Racco42

2016-09-13 Locky "payment copy"

Sep 13th, 2016
2016-09-13 #locky email phishing campaign "payment copy"

Email:
-----------------------------------------------------------------------------------------------------------------
From: "Rhonda leutner" <Rhonda893@smithsgardensinc.com>
To: [REDACTED]
Subject: payment copy
Date: Tue, 13 Sep 2016 17:35:52 -0500

--

*Best Regards,_________*
*Rhonda leutner*

Attachment: PID039701921.zip
-----------------------------------------------------------------------------------------------------------------
- sender differs between emails
- subject is "payment copy"
- attached file "PID<number>.zip" contains a file "<random chars>.wsf", a JScript downloader

Download sites (the actual URLs carry a ?<random>=<random> suffix, which does not influence the download):

Malware:
- encoded on download: SHA256 7c7fea89ae8a55d37ca9ad4d059d60be2c0d65c7f40ad7b5e17fbac4c9290afd, filesize 159744 bytes
- decoded: SHA256 78b222082576d201d81511631a4533ad02314956aeb7001afc0cd9440cdfa188
- executed by "rundll32.exe %TEMP%\fXUUCX1.dll,qwerty"


C2:
- no C2 communication; the encryption key is probably hardcoded in the executable
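As an added defender-side example (not part of the paste), this Python snippet checks mail and process telemetry for the traits the notes describe: the fixed subject, the `PID<number>.zip` attachment wrapping a `.wsf` script, and `rundll32.exe` loading a DLL from `%TEMP%` with an export name. The sample inputs are constructed, and the regexes are my own assumptions rather than a published signature.

```python
import io
import re
import zipfile

# Attachment naming seen in the campaign: PID<number>.zip (assumed anchored pattern).
ATTACHMENT_RE = re.compile(r"^PID\d+\.zip$", re.IGNORECASE)

# rundll32 loading a DLL out of the user's temp directory with an export name,
# mirroring "rundll32.exe %TEMP%\<name>.dll,<export>" (assumed pattern).
RUNDLL32_TEMP_RE = re.compile(
    r"rundll32(\.exe)?\s+(%TEMP%|.*\\Temp)\\[^\\\s,]+\.dll,\S+", re.IGNORECASE
)


def flag_email(subject, attachment_name, attachment_bytes):
    """Return the list of campaign traits a message exhibits (empty if none)."""
    reasons = []
    if subject.strip().lower() == "payment copy":
        reasons.append("subject 'payment copy'")
    if ATTACHMENT_RE.match(attachment_name):
        reasons.append("attachment named PID<number>.zip")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        names = []  # not a zip at all; the other traits still count
    if any(n.lower().endswith(".wsf") for n in names):
        reasons.append("zip contains a .wsf script")
    return reasons


def flag_process(cmdline):
    """True when a command line matches the rundll32-from-%TEMP% execution trait."""
    return bool(RUNDLL32_TEMP_RE.search(cmdline))


def build_sample_zip(inner_name):
    """Build a constructed zip holding one placeholder file, for testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: the campaign shape next to a benign message.
    print(flag_email("payment copy", "PID039701921.zip", build_sample_zip("kqzxvtr.wsf")))
    print(flag_email("Q3 report", "report.zip", build_sample_zip("report.pdf")))
    print(flag_process(r"rundll32.exe %TEMP%\fXUUCX1.dll,qwerty"))
    print(flag_process(r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"))
```

Requiring two or more matching traits before alerting keeps a lone "payment copy" subject from paging anyone.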