API tools faq
paste
Racco42

2016-09-02 Locky "xxxxxgif, xxxxxtiff, xxxxxpdf"

Racco42
Sep 13th, 2016
1,454
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.90 KB | None | 0 0
raw download clone embed print report
  1. 2016-09-02 #locky email phishing campaign "xxxxxgif, xxxxxtiff, xxxxxpdf"
  2.  
  3. Email:
  4. ----------------------------------------------------------------------------------------------------------------------
  5. From: "Benny_09370@icloud.com" <Benny_09370@icloud.com>
  6. To: [REDACTED]
  7. Subject: 121181995tiff
  8. Date: Fri, 02 Sep 2016 02:08:49 -0700
  9.  
  10. Attachment: 121181995.zip
  11. ----------------------------------------------------------------------------------------------------------------------
  12. - sender address is <name>_<random number>@icloud.com
  13. - subject is <random_number><docx|tiff|jpg|png|pdf|gif>
  14. - email body is empty
  15. - attachment name is <random_number>.zip, <random_number> matches the subject <random_number>
  16. - attachment contains file "<random chars>.wsf" a JScript downloader
  17.  
  18. Download sites (actual URLs have ?<random>=<random> suffix which does not affect download)
  19. http://158.195.68.10/porirue
  20. http://209.41.183.242/cerhgsj
  21. http://69.61.11.216/ikpmpue
  22. http://abcbureautique.abc.perso.neuf.fr/yfyyiyr
  23. http://albertowe.cba.pl/terwquq
  24. http://andante-co.jp/orxovwy
  25. http://bajkowestokrotki.cba.pl/jsypbws
  26. http://cultpro.ru/lhnqtla
  27. http://danzig.vtrbandaancha.net/djaokpj
  28. http://dcqoutlet.es/vcxyssl
  29. http://e-gmp.home.ro/ierssce
  30. http://ghost-tony.com.es/bxrsksb
  31. http://golfteam.fr/kqlhtqe
  32. http://greentechdesign.ca/bswfvhl
  33. http://illaghettodelcircoletto.it/flkekqs
  34. http://imex.atspace.com/sxqtddp
  35. http://immobilien1000.de/igrakbo
  36. http://josemedina.com/tveslqt
  37. http://lokum1985.republika.pl/dsmggtg
  38. http://maxshoppppsr.biz/js/vf3gt4b4
  39. http://maxshoppppsr.biz/js/y54g3tr
  40. http://news.oboyle.ro/myeyuum
  41. http://olivier.coroenne.perso.sfr.fr/bskhcyg
  42. http://portadeenrolar.ind.br/rtaoqip
  43. http://postaldigitalrs.com.br/buwjobf
  44. http://pp4_09_10_2s.republika.pl/vifalte
  45. http://srxrun.nobody.jp/mjhltpo
  46. http://szkolagrojec.republika.pl/skdulpr
  47. http://tujdaehn.homepage.t-online.de/nrsojje
  48. http://unimet.tmhandel.com/nibttjk
  49. http://www.agridiving.net/dawkmoc
  50. http://www.alanmorgan.plus.com/yqjytxx
  51. http://www.alessandrocangiano.com/bnnjyle
  52. http://www.alpstaxi.co.jp/dueisgs
  53. http://www.anacuamic.com/pcoyepo
  54. http://www.archiviestoria.it/waotorf
  55. http://www.association-julescatoire.fr/vdrnlnt
  56. http://www.bavaria-wein.de/kyisute
  57. http://www.bluedizioni.com/iskorry
  58. http://www.caminettilcd.it/ikpjqqt
  59. http://www.cortesidesign.com/qfdirfh
  60. http://www.coseincredibili.it/gugpcpb
  61. http://www.courtesyweb.it/fvtuknb
  62. http://www.dallaglio-nordin.com/cjkgjtl
  63. http://www.ediazahar.com/oqyvsuh
  64. http://www.empolio.com/bgfxwqs
  65. http://www.erretisnc.it/ehujqne
  66. http://www.fenit.net/elckuqa
  67. http://www.imaginarium.home.ro/hmfbirt
  68. http://www.impresadeambrosis.it/bwkwpjd
  69. http://www.informaonline.org/qpbhrdw
  70. http://www.malicioso.net/ulndads
  71. http://www.meallservice.it/mulccfi
  72. http://www.motortecnica.org/vfkhqpi
  73. http://www.mussystems.net/rhygtpe
  74. http://www.saumi.jazztel.es/snyhslx
  75. http://www.termoalbiate.com/uwmakrm
  76. http://www.threshold-online.co.uk/jicxccg
  77. http://www.trauchgauer-weihnachtsmarkt.de/vqupuun
  78. http://www.valerypro.com/trmqtsy
  79.  
  80. Malware
  81. - encoded on download, SHA256 4baf40fe1c7fafd89befe4f2e2bd36aefc8a4faf395631d8bac20e09e372725b, filesize 201216
  82. - decoded SHA256 852c79d430e401f6b57946718ca6555c328dd503b13b9cda22e481903ebe8575
  83. - encoded on download, SHA256 65d76a8ad5ad5817d1abc977c3b5585dc26b12be18b690637e6722811e91af8c, filesize 201728
  84. - decoded SHA256 72d9cbdec23f9c4f95ce8fb1217ef67c979957c58b4fb7c8fe98ac8cec62aca7
  85. - executed by "rundll32.exe %TEMP%\XxncrW1.dll,qwerty"
  86.  
  87. https://www.reverse.it/sample/f4dc61df743a5fc1335c06c72fd992e8e88f34187194aae9b308d7acb2eb2fc5?environmentId=100
  88. https://www.reverse.it/sample/41bd08637ce358db145bfd313165c92d25428f723523e11329d1a8467b8801db?environmentId=100
  89.  
  90. C2:
  91. 149.154.152.108:80/data/info.php
  92. 212.109.192.235:80/data/info.php
  93. ssvylrn.pw:80/data/info.php [91.223.180.66]
  94. cdxbbpngq.pw:80/data/info.php [188.120.232.55]
  95. qsbfwgtedexirbyoq.pw:80/data/info.php [95.211.174.92]
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!