Anyone want a locky executable?


I got a spam on Thursday around 5 pm (I won't post the IP address the
direct-to-mx spam came from, but it's from a large mid-western US

Received:    from DELL-PC ([xxx.yyy.232.155])
Subject:     Ticket

Attachment:  TICKET-T(bunch of numbers).zip

Unzipped:  VA-bunch-of-numbers.js

I still say that Macro$haft should pull .zip file-handling /
decompression capability from Win-8/win-10, because (a) nobody
compresses files anymore (does windoze even have the native capability
to perform .zip compression?) and (b) it's bloody obvious that sending
these .js scripts (and many other forms of malware) as zip-compressed
email attachments is critical to the exploit chain of operation.

This script file:

 - Performs some HTTP requests  (
 - attempted to delay the analysis task by a long amount of time.
   (WScript.exe tried to sleep 1566864 seconds, actually delayed
    analysis time by 0 seconds)
 - Tries to unhook Windows functions monitored by Cuckoo
 - Installs itself for autorun at Windows startup
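The delivery chain above (a zip attachment carrying a .js script) is the point a mail gateway can catch before WScript ever runs. The following is an added example, not code from the original post: a Python check that parses a message, finds zip attachments by their magic bytes, and lists script-host members without extracting them. The message it builds is constructed sample data with an inert placeholder, not the actual spam.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Windows script-host extensions commonly delivered inside zip attachments.
# endswith() also catches double extensions such as "ticket.pdf.js".
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")


def find_scripts_in_zip(zip_bytes):
    """Return the script-host member names inside a zip without extracting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
            return [n for n in archive.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []  # not a zip after all; leave it to other checks


def flag_message(raw_message):
    """Return (attachment name, script members) for each zip attachment carrying a script."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Detect zips by the local-file-header magic, not by the declared filename.
        if not payload.startswith(b"PK\x03\x04"):
            continue
        members = find_scripts_in_zip(payload)
        if members:
            findings.append((part.get_filename() or "", members))
    return findings


def build_sample_message():
    """Constructed message shaped like the post's spam (inert placeholder, not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("VA-0000000000.js", "// inert placeholder\n")
    msg = EmailMessage()
    msg["From"] = "ticket@example.invalid"
    msg["Subject"] = "Ticket"
    msg.set_content("Please see the attached ticket.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="TICKET-T0000000000.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flag_message(build_sample_message()))
```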

"" is (currently) resolving to

rDNS for is is assigned to:

NetRange: -
NetName:        GNAXNET
Organization:   Global Net Access, LLC (GNAL-2)
Address:        1100 White St SW
City:           Atlanta
OrgTechPhone:   +1-404-230-9150  

The file 09y8hb7v6y7g was apparently analyzed at 7:32 pm Thursday night.

It's ID'd as Locky, i.e. ransomware.

By the way, still resolves to, and more than
48 hours later is still serving up the Locky payload:
