API tools faq
paste
Advertisement
Racco42

Locky "Documents Requested"

Racco42
Sep 9th, 2016
1,665
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.96 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-09 #locky email phishing campaign "Documents Requested"
  2.  
  3. Email sample:
  4. - sender email address is faked to be from same domain as recepient's
  5. - attached filename is doc(<number>).zip, new doc(<number>).zip, or Untitled(<number>).zip
  6. -------------------------------------------------------------------------------------------------------------
  7. From: "Danny"
  8. To: [REDACTED]
  9. Subject: FW:Documents Requested
  10.  
  11. Dear [REDACTED],
  12.  
  13. Please find attached documents as requested.
  14.  
  15. Best Regards,
  16. Danny
  17. -------------------------------------------------------------------------------------------------------------
  18. Attached file "doc(3).zip" contains file <random_chars>.wsf containing a JScript downloader:
  19.  
  20. Download sites (the actual URLs have suffix ?<random>=<random> which does not affect download):
  21. http://Aadreezzcinemedia.net/JHgy64HJBRd
  22. http://abcdraw.biz/JHgy64HJBRd
  23. http://adss30.net/JHgy64HJBRd
  24. http://allcateringservices.in/JHgy64HJBRd
  25. http://ativa3.tempsite.ws/JHgy64HJBRd
  26. http://bangbang55.com/JHgy64HJBRd
  27. http://clickhubli.com/JHgy64HJBRd
  28. http://clickroses.com/JHgy64HJBRd
  29. http://crazycreations.in/JHgy64HJBRd
  30. http://demo.hubliclick.in/JHgy64HJBRd
  31. http://draarun.com/JHgy64HJBRd
  32. http://files.mostafaahmadi.ir/JHgy64HJBRd
  33. http://fpspv.beep.pl/JHgy64HJBRd
  34. http://gift2belgaum.com/JHgy64HJBRd
  35. http://gunturnayeebrahminemployees.com/JHgy64HJBRd
  36. http://herosoft.biz/JHgy64HJBRd
  37. http://hostit.co.in/JHgy64HJBRd
  38. http://kitsgnt.com/JHgy64HJBRd
  39. http://mottofotograf.com/JHgy64HJBRd
  40. http://mysoregiftsflowers.com/JHgy64HJBRd
  41. http://npinfosoft.16mb.com/JHgy64HJBRd
  42. http://nysekolintsika.mg/JHgy64HJBRd
  43. http://partyeazy.com/JHgy64HJBRd
  44. http://platforms-root-technologies.com/JHgy64HJBRd
  45. http://pmlojistik.com/JHgy64HJBRd
  46. http://rajashekharkubasad.com/JHgy64HJBRd
  47. http://ratecompares.com/JHgy64HJBRd
  48. http://root-technologies.net/JHgy64HJBRd
  49. http://samssara.com/JHgy64HJBRd
  50. http://sasmgs.org/JHgy64HJBRd
  51. http://scpolytechnic.com/JHgy64HJBRd
  52. http://site1382371826.provisorio.ws/JHgy64HJBRd
  53. http://syamasahithi.com/JHgy64HJBRd
  54. http://synergyconnect.in/JHgy64HJBRd
  55. http://technometics.com/JHgy64HJBRd
  56. http://tranzporthub.com/JHgy64HJBRd
  57. http://vajrammatrimony.com/JHgy64HJBRd
  58. http://wamasoftware.com/JHgy64HJBRd
  59. http://websamrat.in/JHgy64HJBRd
  60. http://www.ausaf.pk/JHgy64HJBRd
  61. http://www.draarun.com/JHgy64HJBRd
  62. http://www.rajashekharkubasad.com/JHgy64HJBRd
  63. http://www.villakeratea.it/JHgy64HJBRd
  64.  
  65. Malware encoded on download, SHA256 23f3f58acff330900109138918c49c4a6ae9efe3ac88f63a114a293d37e5e914, filesize 159744 bytes
  66. https://www.reverse.it/sample/194805c87e872aea0f2aa9ba766b009e11b6a781b7c978af6a72aac296b0cabf?environmentId=100
  67. https://www.reverse.it/sample/bc8c9dac84f5f3dc150219e73406137377bb35cbbe4da1702e84f51aa2db8ff4?environmentId=100
  68. https://www.reverse.it/sample/3832b31ed85bf48ffc57760ffe754e44ef18bc0fef956ba38b371070b05a854d?environmentId=100
  69. https://www.reverse.it/sample/0386060b08abaf9298302d8922aa17f804e63c74950aa2ac20cc030f24171480?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!