2017-10-11 - FTFY: NECURS BOTNET MALSPAM PUSHING ".ASASIN" VARIANT LOCKY RANSOMWARE

ASSOCIATED FILES:

NOTES:


Shown above:  This malspam wouldn't do well on the Maury Povich Show.

 

EMAILS

EMAILS COLLECTED:


Shown above:  Screenshot showing part of the spreadsheet data.

Read: Date/Time -- Sending email address (spoofed) -- Subject

 

Read: Date/Time -- Attachment name -- Extracted file name

 


Shown above:  One of today's emails as seen with the messed formatting.

 


Shown above:  One of today's emails after I FTFY.

 


Shown above:  An example of today's attachments, extracted from one of the fixed emails.

 

TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.

 

URLS FROM THE VBS FILES TO DOWNLOAD LOCKY (2017-10-10 & 2017-10-11):

 

OTHER RELATED TRAFFIC GENERATED BY THE 2017-10-11 ATTACHMENTS:

 

ASSOCIATED FILES

SHA256 HASHES FOR ATTACHMENTS:

SHA256 HASHES FOR EXTRACTED FILES:

SHA256 HASH FOR THE LOCKY BINARY I RETRIEVED TODAY:

 

IMAGES


Shown above:  Screenshot from an infected Windows desktop. Encrypted files all have a .asasin file extension.

 


Shown above:  Locky Decryptor, where the ransom cost was 0.25 Bitcoin.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
