2017-10-04 - BLANK SLATE MALSPAM PUSHES ".YKCOL" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

SOME BACKGROUND:

TODAY'S NOTES:


EMAILS


Shown above: Screenshot from the spreadsheet tracker.



Shown above: Screenshot from one of the emails.


EMAILS COLLECTED:

ATTACHMENT INFO:


TRAFFIC


Shown above: Example of the infection traffic filtered in Wireshark (1 of 3).



Shown above: Example of the infection traffic filtered in Wireshark (2 of 3).



Shown above: Example of the infection traffic filtered in Wireshark (3 of 3).


TRAFFIC GENERATED BY .JS FILES TO DOWNLOAD LOCKY:

LOCKY POST-INFECTION TRAFFIC:

TOR DOMAIN FOR THE LOCKY DECRYPTOR (SAME ONE FOR A LONG TIME NOW):


ASSOCIATED FILES


Shown above: One of the attached zip archives and its contents.


ATTACHMENTS:

EXTRACTED .JS FILES:

FOLLOW-UP MALWARE (LOCKY BINARIES):

LOCKY EXECUTED FROM THE LOCAL HOST AT:


IMAGES


Shown above: Desktop of an infected Windows host.



Shown above: The Locky decryptor showing today's ransom cost.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.