- 2016-09-28 #locky email phishing campaign "Bill for ..."
- Email:
- -----------------------------------------------------------------------------------------------------------
- From: no-reply@hobbyshop.ch
- To: [REDACTED]
- Subject: Bill for papers 5581764-29-09-2016
- Date: Thu, 29 Sep 2016 01:52:07 +0300
- Attachment: Bill 5581764-29-09-2016.rar
- -----------------------------------------------------------------------------------------------------------
- - sender address is no-reply@<random domain>
- - subject varies in format "Bill for <parcel|papers|document> <random number>-<28|29>-09-2016"
- - body of email is empty
- - attached archive "Bill <number>-<28|29>-09-2016.rar" contains the file "Bill <number>-<number>.js", a JScript downloader
- Download sites (the actual URLs carry a suffix ?<random>-<random>, which does not influence the downloaded file):
- http://81millstreet.nl/8g74crec
- http://alamanconsulting.at/8g74crec
- http://aseandates.com/8g74crec
- http://bandbcreuse.com/8g74crec
- http://baraderoteinforma.com.ar/8g74crec
- http://birthstory.com/8g74crec
- http://cafe-bg.com/8g74crec
- http://cmcomunicacion.es/8g74crec
- http://delphinph.com/8g74crec
- http://droukulnad.com/8g74crec
- http://econopaginas.com/8g74crec
- http://eitanbehar.org/8g74crec
- http://g2cteknoloji.com/8g74crec
- http://gadget24.ro/8g74crec
- http://globalremoteservices.com/8g74crec
- http://gomelnaushnik.com/8g74crec
- http://iachovski.com/8g74crec
- http://ingpors.sk/8g74crec
- http://kelownatownhomes.com/8g74crec
- http://lafripouniere.com/8g74crec
- http://mergrain.com/8g74crec
- http://opmsk.ru/8g74crec
- http://parentchildmothergoose.com/8g74crec
- http://parroquiansg.org/8g74crec
- http://pecschool.com/8g74crec
- http://serenadacourt.com/8g74crec
- http://sipcomponents.com/8g74crec
- http://slaterarts.com/8g74crec
- http://smokintech.com/8g74crec
- http://spaciodentalrd.com/8g74crec
- http://sundanceballoons.com/8g74crec
- http://techsilicon.com/8g74crec
- http://teothemes.com/8g74crec
- http://travelinsider.com.au/8g74crec
- http://undiaem.com/8g74crec
- http://unforgettabletymes.com/8g74crec
- http://veganvet.net/8g74crec
- http://victorcasino.com/8g74crec
- http://w3hostingserver.com/8g74crec
- http://zdiaran.sk/8g74crec
- UPDATED:
- http://administrategia.com/8g74crec
- http://disquesanciens.com/8g74crec
- http://game6media.com/8g74crec
- http://hollywoodjesus.com/8g74crec
- http://mediumsize.org/8g74crec
- http://parsasco.net/8g74crec
- http://sonajp.com/8g74crec
- http://unionathletica.com/8g74crec
- Malware:
- - downloaded payload is encoded: SHA256 d40871f1b996a7d2c296defbb6cc443be7e85edf88308663034fa4d09284b635, filesize 278528 bytes
- - decoded payload: SHA256 b7a32686fc6560314f211388e118294ee182384b02bb723ad0cd5322e4044a00
- - decoded DLL is executed via "rundll32.exe %TEMP%\<dll_name>,qwerty"
- - samples
- https://www.reverse.it/sample/dc03b431d057c3fd0be42f83d9173d62feecfd396081ffdde6816bbc8f6edbda?environmentId=100
- https://www.reverse.it/sample/c4f4508f118ed036849c268b2bf15cab60efed9f19c03099fb05883849d45a42?environmentId=100
- https://www.reverse.it/sample/98d3417568e89e6f8c2ca60b959328f040dc19bbaa118b2f5b38c0d802487060?environmentId=100
- C2:
- POST 194.67.208.69:80/apache_handler.php
- POST 89.108.83.45:80/apache_handler.php
- POST ehkhxyvvcpk.biz:80/apache_handler.php [45.63.98.158]
- POST rluqypf.pw:80/apache_handler.php [86.110.118.114]
- POST kgijxdracnyjxh.biz:80/apache_handler.php [69.195.129.70]
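The indicators above (subject format, attachment name, the fixed /8g74crec download path with a throwaway query string, the rundll32 ",qwerty" export call and the POST to /apache_handler.php) translate directly into detection rules. The following Python is an added example, not part of the original paste: it encodes each indicator as a check and runs them over a handful of constructed mail, proxy and process log lines in a simple key=value format that is assumed for illustration; real log formats will need their own parser, but the matching functions are independent of it.

```python
import re
from urllib.parse import urlparse

# Constructed sample events (not real logs); format is "<kind> key=value ..." and is assumed here.
SAMPLE_EVENTS = [
    r'mail from=no-reply@hobbyshop.ch subject="Bill for papers 5581764-29-09-2016" attachment="Bill 5581764-29-09-2016.rar"',
    r'mail from=alice@example.org subject="Bill for Q3 services" attachment="invoice.pdf"',
    r'proxy method=GET url=http://cafe-bg.com/8g74crec?ab12-cd34 status=200',
    r'proxy method=GET url=http://example.org/index.html status=200',
    r'process cmd="rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd1234.dll,qwerty"',
    r'process cmd="rundll32.exe shell32.dll,Control_RunDLL"',
    r'proxy method=POST url=http://rluqypf.pw:80/apache_handler.php status=200',
]

# Patterns derived from the campaign indicators in the paste.
SUBJECT_RE = re.compile(r'^Bill for (?:parcel|papers|document) \d+-(?:28|29)-09-2016$')
ATTACHMENT_RE = re.compile(r'^Bill \d+-(?:28|29)-09-2016\.rar$', re.IGNORECASE)
# rundll32 loading a DLL from a temp directory (either literal %TEMP% or an expanded ...\Temp\ path)
# and calling the "qwerty" export.
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:%temp%|\S*\\temp)\\[^\s,\\]+\.dll,qwerty\b', re.IGNORECASE)
DOWNLOAD_PATH = "/8g74crec"
C2_PATH = "/apache_handler.php"

def subject_matches(subject):
    return bool(SUBJECT_RE.match(subject))

def attachment_matches(name):
    return bool(ATTACHMENT_RE.match(name))

def url_is_download(url):
    # Only the path matters; the ?<random>-<random> query string is ignored, as noted in the paste.
    return urlparse(url).path == DOWNLOAD_PATH

def url_is_c2(method, url):
    return method.upper() == "POST" and urlparse(url).path == C2_PATH

def cmdline_is_loader(cmd):
    return bool(RUNDLL_RE.search(cmd))

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split a constructed '<kind> key=value ...' line into a dict (assumed log format)."""
    kind, _, rest = line.partition(' ')
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields['kind'] = kind
    return fields

def classify(line):
    """Return the list of rule names that fire on one event line."""
    ev = parse_event(line)
    hits = []
    if ev['kind'] == 'mail':
        if subject_matches(ev.get('subject', '')):
            hits.append('locky_subject')
        if attachment_matches(ev.get('attachment', '')):
            hits.append('locky_attachment')
    elif ev['kind'] == 'proxy':
        url = ev.get('url', '')
        if url_is_download(url):
            hits.append('locky_payload_download')
        if url_is_c2(ev.get('method', ''), url):
            hits.append('locky_c2_post')
    elif ev['kind'] == 'process':
        if cmdline_is_loader(ev.get('cmd', '')):
            hits.append('locky_rundll32_loader')
    return hits

def scan(lines):
    """All (line, rule) pairs over a sequence of event lines."""
    return [(line, rule) for line in lines for rule in classify(line)]

def detected_rules(lines):
    """Sorted set of distinct rules that fired; useful as a per-host campaign summary."""
    return sorted({rule for _, rule in scan(lines)})

if __name__ == "__main__":
    for line, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:24s} {line}")
```

Each stage of the chain (lure, download, execution, C2) gets its own rule, so a host that shows the rundll32 loader plus a POST to /apache_handler.php is far more likely compromised than one that only received the lure; the download-path check deliberately compares the URL path alone, because the query suffix changes per request.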