API tools faq
paste
Advertisement
Racco42

2017-05-26 Jaff "Scanned Image from..."

Racco42
May 26th, 2017
2,123
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.02 KB | None | 0 0
raw download clone embed print report
  1. 2017-05-26: #jaff email phishing campaign "Scanned Image from a Xerox WorkCentre"
  2.  
  3. Email sample:
  4. ---------------------------------------------------------------------------------------------------------------
  5. From: "copier@[REDACTED]" <copier@[REDACTED]>
  6. To: [REDACTED]
  7. Subject: Scanned Image from a Xerox WorkCentre
  8.  
  9. You have a received a new image from Xerox WorkCentre.
  10.  
  11. Sent by: copier@[REDACTED]
  12. Number of Images: 2
  13. Attachment File Type: PDF
  14.  
  15. WorkCentre Pro Location: Machine location not set
  16. Device Name: copier@[REDACTED]
  17.  
  18. Attached file is scanned image in PDF format.
  19.  
  20. Attachment: Scan_0069_1694379267.zip
  21. ---------------------------------------------------------------------------------------------------------------
  22. - Sender: (copier|scanner|xerox|canon|MFD)@<recipient's domain>
  23. - Subject: "Scanned Image from a Xerox WorkCentre"
  24. - Attachment Scan_<3-4 numbers>_<10 numbers>.zip contains file <9 numbers>.zip which contains file <9 numbers>.wsf, a JScript downloader
  25.  
  26. Download sites (the URL contains suffix ?<random>=<random> which does not influence download):
  27. http://better57toiuydof.net/af/6gfh33
  28. http://dsopro.com/6gfh33
  29. http://easy2.cn/6gfh33
  30. http://eisenerzgrube.de/6gfh33
  31. http://eselink.com.my/6gfh33
  32. http://e-snhv.com/6gfh33
  33. http://fabriquekorea.com/6gfh33
  34. http://jinqiaonkyy.com/6gfh33
  35. http://orhangazitur.com/6gfh33
  36. http://paradigmenergycorp.com/6gfh33
  37. http://poltec.com.au/6gfh33
  38. http://praktikum-marketing.de/6gfh33
  39. http://pw-shop.com/6gfh33
  40. http://tasfirin-ustasi.net/6gfh33
  41. http://thanprints.com/6gfh33
  42. http://trade-unite.ru/6gfh33
  43. http://vigs.mx/6gfh33
  44. http://www.buchenried.de/6gfh33
  45. http://youtoolgrabeertorse.org/af/6gfh33
  46.  
  47. Malware:
  48. - encoded on download SHA256 68c7b7d97fada3f558a54260491ffe1ce77add158f8a91c2599432f13718b807, MD5 aace687d16706b05aa49c9b7fff7572b
  49. - decode by XORing the file with oACQkDYkveevPExWGku00eNvCy0LSnCn
  50. - decoded SHA256 375ba5457b0a8e0328f38e942dc16fa07e03e2b39571392c0f10f93031158d6f, MD5 6708cc80916e838a9bbed09c91854230
  51.  
  52. C2:
  53. http://comboratiogferrdto.com/a5/
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!