2016-09-13 #locky email phishing campaign "payment copy"
Email:
-----------------------------------------------------------------------------------------------------------------
From: "Rhonda leutner" <Rhonda893@smithsgardensinc.com>
To: [REDACTED]
Subject: payment copy
Date: Tue, 13 Sep 2016 17:35:52 -0500
--
*Best Regards,_________*
*Rhonda leutner*
Attachment: PID039701921.zip
-----------------------------------------------------------------------------------------------------------------
- sender differs between emails
- subject is "payment copy"
- attached file "PID<number>.zip" contains file "<random chars>.wsf", a JScript downloader
Download sites (actual URLs have ?<random>=<random> suffix which does not influence download)
http://adventurevista.com/ekvjuqf
http://allchannel.net/jpqhvig
http://amaranthine-deerplacenta.com/fcvqdue
http://amicentng.com/bolbfcv
http://bostonbruinsfan.net/ehswrpt
http://cramjuice.com/tlcgfpv
http://daseolchi.com/adiwwcn
http://deligoods.com/ynwvhfq
http://directdesignsny.com/pcuvhva
http://dusklounge.com/wtynnsw
http://feechka.ru/wdxwxoa
http://fleurdelysbridal.co.uk/kucqfai
http://gotous.com/ugvprfv
http://harrisonboileau.com/vwtpkmf
http://inventtheworld.com/oybkysl
http://janie-royce.com/toeskgk
http://jaysilverdp.com/nbbothm
http://jonathankimsey.com/rptyswr
http://kafemar.com/rlqulla
http://kinabalustudios.com/tcfgspq
http://kristinchurch.ca/cnmrypl
http://limret.com/nlkeycd
http://liyuesheng.com/awskjml
http://loansbypeople.com/xvgpksk
http://mamazin.ru/auujqrq
http://michal-luczak.com/sqqlhxh
http://msayin.com/bawyqob
http://narutoshippuuden.org/hodycxv
http://natural-anxiety-remedies.com/cuithur
http://radyohaberleri.com/mmejsjo
http://sexturbo.ru/knbahpw
http://sspvl.com/tmlmkos
http://stratageeks.com/runtcfw
http://thcsgoxoai.com/evtkibv
http://victoriajolie.co.uk/viammie
http://webberm.com/pjruymq
http://xaydungtruonghung.com/njnkpvv
http://xn--odka862xw00d.com/hrypmlq
http://ygc1688.com/xbfortw
http://yourmdb.com/gdysrxv
http://zagros-group.net/gdmxdtb
http://zipcommander.com/qcxpyuv
Malware:
- encoded on download, SHA256 7c7fea89ae8a55d37ca9ad4d059d60be2c0d65c7f40ad7b5e17fbac4c9290afd, filesize 159744 bytes
- decoded SHA256 78b222082576d201d81511631a4533ad02314956aeb7001afc0cd9440cdfa188
- executed by "rundll32.exe %TEMP%\fXUUCX1.dll,qwerty"
https://www.reverse.it/sample/0882210f59fe6bf5fa31d31553dbe2331e276ba23c99558aeae7b20284b78f6e?environmentId=100
https://www.reverse.it/sample/1c83838fb5f02b7d17d657e3a9a9ca8ad65bb11192fa9a164d0e861b10468d69?environmentId=100
https://www.reverse.it/sample/370c3ff927be6a95f9201c00320f1d3a5da21e05aaf02fff256a445686820a71?environmentId=100
https://www.reverse.it/sample/4337345a5a20d6a17d4c2c8b9313d362ebf742782d816c2ff17171ad02cedf9b?environmentId=100
https://www.reverse.it/sample/1151bf42b1eb9fc727db8a230c367382f42f694dc5cba6160903b800986729c0?environmentId=100
C2:
- no C2 communication, encryption key is probably hardcoded in executable
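Added defender-side example, not part of the paste: a small Python checker that matches mail metadata, proxy log lines, file hashes and process command lines against the indicators above. It strips the random ?k=v suffix before comparing URLs (the paste notes the suffix does not affect the download) and flags a hit on a listed host with a different path at lower confidence. The proxy log format, the log lines and the constant names are constructed for this example; only part of the URL list is reproduced, the rest can be added verbatim from the paste.

```python
import re
from urllib.parse import urlsplit

# Indicators transcribed from the paste above (subset of the URL list).
DOWNLOAD_URLS = {
    "http://adventurevista.com/ekvjuqf",
    "http://allchannel.net/jpqhvig",
    "http://bostonbruinsfan.net/ehswrpt",
    "http://feechka.ru/wdxwxoa",
    "http://xn--odka862xw00d.com/hrypmlq",
    "http://zipcommander.com/qcxpyuv",
}
PAYLOAD_SHA256 = {
    "7c7fea89ae8a55d37ca9ad4d059d60be2c0d65c7f40ad7b5e17fbac4c9290afd",  # as downloaded (encoded)
    "78b222082576d201d81511631a4533ad02314956aeb7001afc0cd9440cdfa188",  # decoded DLL
}
SUBJECT = "payment copy"
ATTACHMENT_RE = re.compile(r"^PID\d+\.zip$", re.IGNORECASE)
# rundll32 loading a DLL with export "qwerty", per the paste
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),qwerty\b", re.IGNORECASE)


def normalize_url(url: str) -> str:
    """Return 'host/path' with scheme, query string and fragment dropped."""
    parts = urlsplit(url.strip())
    return f"{(parts.hostname or '').lower()}{parts.path}"


DOWNLOAD_KEYS = {normalize_url(u) for u in DOWNLOAD_URLS}
DOWNLOAD_HOSTS = {k.split("/", 1)[0] for k in DOWNLOAD_KEYS}


def classify_url(url: str) -> str:
    """'high' for a listed download location, 'medium' for a listed host
    with another path (compromised site, possibly rotated path), else 'none'."""
    key = normalize_url(url)
    if key in DOWNLOAD_KEYS:
        return "high"
    if key.split("/", 1)[0] in DOWNLOAD_HOSTS:
        return "medium"
    return "none"


def is_campaign_email(subject: str, attachment_name: str) -> bool:
    """Subject 'payment copy' plus a PID<number>.zip attachment."""
    return (subject.strip().lower() == SUBJECT
            and ATTACHMENT_RE.match(attachment_name.strip()) is not None)


def is_payload_hash(sha256_hex: str) -> bool:
    return sha256_hex.strip().lower() in PAYLOAD_SHA256


def is_rundll32_execution(cmdline: str) -> bool:
    """rundll32 calling export 'qwerty' on a DLL located under a temp directory."""
    m = RUNDLL32_RE.search(cmdline)
    return m is not None and "temp" in m.group(1).lower()


# Constructed proxy log, format: "<timestamp> <client-ip> <url> <http-status>"
SAMPLE_PROXY_LOG = """\
2016-09-13T22:41:07Z 10.0.0.15 http://adventurevista.com/ekvjuqf?KdQh=jEzp 200
2016-09-13T22:41:09Z 10.0.0.15 http://www.example.com/index.html 200
2016-09-13T22:43:51Z 10.0.0.22 http://feechka.ru/some-other-page 404
"""


def scan_proxy_log(text: str) -> list:
    """Return (timestamp, client, url, confidence) for every line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip
        ts, client, url, _status = fields[:4]
        level = classify_url(url)
        if level != "none":
            hits.append((ts, client, url, level))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*hit)
    print(is_rundll32_execution(r"rundll32.exe %TEMP%\fXUUCX1.dll,qwerty"))
```

The host-only "medium" tier is a judgement call: the listed sites are ordinary compromised web servers, so a later request to the same host on another path is worth a look but is not proof on its own.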