API tools faq
paste
Advertisement
Racco42

2016-11-22 Locky "Please note"

Racco42
Nov 22nd, 2016
1,552
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.82 KB | None | 0 0
raw download clone embed print report
  1. 2016-11-22 #locky email phishing campaign "Please note"
  2.  
  3. Email sample:
  4. ---------------------------------------------------------------------------------------------------------------
  5. From: "Zane Wilcox" <Wilcox.Zane@green-prevention.com>
  6. To: [REDACTED]
  7. Subject: Please note
  8. Date: Wed, 23 Nov 2016 00:39:23 +0700
  9.  
  10. Dear [REDACTED]
  11.  
  12. Your tax bill debt due date is today. Please fulfill the debt.
  13. All the information and payment instructions can be found in the attached document.
  14.  
  15. Best Wishes,
  16. Zane Wilcox
  17. Tax Collector
  18. Te.: (534) 494-26-81
  19.  
  20. Attachment: tax_[REDACTED].zip
  21. ---------------------------------------------------------------------------------------------------------------
  22. - sender varies between emails
  23. - subject is "Please note"
  24. - attached file "tax_<recipient name>.zip" contains file "<random upper chars and digits>.js", a Jscript downloader
  25.  
  26. Download sites:
  27. http://9diao.cn/orejf0ynfc
  28. http://buddrag.net/czwov
  29. http://buddrag.net/dfhvea
  30. http://buddrag.net/rpo0yea
  31. http://chinadj.org/fby7wyrgd
  32. http://coilgalvalumemurah.com/fzrvcr4
  33. http://coilgalvalumemurah.com/wz8qk
  34. http://cx2ip140.x-y.net/jtqtnq9r
  35. http://editoramanancial.com/qa9acs7dhp
  36. http://enalab.com/chrnqnlu5
  37. http://flexflex.nl/oh82yx3lk
  38. http://fluke435.com/jnoc78v7
  39. http://fonteaulente.com/kzmle
  40. http://frederic-moreno.pl/wqz8vqgnv
  41. http://frvr.com.ar/pcdxr7thd
  42. http://fulon.com/jcweyo1ly1
  43. http://fungasoap.net/uezm455f
  44. http://funkybytes.fr/zkgfgyu
  45. http://futuregroup.cz/qhzqqi8ov
  46. http://fuzon.be/j8yzebw25
  47. http://g9bangkok.com/5mc03zwxir
  48. http://ganetek.com/gdjz2p
  49. http://gannanhome.com/ypwyqk
  50. http://garenaqua.com/0r8lo0wq
  51. http://gatelink.com.my/2iiizo
  52. http://gaznordest.ro/pkq732q
  53. http://gcpartyhire.com.au/phbn94p
  54. http://giasungoaingu.net/stg2fdb6
  55. http://gilpat.com/mcocadipxk
  56. http://glutax-ori.com/cmpffbp
  57. http://gnnet.co.kr/9mnpz
  58. http://goldensail.ru/t4hl9mmv
  59. http://golden-y.com/ekihdxq5yf
  60. http://gold-insurance.com/jshh0ac0
  61. http://golfmajor.eu/j2ipf6
  62. http://gostaythere.com/mbuy1
  63. http://gosto.cn/pq7we
  64. http://gotm.ru/ejbxutnj
  65. http://govorokhm.ru/huz9ex2sd8
  66. http://gxhedu.net/vbbc0zlax
  67. http://haboe.com.ua/qbmcirsqoj
  68. http://hallucigenia.info/ssotk
  69. http://hamroinvestments.com/kb2gvuxo
  70. http://hddtk.com/zgvi1mf436
  71. http://hdspycamera.ro/kcjow
  72. http://hermeticoclub.com/oplluugz4f
  73. http://hero-ny.org/epdneamss
  74. http://hiperonline.net/du0lc
  75. http://hoangluong.com/hek6ue
  76. http://hobbis.cz/uhfeii
  77. http://inetcon.de/klorgo5
  78. http://inzt.net/ypwyqk
  79. http://limnseck.com/syqdl
  80. http://limnseck.com/to432
  81. http://limnseck.com/yaw3klf5
  82. http://limnseck.com/zqfjbxzfto
  83. http://mgpu.gomel.by/ui9ronmx
  84. http://monowheels.ru/sqwghtw1
  85. http://notgeile-amateure.com/6ecwxzqz
  86. http://outercerci.net/edsdokp
  87. http://outercerci.net/fx5q7
  88. http://outercerci.net/m63zr4
  89. http://outercerci.net/pdaketz3uk
  90. http://puntiporch.net/jnjonirht
  91. http://puntiporch.net/kkeai
  92. http://puntiporch.net/r9ugx
  93. http://puntiporch.net/tzvhayijkz
  94. http://teemicky.com/dhn9k4v5yb
  95. http://teemicky.com/gbmvtz
  96. http://teemicky.com/jelowc
  97. http://teemicky.com/l5tdvnso
  98. http://test.h2604508.stratoserver.net/laieikwin
  99.  
  100. Malware:
  101. - encoded on download
  102. 11529688b559f019a01c49f3de697a34386da691a5b14f20662515c4929559b2 http___9diao.cn_orejf0ynfc
  103. ba60002bfc3fca40e78a2a78bc0662c8c89cbbdaf31a5fb224941fd109472322 http___chinadj.org_fby7wyrgd
  104. 302cdd99b919c820a6601c75e90d01f57ce28ea00fb63651c12b89d4dadabf27 http___coilgalvalumemurah.com_fzrvcr4
  105. 1a4a79039119507ab1806c0deb0bdde8c93a6afc6ffaac672fa8d7897b4bbab0 http___coilgalvalumemurah.com_wz8qk [5]
  106. cffda04a8e183ab51f5f513278967bb75b987b1a61c38e2127a70f375a3add94 http___cx2ip140.x-y.net_jtqtnq9r
  107. ea738d2c5a712b45e7d9d6d9bba4077c343592bc105cdfa7526640a4434997f5 http___editoramanancial.com_qa9acs7dhp
  108. 81dae5d2991d57fe2fd6b245146afe23c9d6dd53fef0d1690c20ddc62f44eaf9 http___enalab.com_chrnqnlu5
  109. 424b4bb7446cf89f549815673c0cb64ac29309bc8895875c938e51a22af37038 http___flexflex.nl_oh82yx3lk [3]
  110. fc74e2fcbea599297f53be370c1a233599005d6d33665b1ebb834f41a11227ee http___fluke435.com_jnoc78v7
  111. 27ca250aec4d0064e95475b52ce139f3deaaeb9431349b5a08b2bfed3fae70b2 http___fonteaulente.com_kzmle
  112. f16e51cc13da38793f41c1ca5790579d20242f157e3448967040a10c4a09427e http___frederic-moreno.pl_wqz8vqgnv [2]
  113. 6d1fbda98ccc8e473537536736db996ad4abef7b371091bf892e878922ba11a6 http___frvr.com.ar_pcdxr7thd
  114. bb1b70b1e8c6bc899a0aa9da106ca9118acf10b7313b07264307ff9bfc95264e http___fulon.com_jcweyo1ly1
  115. 368fbd7a4c825b4c0ae7a599958b395e0ad929b25f6af7438db3ca7e905e9abd http___funkybytes.fr_zkgfgyu
  116. 8fb8e6394862a29abf08cd9ccc5804de6b4aa56080a697203d540e612ab84fed http___futuregroup.cz_qhzqqi8ov
  117. 70b1632e18348f911ffdeb596b0aa241de714286d790ab14056164e99a35e30d http___fuzon.be_j8yzebw25
  118. a53823f88cd7069839abafa374ce5e6c35d3eb60e944391e015b737f7b017e10 http___g9bangkok.com_5mc03zwxir
  119. fda3bd526e7e0ae30610354ea3fe4e2b05be4e233bbe0ea484ff19d5d2d17267 http___ganetek.com_gdjz2p
  120. 1ebb4055fa978a2a1708b27768dc985ff39c314ecacfbc3f475e9656806a8fbb http___gannanhome.com_ypwyqk [4]
  121. e147af8722e8436701799157dbc6dd3744814ccb773bcfbde8c3adf06e7a7067 http___garenaqua.com_0r8lo0wq
  122. c7eaad2b01f53c8f226fece7bdad61bb682deb82a45da7da1e600f1049e60a0b http___gatelink.com.my_2iiizo
  123. 53db880865dc34d21221675eadd0479676ab965b9e1c0167cc83724706efccdd http___gaznordest.ro_pkq732q
  124. fe215f19d2d7a077df03c4835224bbba7106f587226333e4a2bdaf6f10136f93 http___gcpartyhire.com.au_phbn94p
  125. 512482a17baa04c1d9212433756d15d1a9c2b1ed580ac98d271ca8b106f809f6 http___giasungoaingu.net_stg2fdb6
  126. 26118094f33671cf28f13b7cde17a58b84e7c7e1df18df54153ce2f7590b6530 http___gilpat.com_mcocadipxk
  127. 7451bb46fb6f05beca3ddeb46c0b6b547a5931ccd8abf2688dc51685e5100f7c http___glutax-ori.com_cmpffbp
  128. 0fb68a655ea320f9cf86f3eabd6864a9eecb32faef86815d11197943a854bb25 http___gnnet.co.kr_9mnpz
  129. c2af122863a79e471be4635642ae4619275b755a4d0d2a444bf0b27569e41d85 http___goldensail.ru_t4hl9mmv
  130. a2561c5b49e4c7398165edb71d1ac8a4488a02410b81427055be5717d6ba6875 http___golden-y.com_ekihdxq5yf [1]
  131. b2da2251e77de0b7319c2f393fd7320b759fc17b227562f51bde5af1e8e1a04b http___gold-insurance.com_jshh0ac0
  132. b3708dae0351682d07501433ec91d606a1230a4fdc1af830767cded980725779 http___golfmajor.eu_j2ipf6
  133. 026b4ab90f756624708c8449d270f88d8a1f538dde2c55aa4282822a1ce3e973 http___gostaythere.com_mbuy1
  134. 066ec5ace87bf441ef7ffceffb7375260b582851e79c904769ea6d596f0cf155 http___gosto.cn_pq7we
  135. 8fc7579cf776403e1a3904d0f5d998753c9f09bae8753d533064b7f89c64e7e2 http___gotm.ru_ejbxutnj
  136. 3cff80a8e60c939367e95917175c17c478f8be93695132ed36681a9098273049 http___govorokhm.ru_huz9ex2sd8
  137. cf70a3a6d80f8756a70bc5f7ef53a93ddddf883c8f1da70e11e277521b33c456 http___haboe.com.ua_qbmcirsqoj
  138. 698804522909834ec429715ab7744ba9f56de79a1069772d88718ed37a1395b8 http___hallucigenia.info_ssotk [6]
  139. d63a3fa57761e10538e08dcfe3017e6c7053a6205203baec33b48af1331e96eb http___hdspycamera.ro_kcjow
  140. 9f23002e9051094412c259409bd88c1ce400646a57d58a294e68d79341953a09 http___hermeticoclub.com_oplluugz4f
  141. c806fea8bbbfccd8d3d3ff580afb86f3996405a5c2fb291d69e2dfd85bb2e433 http___hero-ny.org_epdneamss
  142. b6b9ec564b15232889bdf74e531022048f42eafbbc7ef25a5d5c56317c7cc618 http___hiperonline.net_du0lc
  143. 1a9cab03b1a250704189c16a25e2d6c68739b934084b23d946412710ef0f7fff http___hoangluong.com_hek6ue
  144. 4e15f12856b06841803e559adceeacadd697ff67302f4aa0a99b4f08d348fc95 http___inetcon.de_klorgo5
  145. 1ebb4055fa978a2a1708b27768dc985ff39c314ecacfbc3f475e9656806a8fbb http___inzt.net_ypwyqk
  146. 2c37a25c3ed1c160813caa71552a1d7da1b5407a3d3f1107fc66851c4a1f9ad1 http___mgpu.gomel.by_ui9ronmx
  147. 62a2c041e3b2988fc663fff99f553d7f7d7391893dc43989c26f8120a6bd0dad http___monowheels.ru_sqwghtw1
  148. 21fd999fa0def6aa875ee8ce682a769b670478961b55e67b794efed29766ce4e http___notgeile-amateure.com_6ecwxzqz
  149. e01d7a9504edc27cffa3d912c0acf3fdf1de9837bc609a5632b064618fa86dd6 http___test.h2604508.stratoserver.net_laieikwin
  150. - decoded
  151. 29414757b3482c3a85cb2fbc35fdba43a3406dca995c5a8201a864f74d89ddbe [1]
  152. d3faa5044420e70d4ca633c42edd0c988aa906edba935fbc3d21bd70ccb4625a [2]
  153. 0fe2e4d93041695cbc2d585f9cd9bbeb93fe75be9558df963ba6dc5532e2b2dc [3]
  154. aeed8144080e45a4994ffa08fcb7430ce730081ff3e2bb1da7422f1f10dbcf91 [4]
  155. 1f863d2abf7a4ccef4b855856ac7910b6b581dde8294b14ee0500deba22722e9 [5]
  156. 9951eef68c1734132499a627978f2066ac81b45c2e6b935d36da4032b2c9464c [6]
  157. - executed by "rundll32.exe %TEMP%\<dll_name>,hJvPRXDWYR"
  158.  
  159. C2:
  160. POST http://195.123.209.8/information.cgi
  161. POST http://213.32.66.16/information.cgi
  162. POST http://95.213.186.93/information.cgi
  163. POST http://aarmkgw.ru/information.cgi
  164. POST http://dhmpxbtaby.pl/information.cgi
  165. POST http://doakqyc.biz/information.cgi
  166. POST http://dpmtlqndkq.pl/information.cgi
  167. POST http://ghaapfjehrjuuwex.pl/information.cgi
  168. POST http://gjwfccqk.info/information.cgi
  169. POST http://ikbjdclqadoai.xyz/information.cgi
  170. POST http://jvbbuowmklejsiqsf.org/information.cgi
  171. POST http://kerfsbsrsdiqlobox.click/information.cgi
  172. POST http://qwboftw.su/information.cgi
  173. POST http://wajbybkasd.su/information.cgi
  174. POST http://wifjrnhmhcnplta.click/information.cgi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!