Malicious JavaScript downloads Locky Ransomware

ASSOCIATED DOMAINS:

  • 173.214.173.244 – allieddiesel.com – GET /8778h4g – Locky download
  • 51.254.240.60 – POST /userinfo.php – Locky post-infection traffic

Shown above: Malicious JavaScript downloads the Locky executable

Shown above: Filtering on HTTP POST requests in Wireshark shows the Locky post-infection traffic pattern, a POST to “userinfo.php”

Shown above: Following the TCP stream in Wireshark shows the Locky post-infection check-in to the C2 server
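As an added example that is not part of the original writeup, the following Python flags the two indicators listed above in a constructed HTTP request log and reproduces the Wireshark POST filter as a display-filter string; the log format, sample lines and function names are assumptions.

```python
"""Flag the Locky traffic pattern from the writeup: the JavaScript downloader's
GET for the payload and the post-infection POST to /userinfo.php.
Indicators come from the page; the log format and sample lines are constructed."""
import re
from typing import NamedTuple, Optional

# (method, host or None for any host, URI path, description) from the writeup.
LOCKY_INDICATORS = [
    ("GET", "allieddiesel.com", "/8778h4g", "Locky payload download"),
    ("POST", None, "/userinfo.php", "Locky post-infection check-in"),
]


class Alert(NamedTuple):
    src: str
    dst: str
    host: str
    description: str


# Constructed log format (assumed): "<src_ip> <dst_ip> <METHOD> <host> <uri>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")


def scan_http_log(lines):
    """Return one Alert per log line that matches a Locky indicator."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        src, dst, method, host, uri = m.groups()
        path = uri.split("?", 1)[0]  # ignore any query string
        for ind_method, ind_host, ind_path, desc in LOCKY_INDICATORS:
            host_ok = ind_host is None or host.lower() == ind_host
            if method == ind_method and host_ok and path == ind_path:
                alerts.append(Alert(src, dst, host, desc))
    return alerts


def wireshark_post_filter() -> str:
    """Display filter equivalent to the 'POST filter' step in the writeup."""
    return 'http.request.method == "POST" && http.request.uri contains "userinfo.php"'


# Constructed sample log: one download, one benign request, one check-in, one bad line.
SAMPLE_LOG = [
    "10.0.0.5 173.214.173.244 GET allieddiesel.com /8778h4g",
    "10.0.0.5 93.184.216.34 GET example.com /index.html",
    "10.0.0.5 51.254.240.60 POST 51.254.240.60 /userinfo.php",
    "not a valid log line",
]
```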

Shown above: Locky ransom note

ASSOCIATED JAVASCRIPT AND PAYLOAD: