2017-10-04 - BLANK SLATE CAMPAIGN PUSHES ".YKCOL" VARIANT LOCKY RANSOMWARE

NOTICE:

ASSOCIATED FILES:

SOME BACKGROUND:

TODAY'S NOTES:


EMAILS


Shown above:  Screenshot from the spreadsheet tracker.



Shown above:  Screenshot from one of the emails.


EMAILS COLLECTED:

ATTACHMENT INFO:


TRAFFIC


Shown above:  Example of infection traffic filtered in Wireshark (1 of 3).



Shown above:  Example of infection traffic filtered in Wireshark (2 of 3).



Shown above:  Example of infection traffic filtered in Wireshark (3 of 3).


TRAFFIC GENERATED BY .JS FILES TO DOWNLOAD LOCKY RANSOMWARE:

LOCKY RANSOMWARE POST-INFECTION TRAFFIC:

TOR DOMAIN FOR THE LOCKY DECRYPTOR (SAME ONE FOR A LONG TIME NOW):


ASSOCIATED FILES


Shown above:  One of the attached zip archives and its content.


ATTACHMENTS:

EXTRACTED .JS FILES:

FOLLOW-UP MALWARE (LOCKY RANSOMWARE BINARIES):

LOCKY EXECUTED FROM THE LOCAL HOST AT:


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  The Locky decryptor showing today's ransom cost.
