Racco42

Locky "Scanned image from MX2301U"

Sep 1st, 2016
2016-09-01 #locky email phishing campaign "Scanned image from MX2301U"

Email sample (the email pretends to come from a scanning device in your domain):
------------------------------------------------------------------------------------------------------------
From: "office@[YOUR_DOMAIN]"
To: [REDACTED]
Subject: Scanned image from MX2310U@[YOUR_DOMAIN]

Reply to: office@[YOUR_DOMAIN] <office@[YOUR_DOMAIN]>
Device Name: MX2310U@[YOUR_DOMAIN]
Device Model: MX-2310U
Location: Reception

File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi

Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.

http://www.adobe.com/
------------------------------------------------------------------------------------------------------------
Attached file "office@[YOUR_DOMAIN]_20160901_[NUMBER].docm" is a macro-enabled Word file; its autostart macros download content from:

Download sites:

Malware
- encoded when downloaded, SHA256 f91b30a1c2b0cbea9ca4cd1c50adbf3219a825494b81a67aac65bdccad51d651, filesize 204800

https://www.reverse.it/sample/de1bf85b25462c028d58ff72b070251cbff28a7bef01d9cdb0678d4c171e8eeb?environmentId=100
https://www.reverse.it/sample/ad3de8e335f4f5a0aadf9f1f0643f946b49bbf63d1a86082914997c54d4e7ad6?environmentId=100
https://www.reverse.it/sample/ed0f1e1262dba6065c0039e24ba3637034b3620b2fa34a720feb43af80f27640?environmentId=100

C2:
149.154.152.108:80/data/info.php
212.109.192.235:80/data/info.php
ssvylrn.pw:80/data/info.php [91.223.180.66]
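Added example (not part of the paste): a mail-gateway triage check that flags the lure pattern described above, i.e. a "Scanned image from ..." subject, a sender that claims to be inside the recipient's own domain, and a macro-enabled .docm attachment named after that domain. The message is constructed here to mirror the sample; "example.test" stands in for [YOUR_DOMAIN] and the attachment body is a placeholder blob.

```python
import email
import email.policy
import email.utils
import re
from email.message import EmailMessage

# Constructed message reproducing the lure quoted in the paste; "example.test"
# stands in for [YOUR_DOMAIN] and the attachment payload is a dummy blob.
def build_sample() -> bytes:
    msg = EmailMessage()
    msg["From"] = "office@example.test"
    msg["To"] = "reception@example.test"
    msg["Reply-To"] = "office@example.test"
    msg["Subject"] = "Scanned image from MX2310U@example.test"
    msg.set_content("Attached file is scanned image in PDF format.\n")
    msg.add_attachment(
        b"PK\x03\x04 constructed placeholder, not a real document",
        maintype="application",
        subtype="vnd.ms-word.document.macroEnabled.12",
        filename="office@example.test_20160901_123456.docm",
    )
    return bytes(msg)

SCANNER_SUBJECT = re.compile(r"^Scanned image from \S+", re.I)
MACRO_EXTS = (".docm", ".dotm", ".xlsm")  # macro-enabled Office containers

def triage(raw: bytes, own_domain: str) -> list[str]:
    """Return the indicators found in one raw message (empty = nothing matched)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    flags = []
    if SCANNER_SUBJECT.match(str(msg.get("Subject", ""))):
        flags.append("scanner-lure-subject")
    _, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    if from_addr.lower().endswith("@" + own_domain.lower()):
        flags.append("claims-internal-sender")  # internal sender arriving from outside
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTS):
            flags.append("macro-enabled-attachment")
        if "@" + own_domain.lower() in name:
            flags.append("attachment-named-after-own-domain")
    return flags

def is_scanner_lure(raw: bytes, own_domain: str) -> bool:
    """Quarantine verdict: lure subject plus a macro-enabled attachment."""
    return {"scanner-lure-subject", "macro-enabled-attachment"} <= set(triage(raw, own_domain))
```

The "claims-internal-sender" flag is only meaningful on mail that arrived from an external connection; pair it with your gateway's inbound/outbound marking rather than applying it to internal relay traffic.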