- 2016-09-01 #locky email phishing campaign "Scanned image from MX2301U"
- Email sample (email pretends to come from scanning device in your domain):
- ------------------------------------------------------------------------------------------------------------
- From: "office@[YOUR_DOMAIN]"
- To: [REDACTED]
- Subject: Scanned image from MX2310U@[YOUR_DOMAIN]
- Reply to: office@[YOUR_DOMAIN] <office@[YOUR_DOMAIN]>
- Device Name: MX2310U@[YOUR_DOMAIN]
- Device Model: MX-2310U
- Location: Reception
- File Format: PDF MMR(G4)
- Resolution: 200dpi x 200dpi
- Attached file is scanned image in PDF format.
- Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
- Adobe(R)Reader(R) can be downloaded from the following URL:
- Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.
- http://www.adobe.com/
- ------------------------------------------------------------------------------------------------------------
- Attached file "office@[YOUR_DOMAIN]_20160901_[NUMBER].docm" is a macro-enabled Word file (the lure promises a PDF, but ships a .docm); its auto-start macro downloads content from:
- Download sites:
- http://agarwaen.atspace.org/iceprbg
- http://body-fitness.net/lagmslh
- http://bushman-rest.com/aoeueyk
- http://capannoneinliguria.com/lijrnub
- http://foerschl.gmxhome.de/emyomqa
- http://imakarademo.web.fc2.com/akwhorc
- http://inge28.mytactis.com/cqmoxef
- http://localhost:82/result.bin
- http://pennylanecupcakes.com.au/mhkqxia
- http://rabbitfood.web.fc2.com/ixvnfyj
- http://rosivani.go.ro/qyyrogl
- http://sakon118.web.fc2.com/srmrsgf
- http://sebangou8.xxxxxxxx.jp/kfkdpvl
- http://sitio655.vtrbandaancha.net/aahaodc
- http://sojasaude.com.br/ahtoijg
- http://sp-moto.ru/vodusim
- http://t-schoener.de/mdexigc
- http://www.bytove.jadro.szm.com/dgsqens
- http://www.callisto.cba.pl/oqmfnar
- http://www.ccnprodusenaturiste.home.ro/hiogthu
- http://www.coropeppinumereu.it/xyhhytf
- http://www.john.edmunds.talktalk.net/nokodqm
- http://www.montegelato.it/uyfwvkw
- http://www.one-clap.jp/pourpjr
- http://www.parrucchieriagiacomo.com/dekjxus
- http://www.radicegioielli.com/aayfixd
- http://www.sieas.com/mkndcbn
- http://www.spiritueelcentrumaum.net/ksqoyps
- http://www.vanetti.it/inywdjo
- http://www.whitakerpd.co.uk/ymmcguk
- http://www.xolod-teplo.ru/ygpwfty
- http://yggithuq.utawebhost.at/getatoj
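The mail-side point of this campaign is that the lure spoofs a sender in the victim's own domain (an "office@" scanner account) and attaches a .docm while promising a PDF. The following mail-triage script is an added example written for this page, not code from the paste or from any Locky tooling. It assumes the receiving MX stamps an Authentication-Results header (RFC 8601) so that a same-domain From that did not pass SPF or DKIM can be treated as spoofed; the sample message it builds is constructed for the example, with a placeholder attachment rather than a real document.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Indicators taken from the campaign notes above.
SUBJECT_RE = re.compile(r"^Scanned image from MX2310U@", re.IGNORECASE)
# Attachment naming seen in the campaign: office@<domain>_YYYYMMDD_<number>.docm
ATTACHMENT_RE = re.compile(r"^office@[^_\s]+_\d{8}_\d+\.docm$", re.IGNORECASE)
AUTH_PASS_RE = re.compile(r"\b(?:spf|dkim)=pass\b")


def sender_domain(header_value):
    """Lower-cased domain of the first address in a From/Reply-To header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message, our_domain):
    """Check one RFC 5322 message (bytes) against the campaign indicators.

    Returns a list of finding strings; an empty list means nothing matched.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    our_domain = our_domain.lower()
    findings = []

    # The lure claims to come from a scanner in the recipient's own domain.
    # Genuine internal mail passes SPF or DKIM for that domain, so read the
    # Authentication-Results header (RFC 8601) stamped by the receiving MX
    # (assumed to be present); a same-domain From without a pass is the spoof.
    if sender_domain(msg["From"]) == our_domain:
        results = str(msg["Authentication-Results"] or "").lower()
        if not AUTH_PASS_RE.search(results):
            findings.append("From spoofs our own domain without an SPF/DKIM pass")

    if SUBJECT_RE.search(str(msg["Subject"] or "")):
        findings.append("Subject matches the 'Scanned image from MX2310U@' lure")

    # .docm is macro-enabled Word; a scanner that claims to send PDF never sends it.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".docm"):
            findings.append(f"macro-enabled Word attachment: {name}")
        if ATTACHMENT_RE.match(name):
            findings.append("attachment name matches office@<domain>_YYYYMMDD_<n>.docm")
    return findings


def build_sample(our_domain="example.com", lure=True):
    """Construct a test message (constructed for this example, not the real
    campaign mail). lure=True mimics the phish; lure=False is benign internal
    mail that passed SPF. The attachment bytes are a placeholder, not a document."""
    m = EmailMessage()
    m["From"] = f"office@{our_domain}"
    m["To"] = f"reception@{our_domain}"
    m["Reply-To"] = f"office@{our_domain}"
    if lure:
        m["Subject"] = f"Scanned image from MX2310U@{our_domain}"
        m["Authentication-Results"] = f"mx.{our_domain}; spf=fail smtp.mailfrom={our_domain}; dkim=none"
        m.set_content("Attached file is scanned image in PDF format.")
        m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                         subtype="octet-stream",
                         filename=f"office@{our_domain}_20160901_12345.docm")
    else:
        m["Subject"] = "Reception rota for September"
        m["Authentication-Results"] = f"mx.{our_domain}; spf=pass smtp.mailfrom={our_domain}"
        m.set_content("Rota attached next week.")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample(), "example.com"):
        print("ALERT:", finding)
```

Run it against a raw message file with `triage(open(path, "rb").read(), "yourdomain.tld")`. The same-domain check is the durable part: the subject and filename patterns will change with the next campaign, but mail that claims to be internal and fails authentication for your own domain is worth quarantining regardless of what it says.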
- Malware
- - the downloaded file is encoded on the wire; SHA256 f91b30a1c2b0cbea9ca4cd1c50adbf3219a825494b81a67aac65bdccad51d651, filesize 204800 bytes
- https://www.reverse.it/sample/de1bf85b25462c028d58ff72b070251cbff28a7bef01d9cdb0678d4c171e8eeb?environmentId=100
- https://www.reverse.it/sample/ad3de8e335f4f5a0aadf9f1f0643f946b49bbf63d1a86082914997c54d4e7ad6?environmentId=100
- https://www.reverse.it/sample/ed0f1e1262dba6065c0039e24ba3637034b3620b2fa34a720feb43af80f27640?environmentId=100
- C2:
- 149.154.152.108:80/data/info.php
- 212.109.192.235:80/data/info.php
- ssvylrn.pw:80/data/info.php [91.223.180.66]
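On the network side the download URLs and the C2 endpoints above are exact-match indicators for proxy logs. The scanner below is an added example written for this page, not code from the paste; it reproduces only part of the download list (the rest can be pasted into DOWNLOAD_URLS unchanged). The log format it parses is constructed for the example, and the two heuristics it adds are inferences from this page rather than claims the page makes: every listed download path is seven lowercase letters at the site root and the encoded payload was 204800 bytes, and the C2 path /data/info.php may reappear on hosts not yet listed.

```python
import re
from urllib.parse import urlsplit

# Indicators from the campaign notes above. Only part of the download list is
# reproduced here; paste the remaining URLs into DOWNLOAD_URLS as-is.
DOWNLOAD_URLS = [
    "http://agarwaen.atspace.org/iceprbg",
    "http://body-fitness.net/lagmslh",
    "http://bushman-rest.com/aoeueyk",
    "http://sp-moto.ru/vodusim",
    "http://www.whitakerpd.co.uk/ymmcguk",
    "http://yggithuq.utawebhost.at/getatoj",
]
PAYLOAD_ENDPOINTS = {(urlsplit(u).hostname, urlsplit(u).path) for u in DOWNLOAD_URLS}
C2_HOSTS = {"149.154.152.108", "212.109.192.235", "ssvylrn.pw", "91.223.180.66"}
C2_PATH = "/data/info.php"
ENCODED_PAYLOAD_SIZE = 204800          # size of the encoded download noted above
SEVEN_LETTER_PATH = re.compile(r"^/[a-z]{7}$")


def classify(url, size=None):
    """Return (confidence, reason) for a proxied URL, or None if it is clean.

    size is the response body size in bytes when the log records it.
    """
    parts = urlsplit(url.strip())
    host, path = (parts.hostname or ""), parts.path   # hostname drops :80 and lowercases
    if (host, path) in PAYLOAD_ENDPOINTS:
        return ("high", "payload download URL from the campaign list")
    if host in C2_HOSTS and path == C2_PATH:
        return ("high", "Locky C2 check-in to a listed host")
    # Heuristics inferred from the list rather than stated by it: the listed
    # download paths are all seven lowercase letters at the site root and the
    # encoded payload was 204800 bytes, so that pair is a fair signal for a
    # compromised host not yet listed; the C2 path alone is a weaker one.
    if size == ENCODED_PAYLOAD_SIZE and SEVEN_LETTER_PATH.match(path):
        return ("medium", "7-letter root path with a 204800-byte body, like the listed downloads")
    if path == C2_PATH:
        return ("low", "C2 path /data/info.php on a host not in the list")
    return None


def scan_log(lines):
    """Scan proxy log lines of the constructed form
    '<timestamp> <client> <method> <url> <status> <bytes>' and return
    (client, url, confidence, reason) for every line that matches."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue                   # malformed line: skip, do not crash
        _ts, client, _method, url, _status, size = fields[:6]
        verdict = classify(url, int(size) if size.isdigit() else None)
        if verdict:
            hits.append((client, url) + verdict)
    return hits


# Constructed sample log, not real traffic: a victim fetching the payload and
# checking in, a second host hitting an unlisted site that fits the pattern,
# and ordinary browsing that must not fire.
SAMPLE_LOG = """\
2016-09-01T10:12:03Z 10.0.0.5 GET http://body-fitness.net/lagmslh 200 204800
2016-09-01T10:12:09Z 10.0.0.5 POST http://149.154.152.108/data/info.php 200 512
2016-09-01T10:13:44Z 10.0.0.7 GET http://unlisted.invalid/qwertyu 200 204800
2016-09-01T10:14:01Z 10.0.0.9 GET http://www.example.org/index.html 200 1337
2016-09-01T10:15:20Z 10.0.0.7 POST http://ssvylrn.pw:80/data/info.php 200 600
""".splitlines()


if __name__ == "__main__":
    for client, url, confidence, reason in scan_log(SAMPLE_LOG):
        print(f"{confidence:6} {client:10} {url}  ({reason})")
```

Matching on (hostname, path) rather than the raw string is what makes `http://ssvylrn.pw:80/data/info.php` and `http://ssvylrn.pw/data/info.php` the same indicator. Treat the medium and low verdicts as hunting leads to confirm against the sample hashes above, not as block decisions.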