Malicious JavaScript Sends Locky Ransomware Again

ASSOCIATED DOMAINS:

  • 119.59.120.4 – gridandgreen.co.th – GET /08j78h65e – Locky DOWNLOAD
  • 83.217.26.168 – POST /userinfo.php – POST-INFECTION CHECK-IN
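The two indicators above describe the full infection chain seen in the capture: a GET for the Locky binary from the compromised host, then a POST check-in to the command-and-control IP. The following script is an added example (not part of the original post) that runs those exact indicators over proxy-style log lines and classifies each client by how far along the chain it got. The log format (time, client IP, destination IP, method, host, URI, status) and the sample lines are constructed for illustration; the IPs, hostname, and URIs are the ones listed on this page.

```python
import re
from typing import Dict, List, Optional

# Indicators copied from the ASSOCIATED DOMAINS list on this page.
DOWNLOAD = "Locky download"
CHECKIN = "Locky post-infection check-in"
INDICATORS = [
    {"name": DOWNLOAD, "dst_ip": "119.59.120.4", "host": "gridandgreen.co.th",
     "method": "GET", "uri": "/08j78h65e"},
    # The page gives only an IP for the check-in, so no hostname is required.
    {"name": CHECKIN, "dst_ip": "83.217.26.168", "host": None,
     "method": "POST", "uri": "/userinfo.php"},
]

# Constructed sample log (assumed format: time client_ip dst_ip METHOD host uri status).
# Not from the original capture; built to exercise each branch of the classifier.
SAMPLE_LOG = """\
10:31:02 192.168.1.50 93.184.216.34 GET example.com /index.html 200
10:31:40 192.168.1.50 119.59.120.4 GET gridandgreen.co.th /08j78h65e 200
10:32:05 192.168.1.50 83.217.26.168 POST 83.217.26.168 /userinfo.php 200
10:40:11 192.168.1.77 119.59.120.4 GET gridandgreen.co.th /08j78h65e 404
10:41:00 192.168.1.90 83.217.26.168 GET 83.217.26.168 /userinfo.php 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<dst>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<uri>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicator(rec: Dict[str, str]) -> Optional[str]:
    """Return the indicator name a parsed record matches, or None.

    Every listed field must match: the IP alone is not enough, because the
    page ties each IP to a specific method and URI.
    """
    for ind in INDICATORS:
        if rec["dst"] != ind["dst_ip"] or rec["method"] != ind["method"]:
            continue
        if rec["uri"] != ind["uri"]:
            continue
        if ind["host"] is not None and rec["host"].lower() != ind["host"]:
            continue
        return ind["name"]
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse every line and return one hit per record that matches an indicator."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = match_indicator(rec)
        if name:
            hits.append({"name": name, "client": rec["client"],
                         "time": rec["time"], "status": int(rec["status"])})
    return hits


def classify_clients(hits: List[Dict[str, object]]) -> Dict[str, str]:
    """Summarise, per client, how far along the download -> check-in chain it got."""
    by_client: Dict[str, List[Dict[str, object]]] = {}
    for h in hits:
        by_client.setdefault(str(h["client"]), []).append(h)

    verdict: Dict[str, str] = {}
    for client, events in by_client.items():
        first = {}  # first log position of each indicator, in log order
        for i, e in enumerate(events):
            first.setdefault(e["name"], i)
        if DOWNLOAD in first and CHECKIN in first:
            verdict[client] = ("infected: download followed by check-in"
                               if first[DOWNLOAD] < first[CHECKIN]
                               else "infected: check-in seen before download")
        elif DOWNLOAD in first:
            served = any(e["status"] == 200 for e in events if e["name"] == DOWNLOAD)
            verdict[client] = ("payload downloaded, no check-in seen" if served
                               else "download attempted, non-200 response")
        else:
            verdict[client] = "check-in only, download not observed"
    return verdict


if __name__ == "__main__":
    for client, state in classify_clients(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: {state}")
```

Matching on the full tuple rather than the IP alone is deliberate: the 192.168.1.90 line in the sample reaches the check-in IP and URI but with a GET, so it is not reported, which mirrors the page's observation that the check-in is a POST. Loosen `match_indicator` if you want to hunt for variants that change the method or path but keep the server.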

 

IMAGES and DETAILS:

Shown above: Execution of the malicious JavaScript starts the download of the Locky ransomware binary

 

Shown above: Locky post-infection check-in traffic to the URI “userinfo.php”

 

Shown above: Locky ransom note set as the desktop background and dropped as .bmp and .html files

 

Shown above: Registry entry created by the Locky installation

 

ASSOCIATED JAVASCRIPT AND PAYLOAD: