- 2016-09-19 #locky email phishing campaign "Express Parcel service"
- Email:
- --------------------------------------------------------------------------------------------------------------------
- From: "Jana Wiley" <Wiley.08@wlink.com.np>
- To: [REDACTED]
- Subject: Express Parcel service
- Date: Mon, 19 Sep 2016 14:01:14 +0545
- Express Parcel service
- Dear [REDACTED], we have sent your parcel by Express Parcel service
- The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
- Thank you.
- Attached: 7132878efa5.zip
- --------------------------------------------------------------------------------------------------------------------
- - sender varies between emails
- - subject is "Express Parcel service"
- - attached file <random hex chars>.zip contains two files: one zero-filled file with a one-character name that is just padding, and "Express Parcel service ~<hex chars>~.js", a JScript downloader
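The attachment structure described above, turned into a mail-gateway check as an added example (not part of the original paste): a Python function that flags a zip whose members are a JScript file named with the campaign's "Express Parcel service ~<hex>~.js" pattern plus a one-character-named member consisting only of NUL bytes. The zip samples, the hex string in the file name, the script body and the benign members are constructed here for illustration.

```python
import io
import re
import zipfile

# File-name pattern of the JScript downloader: "Express Parcel service ~<hex chars>~.js"
JS_NAME_RE = re.compile(r"^Express Parcel service ~[0-9a-fA-F]+~\.js$")

# Upper bound on how much of a member we inspect, so an oversized "padding" file
# cannot be used to exhaust the checker's memory.
MAX_INSPECT = 1024 * 1024


def is_parcel_phish_zip(zip_bytes: bytes) -> bool:
    """True when the archive matches the campaign layout: exactly one JScript with the
    campaign name pattern plus at least one one-character-named member that is all NUL bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
            js_hits = [m for m in members if JS_NAME_RE.match(m.filename)]
            padding_hits = []
            for m in members:
                if len(m.filename) != 1 or m.file_size == 0:
                    continue
                with zf.open(m) as fh:
                    data = fh.read(MAX_INSPECT)
                if data.count(b"\x00") == len(data):
                    padding_hits.append(m)
            return len(js_hits) == 1 and len(padding_hits) >= 1
    except zipfile.BadZipFile:
        return False


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes-or-str}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (hex suffix and script body are placeholders, not the real downloader)
MALICIOUS_SAMPLE = build_zip({
    "a": b"\x00" * 4096,
    "Express Parcel service ~7132878efa5~.js": 'var o = new ActiveXObject("MSXML2.XMLHTTP");',
})
# Same JScript name but the one-character member is not NUL padding
PARTIAL_SAMPLE = build_zip({
    "b": b"not padding",
    "Express Parcel service ~0badc0de~.js": "WScript.Echo(1);",
})
BENIGN_SAMPLE = build_zip({
    "invoice_2016.pdf": b"%PDF-1.4 constructed placeholder",
    "notes.txt": b"see attached",
})

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE),
                          ("partial", PARTIAL_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print(label, is_parcel_phish_zip(sample))
```

The check deliberately requires both members: the padding file alone is not unusual enough to act on, and the JScript name alone can be defeated by renaming, but a zip carrying both matches the layout seen in this campaign and is worth quarantining.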
- Download sites:
- http://foveawaac.net/jdpoko
- http://foveawaac.net/qq5dk
- http://foveawaac.net/w2guf
- http://foveawaac.net/wzwzjply
- http://foveawaac.net/yjmaazj
- http://merofid.com/pitggs52
- http://merofid.com/rsyhqoz
- http://merofid.com/w5tnnf6s
- http://merofid.com/z3zeg
- http://merofid.com/zn6mcj
- http://roxieimshi.com/cpboa
- http://roxieimshi.com/eppmn
- http://roxieimshi.com/f10h5fzg
- http://roxieimshi.com/w41x413
- http://roxieimshi.com/y4lf1neg
- Malware:
- - downloads are multi-hosted, so the same URL may serve different malware
- - payload is encoded on download; two file sizes seen: 158212 and 157700 bytes
- 0ad37173493cb19d7555579ef36946e9d2570787a8ffc6d968e3163b56753c8e http___foveawaac.net_jdpoko
- c85db0d8a830a6cf81fda6b181e30020ea1325fcd5a343e910e49969c9ff706f http___foveawaac.net_qq5dk
- 23a60f563399d019b6ccbc1c4a49fc219125b71668be9753fe7ece0cff872777 http___foveawaac.net_w2guf
- 317eea26b8aaae32e217a166d13d8d174a89cc3cd08dc44a728972e71cc26f82 http___foveawaac.net_wzwzjply
- 7e965c614a4272736a47d764d978d5e3bf75a05197314f88c2e22b41f45b8078 http___foveawaac.net_yjmaazj
- 06b38e324d68a5146aa665d9809081e8f8bd49b92c48435cc20092c208f56940 http___merofid.com_pitggs52
- 20a104c9595dd4b7ed8d9d5be0be5fde0aafea81175da9501ec2fe79e0b2f1b5 http___merofid.com_rsyhqoz
- fee19c7b2a23d16e8f0f856e23b32c72217c86ac69be7aa6f1ce79a146bdf887 http___merofid.com_w5tnnf6s
- 0d90de1e7ee1976d5d7080c4449fc0dc4696ce66dd0526e5557c3b045dbe8986 http___merofid.com_z3zeg
- 2117018de31d917cb04e3e034039cdfe67445fddfa776ca60214e8d7234151db http___merofid.com_zn6mcj
- fab150d980e16f884cac3393752336244d2e1ef2ae497092b7c9ac850e260289 http___roxieimshi.com_cpboa
- 123e4cc8a869cdd942c599e32b95cc54c660cb461bad59abdf0348e69137ae80 http___roxieimshi.com_eppmn
- 9c2b06ba4d6253b1e3c4aefca7080e4748526122bce157999061eb605c756672 http___roxieimshi.com_f10h5fzg
- 871fee159aca96a1b8d9fb9a70b6e03f4f88904e1b04846448c08d07ad81e46d http___roxieimshi.com_w41x413
- 9f1b3bb4aee763c25a008f9e7b1393f1042209fdfe7c4a772257543cfa70232a http___roxieimshi.com_y4lf1neg
- - decoded
- 46a50691c76a33b8b00359e86b8d1cabb0dd478452d4e612cba5465eb6f9ebd6
- 51ab5c028614b2d8109539e354c1aafddc555eace78e138f43a00926ab25393c
- e6f76eb479856ff6c9b6757d23f0e5a43c2ec9c780ef54cc71d76ae0f05b173b
- df36b88b7e056ea97633d29519d8a31438a907f55b2957dab2e2e7b08386d53d
- 68f39ff9ba2e2ef09ac63aa98770368b6c27d5977eb3a0ead939b0a7b6745c25
- 498811496cb62280f8eabe9fb345b2edc41d99886a4af319f2585fa8ebdc932b
- 69b51fb638a909b8711ad244efe8994f2951a4e32166051534730b43d5b70dbc
- - executed by "rundll32.exe %TEMP%\<dll_name>,qwerty 323"
- https://www.reverse.it/sample/8ae9bfec3b67cd83ba0b9116de452001682b5ea353d60e1fa614678c8b5b2dca?environmentId=100
- https://www.reverse.it/sample/b6ad1dba43ba6747e2f2c9002c8bd71b7cc739620622dca175a6626d7c7d1e53?environmentId=100
- https://www.reverse.it/sample/43be4b89f50998b438d939d6d89e740b833b7c7c9b1e510e05b501498169b4a5?environmentId=100
- https://www.reverse.it/sample/7f2cfe7f92c6ab46158b96165809e6e077c5e08bf5799f02bfddeafa4dac9676?environmentId=100
- https://www.reverse.it/sample/2a96d3a5a7c198a6f999a0f925b4697c77bccf2f0cf7736df27d0c3ddcc7d5b5?environmentId=100
- https://www.reverse.it/sample/33d4e8416db8e94d05ddc6a8d04c63297c77184359892275703804aa35ff35f6?environmentId=100
- https://www.reverse.it/sample/df206c9eac9cef4a6cfba925bd2a379a95890aa523445af82bc04a16cdf94224?environmentId=100
- https://www.reverse.it/sample/b8f601fbaca128e30fa04954f12bfba8ac113b22abd305c2a70e44e39e0013c1?environmentId=100
- https://www.reverse.it/sample/32c9517e83f8bc30812bedeb08af09a246a3f71ba402b71be4e02ed476f58ff6?environmentId=100
- https://www.reverse.it/sample/1184e3255d4ea750176326cdfb8d346ac25d97a4bf8a6ec189e5b0433f8e5e91?environmentId=100
- https://www.reverse.it/sample/ea21284cf7dea76532109aed4b63dfba39125c239228aba30142d3e34c3fadee?environmentId=100
- https://www.reverse.it/sample/2814b12a1a9ad6e0595e036539bc840eec83fa3e31949bed8db5c4c057c2548f?environmentId=100
- C2:
- 195.64.154.202:80/data/info.php
- 46.38.52.225:80/data/info.php
- ajsrbomqrrlra.pw:80/data/info.php [91.223.88.209]
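Matching the indicators above against logs, as an added example that is not part of the original paste: the download hosts, C2 hosts and path, encoded payload sizes and the rundll32 export call are taken from the list above; the proxy and process-creation log lines, their field layout, the client addresses and the temp DLL name are constructed for the example.

```python
import re

# Indicators taken from the list above
DOWNLOAD_HOSTS = {"foveawaac.net", "merofid.com", "roxieimshi.com"}
C2_HOSTS = {
    "195.64.154.202",
    "46.38.52.225",
    "ajsrbomqrrlra.pw",
    "91.223.88.209",  # address ajsrbomqrrlra.pw resolved to at the time
}
C2_PATH = "/data/info.php"
ENCODED_PAYLOAD_SIZES = {158212, 157700}

URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/\S*)?", re.IGNORECASE)
# rundll32.exe %TEMP%\<dll_name>,qwerty 323  (export "qwerty", argument 323)
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,qwerty\s+323\b", re.IGNORECASE)
# Trailing byte count in the constructed proxy format used below
TRAILING_SIZE_RE = re.compile(r"\s(\d+)\s*$")


def scan_line(line: str) -> list:
    """Return the indicator tags one log line triggers (empty list = nothing matched)."""
    tags = []
    for m in URL_RE.finditer(line):
        host = m.group(1).lower()
        path = (m.group(2) or "/").lower()
        if host in DOWNLOAD_HOSTS:
            tags.append("locky_download_url")
        if host in C2_HOSTS and path.startswith(C2_PATH):
            tags.append("locky_c2_beacon")
    # A download from a listed host whose response size is one of the two seen sizes
    if "locky_download_url" in tags:
        size = TRAILING_SIZE_RE.search(line)
        if size and int(size.group(1)) in ENCODED_PAYLOAD_SIZES:
            tags.append("locky_payload_size")
    if RUNDLL32_RE.search(line):
        tags.append("locky_rundll32_export")
    return tags


def scan_log(lines) -> list:
    """Return (line_number, tags) for every line matching at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = scan_line(line)
        if tags:
            hits.append((n, tags))
    return hits


# Constructed log lines: "<date> <time> <client> <method> <url> <status> <bytes>" for the
# proxy, and a Sysmon-style process-creation record for the endpoint.
SAMPLE_LOG = [
    "2016-09-19 14:05:02 10.0.0.5 GET http://merofid.com/rsyhqoz 200 158212",
    "2016-09-19 14:05:09 10.0.0.5 POST http://46.38.52.225/data/info.php 200 231",
    "2016-09-19 14:05:11 10.0.0.5 POST http://ajsrbomqrrlra.pw:80/data/info.php 200 231",
    "2016-09-19 14:04:40 10.0.0.7 GET http://www.example.com/index.html 200 5120",
    r"2016-09-19 14:05:08 10.0.0.5 ProcessCreate CommandLine=rundll32.exe C:\Users\u\AppData\Local\Temp\7f3a.dll,qwerty 323",
    r"2016-09-19 14:06:00 10.0.0.9 ProcessCreate CommandLine=rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for n, tags in scan_log(SAMPLE_LOG):
        print(n, tags)
```

The rundll32 pattern keys on the export name and argument rather than the DLL path, since the DLL name in %TEMP% varies per download while ",qwerty 323" is what the paste identifies as constant; the size check is only applied on top of a host hit, because the two sizes alone are too common to alert on.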