2017-11-09 - NECURS BOTNET MALSPAM STILL PUSHING LOCKY RANSOMWARE

ASSOCIATED FILES:

 

NOTES:


Shown above:  Chain of events for the recent infections.

 

EMAILS


Shown above:  Screenshot from the spreadsheet tracker.

 

EMAIL HEADERS:

 

WORD ATTACHMENTS


Shown above:  An example of the attached Word documents.

 


Shown above:  A closer look at the embedded object (a shortcut for Powershell to download and run Locky).

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 


Shown above:  Powershell loading script with list of URLs for Locky.

 


Shown above:  Powershell downloading the Locky binary.

 

URLS GENERATED BY THE WORD ATTACHMENTS - 1ST WAVE:

URLS GENERATED BY THE WORD ATTACHMENTS - 2ND WAVE:

URLS TO RETRIEVE LOCKY RANSOMWARE BINARY - 1ST WAVE:

URLS TO RETRIEVE LOCKY RANSOMWARE BINARY - 2ND WAVE:

 

FILE HASHES

ATTACHED WORD DOCUMENTS:

DOWNLOADED LOCKY RANSOMWARE BINARIES:

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.