Advertisement
Racco42

Locky "Documents Requested"

Sep 9th, 2016
1,976
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.96 KB | None | 0 0
  1. 2016-09-09 #locky email phishing campaign "Documents Requested"
  2.  
  3. Email sample:
  4. - sender email address is faked to be from same domain as recepient's
  5. - attached filename is doc(<number>).zip, new doc(<number>).zip, or Untitled(<number>).zip
  6. -------------------------------------------------------------------------------------------------------------
  7. From: "Danny"
  8. To: [REDACTED]
  9. Subject: FW:Documents Requested
  10.  
  11. Dear [REDACTED],
  12.  
  13. Please find attached documents as requested.
  14.  
  15. Best Regards,
  16. Danny
  17. -------------------------------------------------------------------------------------------------------------
  18. Attached file "doc(3).zip" contains file <random_chars>.wsf containing a JScript downloader:
  19.  
  20. Download sites (the actual URLs have suffix ?<random>=<random> which does not affect download):
  21. http://Aadreezzcinemedia.net/JHgy64HJBRd
  22. http://abcdraw.biz/JHgy64HJBRd
  23. http://adss30.net/JHgy64HJBRd
  24. http://allcateringservices.in/JHgy64HJBRd
  25. http://ativa3.tempsite.ws/JHgy64HJBRd
  26. http://bangbang55.com/JHgy64HJBRd
  27. http://clickhubli.com/JHgy64HJBRd
  28. http://clickroses.com/JHgy64HJBRd
  29. http://crazycreations.in/JHgy64HJBRd
  30. http://demo.hubliclick.in/JHgy64HJBRd
  31. http://draarun.com/JHgy64HJBRd
  32. http://files.mostafaahmadi.ir/JHgy64HJBRd
  33. http://fpspv.beep.pl/JHgy64HJBRd
  34. http://gift2belgaum.com/JHgy64HJBRd
  35. http://gunturnayeebrahminemployees.com/JHgy64HJBRd
  36. http://herosoft.biz/JHgy64HJBRd
  37. http://hostit.co.in/JHgy64HJBRd
  38. http://kitsgnt.com/JHgy64HJBRd
  39. http://mottofotograf.com/JHgy64HJBRd
  40. http://mysoregiftsflowers.com/JHgy64HJBRd
  41. http://npinfosoft.16mb.com/JHgy64HJBRd
  42. http://nysekolintsika.mg/JHgy64HJBRd
  43. http://partyeazy.com/JHgy64HJBRd
  44. http://platforms-root-technologies.com/JHgy64HJBRd
  45. http://pmlojistik.com/JHgy64HJBRd
  46. http://rajashekharkubasad.com/JHgy64HJBRd
  47. http://ratecompares.com/JHgy64HJBRd
  48. http://root-technologies.net/JHgy64HJBRd
  49. http://samssara.com/JHgy64HJBRd
  50. http://sasmgs.org/JHgy64HJBRd
  51. http://scpolytechnic.com/JHgy64HJBRd
  52. http://site1382371826.provisorio.ws/JHgy64HJBRd
  53. http://syamasahithi.com/JHgy64HJBRd
  54. http://synergyconnect.in/JHgy64HJBRd
  55. http://technometics.com/JHgy64HJBRd
  56. http://tranzporthub.com/JHgy64HJBRd
  57. http://vajrammatrimony.com/JHgy64HJBRd
  58. http://wamasoftware.com/JHgy64HJBRd
  59. http://websamrat.in/JHgy64HJBRd
  60. http://www.ausaf.pk/JHgy64HJBRd
  61. http://www.draarun.com/JHgy64HJBRd
  62. http://www.rajashekharkubasad.com/JHgy64HJBRd
  63. http://www.villakeratea.it/JHgy64HJBRd
  64.  
  65. Malware encoded on download, SHA256 23f3f58acff330900109138918c49c4a6ae9efe3ac88f63a114a293d37e5e914, filesize 159744 bytes
  66. https://www.reverse.it/sample/194805c87e872aea0f2aa9ba766b009e11b6a781b7c978af6a72aac296b0cabf?environmentId=100
  67. https://www.reverse.it/sample/bc8c9dac84f5f3dc150219e73406137377bb35cbbe4da1702e84f51aa2db8ff4?environmentId=100
  68. https://www.reverse.it/sample/3832b31ed85bf48ffc57760ffe754e44ef18bc0fef956ba38b371070b05a854d?environmentId=100
  69. https://www.reverse.it/sample/0386060b08abaf9298302d8922aa17f804e63c74950aa2ac20cc030f24171480?environmentId=100
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement