2016-12-20 Locky "Scan"

Racco42 Dec 20th, 2016 (edited)
2016-12-20: #locky email phishing campaign "Scan"

Email sample:
-----------------------------------------------------------------------------------------------------------------------------
From: "chasity beldowski" <chasity.beldowski@magicfoto24.pl>
To: [REDACTED]
Subject: [SUSPICIOUS MESSAGE] Scan
Date: Tue, 20 Dec 2016 19:45:43 +0300

Regards,

CHASITY BELDOWSKI
Business Development
Mobile No.  +91 5554217728
Phone No. 021 35669 720

Lumax Industries Ltd.
608. Chakan - Talegaon Road
Mahalunge - Chakan Pune 410501 India

Attachment: 843218509b7c2ed.zip -> be27dc4c28efb26ee81c6fbc33a3fbe1.wsf
-----------------------------------------------------------------------------------------------------------------------------
- sender varies between emails
- subject is "Scan"
- attached file "<10-16 random hex characters>.zip" contains file "<32 random lowercase chars>.wsf", a JScript downloader

Download sites:
- the download sites overlap with those of the "for printing" campaign, but the sample served changed over time

Malware:
- encoded: SHA256 f7fa2e9a0fc039666b98b2176a3544c6c597ec951640d12c22ef7aa5d5c40797, MD5 b435d0006a4fc1701852c0969b258b56
- decoded: SHA256 53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624, MD5 997bea2edabbceb9df6fdd564dc0f143
- decoding (XOR) key is "e81G9Dsvrh0NR2qGWZSk1CSTNyqr8I2f"
- executed by "rundll32.exe %TEMP%\pYmpJfsNiM1.dll,vape"
- sample https://www.virustotal.com/en/file/53a9fedfab0d20d64916f1a03620e2be255c5d8ec334370999f0dd03ca7a7624/analysis/
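As an added example (not part of the original paste), a small Python decoder for the downloaded payload using the XOR key quoted above. It assumes the key is applied as a repeating-key XOR and substitutes a constructed MZ/PE stub for the real encoded file, so it runs offline.

```python
# Added example, not from the original notes: repeating-key XOR decoder for the
# "encoded" download, using the key quoted in the notes. Repeating-key XOR is an
# assumption about how the downloader applied the key; the sample blob is constructed.
import struct

XOR_KEY = b"e81G9Dsvrh0NR2qGWZSk1CSTNyqr8I2f"  # key quoted in the notes above


def xor_decode(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    klen = len(key)
    return bytes(b ^ key[i % klen] for i, b in enumerate(data))


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def build_sample_encoded() -> bytes:
    """Constructed stand-in for the downloaded file: a minimal MZ/PE header,
    XOR-encoded with the campaign key (XOR is symmetric, so the decoder encodes too)."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return xor_decode(bytes(hdr))


def decode_and_verify(encoded: bytes, key: bytes = XOR_KEY):
    """Decode a captured download and report whether the result is a PE image."""
    decoded = xor_decode(encoded, key)
    return decoded, looks_like_pe(decoded)


if __name__ == "__main__":
    enc = build_sample_encoded()
    dec, ok = decode_and_verify(enc)
    print("encoded blob looks like PE:", looks_like_pe(enc))  # False
    print("decoded blob looks like PE:", ok)                   # True
```

On a real capture, read the downloaded file's bytes and pass them to decode_and_verify; a successful decode is a quick way to confirm the right key before hashing the result against the decoded SHA256 above.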

C2:
POST http://176.121.14.95/checkupdate
POST http://188.127.239.48/checkupdate
POST http://193.201.225.124/checkupdate
POST http://91.203.5.144/checkupdate
POST http://91.223.180.3/checkupdate