Racco42

2016-10-06 Locky "wrong paychecks"

Oct 6th, 2016
2016-10-06 #locky email phishing campaign "wrong paychecks"

Email:
------------------------------------------------------------------------------------------------------
From: "Sally Mckee" <Mckee.1484@atozdomainnames.com>
To: [REDACTED]
Subject: wrong paychecks
Date: Fri, 07 Oct 2016 00:09:27 +0300

Hey Michale. They send us the wrong paychecks. Attached is your paycheck arrived to my email by mistake.
Please send mine back too.

Best regards,
Sally Mckee

Attachment: paychecks_64db41272.zip
------------------------------------------------------------------------------------------------------
- sender varies
- subject is "wrong paychecks"
- attached file "paychecks_<random hex>.zip" contains 2 files: a one-letter-name junk file and "paychecks exported <random hex>.js", a JScript downloader

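
Added example, not part of the paste: a Python triage routine for the attachment shape described above (zip holding a one-letter junk file plus a WSH-executable script). It inspects the archive in memory without extracting to disk, flags any member the Windows Script Host would run, records the one-letter junk member, and matches the campaign's naming pattern. The sample archive it builds is constructed with placeholder contents; it is not the campaign's JScript. The script-extension list is general knowledge, not taken from the paste.

```python
import io
import re
import zipfile

# Extensions Windows hands to the Script Host or mshta on double-click.
# General knowledge, not taken from the paste.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Naming observed in this campaign: paychecks_<random hex>.zip holding
# "paychecks exported <random hex>.js" plus a one-letter junk file.
ZIP_NAME_RE = re.compile(r"^paychecks_[0-9a-f]+\.zip$", re.I)
JS_NAME_RE = re.compile(r"^paychecks exported [0-9a-f]+\.js$", re.I)


def triage_zip(zip_name, data):
    """Inspect an attachment in memory; nothing is extracted to disk.

    Returns a dict with the member list, any script members, any
    one-letter junk members, whether the campaign naming matched,
    and a verdict ('block' / 'allow')."""
    r = {"zip_name_match": bool(ZIP_NAME_RE.match(zip_name)),
         "members": [], "scripts": [], "junk": [], "campaign_match": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            r["members"].append(name)
            base = name.rsplit("/", 1)[-1]          # drop any directory part
            _stem, dot, ext = base.rpartition(".")
            ext = ("." + ext).lower() if dot else ""
            if ext in SCRIPT_EXTS:
                r["scripts"].append(name)
                if JS_NAME_RE.match(base):
                    r["campaign_match"] = True
            elif len(base) == 1:
                r["junk"].append(name)
    # Any WSH-executable member is enough to block a "paycheck" attachment;
    # the campaign match only tells you which campaign it was.
    r["verdict"] = "block" if r["scripts"] else "allow"
    return r


def build_sample():
    """Constructed look-alike of the described attachment. Placeholder
    contents only; this is not the campaign's JScript."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("g", b"\x00" * 37)
        zf.writestr("paychecks exported 64db41272.js",
                    b"// placeholder, not the real downloader\n")
    return "paychecks_64db41272.zip", buf.getvalue()


def build_benign_sample():
    """Constructed control case: an archive with no script member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
    return "report.zip", buf.getvalue()


if __name__ == "__main__":
    for name, data in (build_sample(), build_benign_sample()):
        print(name, "->", triage_zip(name, data))
```

The verdict keys off the script member alone; the junk file and the name pattern are recorded so the alert can be tied back to this campaign, but a mail gateway should not need them to block.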
Download sites:
http://aboeon.net/0m5xgh22
http://aboeon.net/2ysacpos
http://aboeon.net/4brwowy8
http://aboeon.net/76r6w2
http://akseko.ru/ojpg5qqs
http://all-rides.com/u8ndx
http://aseandates.com/n36zl
http://bbs.vlibang.com/v77y39w
http://bbxyshop.com/alk1q7px
http://bdfxb.com/jp0zuso
http://bestsourcecode.com/fm9wn7
http://betwer.com/avian
http://bezdeals.com/nb0enj
http://bezdeals.com/zxts67w2
http://bhxingda.com/hix5s
http://bishasf.com/h0jt3idr
http://bj-fzwb.com/a2jpzln
http://bjlekoufu.com/b6dta9x
http://bobadc.com/g6w28
http://brioconseils.com/jkpkukf3
http://bubbleonlineshop.com/f7ba7
http://caihongemc.com/jwgo6v
http://cangsu.net/fvai6a8h
http://cg3dstudio.com/fvai6a8h
http://cg3dstudio.com/nzi2eb5
http://chandigarhcabs.com/ewirc4qm
http://chchqq.com/f5mfuv
http://cheapreplicahandbag.com/awrg4po
http://china0315.com/hp9ap2
http://chinafanin.com/e0g7zme
http://chinazhudong.com/eygss
http://chulkyu.com/bcvd2
http://clinicatafur.com/k89bo8k
http://diemsolutions.com/fm9wn7
http://diemsolutions.com/nyhsyu
http://dom-dekor.net/v9hg9h
http://edunonline.com/ycxaob
http://enricobasili.com/t4j6ryv6
http://essennarose.com/hix5s
http://essennarose.com/o82gf
http://fightingtommyriley.com/wxlcncw
http://gaa-sc.org/x60gpm
http://glazypablo.com/10djrb
http://glazypablo.com/3cc135zw
http://glazypablo.com/539gbzh
http://glazypablo.com/7qjga9
http://goodkiddy.com/wlr3ht9h
http://idealuze.com/tam8m
http://maxtherm.net/g6w28
http://maxtherm.net/o4cxcswe
http://mediaalias.com/sgbxqk
http://minoritycounselor.com/ovdoh
http://miroyill.com/01xav6jc
http://miroyill.com/1t3a7
http://miroyill.com/4aype7si
http://miroyill.com/5nhtqiy
http://misicka.com/lfg4y
http://peryskop.biz/ns3o9
http://peryskop.biz/zhqkdkx
http://protescil.net/okfgx3s
http://scorecapture.com/m48kh
http://scorecapture.com/z66urpod
http://supergem.net/tk0b180
http://taddboxers.com/lsnd6wy
http://teiltekke.net/1d0wq
http://teiltekke.net/3uk0zf7
http://teiltekke.net/5ec4a
http://teiltekke.net/7sv7ix
http://tupekvetch.org/0zr9fmd
http://tupekvetch.org/34ajx5c
http://tupekvetch.org/4dxdtz
http://tupekvetch.org/7lymrkhm
http://upav.org/o9600kho
http://upper-classmen.com/wvlcta
http://upper-classmen.com/xsd9pifu
http://usedtextilemachinerylive.com/h0jt3idr
http://usedtextilemachinerylive.com/obeyg
http://us-htpc.com/kddr6k
http://www.resumebuddy.net/xdl60
http://xixiaxianggua.com/l9wz8
http://xoomland.com/lym13oci
http://zorgboerderijtzicht.nl/lm3mhz

Malware
- the payload is served encoded; observed sizes of the encoded download: 185860, 185348 and 184836 bytes
- sha256 of the downloads as fetched (still encoded), one line per retrieved URL, each file named after its source URL:
1c54f67e95113b3d405f74ef28a1ae8c5be8dc9dbe0506f8a256afa7fd442d25 http___akseko.ru_ojpg5qqs
c262b2ddbb17b6849af2060989aed9519cf33f68a7cc3bfa60ccd36eeb14a480 http___all-rides.com_u8ndx
bd252d921ed63b2978896701f620416a23859c2882a5f878356952f213ef84cf http___aseandates.com_n36zl
351da76248dfed432763551e01925142399e2a66e281051c7642f8b473208ea8 http___bbs.vlibang.com_v77y39w
f55f7427e7162210b89ea6b2b9e1d1eb9d9eaa466853ad8db8aa5529fb2a5505 http___bdfxb.com_jp0zuso
07505dcaab27c982181cb5ab0da2fa5837c293f7849af84f70b3e0354a92b046 http___bestsourcecode.com_fm9wn7
ee7dea87ea8342fc14caf58c0f5ce7cad9ca2e2c480c11ba775a9d5ccfcab491 http___betwer.com_avian
88e06f1b157a19959bb6994d3304badc1b4e1d65acbaaa615c966b5e53dcce13 http___bezdeals.com_nb0enj
6403db3438e8eb049ce74a6c3a95074962262c601a7df19f76dd782af0a1709a http___bezdeals.com_zxts67w2
231c8ae650a4cc7682a29df395de85aee600fa610f3072a47fe4fc71992bceb3 http___bhxingda.com_hix5s
f4864587e40d0d85f401fc4760ead725852d68e04fd81438b4814e01ed0d9821 http___bishasf.com_h0jt3idr
dff3c49ff7bbb92f4c017e9dadfd78af18377d47642ba586790cdc58b168d32d http___bj-fzwb.com_a2jpzln
10f520b1a3b5c2dd01150c545551449110def0b272b859d0d21f6e46050cbdaa http___bobadc.com_g6w28
a4940e1835c49f314dfa9bb622e7307707b485a7599234c8ee5a27c20bedd5ab http___bubbleonlineshop.com_f7ba7
debcf8614c47c771df2cc17ee6ed5c6d632fa28c14cd06f68c356e476b807ff5 http___caihongemc.com_jwgo6v
e6cf4f352761d503926c59beb8a29c9540d021f531b9de731d2adaa4c4920c7b http___cangsu.net_fvai6a8h
e6cf4f352761d503926c59beb8a29c9540d021f531b9de731d2adaa4c4920c7b http___cg3dstudio.com_fvai6a8h
be2e411ba6c117644e6799a9b7926cef660bbd19816ea1a4323ef10b6c18edfe http___cg3dstudio.com_nzi2eb5
c806cb6b33fafff985f57a1292a6ebc587f9ecf0e9b430023bd54d7eac3772bd http___chandigarhcabs.com_ewirc4qm
3e2485eeaf22fd75c16c436b83a2a22931f8b4c95daacb96d4b83f7e754d9db6 http___chchqq.com_f5mfuv
c3d59946ddb40759dcdf415a29b8ed159bb5f3721f76c89911f85a2f8a03c86a http___china0315.com_hp9ap2
ede90e1f936fdfed5e2dab892882536714a93649bb9b2855c0cc7c2b46a70278 http___chinafanin.com_e0g7zme
c9f08cf6a3580267d9dde0eddba8abeb7abb38135d95e621e590f55100221572 http___chulkyu.com_bcvd2
31aa38682d3f1a578cd724d0f01907858ca1e703c4e611295a959697e437d114 http___clinicatafur.com_k89bo8k
07505dcaab27c982181cb5ab0da2fa5837c293f7849af84f70b3e0354a92b046 http___diemsolutions.com_fm9wn7
8be2a0121382e4a256ce1c66e9add55f4a3f2a52b5d6de3637e5b813f81b9d9d http___diemsolutions.com_nyhsyu
7d8a84bc81e1a4609a57a47162a06c93f4283b5a7db21fa01e9600e6664a1255 http___edunonline.com_ycxaob
97a9fa8194c1e33eb33111ea47a5bf5fc4fffbb92fdef587a005175e3309bb18 http___enricobasili.com_t4j6ryv6
231c8ae650a4cc7682a29df395de85aee600fa610f3072a47fe4fc71992bceb3 http___essennarose.com_hix5s
a28588ab9a61edb2d0e5c446f4b771572bffc978d95f1be54a4a41403b244760 http___essennarose.com_o82gf
04c683e372cb9129cbc78701dee9113b95f7848671a5dc17469016fcf06e3b5f http___fightingtommyriley.com_wxlcncw
5da7c0351747ca493749d5c90340a27d9ddf159d7d3fed55d536b5e16acb9675 http___gaa-sc.org_x60gpm
24399ecd984d673730b74246104673ee40af0d42706032d69c462516a7f9cb6a http___goodkiddy.com_wlr3ht9h
94eee926812979a94ca04a399f5b7d5f0483bcc1483c26b621b0f7fafbce3b8e http___idealuze.com_tam8m
10f520b1a3b5c2dd01150c545551449110def0b272b859d0d21f6e46050cbdaa http___maxtherm.net_g6w28
bdf65bf05fe7a85030b916f83b89f3db31449b80619d339f52d10ae6170cf579 http___maxtherm.net_o4cxcswe
a98e5bf0d79684762fc251325203ccc84b353b712df3089e5c529bbe137d58f3 http___mediaalias.com_sgbxqk
0ec6642b191dc2e88fcc31d310e16e86d971a5c9ea41fd78696d8a5f4cb5bb92 http___minoritycounselor.com_ovdoh
d026e48be417bdb76c94e30a1e0b007c0f516843cbdea8f4727ce2d554e440a8 http___misicka.com_lfg4y
4c3454d7386f9e81d08931bb9cdf354cdf8b2cde80626623ccc66226dc048c19 http___peryskop.biz_ns3o9
caa7230e6b6b67dbfd331de9902e5995feb0858285e64c5a5d9371eb09d9437a http___protescil.net_okfgx3s
b14629da4889b415d211c93270caf4cdfcf14608281d99868a175972337ba9e2 http___scorecapture.com_m48kh
2cb69f681f0473a2cc9ed3ed09a8acb382a4c680dfb9881bcc34e67e8c52ff19 http___scorecapture.com_z66urpod
b778376c5354049edbfb49c9a161a42c9a5a32fbbf24b015206ae57761e6d851 http___supergem.net_tk0b180
befe122e136271083eb67cff9d09bd92201cdca78e645efee422127b2c5f38f3 http___taddboxers.com_lsnd6wy
dd18108433a43f490da1abaf6128cbd603d1238560494a0faf824a74cecba33a http___upav.org_o9600kho
f4864587e40d0d85f401fc4760ead725852d68e04fd81438b4814e01ed0d9821 http___usedtextilemachinerylive.com_h0jt3idr
31a73629f6c33efe8c648fb27af9ceeda2e24f13888c506b21c08a0390a8ce88 http___usedtextilemachinerylive.com_obeyg
f69ea81644c548eed51fa04a22db2e030921ee374c7a5355513cdc75a579cea0 http___us-htpc.com_kddr6k
9e99c2082f7f555829707b9d54d336c05add52f13c18e463449034ef80b8aa8e http___www.resumebuddy.net_xdl60
1459d30ddf2b21f363e724b8a0c8f8c6e842599243c3985b58f56cb4493dccd8 http___xixiaxianggua.com_l9wz8
9c018d91a43bc447063686788ff8aaa83b9df03fa5ac9b3ee95ba17472c47fdf http___xoomland.com_lym13oci
1604fd7b4e2480212a55dbc07d073eb159179b315ce22d496beb9e321f1ab5e5 http___zorgboerderijtzicht.nl_lm3mhz
- the decoded payload is a DLL, executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323" (export name "qwerty", argument "323")
- samples (Hybrid Analysis reports):
https://www.reverse.it/sample/934dae4e1afedf1ab0fb0ff9866e58fa07cbf9711683d5b26ad6de0603ed8508?environmentId=100
https://www.reverse.it/sample/a9545ce728f832673024c2a6a3a88cbc0670778a68c72b270909058473eae922?environmentId=100
https://www.reverse.it/sample/04412a698262748d26c55c98f5606e04327b2e4de3202f78804320e47130950f?environmentId=100
https://www.reverse.it/sample/273975013699aea757df857ff9b0edbc1695302abdca22c596bdc91abb23c2b6?environmentId=100
https://www.reverse.it/sample/ce3606f9d7726b914e404e1e7bcab67964cf7a7ce053709a8b6aceee1d6b1ee1?environmentId=100
https://www.reverse.it/sample/5c540fd1e6c1ddbf4feab720f167ab819a5aa1c175e58fc61d92f4382aaf834b?environmentId=100
https://www.reverse.it/sample/f4c235ff94fca4a6f13425f2ad615accea2e9c30772d59d55abee25fd470ea8c?environmentId=100
https://www.reverse.it/sample/ccb5297bb9c21d06ead549c73d427e7025d3d58f066bd994217a5abe18a91c5d?environmentId=100
https://www.reverse.it/sample/7acd0e76edb52df6c01ce9c4faf98d41eff9af274b3152304662a8260966c89c?environmentId=100

C2:
POST 185.154.13.182:80/apache_handler.php
POST 185.75.46.122:80/apache_handler.php
POST 185.82.217.98:80/apache_handler.php
POST 95.213.179.232:80/apache_handler.php
POST senawhlqiyl.biz:80/apache_handler.php [69.195.129.70]
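
Added example, not part of the paste: a Python script that works the download list and the hash list above against each other. It undoes the "http___host_path" file naming to get URLs back, groups URLs by SHA-256 (the same encoded payload was served from several compromised sites, e.g. the 07505dca... file at both bestsourcecode.com/fm9wn7 and diemsolutions.com/fm9wn7), lists paths that recur across domains, and reports download URLs for which the paste has no hash. The embedded lines are a verbatim excerpt of the two lists; the full lists paste in unchanged. The assumption that every host is plain http and contains no underscore holds for every entry on the page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Verbatim excerpt of the paste's download list (the full list pastes in as-is).
DOWNLOAD_URLS = """\
http://aboeon.net/0m5xgh22
http://akseko.ru/ojpg5qqs
http://bestsourcecode.com/fm9wn7
http://cangsu.net/fvai6a8h
http://cg3dstudio.com/fvai6a8h
http://diemsolutions.com/fm9wn7
"""

# Verbatim excerpt of the paste's "sha256 <url-derived filename>" list.
HASH_LINES = """\
1c54f67e95113b3d405f74ef28a1ae8c5be8dc9dbe0506f8a256afa7fd442d25 http___akseko.ru_ojpg5qqs
07505dcaab27c982181cb5ab0da2fa5837c293f7849af84f70b3e0354a92b046 http___bestsourcecode.com_fm9wn7
231c8ae650a4cc7682a29df395de85aee600fa610f3072a47fe4fc71992bceb3 http___bhxingda.com_hix5s
e6cf4f352761d503926c59beb8a29c9540d021f531b9de731d2adaa4c4920c7b http___cangsu.net_fvai6a8h
e6cf4f352761d503926c59beb8a29c9540d021f531b9de731d2adaa4c4920c7b http___cg3dstudio.com_fvai6a8h
be2e411ba6c117644e6799a9b7926cef660bbd19816ea1a4323ef10b6c18edfe http___cg3dstudio.com_nzi2eb5
07505dcaab27c982181cb5ab0da2fa5837c293f7849af84f70b3e0354a92b046 http___diemsolutions.com_fm9wn7
231c8ae650a4cc7682a29df395de85aee600fa610f3072a47fe4fc71992bceb3 http___essennarose.com_hix5s
9e99c2082f7f555829707b9d54d336c05add52f13c18e463449034ef80b8aa8e http___www.resumebuddy.net_xdl60
"""


def key_to_url(key):
    """Undo the paste's filename mangling: 'http___host_path' -> 'http://host/path'.
    Assumes scheme http and a host without underscores (true for every entry)."""
    if not key.startswith("http___"):
        raise ValueError("unexpected key: %r" % key)
    host, _, path = key[len("http___"):].partition("_")
    return "http://%s/%s" % (host, path)


def parse_hash_lines(text):
    """Return [(sha256, url)] pairs; blank and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and SHA256_RE.match(parts[0]):
            pairs.append((parts[0], key_to_url(parts[1])))
    return pairs


def group_by_hash(pairs):
    """sha256 -> sorted URLs that served that exact (encoded) payload."""
    groups = defaultdict(set)
    for sha, url in pairs:
        groups[sha].add(url)
    return {sha: sorted(urls) for sha, urls in groups.items()}


def shared_paths(pairs):
    """URL path -> hosts serving it, for paths seen on more than one host.
    One path pushed to many compromised sites is the kit's fingerprint."""
    by_path = defaultdict(set)
    for _, url in pairs:
        u = urlsplit(url)
        by_path[u.path].add(u.hostname)
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def missing_hashes(download_text, pairs):
    """Download URLs that have no hash entry, i.e. payloads not captured."""
    hashed = {url for _, url in pairs}
    return [u for u in download_text.split() if u not in hashed]


if __name__ == "__main__":
    pairs = parse_hash_lines(HASH_LINES)
    for sha, urls in group_by_hash(pairs).items():
        if len(urls) > 1:
            print(sha[:16], "served from", ", ".join(urls))
    print("shared paths:", shared_paths(pairs))
    print("no hash for:", missing_hashes(DOWNLOAD_URLS, pairs))
```

The hashes are of the encoded downloads, so two URLs sharing one SHA-256 served byte-identical files; a decoded Locky DLL from either would need to be hashed separately if you want to pivot on the executable rather than on the carrier.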
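
Added example, not part of the paste: a Python detector for the two host-observable artifacts recorded above, the rundll32 execution line in the Malware section and the C2 POSTs. It scans a constructed proxy log (the log shape, timestamps and client addresses are made up; 198.51.100.7 and www.example.com are documentation-range filler) and a few constructed process command lines. An exact match on a listed C2 host is graded high; a POST to /apache_handler.php on a bare-IP host that is not in the list is graded medium, because IP indicators age faster than the request shape. On the endpoint side, the "qwerty" export is graded high and any rundll32 export call on a DLL under %TEMP% medium.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Locky C2 indicators listed in the paste (IPs, the domain, and its resolved IP).
C2_HOSTS = {"185.154.13.182", "185.75.46.122", "185.82.217.98",
            "95.213.179.232", "senawhlqiyl.biz", "69.195.129.70"}
C2_PATH = "/apache_handler.php"

# Execution pattern from the paste: rundll32.exe %TEMP%\<dll_name>,qwerty 323
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<export>\S+)(?:\s+(?P<arg>.*))?$", re.I)
TEMP_RE = re.compile(r"%temp%|\\temp\\", re.I)

# Constructed proxy log, not from the paste: "<ts> <client> <method> <url> <status>".
PROXY_LOG = """\
2016-10-07T08:12:03Z 10.0.0.15 POST http://185.154.13.182/apache_handler.php 200
2016-10-07T08:12:41Z 10.0.0.31 GET http://www.example.com/index.html 200
2016-10-07T08:13:44Z 10.0.0.22 POST http://198.51.100.7/apache_handler.php 200
2016-10-07T08:14:30Z 10.0.0.15 POST http://senawhlqiyl.biz/apache_handler.php 200
2016-10-07T08:15:02Z 10.0.0.31 POST http://www.example.com/apache_handler.php 404
"""

# Constructed process command lines; the DLL names are made up.
CMDLINES = [
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\kdjfh.dll,qwerty 323",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start",
]


def is_bare_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_request(method, url):
    """Return (severity, reason) for one HTTP request, or None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host in C2_HOSTS:
        return ("high", "known Locky C2 host")
    # Same handler path, POST, raw-IP host: the C2 shape without the exact IOC.
    if method.upper() == "POST" and u.path == C2_PATH and is_bare_ip(host):
        return ("medium", "Locky C2 pattern: POST to apache_handler.php on bare IP")
    return None


def scan_proxy_log(text):
    """Run classify_request over every well-formed log line."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, _status = parts
        verdict = classify_request(method, url)
        if verdict:
            hits.append({"ts": ts, "client": client, "url": url,
                         "severity": verdict[0], "reason": verdict[1]})
    return hits


def classify_cmdline(cmdline):
    """Flag rundll32 calling a named export on a DLL in the temp directory."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    dll, export = m.group("dll").strip('"'), m.group("export")
    hit = {"dll": dll, "export": export, "arg": m.group("arg")}
    if export.lower() == "qwerty":
        return dict(hit, severity="high", reason="Locky DLL export 'qwerty'")
    if TEMP_RE.search(dll):
        return dict(hit, severity="medium",
                    reason="rundll32 export call on DLL under %TEMP%")
    return None


if __name__ == "__main__":
    for h in scan_proxy_log(PROXY_LOG):
        print("NET ", h["severity"], h["client"], h["url"], "-", h["reason"])
    for c in CMDLINES:
        print("PROC", classify_cmdline(c))
```

The last log line shows why the medium rule insists on a bare-IP host: a POST to the same path on a named site is not flagged, which keeps the generic rule from paging on every PHP handler that happens to share the name.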