2016-12-14 Locky "DOC, FAX, PHOTO, SCAN_xxxx"

Racco42, Dec 14th, 2016 (edited)
2016-12-14: #locky email phishing campaign "DOC, FAX, PHOTO, SCAN_xxxx"

Email sample:
---------------------------------------------------------------------------------------------------------------------
From: "Cynthia" <Cynthia6@[REDACTED]>
To: [REDACTED]
Subject: ORD_3619
Date: Wed, 14 Dec 2016 18:26:14 -0500

Attachment: ORD_3619.zip -> ORD_1712.jse
---------------------------------------------------------------------------------------------------------------------
- sender address varies between emails but is spoofed to appear to come from the recipient's own domain
- subject is "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>"
- email body is empty
- attached file "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.zip" (same name as the subject) contains "<DOC|DOCUMENT|FAX|IMG|LABEL|ORD|PHOTO|PIC|SCAN|SHEET>_<4 digits>.jse" (a different name than the subject), a JScript downloader; despite the .jse extension the script is not Script Encoder (JScript.Encode) output but plain-text .js
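
A mail-gateway check for the traits listed above, added here as an example and not part of the original paste. It tests the sender/recipient domain, the <PREFIX>_<4 digits> naming of subject, zip and inner .jse, the empty body, and whether the .jse really is Script Encoder output (real JScript.Encode files start with the "#@~^" marker; the campaign's files are plain JScript). The sample zip, addresses and script body are constructed for the demonstration; the threshold in is_campaign_lure is an assumed tuning value.

```python
import io
import re
import zipfile

# Naming pattern reported for this campaign: subject and zip share one
# <PREFIX>_<4 digits> stem, the .jse inside the zip uses a different one.
PREFIXES = ("DOC", "DOCUMENT", "FAX", "IMG", "LABEL", "ORD", "PHOTO", "PIC", "SCAN", "SHEET")
STEM_RE = re.compile(r"^(?:%s)_\d{4}$" % "|".join(PREFIXES))

# Output of Microsoft's Script Encoder (a genuine .jse) begins with this marker.
# The campaign's .jse files lack it because they are plain-text JScript.
SCRIPT_ENCODER_MARKER = b"#@~^"


def build_sample_zip(member_name, member_bytes):
    """Constructed in-memory attachment for testing (not the real ORD_3619.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


def _domain(addr):
    """Domain part of a bare or angle-bracketed address, lower-cased."""
    return addr.rsplit("@", 1)[-1].strip(">").lower()


def _stem(filename, ext):
    """Filename without ext when it ends with ext (case-insensitive), else None."""
    if filename.lower().endswith(ext):
        return filename[: -len(ext)]
    return None


def analyze_message(from_addr, to_addr, subject, body, attachment_name, attachment_bytes):
    """Return the campaign traits a message exhibits (empty list = nothing matched)."""
    reasons = []
    if _domain(from_addr) == _domain(to_addr):
        reasons.append("sender spoofs recipient domain")
    if STEM_RE.match(subject):
        reasons.append("subject matches <PREFIX>_<4 digits>")
    if not body.strip():
        reasons.append("empty body")
    zip_stem = _stem(attachment_name, ".zip")
    if zip_stem is not None and STEM_RE.match(zip_stem):
        reasons.append("zip name matches <PREFIX>_<4 digits>")
        if zip_stem == subject:
            reasons.append("zip name equals subject")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            members = [(i.filename, zf.read(i.filename)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return reasons  # not a zip at all; nothing more to inspect
    for name, data in members:
        jse_stem = _stem(name, ".jse")
        if jse_stem is None or not STEM_RE.match(jse_stem):
            continue
        reasons.append("zip contains %s" % name)
        if jse_stem != subject:
            reasons.append("inner .jse name differs from subject")
        if not data.startswith(SCRIPT_ENCODER_MARKER):
            reasons.append(".jse is plain JScript, not Script Encoder output")
    return reasons


def is_campaign_lure(reasons, threshold=5):
    """Verdict: enough independent traits present (threshold is an assumed tuning value)."""
    return len(reasons) >= threshold


if __name__ == "__main__":
    z = build_sample_zip("ORD_1712.jse", b'var o = new ActiveXObject("MSXML2.XMLHTTP");')
    found = analyze_message("Cynthia6@example.com", "bob@example.com",
                            "ORD_3619", "", "ORD_3619.zip", z)
    for r in found:
        print(r)
    print("verdict:", is_campaign_lure(found))
```

The Script Encoder check is the useful negative: a .jse that does start with "#@~^" is still worth quarantining on the naming traits, but it is not this campaign's plain-text downloader.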

Download sites (the actual URLs carry a suffix ?<random>=<random> that does not influence the download):
http://172.246.84.150/zxc678
http://2kindustri.se/zxc678
http://ada-avto.ru/zxc678
http://autozirkus.com/zxc678
http://backup.dressageclinic.com/zxc678
http://benjamin.nhvvs.fr/zxc678
http://blackswan.com.ng/zxc678
http://brigma.com/zxc678
http://demo.evgesha.ru/zxc678
http://dev.bychancefarm.com/zxc678
http://ekbundit.com/zxc678
http://eplotery.pl/zxc678
http://followmyleadatl.com/zxc678
http://fotoserver4.cyper.at/zxc678
http://gratissexchat.org/zxc678
http://jybedb.com/zxc678
http://killdoors.myjino.ru/zxc678
http://lamsangda.com/zxc678
http://margu.cn/zxc678
http://maxibutor.hu/zxc678
http://mechanikkapusta.pl/zxc678
http://midnightgroove.co.uk/zxc678
http://mirror-ufa.ru/zxc678
http://ninkala.com/zxc678
http://ozzcleanenergy.com/zxc678
http://puzzrollrings.com/zxc678
http://quanuvcut.com/zxc678
http://terrabit.ro/zxc678
http://test.invideohit.ru/zxc678
http://test.maciejdudek.com.pl/zxc678
http://toastmedia.co.uk/zxc678
http://transunvip.com/zxc678
http://unitedetec.com/zxc678
http://wordpress.kikihairandbeauty.co.uk/zxc678
http://ws.osenilo.com/zxc678
http://www.al-hasany.com/zxc678
http://www.convertus.com/zxc678
http://www.draaksteken.nl/zxc678
http://www.dreamlifez.com/zxc678
http://www.iaprog.nl/zxc678
http://www.majorleaguesecurity.com/zxc678
http://www.qubamosque.org/zxc678
http://www.rencontreparis.org/zxc678
http://www.sajuname131.com/zxc678
http://www.skolickasovicka.cz/zxc678
http://www.telesmart.co.nz/zxc678
http://www.vidcampaign.com/zxc678
http://xn--80ajjchqepikd1b.xn--80asehdb/zxc678
http://yzwle.com/zxc678

UPDATE:
http://dating.instantlab.ru/zxc678
http://demo.satisnet.org/zxc678
http://gui92.vn/zxc678
http://inzt.net/zxc678
http://m.besthairsaloncolumbia.com/zxc678
http://mmdk.eu/zxc678
http://neu.hansmuennich.de.baugebiet-stadlhof.de/zxc678
http://nlyuniforma.com/zxc678
http://seslibuz.com/zxc678
http://stjudetravelandtours.com/zxc678
http://suivresanature.net/zxc678
http://test.smallbusinessdiy.com/zxc678
http://www.vanitylab.it/zxc678

UPDATE:
http://dcipostdoc.com/zxc678
http://dfl210.ru/zxc678
http://felipebueno.com/zxc678
http://friendlygeek.org/zxc678
http://friends.yuki-mura.net/zxc678
http://helping4.com/zxc678
http://kayleemoline.com/zxc678
http://vjumamel.com/zxc678
http://www.pespis.hu/zxc678
http://www.urbani.com.au/zxc678
http://yun.charmlong.com/zxc678

Malware:
- payload as downloaded (encoded): SHA256 befac17a3c972784ec322a916473c65c297f93ddf51bb6694312d3ff6cd7c662, MD5 d8300e3827de5c898ddcecb2db9b15b8
- payload after decoding: SHA256 1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784, MD5 2e2e7f821ae1c0ff0517e873c6fef7dd
- executed by "rundll32.exe %TEMP%\<dll_name>,sendmsg"
- sample: https://www.virustotal.com/file/1b3389eed27e3d53d786fa1c3bbb5b814dbec7d27d3e7b2e6ab38ba0144d5784/analysis/1481759361/

C2:
POST http://176.121.14.95/checkupdate
POST http://193.70.86.51/checkupdate
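
Network- and host-side detection for the download sites, the rundll32 execution and the C2 check-ins above, added here as an example and not part of the original paste. It deliberately generalizes beyond the listed hosts: every download URL in the paste has the path /zxc678 on an otherwise arbitrary compromised site with a random query string, so the match keys on the path rather than the host list; C2 is keyed on POST /checkupdate to the two IPs given; the process rule looks for rundll32 loading a DLL from %TEMP% (expanded or not) with the export sendmsg. The proxy-log line format and the sample lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Shapes taken from the paste: http://<host>/zxc678 with an optional
# ?<random>=<random> suffix, POST /checkupdate to two C2 IPs, and
# "rundll32.exe %TEMP%\<dll_name>,sendmsg" as the execution command line.
DOWNLOAD_PATH = "/zxc678"
C2_PATH = "/checkupdate"
C2_HOSTS = {"176.121.14.95", "193.70.86.51"}

# rundll32[.exe] <dll path>,sendmsg   (path may be quoted)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*sendmsg(?:\s|$)',
    re.IGNORECASE,
)


def classify_url(method, url):
    """Label a proxy request as payload download, C2 check-in, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.path == DOWNLOAD_PATH:
        # Host ignored on purpose: dozens of compromised sites served the same
        # path, and the query string is random, so the path is the stable part.
        return "locky-payload-download"
    if method.upper() == "POST" and host in C2_HOSTS and parts.path == C2_PATH:
        return "locky-c2-checkin"
    return None


def classify_process(cmdline):
    """Label a command line that runs a %TEMP% DLL through rundll32 export sendmsg."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll = m.group("dll").upper()
    in_temp = dll.startswith("%TEMP%\\") or "\\TEMP\\" in dll
    return "locky-rundll32-sendmsg" if in_temp else None


# Constructed proxy log (assumed format: timestamp client method url status);
# these lines are not from the paste.
SAMPLE_PROXY_LOG = """\
2016-12-14T23:31:02Z 10.0.0.5 GET http://brigma.com/zxc678?uYtd=kLmn 200
2016-12-14T23:31:03Z 10.0.0.5 GET http://brigma.com/favicon.ico 404
2016-12-14T23:31:40Z 10.0.0.5 POST http://176.121.14.95/checkupdate 200
2016-12-14T23:32:10Z 10.0.0.7 GET http://example.org/zxc6789 200
2016-12-14T23:32:11Z 10.0.0.7 GET http://176.121.14.95/checkupdate 200
"""


def scan_proxy_log(text):
    """Return (client, label, url) for every line that matches a campaign indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, method, url, _status = fields[:5]
        label = classify_url(method, url)
        if label:
            hits.append((client, label, url))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
    print(classify_process(r"rundll32.exe C:\Users\bob\AppData\Local\Temp\abcd.dll,sendmsg"))
```

A client that first fetches /zxc678 and then POSTs to /checkupdate from the same address, as 10.0.0.5 does in the sample, is the sequence to alert on; the GET to /checkupdate from 10.0.0.7 is left unlabelled because the paste only documents POST.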