API tools faq
paste
Racco42

2016-10-24 Locky "Freebox"

Racco42
Oct 24th, 2016
1,515
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.11 KB | None | 0 0
raw download clone embed print report
  1. 2016-10-24 #locky email phishing camapign "Notification de facture Freebox"
  2. Campaign stats: 5 emails, 5 downloaders, 16 download sites, 1 malware sample
  3.  
  4. Email sample:
  5. ---------------------------------------------------------------------------------------------------------------
  6. From: Free Haut Debit <hautdebit@freetelecom.fr>
  7. To: [REDACTED]
  8. Date: Mon, 24 Oct 2016 13:33:14 +0530
  9. Subject: [Free] Notification de facture Freebox (95854808)
  10.  
  11. Bonjour,
  12.  
  13. Vous trouverez en piece jointe votre facture Free Haut Debit.
  14. Le total de votre facture est de 75.09 Euros.
  15. Nous vous remercions de votre confiance.
  16.  
  17. L'equipe Free
  18.  
  19. Attachment: Facture_Free_201610_6292582_95854808.zip
  20. ---------------------------------------------------------------------------------------------------------------
  21. - sender is "Free Haut Debit <hautdebit@freetelecom.fr>"
  22. - subject is "[Free] Notification de facture Freebox (<random number>)
  23. - attached file "Facture_Free_201610_<random number>_<random number>.zip contains file "Facture_Free_201610_<random number>_<random number>.wsf", a JScript downloader
  24.  
  25. Download sites (actual URLs contains suffix ?<random>=<random> which does not influence download):
  26. http://103.27.52.92/t67bg
  27. http://bpscforum.com/t67bg
  28. http://codezigns.com/t67bg
  29. http://dcorpconstructions.com.au/t67bg
  30. http://filesdiamond.com/t67bg
  31. http://megapowercash.com/t67bg
  32. http://nanrangy.net/t67bg
  33. http://omnibusiness-solutions.com/t67bg
  34. http://rewoza.smartsme.tv/t67bg
  35. http://saioffset.com/t67bg
  36. http://socialandmovieapps.com/t67bg
  37. http://sowkinah.com/t67bg
  38. http://tvctraffic.com/t67bg
  39. http://www.smartporua.com/t67bg
  40. http://zasm.info/t67bg
  41. http://zocaloalminuto.com/t67bg
  42.  
  43. UPDATE (from elsewhere):
  44. http://donaldlococoarchitects.com/t67bg
  45. http://gezgininpusulasi.com/t67bg
  46. http://infosolz.com/t67bg
  47. http://nhachonglu.org/t67bg
  48. http://sustainabletompkins.org/t67bg
  49. http://www.icp.edu.pk/t67bg
  50.  
  51. Malware:
  52. - encoded on download, SHA256 30f4a891edfad01f51041e51c52d109d42f1acf92cf991c4c69de2e27f4cbc86, filesize 278528 bytes
  53. - decoded SHA256 c23facdb56953fa3abd997a078e48f833a310c11ba1c5f14016961b9b78f575d
  54. - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty"
  55. - samples:
  56. https://www.reverse.it/sample/1377f7d219d268afaf58efde796ffb0d10b6f730b3f51e6bcf75197fa0888d65?environmentId=100
  57. https://www.reverse.it/sample/523ae1b5ab5883d4b731a1580967236a9733584b17d3cc1fc95bf557d6b7c34e?environmentId=100
  58. https://www.reverse.it/sample/36718c8272cb3d4f3b2e435aec42bbae6be1302da29af3a77f9e9144efd0657f?environmentId=100
  59. https://www.reverse.it/sample/a2e227cf1bcb374f9285b778b736c44ffc880bc66754001549fec97c82042c15?environmentId=100
  60. https://www.reverse.it/sample/e03997be9b15e8fdb887b8e21a37e7af73d616d043ee34656b1ff7deaf24f3e2?environmentId=100
  61. https://www.reverse.it/sample/2f9bfe3a5c5a8e0b3e11133a0f08202f9045df166f3eedfedfcc45da8cff57db?environmentId=100
  62. https://www.reverse.it/sample/3f2d4f21d095716c75766272bf98b29aefbb83d0ec75b71905854c6212f9d8fe?environmentId=100
  63.  
  64. C2:
  65. POST 185.102.136.77:80/linuxsucks.php
  66. POST 91.200.14.124:80/linuxsucks.php
  67. POST 109.234.35.215:80/linuxsucks.php
  68. POST bwcfinnt.work:80/linuxsucks.php [208.100.26.234]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!