2016-12-12 - "OSIRIS" VARIANT LOCKY MALSPAM WITH ZIP ATTACHMENTS CONTAINING .JSE FILES

ASSOCIATED FILES:

NOTES:


Shown above:  Chain of events for an infection from this malspam.

 

EMAILS

SUBJECT LINES:

 


Shown above:  Data from 20 Locky malspam examples (part 1 of 2).

 


Shown above:  Data from 20 Locky malspam examples (part 2 of 2).

 


Shown above:  An example from these emails.

 

TRAFFIC


Shown above:  An example of infection traffic by the Excel sheets from one of the emails.

 

EXAMPLES OF TRAFFIC GENERATED BY THE .JSE FILES RETRIEVING THE LOCKY BINARY:

 

POST-INFECTION CALLBACK FROM THE LOCKY SAMPLE:

 

TOR DOMAIN FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

LOCKY DLL FILE:

 

ZIP ATTACHMENTS FROM THE MALSPAM (SHA256 HASH - FILE NAME):

 

.JSE FILES EXTRACTED FROM THE ZIP ATTACHMENTS (SHA256 HASH - FILE NAME):

 

IMAGES


Shown above:  Screen shot from an infected Windows desktop.  Note the .osiris file extension.

 


Shown above:  Ransom payment was 1.5 bitcoin for the infections I generated.

 


Shown above:  There was an error in emails from this wave of malspam, causing .dzip attachments instead of .zip attachments.

 

FINAL NOTES

Once again, here are the associated archives:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.