2018-04-17 - "ZERO-GAND" MALSPAM ACTIVE AGAIN SINCE MONDAY 2018-04-16

ASSOCIATED FILES:

NOTES:


Shown above:  Screenshot from the malspam tracker.

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains.  With the exception of "uh.exe", all of this has been previously reported.

 

EMAIL

DATA FROM 40 EMAILS:

 

TRAFFIC


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  Notice how some of the DNS traffic goes to public IP addresses, which differs from the resolver normally configured on the host (in this case, the normal resolver is 10.4.17.1).
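The resolver anomaly shown in the screenshot is a simple thing to hunt for: any DNS query whose destination is not the resolver the host is configured to use. The script below is an added example, not part of the original post or its pcap. The only value taken from the write-up is the expected resolver 10.4.17.1; the flow records are constructed for illustration and the query names are placeholders. In practice the tuples would come from something like `tshark -r infection.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e ip.dst -e udp.dstport -e dns.qry.name`.

```python
"""Flag DNS queries that bypass the expected local resolver.

Added example (not from the original write-up). Only EXPECTED_RESOLVER comes
from the post; every flow below is constructed and the names are placeholders.
"""
import ipaddress
from collections import Counter

# Normal DNS server for the lab network in the write-up.
EXPECTED_RESOLVER = "10.4.17.1"

# Constructed sample flows: (src, dst, dst_port, proto, query_name).
SAMPLE_FLOWS = [
    ("10.4.17.101", "10.4.17.1",     53, "udp", "update.example"),
    ("10.4.17.101", "10.4.17.1",     53, "udp", "stage.example"),
    ("10.4.17.101", "8.8.8.8",       53, "udp", "stage.example"),      # public resolver
    ("10.4.17.101", "1.1.1.1",       53, "tcp", "stage.example"),      # public resolver, DNS over TCP
    ("10.4.17.101", "10.4.17.2",     53, "udp", "lookup.example"),     # internal, but not the configured one
    ("10.4.17.101", "203.0.113.10",  80, "tcp", ""),                   # HTTP, must be ignored
    ("10.4.17.101", "10.4.17.1",    853, "tcp", ""),                   # not plain DNS on 53, ignored here
]


def classify_resolver(dst, expected=EXPECTED_RESOLVER):
    """Return 'expected', 'public' or 'unexpected_internal' for a DNS destination."""
    if dst == expected:
        return "expected"
    if ipaddress.ip_address(dst).is_global:
        return "public"
    return "unexpected_internal"


def unexpected_dns(flows, expected=EXPECTED_RESOLVER):
    """Return the DNS flows (udp/tcp port 53) that did not go to the expected resolver."""
    hits = []
    for src, dst, dport, proto, qname in flows:
        if dport != 53 or proto not in ("udp", "tcp"):
            continue  # not DNS on port 53; out of scope for this check
        kind = classify_resolver(dst, expected)
        if kind == "expected":
            continue
        hits.append({"src": src, "resolver": dst, "proto": proto,
                     "qname": qname, "kind": kind})
    return hits


def resolver_summary(hits):
    """Count hits per (resolver, kind) so the odd resolvers stand out at a glance."""
    return Counter((h["resolver"], h["kind"]) for h in hits)


def wireshark_filter(expected=EXPECTED_RESOLVER):
    """Equivalent Wireshark display filter: DNS queries not sent to the expected resolver."""
    return f"dns.flags.response == 0 && !(ip.dst == {expected})"


if __name__ == "__main__":
    found = unexpected_dns(SAMPLE_FLOWS)
    for h in found:
        print(f"{h['src']} -> {h['resolver']} ({h['kind']}, {h['proto']}) {h['qname']}")
    print(resolver_summary(found))
    print("Wireshark filter:", wireshark_filter())
```

Splitting the non-expected resolvers into public and unexpected-internal matters in practice: queries to public resolvers from a workstation that should only talk to an internal DNS server are the signal the screenshot points at, while a second internal resolver is more likely a configuration difference worth confirming before it is treated as an indicator.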

 

TRAFFIC FROM AN INFECTED WINDOWS HOST:

DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES


Shown above:  One of the malspam attachments and its extracted JS file.

 

40 EMAIL ATTACHMENTS:

40 EXTRACTED .JS FILES:

GANDCRAB RANSOMWARE:

 

FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
