2018-03-26 - MALSPAM PUSHING SIGMA RANSOMWARE

ASSOCIATED FILES:

  • 2018-03-26-Sigma-ransomware-malspam-infection-traffic.pcap   (12,507,887 bytes)
  • 63-password-removed.doc   (27,802 bytes)
  • 63.doc   (37,376 bytes)
  • 82.doc   (37,376 bytes)
  • 89.doc   (37,376 bytes)
  • 144.doc   (37,376 bytes)
  • 175.doc   (37,376 bytes)
  • 180.doc   (37,376 bytes)
  • 184.doc   (37,376 bytes)
  • 227.doc   (37,376 bytes)
  • 254.doc   (37,376 bytes)
  • 301.doc   (37,376 bytes)
  • 316.doc   (37,376 bytes)
  • 340.doc   (37,376 bytes)
  • 395.doc   (37,376 bytes)
  • 458.doc   (37,376 bytes)
  • 463.doc   (37,376 bytes)
  • 487.doc   (37,376 bytes)
  • 2018-03-26-Sigma-ransomware-ReadMe.html   (4,565 bytes)
  • 2018-03-26-Sigma-ransomware-ReadMe.txt   (1,969 bytes)
  • 2018-03-26-Sigma-ransomware-initial-download-1-of-2-45.png-self-extracting-archive.exe   (53,022 bytes)
  • 2018-03-26-Sigma-ransomware-initial-download-2-of-2-icon.png.exe   (3,456,974 bytes)
  • 2018-03-26-malware-extracted-from-45.png-file-svchost.exe   (122,880 bytes)

 

NOTES:


Shown above:  Screenshot sent by the person who notified me of this malspam.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs:

 

EMAILS

EMAIL INFO:

 

EXAMPLES OF PASSWORD-PROTECTED WORD DOCUMENTS ASSOCIATED WITH THIS MALSPAM (ALL ARE 37,376 BYTES):

 


Shown above:  Opening one of the associated Word documents from this malspam requests a password.

 


Shown above:  After that, you're presented with a macro to enable.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:
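The file list at the top shows the two initial downloads were fetched under image names (45.png, icon.png) but were actually executables. The script below is an added example, not code from this page's author: it parses a classic pcap without third-party libraries, pairs each HTTP request with its response on the same TCP connection, and flags responses whose body begins with an executable header (MZ or ELF) while the request path or Content-Type claims an image. The capture it runs on is constructed inline (the IP addresses, port, hostname and paths are assumptions, not values taken from this infection).

```python
import struct

# Constructed sample addresses; not the hosts seen in this capture.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")           # PE and ELF file headers
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Build an Ethernet/IPv4/TCP frame around a payload (checksums left zero)."""
    ip_src = bytes(int(o) for o in src_ip.split("."))
    ip_dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # dummy MACs, EtherType IPv4


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1522022400 + i, 0, len(frame), len(frame)) + frame
    return out


def http_get(path):
    return b"GET " + path.encode() + b" HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def http_response(content_type, body):
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type.encode()
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed capture: two executables served under image names, one real PNG,
# and one executable served honestly as .exe (should not be flagged).
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 49152, SERVER, 80, http_get("/45.png")),
    build_frame(SERVER, 80, CLIENT, 49152, http_response("image/png", b"MZ\x90\x00" + b"\x00" * 60)),
    build_frame(CLIENT, 49153, SERVER, 80, http_get("/logo.png")),
    build_frame(SERVER, 80, CLIENT, 49153, http_response("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)),
    build_frame(CLIENT, 49154, SERVER, 80, http_get("/icon.png")),
    build_frame(SERVER, 80, CLIENT, 49154, http_response("application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60)),
    build_frame(CLIENT, 49155, SERVER, 80, http_get("/update.exe")),
    build_frame(SERVER, 80, CLIENT, 49155, http_response("application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60)),
])


def iter_pcap_packets(data):
    """Yield raw frames from a classic pcap, honouring either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:14 + ip_total]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[doff:]


def find_disguised_executables(pcap_bytes):
    """Flag HTTP responses that carry an executable under an image path or image Content-Type."""
    pending = {}    # (client, cport, server, sport) -> last requested path
    findings = []
    for frame in iter_pcap_packets(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[4]:
            continue
        src, sport, dst, dport, payload = parsed
        if payload.startswith((b"GET ", b"POST ")):
            pending[(src, sport, dst, dport)] = payload.split(b" ", 2)[1].decode("ascii", "replace")
        elif payload.startswith(b"HTTP/"):
            head, sep, body = payload.partition(b"\r\n\r\n")
            if not sep:
                continue          # headers not complete in this segment
            content_type = ""
            for line in head.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-type":
                    content_type = value.strip().decode("ascii", "replace")
            path = pending.get((dst, dport, src, sport), "?")
            claims_image = content_type.lower().startswith("image/") or path.lower().endswith(IMAGE_EXTENSIONS)
            if body.startswith(EXECUTABLE_MAGIC) and claims_image:
                findings.append({"server": src, "path": path, "content_type": content_type,
                                 "magic": body[:4].hex()})
    return findings


if __name__ == "__main__":
    for hit in find_disguised_executables(SAMPLE_PCAP):
        print(hit)
```

The parser looks only at the TCP segment that carries the start of the response, which is enough to read the status line, headers and the first bytes of the body; a real capture with large downloads needs TCP stream reassembly before the same check, which is what Wireshark's "Follow TCP Stream" or a tool like tshark does for you. Matching on the body's magic bytes rather than on the filename is the point: a server can name a file anything, but a PE payload still starts with MZ.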

 

TOR ADDRESSES FROM THE DECRYPTION INSTRUCTIONS (UNCHANGED FROM LAST TIME):

 

FILE HASHES

MALWARE RETRIEVED FROM AN INFECTED WINDOWS HOST:

 

IMAGES


Shown above:  Desktop background from an infected Windows host.

 


Shown above:  Decryption instructions from an HTML file dropped to the infected user's desktop.

 


Shown above:  Sigma ransomware decryptor.

 


Shown above:  Example of encrypted files from the Sigma ransomware infection.

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
