2017-09-07 - "LUKITUS" VARIANT LOCKY RANSOMWARE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-09-07-Locky-ransomware-traffic-2-pcaps.zip 1.1 MB (1,100,858 bytes)
- 2017-09-07-Locky-ransomware-email-tracker.csv.zip 1.9 kB (1,863 bytes)
- 2017-09-07-Locky-ransomware-emails-and-malware.zip 1.3 MB (1,262,329 bytes)
EMAILS
Shown above: Screenshot of the spreadsheet tracker.
EMAILS:
- 2017-09-07 11:05:39 UTC -- From: fax@freefaxtoemail[.]net -- Subject: FreeFax From:1701939350
- 2017-09-07 11:21:01 UTC -- From: message@freefaxtoemail[.]net -- Subject: FreeFax From:1706775789
- 2017-09-07 11:52:37 UTC -- From: msg@freefaxtoemail[.]net -- Subject: FreeFax From:1703594719
- 2017-09-07 12:15:16 UTC -- From: no-reply@freefaxtoemail[.]net -- Subject: FreeFax From:1707482765
- 2017-09-07 12:40:00 UTC -- From: message@freefaxtoemail[.]net -- Subject: FreeFax From:1703101361
- 2017-09-07 12:40:01 UTC -- From: msg@freefaxtoemail[.]net -- Subject: FreeFax From:1704734691
- 2017-09-07 12:40:12 UTC -- From: message@freefaxtoemail[.]net -- Subject: FreeFax From:1704312326
- 2017-09-07 13:10:33 UTC -- From: faxes@freefaxtoemail[.]net -- Subject: FreeFax From:1707587404
- 2017-09-07 13:10:39 UTC -- From: fax@freefaxtoemail[.]net -- Subject: FreeFax From:1700476324
- 2017-09-07 14:11:06 UTC -- From: fax@freefaxtoemail[.]net -- Subject: FreeFax From:1705242396
- 2017-09-07 14:43:53 UTC -- From: Voice Message <VoiceMessage@[recipient's email domain]> -- Subject: Voice Message from 016569520580 - name unavailable
- 2017-09-07 14:43:59 UTC -- From: Voice Message <VoiceMessage@[recipient's email domain]> -- Subject: Voice Message from 018453488715 - name unavailable
- 2017-09-07 14:46:00 UTC -- From: Voice Message <VoiceMessage@[recipient's email domain]> -- Subject: Voice Message from 013640681415 - name unavailable
- 2017-09-07 14:50:55 UTC -- From: Voice Message <VoiceMessage@[recipient's email domain]> -- Subject: Voice Message from 011012517642 - name unavailable
- 2017-09-07 14:55:05 UTC -- From: Voice Message <VoiceMessage@[recipient's email domain]> -- Subject: Voice Message from 018303087912 - name unavailable
- 2017-09-07 18:26:12 UTC -- From: no-reply@freefaxtoemail[.]net -- Subject: FreeFax From:1705511496
- 2017-09-07 18:27:39 UTC -- From: msg@freefaxtoemail[.]net -- Subject: FreeFax From:1701967685
- 2017-09-07 18:28:50 UTC -- From: message@freefaxtoemail[.]net -- Subject: FreeFax From:1708712609
- 2017-09-07 18:36:39 UTC -- From: fax@freefaxtoemail[.]net -- Subject: FreeFax From:1706502712
- 2017-09-07 18:36:43 UTC -- From: faxes@freefaxtoemail[.]net -- Subject: FreeFax From:1707319225
- 2017-09-07 21:19:26 UTC -- From: Microsoft <do_not_reply@asia.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #2710489319
- 2017-09-07 21:19:29 UTC -- From: Microsoft <do_not_reply@asia.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #5342761373
- 2017-09-07 21:19:51 UTC -- From: Microsoft <do_not_reply@asia.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #6742972673
- 2017-09-07 21:19:55 UTC -- From: Microsoft <do_not_reply@us.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #4775006733
- 2017-09-07 21:20:04 UTC -- From: Microsoft <do_not_reply@us.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #8288285902
- 2017-09-07 21:20:26 UTC -- From: Microsoft <do_not_reply@asia.microsoft[.]com> -- Subject: Microsoft Store E-invoice for your order #8095552605
Shown above: Screenshot of the emails (earlier wave 1 of 2).
Shown above: Screenshot of the emails (earlier wave 2 of 2).
Shown above: Screenshot of the emails (later wave).
TRAFFIC
Shown above: Traffic from an earlier infection filtered in Wireshark.
Shown above: Traffic from a later infection filtered in Wireshark.
LINKS FROM THE EARLIER EMAILS:
- hxxp[:]//areanuova[.]it/fax.html
- hxxp[:]//brillantelimpieza[.]com/fax.html
- hxxp[:]//brovalbox[.]net/fax.html
- hxxp[:]//computertechnicians[.]net/fax.html
- hxxp[:]//fortcollins-accounting[.]com/fax.html
- hxxp[:]//imblog[.]de/fax.html
- hxxp[:]//itsmaterial[.]us/fax.html
- hxxp[:]//jeangurunlian[.]com/fax.html
- hxxp[:]//kedemcapital[.]com/fax.html
- hxxp[:]//lacosturera[.]es/fax.html
- hxxp[:]//malvapraha[.]cz/fax.html
- hxxp[:]//nekkeveldecoplus[.]nl/fax.html
- hxxp[:]//oscarbuitron[.]com/fax.html
- hxxp[:]//pki.jwo[.]com/fax.html
- hxxp[:]//rmrcreative[.]com/fax.html
- hxxp[:]//scottborthwick[.]com/fax.html
- hxxp[:]//signlight[.]com[.]au/fax.html
- hxxp[:]//theceocforeporter[.]com/fax.html
- hxxp[:]//themaninroom306[.]com/fax.html
- hxxp[:]//toldoslidia[.]es/fax.html
URLS TO DOWNLOAD LOCKY RANSOMWARE CAUSED BY EARLIER EMAILS:
- hxxp[:]//leypart[.]su/fax.php
- hxxp[:]//atargoryled[.]net/fax.php
- hxxp[:]//hookerdeepseafishing[.]com/pututfi.exe
LINKS IN LATER EMAILS:
- hxxp[:]//intelicalls[.]com/MS_INV_1046.7z
- hxxp[:]//labkonstrukt[.]com/MS_INV_1046.7z
- hxxp[:]//mercaropa[.]es/MS_INV_1046.7z
- hxxp[:]//pesonamas[.]co[.]id/MS_INV_1046.7z
- hxxp[:]//robbie.ggc-bremen[.]de/MS_INV_1046.7z
- hxxp[:]//schwellenwertdaten[.]de/MS_INV_1046.7z
URLS TO DOWNLOAD LOCKY RANSOMWARE CAUSED BY LATER EMAILS:
- hxxp[:]//aac-autoecole[.]com/3936jkgHGdcm?
- hxxp[:]//awholeblueworld[.]com/3936jkgHGdcm?
- hxxp[:]//etforhartohat[.]info/af/3936jkgHGdcm
- hxxp[:]//lp-usti[.]cz/3936jkgHGdcm?
- hxxp[:]//montessibooks[.]com/3936jkgHGdcm?
- hxxp[:]//weekendjevliegen[.]nl/3936jkgHGdcm?
LOCKY RANSOMWARE POST-INFECTION TRAFFIC:
- hxxp[:]//46.148.20[.]53/imageload.cgi
- hxxp[:]//185.67.2[.]156/imageload.cgi
- hxxp[:]//babmitontwronsed[.]info/eroorrrs
- g46mbrrzpfszonuk[.]onion
FILE HASHES
SHA256 hash: b6a6c9746694e4aa7081c1fc4b3c54e7716b80ef438b069a906fb852c89a7923
- File name: Fax_Message_4910872563.js
- File description: JavaScript (.js) file downloaded from links in earlier emails
SHA256 hash: ba573c9c097ff7ec0f9c24a11f17c6de24133a214183ec1e21d443c525271dfd
- File name: Fax_Message_6310542798.js
- File description: JavaScript (.js) file downloaded from links in earlier emails
SHA256 hash: 958569e5942e3e4aa2df592f1c2cdd24cf187a237a0073c6ef1462a6c89a8590
- File name: MS_INV_1046.7z
- File description: 7-Zip (.7z) archive downloaded from links in later emails
SHA256 hash: f31aee58fc2dfde26a4d40fe081ce467ce31d4955212a53f93f717e1f1c5f4c1
- File names: MS_INV_3015.7z and MS_INV_3710.7z
- File description: 7-Zip (.7z) archives as file attachments in later emails
SHA256 hash: 1db77f180460ae8be542c5e392e1c2ceed47f420f3831685babebdc038a99446
- File names: MS_INV_5989.7z, MS_INV_6712.7z, MS_INV_7512.7z, and MS_INV_7526.7z
- File description: 7-Zip (.7z) archives as file attachments in later emails
SHA256 hash: 39d986b3a62f4d1b2e43c8295a2a645187e08417b6c0d2d8b08a9f7e75343936
- File name: MS_INV_1046.vbs
- File description: Visual Basic Script (VBS) file extracted from .7z archive
SHA256 hash: f34c4bc6bca63d3c18b3a570d602a7d513594dc6c563ace7372ed3046b3d567f
- File name: MS_INV_7493.vbs
- File description: Visual Basic Script (VBS) file extracted from .7z archive
SHA256 hash: 24ca332249210bec427078f877e8c1b942fb469387428682ff421de7e68d0582
- File name: MS_INV_8448.vbs
- File description: Visual Basic Script (VBS) file extracted from .7z archive
SHA256 hash: e9981527fade0266ec18c73bf3cb066738ed12c3c3530a30a2e56a790d180107
- File location: C:\Users\[username]\AppData\Roaming\scareGT.exe
- File description: Locky ransomware binary from earlier emails
SHA256 hash: 278e5503f777b0fec03cff2acddedb67f8b62bb14f34a9e761408aaf3ce5450f
- File location: C:\Users\[username]\AppData\Local\Temp\vQqEpFK.exe
- File description: Locky ransomware binary from later emails
IMAGES
Shown above: Downloading a JavaScript (.js) file from the earlier waves.
Shown above: Downloading a 7-Zip archive (.7z) from the later wave.
Shown above: JavaScript (.js) example from the earlier waves.
Shown above: 7-Zip archive (.7z) example from the later wave.
Shown above: If you've seen one Windows desktop infected with Lukitus variant Locky, you've seen them all.
Shown above: 0.5 Bitcoin seems a little steep for the ransom cost.
Click here to return to the main page.