2016-11-03 - "THOR" VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-11-03-Locky-malspam-info.csv   (3,965 bytes)
  • 2016-11-03-traffic-example-from-Locky-malspam.pcap   (322,362 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-Decryptor-style.css   (3,422 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-Decryptor.html   (6,449 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-artifact_WHAT_is.bmp   (3,864,030 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-artifact_WHAT_is.html   (9,378 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-binary-example-1.dll   (303,104 bytes)
  • artifacts-from-infected-hosts / 2016-11-03-Locky-binary-example-2.dll   (315,392 bytes)
  • attachments / GiWOXG212070.zip   (1,247 bytes)
  • attachments / JZTv73287697.zip   (1,256 bytes)
  • attachments / LSTFpHM0833911.zip   (1,252 bytes)
  • attachments / Lx86173440.zip   (1,262 bytes)
  • attachments / MABBkWp04211954.zip   (1,250 bytes)
  • attachments / QonH3370533.zip   (1,261 bytes)
  • attachments / Rdk4132815.zip   (1,266 bytes)
  • attachments / TXymLf24605687.zip   (1,271 bytes)
  • attachments / VGh48444.zip   (1,253 bytes)
  • attachments / WuFanr053440.zip   (1,257 bytes)
  • attachments / bgvTUO496306.zip   (1,254 bytes)
  • attachments / eZSw8623066.zip   (1,256 bytes)
  • attachments / gUfWy71659761.zip   (1,253 bytes)
  • attachments / lpM3531751.zip   (1,269 bytes)
  • attachments / nsexNZ504951.zip   (1,243 bytes)
  • attachments / pJJ780426.zip   (1,246 bytes)
  • attachments / qDnDRhj713487.zip   (1,249 bytes)
  • attachments / qZQCWp4811495.zip   (1,261 bytes)
  • attachments / qdRIae34444.zip   (1,245 bytes)
  • attachments / qwzDqH0761367.zip   (1,246 bytes)
  • emails / 2016-11-03-malspam-1315-UTC.eml   (2,514 bytes)
  • emails / 2016-11-03-malspam-1323-UTC.eml   (2,516 bytes)
  • emails / 2016-11-03-malspam-1407-UTC.eml   (2,501 bytes)
  • emails / 2016-11-03-malspam-1445-UTC.eml   (2,498 bytes)
  • emails / 2016-11-03-malspam-1447-UTC.eml   (2,500 bytes)
  • emails / 2016-11-03-malspam-1451-UTC.eml   (2,507 bytes)
  • emails / 2016-11-03-malspam-1452-UTC.eml   (2,457 bytes)
  • emails / 2016-11-03-malspam-1454-UTC.eml   (2,487 bytes)
  • emails / 2016-11-03-malspam-1456-UTC.eml   (2,462 bytes)
  • emails / 2016-11-03-malspam-1458-UTC.eml   (2,488 bytes)
  • emails / 2016-11-03-malspam-1501-UTC.eml   (2,495 bytes)
  • emails / 2016-11-03-malspam-1513-UTC.eml   (2,475 bytes)
  • emails / 2016-11-03-malspam-1515-UTC.eml   (2,507 bytes)
  • emails / 2016-11-03-malspam-1522-UTC.eml   (2,472 bytes)
  • emails / 2016-11-03-malspam-1536-UTC.eml   (2,487 bytes)
  • emails / 2016-11-03-malspam-1622-UTC.eml   (2,500 bytes)
  • emails / 2016-11-03-malspam-1732-UTC.eml   (2,499 bytes)
  • emails / 2016-11-03-malspam-1759-UTC.eml   (2,516 bytes)
  • emails / 2016-11-03-malspam-1803-UTC.eml   (2,500 bytes)
  • emails / 2016-11-03-malspam-1921-UTC.eml   (2,465 bytes)
  • extracted-files / BwNptv3681-38112.vbs   (36,24 bytes)
  • extracted-files / CYeqQL7541-29104.vbs   (3,549 bytes)
  • extracted-files / IQVuw6029-1166.vbs   (3,741 bytes)
  • extracted-files / JGhAff4039-0371.vbs   (3,521 bytes)
  • extracted-files / KDdqS9707-1848.vbs   (3,633 bytes)
  • extracted-files / MChhG3267-3359.vbs   (3,583 bytes)
  • extracted-files / TXwYT7031-1420.vbs   (3,582 bytes)
  • extracted-files / TYFGYV7920-0998.vbs   (3,518 bytes)
  • extracted-files / TmUPy382-1682.vbs   (3,614 bytes)
  • extracted-files / UKJLe3894-3543.vbs   (3,524 bytes)
  • extracted-files / bIsoLw7513-3750.vbs   (3,471 bytes)
  • extracted-files / cWGarA9995-1067.vbs   (3,489 bytes)
  • extracted-files / fIFNTp632-2603.vbs   (3,583 bytes)
  • extracted-files / iRXsj7393-1513.vbs   (3,615 bytes)
  • extracted-files / nOXOk9764-24111.vbs   (3,526 bytes)
  • extracted-files / qIJuq8169-2320.vbs   (3,758 bytes)
  • extracted-files / rdjkEj4834-3748.vbs   (3,705 bytes)
  • extracted-files / whGUM1098-3139.vbs   (3,733 bytes)
  • extracted-files / xMzCU4574-23107.vbs   (3,685 bytes)
  • extracted-files / zMXDJX5248-1503.vbs   (3,693 bytes)


NOTES:


Shown above:  October 25th 2016, a day that will live in infamy.


EMAILS


Shown above:  Data from six Locky malspam examples (part 1 of 2).



Shown above:  Data from six Locky malspam examples (part 2 of 2).



Shown above:  An example from one of these emails.


TRAFFIC


Shown above:  An example of infection traffic from one of the emails.


ALL 75 URLS FROM THE 20 EXTRACTED .VBS SCRIPTS:

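One way to produce a listing like the one above from the emails folder of the archive: walk the .eml files, pull each .zip attachment, list the scripts inside and harvest the literal URLs they carry, recording a SHA256 for every attachment on the way. This is an added example, not code from the original page. The sample message, its .vbs body and the URLs in it are constructed here and do not point at real infrastructure.

```python
"""Triage of Locky malspam samples: .eml -> .zip attachment -> script -> URLs.
Added example, not from the original page. The lure below is constructed."""
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
MAX_SCRIPT_BYTES = 1_000_000  # refuse to inflate anything oversized from the zip

# Constructed .vbs body with two made-up download URLs (example.invalid is reserved).
SAMPLE_SCRIPT = (
    'Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
    'u1 = "http://example.invalid/counter/?a=1"\r\n'
    'u2 = "http://example.invalid/counter/?a=2"\r\n'
)


def build_sample_eml() -> bytes:
    """Constructed lure: a short body plus a zip attachment holding one .vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample-0001.vbs", SAMPLE_SCRIPT)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Receipt"
    msg.set_content("Please see the attached receipt.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> dict:
    """Return attachments as (name, sha256), scripts as (name, size), and the URLs found."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = {"subject": str(msg["Subject"]), "attachments": [], "scripts": [], "urls": set()}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        out["attachments"].append((name, hashlib.sha256(data).hexdigest()))
        if not name.lower().endswith(".zip") or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith(SCRIPT_EXTS):
                    continue
                if info.file_size > MAX_SCRIPT_BYTES:  # zip-bomb guard
                    continue
                text = zf.read(info).decode("latin-1")
                out["scripts"].append((info.filename, info.file_size))
                out["urls"].update(URL_RE.findall(text))
    out["urls"] = sorted(out["urls"])
    return out


def triage_directory(path) -> list:
    """Run triage_eml over every .eml under path (e.g. the emails/ folder of the archive)."""
    return [triage_eml(p.read_bytes()) for p in sorted(Path(path).glob("*.eml"))]


if __name__ == "__main__":
    r = triage_eml(build_sample_eml())
    print(r["subject"], r["attachments"], r["scripts"])
    for u in r["urls"]:
        print(u)
```

The regex only finds URLs written out literally. Downloader scripts of this kind often assemble the URL from concatenated fragments or decode it at run time, so for those a deobfuscation pass or a sandbox detonation with the traffic captured (as in the pcap above) is needed before the URL list is complete.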

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:


OTHER DNS QUERIES DURING POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:


DOMAINS FROM THE DECRYPTION INSTRUCTIONS:


FILE HASHES

LOCKY DLL SAMPLES:


IMAGES


Shown above:  Screen shot from an infected Windows desktop.  Note the .thor file extension.
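A host-side sweep for the traces this variant leaves behind: files renamed with the .thor extension, the dropped ransom notes, and the domains the notes point to (the same ones listed under "DOMAINS FROM THE DECRYPTION INSTRUCTIONS"). This is an added example, not code from the original page. The note filename suffixes are an assumption taken from the artifact names in the listing above, and the fixture tree and the domains in it are constructed.

```python
"""Sweep a directory tree for .thor files, ransom notes and note domains.
Added example, not from the original page. Note-name suffixes are an
assumption based on the artifact names in the listing; the fixture is constructed."""
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".thor"
NOTE_SUFFIXES = ("_WHAT_is.html", "_WHAT_is.bmp")  # assumption, from the artifact names
HOST_RE = re.compile(r"""https?://([^/\s"'<>]+)""", re.IGNORECASE)


def sweep(root) -> dict:
    """Walk root and report encrypted files, ransom notes, note domains and timing."""
    root = Path(root)
    encrypted, notes, domains = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name.endswith(NOTE_SUFFIXES):
                notes.append(path)
                if name.endswith(".html"):  # pull the payment-site hosts out of the note
                    text = path.read_text(encoding="utf-8", errors="replace")
                    domains.update(h.lower() for h in HOST_RE.findall(text))

    def rel(p: Path) -> str:
        return str(p.relative_to(root)).replace(os.sep, "/")

    return {
        "encrypted": sorted(rel(p) for p in encrypted),
        "per_directory": dict(Counter(rel(p.parent) for p in encrypted)),
        # earliest mtime among renamed files bounds when encryption started
        "earliest_mtime": min((p.stat().st_mtime for p in encrypted), default=None),
        "notes": sorted(rel(p) for p in notes),
        "note_domains": sorted(domains),
        "infected": bool(encrypted or notes),
    }


def build_fixture(base=None) -> str:
    """Constructed sample tree: two renamed files, one untouched file, one HTML note."""
    base = Path(base or tempfile.mkdtemp(prefix="locky-sweep-"))
    docs = base / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "1A2B3C4D.thor").write_bytes(b"\x00" * 32)
    (docs / "5E6F7A8B.thor").write_bytes(b"\x00" * 32)
    (docs / "untouched.txt").write_text("still readable")
    (base / "_WHAT_is.html").write_text(
        '<html><body><a href="http://example-note.onion/">pay</a> '
        '<a href="http://example-note.tor2web.invalid/">mirror</a></body></html>'
    )
    return str(base)


if __name__ == "__main__":
    result = sweep(build_fixture())
    print("infected:", result["infected"])
    print("encrypted per directory:", result["per_directory"])
    print("note domains:", result["note_domains"])
```

Run it against a mounted image or a live host's user profile; the per-directory counts and the earliest mtime give a quick picture of where encryption started and how far it got, and the note domains are the indicators to block at the proxy.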



Shown above:  Ransom payment was 3.0 bitcoin for the infections I generated.


FINAL NOTES

Once again, here is the associated archive:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
