

• 1time.nl - GET /7gyjgg5r6
• asathlon.it - GET /7gyjgg5r6
• asman.railsplayground.net - GET /7gyjgg5r6
• autobluelite.com - GET /7gyjgg5r6
• blitzacademy.in - GET /7gyjgg5r6
• brontorittoozzo.com - GET /af/7gyjgg5r6
• chocolatesbazaar.com - GET /7gyjgg5r6
• ddplgroup.com - GET /7gyjgg5r6
• i-school-tutor.com - GET /7gyjgg5r6
• itbouquet.com - GET /7gyjgg5r6
• malamalamak9.net - GET /7gyjgg5r6
• melakatropical.com - GET /7gyjgg5r6
• micolon.com - GET /7gyjgg5r6
• obluelite.com - GET /7gyjgg5r6
• partyangel.in - GET /7gyjgg5r6
• randomessstioprottoy.net - GET /af/7gyjgg5r6
• skyfling.com - GET /7gyjgg5r6
• techno-me.com - GET /7gyjgg5r6
• tyastudio.com - GET /7gyjgg5r6
• unitedtanga.com - GET /7gyjgg5r6
• www.losangelesrelocationservices.net - GET /7gyjgg5r6

 

LOCKY POST-INFECTION TRAFFIC:

• 185.115.140.170 port 80 - 185.115.140.170 - GET /checkupdate
• g46mbrrzpfszonuk.onion - Tor domain for Locky decryptor

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  HTTP GET request for the Locky binary.

 

Shown above:  Post-infection callback from the infected host.

 

IMAGES

Shown above:  Encrypted files have .loptr as the file extension.

 

Shown above:  Screen shot of the Locky decryptor asking 0.5 bitcoin for the ransom payment.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-06-22-Locky-malspam-traffic.pcap.zip   312 kB (312,210 bytes)
• Zip archive of the spreadsheet tracker:  2017-06-22-Locky-malspam-tracker.csv.zip   2.1 kB (2,053 bytes)
• Zip archive of the malware and artifacts:  2017-06-22-Locky-emails-and-artifacts.zip   3.3 MB (3,295,641 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.