Malspam Leads to Locky (.shit) (/linuxsucks.php)


  • – demoinfolink[.]com – GET /076wc?KEMaUkmgWf=TfJgJx
  • – naacllc[.]com – GET /076wc?KEMaUkmgWf=TfJgJx – Locky
  • – – POST /linuxsucks.php

Additional Distribution Domains from Hybrid-Analysis Report:

  • –
  • –
  • –



IDS Alerts:



SHA256: b1c35b291a296b948758729f9fc775504ec764098dbc5c2e02796ee4ab174e0e
File name: Receipt 17577-140426.wsf
Hybrid-Analysis Report

SHA256: b54802e6f6430c75d0683140ef0529c6603418b4ef602d80e85aaa88fe730c79
File name: AvURdJbXv2.dll

Infection Chain:

The user received an email from with the subject “Receipt 81-633468”. Opening the attachment shows it is a Windows Script File (.wsf) called “Receipt 17577-140426” (Downloader):


Executing “Receipt 17577-140426.wsf” is what generates the GET requests shown above in the Traffic section. The JScript contained within the .wsf has three hard-coded URLs from which the Locky payload can be downloaded.

The first GET request to returned a 404 and created AvURdJbXv1 in %Temp%. The second GET request for was successful as it returned the payload and dropped AvURdJbXv2.dll in %Temp%.


After the files are encrypted we see ransom notes popping up on the Desktop in both .html (_WHAT_is.html) and Bitmap formats (_WHAT_is.bmp):


The threat actors behind Locky seem to be having some fun as they changed the POST request URI to “/linuxsucks.php” as well as the file extension of encrypted files to “.shit” (SHIT File):
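As an added example (not from the original post), here is a small detector built only from the indicators documented above: the `/076wc?...` download URI on the two distribution domains, the `/linuxsucks.php` check-in POST, the `_WHAT_is.html` / `_WHAT_is.bmp` ransom notes and the `.shit` extension. The proxy log format and the sample lines are constructed for this example; the 198.51.100.7 address stands in for the check-in server, whose IP is not given here.

```python
import re
from typing import Optional

# Indicators taken from this write-up (domains shown de-fanged as [.] in the post).
LOCKY_DOWNLOAD_DOMAINS = {"demoinfolink.com", "naacllc.com"}
LOCKY_DOWNLOAD_URI = re.compile(r"^/076wc\?[A-Za-z0-9]+=[A-Za-z0-9]+$")
LOCKY_CHECKIN_URI = "/linuxsucks.php"
RANSOM_NOTE_NAMES = {"_WHAT_is.html", "_WHAT_is.bmp"}
ENCRYPTED_EXTENSION = ".shit"

# Hypothetical proxy log format, constructed for this example:
#   <timestamp> <client-ip> <METHOD> <host> <uri> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")

def classify_http_line(line: str) -> Optional[str]:
    """Return a detection label for one proxy log line, or None if benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, _client, method, host, uri, status = m.groups()
    if method == "GET" and LOCKY_DOWNLOAD_URI.match(uri):
        # The URI is the stable part of the download stage (same path on every
        # hard-coded URL); a 200 means the payload was actually served, as with
        # the second request in the write-up, while a 404 is still an attempt.
        known_host = host.lower() in LOCKY_DOWNLOAD_DOMAINS
        if status == "200":
            return "locky-payload-download"
        return "locky-download-attempt" + ("" if known_host else "-unknown-host")
    if method == "POST" and uri == LOCKY_CHECKIN_URI:
        return "locky-checkin"
    return None

def classify_filename(name: str) -> Optional[str]:
    """Flag ransom notes and renamed (encrypted) files by name alone."""
    base = re.split(r"[\\/]", name)[-1]
    if base in RANSOM_NOTE_NAMES:
        return "locky-ransom-note"
    if base.lower().endswith(ENCRYPTED_EXTENSION):
        return "locky-encrypted-file"
    return None

# Constructed sample log: mirrors the 404-then-200 download sequence above.
SAMPLE_LOG = """\
2016-10-25T10:01:02Z 10.0.0.5 GET demoinfolink.com /076wc?KEMaUkmgWf=TfJgJx 404
2016-10-25T10:01:05Z 10.0.0.5 GET naacllc.com /076wc?KEMaUkmgWf=TfJgJx 200
2016-10-25T10:02:10Z 10.0.0.5 POST 198.51.100.7 /linuxsucks.php 200
2016-10-25T10:02:11Z 10.0.0.5 GET www.example.com /index.html 200
"""

def scan_log(text: str) -> list:
    """Return (label, line) pairs for every line that matches an indicator."""
    return [(lbl, ln) for ln in text.splitlines() if (lbl := classify_http_line(ln))]
```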


