2016-11-21 - "AESIR" VARIANT LOCKY MALSPAM

ASSOCIATED FILES:

  • 2016-11-21-Locky-malspam-info.csv   (7,045 bytes)
  • 2016-11-21-traffic-example-from-locky-malspam.pcap   (338,107 bytes)
  • artifacts-from-infected-hosts / 2016-11-21-Locky-DLL-sample.dll   (286,720 bytes)
  • artifacts-from-infected-hosts / 2016-11-21-Locky-Decryptor-style.css   (3,602 bytes)
  • artifacts-from-infected-hosts / 2016-11-21-Locky-Decryptor.htm   (6,557 bytes)
  • artifacts-from-infected-hosts / 2016-11-21-Locky-decryption-instructions-INSTRUCTION.html   (8,257 bytes)
  • artifacts-from-infected-hosts / 2016-11-21-Locky-decryption-instructions-INSTRUCTION.jpg   (804,526 bytes)
  • attachments / ORDER-050-8378457-6432583.zip   (7,613 bytes)
  • attachments / ORDER-164-1897058-5410357.zip   (7,638 bytes)
  • attachments / ORDER-210-2356200-4106706.zip   (7,631 bytes)
  • attachments / ORDER-269-4312087-7600497.zip   (7,602 bytes)
  • attachments / ORDER-291-2608445-1000757.zip   (7,623 bytes)
  • attachments / ORDER-478-9353190-9763851.zip   (7,635 bytes)
  • attachments / ORDER-614-0205103-8611455.zip   (7,607 bytes)
  • attachments / ORDER-660-0384203-6833726.zip   (7,622 bytes)
  • attachments / ORDER-661-0378261-3171277.zip   (7,633 bytes)
  • attachments / ORDER-860-8499201-7275519.zip   (7,637 bytes)
  • attachments / pm09BA8F5.zip   (7,623 bytes)
  • attachments / pm589EC21.zip   (7,615 bytes)
  • attachments / pm648504.zip   (7,603 bytes)
  • attachments / pm6D72C.zip   (7,623 bytes)
  • attachments / pm85CD0.zip   (7,667 bytes)
  • attachments / pmAA0.zip   (7,658 bytes)
  • attachments / pmCA3F.zip   (7,624 bytes)
  • attachments / pmED847.zip   (7,598 bytes)
  • attachments / pmFB2.zip   (7,603 bytes)
  • attachments / pmFEB84D74.zip   (7,617 bytes)
  • emails / 2016-11-21-0904-UTC.eml   (12,063 bytes)
  • emails / 2016-11-21-0905-UTC.eml   (12,052 bytes)
  • emails / 2016-11-21-0906-UTC.eml   (12,070 bytes)
  • emails / 2016-11-21-0907-UTC.eml   (12,043 bytes)
  • emails / 2016-11-21-0912-UTC.eml   (12,043 bytes)
  • emails / 2016-11-21-0917-UTC.eml   (12,118 bytes)
  • emails / 2016-11-21-0922-UTC.eml   (12,052 bytes)
  • emails / 2016-11-21-0925-UTC.eml   (12,037 bytes)
  • emails / 2016-11-21-0929-UTC.eml   (12,124 bytes)
  • emails / 2016-11-21-0931-UTC.eml   (12,047 bytes)
  • emails / 2016-11-21-0935-UTC.eml   (11,810 bytes)
  • emails / 2016-11-21-0937-UTC.eml   (11,771 bytes)
  • emails / 2016-11-21-0938-UTC.eml   (11,798 bytes)
  • emails / 2016-11-21-0942-UTC.eml   (11,793 bytes)
  • emails / 2016-11-21-0955-UTC.eml   (11,775 bytes)
  • emails / 2016-11-21-1012-UTC.eml   (11,773 bytes)
  • emails / 2016-11-21-1018-UTC.eml   (11,788 bytes)
  • emails / 2016-11-21-1020-UTC.eml   (11,773 bytes)
  • emails / 2016-11-21-1032-UTC.eml   (11,753 bytes)
  • emails / 2016-11-21-1035-UTC.eml   (11,736 bytes)
  • extracted-files / BYDICK290731.js   (25,445 bytes)
  • extracted-files / DYXULJ871830.js   (25,118 bytes)
  • extracted-files / FBBNL821441.js   (25,448 bytes)
  • extracted-files / FPORUT712221.js   (25,738 bytes)
  • extracted-files / HDXWS173226.js   (25,448 bytes)
  • extracted-files / JVCKEE503541.js   (25,095 bytes)
  • extracted-files / JXWOS353240.js   (26,653 bytes)
  • extracted-files / NNVVB261314.js   (25,400 bytes)
  • extracted-files / NTTVY562239.js   (25,469 bytes)
  • extracted-files / OBMFOR383123.js   (25,148 bytes)
  • extracted-files / OSLELN972414.js   (26,401 bytes)
  • extracted-files / PSBLD450107.js   (25,437 bytes)
  • extracted-files / UXKZF552145.js   (25,144 bytes)
  • extracted-files / WXVAQF951210.js   (25,459 bytes)
  • extracted-files / XHSEU550740.js   (26,384 bytes)
  • extracted-files / XXWHA143018.js   (25,708 bytes)
  • extracted-files / YHIOE303045.js   (26,652 bytes)
  • extracted-files / YKULQ123727.js   (26,657 bytes)

 

NOTES:


Shown above:  Locky's authors are sticking with Norse mythology for the encrypted-file extension: .aesir follows the earlier .odin and .thor extensions.

 

EMAILS


Shown above:  Data from 20 Locky malspam examples (part 1 of 2).

 


Shown above:  Data from 20 Locky malspam examples (part 2 of 2).

 


Shown above:  An example from the first wave of these emails.

 


Shown above:  An example from the second wave of these emails.
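The artifacts above follow the usual chain for this campaign: an .eml carries a ZIP attachment, the ZIP holds a single .js downloader, and the script fetches the Locky DLL.  The following triage helper is an added example written for this page; it is not part of the archive or of any tool the page describes.  It parses .eml files, extracts every ZIP attachment (checked by magic bytes, not by the filename), lists the ZIP members, flags script-type names, and records SHA256 hashes so they can be compared against the CSV and the FILE HASHES section.  The sample message it builds in build_sample_eml() is constructed for the demo (sender, subject, attachment name and script body are all made up), so the block runs offline; point it at real .eml files on the command line to triage a capture.

```python
"""Triage ZIP attachments from .eml malspam samples (added example)."""
import hashlib
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions that commonly carry a script downloader inside malspam ZIPs.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def build_sample_eml() -> bytes:
    """Construct a fake malspam message for the demo (all values made up)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder script body; a real sample would be obfuscated JScript.
        zf.writestr("EXAMPLE000000.js", "var x = 'placeholder';\n")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Order #000-0000000-0000000"
    msg.set_content("Please find your order attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="ORDER-000-0000000-0000000.zip")
    return msg.as_bytes()


def triage_eml(raw: bytes) -> list:
    """Return one record per ZIP attachment: hashes, members, script flags."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Trust the magic bytes, not the declared name or MIME type:
        # malspam routinely mislabels attachments.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        entry = {
            "attachment": name,
            "zip_size": len(payload),
            "zip_sha256": hashlib.sha256(payload).hexdigest(),
            "members": [],
        }
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    # read() raises RuntimeError on password-protected entries.
                    data = zf.read(info)
                    entry["members"].append({
                        "name": info.filename,
                        "size": info.file_size,
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "script": info.filename.lower().endswith(SCRIPT_EXTENSIONS),
                    })
        except (zipfile.BadZipFile, RuntimeError) as exc:
            # Keep the record so a corrupt or encrypted ZIP is still reported.
            entry["error"] = str(exc)
        findings.append(entry)
    return findings


def has_script_attachment(findings: list) -> bool:
    """True if any ZIP attachment contains a script-type member."""
    return any(m["script"] for f in findings for m in f.get("members", []))


if __name__ == "__main__":
    import json
    import sys
    paths = sys.argv[1:]
    raws = [open(p, "rb").read() for p in paths] or [build_sample_eml()]
    for raw in raws:
        result = triage_eml(raw)
        print(json.dumps(result, indent=2))
        print("script downloader present:", has_script_attachment(result))
```

Hashes of the extracted members are what you compare against the .js and DLL entries on this page; the ZIP hashes differ per message even when the payload is identical, since each ZIP is built separately.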

 

TRAFFIC


Shown above:  An example of infection traffic from one of the emails.

 

TRAFFIC GENERATED FROM THE EXTRACTED .JS SCRIPTS:

 

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

 

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

LOCKY DLL SAMPLES:

 

IMAGES


Shown above:  Screen shot from an infected Windows desktop.  Note the .aesir file extension.

 


Shown above:  Ransom payment was 3.0 bitcoin for the infections I generated.

 

FINAL NOTES

Once again, here is the associated archive:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
