2016-12-21 Locky "Bills"

Racco42, Dec 22nd, 2016
2016-12-21: #locky email phishing campaign "Bills"

Email sample:
----------------------------------------------------------------------------------------------------------------------------
From: JACQUELINE BAILLIE <jacqueline.baillie@ccomme.net>
To: [REDACTED]
Subject: Bills
Date: Wed, 21 Dec 2016 13:10:08 -0300

Hi,

Please check the attached doc above.

Jacqueline

Attached: 677749022948_0001.docm
----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Bills"
- attached file "<12 digits>_0001.docm" is a Microsoft Word 2007+ file containing a macro that downloads the malware:

Download sites:

Malware:
- encoded on download: SHA256 2974569356b5f22d79af8d0ed9efbdc20a9a4e8dd8831a84f9f6568bc5df3a5a, MD5 2a85c6d7673d685aa3d1d29b82f9b9ff
- decoding (XOR) key: zuOBnhTXfSI4u0R2S24aaSauh99btOss
- decoded: SHA256 8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4, MD5 d4d8887e188d5dd86cb1f99d8c9912e5
- executed by "rundll32.exe %TEMP%\<filename>.aza,pass"
- sample: https://www.virustotal.com/file/8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4/analysis/1482396386/
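Added example (not part of the original paste): an analyst-side check that decodes a downloaded blob with the campaign XOR key and verifies the result against the reported decoded hashes. It assumes a repeating-key XOR, which the paste does not spell out; the payload bytes below are constructed, since the real sample is not on the page.

```python
import hashlib

# XOR key and decoded-payload hashes reported in the writeup above.
XOR_KEY = b"zuOBnhTXfSI4u0R2S24aaSauh99btOss"
EXPECTED_SHA256 = "8e451a03d9abf4767b65bc06f2659db11ddeea2049f556191a3f5cd2ba6534e4"
EXPECTED_MD5 = "d4d8887e188d5dd86cb1f99d8c9912e5"


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme). Applying it twice restores the input."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hashes(data: bytes) -> tuple:
    """(sha256, md5) hex digests, lowercase, for comparison with the writeup."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def verify_decoded(encoded: bytes, key: bytes, expected_sha256: str, expected_md5: str) -> bool:
    """True if decoding `encoded` with `key` yields the expected SHA256 and MD5."""
    sha, md5 = hashes(xor_decode(encoded, key))
    return sha == expected_sha256.lower() and md5 == expected_md5.lower()


# Constructed stand-in payload (a DLL would start with "MZ"), encoded with the campaign key.
SAMPLE_PLAIN = b"MZ" + b"\x90" * 30 + b"constructed-sample-payload"
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, XOR_KEY)

if __name__ == "__main__":
    # On a real download, compare against EXPECTED_SHA256 / EXPECTED_MD5 instead.
    sha, md5 = hashes(SAMPLE_PLAIN)
    print("constructed sample verifies:", verify_decoded(SAMPLE_ENCODED, XOR_KEY, sha, md5))
```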

C2:
POST http://109.234.38.128/checkupdate
POST http://176.121.14.95/checkupdate
POST http://193.201.225.124/checkupdate
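Added example (not from the original paste): detection logic that matches mail-gateway and proxy log lines against the indicators above, namely the "<12 digits>_0001.docm" attachment name, the /87gyub download path shared by the download sites, and POSTs to /checkupdate on the three C2 addresses. The log line format is constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Iterator, Optional, Tuple

# Indicators taken from the 2016-12-21 Locky "Bills" writeup above.
ATTACHMENT_RE = re.compile(r"\b\d{12}_0001\.docm\b")            # "<12 digits>_0001.docm"
DOWNLOAD_RE = re.compile(r"https?://[^/\s]+/87gyub\b")           # path shared by all download sites
C2_HOSTS = {"109.234.38.128", "176.121.14.95", "193.201.225.124"}
C2_RE = re.compile(r"\bPOST\s+https?://(?P<host>[^/\s]+)/checkupdate\b")


def classify(line: str) -> Optional[str]:
    """Return the indicator name a log line matches, or None."""
    m = C2_RE.search(line)
    if m and m.group("host") in C2_HOSTS:
        return "locky_c2_checkupdate"
    if DOWNLOAD_RE.search(line):
        return "locky_download_87gyub"
    if ATTACHMENT_RE.search(line):
        return "locky_bills_attachment"
    return None


def scan(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (indicator, line) for every line that hits an indicator."""
    for line in lines:
        kind = classify(line)
        if kind:
            yield kind, line


# Constructed log lines (format is made up for this example).
SAMPLE_LOG = [
    'mailgw subject="Bills" attachment="677749022948_0001.docm" from=jacqueline.baillie@ccomme.net',
    "proxy 10.0.0.12 GET http://example.invalid/87gyub 200 98304",
    "proxy 10.0.0.12 POST http://109.234.38.128/checkupdate 200 512",
    "proxy 10.0.0.20 GET http://example.invalid/index.html 200 1234",
    "proxy 10.0.0.20 POST http://10.0.0.5/checkupdate 200 100",  # same path, host not a listed C2
]

if __name__ == "__main__":
    for kind, line in scan(SAMPLE_LOG):
        print(kind, "<-", line)
    print(Counter(k for k, _ in scan(SAMPLE_LOG)))
```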