Racco42

2016-11-22 Locky "Documents Requested"

Nov 22nd, 2016
2016-11-22: #locky email phishing campaign "Documents Requested"

Email sample:
----------------------------------------------------------------------------------------
From: "Alyssa" <Alyssa889@[REDACTED]>
To: [REDACTED]
Subject: FW:Documents Requested
Date: Tue, 22 Nov 2016 16:52:18 +0530

Dear [REDACTED],

Please find attached documents as requested.

Best Regards,
Alyssa

Attachment: "new doc(425).zip"
----------------------------------------------------------------------------------------
- sender varies; the sender's display name is a single word (a first name) and the address is <name><random number>@<recipient's domain>
- subject is "Documents Requested", in some cases prefixed with "FW:" or "Re:"
- attached file name is "doc(<random number>).zip", "new doc(<random number>).zip" or "Untitled(<random number>).zip"; the archive contains a file "<digits>-<upcase letters>-<digits>.wsf", a JScript downloader.

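The sender, subject and attachment traits described above, turned into a mail-gateway triage check. This is an added example and not part of the original paste; the sample messages below are constructed, and the recipient domain example.com is a placeholder.

```python
import re
from email.utils import parseaddr

# Patterns derived from the campaign description: subject with optional
# FW:/Re: prefix, the three observed archive names, and the inner .wsf name.
SUBJECT_RE = re.compile(r"^(?:(?:FW|RE):\s*)?Documents?\s+Requested$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^(?:doc|new doc|Untitled)\(\d+\)\.zip$", re.IGNORECASE)
WSF_RE = re.compile(r"^\d+-[A-Z]+-\d+\.wsf$")
LOCAL_PART_RE = re.compile(r"^([A-Za-z]+)(\d+)$")  # <name><random number>

def sender_matches(from_header: str, to_header: str) -> bool:
    """Display name is one word and the address is <name><digits>@<recipient's domain>."""
    name, addr = parseaddr(from_header)
    _, rcpt = parseaddr(to_header)
    if "@" not in addr or "@" not in rcpt:
        return False
    local, domain = addr.rsplit("@", 1)
    m = LOCAL_PART_RE.match(local)
    return (bool(m) and len(name.split()) == 1
            and m.group(1).lower() == name.lower()
            and domain.lower() == rcpt.rsplit("@", 1)[1].lower())

def match_indicators(msg: dict) -> list:
    """Return the names of the campaign traits a parsed message exhibits."""
    hits = []
    if sender_matches(msg.get("from", ""), msg.get("to", "")):
        hits.append("sender")
    if SUBJECT_RE.match(msg.get("subject", "").strip()):
        hits.append("subject")
    if any(ATTACHMENT_RE.match(a) for a in msg.get("attachments", [])):
        hits.append("attachment")
    if any(WSF_RE.match(f) for f in msg.get("zip_contents", [])):
        hits.append("wsf")
    return hits

def is_campaign_match(msg: dict) -> bool:
    """Flag only when sender, subject and attachment naming all line up."""
    return {"sender", "subject", "attachment"} <= set(match_indicators(msg))

# Constructed samples (not from the paste): one modelled on the campaign, one benign.
SAMPLES = [
    {"from": '"Alyssa" <Alyssa889@example.com>', "to": "bob@example.com",
     "subject": "FW:Documents Requested", "attachments": ["new doc(425).zip"],
     "zip_contents": ["1234-ABCD-5678.wsf"]},
    {"from": '"Jane Doe" <jane.doe@partner.example>', "to": "bob@example.com",
     "subject": "Re: Documents Requested", "attachments": ["contract.pdf"]},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["subject"], "->", match_indicators(s), is_campaign_match(s))
```

The benign sample shares the subject line but neither the sender pattern nor the archive name, so it only scores one trait and is not flagged.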
Download sites (the actual URLs carry a suffix ?<random>=<random>, which does not influence the download):

Malware:
- encoded on download, SHA256 c2f354539848ba98ade066ea2cfdca57f380aa104fc3388a531389a731f9b464, MD5 15f8c356799f70d6fe86c32e7e35a841
- decoded SHA256 b8b79de0c2be90bbf4806016f7bf255f34402f5c9458f6b6c6f2e024798615f1, MD5 97a967e85391865ea9fdf943e182b05e
- executed by "rundll32.exe %TEMP%\<dll_name>,getid"

C2 (HTTP POST):