2017-09-18 - NECURS BOTNET MALSPAM PUSHING ".YKCOL" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

NOTES:

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 


Shown above:  Screenshot of an email from the 1st wave.

 


Shown above:  Screenshot of an email from the 2nd wave.

 

EMAILS COLLECTED:

Read: Date/Time -- Sending email address (spoofed) -- Subject -- Attachment name -- Extracted VBS file name
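The rows above follow a fixed five-field layout, so they can be parsed and compared wave by wave instead of read by eye. The script below is an added example, not code or data from the original page: it parses rows in that layout, splits them into waves by quiet time (the two waves shown in the email screenshots are the kind of grouping it produces), and summarizes each wave. The " -- " delimiter, the "YYYY-MM-DD HH:MM" timestamp format, and every sample row are assumptions; the sample rows are constructed placeholders and are not indicators from this campaign.

```python
"""Parser for tracker rows in the 'Date/Time -- Sender -- Subject -- Attachment -- VBS' layout.

Added example: the timestamp format, the delimiter and the sample rows are assumptions,
not data from the original page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from os.path import splitext
from typing import List

FIELD_SEP = " -- "             # assumption: fields are separated by " -- " as in the "Read:" line
TS_FORMAT = "%Y-%m-%d %H:%M"   # assumption: how the tracker writes Date/Time


@dataclass(frozen=True)
class TrackerRow:
    timestamp: datetime
    sender: str       # sending address as it appeared in the header (spoofed)
    subject: str
    attachment: str   # archive attached to the email
    vbs_name: str     # script extracted from that archive


def parse_tracker_line(line: str) -> TrackerRow:
    """Split one tracker row into its five fields; reject rows with the wrong shape."""
    parts = [p.strip() for p in line.split(FIELD_SEP)]
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    return TrackerRow(datetime.strptime(parts[0], TS_FORMAT), *parts[1:])


def parse_tracker(text: str) -> List[TrackerRow]:
    """Parse every non-empty, non-comment line of a tracker dump."""
    return [parse_tracker_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def split_waves(rows: List[TrackerRow], gap: timedelta = timedelta(hours=2)) -> List[List[TrackerRow]]:
    """Group emails into waves: a new wave starts when the quiet time since the previous email exceeds `gap`."""
    waves: List[List[TrackerRow]] = []
    for row in sorted(rows, key=lambda r: r.timestamp):
        if waves and row.timestamp - waves[-1][-1].timestamp <= gap:
            waves[-1].append(row)
        else:
            waves.append([row])
    return waves


def wave_summary(wave: List[TrackerRow]) -> dict:
    """Condense one wave into the fields an analyst compares between waves."""
    return {
        "start": wave[0].timestamp,
        "end": wave[-1].timestamp,
        "count": len(wave),
        "subjects": sorted({r.subject for r in wave}),
        "archive_types": sorted({splitext(r.attachment)[1].lower() for r in wave}),
        "script_types": sorted({splitext(r.vbs_name)[1].lower() for r in wave}),
        # lures whose extracted script is not actually a .vbs deserve a second look
        "not_vbs": [r.vbs_name for r in wave if not r.vbs_name.lower().endswith(".vbs")],
    }


# Constructed placeholder rows in the tracker layout; they are NOT indicators from the original page.
SAMPLE_TRACKER = """\
# Date/Time -- Sending email address (spoofed) -- Subject -- Attachment name -- Extracted VBS file name
2017-09-18 07:12 -- a@example.invalid -- Invoice 0001 -- Invoice_0001.7z -- Invoice_0001.vbs
2017-09-18 07:41 -- b@example.invalid -- Invoice 0002 -- Invoice_0002.7z -- Invoice_0002.vbs
2017-09-18 08:05 -- c@example.invalid -- Invoice 0003 -- Invoice_0003.7z -- Invoice_0003.vbs
2017-09-18 13:30 -- d@example.invalid -- Scanned document -- Scan_0001.zip -- Scan_0001.vbs
2017-09-18 13:52 -- e@example.invalid -- Scanned document -- Scan_0002.zip -- Scan_0002.vbs
"""

if __name__ == "__main__":
    for n, wave in enumerate(split_waves(parse_tracker(SAMPLE_TRACKER)), start=1):
        print(f"wave {n}:", wave_summary(wave))
```

The two-hour gap is a tunable; Necurs runs tend to arrive in bursts, so a shorter gap splits a long run into more waves and a longer one merges them. Feeding the real tracker export through parse_tracker() will raise on any row that does not have exactly five " -- " separated fields, which also catches subjects that themselves contain the delimiter.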

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark (no post-infection traffic noted).

 

URLS FROM THE VBS FILES TO DOWNLOAD LOCKY:

 

ASSOCIATED FILES

SHA256 HASHES:

 

IMAGES


Shown above:  Screenshot from an infected Windows desktop--Encrypted files all have a .ykcol file extension.

 


Shown above:  Locky Decryptor, where it looks like the ransom cost is 0.25 Bitcoin now.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.