2017-09-15 - BLANK SLATE MALSPAM PUSHES LOCKY RANSOMWARE

ASSOCIATED FILES:

SOME BACKGROUND:

TODAY'S NOTES:

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 


Shown above:  Screenshot from one of the emails.

 

EMAILS COLLECTED:

 

TRAFFIC


Shown above:  Example of the infection traffic filtered in Wireshark.

 

URLS FROM THE WORD MACROS TO DOWNLOAD FOLLOW-UP MALWARE (LOCKY):

POST-INFECTION IP ADDRESSES (SAW ATTEMPTED TCP CONNECTIONS BUT NO HTTP TRAFFIC):

USUAL TOR DOMAIN FOR THE LOCKY DECRYPTOR:
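The two traffic lists above (URLs requested by the Word macros, and post-infection IP addresses that only saw TCP connection attempts with no HTTP) are what a first pass over the pcap has to separate.  The script below is an added example of that triage, not code from this page or its author.  It works on packet records of the kind tshark exports, groups them into flows from the infected host, pulls the URL out of any HTTP request line, and reports every other peer as a TCP-only connection attempt, noting whether the handshake ever completed.  All packets in it are constructed with RFC 5737 documentation addresses and placeholder hostnames/paths; they are not the indicators from the 2017-09-15 traffic.

```python
"""Triage tshark-style packet records into macro-download URLs and
post-infection TCP-only peers.  Added example, not from the original page.
All sample packets are constructed (RFC 5737 addresses, placeholder URL)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags as tshark prints them: S, SA, A, PA, R, FA
    payload: bytes


def parse_http_request(payload: bytes) -> Optional[str]:
    """Return the URL of an HTTP/1.x request, or None if payload is not one."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if (len(parts) != 3 or parts[0] not in ("GET", "POST")
            or not parts[2].startswith("HTTP/1.")):
        return None
    host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                 if ln.lower().startswith("host:")), None)
    return f"http://{host}{parts[1]}" if host else None


Flow = Tuple[str, int, int]   # (peer ip, peer port, client port)


def group_flows(packets: List[Packet], client: str) -> Dict[Flow, List[Packet]]:
    """Group packets to/from the infected host by peer address and ports."""
    flows: Dict[Flow, List[Packet]] = defaultdict(list)
    for p in packets:
        if p.src == client:
            flows[(p.dst, p.dport, p.sport)].append(p)
        elif p.dst == client:
            flows[(p.src, p.sport, p.dport)].append(p)
    return flows


def triage(packets: List[Packet], client: str):
    """Return (urls, tcp_only): URLs the client requested over HTTP, and a
    map of peer IP -> {"ports": [...], "handshake_completed": bool} for
    peers that saw TCP connection attempts but no HTTP request at all."""
    urls: List[str] = []
    tcp_only: Dict[str, dict] = {}
    http_peers = set()
    for (peer, pport, _cport), pkts in group_flows(packets, client).items():
        requests = [u for u in (parse_http_request(p.payload)
                                for p in pkts if p.src == client) if u]
        if requests:
            urls.extend(requests)
            http_peers.add(peer)
            continue
        completed = any(p.src == peer and p.flags == "SA" for p in pkts)
        entry = tcp_only.setdefault(peer, {"ports": set(), "handshake_completed": False})
        entry["ports"].add(pport)
        entry["handshake_completed"] = entry["handshake_completed"] or completed
    for peer in http_peers:          # a peer that served HTTP is not "TCP only"
        tcp_only.pop(peer, None)
    for entry in tcp_only.values():
        entry["ports"] = sorted(entry["ports"])
    return urls, tcp_only


INFECTED = "10.9.15.101"   # constructed address of the infected Windows host
SAMPLE = [
    # macro download over HTTP (constructed placeholder URL, not a real IOC)
    Packet(INFECTED, "192.0.2.10", 49200, 80, "S", b""),
    Packet("192.0.2.10", INFECTED, 80, 49200, "SA", b""),
    Packet(INFECTED, "192.0.2.10", 49200, 80, "A", b""),
    Packet(INFECTED, "192.0.2.10", 49200, 80, "PA",
           b"GET /placeholder/download.bin HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    Packet("192.0.2.10", INFECTED, 80, 49200, "PA",
           b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ"),
    # post-infection attempt: SYN answered with RST
    Packet(INFECTED, "198.51.100.20", 49201, 443, "S", b""),
    Packet("198.51.100.20", INFECTED, 443, 49201, "R", b""),
    # post-infection attempt: handshake completes, no data, peer closes
    Packet(INFECTED, "198.51.100.21", 49202, 80, "S", b""),
    Packet("198.51.100.21", INFECTED, 80, 49202, "SA", b""),
    Packet(INFECTED, "198.51.100.21", 49202, 80, "A", b""),
    Packet("198.51.100.21", INFECTED, 80, 49202, "FA", b""),
    # post-infection attempt: retransmitted SYN, never answered
    Packet(INFECTED, "198.51.100.22", 49203, 80, "S", b""),
    Packet(INFECTED, "198.51.100.22", 49203, 80, "S", b""),
    # unrelated traffic from another host; must be ignored
    Packet("10.9.15.50", "192.0.2.10", 51000, 80, "S", b""),
]

if __name__ == "__main__":
    urls, tcp_only = triage(SAMPLE, INFECTED)
    print("URLs:", urls)
    print("TCP-only peers:", tcp_only)
```

In a Wireshark session the same split is what a display filter like http.request followed by tcp.flags.syn==1 && tcp.flags.ack==0 gives you by hand; the point of scripting it is that the "no HTTP" condition is per flow, so a peer that answered a SYN but never received a request still lands in the second list rather than being lost between the two filters.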

 

ASSOCIATED FILES


Shown above:  Example of an attachment from one of the emails.

 

ATTACHED WORD DOCUMENTS:

 

FOLLOW-UP MALWARE (LOCKY BINARIES):

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  The Locky decryptor showing today's ransom cost.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
