- 2016-11-01: #locky email phishing campaign "DSCFxxxx.pdf"
- Email sample:
- --------------------------------------------------------------------------------------------------------------
- From: DOLORES COULING <dolores.6768@freepokerbank.com>
- To: [REDACTED]
- Subject: DSCF7053.pdf
- Date: Tue, 01 Nov 2016 17:12:34 -0500
- Attachment: DSCF7053.zip
- --------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "DSCF<4 numbers>.pdf"
- - body of the email is empty
- - attached file "DSCF<4 numbers>.zip" contains file "DSCF<4 numbers>.wsf", a JScript downloader
- Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):
- Malware:
- - encoded on download, SHA256 fc7bcf028e10273d57c55034d2175f8074fa0b0dee7403a285c8da4b606d4a2b, filesize 323584
- - decoded SHA256 3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93, MD5 83767f75cdef5a5eeb8eb8d6a8e2e0f6
- - executed by "rundll32.exe <dll_name>,EnhancedStoragePasswordConfig"
- - samples:
- https://www.virustotal.com/en/file/3c8d8c395eb152000e12532a2eca700214f59cd56aa91403858d25805df98d93/analysis/
- C2:
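Detection routine, added here as an example and not part of the original paste, that checks constructed mail, process-creation and proxy events against the indicators listed above: the DSCF<4 numbers> lure naming with an empty body, rundll32 loading a DLL via the EnhancedStoragePasswordConfig export, the /76vvyt download path and the /linuxsucks.php C2 path. The event field names and the example.invalid / 192.0.2.10 hosts are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Indicators from the note above: lure naming, rundll32 export, download and C2 paths.
SUBJECT_RE = re.compile(r"^DSCF\d{4}\.pdf$")
ATTACHMENT_RE = re.compile(r"^DSCF\d{4}\.zip$")
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,EnhancedStoragePasswordConfig\b", re.I)
DOWNLOAD_RE = re.compile(r"^https?://[^/\s]+/76vvyt(?:\?\S*)?$", re.I)
C2_RE = re.compile(r"^https?://[^/\s]+/linuxsucks\.php$", re.I)

def check_mail(subject: str, attachment: str, body: str) -> bool:
    """Empty-body mail whose subject names a PDF but whose attachment is a ZIP."""
    return bool(SUBJECT_RE.match(subject) and ATTACHMENT_RE.match(attachment) and not body.strip())

def check_process(cmdline: str) -> bool:
    """rundll32 loading any DLL through the EnhancedStoragePasswordConfig export."""
    return bool(RUNDLL32_RE.search(cmdline))

def check_http(method: str, url: str) -> Optional[str]:
    """Classify a proxy record as payload download, C2 check-in or neither."""
    if method.upper() == "GET" and DOWNLOAD_RE.match(url):
        return "payload download"
    if method.upper() == "POST" and C2_RE.match(url):
        return "C2 check-in"
    return None

def scan(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for every event that matches an indicator."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "mail" and check_mail(ev["subject"], ev["attachment"], ev["body"]):
            findings.append((i, "lure e-mail"))
        elif ev["type"] == "process" and check_process(ev["cmdline"]):
            findings.append((i, "rundll32 payload execution"))
        elif ev["type"] == "http":
            reason = check_http(ev["method"], ev["url"])
            if reason:
                findings.append((i, reason))
    return findings

# Constructed sample telemetry, not taken from the paste; hosts are placeholders.
SAMPLE_EVENTS = [
    {"type": "mail", "subject": "DSCF7053.pdf", "attachment": "DSCF7053.zip", "body": ""},
    {"type": "mail", "subject": "Re: DSCF7053.pdf", "attachment": "DSCF7053.zip", "body": "see attached"},
    {"type": "http", "method": "GET", "url": "http://example.invalid/76vvyt?ab12=cd34"},
    {"type": "process", "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\x.dll,EnhancedStoragePasswordConfig"},
    {"type": "process", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "http", "method": "POST", "url": "http://192.0.2.10/linuxsucks.php"},
    {"type": "http", "method": "GET", "url": "http://example.invalid/linuxsucks.php"},
]
```

Calling scan(SAMPLE_EVENTS) flags events 0, 2, 3 and 5; the reply-style mail, the benign rundll32 call and the GET to the C2 path are left alone.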