Racco42

2016-11-01 Locky "DSCFxxxx.pdf"

Nov 2nd, 2016
2016-11-01: #locky email phishing campaign "DSCFxxxx.pdf"

Email sample:
--------------------------------------------------------------------------------------------------------------
From: DOLORES COULING <dolores.6768@freepokerbank.com>
To: [REDACTED]
Subject: DSCF7053.pdf
Date: Tue, 01 Nov 2016 17:12:34 -0500

Attachment: DSCF7053.zip
--------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "DSCF<4 numbers>.pdf"
- body of the email is empty
- attached file "DSCF<4 numbers>.zip" contains file "DSCF<4 numbers>.wsf", a JScript downloader

Download sites (actual URLs contain suffix ?<random>=<random>, which does not influence the download):

Malware:
- encoded on download, SHA256 fc7bcf028e10273d57c55034d2175f8074fa0b0dee7403a285c8da4b606d4a2b, filesize 323584
- decoded SHA256 3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93, MD5 83767f75cdef5a5eeb8eb8d6a8e2e0f6
- executed by "rundll32.exe <dll_name>,EnhancedStoragePasswordConfig"
- samples:
https://www.virustotal.com/en/file/3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93/analysis/

C2:
POST http://194.28.87.26/linuxsucks.php
POST http://194.1.239.152/linuxsucks.php
POST http://51.255.107.20/linuxsucks.php
POST http://gxfbwjvior.biz/linuxsucks.php
POST http://evhblsxym.org/linuxsucks.php
POST http://juykbsopyu.pw/linuxsucks.php
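Added detection example (not part of the original paste): one predicate per stage of the chain described above, run over constructed mail-gateway, proxy and process-creation log lines. The log format and all hostnames/IPs in the samples are assumptions (.invalid and 192.0.2.0/24 placeholders); the patterns themselves (DSCF<4 numbers> lure, /76vvyt path, the rundll32 export, /linuxsucks.php) come from the notes.

```python
import re
from typing import Callable, Dict, List
from urllib.parse import urlsplit


def url_path(line: str) -> str:
    """Path of the first http(s) URL on the line, with the ?<random>=<random>
    suffix dropped: the notes say the suffix does not change the download."""
    m = re.search(r"https?://\S+", line)
    return urlsplit(m.group(0)).path if m else ""


# One predicate per stage of the infection chain described in the notes.
RULES: Dict[str, Callable[[str], bool]] = {
    # Lure: subject "DSCF<4 digits>.pdf" carrying attachment "DSCF<4 digits>.zip"
    "email_lure": lambda s: re.search(r"subject=DSCF\d{4}\.pdf\b", s) is not None
    and re.search(r"attachment=DSCF\d{4}\.zip\b", s) is not None,
    # Stage 1: the .wsf downloader fetches /76vvyt (query string ignored)
    "payload_download": lambda s: " GET " in s and url_path(s) == "/76vvyt",
    # Stage 2: decoded DLL launched through rundll32 with the named export
    "rundll32_export": lambda s: re.search(
        r"rundll32(?:\.exe)?\s+\S+,EnhancedStoragePasswordConfig", s, re.I) is not None,
    # Stage 3: C2 check-in, POST to /linuxsucks.php on any host
    "c2_checkin": lambda s: " POST " in s and url_path(s) == "/linuxsucks.php",
}


def match_line(line: str) -> List[str]:
    """Names of every rule that fires on one log line."""
    return [name for name, pred in RULES.items() if pred(line)]


def scan(lines) -> Dict[str, List[str]]:
    """Rule name -> matching lines; a rule absent from the result never fired."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for name in match_line(line):
            hits.setdefault(name, []).append(line)
    return hits


# Constructed sample log lines; hosts are placeholders, not campaign infrastructure.
SAMPLE_LOGS = [
    "mail from=sender@example.invalid subject=DSCF7053.pdf attachment=DSCF7053.zip body_len=0",
    "mail from=hr@example.invalid subject=Invoice.pdf attachment=invoice.zip body_len=142",
    "proxy GET http://site-a.invalid/76vvyt?ab12=xy9 status=200 bytes=323584",
    "proxy GET http://site-b.invalid/images/logo.png status=200 bytes=1024",
    r'proc CommandLine="rundll32.exe C:\Temp\tmp.dll,EnhancedStoragePasswordConfig"',
    "proxy POST http://192.0.2.10/linuxsucks.php status=200",
    "proxy POST http://c2-c.invalid/linuxsucks.php status=200",
]

if __name__ == "__main__":
    for name, lines in scan(SAMPLE_LOGS).items():
        print(f"{name}: {len(lines)} hit(s)")
```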